[Topic 22779]

About Kaspersky Security 9.0 for Microsoft Exchange Servers

Kaspersky Security 9.0 for Microsoft Exchange Servers is an application designed for protecting mail servers based on Microsoft Exchange Server against viruses, Trojans, worms and other types of threats that could be transmitted via email, as well as against spam and phishing.

Kaspersky Security provides anti-spam protection on the level of your corporate mail server, saving your employees the trouble of deleting unwanted mail manually.

Kaspersky Security protects mailboxes, public folders, and relayed mail traffic on a Microsoft Exchange Server against malware, spam, and phishing. Kaspersky Security scans all e-mail traffic passing through the protected Microsoft Exchange Server.

Kaspersky Security can perform the following operations:

• Scan mail traffic, incoming and outgoing mail, as well as email messages stored on the Microsoft Exchange Server (including shared folders) for malware. The scan processes the message and all of its attachments. Depending upon the selected settings, the application disinfects and removes detected harmful objects and provides users with complete information about them.
• Filter mail traffic to prevent unsolicited mail (spam) and messages with fake senders (spoofing). The Anti-Spam component scans mail traffic for spam content. In addition, Anti-Spam allows you to create black and white lists of sender addresses and supports flexible configuration of anti-spam scanning sensitivity.
• Scan mail traffic for phishing and malicious URLs.
• Filter attachments in email messages by format, name, and size of attached files.
• Save backup copies of objects (an object consists of message content and its attachments) and spam messages prior to their disinfection or deletion to enable subsequent restoration, if required, thus preventing the risk of data losses. Configurable filters allow the user to easily locate specific stored objects.
• Notify the sender, the recipient and the system administrator about messages that contain malicious objects.
• Manage identical settings of multiple Security Servers in centralized mode by means of profiles.
• Maintain event logs, display statistics, and create regular reports on application activity. The application can create reports automatically according to a schedule or manually.
• Configure the application settings to match the volume and type of relayed mail traffic, in particular, define the maximum connection wait time to optimize scanning.
• Update the Kaspersky Security databases automatically or in manual mode. Updates can be downloaded from the FTP and HTTP servers of Kaspersky, from a local / network folder that contains the latest set of updates, or from user-defined FTP and HTTP servers.
• Re-scan old (previously scanned) messages for the presence of new viruses or other threats according to a schedule. This task is performed as a background scan and has little effect on the mail server’s performance.
• Perform anti-virus protection on storage level based on the list of protected storages.

[Topic 27818]

Distribution kit

Kaspersky Security is available from online stores of Kaspersky (for example, http://www.kaspersky.com, in the eStore section) and from partner companies.

Kaspersky Security is supplied as part of Kaspersky Security for Mail Servers and Kaspersky Total Security.

After buying a license for Kaspersky Security, you will receive an email with a link for downloading the application from the eStore website along with an application key file, or a CD with the distribution kit containing the application files and manuals.

Before breaking the seal on the envelope with the installation disk, carefully read through the EULA.

[Topic 100302]

What's new

Kaspersky Security has the following new capabilities and improvements:

• Attachment filtering based on individually configured rules.
• Filtering of mass messages of the same type.
• Forwarding of unchanged objects from Backup to their original recipients.
• Forwarding of Backup objects to any other manually defined email addresses.
• Editing of the contents of the informational file that the application attaches to a message in place of the original attachment that was deleted based on the results of a virus scan or attachment filtering.

Kaspersky Security 9.0 for Microsoft Exchange Servers is compliant with General Data Protection Regulation (GDPR) and applicable European Union laws on confidential information, personal data and data protection.

The Maintenance Release 5 version of the application does not support Data Leak Prevention functionality. After the application is upgraded, the DLP Module and its related data will be unavailable. If your organization requires continued use of the DLP Module, install the Maintenance Release 4 version of the application.

[Topic 28855]

Hardware and software requirements

For Kaspersky Security to work properly, the computer should meet the hardware and software requirements listed below.

Hardware requirements

The hardware requirements for installing the Security Server are identical to the hardware requirements for a protected Microsoft Exchange server, except for the RAM volume. The Management Console is installed together with the Security Server.

Hardware requirements for installing the Security Server:

• Processor – according to the hardware requirements for the protected Microsoft Exchange server;
• At least 2 GB of free RAM
• 6 GB of available disk space

  Additional disk space may be required depending on the application settings and operation mode.

The Management Console can be also installed separately from the Security Server.

Hardware requirements for the Management Console installation:

• Intel Pentium 400 MHz or faster processor (1000 MHz is recommended)
• 256 MB of free RAM
• 500 MB of available disk space for installing the application

Software requirements

The Security Server can be installed under one of the following operating systems:

• Microsoft Windows Server 2019 Standard or Datacenter (Desktop Experience);
• Microsoft Windows Server 2016 Standard or Datacenter;
• Microsoft Windows Server 2012 R2 Standard or Datacenter;
• Microsoft Windows Server 2012 Standard or Datacenter;
• Microsoft Windows Small Business Server 2011 SP1 Standard;
• Microsoft Windows Server 2008 R2 SP1 Standard, Enterprise or Datacenter.

The following software is required to install the Security Server:

• One of the following mail servers:
  • Microsoft Exchange Server 2019 deployed in at least one of the following roles: Mailbox or Edge Transport.
  • Microsoft Exchange Server 2016 deployed in at least one of the following roles: Mailbox or Edge Transport.
  • Microsoft Exchange Server 2013 SP1 deployed in at least one of the following roles: Mailbox, Hub Transport, or Client Access Server (CAS);
  • Microsoft Exchange Server 2010 SP3 deployed in at least one of the following roles: Hub Transport, Mailbox, or Edge Transport;
• Microsoft .NET Framework 4.5.
• One of the following database management systems (DBMS):
  • Microsoft SQL Server 2017 Express, Standard, or Enterprise;
  • Microsoft SQL Server 2016 Express, Standard, or Enterprise;
  • Microsoft SQL Server 2014 Express, Standard, or Enterprise;
  • Microsoft SQL Server 2012 Express, Standard, or Enterprise.

Management Console can be installed under one of the following operating systems:

• Microsoft Windows Server 2019 Standard or Datacenter (Desktop Experience);
• Microsoft Windows Server 2016 Standard or Datacenter;
• Microsoft Windows Server 2012 Standard or Datacenter;
• Microsoft Windows Server 2012 R2 Standard or Datacenter;
• Microsoft Windows Small Business Server 2011 SP1 Standard;
• Microsoft Windows Server 2008 R2 SP1 Standard, Enterprise or Datacenter;
• Microsoft Windows 7 SP1 Professional, Enterprise or Ultimate;
• Microsoft Windows 8;
• Microsoft Windows 8.1;
• Microsoft Windows 10;

Installation of the Management Console requires the following software:

• Microsoft Management Console 3.0;
• Microsoft .NET Framework 4.5.

To install any of the listed application components, you must install Microsoft Windows update KB2999226.

To install the administration plug-in, you must have one of the following versions of Kaspersky Security Center:

• Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1
• Kaspersky Security Center 10 Service Pack 2 Patch a
• Kaspersky Security Center 10 Service Pack 3.

[Topic 101616]

About data provision

The application uses data whose processing requires the consent of the Kaspersky Security administrator.

You can view the list of data and the terms of its use, and give consent to data processing in the following agreements concluded between your organization and Kaspersky:

• In the End User License Agreement and the Privacy Policy.

  According to the terms of the accepted End User License Agreement, you agree to automatically send Kaspersky the information listed in the End User License Agreement under "Data Provision". This information is needed to improve the level of real-time protection.

• In the Kaspersky Security Network Statement.

  If you participate in Kaspersky Security Network and send KSN statistics to Kaspersky, information received during operation of the application may also be transmitted. The list of data sent is given in the Kaspersky Security Network Statement.

  You can read the terms of the Kaspersky Security Network Statement in the following ways:

  • By clicking the KSN Participation Agreement link in the Settings node.
  • By reading the ksn_agreement.rtf document located in the application installation folder.

  Participation in Kaspersky Security Network is voluntary. You can opt out of participating in Kaspersky Security Network at any time.

• In the section titled Working with personal data of users.

  The Kaspersky Security administrator must become familiar with the list of such data and ensure its security.

Kaspersky protects any received information pursuant to the legal requirements and effective Kaspersky rules.

[Topic 22793]

Application architecture

[Topic 26311]

Application components and their purpose

Kaspersky Security consists of three basic components:

• The Security Server is installed on the Microsoft Exchange server and is responsible for protection against viruses and filtering of mail traffic against spam and phishing content. Security Server intercepts messages coming to the Microsoft Exchange Server and scans them for viruses, spam and phishing content using embedded Anti-Virus and Anti-Spam modules, respectively. If an incoming message is infected with a virus or if a message contains indicators of spam or phishing links, the application takes the actions defined in the settings of the corresponding module.
• The Management Console is a dedicated isolated snap-in integrated into Microsoft Management Console 3.0. You can use the Management Console to create and edit the list of protected Microsoft Exchange servers and manage Security Servers. The Management Console can be installed both on a Microsoft Exchange server with the Security Server and on a remote computer.
• The Kaspersky Security for Microsoft Exchange Servers administration plug-in includes libraries allowing you to manage a protected object through Kaspersky Security Center.

[Topic 26302]

Security Server modules

Security Server consists of the following modules:

• Email interceptor. Intercepts messages arriving on the Microsoft Exchange server and forwards them to Anti-Virus and Anti-Spam. This module is integrated into Microsoft Exchange processes using either VSAPI 2.6 or Transport Agents technology depending on the role in which the Microsoft Exchange server has been deployed.

  When installing Kaspersky Security, a transport agent named Kaspersky Antispam filter agent is registered on the Microsoft Exchange server that has the highest priority. Do not change the priority of this transport agent. Doing so may reduce the effectiveness of protection.

• Anti-Virus. Scans messages for viruses and other malicious objects. This module comprises an anti-virus kernel and a storage for temporary objects, which is used for scanning objects in RAM. The storage is located in the working folder Store.

  The Store folder is created in the application data storage folder (by default: <application setup folder>/data). You have to exclude it from scanning by anti-virus applications installed on the corporate network. Otherwise, Kaspersky Security may operate incorrectly.

• Anti-Spam. Filters out unsolicited mail. Copies of deleted messages can be stored in Backup.
• Internal Application Management and Integrity Control Module. It is the Kaspersky Security 9.0 for Microsoft Exchange Servers service in Microsoft Windows.

  The module is started automatically when the first message passes through the Microsoft Exchange server;

  This service does not depend on the state of the Microsoft Exchange Server (whether it is started or stopped), so the application can be configured when the Microsoft Exchange Server is stopped.

  The Internal Application Management and Integrity Control Module should be running at all times. Do not end the Kaspersky Security 9.0 for Microsoft Exchange Servers service manually, as this will disable the Security Server and stop the scanning process.

[Topic 134320]

Backup and statistics database

The application stores Backup data and application statistics in a special database deployed on a Microsoft SQL Server, the so-called the Backup and statistics database (hereinafter also database).

During installation, the application can create a new database or use an existing database. When the application is removed, the database can be saved on an SQL server for future use.

The Backup and statistics database can be stored locally on one computer with the Security Server or on a remote computer on the corporate LAN.

Kaspersky Security does not encrypt data transmitted between the Security Server and the database. When the database is hosted on a remote computer, you have to manually encrypt data transmitted via communication channels if such encryption is required by the information security policy of your company.

Some part of the application configuration data are stored in the database. The application does not control unauthorized modification of those data nor their integrity. You will have to take your own steps in order to protect the data against unauthorized access and control the data integrity.

When creating an SQL database, the server uses local collation rules. Take the Collation parameter into account when installing the application to avoid register-dependent behavior and errors when connecting to the database.

Database settings

The Backup and statistics database settings are stored in the following configuration file:

<application setup folder>\Configuration\BackendDatabaseConfiguration2.config

It is an editable XML file. It contains the following settings:

• AdditionalConnectionParameters – additional settings of the SQL server connection. The value of this setting is automatically defined by the application based on the information provided by the administrator during installation of the application.
• SqlServerName : name of the SQL server. It is specified by the application automatically as <SQL server name>\<copy> based on information provided by the administration during installation of the application.
• DatabaseName – name of the main database. It is specified by the application automatically based on information provided by the administration during installation of the application.
• FailoverPartner: settings (SQL server and instance) of the database mirror. They are specified by the application automatically as <SQL server name>\<copy>.

In the Additional connection parameters field, it is not recommended to define the SqlServerName and DatabaseName settings because they are already defined in the Name of SQL server and Database name fields.

Database mirroring

The application supports the Database Mirroring technology. If this technology is used in the configuration of your SQL server, the application will use it automatically. In other words, if the main Backup and statistics database fails or is disabled, the application automatically switched to using a database mirror. The application automatically switches back to the primary database as soon as it has been restored.

If the application is installed with or works with an SQL database configured with AlwaysOn technology, you must synchronize the rights between all servers that belong to the database mirroring group.

[Topic 28935]

Common application deployment procedures and scenarios

This section describes the Microsoft Exchange mail infrastructure configurations in which Kaspersky Security can be deployed.

[Topic 26303]

Basic application installation models

You can choose one of the two application deployment models depending on your corporate Microsoft Exchange infrastructure:

• The Security Server is installed on the computer hosting the stand-alone Microsoft Exchange Server. Management Console is installed on the same computer.
• The Security Server is installed in the Database Availability Group (hereinafter also "DAG"). In this case, the Security Server and Management Console must be installed together on each Microsoft Exchange server belonging to the DAG.

You can also install Management Console on any other computer in your enterprise network for remote management of Security Servers.

Page top

[Topic 67854]

Special considerations when installing the application on a standalone Microsoft Exchange server

The application can be installed on one or several standalone Microsoft Exchange servers. Security Server and Management Console used to manage Security Server can be installed on the same Microsoft Exchange server.

If necessary, you can install the Management Console separately from the Security Server on any computer on the corporate network for remote management of the Security Server. If several administrators work concurrently, Management Console can be installed on each administrator's computer.

Management Console connects to the Security Server via TCP port 13100. You have to open this port in the firewall on a remote Microsoft Exchange server or add the Kaspersky Security for Microsoft Exchange Servers service to the list of trusted applications for the firewall.

[Topic 49503]

Special considerations when installing the application in a Microsoft Exchange database availability group

Kaspersky Security can be installed on servers included in a Microsoft Exchange Database Availability Group (DAG). In this case, the Security Server and Management Console must be installed together on each Microsoft Exchange server belonging to the DAG. You can also install Management Console on any other computer in your enterprise network for remote management of Security Servers.

The application automatically identifies a DAG during installation. The order in which the application is installed on nodes within a DAG is irrelevant.

The specifics of Kaspersky Security installation in the DAG are as follows:

• A single database must be used for all DAG nodes. To do this, specify a single database during Kaspersky Security installation on all nodes of the DAG.
• The account used to perform the installation procedure must be authorized to write to the Active Directory configuration section.
• If a firewall is enabled on the DAG servers, the Kaspersky Security for Microsoft Exchange Servers service must be added to the list of trusted applications on each server within the DAG. This is necessary to ensure the interaction between Kaspersky Security and Backup.

While the previous version of the application is being upgraded on all servers of the DAG, we recommend that you avoid connecting to these servers using the Management Console, or editing the application settings. Doing so may cause the update to end in an error, which may result in application malfunctions. If the connection needs to be established during an update, before connecting make sure that the Security Server version matches the version of the Management Console used for establishing the connection.

When the application is installed on all servers of a DAG, most of the application settings are stored in Active Directory, and all the DAG servers use those settings. Kaspersky Security automatically detects active servers and applies the Active Directory settings to them. However, the individual settings of the Microsoft Exchange Server have to be defined manually for each server. Examples of individual settings of the Microsoft Exchange Server include: anti-virus protection settings for the Hub Transport role, anti-spam scan settings, Backup settings, settings of the Anti-Spam and Anti-Virus reports for the Hub Transport role, and Anti-Spam database update settings.

Using profiles to configure DAG servers has the following particularities:

• You can add DAG servers to a profile only all at once.
• When a DAG is added to a profile, all servers and all their roles (including the Hub Transport role) are added to this profile.
• You can remove DAG servers from a profile only all at once.

After Kaspersky Security is uninstalled from DAG servers, the configuration is stored in Active Directory and can be used to reinstall the application.

[Topic 89867]

Application deployment models

Before deploying the application, prepare the following accounts:

• Account for installing the application. The Application Setup Wizard and the Application Configuration Wizard are started under this account.
• Account for launching the application service. If the SQL server is hosted by the same computer on which the application is installed, the role of this account can be performed by the Local System account. In this case, you do not need to create a special account for launching the service.
• Account for preparing the database. Under this account, the Installation Wizard prepares the application database on the SQL server. This account is not used after the installation has been completed.

In order for the application to work properly, TCP port 13100 must be opened on all computers that will host the Security Server and Management Console as well as along the path of data transmission between them.

You can deploy the application under one of the following scenarios:

• Scenario of application deployment with the full set of access privileges.
• Scenario of application deployment with a limited set of access privileges.

[Topic 89868]

Scenario of application deployment with the full set of access privileges

This deployment scenario is suitable for you if you have sufficient privileges to perform all installation operations on your own without the assistance of other specialists and if your account has the appropriate set of access rights.

To deploy the application with the full set of access rights:

1. Make sure that the account intended for deploying the application is included in the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application.
2. Make sure that the account intended for deploying the application is included in the "Domain Administrators" and "Enterprise Administrators" groups. If not, include the account in these groups. This is needed in order for the Installation Wizard to be able to create a configuration storage and a role-based access group in Active Directory.

   If the application already has been installed on at least one computer on the enterprise LAN, all you need to install the application on other computers on the enterprise LAN is a local administrator account. In this case, the user account used for installing the application must be granted permissions to read the Microsoft Exchange configuration from the following Active Directory container and all its child objects:
   CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

3. Assign the sysadmin role on the SQL server to the account intended for preparing the database. These permissions are required to create and configure the database. The user account must also have the Allow Logon Locally permission granted in the local security policy on the Microsoft Exchange server on which the application is being installed.
4. Add the account intended for launching the service to the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application.

   If you previously removed the Debug Programs permission granted to the Administrators group by default, grant this permission to the user account under which the service is intended to run.

5. Add the account intended for launching the service to the Organization Management group. This is required for the application to retrieve the configuration settings of the Microsoft Exchange server.
6. Run the Application Installation Wizard and the Application Setup Wizard, and then follow their steps.
7. Assign dedicated user roles to the accounts owned by users who perform corresponding duties in your company. To do this, add user accounts to the following account groups in Active Directory:
   • Add administrator accounts to the Kse Administrators group.
   • Add the accounts of anti-virus security officers to the Kse AV Security Officers group.
   • Add the accounts of anti-virus security operators to the Kse AV Operators group.
8. Perform replication of Active Directory data across the entire organization. This is required in order for application settings saved in Active Directory to become available for subsequent installations of the application on other Microsoft Exchange servers at your organization.

When creating an SQL database, the server uses local collation rules. Take the Collation parameter into account when installing the application to avoid register-dependent behavior and errors when connecting to the database.

If the application is installed with or works with an SQL database configured with AlwaysOn technology, you must synchronize the rights between all servers that belong to the database mirroring group.

[Topic 89869]

Scenario of application deployment with a limited set of access privileges

This deployment scenario is suitable for you if the security policy of your organization does not allow performing all application installation operations under your account and restricts access to the SQL server or Active Directory. For example, this can happen when the database at your organization is administered by a different specialist with full access to the SQL server.

To prepare for installation with a limited set of permissions to access the SQL server or Active Directory:

1. Make sure that the account intended for deploying the application is included in the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application. If not, include the account in this group.
2. Create the following container in Active Directory:

   CN=KasperskyLab,CN=Services,CN=Configuration,DC=domain,DC=domain

3. Configure full access to this container and to all of its child objects for the account intended for the application installation.
4. Create a group of Kse Watchdog Service accounts. The type of group is "Universal". Include in this group the account intended for launching the application service. If a Local System account is used as this account, also include in the Kse Watchdog Service group the account of the computer on which installation is performed.
5. Add the Kse Watchdog Service group to the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application.

   If you previously removed the Debug Programs permission granted to the Administrators group by default, grant this permission to the Kse Watchdog Service group.

