Norman Virus Control for Exchange Version 5.95 User’s Guide

Norman Virus Control for Exchange

Version 5.95

User’s Guide

ii NVC for Exchange - User’s Guide

Limited warranty

Norman guarantees that the enclosed diskette/CD-ROM and documentation do not have production flaws. If you report a flaw within 30 days of purchase, Norman will replace the defective diskette/CD-ROM and/or documentation at no charge. Proof of purchase must be enclosed with any claim.

This warranty is limited to replacement of the product. Norman is not liable for any other form of loss or damage arising from use of the software or documentation or from errors or deficiencies therein, including but not limited to loss of earnings.

With regard to defects or flaws in the diskette/CD-ROM or documentation, or this licensing agreement, this warranty supersedes any other warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, Norman will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages.

This warranty expires 30 days after purchase.

The information in this document as well as the functionality of the software is subject to change without notice. The software may be used in accordance with the terms of the license agreement. The purchaser may make one copy of the software for backup purposes. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without the explicit written permission of Norman.

The Norman logo is a registered trademark of Norman ASA.

Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only.

NVC documentation and software are

Copyright © 1990-2008 Norman ASA.

All rights reserved.

Last revised on 21 May 2008.

Copyright © 1990-2008 Norman

iii

Norman OfficesNorman Data Defense Systems ASBlangstedgårdsvej 1, DK-Odense SØ, DenmarkTel. +45 6311 0508 Fax: +45 6313 3901email: [email protected] Web: http://www.norman.no/dk

Norman France8 Rue de Berri, 75008 Paris, FranceTel: +33 1 42 99 94 14 Fax: +33 01 42 99 95 01email: [email protected] Web: http://www.norman.fr

Norman Data Defense Systems GmbHZentrale, Gladbecker Str. 3, 40472 Düsseldorf, GermanyTel.: +49 0211 / 5 86 99-0 Fax: 0211 / 5 86 99-150email: [email protected] Web: http://www.norman.de

Norman Data Defense SystemsCentro Direzionale Lombardo, Via Roma, 10820060 Cassina de’Pecchi (MI), ItalyTel: +39 02 951 58 952 Fax: +39 02 951 38 270 email: [email protected] Web: http://www.normanit.com

Norman/SHARK BVPostbus 159, 2130 AD, Hoofddorp, The Netherlands.Tel: +31 23 789 02 22 Fax: +31 23 561 3165email: [email protected] Web: http://www.norman.nl

Norman ASAMailing address: P.O. Box 43, N-1324, Lysaker, Norway. Physical address: Strandveien 37, Lysaker, N-1324 Norway.Tel: +47 67 10 97 00 Fax: +47 67 58 99 40 email: [email protected] Web: http://www.norman.no/no

Norman Data Defense Systems Camino Cerro de los Gamos 1, Edif.1E - 28224 Pozuelo de Alarcón MADRID, SpainTel: +34 91 790 11 31 Fax +34 (0) 91 790 11 12email: [email protected] Web: http://www.normandata.es

Norman Data Defense Systems ABKorsgatan 2, 602 33 Norrköping, SwedenTel:+46 11 - 230 330 Fax: +46 11 - 230 349 email: [email protected] Web: http://www.norman.com/se

Norman Data Defense Systems AGMünchensteinerstrasse 43, CH- 4052 Basel, Switzerland.Tel: +41 61 317 2525 Fax: +41 61 317 25 26email: [email protected] Web: http://www.norman.ch

Norman Data Defense Systems (UK) LtdExchange House, 494 Midsummer BoulevardCentral Milton Keynes, MK9 2EA, United KingdomTel. +44 08707 448044 / 01908 255990 Fax: 0870 1202901email: [email protected] Web: http://www.normanuk.com


http://www.norman.no/dk

http://www.norman.fr

http://www.norman.de

http://www.normanit.com

http://www.norman.nl

http://www.norman.no/no

http://www.normandata.es

http://www.norman.com/se

http://www.norman.ch



http://www.normanuk.com

http://www.normanuk.com

iv NVC for Exchange - User’s Guide

Norman Data Defense Systems Inc.9302 Lee Highway, Suite 950A, Fairfax, VA 22031, USATel: +1 703 267 6109, Fax: +1 703 934 6367email: [email protected] Web: http://www.norman.com

Training and Technical SupportFor training or technical support, please contact your local dealer or Norman ASA.


http://www.norman.com

v

System requirements• Exchange 2003, or• Exchange 2000 with Service Pack 1 or later• Norman Virus Control v5.99• 210 MB of free disk space • 256 MB RAM above requirements for OS and Exchange

(recommended)Note: On-access scanners from other vendors than Norman

must not be installed. Such scanners can interfere with NVC for Exchange’s use of temporary files, and at worst viruses will pass through the server undetected. Norman’s on-access scanner runs smoothly with NVC 5 on the server.