6. Provide the Kse Watchdog Service group with the rights to read data from the Active Directory container, which stores the configuration data of Microsoft Exchange:

   CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain

7. (Only applicable for Microsoft Exchange 2013 and Microsoft Exchange 2016 servers). Provide the Kse Watchdog Services group with the ms-Exch-Store-Admin right. To do this, run the following command in the Exchange Management Shell console:

   Add-ADPermission -Identity "<path to container with configuration of Microsoft Exchange>" -User "<domain name>\Kse Watchdog Service" -ExtendedRights ms-Exch-Store-Admin

   For example:

   Add-ADPermission -Identity "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain" -User "domain\Kse Watchdog Service" -ExtendedRights ms-Exch-Store-Admin

8. (Applicable for Microsoft Exchange 2013 / 2016 servers). Provide the Kse Watchdog Service group with the right to run under a different name (impersonation). To do this, run the following command in the Exchange Management Shell console:

   New-ManagementRoleAssignment -Name KSE_IMPERSONATION -Role applicationImpersonation -SecurityGroup "Kse Watchdog Service"

9. If you want to use on-demand scan for selected mailboxes on Microsoft Exchange 2010 servers, grant the Kse Watchdog Service group the right to run under a different name (impersonation). To do this, run the following command in the Exchange Management Shell console:

   New-ManagementRoleAssignment -Name KSE_IMPERSONATION -Role applicationImpersonation -SecurityGroup "Kse Watchdog Service"

10. Create the following account groups: Kse Administrators, Kse Security Officers, Kse AV Security Officers, and Kse AV Operators. These groups can be created in any of the organization's domains. The type of groups is "Universal".
11. Perform replication of Active Directory data across the entire organization.
12. Assign the appropriate user roles to the accounts owned by users who perform the corresponding duties in your organization. To do this, add user accounts to the following account groups in Active Directory:
    • Add administrator accounts to the Kse Administrators group.
    • Add the accounts of security officers to the Kse Security Officers group.
    • Add the accounts of anti-virus security officers to the Kse AV Security Officers group.
    • Add the accounts of anti-virus security operators to the Kse AV Operators group.
13. Ensure creation of the application database. Perform this operation on your own or delegate it to an authorized specialist.
14. Create accounts for the following Active Directory groups on the SQL server: Kse Administrators, Kse AV Security Officers, and Kse Watchdog Service.
15. Ensure that the Kse Watchdog Service group of accounts is assigned the db_owner role on the application database level.
16. Ensure that the account intended for preparing the database is assigned the db_owner role on the application database level and the VIEW ANY DEFINITION permission on the SQL server level.

    If you do not grant the VIEW ANY DEFINITION permission to the account, a message prompting you for the ALTER ANY LOGIN permission will appear on the screen when the Setup Wizard checks for roles and permissions of users to access the application database. The ALTER ANY LOGIN permission is required by the Setup Wizard to create SQL server users, assign roles to those users, and grant them permissions to use the database.

17. If you plan to manage the application using Kaspersky Security Center, add the accounts of all computers on which you are installing Kaspersky Security to the KSE Administrators group in Active Directory.

    If you have not added user accounts of all computers on which you are installing Kaspersky Security into the KSE Administrators group in Active Directory, the screen will display a message containing information about how to ensure the capability to manage the application using Kaspersky Security Center.

18. Ensure that the steps of the Application Installation Wizard and Application Configuration Wizard are performed under the account intended for installing the application.
19. Perform replication of Active Directory data across the entire organization. This is required in order for application settings saved in Active Directory to become available for subsequent installations of the application on other Microsoft Exchange servers at your organization.

If the application is installed with or works with an SQL database configured with AlwaysOn technology, you must synchronize the rights between all servers that belong to the database mirroring group.

[Topic 28899]

Upgrading the application

You can upgrade the following application versions:

• Kaspersky Security for Microsoft Exchange Servers 9.0 Maintenance Release 2 and above to version 9.0 Maintenance Release 5.
• Kaspersky Security for Microsoft Exchange Servers 9.0 Maintenance Release 3 and above to version 9.0 Maintenance Release 5 Hotfix 1.

Upgrading from earlier versions is not supported.

The application is upgraded using the Setup Wizard.

The Maintenance Release 5 version of the application does not support Data Leak Prevention functionality. After the application is upgraded, the DLP Module and its related data will be unavailable. If your organization requires continued use of the DLP Module, install the Maintenance Release 4 version of the application.

[Topic 97927]

Requirements for application upgrade

The application upgrade must meet the following requirements:

• The user account for which the application update is planned must be included in the Domain Admins group and in the Kse Administrators group in Active Directory.

  If an update was already performed on at least one Security Server or Management Console in the corporate network, all you need is a local administrator account to update the remaining instances of the application on other corporate computers. In this case, the user account used for upgrading the application must be granted permissions to read the Microsoft Exchange configuration from the following Active Directory container and all its child objects:
  CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

• It is recommended to upgrade the application in a sequence on all Security Servers and Management Console deployed on the corporate network. If the application upgrade has failed on any Security Server, you will be able to connect to this Security Server only using the Management Console of the previous version.
• It is recommended to upgrade the application on Microsoft Exchange servers running within a DAG configuration as quick as possible.
• SQL server hosting the application database must remain accessible during the upgrade procedure. Otherwise the upgrade will fail.
• In order for the application to work properly, TCP port 13100 must be opened on all computers where the application will be upgraded as well as along the path of data transmission between them.
• During the update procedure the application's Setup Wizard accesses the application's database. The account for which the upgrade procedure is planned must have the following access rights:
  • For the SQL server: the ALTER ANY LOGIN, ALTER ANY CREDENTIAL and VIEW ANY DEFINITION rights.
  • To the database: db_owner role.
• On all computers on which an application update is planned, Microsoft Windows update KB2999226 must be installed.

[Topic 97928]

Transferring application settings and data when upgrading to version 9.0 Maintenance Release 5

Updating the Management Console component

On the computer with only Management Console installed, the Installation Wizard only performs the update of Management Console. The Installation Wizard installs no Security Server modules on this computer.

Application settings do not change after Management Console is updated. The settings of the Microsoft Management Console interface take their default values.

Updating the Security Server component

On the computer with Security Server installed, the Installation Wizard updates all Security Server modules.

During an update, the Installation Wizard transfers the values of settings and data from the previous version of the application to the new version as follows:

• The license for the previous version of the application remains effective for the new version. The end date of the license validity period remains unchanged.
• The Backup and statistics database connected to the application will be upgraded to 9.0 Maintenance Release 5.

  If you do not upgrade the application but remove it and then install 9.0 Maintenance Release 5 instead, the previous version of the Backup and statistics database will not be upgraded to 9.0 Maintenance Release 5, which will make it inoperable in the application.

• The application automatically transfers the white list and black list of Anti-Spam addresses from the first updated server of the DAG group to all other servers of the DAG group.

  If you are using different white lists or black lists of Anti-Spam addresses for different servers of the DAG (applicable for application version 9.0 Maintenance Release 2), you are advised to export the lists of Anti-Spam addresses from all servers of the group to files and import the saved lists to the first server of the group prior to upgrading the application. During the update, this list will be applied to all servers of the group. You can also synchronize the white lists / black lists of Anti-Spam addresses in the PowerShell environment for all servers of the DAG group with the white lists / black lists of the first server of the DAG group.

• The use of Kaspersky Security Network is disabled automatically. If you are planning to use KSN, you must accept the terms of the Kaspersky Security Network Statement in the KSN Settings section of the Settings node. The KSN usage settings in Anti-Virus and in Anti-Spam remain unchanged after the application is upgraded.

  Upgrading the application does not affect the settings for use of Kaspersky Private Security Network.

• The values of other application settings defined in the previous version will be applied without changes to the corresponding settings in the new version.
• Backup and statistical data will be preserved.

[Topic 97930]

Application update procedure

The account under which you intend to perform the upgrade, must be included in the Domain Admins group.

During upgrade of Kaspersky Security, restart of MSExchangeTransport service and MSExchangeIS service is required. Services will be restarted automatically without additional prompts.

Prior to updating, exit the Management Console if it is started.

To upgrade the application:

1. Run the setup.exe file from the application installation package on the computer on which you want to upgrade the application.

   A window with the text of the End User License Agreement opens.

2. Carefully read and accept the terms of the End User License Agreement and the Privacy Policy by selecting the corresponding check boxes. Then click Next.
3. Please read the warning about the unavailability of the DLP Module in the Maintenance Release 5 application version. Perform one of the following actions:
   • If your organization requires continued use of the DLP Module for Data Leak Prevention, click the Cancel button and cancel the current upgrade.
   • If you are ready to stop using the DLP Module, click the Next button.
4. In the window that opens, click the Install button.

   The Setup Wizard will perform subsequent application upgrade steps automatically.

5. When the application upgrade process finishes, click Finish to exit the application Setup Wizard.

All application components and modules installed on the computer are upgraded.

During Kaspersky Security installation, the Setup Wizard adds the account of the computer running the installation to the KSE Administrators group in Active Directory. You will have to add the computer account to the KSE Administrators group if you need to manage Kaspersky Security through Kaspersky Security Center.

[Topic 132228]

Installing, restoring, and removing the application

This section provides information about the application installation, initial setup, recovery, and uninstallation.

[Topic 28917]

Installing the application using the Setup Wizard

During Kaspersky Security installation, services of MSExchangeTransport and MSExchangeIS will need to be restarted. Services will be restarted automatically without additional prompts.

You can install the application by running the Setup Wizard, which guides you through every step of the setup process. The Back and Next buttons can be used to navigate between the screens of the Setup Wizard. The Cancel button allows you to exit the setup wizard.

When installing from the command line, the default settings may differ from the default settings that are configured when installing with the Setup Wizard.

Before running the application installation, make sure that you have completed all the required preparations.

The first time Kaspersky Security is installed in an organization, the Application Setup Wizard automatically adds the account of the computer running the installation to the KSE Administrators group in Active Directory. You will have to add a computer account to the KSE Administrators group if you intend to manage Kaspersky Security through Kaspersky Security Center.

If installation has already been performed on at least one computer in the enterprise network, all you need is a local administrator account to install an identical application version to other enterprise computers. In this case, the user account used for application setup must be granted permissions to read the Microsoft Exchange configuration from the following Active Directory container and all its child objects:
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

To start installation of the application using the Setup Wizard:

Run the installation file from the application installation package.

This opens the welcome window of the Installation Wizard.

[Topic 28951]

Step 1. Checking for required software

The Welcome window of the Setup Wizard provides general information about installation and a link to the Online Help.

At this step, the Wizard checks the computer for the software required for the application operation (Microsoft .NET Framework 4.5). If Microsoft .NET Framework 4.5 has not been installed, an error message is displayed, and the Setup Wizard closes.

[Topic 22863]

Step 2. Viewing information about the start of installation. Reading the End User License Agreement and the Privacy Policy

At this step in the Installation Wizard window, review the information about the start of Kaspersky Security installation on your computer, and click the Next button to proceed to the window containing the text of the End User License Agreement and the Privacy Policy. The End User License Agreement is an agreement between the application user and Kaspersky. The Privacy Policy describes the handling of a user's personal data and preserving the confidentiality of that data.

Please confirm that you have fully read, understand, and accept the the terms and conditions of this EULA and Privacy Policy describing the handling of data by selecting the corresponding check boxes.

If you do not accept the terms of the End User License Agreement and Privacy Policy, you will not be able to install Kaspersky Security.

[Topic 22864]

Step 3. Selecting the installation type

At this step, select the type of application installation:

• Typical. The application will install all application components and modules. The application files will be copied to the default application installation folder and the default data storage folder. If you select this installation type, the Wizard proceeds to Step 5. Setting up the application's connection to the database of Backup and statistics.
• Custom. In this case, the next step of the Installation Wizard allows you to select the application components and modules to be installed, as well as the destination folder for application installation and data folders. If you select this installation type, the Wizard proceeds to Step 4. Selecting application components and modules.

[Topic 22868]

Step 4. Selecting application components and modules

At this step, you have to select the application components and modules to be installed, and specify the paths to the setup folder and data folders. The set of components and modules available for installation varies depending on whether a Microsoft Exchange server is installed on the computer and on the roles in which it has been deployed.

Components and modules available for installation on the Microsoft Exchange 2010 server

Components and modules available for installation on the Microsoft Exchange 2013 server

The CAS Interceptor module can be selected only if the Microsoft Exchange 2013 server is deployed in the Client Access Server (CAS) role alone.

The CAS Interceptor module is designed to improve spam detection. It is recommended for installation on all Microsoft Exchange 2013 servers deployed in the Client Access Server (CAS) role only. This module is installed automatically together with the Anti-Spam module on Microsoft Exchange 2013 servers deployed in the Mailbox role (if you choose to install Anti-Spam).

Components and modules available for installation on the Microsoft Exchange 2016 server

Select the application components and modules that you want to install. To cancel your selection of components and return to the default selection, click the Reset button.

To view information about the availability of free disk space needed for the installation of the selected components on the local drives, click the Disk usage button.

The path to the default installation folder is displayed in the lower part of the window in the Destination folder field. If necessary, specify a different destination folder. To do so, click Browse and select a folder in the window that opens.

The Data storage folder field below shows the default path to the application data storage folder. This folder is intended for temporary storage of objects to be scanned and auxiliary files. If necessary, specify a different data folder. To do so, click Browse and select a folder in the window that opens.

[Topic 28955]

Step 5. Creating a database and configuring the application connection to the SQL server

To create a database on an SQL server and configure connections to it:

1. In the Name of SQL server field, specify the name (or IP address) of the computer where the SQL server is installed, and the name of the SQL instance, for example, MYCOMPUTER\SQLEXPRESS.

   Click the Browse button opposite the Name of SQL server field to select the SQL server in the network segment in which the computer is located.

   If the connection is to a remote SQL server, make sure that the SQL server is enabled to support TCP/IP as a client protocol. The relevant SQL server may be missing from the list of SQL servers if the service of the SQL server browser is not running on the computer hosting the SQL server.

2. In the Database name field, specify the name of the database where the application will store Backup data, statistics, and application configuration details.

   Assign the user account used to start the Setup Wizard with the db_owner role at the application database level and the ALTER ANY LOGIN permission at the SQL server level. The ALTER ANY LOGIN permission is required by the Setup Wizard to create SQL server users, assign roles to those users, and grant them permissions to use the database. The db_owner role provides a set of permissions allowing the performance of all actions to configure and maintain the database, as well as to delete the database.

   You can use any of the following databases for handling the application:

   • Database created in advance by the SQL server administrator;
   • Database created automatically by the Setup Wizard

   If you want to use a single Backup and statistics database for several Security Servers, the same SQL server and database names must be specified for all Security Servers. In this case, when installing the application on the second and subsequent Security Servers, specify the same values in the Name of SQL server, Database name and Additional connection parameters fields for connecting to the database created during application installation on the first Security Server. If you do not intend to use a common database, you can specify custom SQL database connection settings for each server belonging to the DAG group.

   You can use the database of the previous version of the application. The database of the previous version of the application is connected during the application upgrade. If you remove and then install a new version of the application using the Setup Wizard, you will not be able to use the database from the previous version.

3. In the Additional connection parameters field, specify the additional settings for connecting the Backup and statistics database to the server.

   For a description of the settings for connecting the database to a server, please refer to the Microsoft website via the following link: connection string settings.

   Example:

   • Connection Timeout=30;Integrated Security=SSPI;MultiSubnetFailover=true

   In the Additional connection parameters field, it is not recommended to specify the Data Source and Database settings because they are defined in the Name of SQL server and Database name fields.

4. To finish the database configuration and proceed to the next step of the Setup Wizard, click the Next button.

Kaspersky Security does not provide channel encryption during data transmission between the server and the SQL database. To secure your data, manually encrypt data to be transmitted over communication channels.

[Topic 64684]

Step 6. Selecting an account for launching the Kaspersky Security service

At this step, specify the account to be used for launching the application service and connecting Kaspersky Security to the SQL server:

• Local System account. In this case the application service will be started and the connection to the SQL server established under the local system account.
• Other account. In this case the application service will be started and the connection to the SQL server established under a different account. You must specify the account name and password. You can also select an account by clicking the Browse button.

The specified account must be granted the required access rights. The details of access rights assigned to the account, which is intended for running the application service, are given in application deployment scenarios with the full and limited set of access rights.

Page top

[Topic 22870]

Step 7. Completing installation

At this step, the application files are copied to the computer, the components are registered in the system, and temporary files are removed from Backup.

Click the Install button in the Setup Wizard window.

The Setup Wizard starts copying the application files to the computer, registering the components in the system, creating a database on the SQL server (if you chose to create a new database), and restarting the MSExchangeTransport and MSExchangeIS services.

MSExchangeTransport and MSExchangeIS services will be restarted automatically without additional prompts.

Once the files are copied and the components are registered in the system, the Setup Wizard displays a notification about the completed application installation.

To finish the installation, click the Next button.

The Application Configuration Wizard starts automatically. The application configuration wizard makes it possible to perform initial configuration of application settings.

[Topic 28904]

Initial setup of the application

The Application Configuration Wizard allows you to configure the minimum collection of settings needed to build a system for centralized management of Microsoft Exchange server protection.

The Application Configuration Wizard helps to:

• Activate the application by adding a key
• Configure Microsoft Exchange server protection by the Anti-Virus and Anti-Spam modules
• Enable Kaspersky Security Network (hereafter also KSN)
• Configure the proxy server
• Configure notification delivery

The Application Configuration Wizard starts automatically after the installation using the Setup Wizard is completed. It provides instructions to be followed at every step. The Back and Next buttons can be used to navigate between the Application Configuration Wizard screens. You can exit the Application Configuration Wizard at any step by closing its window.

You can skip the application configuration step and close the Wizard by clicking the Cancel button in the welcome window of the Wizard. You can configure the application in its Management Console after launching the application.

[Topic 28944]

Step 1. Activating the application

At this step, you can add a key for activating Kaspersky Security.

You can also skip this step and install a key later, after the Application Configuration Wizard finishes and the application launches.

If no key has been added, Kaspersky Security runs in "Administration only" mode without protecting the Microsoft Exchange server. To use Kaspersky Security in full functionality mode, you must add a key.

If you are using the following activation methods, skip this step, because you will be able to activate the application in the application Management Console after the Application Configuration Wizard finishes:

• You are activating the application with an activation code.
• You are activating the application based on a Commercial (subscription) license.

To activate the application:

1. Click the Add button.
2. In the window that opens, in the File name field, specify the path to the key file that has the .key extension.
3. Click the Open button.

They key is installed as the active key. The active key allows you to use Kaspersky Security for the duration of the license validity period on the terms of the End User License Agreement.

Activating the application when installed in a DAG of Microsoft Exchange servers

If you deploy Kaspersky Security on a DAG of Microsoft Exchange servers, it suffices to install the key just once during application installation on any of the Microsoft Exchange servers within this DAG. Once this is done, the Application Configuration Wizard will automatically detect the installed key during application installation on other Microsoft Exchange servers within this DAG. In this case, you will not have to add the keys on other Microsoft Exchange servers within the DAG.

Special considerations when activating the application for various deployment scenarios

Activation of the application depends on the application deployment scenario:

• If the application is being used on standalone Microsoft Exchange servers, you must add a Security Server key on each server.
• If the application is being used on Microsoft Exchange servers that are part of a DAG, you must add one Security Server key. Keys are applied to the entire DAG group.
• If you are using profiles to manage several Security Servers, you must add one Security Server key. Keys are applied to all Security Servers of the profile.

[Topic 35006]

Step 2. Configuring the Microsoft Exchange server protection

At this step, you can configure the Microsoft Exchange server protection against spam, viruses, and other riskware. The Anti-Virus and Anti-Spam modules start working as soon as you launch the application. Anti-Virus and Anti-Spam protection is enabled by default. The Enforced Anti-Spam Updates Service and automatic updates for application databases (Anti-Virus databases and Anti-Spam databases) are also used by default.

The Enforced Anti-Spam Updates Service requires the computer hosting the Security Server to have a constant Internet connection.

If you do not want Anti-Virus and Anti-Spam to start working as soon as the application is launched, clear the Enable Anti-Virus protection and Enable Anti-Spam protection check boxes. You can enable protection later using the Management Console.

To disable Enforced Anti-Spam Updates Service, clear the Enable Enforced Anti-Spam Updates Service check box.

To disable updates of Anti-Spam and Anti-Virus databases from Kaspersky servers as soon as the application is run, clear the Enable automatic database updating check box.

[Topic 52094]

Step 3. Enabling the KSN service

At this step, you can enable the use of the KSN (Kaspersky Security Network) service.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the effectiveness of some protection components, and reduces the risk of false positives.

Access to the KSN service is regulated by a special Kaspersky Security Network Statement. You can review the full text of the Kaspersky Security Network Statement in a separate window by clicking the KSN Participation Agreement button.

To use KSN for spam analysis, select the I accept the Kaspersky Security Network Statement and want to use KSN services for protection check box, thereby confirming that you have read the Kaspersky Security Network Statement and accept its terms.

[Topic 23784]

Step 4. Configuring the proxy server settings

At this step, you can configure proxy server settings. The application uses these settings to connect to Kaspersky update servers while updating application databases and to connect to Kaspersky Security Network.

If you want the application to connect to Kaspersky servers via a proxy server, select the Use proxy server check box and specify the settings of the connection to the proxy server in the relevant fields: proxy server address and port. The default port number is 8080.

To use authentication on the proxy server that you have specified, select the Use authentication check box and enter the account credentials in the Account and Password fields. Use the button to select one of the existing accounts.

[Topic 22872]

Step 5. Configuring notification delivery

At this step, you can configure notification delivery settings. Notifications enable you and other persons whom they concern to learn about all Kaspersky Security events in a timely fashion. Notifications are sent by email. The following settings have to be specified for successful delivery of notifications: address of the web service and account settings.

In the Web service address field, specify the address of the web service used for sending notifications through the Microsoft Exchange server (by default, the Microsoft Exchange server uses the following address: https://<client_access_server_name>/ews/exchange.asmx).

Specify any account registered on the Microsoft Exchange Server in the Account field manually by clicking the . button, and enter the password of the selected account in the Account field.

Enter in the Administrator address field the destination mail address, for example, your e-mail.

Click the Test button to send a test message. If the test message arrives in the specified mailbox, it means that delivery of notifications is configured properly.

[Topic 65000]

Step 6. Completing the configuration

At this step, the configured application settings are saved and the configuration process finishes.

By default, the Management Console launches automatically after the configuration has been completed. If you want to disable Management Console, clear the Start Management Console after the Application Configuration Wizard finishes check box.

Click the Finish button to close the Application Configuration Wizard.

[Topic 24086]

Application Activation window

Expand all | Collapse all

Add / Replace

Key

License type

Representative

Number of mailboxes

Expiration date

Status

[Topic 35007]

Protection settings window

Expand all | Collapse all

Enable Anti-Virus protection

Enable Anti-Spam protection

Enable Enforced Anti-Spam Updates Service

Enable automatic database updating

[Topic 51803]

Use Kaspersky Security Network services window

Expand all | Collapse all

In this window, you can enable the use of Kaspersky Security Network (KSN) services in the application. Kaspersky Security Network is an infrastructure of cloud services providing access to the Kaspersky online knowledge base that contains information about the reputation of files, online resources, and software. Kaspersky Security Network is intended for improving detection of viruses and other threats, spam and phishing links, as well as for receiving statistics used to detect threats. The use of Kaspersky Security Network is controlled with a special agreement named Kaspersky Security Network Statement. To enable the use of Kaspersky Security Network in the application, you must accept its terms.

I accept the Kaspersky Security Network Statement and want to use KSN services for protection

[Topic 51879]

Proxy server settings window

Expand all | Collapse all

Connection through a proxy server can be used when connecting the application to the following resources:

• Application database update sources
• Kaspersky Security Network services
• External Anti-Spam services, such as Enforced Anti-Spam Updates Service;
• Kaspersky activation servers.

Use proxy server

Proxy server address

Port

Use authentication

Account and Password

Button

[Topic 24356]

Notification settings window

Expand all | Collapse all

Web service address

Account and Password

Administrator address

[Topic 20712]

Configuration node

Expand all | Collapse all

The Configuration management configuration section lets you export the application configuration for the server or profile to an XML file to import it from that file to the application installed on another Microsoft Exchange server. You can import the configuration to an unassigned Security Server or to a Security Server in the profile.

Export

Import

The Data storage configuration section lets you configure the Backup settings.

Restrict the Backup storage size

Restrict the duration of object storage in Backup

The Diagnostics section lets you configure the parameters of Kaspersky Security application event logs.

Logs folder

Default

Log storage period

In the Log details section, you can configure the detail level of logs. The following detail levels are available:

• Minimum. Kaspersky Security only logs main events, such as the start of an objects scan, start of an update, expiration of the license, as well as errors in the operation of the application components and errors occurred when updating the databases.
• Custom. Kaspersky Security logs main events, as well as detailed information about the events that have been selected in the Diagnostics settings window.
• Maximum. Kaspersky Security logs detailed information about all events in the application operation.

The current detail level set for logs is displayed in the Detail level field. The detail level depends on the number of events that have been selected in the Diagnostics settings window.

Settings

Reset

The Proxy server settings configuration section lets you define the settings for connecting the application to a proxy server if one is used in your network.

Connection through a proxy server can be used when connecting the application to the following resources:

• Application database update sources
• Kaspersky Security Network services
• External Anti-Spam services, such as Enforced Anti-Spam Updates Service;
• Kaspersky activation servers.

Use a proxy server to access KSN, Enforced Anti-Spam Updates Service, and Kaspersky Lab activation servers

Proxy server address

Port

Use authentication

Account and Password

Bypass proxy server for local addresses

The KSN Settings configuration section lets you select one of the following options for using the Kaspersky Security Network and Kaspersky Private Security Network services:

• Do not use Kaspersky Lab services

  This option lets you decline to use Kaspersky Security Network and Kaspersky Private Security Network services, as well as the services that utilize Kaspersky Security Network in their operations, such as Reputation Filtering.

  If this option is selected, you decline to accept the Kaspersky Security Network Statement and to use Kaspersky Security Network or Kaspersky Private Security Network, as well as the services that use Kaspersky Security Network in their operations, such as Reputation Filtering.

  This option is selected by default.

• I accept the KSN Statement. Use Kaspersky Security Network

  This option enables participation in Kaspersky Security Network.

  If this option is selected, you accept the terms of the Kaspersky Security Network Statement, and you allow the application to use Kaspersky Security Network as well as services that utilize Kaspersky Security Network in their operations, such as Reputation Filtering.

  Clicking the KSN Participation Agreement link opens the window with the text of the Kaspersky Security Network Statement.

• Use Kaspersky Private Security Network (KPSN)

  This option enables the application to utilize Kaspersky Private Security Network services. Kaspersky Private Security Network will use the settings that were previously configured for Kaspersky Security Network in Anti-Spam and Anti-Virus. All services that utilize Kaspersky Security Network in their operations, (such as Reputation Filtering), are provided through Kaspersky Private Security Network.

  If this option is selected, the application uses Kaspersky Private Security Network based on the settings for using Kaspersky Security Network.

Import

[Topic 22825]

Restoring the application

If the application encounters a failure while running (for example, if its executable files are corrupted), you can repair the application by using the Setup Wizard or the command line.

To repair Kaspersky Security using the Setup Wizard:

1. Run the installation file from the application installation package.

   This opens the welcome window of the install package.

2. Click the Kaspersky Security 9.0 for Microsoft Exchange Servers link to open the welcome screen of the Setup Wizard and click Next.
3. In the Change, Repair or Remove the application window, click the Restore button.
4. In the Restoration window, click the Repair button.

   This opens the Restore application window with information about restoring the application.

5. After the application has been restored, the Setup Wizard displays a notification about the completed application restoration. To finish restoring the application, click the Finish button.

To repair Kaspersky Security using the command line:

Run the installation file from the application installation package on the command line with the following options:

--install-mode=repair

During Kaspersky Security removal, services of MSExchangeTransport and MSExchangeIS will need a restart. Services will be restarted automatically without additional prompts.

Restoration of the application will not be possible if its configuration files are damaged. Removing and reinstalling the application is recommended in that case.

[Topic 22826]

Removing the application

You can remove the application using the Setup Wizard, the command line or standard Microsoft Windows installation and removal tools. If the application is installed on several servers, it has to be removed from each server.

To remove Kaspersky Security from the computer using the Setup Wizard:

1. Run the installation file from the application installation package.

   This opens the welcome window of the install package.

2. Click the Kaspersky Security 9.0 for Microsoft Exchange Servers link to open the welcome screen of the Setup Wizard and click Next.
3. In the Change, Restore, or Remove the Application window click the Delete button.
4. In the Uninstallation dialog, click the Delete button.

   This opens the Remove application window with information about application removal.

5. In the warning dialog that opens, perform the following operations:
   • If you want the application to save the database on the SQL server during application removal, click Yes.

     Backup data added by the application will be deleted from the database. Statistics data added by the application will be saved.

   • If you want the application to delete the database and statistics from the SQL server during application removal, click No.
6. After the application has been removed, the Setup Wizard displays a notification about the completed application removal. To finish removing the application, click the Finish button.

To remove Kaspersky Security using the command line:

Run the installation file from the application installation package on the command line with the following option:

--install-mode=delete

If you delete Kaspersky Security using the command line, the database and statistics data is not deleted from the SQL server.

During Kaspersky Security removal, services of MSExchangeTransport and MSExchangeIS will need a restart. Services will be restarted automatically without additional prompts.

You can also uninstall the application using the standard software management tools in Microsoft Windows.

[Topic 56701]

To administrator

This Help section is intended for specialists who perform Kaspersky Security installation and administration, as well as for those who provide technical support to organizations that use Kaspersky Security.

[Topic 81511]

Role-based user access control for the application features and services

Expand all | Collapse all

Kaspersky Security lets you use the following roles to restrict user access to application features and services:

• Roles of application users

  Kaspersky Security 9.0 for Microsoft Exchange Servers lets you apply application user roles to manage shared user access to the application. Each role is assigned a set of available application functions, and a set of available nodes displayed in the Management Console tree.

  A role is assigned to a user by adding the user account to an Active Directory group. A user can combine multiple roles. In this case, the user account must be added to the Active Directory groups that correspond to these roles. The user will be granted access rights in accordance with the roles assigned.

  Applying changes made to Active Directory groups may take up to 10 minutes.

  The table below shows the names and descriptions of roles, names of Active Directory groups corresponding to those roles, and a list of nodes, which are displayed in the Management Console for each role.

  All available profiles for all user roles are displayed in the Management Console.

  Roles of application users

  Role	Description	Active Directory group	Nodes displayed in Management Console
  Administrator	A specialist who performs general application administration tasks, such as configuring Anti-Virus and Anti-Spam settings, generating Anti-Virus and Anti-Spam operation reports, creating/deleting profiles, adding/deleting Security Servers from profiles, and configuring access to profiles. The To administrator section describes the administrator tasks and instructions on how to perform them.	Kse Administrators	Profiles <Security Server name> Server protection Updates Notifications Backup Reports Settings Licensing
  Anti-Virus Security Officer	A specialist who has the rights to access the following application features: viewing the details of the protection status of Microsoft Exchange servers, retrieving reports on the operation of Anti-Virus, Anti-Spam, and Attachment Filtering, restricted access rights to features for management of Backup objects (except for object deletion), and access rights to all of the application settings but without the capability to edit them.	Kse AV Security Officers	Profiles <Security Server name> Server protection Updates Notifications Backup Reports Settings Licensing
  Anti-Virus Security Operator	Specialist who has access rights to view the details of the protection status of Microsoft Exchange servers and to retrieve reports on the operation of Anti-Virus, Anti-Spam, and Content Filtering.	Kse AV Operators	Profiles <Security Server name> Reports

  User groups in Active Directory are created automatically when the application is installed or upgraded to Kaspersky Security 9.0 for Microsoft Exchange Servers. Those groups can also be created manually before the application installation using standard Active Directory data management tools. Groups can be created in any domain of the organization. The type of groups is "Universal".

  When Management Console is launched, the application checks which group includes the user account under which Management Console has been launched, and the user's role in the application is determined on the basis of this information.

  The names of user account groups must remain unique within the Active Directory forest.

• Profile roles

  A set of profile roles lets you manage user access to individual profiles. Each role is assigned a set of available application functions, and a set of available nodes displayed in the Management Console tree for the profile.

  A role is assigned to users when configuring access to a specific profile. A user can have multiple roles and have access to multiple profiles.

  The table below shows the profile roles and their descriptions, and a list of nodes that are displayed in the Management Console for each role within a profile.

  Profile roles

  Role	Description	Profile nodes displayed in the Management Console
  Profile administrator	A specialist who performs general application administration tasks for a profile, such as configuring Anti-Virus and Anti-Spam settings or generating Anti-Virus and Anti-Spam operation reports.	Server protection Updates Notifications Backup Reports Settings Licensing Servers
  Profile Anti-Virus Security Officer	A specialist who has the rights to access the following application features within a profile: viewing the details of the protection status of Microsoft Exchange servers, retrieving reports on the operation of Anti-Virus, Anti-Spam, and Attachment Filtering, restricted access rights to features for management of Backup objects (except for object deletion), and access rights to all application settings but without the capability to modify them.	Server protection Updates Notifications Backup Reports Settings Licensing Servers
  Profile Anti-Virus Security Operator	A specialist who has access rights to view the details of the protection status of Microsoft Exchange servers and to retrieve reports on the operation of Anti-Virus, Anti-Spam, and Content Filtering within a profile.	Reports Servers

  When the Management Console is started, the application checks which profile role is assigned to the user account whose permissions were used to start the Management Console, and based on this information the application determines the user's rights to access profiles.

  For correct operation of role-based restriction of user access to profiles, you must make sure that the users have not been added to the Kse Administrators, Kse AV Security Officers or Kse AV Operators groups in Active Directory. Otherwise, the users will have access to all existing profiles.

• System role

  A system role will be held by the account on behalf of which the Kaspersky Security 9.0 for Microsoft Exchange Servers application service will be launched

  The system role is assigned to the account that you selected during installation of the application. If you want to specify another account for starting the application service after the application has already been installed, you must assign the system role to it. The system role is assigned by adding a user account to the Kse Watchdog Service group in Active Directory.

  Applying changes made to Active Directory groups may take up to 10 minutes.

[Topic 167084]

Working with personal data of users

Kaspersky Security processes the following personal data of users to perform its basic functions:

• Active Directory accounts.

  The application checks Active Directory accounts to implement the role-based user access control for the application features and services.

• E-mail messages.

  The application scans E-mail messages, including attached objects, to provide anti-virus protection, filter attachments as well as to provide anti-spam and anti-fishing protection according to the pre-defined settings.

  Original messages that initiated an alert of one of the protection components are saved in the Security Server file system. This enables to restore deleted objects via Backup.

• E-mail metadata.

  E-mail metadata (fields From, To, Subject) that initiated an alert of one of the protection components are saved in the application database. This enables to restore deleted objects via Backup.

  E-mail metadata can be sent to Kaspersky Security Center as part of information on application events if your organization uses this software solution.

  E-mail metadata is also saved in the application log, which is required to provide technical support.

• E-mail addresses excluded from scanning.

  E-mail addresses excluded by the administrator from scanning are saved in Active Directory together with other protection settings.

• Mailbox names.

  The application saves the names of mailboxes selected for background scan to ensure correctness of scanning.

• Application configuration changes.

  Any configuration change information is saved in the application logs and in the Windows event log. Depending on introduced changes, such information can include e-mail addresses excluded from scanning and the names of mailboxes selected for background scan.

  Similar information may be contained in the application configuration export file (*.kseconfig).

• Message texts.

  Texts of processed email messages can be saved on the Security Server if the administrator has enabled detailed event logging for the application. This information can be used to provide technical support.

• Organization representative information.

  Information on the contact person of the organization that signed the End User License Agreement is used to validate the license. Depending on the application configuration, such information is stored either in Active Directory or locally on the Security Server.

The table below presents the specifics of storing the listed data.

Specifics of storing personal data of users in Kaspersky Security

You can restrict handling of personal data of users by the application as follows:

• Change the storage term for application logs.
• Restrict the duration of object storage in Backup.
• Remove objects from Backup.
• Monitor the list of users added to Anti-Spam white and black lists.
• Monitor the list of users, the messages for whom are excluded from anti-virus scan.
• Monitor the list of users, to the messages from/for whom the attachment filtering rules apply.
• If you need to change the contact person of your organization, please contact the license provider.

[Topic 69238]

Application licensing

This section provides information about general concepts related to licensing of Kaspersky Security.

[Topic 60774]

Licensing models. License restrictions

All application licensing schemes employ a limit on the number of mailboxes that are protected by the application.

Licensing a Security Server:

• Trial license. A license for trial use of the application. It is granted for a specific period that is assigned by Kaspersky. When the trial license expires, all application features become disabled. You can activate the application using a key or activation code.
• Commercial. A license for commercial use of the application. It is granted for a specific period that is assigned by Kaspersky when the license is purchased. When the commercial license expires, the application continues to work in limited functionality mode. The user is no longer able to update the application databases, receive new application versions, or contact Technical Support. You can activate the application using a key or activation code.
• Commercial (subscription). A license for commercial use of the application distributed through vendors based on a subscription. It is granted for a specific period that is assigned by the vendor based on a subscription. According to the license restriction, you can use the application during the period for which you purchased a subscription from the vendor. You can activate the application with an activation code, but you cannot activate the application with a key.

[Topic 138186]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and Kaspersky AO, stipulating the terms on which you may use the application.

Carefully review the terms of the License Agreement before using the application.

You can view the terms of the License Agreement in the following ways:

• During installation of Kaspersky Security.
• By reading the license.rtf file. This file is included in the application's distribution kit.

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

[Topic 73976]

About the license certificate

License Certificate is a document provided together with a key file or activation code.

The License Certificate contains the following license information:

• License key or order number
• Details of the license holder
• Information about the application that can be activated using the license
• Limitation on the number of licensing units (devices on which the application can be used under the license)
• License start date
• License expiration date or license validity period
• License type.

[Topic 136912]

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement. A license is linked to a unique activation code for your copy of Kaspersky Security.

A license includes the right to do the following:

• Use of the application in accordance with the terms of the End User License Agreement
• Technical support;
• update the databases and receive new versions of the application.

To work with the application in full functionality mode, you must purchase a license to use the application and activate the application. A license has a limited validity period.

We recommend renewing the license before its expiration date to ensure maximum protection of your computer against all potential security threats.

Before purchasing a license, you can get acquainted with the free trial version of Kaspersky Security. The trial version of Kaspersky Security performs its functions during a short trial period. After the trial period expires, Kaspersky Security stops performing its functions. To continue using the application, you must purchase a license.

[Topic 88817]

About the key

A license key is a sequence of bits with which you can activate and subsequently use the application in accordance with the terms of the End User License Agreement. A license key is generated by Kaspersky.

To add a key to the application, you must apply a key file or add a key based on an activation code.

After you add a license key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky can blacklist a license key in response to violations of the End User License Agreement. If the license key has been blacklisted, you must add another license key to use the application.

A license key may be active or reserve.

An active license key is a license key that is currently being used by the application. A trial or commercial license key can be added as the active key. The application cannot have more than one active license key.

A reserve license key is a license key that entitles the user to use the application but is not currently in use. A reserve license key automatically becomes active when the license associated with the current active license key expires. A reserve license key can be added only if an active license key has already been added.

A license key for a trial license can be added only as the active license key. A license key for a trial license cannot be added as a reserve license key.

A Security Server key is used to activate the application. Depending upon the application deployment scenario to activate the application, add the following keys:

• If the application is being used on standalone Microsoft Exchange servers, you must add a Security Server key on each server.
• If the application is being used on Microsoft Exchange servers that are part of a DAG, you must add one Security Server key. Keys are applied to the entire DAG group.
• If you are using profiles to manage several Security Servers, you must add one Security Server key. Keys are applied to all Security Servers of the profile.

[Topic 69431]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. The purpose of a key file is to add a license key that activates the application.

You receive a key file at the email address that you provided when you bought Kaspersky Security or ordered the trial version of Kaspersky Security.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To recover a key file, do one of the following:

• Contact the license vendor.
• Obtain a key file on the Kaspersky website based on your existing activation code.

[Topic 69430]

About the activation code

An activation code is a unique sequence made up of twenty Latin letters and numbers. You must enter an activation code to add a license key that activates Kaspersky Security. You receive your activation code at the email address that you provided when you purchased Kaspersky Security or ordered the trial version of Kaspersky Security.

To activate the application with an activation code, Internet access is required for connection to Kaspersky activation servers.

If you have lost your activation code after activating the program, contact the Kaspersky partner from whom you purchased the license.

[Topic 136504]

About the subscription

A Kaspersky Security subscription grants the right to use the application based on a commercial license by subscription. A license has a limitation on the number of mailboxes protected by Kaspersky Security. You can order a Kaspersky Security subscription from a vendor (such as a mail protection service provider).