The installation process must be carried out by a user logged in with administrator rights.

Prerequisites It is important to read and understand this entire document prior to installation and use.To take full advantage of all the functions in NVC, you should have a good knowledge of Exchange 2000/2003 as well as Windows Server OS. NVC is designed to work with the operating system at all levels, and you will find that basic Windows functionality is reflected in the program.For detailed information on NVC v5, please refer to the following documents:

• Norman Virus Control - Reference Guide• Norman Virus Control - User’s Guide• Norman Virus Control - Administrator’s Guide


vi NVC for Exchange - User’s Guide

Known issuesDue to a flaw in the design of AVAPI 2.0 from Microsoft, outbound e-mail can under certain circumstances pass through unchecked. This means that infected files may circulate within the network without being detected or stopped. On the other hand, all inbound e-mail is checked. E-mail addressed to users in the same domain is checked, and the problem is therefore limited to e-mail leaving the domain. Whereas all incoming e-mail is checked, an infection can only take place because a totally new virus arrives or because the source of infection is different, such as shared disk volumes or floppy disks. This is only a potential problem for massmailing viruses with dispatching of confidential documents as their only payload. This problem will be eliminated as soon as a bug fix is issued.Microsoft has published a knownledge base article which can be found athttp://support.microsoft.com/support/kb/articles/Q298/4/04.ASPNote: These issues are resolved for Exchange 2000 SP3 and

Exchange 2003.

Technical supportNorman provides technical support and consultancy services for NVC and security issues in general. Technical support also comprises quality assurance of your anti-virus installation, including assistance in tailoring NVC to match your exact needs.Note that the number of services available will vary between the different countries.


Contents vii


ContentsSystem requirements................................................................................. vKnown issues ........................................................................................... viTechnical support..................................................................................... vi

Installing and updating ...............................................................................7

Installing NVC for Exchange.................................................................... 7The Install Shield Wizard ......................................................................... 8

Updating your installation ....................................................................9Uninstalling NVC for Exchange............................................................. 10

About NVC for Exchange .........................................................................11

The components ...................................................................................... 11On-access scanner .........................................................................11Configuration .................................................................................11Norman Service Monitor ...............................................................11On-access scanning .......................................................................12Updating virus definition files and scanner engine .......................12

Norman Service Monitor (NSM) ..............................................................13

Configuration .............................................................................................15

Virus scanning ........................................................................................ 15Quarantine............................................................................................... 18Attachment blocking............................................................................... 19

Appendix A - Sandbox ..............................................................................22

Index ...........................................................................................................25

Installing and updating 7

Installing and updatingInstalling NVC for Exchange

Note for distributed installations:Even if your NVC installation is distributed, NVC for Exchange should be installed locally on the server(s) running Exchange 2000/2003 and must be installed on each server running Exchange 2000/2003 separately. The NVC installation, however, should be kept distributed as this will ensure distributed engine updates and virus definition files. This way the configuration window for NVC for Exchange will only appear on the server(s) running Exchange 2000/2003.

To install NVC for Exchange you need a corporate license for NVC, i.e. an authentication key that allows you to install the full version of NVC as a basis for the Exchange plug-in.Follow this procedure:1. Install the full version of NVC v5x.2. Run Norman Internet Update (NIU) to update the

installation.3. Install the NVC for Exchange plug-in.When the files are copied the components will be installed and registered. This may take several minutes. During this phase your Exchange server will be restarted to accommodate the new settings. (A reboot of the server is not needed.)



The Install Shield Wizard1. When you run the InstallShield wizard, a welcome screen

appears. Click Next. 2. Note: The following dialog appears only if an NVC for

Exchange plug-in already exists:

The options in this dialog are:Repair: If you select this option, the existing files will be copied over the current installed files, and thereby repairing an installation and replacing lost files.Remove: Removes NVC for Exchange altogether. Alternatively, remove the plug-in from Control Panel’s Add or Remove Programs.Click Next.