You can activate the application using an activation code.

If you are using the application based on a Commercial (subscription) license, Kaspersky Security contacts Kaspersky activation servers at specific time intervals to update license data.

If you are using the application based on a Commercial (subscription) license, you must ensure continuous Internet access for the Security Server and for the server on which the Management Console is installed.

If your subscription has not yet expired but a long time has passed since the application has last updated its data and it has not received confirmation that the subscription has expired from Kaspersky activation servers (for example, if there is no Internet access for the Security Server and the server on which the Management Console is installed), the application stops attempting to connect to Kaspersky activation servers, stops updating anti-virus databases and Anti-Spam databases, and stops using Kaspersky Security Network. If the application receives Internet access after the application has stopped attempting to contact Kaspersky activation servers, the application updates license data, resumes updates of Anti-Virus databases and Anti-Spam databases, resumes use of Kaspersky Security Network, and provides the functionality of the Anti-Virus and Anti-Spam modules.

You can pause or resume your subscription, renew it, or opt out of it. To manage your subscription, you need to contact the vendor that provided you with Kaspersky Security. The set of subscription management options may vary depending on the service provider that you are using.

To give you more time to renew your subscription, you may be granted a grace period during which the application continues to perform all its functions. The vendor determines whether or not to grant a grace period and determines its duration. After the subscription or the grace period for subscription renewal expires, Kaspersky Security continues to work but stops updating the anti-virus databases of the application and stops using Kaspersky Security Network.

[Topic 68142]

Special considerations of activating the application when using profiles

If you use profiles to manage multiple Security Servers, make allowance for the following special features of the application activation:

• The effective term of the license is counted from the moment the active key is added. Active keys are automatically replaced with reserve keys upon expiration of the license on each of the Security Servers included in the profile, according to the time of the Microsoft Exchange server on which the Security Server is installed. This is important when, for example, the Security Servers included in a profile are located in different time zones.
• In the Management Console, in the workspace of the Profiles \ <Profile name> \ Licensing node, the keys and license expiry dates are shown for each of the added keys according to the time of Management Console. For example, if the license defined by the active key has expired according to the time of Management Console and a reserve key has been added, the workspace shows only the reserve key and its properties.
• You cannot add, replace or delete a key separately for a Security Server that has been added to the profile. You can add, replace or delete a key only for all Security Servers in the profile, where the license applied to all Security Servers of the profile.
• After you have added a Security Server to a profile, the active key of this Security Server is replaced with the active key, added for the entire profile.
• After you have deleted the Security Server from the profile, the active key that was added for the profile is the one that remains active for the Security Server. The key for this Security Server is displayed in the workspace of the Licensing node.

[Topic 28945]

Activating the application with a key for a Security Server

If Kaspersky Security is installed in a configuration with a DAG, you only need to add one Security Server key for all servers of the entire DAG. You can add keys by connecting the Management Console to any server within the DAG.

If you create a DAG group from servers on which the application was already previously installed and activated, you must activate the application for this group. To do so, you need to add one Security Server key after adding the first server to the DAG group.

Prepare a key file prior to activating the application. If you have only an activation code for a trial or commercial license, you can generate a key file based on the activation code. To generate a key file based on an activation code, you can use the Kaspersky website at https://activation.kaspersky.com/.

To add a key:

1. Perform the following steps in the Management Console tree:
   • If you want to add a Security Server key, expand the node of the Security Server for which you want to add a key.
   • If you want to add a Security Server key for a profile:
     1. Open the Profiles node.
     2. Open the node of the profile for which you want to add the key.
2. Select the Licensing node.
3. In the workspace, perform one of the following actions:
   • To add an active key for a Security Server:
     1. Click the Add button in the Active key section.

        This opens the Add license window.

     2. In the Add license window that opens, in the Select key file section, click the Add button.
   • To add a reserve key of the Security Server, click on the Add button in the Additional key section.

     A reserve key for a Security Server can be added only if the Security Server has an active key. Only a commercial license key can be added as a reserve key. A trial license key cannot be added as a reserve key.

4. In the displayed File name dialog specify path to the key file (file with the .key extension) and click Open.
5. If you are adding an active key for a Security Server, click the Next button.

The key will be added, and its information will appear in the section corresponding to the key type.

[Topic 137367]

Activating the application using an activation code

If you activate the application using an activation code, you must take into account the special considerations for application activation:

• If you used an activation code to activate the application on a Security Server, you cannot add a reserve key. You can add a reserve key only if you used a key file to activate the application for a Security Server.
• You can replace the activation code with a key file at the Kaspersky website https://activation.kaspersky.com/.

To activate the application with an activation code:

1. In the Management Console tree, perform one of the following actions:
   • If you want to use an activation code to activate the application for a Security Server, open the node of the Security Server for which you want to activate the application.
   • If you want to use an activation code to activate the application for Security Servers of a profile:
     1. Open the Profiles node.
     2. Open the node of the profile for which you want to activate the application.
2. Select the Licensing node.
3. To activate a Security Server using an activation code, click the Add button in the Active key section.
4. In the window that opens, select the Enter activation code option.
5. Enter the activation code in the text input fields and click Next.

   If you use an activation code to activate the application, you must ensure continuous Internet access for the Security Server and for the server on which the Management Console is installed.

6. The application will send an activation request to the Kaspersky activation server. The application will notify you if the activation request is successfully completed.
7. Click the Add button to activate the license.

The window of the Licensing node in the Active key section displays information about the added key.

[Topic 89327]

About notifications related to the license

The application makes it possible to learn in good time about events and errors, related to the license, with the help of notifications.

The application records these notifications in a log and sends them by email if delivery of notifications on license-related events is enabled.

[Topic 26402]

Configuring the license expiry term notification

To configure notifications of a forthcoming license expiration:

1. Perform the following steps in the Management Console tree:
   • If you want to configure notification of a forthcoming expiry of the license that is active on an unassigned Security Server, select the node of that Security Server.
   • If you want to configure notification of a forthcoming expiry of the license that is active on a profile, expand the Profiles node and select the node of the relevant profile.
2. Select the Notifications node.

   The workspace displays the Notification delivery settings and Event notifications sections.

3. Expand the Event notifications section and perform the following actions:
   1. In the left part of the section, in the Notification subjects list, select the License-related events event.
   2. In the right part of the section, select the notification recipients.
   3. In the right part of the section, in the Notify about license expiration in advance (days before) field, specify in how many days before license expiry you want to receive this notification.
4. Click the Save button.

[Topic 28908]

Viewing information about installed keys

To view the details of the installed keys:

1. In the Management Console tree, perform one of the following actions:
   • To view the details of keys added for a Security Server, maximize the node of the Security Server the details of whose keys you want to view.
   • If you want to view information about the keys of a profile:
     1. Open the Profiles node.
     2. Open the node of the profile whose key information you want to view.
2. Select the Licensing node.

   The workspace displays the following information about the number of mailboxes and added keys.

[Topic 68150]

Replacing a key

To replace a key added for a Security Server:

1. In the Management Console tree open the node of the Security Server for which you wish to add a key.
2. Select the Licensing node.
3. In the workspace, perform one of the following actions:
   • To replace the active key for a Security Server:
     1. Click the Replace button in the Active key section.

        This opens the Add license window.

     2. In the Add license window that opens, in the Select key file section, click the Replace button.
   • To replace the reserve key of the Security Server, click the Replace button in the Additional key section.
4. In the displayed File name dialog specify path to the key file (file with the .key extension) and click Open.
5. If you are replacing an active key for a Security Server, click the Next button.

The key is replaced, and details about the new key appear in the relevant section.

To replace a key added for a profile:

1. In the Management Console tree, expand the Profiles node.
2. Expand the node of the profile whose key you want to replace.
3. Select the Licensing node.
4. In the workspace, perform one of the following actions:
   • To replace the active key for a Security Server:
     1. Click the Replace button in the Active key section.

        This opens the Add license window.

     2. In the Add license window that opens, in the Select key file section, click the Replace button.
   • To replace the reserve key of the Security Server, click the Replace button in the Additional key section.
5. In the displayed File name dialog specify path to the key file (file with the .key extension) and click Open.
6. If you are replacing an active key of a Security Server for a profile, click the Next button.

The key is replaced, and details about the new key appear in the relevant section.

[Topic 26401]

Removing a key

To remove a key added for a Security Server:

1. In the Management Console tree open the node of the Security Server for which you wish to remove a key.
2. Select the Licensing node.
3. In the workspace, perform one of the following actions:
   • To delete the active key of the Security Server, click on the Delete button in the Active key section.
   • To delete a reserve key of the Security Server, click on the Delete button in the Additional key section.

The application deletes the selected key. When the active key is deleted, the reserve key (if added) becomes active.

To delete a key added for a profile:

1. In the Management Console tree, expand the Profiles node.
2. Expand the node of the profile whose key you want to remove.
3. Select the Licensing node.
4. In the workspace, perform one of the following actions:
   • To delete the active key of the Security Server, click on the Delete button in the Active key section.
   • To delete a reserve key of the Security Server, click on the Delete button in the Additional key section.

The application deletes the selected key. When the active key is deleted, the reserve key (if added) becomes active.

[Topic 61039]

Licensing node

Expand all | Collapse all

Number of mailboxes on the server / Number of mailboxes on profile servers

The Active key and Additional key sections contain information about the active and reserve Security Server keys added to the application, as well as information about the licenses associated with those keys. These sections also let you add, update, replace, and delete keys.

The Additional key section is not displayed if no active Security Server key has been added.

Refresh

Status

Key

License type

Representative

Number of mailboxes

Expiration date

Add / Replace

Delete

[Topic 137446]

Add License window

Expand all | Collapse all

Select key file

Enter activation code

Back

Next

[Topic 137269]

Viewing the number of mailboxes

You can compare the number of mailboxes located on your Security Server with the number of mailboxes to which your license applies.

To view information about the number of mailboxes calculated by the application:

1. In the Management Console tree, perform one of the following actions:
   • If you want to view information about the number of mailboxes on a separate Security Server (for example, on a server in the Mailbox role or on a server within a DAG group), open the node of the Security Server for which you want to view information about the number of mailboxes.
   • If you want to view information about the number of mailboxes of a profile:
     1. Open the Profiles node.
     2. Open the node of the profile for which you want to view information about the number of mailboxes.
2. Select the Licensing node.

The workspace displays information about the number of mailboxes calculated by the application on your server, and information about keys that have been added.

When calculating license restrictions, the application takes into account the following types of mailboxes:

• UserMailbox;
• LinkedMailbox;
• SharedMailbox;
• RoomMailbox;
• EquipmentMailbox.

The application does not take into account service mailboxes and shared folders when calculating license restrictions.

Take into account the following considerations for calculating the number of mailboxes:

• On a separate Security Server (for example, on a server in the Mailbox role), the application takes into account the mailboxes located on this server.
• On a server in the Hub Transport role, the number of mailboxes is always 0.
• On a server in the Edge Transport role, the number of mailboxes is always 0.
• On a server within a DAG group, the application takes into account the mailboxes located in active storage on this server.
• In a profile, the application takes into account the mailboxes located on all servers within the profile.

To calculate the number of mailboxes, the application uses the Get-MailboxDatabase command for PowerShell, which is part of a Microsoft Exchange server. You can use this command to view the number of mailboxes on a protected Microsoft Exchange server:

[Topic 36256]

Starting and stopping the application

This section contains information on starting and shutting down the application.

[Topic 24848]

Starting and stopping a Security Server

A Security Server starts automatically in the following cases:

• After the application installation
• When running the operating system on a computer with an installed Security Server, if the Automatic run mode has been selected in the settings of Kaspersky Security for Microsoft Exchange Servers.

To stop a Security Server manually:

1. In Management Console, disable Anti-Virus protection and Anti-Spam protection on the Security Server.
2. On the computer hosting the Security Server, use the tools of the operating system to stop Kaspersky Security for Microsoft Exchange Servers and set its run mode to Disabled.

   The Security Server will stop running.

To run a Security Server manually:

1. On the computer hosting the Security Server, use your operating system tools to run Kaspersky Security for Microsoft Exchange Servers and set its run mode to Automatic.

   The Security Server will start running.

2. In Management Console, enable Anti-Virus protection and Anti-Spam protection on the Security Server.

   The Microsoft Exchange server is then protected.

[Topic 24851]

Starting Management Console

The Management Console can only be run by a user account that has been assigned one of the application user roles. This user account must also have local administrator rights on the computer where the Management Console is started. To run the Management Console on a Microsoft Exchange server with the Edge role, the user account only requires local administrator rights on the computer.

To launch the Management Console,

Select Start → Programs → Kaspersky Security 9.0 for Microsoft Exchange Servers → Kaspersky Security 9.0 for Microsoft Exchange Servers.

When the Management Console starts, the Kaspersky Security snap-in connects to Microsoft Management Console, and the Management Console tree displays the application icon and the Kaspersky Security 9.0 for Microsoft Exchange Servers node.

When Management Console is running, you can add the Microsoft Exchange servers with an installed Security Server (hereinafter referred to as protected servers) to Management Console.

The application records information about the starting and stopping of Management Console to the Windows Event Log. A record contains information about the time of a start / stop of Management Console, as well as the user who initiated those activities.

[Topic 24852]

Adding Security Servers to Management Console

To allow managing the application, the protected servers must be added to Management Console.

If the Security Servers are installed on Microsoft Exchange servers included in a Microsoft Exchange database availability group (DAG), you can connect Management Console to any of those Security Servers in order to define the settings shared by the entire DAG, or connect Management Console to an individual Security Server in order to define its own settings.

Shared settings of the entire DAG include, e.g., the anti-virus protection settings for the Mailbox role, the Anti-Virus reporting settings for the Mailbox role, the notification settings, and the update settings of Anti-Virus databases. The entire DAG also shares the contents of Backup and the key.

Examples of individual settings of the Microsoft Exchange Server include: anti-virus protection settings for the Hub Transport role, anti-spam scan settings, Backup settings, settings of the Anti-Spam and Anti-Virus reports for the Hub Transport role, and Anti-Spam database update settings.

To add a Security Server to Management Console:

1. Select the Kaspersky Security 9.0 for Microsoft Exchange Servers node in the Management Console tree.
2. Open the Add server window in one of the following ways:
   • By selecting the Add server item in the Action menu.
   • By selecting the Add server item in the context menu of the Kaspersky Security 9.0 for Microsoft Exchange Servers node.
   • By clicking the Add server button in the workspace of the node.
   • Click the Add server link in the quick access bar.
3. In the Add server window, select the Security Server deployed on the Microsoft Exchange server, to which you want to connect the Management Console:
   • If you want to connect the Management Console to a Security Server deployed on a local computer, choose the Local option.
   • If you want to connect the Management Console to a Security Server deployed on a remote Microsoft Exchange Server, choose the Remote option.

     Management Console connects to the Security Server via TCP port 13100. You have to open this port in the firewall on the remote Microsoft Exchange server or add the service of Kaspersky Security 9.0 for Microsoft Exchange Servers to the list of trusted applications of the firewall.

4. If you have chosen the Remote option, in the entry field specify the name of the remote Microsoft Exchange Server on which the Security Server is deployed. You can select the remote Microsoft Exchange server from the list by clicking the Browse button or by typing manually one of the values for the remote Microsoft Exchange server:
   • IP address
   • Fully-qualified domain name (FQDN) in the format <Computer name>.<DNS-domain name>
   • the computer name in the Microsoft Windows network (NetBIOS name).
5. Click the OK button.

The added Security Server appears in the Management Console tree.

The Security Servers that have been added are displayed in the Management Console tree as separate nodes. To proceed to the management of a Security Server, you should expand the corresponding node.

You can also manage a group of Security Servers using profiles.

[Topic 20068]

Kaspersky Security 9.0 for Microsoft Exchange Servers node

Expand all | Collapse all

The Protected servers section allows you to connect a server with Kaspersky Security installed to the Management Console and proceed to its configuration.

Add server

The Added servers section contains buttons with the names of servers that have been connected to Management Console.

<Server name>

[Topic 19924]

Add server window

Expand all | Collapse all

Local

Remote

Management Console connects to the Security Server via TCP port 13100. You have to open this port in the firewall on a remote Microsoft Exchange server or add the Kaspersky Security for Microsoft Exchange Servers service to the list of trusted applications for the firewall.

[Topic 28931]

Default Microsoft Exchange Server protection

Anti-virus and anti-spam protection of the Microsoft Exchange server starts immediately after the Security Server component is installed unless it has been turned off in the Application Configuration Wizard.

The following application mode is engaged by default:

• The application scans messages for all currently known malware in Anti-Virus databases with the following settings:
  • The application scans the message body and attached objects in any format, except for container objects with a nesting level above 32.
  • The application scans all storages of public folders and all mailbox storages.
  • The choice of the operation performed upon detection of an infected object depends on the role of the Microsoft Exchange Server where the object has been detected:
    • When an infected object is detected on a Microsoft Exchange Server in a Hub Transport or Edge Transport role, the object is deleted automatically, and the application saves the original copy of the message in Backup and adds the [Infected object detected] tag to the message subject.
    • When an infected object is detected on a Microsoft Exchange Server in a Mailbox role, the application saves the original copy of the object (message attachment) in Backup and attempts disinfection. If disinfection fails, the application deletes the object and replaces it with a text file containing the following notification:

      Malicious object <VIRUS_NAME> has been detected. The file (<object_name>) was deleted by Kaspersky Security 9.0 for Microsoft Exchange Servers. Server name: <server_name>

  • When a password-protected object is detected, the application skips the object.
• The application scans messages for spam with the following settings:
  • The application uses the low sensitivity level of anti-spam scanning. This level provides an optimal combination of scanning speed and quality.
  • The application skips all messages. Messages that have been tagged as Spam, Probable spam, Mass mailing, or Blacklisted are marked with special tags in the message subject: [!!SPAM], [!!Probable Spam], [!!Mass Mail] and [!!Blacklisted], respectively.
  • The maximum duration for scanning a single message is 60 seconds.
  • The maximum size of a message with attachments to be scanned is 1536 KB (1.5 MB).
  • External services are used to check IP addresses and URLs: DNSBL and SURBL. These services enable spam filtering using public black lists of IP addresses and URLs.
  • If you chose to use KSN in the Configuration Wizard, the KSN and Reputation Filtering services are enabled. Otherwise, the KSN and Reputation Filtering services are disabled.
  • If you enabled the use of the Enforced Anti-Spam Updates Service in the Application Configuration Wizard, the use of the Enforced Anti-Spam Updates Service is enabled. Otherwise, the use of the Enforced Anti-Spam Updates Service is disabled.

[Topic 18740]

<Microsoft Exchange Server name> node

Expand all | Collapse all

The Profile section explains how to configure Security Server by means of profiles.

Profiles

TheProduct info configuration section shows information about the Microsoft Exchange server on which the Security Server is installed, and the application modules.

The set of fields reflecting the status of application modules may be shorter, depending on the configuration of the Microsoft Exchange Server. If the field corresponding to a module is not displayed, this module cannot be installed with the current configuration of the Microsoft Exchange Server.

If the SQL server is unavailable, the Product info configuration section shows information about an error that occurred when connecting the application to the SQL server.

Server name

Details of the application deployment scheme

Version

Anti-Spam Module

Anti-Virus Module for the Hub Transport role

Anti-Virus Module for the Mailbox role

Attachment filtering

Configure server protection settings

The Licensing configuration section contains information on the status of the Security Server key.

If the Status field of the Licensing section shows a value that differs from Current license, the corresponding section is highlighted in red.

Functionality

Status

Expiration date

Number of mailboxes

Additional key

Manage keys

The Anti-Spam databases configuration section shows the Anti-Virus database status information.

If the last Anti-Spam database update resulted in an error, the node is highlighted in red and the error message is displayed in the Status field.

Last update

Status

Release date and time

Configure update settings

The Anti-Virus databases configuration section contains information about the anti-virus databases.

If the last anti-virus database update resulted in an error, the node is highlighted in red and the error message is displayed in the Status field.

Last update

Status

Release date and time

Configure update settings

The Statistics configuration section shows the following counters with the number of messages moved to Quarantine for rescanning for spam.

Total number of messages moved to Quarantine

Current number of messages in Quarantine

Displayed underneath the counters in the Statistics configuration section are charts with performance statistics of application modules over the past seven days.

The set of charts may be abbreviated depending on the configuration of the application.

Charts show statistics that have been collected over the period of time during which the corresponding application modules were enabled. The application retrieves no statistics on modules that are disabled.

Anti-Spam

Anti-Virus for the Hub Transport role

Anti-Virus for the Mailbox role

[Topic 60542]

Viewing Microsoft Exchange Server protection status details

Expand all | Collapse all

To Microsoft Exchange Server protection status details:

1. Start Management Console by going to the Start menu and selecting Programs → Kaspersky Security 9.0 for Microsoft Exchange Servers→ Kaspersky Security 9.0 for Microsoft Exchange Servers.
2. In the Management Console tree, select the node of the Security Server installed on the relevant Microsoft Exchange server whose status you want to view.

The workspace of the selected Security Server node shows the following information about the status of server protection:

• The Profile section explains how to configure Security Server settings by means of profiles.
• The Product info sectionshows information about the Microsoft Exchange server and the application modules:
  • Server name

    The server name can take the following values:

    • Name of the physical server if the Management Console is connected to a Security Server deployed on a standalone Microsoft Exchange server, a passive node within a cluster, or on a server that belongs to a DAG.
    • Virtual server name, if the Management Console is connected to a virtual server or its active node.
  • Details of the application deployment scheme

    The field contains one of the following values:

    • Virtual Server, if the Management Console is connected to a virtual Microsoft Exchange Server or its active node.
    • <DAG name>, if the Management Console is connected to a Security Server deployed on a Microsoft Exchange server that belongs to a DAG.
  • Version

    Details of the application version.

  • Anti-Spam Module

    Status of the Anti-Spam module. Displayed when the Security Server is installed on a Microsoft Exchange Server that is deployed in the Hub Transport or Edge Transport role. Possible values:

    • Disabled – the Anti-Spam module is installed, anti-spam scanning of messages is disabled.
    • Inoperable or running with errors – the Anti-Spam module is installed, anti-spam scanning of messages is enabled, but the Anti-Spam module is not scanning messages for spam due to licensing errors, Anti-Spam database errors, or scan errors.
    • Not installed: the Anti-Spam module is not installed.
    • Enabled – the Anti-Spam module is installed, and anti-spam scanning of messages is enabled.
  • Anti-Virus Module for the Hub Transport role

    Status of the Anti-Virus module for the Hub Transport role. Displayed when the Security Server is installed on a Microsoft Exchange Server that is deployed in the Hub Transport or Edge Transport role. Possible values:

    • Disabled – the Anti-Virus module is installed for the Hub Transport and Edge Transport roles, and anti-virus protection for the Hub Transport role is disabled.
    • Inoperable or running with errors – the Anti-Virus module is installed for the Hub Transport and Edge Transport roles, anti-virus protection for the Hub Transport role is enabled, but the Anti-Virus module is not scanning messages for viruses and other threats due to licensing errors, Anti-Virus database errors, or scan errors.
    • Not installed – the Anti-Virus module is not installed for the Hub Transport and Edge Transport roles.
    • Enabled – the Anti-Virus module is installed for the Hub Transport and Edge Transport roles, anti-virus protection for the Hub Transport role is enabled, and the Anti-Virus module is scanning messages for viruses and other threats.
  • Anti-Virus Module for the Mailbox role

    Status of the Anti-Virus module for the Mailbox role. Displayed when the Security Server is installed on a Microsoft Exchange Server that is deployed in the Mailbox role. Possible values:

    • Disabled – the Anti-Virus module is installed for the Mailbox role, and the anti-virus protection for the Mailbox role is disabled.
    • Inoperable or running with errors – the anti-virus protection is enabled for the Mailbox role, but the Anti-Virus module is not scanning messages for viruses and other threats due to licensing errors, Anti-Virus database errors, or scan errors.
    • Not installed – the Anti-Virus module is not installed for the Mailbox role.
    • Enabled – the anti-virus protection is enabled for the Mailbox role, and the Anti-Virus module scans messages for viruses and other threats.
  • Filtering of attachments

    Attachment Filtering module status. Possible values:

    • Disabled – the Attachment Filtering Module is installed, but it is disabled.
    • Inoperable or running with errors – the Attachment Filtering Module is installed and enabled, but it does not perform filtering in messages due to licensing errors or scan errors.
    • Not installed – the Attachment Filtering module is not installed.
    • Enabled – the Attachment Filtering module is installed and enabled.

  The set of fields reflecting the state of Security Server modules may be reduced, depending on the configuration of the Microsoft Exchange Server. If the field corresponding to a module is not displayed, this module cannot be installed with the current configuration of the Microsoft Exchange Server.

  If the SQL server is unavailable, the Product info configuration section shows information about an SQL server connection error.

  Click the Configure server protection settings link to open the workspace of the Server protection node.

• The Licensing configuration section displays license information:
  • Functionality

    Available application features determined by the current license. Possible values:

    • Full functionality.
    • The license expired. Database updates and technical support are not available. The license has expired. Application database updates and technical support are unavailable.
    • Management only.
    • Update only. Only application database updates.
  • Status
    • The Status field is displayed only for active keys. The following statuses of a Security Server key and its corresponding application restrictions are possible:
      • Current license. The functionality of the Anti-Virus and Anti-Spam modules is unlimited.
      • Trial license has expired. The functionality of the Anti-Virus and Anti-Spam modules is not available, updates of Anti-Virus and Anti-Spam databases are prohibited.
      • License expired. Updates of Anti-Virus and Anti-Spam databases are prohibited, Kaspersky Security Network cannot be used. The functionality of the Anti-Virus and Anti-Spam modules is available.
      • Databases corrupted. Anti-Virus or Anti-Spam databases are corrupted or missing.
      • Key is missing. The functionality of the Anti-Virus and Anti-Spam modules is not available, updates of Anti-Virus and Anti-Spam databases are prohibited.
      • Key blocked. The functionality of the Anti-Virus and Anti-Spam modules is unavailable. Only updates of Anti-Virus and Anti-Spam databases are available.
      • Key blacklist corrupted or missing. The functionality of the Anti-Virus and Anti-Spam modules is unavailable. Only updates of Anti-Virus and Anti-Spam databases are available.
      • Cannot refresh licensing status. The functionality of the Anti-Virus and Anti-Spam modules is unlimited. You can view a description of the error in the Server state section in the License status field.

    If the Status field of the Licensing section shows a value that differs from Current license, the corresponding section is highlighted in red. This requires adding the corresponding active key after opening the Licensing section via the Manage keys link.

  • Expiration date

    License expiration date.

    If the Expiration date field is highlighted in red, you have to renew the license, for example by adding the corresponding reserve key by opening the Licensing node via the Manage keys link.

   

  The time period left until the license expiration during which this field is highlighted with red is defined by the Notify about license expiration in advance (days before) setting located in the workspace of the Notifications node. The default value is 15 days.

  • Number of mailboxes

    The maximum number of mailboxes that the application can protect using this key.

  • Additional key

    Information on the availability of a reserve key: Added or Not found.

  Clicking the Manage keys link opens the workspace of the Licensing node in which you can add or remove keys.

• The Anti-Spam databases section shows the following Anti-Spam database status information:
  • Last update

    Date of the last update of the Anti-Spam databases.

  • Status

    Status of the last update of the Anti-Spam databases. Possible values:

    • Database updated – the databases have been updated successfully.
    • Completed with an error – an error has occurred during the database update.
    • Not performed – the database update task was not performed.
  • Release date and time

    Anti-Spam database release date and time. Displayed in the date format defined in the settings of the operating system.

    If the Anti-Spam databases are outdated by more than one hour, the text in this field is highlighted in red.

  If the Anti-Spam databases and the Release date and time field within this section are highlighted in red, update the Anti-Spam databases. If necessary, you can configure the Anti-Spam database update settings.

  If the last Anti-Spam database update resulted in an error, the Anti-Spam databases section is highlighted in red and the error message is displayed in the Status field.

  Clicking the Configure update settings link opens the workspace of the Updates node.

• The Anti-Virus databases configuration section shows the following Anti-Virus database status information:
  • Last update

    Date of last anti-virus database update

  • Status

    Status of the last anti-virus database update. Possible values:

    • Database updated – the databases have been updated successfully.
    • Completed with an error – an error has occurred during the database update.
    • Not performed – the database update task was not performed.
  • Release date and time

    Anti-Virus database release date and time Displayed in the date format defined in the settings of the operating system.

    If the anti-virus databases are outdated by more than one day, the text in this field is highlighted in red.

  If the Anti-Virus databases section and the Release date and time field within this section are highlighted with red, you must update the Anti-Virus databases. If necessary, you can configure the Anti-Virus database update settings.

  If the last Anti-Virus database update ended with an error, the Anti-Virus databases section is highlighted in red and the error message is displayed in the Status field.

  Clicking the Configure update settings link opens the workspace of the Updates node.

• The Statistics section shows the following counters with the number of messages moved to Quarantine for rescanning for spam:
  • Current number of messages in Quarantine

    Number of messages currently in Quarantine.

  • Total number of messages moved to Quarantine

    Number of messages moved to Quarantine since the application started receiving statistics.

  Displayed underneath the counters in the Statistics configuration section are charts with performance statistics of application modules over the past seven days:

  • Anti-Spam

    The chart includes the following information:

    • Total messages. Number of messages received for scanning.
    • Containing phishing or spam. Number of scanned messages containing spam or phishing links.
    • Unscanned. Number of messages left unchecked.
    • Clean. Number of messages belonging to the following categories:
      • Scanned messages containing no spam or phishing links.
      • Messages that have been excluded from scanning by means of white lists of senders or recipients.
    • Other items. Number of messages belonging to the following categories:
      • Potential spam.
      • Formal notification.
      • Mass mail.
      • Message that is in the scope of black lists of senders.
      • Messages arriving via trusted connections (if scanning of trusted connections is disabled).
  • Anti-Virus for the Hub Transport role

    This section displays the following statistics:

    • Total messages. Number of messages received for scanning.
    • Infected. Number of messages found to contain malicious objects.
    • Attachments filtered out. Number of messages found to contain files that match the attachment filtering criteria.
    • Unscanned. Number of messages that have not been scanned by the application (for example, due to errors in the application operation).
    • Found clean. Number of messages found to contain no malicious objects after an Anti-Virus scan, as well as no files that match the attachment filtering criteria.
    • Other items. Number of messages categorized as Probably infected.
  • Anti-Virus for the Mailbox role

    The chart includes the following information:

    • Server name. Name of the connected server.
    • Total messages. Number of processed messages.
    • Infected. Number of infected messages detected.
    • Unscanned. Number of messages left unchecked.
    • Found clean. Number of checked messages that are free from threats.
    • Other items. Number of messages categorized as Probably infected and Protected.

  The set of charts may be abbreviated depending on the configuration of the application.

[Topic 70655]

Viewing information about the protection status of Microsoft Exchange servers of a single profile

Expand all | Collapse all

To view information about the protection status of Microsoft Exchange servers of a single profile:

1. Start Management Console by going to the Start menu of the operating system and selecting Programs → Kaspersky Security 9.0 for Microsoft Exchange Servers → Kaspersky Security 9.0 for Microsoft Exchange Servers.
2. In the Profile node of the Management Console tree, select the node of the profile whose Microsoft Exchange server protection status details you want to view.

The following information appears in the workspace of the selected profile:

• The Profile configuration section displays information about the status of the Security Server key added to the Security Servers in the profile:
  • Functionality

    Available application features determined by the current license. Possible values:

    • Full functionality.
    • The license expired. Database updates and technical support are not available. The license has expired. Application database updates and technical support are unavailable.
    • Management only.
    • Update only. Only application database updates.
  • Status
    • The Status field is displayed only for active keys. The following statuses of a Security Server key and its corresponding application restrictions are possible:
      • Current license. The functionality of the Anti-Virus and Anti-Spam modules is unlimited.
      • Trial license has expired. The functionality of the Anti-Virus and Anti-Spam modules is not available, updates of Anti-Virus and Anti-Spam databases are prohibited.
      • License expired. Updates of Anti-Virus and Anti-Spam databases are prohibited, Kaspersky Security Network cannot be used. The functionality of the Anti-Virus and Anti-Spam modules is available.
      • Databases corrupted. Anti-Virus or Anti-Spam databases are corrupted or missing.
      • Key is missing. The functionality of the Anti-Virus and Anti-Spam modules is not available, updates of Anti-Virus and Anti-Spam databases are prohibited.
      • Key blocked. The functionality of the Anti-Virus and Anti-Spam modules is unavailable. Only updates of Anti-Virus and Anti-Spam databases are available.
      • Key blacklist corrupted or missing. The functionality of the Anti-Virus and Anti-Spam modules is unavailable. Only updates of Anti-Virus and Anti-Spam databases are available.
      • Cannot refresh licensing status. The functionality of the Anti-Virus and Anti-Spam modules is unlimited. You can view a description of the error in the Server state section in the License status field.

    If the Status field in the Profile section displays a value other than Current license, the section is highlighted in red. This requires adding an active key after opening the Licensing section via the Manage keys link.

  • Expiration date

    License expiration date.

    If the Expiration date field is highlighted in red, you have to renew the license, for example by adding a reserve key by opening the Licensing node via the Manage keys link.

   

  The time period left until license expiration (during which this field is highlighted in red) is defined by the Notify about license expiration in advance (days before) parameter. This setting is located in the workspace of the Licensingnode. The default value is 15 days.

  • Number of mailboxes

    The maximum number of mailboxes that the application can protect using this key.

  • Additional key

    Information on the availability of a reserve key: Added or Not found.

  Clicking the Manage keys link opens the workspace of the Licensing node in which you can add or remove keys.

• The Server state section shows a table in which columns contain information about the statuses of Security Servers in this profile, as well as updates of application databases, application modules, and the SQL server:
  • Server

    Name of the Microsoft Exchange Server on which the Security Server added to the profile is installed. Possible values:

    • <Microsoft Exchange Server domain name>: if a Security Server installed on a stand-alone Microsoft Exchange Server has been added to the profile.
    • <DAG name – Microsoft Exchange Server domain name>: if a Security Server installed on a Microsoft Exchange Server that belongs to a DAG has been added to the profile.
  • License status

    The license status may have the following values:

    • Current license. The functionality of the Anti-Virus and Anti-Spam modules is unlimited.
    • Trial license has expired. The functionality of the Anti-Virus and Anti-Spam modules is not available, updates of Anti-Virus and Anti-Spam databases are prohibited.
    • License expired. Updates of Anti-Virus and Anti-Spam databases are prohibited, Kaspersky Security Network cannot be used. The functionality of the Anti-Virus and Anti-Spam modules is available.
    • Databases corrupted. Anti-Virus or Anti-Spam databases are corrupted or missing.
    • Key is missing. The functionality of the Anti-Virus and Anti-Spam modules is not available, updates of Anti-Virus and Anti-Spam databases are prohibited.
    • Key blocked. The functionality of the Anti-Virus and Anti-Spam modules is unavailable. Only updates of Anti-Virus and Anti-Spam databases are available.
    • Key blacklist corrupted or missing. The functionality of the Anti-Virus and Anti-Spam modules is unavailable. Only updates of Anti-Virus and Anti-Spam databases are available.

    If the Status field has the value Cannot refresh licensing status, you can read the error description in the License status field.

  • Update status

    Up-to-date status of the application databases on the Security Server. Possible values:

    • Databases are up to date – the application databases have been updated successfully.
    • Database error – an error occurred during the application database update, the databases are obsolete or corrupted, or no updates have been performed.
    • Server unavailable – the Security Server is not available on the network or turned off.
  • Anti-Virus Module

    Status of the Anti-Virus module. Possible values:

    • Disabled – the Anti-Virus module for the Hub Transport and Edge Transport roles or the Anti-Virus module for the Mailbox role is installed; the anti-virus scanning of messages is disabled.
    • Inoperable or running with errors – the Anti-Virus module for the Hub Transport and Edge Transport roles or the Anti-Virus module for the Mailbox role is installed; the anti-virus scanning of messages is enabled, but the Anti-Virus module is not scanning messages for viruses and other threats due to licensing errors, Anti-Virus database errors, or scan errors.
    • Not installed – the Anti-Virus module is not installed for the Hub Transport and Edge Transport roles or the Mailbox role.
    • Enabled – the Anti-Virus module for the Hub Transport and Edge Transport roles or the Anti-Virus module for the Mailbox role is installed; the anti-virus scanning of messages is enabled; the Anti-Virus module is scanning messages for viruses and other threats.
  • Filtering of attachments

    Attachment Filtering module status. Possible values:

    • Disabled – the Attachment Filtering Module is installed, but it is disabled.
    • Inoperable or running with errors – the Attachment Filtering Module is installed and enabled, but it does not perform filtering in messages due to licensing errors or scan errors.
    • Not installed – the Attachment Filtering module is not installed.
    • Enabled – the Attachment Filtering module is installed and enabled.
  • Anti-Spam Module

    Status of the Anti-Spam module. Displayed when the Security Server is installed on a Microsoft Exchange Server that is deployed in the Hub Transport or Edge Transport role. Possible values:

    • Disabled – the Anti-Spam module is installed, anti-spam scanning of messages is disabled.
    • Inoperable or running with errors – the Anti-Spam module is installed, anti-spam scanning of messages is enabled, but the Anti-Spam module is not scanning messages for spam due to licensing errors, Anti-Spam database errors, or scan errors.
    • Not installed: the Anti-Spam module is not installed.
    • Enabled – the Anti-Spam module is installed, and anti-spam scanning of messages is enabled.
  • SQL server

    The status of the SQL server. Possible values:

    • Available.
    • Unavailable.

  If the Security Server is not available, the Update status column displays the Server unavailable status, while the Update status, Anti-Virus Module, and Anti-Spam Module columns are highlighted with red.

  If the Update status column shows a value other than Databases are up to date, the column is highlighted in red.

  If the status of Anti-Virus or Anti-Spam is Disabled or Inoperable or running with errors, the column corresponding to the module is highlighted in red.

  Clicking the link with the Security Server name in the Server column opens the workspace of the corresponding node.

[Topic 18746]

Server protection node

The workspace of this node contains tabs that allow you to configure the settings for Anti-Virus, Anti-Spam, Anti-Phishing, and filtering of attachments and filtering of same-type messages.

Protection for the Mailbox role

Protection for the Transport Hub role

Advanced Anti-Virus settings

[Topic 20591]

Protection for the Mailbox role tab

Expand all | Collapse all

The Virus scan settings drop-down section lets you configure Anti-Virus scan settings.

Enable anti-virus protection for the Mailbox role

The Object processing settings section lets you configure the actions taken by the application on objects detected during the Anti-Virus scan.

Infected object

Protected object

Save a copy of the object in Backup

The Protection for mailboxes drop-down section allows you to select the mailbox storages in which messages need to be scanned for viruses, and configure the background scan settings and run a background scan.

Protected mailbox storages

Protected public folder storages

The Background scan block of settings allows you to define the settings of the background scan of email messages stored on a mail server and the contents of public folders as well as run the background scan.

Schedule

Scan message text

Scan recent messages only

Scan messages received before background scan start but not earlier than (days) before

Limit the scan time

Stop scan in (hours)

Start scan

The On-demand scan configuration section lets you configure the on-demand scan settings for email messages and other objects stored in the selected mailboxes and shared folders, and to run an on-demand scan.

Scan message text

Scan recent messages only

Scan messages received before background scan start but not earlier than (days) before

Limit the scan time

Stop scan in (hours)

Scan scope

Start scan

[Topic 18757]

Protection for the Hub Transport role tab

Expand all | Collapse all

Virus scan settings

The Virus scan settings drop-down section lets you configure Anti-Virus scan settings.

Enable anti-virus protection for the Hub Transport role

The Object processing settings section lets you configure the actions taken by the application on objects detected during the Anti-Virus scan.

Infected object

Save a copy of the object in Backup

Filtering of attachments

The Filtering of attachments drop-down section allows you to configure rules for filtering files attached to messages.

Enable attachment and content filtering

Filtering messages of the same type

The Filtering messages of the same type drop-down section lets you configure a limit on the number of messages sent by a user of your organization per unit of time. The main purpose of this limit is to prevent a situation where an infected mailbox automatically generates an endless stream of messages sent to internal and external recipients. Normally, such messages have a common attribute, such as the same subject or the same attachment.

Limit the number of same-type messages sent by an internal user

Maximum permissible number of messages

Time interval (min)

Apply the limit to the following types of messages

Action

Do not apply the limit to the following internal senders

Anti-Spam scan settings

The Anti-Spam scan settings drop-down configuration section lets you configure the settings for scanning messages for spam and phishing content.