9 NVC for Exchange - User’s Guide

3. The following dialog appears:

4. When the files are copied the installation/update is completed. Note that the update of NVC for Exchange is still in process so it will take a minute before all the new components are finished loading. Click Finish in the next dialog to complete the installation.

Updating your installationYou can configure NVC to update automatically via Norman Internet Update (NIU). However, the NVC for Exchange plug-in is not updated via NIU. At irregular intervals, new install builds are available, typically when an upgrade of the NVC full version is released. Information about plug-in updates is published at Norman’s web site. The new virus definition files are applied automatically. After a few minutes NVC for Exchange will detect the updates and will set up all previously scanned e-mails for rescanning on access.Note: While upgrade is in progress, scanning of e-mail is

temporarily halted.



Note when configuration is changed:

After changes are performed in the configuration editor, it takes a little while before the new settings are effective in NVC for Exchange.

Uninstalling NVC for Exchange1. Open Control Panel.2. Select Add/Remove programs.3. Select NVC for Exchange and click on Change/Remove.

4. Select Remove and click on Next.5. Click OK if you are sure you want to uninstall NVC for

Exchange. All settings and the log file will be deleted.6. Removing the components may take several minutes and

will require Exchange to be restarted. It is not necessary to reboot the server.



About NVC for ExchangeThe components

On-access scannerNVC for Exchange uses an AVAPI 2.0 plug-in which connects to the Exchange Information Store on the server for access to e-mails and attachments. NVC for Exchange becomes an integrated part of Exchange itself and is controlled by Exchange. All incoming and outgoing e-mails are scanned on access in both private and public information stores. Access is only granted to virus-free items or when a present virus has been removed. If scanning of an attachment fails, access to the item is denied until it’s successfully scanned to ensure that a program error does not lead to leakage.

ConfigurationConfiguration is done within the Norman Configuration Editor. NVC for Exchange will add a component in Norman Configuration Editor. Thus all Norman Virus Control operation on the server can be handled through one interface. Note that after changing your configuration, it will take a couple of minutes before the new settings take effect.

Norman Service MonitorWhen NVC for Exchange is installed on your system, Norman Service Monitor will be configured to monitor the Information Store component of Exchange. This ensures better control over Exchange on the server and notifies the administrator if something is wrong.See “Norman Service Monitor (NSM)” on page 13.


About NVC for Exchange 12

On-access scanningEach element of the e-mail is scanned separately on-access. I.e. the attachment and the mail body is scanned individually. Access to an e-mail is only granted if all elements are virus free.

Updating virus definition files and scanner engineWhen updated virus definition files, scanner engine, or NVC modules are available for download you should use Norman Internet Update (unless you update from CD only). NVC for Exchange updates itself dynamically and without any user interaction. If you configure NIU to download updates once a week, for example, NVC for Exchange is automatically kept up-to-date. A few minutes after new virus definition files have been installed, NVC for Exchange will adapt its version number so that previously scanned e-mails will be scanned again with updated files on next access.



Norman Service Monitor (NSM)

Norman Service Monitor (NSM) is included in NVC for Exchange. This utility monitors selected services on the computer and takes appropriate action if the service crashes. The installation routine will set up NSM to monitor Exchange 2000/2003 Information Store. If a crash occurs (either due to a crash in NVC – when a crash dialog is displayed on the server, or due to a crash inside Exchange itself – when normally no information is given to the user at all) the following dialog is displayed:

In this case all the command buttons are enabled. However, certain modules monitored by NSM will not enable the Restart service button. The dialog contains information about which services that stopped responding and which program is affected.In addition, an error message is sent through NPM to alert the administrator of such an event.Note that if there are dependent services these will not be restarted. If NSM is activated because of a program crash in NVC


Norman Service Monitor (NSM) 14

for Exchange or Exchange itself, this does not represent a problem. However, if the administrator has deliberately shut down the Information Store on the server, NVC for Exchange will detect this and call NSM to alert that the requested service was not active. In this case services which are dependent on the Information Store are also stopped, but are not started by NSM.