Enable anti-spam scanning of messages

Sensitivity level

The Spam processing settings section lets you configure the actions to be taken by the application on messages depending on the status tag assigned by Anti-Spam, as well as configure the use of additional spam analysis services.

Table of spam processing settings

Enable anti-phishing scanning of messages

Table of phishing processing settings

Use Kaspersky Security Network

Maximum waiting time when requesting KSN

Use Reputation Filtering

Use Enforced Anti-Spam Updates Service

Outgoing message processing settings

Scan outgoing messages and delete spam messages or messages containing phishing links

White list of Anti-Spam addresses

The White list of Anti-Spam addresses dropdown section allows you to create the white list of message sender and recipient addresses. The application will not scan messages from those senders or to those recipients for spam and / or bulk email delivery.

You can add the addresses of internal and external senders and recipients to this list.

Add recipient

Add sender

Change

Delete

Table of white list addresses

Export

Import

Black list of Anti-Spam addresses

The Black list of Anti-Spam addresses dropdown section allows you to create a black list of message senders. The application assigns those messages the Address blacklisted status and processes them in accordance with the settings that have been defined for this status in the spam processing settings. You can expand this list by adding the addresses of senders from which you need to always delete or reject messages.

Add sender

Change

Delete

Table of black list addresses

Export

Import

Spam rating detection settings

The Spam rating detection settings dropdown section allows you to configure an increase in the spam rating of messages that show indirect signs of spam.

The Increase spam rating if section lets you configure an increase in the spam rating of a message based on results of analysis of the sender's and recipient's addresses.

"To" field contains no addresses

Sender's address contains numbers

Sender's address in the message body does not contain the domain part

The Increase spam rating if the subject contains section lets you configure an increase in the spam rating of a message based on results of the e-mail subject analysis.

More than 250 characters

Many blanks and/or dots

Time stamp

The Increase spam rating if the message language is section lets you configure an increase in the spam rating of the message based on the results of message language analysis.

Chinese

Korean

Thai

Japanese

Using external Anti-Spam services

The Using external Anti-Spam services drop-down section lets you configure the usage of external services that scan IP addresses and URL addresses for spam.

Use external resources for spam scan

The DNSBL settings section lets you configure usage of the DNSBL service (Domain Name System Blocklist).

Use set of DNSBL black lists

Server DNS name

Weighting coefficient

The SURBL settings section lets you configure usage of the SURBL service (Spam URI Realtime Block List).

Use set of SURBL black lists

Check sender IP for presence in DNS

Check SPF record

Check if sender's IP address is dynamic

Maximum DNS request timeout

Advanced settings of Anti-Spam

The Advanced settings of Anti-Spam drop-down section lets you limit the maximum duration of message scanning and size of the object being scanned, as well as configure scan settings for Microsoft Office files and other additional Anti-Spam settings.

The Restrictions section lets you limit the duration of message scanning by Anti-Spam and the maximum size of the message being scanned.

Maximum time for scanning a message

Maximum object size to scan

The Scan settings for Microsoft Office files section lets you configure the settings of Microsoft Office documents scanning.

Scan DOC files

Scan RTF files

The Other settings section allows you to configure the use of image analysis technology and configure scanning of trusted connections and scanning of messages sent to the Postmaster address for spam.

Use image analysis

Scan messages arriving over trusted connections for spam

Skip messages for the Postmaster address

[Topic 48563]

Advanced Anti-Virus settings tab

Expand all | Collapse all

Use Kaspersky Security Network

Maximum waiting time when requesting KSN

Scan attached containers/archives

Scan attached containers/archives with nesting level not higher than

Do not scan files matching the masks

Do not scan messages for the following recipients

Edit (Attachment deletion message following a virus scan)

Edit (Attachment deletion message following a filter rule)

[Topic 139947]

About Kaspersky Security Network

Kaspersky Security Network is an infrastructure of cloud services providing access to Kaspersky's online knowledge base with the following information:

• Reputation of files, websites, and applications
• Categories of files, websites, and applications (for example, an operating system file, computer game, Adult content website)
• Frequency of file detection in all countries of the world and geography of file distribution
• Statistics on how files and websites are trusted by users of Kaspersky applications worldwide (Kaspersky Application Advisor)
• Recalls by Kaspersky AV analysts of individual virus signatures in local databases of anti-virus applications (for example, a verdict changed from "dangerous" to "safe" for a particular object)

Kaspersky Security Network data is used in Kaspersky applications for the following purposes:

• Ensure a faster response by applications to objects whose information is not yet included in anti-virus application databases.
• Reduce the probability of Anti-Spam false alarms.
• Improve the performance of certain protection components.

  For example, the anti-virus application can perform the following actions based on Kaspersky Security Network data:

  • Block user access to malicious websites.
  • Block execution of malicious files on the user's computer.
  • Restrict access to specific categories of files and websites (for example, restrict files and websites of the Computer Games category from being opened during office hours).

If the user participates in Kaspersky Security Network, the Kaspersky application installed on the user's computer receives information from Kaspersky Security Network and sends Kaspersky information about potentially dangerous objects detected on the user's computer to be analyzed additionally by Kaspersky analysts and to be included in reputation and statistical databases of Kaspersky Security Network.

[Topic 71170]

Participating in Kaspersky Security Network

To protect your computer more effectively, Kaspersky Security uses data that is collected from users around the globe. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the effectiveness of some protection components, and reduces the risk of false positives.

Thanks to your participation in Kaspersky Security Network, Kaspersky is able to promptly gather information about types and sources of threats, develop solutions for neutralizing them, and process spam messages with a high level of accuracy.

If you participate in Kaspersky Security Network, certain statistics are collected while Kaspersky Security is running and are automatically sent to Kaspersky. Also, additional checking at Kaspersky may require sending files (or parts of files) that are imposed to an increased risk of being exploited by intruders to do harm to the user's computer or data.

Certain considerations may have to be kept in mind when processing user data depending on whether the user is located in a particular region in accordance with local regulations. If you are participating in Kaspersky Security Network and cross borders into different regions, you will receive notifications about the transition to a different KSN segment. If your application is configured to send notifications about system errors, the warning will also be sent to the specified email addresses.

Participation in Kaspersky Security Network is voluntary. You can opt out of participating in Kaspersky Security Network at any time. Any information about data that the application sends to Kaspersky can be obtained through the KSN Statement.

You can enable or disable Kaspersky Security Network for Anti-Virus and Anti-Spam.

To reduce the load on KSN servers, Kaspersky specialists can release updates for the applications that temporarily turn off or partially restrict access to Kaspersky Security Network. In this case, you will receive warnings about the limited use of KSN in the Windows Event Log. When it returns to normal operating mode, you will also receive a notification in the Windows Event Log. If your application is configured to send notifications about system errors, the warning and notification will also be sent to the specified email addresses.

[Topic 139934]

About Kaspersky Private Security Network

You can use

Kaspersky Private Security Network (KPSN) is a solution that lets you receive access to Kaspersky Security Network data via a server located within your organization's network. KPSN enables Kaspersky applications to receive access to the online Kaspersky Knowledge Base for information about the reputation of files, web resources, and software. KPSN does not transmit statistics and files to Kaspersky. For more detailed information, please refer to the Kaspersky Private Security Network Administrator's Guide.

The Kaspersky Private Security Network service was designed for corporate customers who are unable to participate in Kaspersky Security Network for any of the following reasons:

• Servers have no Internet connection
• Legislative ban on transmitting any data outside of the country
• Corporate security requirements imposed on the transmission of any data outside of the corporate LAN

Application services that use KPSN in their operation do not require an Internet connection. Other Kaspersky Security components, such as the Enforced Anti-Spam Updates Service, components that perform application database updates, and components that perform application activation, require an Internet connection.

Data that the application exchanges with KPSN servers is transmitted only within the corporate LAN. The data that the application transmits to KPSN does not include statistics. The application transmits statistics only to KSN servers.

The Anti-Spam Module transmits the following data to KPSN servers:

• IP address of the sender of an email message.
• IP address of intermediate servers involved in transmitting the message and mail servers through which the message was transmitted.
• Names of the domains of the message sender from the SMTP session and MIME header.
• Web addresses contained in the scanned message. If such addresses contained passwords, the passwords are not transmitted to KPSN servers.
• Short text signatures for message text. Text signatures are irreversible compressions of text that do not allow for the original text to be restored. The message text is not transmitted. The application uses short text signatures to filter known spam messages and to provide verdicts based on the results of such filtering.
• Checksum (MD5) from the email address of the sender of the message being scanned.
• Checksums (MD5) of graphic objects included in the message.
• Categories of the content filtering database.
• Text topic category determined by the application
• List of categories determined by the application during scanning by the heuristic analyzer
• Checksum (MD5) of the name of the file attached to the message

The Anti-Phishing Module transmits to KPSN servers web addresses that the application detected in a message when scanning the message for phishing links.

The Anti-Virus Module transmits the following data to KPSN servers:

• Check sums of processed files (MD5, SHA2-256)
• ID and version of the record related to the threat in the anti-virus database

[Topic 140552]

Configuring the settings for connecting to Kaspersky Private Security Network

To configure the settings for connecting to Kaspersky Private Security Network:

1. Perform the following steps in the Management Console tree:
   • If you want to configure the connection to Kaspersky Private Security Network for an unassigned Security Server, expand the node of the relevant Security Server.
   • If you want to configure the KPSN connection settings for Security Servers belonging to a profile, expand the Profiles node and within it expand the node of the profile for whose Security Servers you want to configure the connection to Kaspersky Private Security Network.
2. Select the Settings node.
3. In the workspace, expand the KSN Settings section of settings.
4. Select the Use Kaspersky Private Security Network (KPSN) check box.

   The Import button becomes activated.

5. Click the Import button.

   The Open folder window opens.

6. In the Open folder window, select the folder containing the files with the settings for connecting to Kaspersky Private Security Network servers.

   The following files are provided by Kaspersky:

   • Files containing the settings for connecting to KPSN servers:
     • kc_private.xms;
     • kh_private.xms.
   • ksncli_private.dat – file containing a public RSA key for encrypting the channel used to transmit data between the application and Kaspersky Private Security Network servers.

   For detailed information please refer to Technical Support.

   If you have received files containing settings for connecting to Kaspersky Private Security Network servers and the names of those files differ from the names specified in this reference document, change the file names to match the file names specified in this reference document.

7. Click OK.
8. Click the Save button.

The application imports files containing the connection settings and applies the received settings for the connection with Kaspersky Private Security Network servers.

If you are using Kaspersky Private Security Network for the purpose of not transmitting your organization's data over the Internet, make sure that you have disabled other additional Kaspersky Security services such as the Enforced Anti-Spam Update Service that requires an Internet connection to exchange data with Kaspersky servers.

[Topic 129469]

Enabling and disabling the use of Kaspersky Security Network and Kaspersky Private Security Network in Anti-Spam

To enable or disable the use of Kaspersky Security Network and Kaspersky Private Security Network in Anti-Spam:

1. Perform the following steps in the Management Console tree:
   • If you want to enable or disable the use of KSN and KPSN in Anti-Spam for an unassigned Security Server, expand the node of the relevant Security Server.
   • If you want to enable or disable the use of KSN and KPSN in Anti-Spam for Security Servers belonging to a profile, expand the Profiles node and within it maximize the node of the profile for whose Security Servers you need to enable or disable it.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Anti-Spam scan settings configuration section.
4. In the bottom part of the section, select the Use Kaspersky Security Network check box.

   The Use Kaspersky Security Network check box is available if the I accept the KSN Statement option is selected in the KSN Settings section in the Settings node. Use Kaspersky Security Network or the Use Kaspersky Private Security Network (KPSN) option. All settings of the Kaspersky Security Network service are applied to the Kaspersky Private Security Network service.

5. If necessary, specify the timeout for requests to a KSN server in the Maximum waiting time when requesting KSN scroll field.

   The default value is 5 sec.

6. Click the Save button.

If you are using profiles to manage Security Servers located in different regions (distributed infrastructure), the changes you made will be applied after Active Directory data replication occurs in the organization. If you need to apply the changes sooner, perform a forced synchronization of Active Directory data.

[Topic 76345]

Enabling and disabling the use of Kaspersky Security Network and Kaspersky Private Security Network in Anti-Virus

To enable / disable KSN in Anti-Virus:

1. Perform the following steps in the Management Console tree:
   • To enable or disable KSN in Anti-Virus for an unassigned Security Server, expand the node of the relevant Security Server.
   • To enable or disable KSN in Anti-Virus for Security Servers belonging to a profile, expand the Profiles node and inside it expand the node of the profile for whose Security Servers you need to enable or disable it.
2. Select the Server protection node.
3. In the workspace, select the Advanced Anti-Virus settings tab.
4. In the bottom part of the section, select the Use Kaspersky Security Network check box.

   The Use Kaspersky Security Network check box is available if the I accept the KSN Statement option is selected in the KSN Settings section in the Settings node. Use Kaspersky Security Network or the Use Kaspersky Private Security Network (KPSN) option. All settings of the Kaspersky Security Network service are applied to the Kaspersky Private Security Network service.

5. If necessary, specify the timeout for requests to a KSN server in the Maximum waiting time when requesting KSN scroll field.

   The default value is 5 sec.

6. Click the Save button.

If you are using profiles to manage Security Servers located in different regions (distributed infrastructure), the changes you made will be applied after Active Directory data replication occurs in the organization. If you need to apply the changes sooner, perform a forced synchronization of Active Directory data.

[Topic 28854]

Anti-virus protection

One of the main purposes of Kaspersky Security is the anti-virus protection, which aims the application at scanning the mail flow and messages in mailboxes for viruses and other security threats, as well as disinfecting infected messages and other Microsoft Exchange objects, such as messages, tasks, or entries in shared folders.

Hereinafter, any information and instructions on how to perform actions on messages without affecting the integrity are also applicable to other Microsoft Exchange objects (such as tasks, appointments, meetings, entries), if there is no other specifically assigned condition.

General performance principles of Anti-Virus

Anti-Virus scans messages using the

Anti-Virus scans the message body and attachments in any format.

Kaspersky Security differentiates between the following types of objects that are scanned: a simple object (message body or a simple attachment, such as an executable file) and a container object, which consists of several objects (such as an archive or a message with another message attached).

When scanning multivolume archives, the application processes each volume as a separate object. In this case, Kaspersky Security can detect malicious code only if the code is fully located in one of the volumes. If the malicious code is also divided into parts during a partial download, it will not be detected during the scan. In this situation, the malicious code may propagate after the object is restored as one entity. Multiple-volume archives can be scanned after they are saved to the hard drive by the anti-virus application installed on the user's computer.

If necessary, you can define a list of objects that should not be scanned for viruses. Archives, all container objects with a nesting level above the specified value, files matching name masks, andmessages addressed to specific recipients can be excluded from scanning.

Files over 1 MB will be saved to the Store folder for processing. The Store folder is located in the application Data folder. The Data folder also contains the temporary files storage – the Tmp folder. The Store and Tmp folders should be excluded from scanning by anti-virus applications running on computers with a Microsoft Exchange server installed.

Following the scan, Anti-Virus assigns one of the following status tags to each message:

• Infected: the object has been scanned and contains at least one known virus.
• Not infected: the object has been scanned and contains no viruses.
• Protected: the object has not been scanned, protected with a password.

If an e-mail message or a part of it is infected, Anti-Virus processes the detected malicious object in accordance with the specified settings.

In the settings of Anti-Virus, you can configure the actions that the application will perform on messages containing malicious objects. You can configure the following actions:

• Skip. Anti-Virus skips the message and the malicious object which it contains.
• Delete object. Anti-Virus deletes the malicious object but allows the message to pass.
• Delete message. Anti-Virus deletes the message along with the malicious object.

When a malicious object is deleted on a Microsoft Exchange server, the message or attachment containing the malicious object is replaced with a text file containing the name of the malicious object, the release date of the database used to detect the malicious object, and the name of the Microsoft Exchange server on which the object was detected.

Before an item is processed, its copy can be saved in Backup.

Anti-Virus consists of two application modules: Anti-Virus for the Hub Transport role and Anti-Virus for the Mailbox role.

Anti-Virus for the Hub Transport role

Anti-Virus for the Hub Transport role scans in real time all e-mail messages arriving at the Microsoft Exchange server. It processes both incoming and outgoing e-mail traffic as well as the stream of transit messages. If anti-virus protection of the server is enabled, traffic scanning starts and stops simultaneously with the starting and stopping of the Microsoft Exchange server.

Anti-Virus for the Mailbox role

Anti-Virus for the Mailbox role scans messages and other Microsoft Exchange items located in users' mailboxes within an organization and shared folders, searching for viruses and other security threats.

Protection provided by Anti-Virus for the Mailbox role covers all mailboxes and shared folders that are located in protected mailbox storage areas and protected storage areas for shared folders, respectively. You can include mailbox repositories and shared folder repositories in Anti-Virus protection individually, or exclude them.

Microsoft Exchange 2013 and Microsoft Exchange 2016 mail servers feature no storage of shared folders. Those mail servers store mailboxes and shared folders in common storage areas.

When a user whose mailboxes are protected creates messages in public folders of unprotected Microsoft Exchange servers, Kaspersky Security does not scan such messages. If messages are transferred from public folders of an unprotected storage to a protected one, the application scans them. During data replication between protected and unprotected storages, any changes made by the application as a result of the anti-virus scan are not synchronized.

How to prevent detainment when sending messages through Anti-Virus

In exceptional cases, failures in the anti-virus kernel operation may result in significantly increased times of message scanning by Anti-Virus. In such cases, Anti-Virus temporarily switches to the restricted scan mode in order to prevent message detainment. In this mode, some messages can be skipped without undergoing anti-virus scanning.

If an application that collects information and sends it to be processed is installed on your computer, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from scanning by configuring Kaspersky Security as described in this document.

[Topic 26326]

Enabling and disabling anti-virus server protection

If the anti-virus server protection is enabled, anti-virus scanning of e-mail traffic is started or stopped together with the Microsoft Exchange server. Background scanning of storages can be launched either manually or automatically according to schedule.

Disabling anti-virus protection of the server considerably increases the risk of malware infiltrating the e-mail system. You are advised not to disable anti-virus protection unless absolutely necessary.

Anti-virus protection of a Microsoft Exchange server deployed in Mailbox and Hub Transport roles is enabled separately.

To enable or disable Anti-Virus protection of the Microsoft Exchange server in the Mailbox role:

1. Perform the following steps in the Management Console tree:
   • To enable or disable anti-virus protection of an unassigned Security Server, maximize the node of the relevant Security Server;
   • To enable or disable anti-virus protection of Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure anti-virus protection.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Mailbox role tab, in the Virus scan settings configuration section, perform one of the following actions:
   • Select the Enable anti-virus protection for the Mailbox role check box if you want to enable the Anti-Virus protection of the Microsoft Exchange Server.
   • Clear the Enable anti-virus protection for the Mailbox role check box if you want to disable the Anti-Virus protection of the Microsoft Exchange Server.
4. Click the Save button.

If the application is running on a DAG of Microsoft Exchange servers, anti-virus server protection enabled for the Mailbox role on one of the servers is enabled automatically on the remaining servers within this DAG. Enabling anti-virus protection for the Mailbox role on the remaining DAG servers is not necessary.

To enable Anti-Virus protection of the Microsoft Exchange server in the Hub Transport role:

1. Perform the following steps in the Management Console tree:
   • To enable or disable anti-virus protection of an unassigned Security Server, maximize the node of the relevant Security Server;
   • To enable or disable anti-virus protection of Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure anti-virus protection.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, in the Virus scan settings configuration section, perform one of the following actions:
   • Select the Enable anti-virus protection for the Hub Transport role check box if you want to enable the Anti-Virus protection of the Microsoft Exchange Server.
   • Clear the Enable anti-virus protection for the Hub Transport role check box if you want to disable the Anti-Virus protection of the Microsoft Exchange Server.
4. Click the Save button.

[Topic 97932]

Configuring anti-virus object processing: Anti-Virus for the Hub Transport role

Expand all | Collapse all

You can configure Anti-Virus processing of objects by selecting the action to be taken by Anti-Virus for the Hub Transport role on each type of objects.

To configure object processing settings:

1. Perform the following steps in the Management Console tree:
   • To configure the settings of anti-virus processing of objects for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the settings of anti-virus processing of objects for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the settings of anti-virus processing of objects.
2. Select the Server protection node.
3. On the Protection for the Transport Hub role tab, expand the Virus scan settings section.
4. In the Object processing settings section, configure the following setting:

   Infected object

   The drop-down list Infected object lets you select the action to be taken by the application upon detecting an infected object.

   The following options are available:

   • Allow. The application delivers the message with the infected object to the recipient unchanged.

     If the Add label to message header and Tag for external recipients check boxes are selected, the application adds an extra text (tag) to the message subject. The Add label to message header check box adds a tag to messages for internal recipients, while the Tag for external recipients check box adds a tag for external recipients. The tag text can be edited. Default tag value: [Infected object detected].

   • Delete object. The application attempts to disinfect the infected object. If disinfection has failed, the application deletes the infected object and delivers the message to the recipient.

     If the Add label to message header and Tag for external recipients check boxes are selected, the application adds an extra text (tag) to the message subject. The Add label to message header check box adds a tag to messages for internal recipients, while the Tag for external recipients check box adds a tag for external recipients. The tag text can be edited. Default tag value: [Infected object deleted].

   • Delete message. The application completely deletes the message containing the infected object.
5. To have the application save a copy of the object in Backup before processing it, select the Save a copy of the object in Backup.

If the application is running in a configuration with a DAG of Microsoft Exchange servers, you have to configure anti-virus processing of objects for the Hub Transport role on each server in the DAG individually.

[Topic 26328]

Configuring anti-virus processing of objects: Anti-Virus for the Mailbox role

You can configure anti-virus processing of objects by selecting the action to be taken by Anti-Virus for the Mailbox role on each type of objects.

To configure object processing settings:

1. Perform the following steps in the Management Console tree:
   • To configure the settings of anti-virus processing of objects for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the settings of anti-virus processing of objects for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the settings of anti-virus processing of objects.
2. Select the Server protection node.
3. On the Protection for the Mailbox role tab, expand the Virus scan settings configuration section.
4. In the Object processing settings section, define the following settings:
   • Infected object

     The drop-down list Infected object lets you select the action to be taken by the application upon detecting an infected object.

     The following options are available:

     • Allow. The application delivers the message with the infected object to the recipient unchanged.
     • Delete object. The application attempts to disinfect the infected object. If disinfection has failed, the application deletes the infected object and delivers the message to the recipient.
     • Delete message. The application completely deletes the message containing the infected object.
   • Protected object

     In the Protected object dropdown list, you can select the action to be performed by the application on detecting a password-protected object.

     The following options are available:

     • Allow. The application delivers the message with the password-protected object to the recipient unchanged.
     • Delete message. The application completely deletes the message containing the password-protected object.
5. To have the application save a copy of the object in Backup before processing it, select the Save a copy of the object in Backup.

If the application is running in a configuration with a DAG of Microsoft Exchange servers, the object processing settings defined for the Mailbox role on this server are automatically applied to other servers in this DAG. You do not have to configure anti-virus object processing for the Mailbox role on other servers in the DAG.

[Topic 26704]

Configuring anti-virus scan exclusions

To ease the load on the server during an anti-virus scan, you can configure scan exclusions by limiting the range of objects to scan. Anti-virus scan exclusions apply to both e-mail traffic scanning and background scanning of storages.

You can configure anti-virus scan exclusions as follows:

• Disable scanning of containers and archives.
• Configure exclusions by file name masks.

  Files with names matching the specified masks are excluded from the anti-virus scan.

• Configure exclusions by recipient's address.

  Messages addressed to the specified recipients are excluded from the anti-virus scan.

If the application is running on a DAG of Microsoft Exchange servers, all exclusions from scan configured on any of the servers are automatically applied to all Microsoft Exchange servers in the same DAG. Configuring exclusions from scan on the rest of the servers in this DAG is not necessary.

[Topic 63841]

About trusted recipients

You can exclude messages addressed to specific recipients by specifying the addresses of these recipients in the list of trusted recipients. The list is empty by default.

You can add recipients' addresses to the list of trusted recipients in the form of entries of the following types:

• Active Directory objects:
  • User.
  • Contact.
  • Distribution Group.
  • Security Group.

  It is recommended to add addresses in the form of entries of this type.

• SMTP addresses in the mailbox@domain.com format.

  Entries of this type should be added when Anti-Virus is installed for the Hub Transport role or the address you want to exclude cannot be located in Active Directory.

  To exclude a public folder from scanning by Anti-Virus for the Hub Transport role, you should add all of its SMTP addresses (if there are several of them) to the list of trusted recipients. If any of the SMTP addresses of the public folder are not on the list, messages arriving in the public folder can be scanned by Anti-Virus.

• Display Name.

  Entries of this type should be added when Anti-Virus is installed for the Mailbox role or the address you want to exclude cannot be located in Active Directory.

• Public folders.

  Entries of this type should be added if Anti-Virus has been installed for the Mailbox role. Public folders cannot be selected from Active Directory. The full path to the public folder should be specified when adding such entries.

When Anti-Virus is installed for the Mailbox role and the Hub Transport role and the address you want to exclude cannot be located in Active Directory, the list of trusted recipients should include two entries corresponding to this address: SMTP address and user / group name. Otherwise, messages sent to this address will not be excluded from the scan.

Recipients' addresses specified in the form of Active Directory objects are excluded from the anti-virus scan according to the following rules:

• If the recipient's address is specified as a User or a Contact, messages addressed to this recipient are excluded from scanning.
• If the address is specified as a Distribution Group, messages addressed to this distribution group are excluded from the scan. However, messages addressed personally to individual distribution group members are not excluded from the scan unless their addresses have been added to the list separately.
• If the address is specified as a Security Group, messages addressed to this group and its members are excluded from the scan.

The application automatically updates user addresses received from Active Directory following changes to the relevant Active Directory accounts (for example, when a user's email address has changed or a new member has been added to a security group). This update is performed once a day.

[Topic 60936]

Configuring exclusions by recipient addresses

You can exclude messages addressed to specific recipients by specifying the addresses of these recipients in the list of trusted recipients.

To configure exclusions by recipient's address:

1. Perform the following steps in the Management Console tree:
   • If you want to configure exclusions by recipient address for an unassigned Security Server, expand the node of the relevant Security Server.
   • If you want to configure exclusions by recipient address for Security Servers belonging to a profile, expand the Profiles node and then expand the node of the profile for whose Security Servers you want to configure exclusions.
2. Select the Server protection node.
3. In the workspace, select the Advanced Anti-Virus settings tab.
4. Select the Do not scan messages for the following recipients check box.
5. Add the recipient's address to the list of trusted addresses. To do so, perform the following:
   • To add an Active Directory account to the list:
     1. Click the button.
     2. In the window that opens, locate the relevant Active Directory account and click OK.

     Addresses selected in Active Directory are marked in the list by the following symbols:

     • – users, contacts, distribution groups;
     • – security groups.
   • To add an SMTP address, a user name, or a public folder to the list:
     • To add an SMTP address or a user name to the list, type it in the entry field and click the button.
     • To add a public folder, enter the path to the folder and click the button.

     Addresses added in this way are marked on the list by the icon.

     Addresses added in this way are not checked for their presence in Active Directory.

6. To remove a recipient's address from the list of trusted recipients, highlight the recipient's entry in the list and click the button.
7. To export a list of trusted addresses to file:
   1. Click the button.
   2. In the window that opens, specify the file name in the File name field.
   3. Click the Save button.
8. To import a list of trusted addresses from file:
   1. Click the button.
   2. In the window that opens, in the File name field specify the file containing the list of trusted addresses.
   3. Click the Open button.
9. Click the Save button.

[Topic 60935]

Configuring exclusions by file name mask

To configure exclusions by file name masks:

1. Perform the following steps in the Management Console tree:
   • To configure exclusions by file name masks for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure exclusions by file name masks for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure exclusions.
2. Select the Server protection node.
3. In the workspace, select the Advanced Anti-Virus settings tab.
4. Select the Do not scan files matching the masks check box.
5. Add a file name mask (hereinafter also "mask") to the list of masks. To do so, perform the following:
   1. Type the mask in the entry field.

      Examples of allowed file name masks:

      • *.txt - all files with the *.txt extension, for example, readme.txt or notes.txt;
      • readme.??? – all files named readme with an extension of three characters, for example, readme.txt or readme.doc;
      • test - all files named test without an extension.
   2. Click the button on the right of the entry field.
6. To delete a mask from the list of masks, highlight the mask entry in the list and click the button.
7. To export the list of masks file:
   1. Click the button;
   2. In the window that opens, specify the file name in the File name field
   3. click the Save button.
8. To import a list of masks from file:
   1. Click the button;
   2. In the window that opens, in the File name field specify the file containing the list of masks.
   3. Click the Open button.
9. Click the Save button.

This setting is considered during attachment filtering. Files that have been excluded from Anti-Virus scanning by file names and/or file name masks will also be excluded from attachment filtering.

[Topic 26327]

Configuring scanning of attached containers and archives

Kaspersky Security scans attached archives and containers by default. You can disable scanning of attachments or limit the nesting level of such objects to optimize the operation of Kaspersky Security, decrease the server load, and decrease mail traffic processing time. It is not recommended that you disable scanning of attachments for a long time, since they may contain viruses and other malicious objects.

To configure scanning of attached containers and archives:

1. Perform the following steps in the Management Console tree:
   • To configure scanning of attached containers and archives for an unassigned Security Server, maximize the node of the relevant Security Server
   • To configure scanning of attached containers and archives for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure scanning.
2. Select the Server protection node.
3. In the workspace, select the Advanced Anti-Virus settings tab.
4. Enable / disable scanning of attached containers and archives by performing one of the following actions:
   • If you want the application to scan such objects, select the Scan attached containers/archives check box.
   • If you want the application to ignore such objects, clear this check box.
5. If you want to limit the maximum allowed nesting level of archives and containers being scanned, select the Scan attached containers/archives with nesting level not higher than check box and specify the limit in the spin box.
6. Click the Save button.

If the application is running on a Microsoft Exchange DAG, the settings for scanning of attached containers and archives configured on one of the servers will be automatically applied to all servers within the DAG. Configuring scanning of attached containers and archives on other servers of the DAG is not necessary.

[Topic 166318]

Editing of the message regarding removal of an attachment by the Anti-Virus module

If the application removes an attached file from an email message based on the results of a virus scan, a TXT file is attached to the outgoing message. This file contains text informing the user about the action taken by the application. By default, the text includes a list of deleted objects. You can edit the contents of this information message and include instructions or other information relevant for employees of your organization.

To edit the message informing the user about the deletion of an attached object by the Anti-Virus module:

1. In the Management Console tree, expand the node of the relevant Security Server.
2. Select the Server protection node.
3. In the workspace, select the Advanced Anti-Virus settings tab.

Click the Edit button (Attachment deletion message following a virus scan).

1. In the opened window, in the Message text field, edit the contents of the message.
2. Click OK.
3. Click the Save button.

This information message template is not applicable for Microsoft Exchange Server 2010 mail servers in the Mailbox role.

[Topic 99915]

How to prevent detainment when sending messages through the Anti-Virus module

In exceptional cases, when the Anti-Virus module is running, the time spent for scanning messages with the anti-virus kernel may increase significantly. This may happen when a failure occurs in the anti-virus kernel operation. An increased scan duration may result in a queue of messages waiting to be scanned by Anti-Virus. As a result, delivery of a message to a user may be postponed, or the user may encounter an increased waiting time when opening messages that have already been received.

To resolve this issue, the application provides the option of preventing such message lags in the Anti-Virus module. When a failure is detected in the anti-virus kernel, the application performs the following actions:

• Switches Anti-Virus into a mode in which it can skip waiting messages without scanning them, for a short period of time
• Displays an error message in the server protection status window, in the workspace of the <Server name> node
• Records an error message in the application log
• Notifies you of the error by email if notifications of system errors have been enabled

When the specified time interval elapses, Anti-Virus resumes message scanning in standard mode. If the failure in the anti-virus kernel operation has not yet been eliminated, the process described above will be repeated.

[Topic 97985]

Types of attachment files window

Expand all | Collapse all

In this window, you can create a list of file types that the application will use to filter attachments by file type.

File types

[Topic 97988]

Names of attachment files window

In this window, you can create a list of file names that the application will use to filter attachments by file name.

It is acceptable to specify wildcards in file names, such as attach*.*, report?.doc*.

To create a list, you can use the entry field and the following buttons:

•  - add the record from the entry field to the list.
•  – remove the selected record from the list.
•  – export the list to a file.
•  – import the list from a file.

[Topic 28871]

Protection against spam and phishing

A key feature of Kaspersky Security is filtering out spam from the mail traffic passing through the Microsoft Exchange server. The Anti-Spam module filters incoming mail before messages reach user mailboxes.

Anti-Spam scans the following types of data:

• Internal and external traffic via SMTP using anonymous authentication on the server.
• Messages arriving on the server through anonymous external connections (edge server).
• Outgoing Emails.

Anti-Spam does not scan the following types of data:

• Internal corporate mail traffic.
• External mail traffic arriving on the server during authenticated sessions. The scanning of this mail traffic can be enabled manually using the Scan messages arriving over trusted connections for spam setting.
• Messages arriving from other servers of the Microsoft Exchange mail infrastructure, because connections between servers within the same Microsoft Exchange infrastructure are considered to be trusted. Notably, if messages arrive in the infrastructure via a server on which Anti-Spam is inactive or not installed, the messages are not scanned for spam on all subsequent servers of this infrastructure along the path traveled by messages. The scanning of such messages can be enabled manually using the Scan messages arriving over trusted connections for spam setting.

Anti-Spam scans the message header, contents, attachments, design elements, and other message attributes. While performing the scan, Anti-Spam uses linguistic and heuristic algorithms that involve comparing the message being scanned with sample messages, as well as additional cloud services, such as Kaspersky Security Network.

After filtering, Anti-Spam assigns one of the following statuses to messages:

• Spam. The message shows signs of spam.
• Potential spam. The message shows signs of spam but its spam rating is not high enough to mark it as spam.
• Mass mailing. A message belongs to a mass mailing (usually a news feed or advertisement) that lacks sufficient attributes for a spam verdict.
• Formal notification. An automatic message informing, for example, about mail delivery to the recipient.
• Clean. The message shows no signs of spam.
• Blacklisted. The sender's email address or IP address is on the black list of addresses.

  When checking the internal flow of mail that is sent over the SMTP protocol and when enabling spam filtering for messages that are sent through trusted connections, Anti-Spam sets the status to Clean for the following messages: newsletter messages as well as technical messages and messages whose spam rating does not allow them to be classified like spam.

You can choose actions to be taken by the application on messages with a particular status. The following operations are available for selection:

• Allow. The message is delivered to recipients unchanged.
• Reject. An error message is returned to the sending server (error code 500), and the message is not delivered to the recipient.
• Delete. The sending server receives a notification that the message has been sent (code 250), but the message is not delivered to the recipient.
• Add SCL value. The application will assign a rating to messages indicating the probability of spam content inside (SCL, Spam Confidence Level). The SCL rating is a number ranging from 1 to 9. A high SCL rating means a high probability that the message is spam. The SCL rating is calculated by dividing the spam rating of the message by 10. If the resulting value exceeds 9, the SCL rating is assumed to equal 9. The SCL rating of messages is taken into account during subsequent processing of messages by the Microsoft Exchange infrastructure.
• Add label to message header. Messages that have been tagged as Spam, Potential spam, Mass mailing or Blacklisted are marked with special tags in the message subject: [!!SPAM], [!!Probable Spam], [!!Mass Mail] or [!!Blacklisted], respectively. You can edit the text of such tags.

The application supports four sensitivity levels of anti-spam scanning:

• Maximum. This sensitivity level should be used if you receive spam very often. When you select this sensitivity level, the frequency of false positives rises: i.e., useful mail is more often recognized as spam.
• High. When this sensitivity level is selected, the frequency of false positives decreases (compared to the Maximum level) and the scan speed increases. The High sensitivity level should be used if you receive spam often.
• Low. When this sensitivity level is selected, the frequency of false positives decreases (compared to the High level) and the scan speed increases. This Low sensitivity level provides an optimum combination of scanning speed and quality.
• Minimum. This sensitivity level should be used if you receive spam rarely.

By default, the application uses the Low sensitivity level of anti-spam protection. You can increase or decrease the sensitivity level. Depending on the sensitivity level and the spam rating assigned after the scan, a message can be tagged as Spam or Probable spam (see table below).

Threshold values of spam rating at different sensitivity levels of spam scanning

In exceptional cases, failures in the Anti-Spam kernel operation may result in significantly increased times of message scanning for spam. In such cases, Anti-Spam temporarily switches to the restricted scan mode in order to prevent message detainment. In this mode, some messages can be skipped without undergoing scanning for spam.

[Topic 64806]

Enabling and disabling anti-spam protection of a server

Disabling anti-spam protection of a server considerably increases the risk of unwanted email. We do not recommend that you disable anti-spam protection unless absolutely necessary.

To enable or disable anti-spam protection of a Microsoft Exchange server:

1. Perform the following steps in the Management Console tree:
   • To enable or disable anti-spam protection of an unassigned Security Server, expand the node of the relevant Security Server.
   • To enable or disable anti-spam protection of Security Servers belonging to a profile, expand the Profiles node and inside it expand the node of the profile for whose Security Servers you need to configure anti-spam protection.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, in the Anti-Spam scan settings section, perform one of the following actions:
   • To enable Anti-Spam protection, select the Enable anti-spam scanning of messages check box.
   • If you need to disable anti-spam protection, clear this check box.
4. Click the Save button.

[Topic 72000]

About anti-phishing scans

Kaspersky Security can scan messages for phishing and malicious URLs.

Phishing URLs lead to fraudulent websites designed to steal personal data of users, such as bank account details. A phishing attack can be disguised, for example, as a message from your bank with a link to its official website. By clicking the link, you go to an exact copy of the bank's website and can even see the bank site's address in the browser, even though you are actually on a spoofed site. All of your further actions on the website are tracked and can be used to steal your private data.

Malicious URLs lead to web resources designed to spread malware.

To protect Microsoft Exchange servers against phishing and malicious URLs, the application uses databases of URL addresses that have been tagged as phishing or malicious URLs by Kaspersky. The databases are regularly updated and are included in the Kaspersky Security delivery kit.

While scanning messages for phishing and malicious URLs, the application analyzes not only URLs but also the message subject, contents, attachments, design features, and other message attributes. The scan also uses heuristic algorithms and requests to the Kaspersky Security Network (KSN) cloud services if the use of KSN is enabled in the Anti-Spam settings. With the help of KSN, the application receives the latest information about phishing and malicious URLs before they appear in Kaspersky databases.

On detecting phishing or malicious URLs in a message, the application tags it as Phishing. You can choose actions to be taken by the application on messages with this status. The following operations are available for selection:

• Allow. The message is delivered to recipients unchanged.
• Reject. An error message is returned to the sending server (error code 500), and the message is not delivered to the recipient.
• Delete. The sending server receives a notification that the message has been sent (code 250), but the message is not delivered to the recipient.
• Add SCL and PCL rating. The application adds a spam confidence level (SCL) rating of 9 and a phishing confidence level (PCL) rating to 8 to messages. On arriving in the Microsoft Exchange mail infrastructure, messages with a high PCL rate (more than 3) are automatically directed to the Junk E-Mail folders, and all URLs contained in them are deactivated.
• Add label to message header. Messages with Phishing status are marked with a special [!!Phishing] tag in the message subject. You can edit the text of this tag.

[Topic 72001]

Enabling and disabling message scanning for phishing

You can enable Anti-Phishing scanning of messages only if Anti-Spam protection of the Microsoft Exchange server is enabled. Anti-Phishing scanning of messages also includes scanning for malicious URLs.

To enable or disable anti-phishing message scanning:

1. Perform the following steps in the Management Console tree:
   • To enable or disable message scanning for phishing on an unassigned Security Server, expand the node of the relevant Security Server.
   • To enable or disable message scanning for phishing for Security Servers belonging to one profile, expand the Profiles node and inside it expand the node of the profile for whose Security Servers you need to configure anti-phishing scanning.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, in the Anti-Spam scan settings section, perform one of the following actions:
   • If you want to enable message scanning for phishing, select the Enable anti-phishing scanning of messages check box.
   • If you need to disable message scanning for phishing, clear this check box.
4. Click the Save button.