ConfigurationVirus scanning

Scan mailboxes on startup/updateSelect this option if you want Exchange 2000/2003 to scan all mailboxes on the server. A scan is performed each time the server is rebooted or the scanner is reloaded. All e-mails are scanned if new virus definition files are added since the last scan. (Mailboxes on the local computers will of course not be scanned when this option is on - this applies to e-mails not yet downloaded from the user’s mailbox on the server.)This option is useful in a situation with the following scenarios: 1) Mailboxes on the server are already infected, and 2) The administrator downloads new virus definition files each Friday


Configuration 16

after working hours. This setting will ensure that all e-mail is scanned during the weekend with updated anti-virus tools.Administrators should note that when this option is selected, it may generate unnecessary workload on the server. In most cases the on-access component is sufficient. Scan inside archive files

When this option is selected, NVC for Exchange will scan recursively inside archive files for all supported formats. This will take more time and may consume more memory, but it’s the safest option to ensure that your server is absolutely virus free. Scan for new, unknown viruses using Sandbox

NVC employs its sandbox functionality to detect new, unknown viruses. Select this option if you want NVC to look out for new virus variants. The sandbox is particularly tuned to find new e-mail-, network- and peer-to-peer worms and file viruses, and will also react to unknown security threats. When a new piece of malicious code is detected, the system administrator receives a message through NVC’s messaging system listing the vital facts.When this option is selected, scanning time will increase, but it is not likely to affect the performance considerably. For more information about the sandbox, please refer to ‘Appendix A - Sandbox’ on page 22.Virus handlingThese settings decide how infected e-mails are handled.

Clean infected files

All virus infected attachments will be cleaned. When the entire file is the virus, like trojan horses and worms, it is cleaned by deletion. Remove if not cleaned

If an error occurs during the cleaning of an attachment, it will be removed. If an archive file contains an infected file, and cleaning within archives of that format is not possible, the archive file will be removed. Temporary deny access if unable to scan



If an error occurs during the scanning of an attachment, access to the e-mail is blocked. Such errors may occur when the server is under heavy workload. The attachment will be scanned correctly the next time it’s accessed. However, this may also affect damaged files, and access to damaged attachments is blocked. If there are damaged e-mails and attachments on the server, you should deselect this option. Note the potential risk of letting infected files pass uncleaned.

Remove infected attachment

All infected attachments will be removed. Delete massmailers from server (Exchange 2003 only)

Massmailers like Netsky and Bagle are distributing themselves as e-mails, where the e-mail that carries the malware is the virus per se as the e-mail is illegitimate with the sender missing. If you select this option, the entire e-mail(s) are removed from the server, rather than only removing the infected attachment.


Configuration 18

Quarantine

No quarantine

No files are quarantined.

Quarantine infected attachments

All infected attachments are quarantined.

Quarantine only if deleted

Only deleted attachments are sent to quarantine.



Attachment blocking

Block all attachmentsAll attachments are blocked. See also the note on page 20. Block attachments with double extensions

Many worms and e-mail viruses apply a technique where an additional extension is added, for example <filename>.jpg.vbs. Most e-mail clients will hide the last extension so that the attachment appears to only have the extension .jpg. However, this feature is not only used by viruses - nexscan.hlp.zip and todolist 20.dec.doc are both treated as double extensions. Block attachments with CLSID extensions

Some recent worms and e-mail viruses apply a CLSID technique to fool e-mail scanners and blocking software. They take advantage of a feature in Windows which makes it possible to


Configuration 20

replace an .exe extension with a{...} extension and thus evade blocking of .exe files. Since there is no reason for legal attachments to use this type of extension, this behavior is blocked by default. Block encrypted archives

Another technique that worms now apply is to distribute themselves as encrypted archive files, trying to trick the user into decrypting and running the file. One example is the the Bagle worms, which are sending themselves attached as encrypted archives. Note that legitimate files may be sent using the same method. If you select this option, all encrypted archive files of a format known to NVC are blocked. NVC recognizes most archive formats. Please refer to the Reference Guide for details.Block named attachments/extensionsIn this field you can specify file names that should be blocked. Wildcard (‘*’) is accepted for blocking of specified extensions. For obvious reasons, only wildcard for file names is allowed, i.e. *.vbs. To the average user, file types like .vbs, .pif or .lnk are hardly critical. You should also consider to block extensions/file types like .exe, .com and .bat as these also represent a potential risk for virus infections. In this field you can also block specific attachments with names known to contain viruses, such as AnnaKournikova.jpg.vbs. Theoretically, you may block a virus before updated virus definition files are released from the vendor.Note:Blocking e-mail attachments is an effective measure to stop viruses from entering your system. Blocking affects new e-mails as well as old mails already stored when these are accessed or scanned with different configuration settings. Incorrect use of the blocking utility may cause loss of data. For example: during a nasty virus epidemic the system administrator decides to select Block all attachments to prevent the new virus from infecting the entire network. The company stores all mail on the server, which is quite normal. In addition to



delete all new, incoming attachments, old e-mail attachments may be deleted too as a result of background or on-access scanning. A visible warning appears when you select this option, and you should be aware of the possible consequences.


Configuration 22

Appendix A - Sandbox

BackgroundThe vision of inventing a method that automatically detects new, unknown viruses is as old as the antivirus industry itself. Throughout the years, the AV business has invested significant resources to come up with a solution which could fulfill this ambitious goal.At the Virus Bulletin Conference in 2001, Norman produced a fully functional prototype of a scanning engine with sandbox functionality.

What is a sandbox?Sandbox is the term that best describes the technique that is used to check if a file is infected by an unknown virus. The name is not randomly picked, because the method allows untrusted, possible viral code to play around on the computer – not in the real computer, but in a simulated and restricted area within the computer. The sandbox is equipped with everything a virus expects to find in a real computer. This is a playground where it is safe to let a virus replicate, but where every step is carefully monitored and logged. The virus is exposing itself in the sandbox, and because its actions have been recorded, the cure for this new perpetrator can be generated automatically. Today, a new e-mail worm can infect ten thousands of workstations in a matter of seconds. The AV vendors are expected to find the cure, update the virus definition files, and distribute these to its customers immediately. The need for speed is imperative, because the nature of today’s malware is such that a “successful” piece of viral code can paralyze networks and cause serious damage to an unlimited number of computers.



Sandboxing techniquesSandboxing using emulationA computer virus is a computer program, defined through its behavior. It will transfer code/data to other computer files. When these other computer file in turn is given control, the virus code is somehow activated, trying to infect other computer files. This process is called replication. For a computer program to be called “viral”, it must be able to perform this task recursively.Norman’s sandbox is a virtual world where everything is simulated. It is powered by an emulator, and together they let possible virus infected binary executables “run” just as they would do on a real system. When execution stops, the sandbox is analyzed for changes.Sandboxing using a virtual machineIt is also possible to build a sandbox by creating a VM (Virtual Machine). The idea is to block all exits, so the executable you are examining cannot escape. However, we don’t consider this solution as safe enough. There will always be “another” exploit of the PC’s processor, some weird interrupt/exception/fault etc. that will allow malicious code to escape a VM, and spread to your real system.

How does sandboxing affect the user?The fundamental idea about the sandbox is to offer better protection for the user. A major challenge is to integrate the new technology in the product without slowing down scanning speed. The other capital problem —false alarms—has already been solved. Norman’s sandbox technology is officially introduced with NVC v5.60, even through is has been “covertly” used by the scanning engine for some time. But as of v5.60 the sandbox is visible among the configuration options in certain modules.


Index 25

Copyright © 1990-2008 Norm

Index—A—

administrator vAttachment blocking

Block all attachments 19Block attachments with CLSID

extensions 19Block attachments with double ex-

tensions 19Block encrypted archives 20Block named attachments/exten-

sions 20

—B—Block all attachments 19Block attachments with CLSID exten-

sions 19Block attachments with double exten-

sions 19Block encrypted archives 20Block named attachments/extensions

20

—C—Clean infected files 16CLSID extensions 19

—D—Deelete massmailers from server (Ex-

change 2003 only) 17double extensions 19

—E—e-mail worms 16Exchange Information Store 11

—I—Information Store 14

—N—network worms 16No quarantine 18Norman Internet Update (NIU) 12Norman Service Monitor (NSM) 11, 13NSM 13, 14

—Q—Quarantine

No quarantine 18Quarantine infected attachments

18Quarantine only if deleted 18

Quarantine infected attachments 18Quarantine only if deleted 18

—R—Remove if not cleaned 16Remove infected attachments 17Requirements, system v

—S—Sandbox

Scan for new, unknown viruses us-ing Sandbox 16

sandbox 16Sandboxing

emulation 23virtual machine 23

Scan for new, unknown viruses using Sandbox 16

Scan inside archive files 16Scan mailboxes on startup/update 15System requirements v

—T—Technical support viTemporary deny access if unable to

scan 16

an

26 Index

—V—Virtual Machine (VM) 23Virus scanning

Clean infected files 16Delete massmailers from server

(Exchange 2003 only) 17Remove if not cleaned 16Remove infected attachments 17Scan mailboxes on startup/update

15Temporary deny access if unable

to scan 16


Documents

Norman Virus Control for Exchange Version 5.95 User’s Guide