[Topic 26330]

Configuring spam and phishing scan settings

To configure the Anti-Spam and Anti-Phishing scanning settings:

1. Perform the following steps in the Management Console tree:
   • To configure the Anti-Spam and Anti-Phishing scanning settings for an unassigned Security Server, maximize the node of the relevant Security Server.
   • To configure the Anti-Spam and Anti-Phishing scanning settings for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the Anti-Spam and Anti-Phishing scanning settings.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Anti-Spam scan settings configuration section.
4. Select the Enable anti-spam scanning of messages check box if you want the application to scan messages for spam using the Anti-Spam module.
5. Use the Sensitivity level slider to set the spam scanning sensitivity level: maximum, high, low, or minimum.
6. In the Spam processing settings section, in the Action dropdown list, select the action that the application will perform on messages with each of the statuses listed (Spam, Probable spam, Formal notification, Address blacklisted, Mass mail):
   • Allow. The message is delivered to recipients unchanged.
   • Reject. An error message is returned to the sending server (error code 500), and the message is not delivered to the recipient.
   • Delete. The sending server receives a notification that the message has been sent (code 250), but the message is not delivered to the recipient.

     If your organization has several Microsoft Exchange servers through which messages are transmitted, Microsoft Exchange processes spam messages as follows: if a spam message was not deleted on the first server but it was deleted on a subsequent server, the spam message is stored in the shadow redundancy queue of the first server for the time period specified in the Microsoft Exchange settings. This method of message processing in Microsoft Exchange leads to a longer shadow redundancy queue on the first server.

7. In the Spam processing settings section, specify the additional actions that the application must take on messages with each of the statuses listed. Select check boxes opposite the relevant parameters:
   • Add SCL value. The application will add a Spam Confidence Level score to the message (SCL score). The SCL score is a number ranging from 1 to 9. A high SCL score means a high probability that the message is spam. The SCL rating of messages is taken into account during subsequent processing of messages by the Microsoft Exchange infrastructure.
   • Save copy. A copy of the message can be saved in Backup.
   • Add label to message header. Messages that have been assigned the Spam, Probable spam, Formal notification, Address blacklisted, and Mass mail statuses are marked with special tags in the message subject: [!!Spam], [!!Probable Spam], [!!Formal], [!!Blacklisted], and [!!Mass Mail], respectively. If necessary, edit the text of these tags in the entry fields corresponding to the statuses.
8. Select the Enable anti-phishing scanning of messages check box if you want the application to scan messages for phishing links.
9. In the Spam processing settings section, under the Enable anti-phishing scanning of messages check box in the Action dropdown list, select the action that the application will perform on messages with the Phishing status:
   • Allow. The message is delivered to recipients unchanged.
   • Reject. An error message is returned to the sending server (error code 500), and the message is not delivered to the recipient.
   • Delete. The sending server receives a notification that the message has been sent (code 250), but the message is not delivered to the recipient.
10. In the Spam processing settings section, under the Enable anti-phishing scanning of messages check box, specify the additional actions that the application must take on messages with the Phishing status. Select check boxes opposite the relevant parameters:
    • Add SCL and PCL rating. The application assigns messages a spam confidence level (SCL) rate of 9 and a phishing confidence level (PCL) rate to 8. On arriving in the Microsoft Exchange mail infrastructure, messages with a high PCL rating (more than 3) are automatically directed to the Junk E-Mail folders, and all URLs contained in them are deactivated.
    • Save copy. A copy of the message can be saved in Backup.
    • Add label to message header. Messages with the Phishing status are marked with a special tag in the message subject: [!!Phishing]. If necessary, edit the text of this tag in the entry field on the right.
11. In the Spam processing settings section, configure the usage of additional spam scanning services:
    • To enable the use of Kaspersky Security Network (KSN) services during anti-spam and anti-phishing scans:
      1. Select the Use Kaspersky Security Network check box.
      2. If necessary, specify the timeout for requests to a KSN server in the Maximum waiting time when requesting KSN field.

         The default value is 5 sec.

      The Use Kaspersky Security Network check box is available if the I accept the KSN Statement option is selected in the KSN Settings section in the Settings node. Use Kaspersky Security Network or the Use Kaspersky Private Security Network (KPSN) option. All settings of the Kaspersky Security Network service are applied to the Kaspersky Private Security Network service.

    • To enable the use of the Reputation Filtering service, select the Use Reputation Filtering check box. The Reputation Filtering check box is available if the Use Kaspersky Security Network check box is selected.
    • To disable Enforced Anti-Spam Updates Service, select the Use Enforced Anti-Spam Updates Service check box.

    If your organization uses a proxy server for Internet access, you can configure the application connection to Kaspersky Security Network and Enforced Anti-Spam Updates Service through a proxy server.

12. Select the Scan outgoing messages and delete spam messages or messages containing phishing links check box in the Outgoing message processing settings section if you want to enable scanning of outgoing messages for spam and phishing.
13. Click the Save button.

[Topic 26334]

Configuring additional settings of spam and phishing scans

You can configure additional Anti-Spam and Anti-Phishing analysis settings, such as time- or size-based scanning restrictions, and spam analysis of Microsoft Office files attached to messages.

To configure time- or size-based Anti-Spam and Anti-Phishing scanning restrictions:

1. Perform the following steps in the Management Console tree:
   • To configure Anti-Spam and Anti-Phishing scanning restrictions for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure Anti-Spam and Anti-Phishing scanning restrictions for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure Anti-Spam and Anti-Phishing scanning restrictions.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Advanced settings of Anti-Spam configuration section.
4. In the Restrictions section, use the Maximum time for scanning a message spin box to specify the necessary value in seconds.

   If the message scan duration exceeds the specified time, the Anti-Spam or Anti-Phishing scan of the message stops. The default value is 60 sec. If the application is configured to add service headers to the message, they will contain information to the effect that the maximum scan time has been exceeded.

5. In the Restrictions configuration section, use the Maximum object size to scan spin box to specify the necessary value in kilobytes.

   If the message with all attachments exceeds the specified size, Anti-Spam and Anti-Phishing scanning is not performed, and the message is delivered to the recipient. The default value is 1536 KB (1.5 MB). The maximum value is 2096128 KB (2047 MB), and the minimum value is 1 KB. If the application is configured to add service headers to the message, they will contain information to the effect that the maximum object size has been exceeded.

6. Click Save to save the changes.

To define the settings for Microsoft Office file scan for spam:

1. Perform the following steps in the Management Console tree:
   • To configure the settings of Anti-Spam and Anti-Phishing scanning of Microsoft Office files for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the settings of Anti-Spam and Anti-Phishing scanning of Microsoft Office files for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the settings of Anti-Spam and Anti-Phishing scanning of Microsoft Office files.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Advanced settings of Anti-Spam configuration section.
4. In the Scan settings for Microsoft Office files configuration section, perform the following actions:
   • If you want the application to scan Microsoft Word documents for spam, select the Scan DOC files check box.
   • If you want the application to scan RTF documents for spam, select the Scan RTF files check box.

     These settings have no impact on document scan for phishing.

5. Click Save to save the changes.

To configure additional Anti-Spam and Anti-Phishing scan settings:

1. Perform the following steps in the Management Console tree:
   • To configure additional Anti-Spam and Anti-Phishing scan settings for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure additional Anti-Spam and Anti-Phishing scan settings for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure additional Anti-Spam and Anti-Phishing scan settings.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Advanced settings of Anti-Spam configuration section.
4. If you want the application to analyze images in mail attachments using image analysis technology (GSG), select the Use image analysis check box.

   It is used to analyze images by checking them against the samples in the Anti-Spam database. If a match is found, the spam rating of such messages will be increased.

5. Select the Scan messages arriving over trusted connections for spam check box to enable scanning of mail received via a trusted connection for spam.

   Scanning of messages received via a trusted connection for malicious links (phishing) is enabled permanently.

6. Select the Skip messages for the Postmaster address check box to disable scanning of messages arriving for the Postmaster address for spam and phishing.
7. Click Save to save the changes.

[Topic 26332]

Configuring an increase in the spam rating of messages

You can configure the Anti-Spam settings affecting detection of a special message property - its spam rating. This special message property is assigned to messages based on their scan results. By default, Anti-Spam protection applies the low severity level. Depending on the severity level and the spam rating assigned after a scan, a message can be tagged as Spam or Probable spam.

Anti-Spam settings allow you to configure the application to increase the spam rating of a message based on the analysis of its sender's email address and message subject, as well as when the message is written in a foreign language.

To configure the application to increase the spam rating of a message based on the analysis of its sender's address:

1. Perform the following steps in the Management Console tree:
   • To configure the application to increase the spam rating of messages for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the application to increase the spam rating of messages for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the application to increase the spam rating of messages.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Spam rating detection settings configuration section.
4. In the Increase spam rating if configuration section, select the check boxes for the following settings as necessary:
   • "To" field contains no addresses. The spam rating of a message will be increased if its "To" field is empty.
   • Sender's address contains numbers. The spam rating of a message will be increased if the address of its sender contains digits.
   • Sender's address in the message body does not contain the domain part. The spam rating of a message will be increased if the address of its sender contains no domain name.
5. Click the Save button.

To configure the application to increase the spam rating of messages based on the analysis of the message subject:

1. Perform the following steps in the Management Console tree:
   • To configure the application to increase the spam rating of messages for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the application to increase the spam rating of messages for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the application to increase the spam rating of messages.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Spam rating detection settings configuration section.
4. In the Increase spam rating if the subject contains configuration section, select the relevant check boxes for the following settings:
   • More than 250 characters. The spam rating of a message will be increased if its subject contains more than 250 characters.
   • Many blanks and/or dots. The spam rating of a message will be increased if its subject contains multiple spaces and / or dots.
   • Time stamp. The spam rating of a message will be increased if its subject contains a digital ID or a time stamp.
5. Click the Save button.

To configure the application to increase the spam rating of messages based on the analysis of its content language:

1. Perform the following steps in the Management Console tree:
   • To configure the application to increase the spam rating of messages for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the application to increase the spam rating of messages for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the application to increase the spam rating of messages.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Spam rating detection settings configuration section.
4. In the Increase spam rating if the message language is configuration section, select the check boxes for the languages whose presence in a message you consider to be a sign of spam:
   • Chinese, if you are not expecting mail in this specific encoding.
   • Korean, if you are not expecting mail in this specific encoding.
   • Thai, if you are not expecting mail in this specific encoding.
   • Japanese, if you are not expecting mail in this specific encoding.
5. Click the Save button.

    

[Topic 63919]

About additional services, features, and anti-spam technologies

The application uses the following additional features, services, and technologies of Kaspersky for more thorough anti-spam protection of email:

• DNSBL (Domain Name System Block List). This feature retrieves information from DNSBL servers containing public lists of IP addresses used by spammers.
• SURBL (Spam URI Realtime Block List). This feature retrieves information from SURBL servers containing public lists of links leading to online resources advertised by spammers. Thus, if a message contains web addresses from that list of links, it will most likely be spam.

  During spam rating calculation, the application considers the weight assigned to each responding DNSBL and SURBL server. If the total rate of servers that responded makes more than 100, the application assigns the message the Address blacklisted status and performs the action that has been specified for this status. If the total rate of servers that responded makes less than 100, the application increases the spam rate of the message.

• KSN (Kaspersky Security Network). Infrastructure of cloud services that provides access to the Kaspersky online knowledge base containing information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the effectiveness of some protection components, and reduces the risk of false positives.

  KSN is disabled by default. To start using KSN, you have to accept the KSN Statement that governs the procedure for collecting information from the computer running Kaspersky Security.

• Enforced Anti-Spam Updates Service. The service providing quick updates to the Anti-Spam database. If the Enforced Anti-Spam Updates Service is enabled, the application will keep contacting the servers of Kaspersky and updating the Anti-Spam database as soon as new spam descriptions become available on Kaspersky servers. This approach helps improve the efficiency of Anti-Spam against new emerging spam.

  To ensure proper functioning of the Enforced Anti-Spam Updates Service the following conditions are required:

  • a constant Internet connection of the computer that hosts the Security Server;
  • regular updates of the Anti-Spam database (recommended frequency: every five minutes).
• Reputation Filtering. A cloud-enabled reputation filtering service of additional message scanning that moves messages requiring additional scanning to a special temporary storage area named Quarantine. During the specified period (50 minutes), the application scans the message again using additional information received from Kaspersky servers (for example, from KSN). If the application has not marked the message as spam during this time, it allows the message to reach the recipient. Reputation Filtering increases the accuracy of spam detection and reduces the probability of Anti-Spam false positives.

  To be able to use Reputation Filtering, you have to confirm your participation in the Kaspersky Security Network (KSN) and accept a special KSN Statement.

  Messages that have been moved to Quarantine by Reputation Filtering but have not be tagged as spam are delivered to recipients after the 50-minute period expires even if the application is closed or paused.

• Dynamic DNS client. This feature detects whether the sender IP address potentially belongs to a botnet using reverse lookup of its DNS. This functionality can be used provided that the protected SMTP server is not serving any xDSL or dial-up users.
• SPF (Sender Policy Framework) technology. A technology that checks the sender's domain for signs of spoofing. Domains use SPF to authorize certain computers to send mail on their behalf. If a message sender is not included in the list of authorized senders, its spam rating will be increased.

[Topic 26333]

Using external anti-spam message scanning services

To enable the use of external services to check for spam:

1. Perform the following steps in the Management Console tree:
   • To configure the use of external anti-spam message scanning services for an unassigned Security Server, maximize the node of the relevant Security Server.
   • To configure the use of external anti-spam message scanning services for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the use of external anti-spam message scanning services.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Using external Anti-Spam services configuration section.
4. Select the Use external resources for spam scan check box if you want the application to consider the IP address and URL scan results of these services during anti-spam analysis.
5. If you want to use your own list of DNS names of servers providing blacklists of DNS names and assign them weighting coefficients, select the Use set of DNSBL black lists check box. To generate a custom list:
   • If you want to add an entry to the custom list, specify the DNS name of the server and its weighting coefficient in the corresponding fields and click the button.
   • If you want to delete an entry from the custom list, click the button.
   • If you want to import a custom list, click the button.
   • If you want to export a custom list, click the button.
6. If you want to use your own list of SURBL names of servers providing blacklists of URLs and assign them weighting coefficients, select the Use set of SURBL black lists check box. To generate a custom list:
   • If you want to add an entry to the custom list, specify the DNS name of the server and its weighting coefficient in the corresponding fields and click the button.
   • If you want to remove a record, click the button.
   • If you want to import a custom list, click the button.
   • If you want to export a custom list, click the button.
7. To enable a reverse DNS lookup of the sender's IP address, select the Check sender IP for presence in DNS check box.
8. To enable the use of SPF technology, select the Check SPF record check box.
9. If you want the application to check if the sender's IP address belongs to a botnet based on its reverse DNS zone, select the Check if sender's IP address is dynamic check box.

   If the check result is positive, the spam rating of the message is increased.

10. In the Maximum DNS request timeout spin box, specify the maximum waiting time in seconds.

    The default value is 5 sec. After timeout, the application scans the message for spam without checking if the sender's IP address belongs to a dynamic DNS.

     

[Topic 112993]

About the white and black lists of email addresses

The white and black lists allow you to specify email addresses that you need to process in accordance with the settings that have been defined for those lists individually. For example, you can add an address to the white list and disable spam scanning for messages sent from this address, or configure deletion of all messages sent from an address that has been added to the black list.

White list of Anti-Spam addresses

The white list allows you to let in messages regardless of the current settings of Anti-Spam defined in the Spam processing settings section.

A white list can contain two types of addresses, which differ by their purpose:

• Message sender addresses. Anti-Spam lets in messages received from these addresses regardless of the current spam scan settings. Sender addresses can be defined as email addresses, email address masks, or IP addresses.
• Message recipient addresses. Anti-Spam lets in messages sent to these addresses regardless of the current spam scan settings. Recipient addresses can be defined as email addresses, email address masks, as well as user accounts or groups of user accounts for addresses within a company.

Anti-Spam can let in messages without spam scans of any type, including scan for bulk email delivery, or without scan for bulk email delivery only, depending on the settings that have been defined for the address added to the white list:

• Spam, phishing, and mass email. Anti-Spam lets in messages that have been classified as Spam, Probable spam, Formal notification, Phishing, and Mass mail.
• Mass mail. Anti-Spam only lets in messages that have been classified as Mass mail.

Messages that have been received or sent undergo an anti-virus scan regardless of whether recipient and sender addresses are on the white list.

The white list is empty by default.

Black list of Anti-Spam addresses

The black list allows you to process messages that come from senders whose addresses are on the list, by applying some special actions. The application assigns the Address blacklisted status to messages from those senders and performs the action that has been specified for this status in the Spam processing settings section by, for example, rejecting such messages.

Sender addresses on the black list can be specified as email addresses, email address masks, or IP addresses.

The black list is empty by default.

Priorities of the white and black list during message processing

The application applies the white and black list to messages according to their respective priorities:

1. Records on the white list with the "Spam, phishing, and mass email" scope have the highest priority.
2. Records on the black list have a lower priority than those on the white list with the "Spam, phishing, and mass email" scope.
3. Records on the white list with the "Mass mail" scope have the lowest priority.

If a sender address has been added to the white list and the black list simultaneously, the result of processing messages from that sender will depend on the scope of the white list record.

Procedure for processing messages from a sender who has been added to the white and black list

Page top

[Topic 127323]

Creating the white list of Anti-Spam addresses

Expand all | Collapse all

To add an address to the white list of Anti-Spam addresses:

1. Perform the following steps in the Management Console tree:
   • If you need to create a white list for an unassigned Security Server, expand the node of the relevant Security Server.
   • If you need to create a white list for Security Servers belonging to a profile, expand the Profiles node and inside it expand the node of the profile for whose Security Servers you want to create the white list.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the White list of Anti-Spam addresses configuration section.
4. To add a new address to the list:
   1. Click the Add recipient button to add a recipient address to the list, or click the Add sender button to add a sender address to the list.
   2. In the White list record settings window that opens, define the following settings:

      Email address or mask

      Adding message senders or recipients to the white list by an email address or address mask. This is the default option.

      You can use:

      • Individual email addresses. Example: user@domain.com.
      • Masks of email addresses. For example, *@domain.com; *@site.domain.com; *.domain.com, or user@site.domain.com (for a multilevel domain).

        If you add message senders to the white list, the application will let in messages that have been sent from the specified email addresses without scanning them for spam and / or bulk email delivery.

        If you add message recipients to the white list, the application will let in messages that have been sent to the specified recipients without scanning them for spam and / or bulk email delivery.

      Active Directory user account or group

      Adding message recipients to the white list by an Active Directory user account. The application will let in messages sent to recipients defined by the specified user accounts without scanning them for spam and / or bulk email delivery.

      This option is only available when adding or changing the message recipient address. Please also refer to the About trusted recipients section.

      IP address

      Adding a sender to the white list by an IP address. The application will let in messages that come from the specified IP address without scanning them for spam and / or bulk email delivery. You can use a range of IP addresses specified in subnet format. For example, 10.0.0.0/8.

      This option is only available when adding or changing the message sender address.

      Do not check messages for the following contents

      In this section, you can specify which scans you need to exclude for messages with the specified senders or recipients. The following options are available:

      • Spam, phishing, and mass email. The application will let in messages containing spam and bulk email.
      • Mass mail. The application will let in bulk email only.

      Comment

      Additional information about the record. For example, the cause for adding the address to the list. The maximum comment length is 200 characters.

   3. Click the OK button.

   The new record is added to the list.

5. Click the Save button.

All changes that were made to the white list of Anti-Spam addresses will be saved.

You can also:

• Define the record settings by clicking the Change button
• Delete one or several records from the list by clicking the Delete button
• Copy the records selected in the list to a text file (for example, by pressing Ctrl+C and Ctrl+V)
• Export list records to an XML file by clicking the Export button.
• Import records to the list from a previously exported XML file or TXT file by clicking the Import button. When importing a TXT file, the file will be recognized as a list of email addresses of senders.

[Topic 127325]

Creating the black list of Anti-Spam addresses

Expand all | Collapse all

To add an address to the black list of Anti-Spam addresses:

1. Perform the following steps in the Management Console tree:
   • If you need to create the black list for an unassigned Security Server, expand the node of the relevant Security Server.
   • If you need to create the black list for Security Servers belonging to a profile, expand the Profiles node and inside it expand the node of the profile for whose Security Servers you want to create the black list.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Black list of Anti-Spam addresses configuration section.
4. To add a new sender address to the list:
   1. Click the Add sender button.
   2. In the Black list record settings window that opens, define the following settings:
      • Email address or mask

        Adding message senders to the black list by an email address or email address mask. Anti-Spam will assign the Address blacklisted status to messages that have been sent from the specified email addresses and perform on them actions configured for messages with this status.

      • IP address

        Adding a sender to the black list by an IP address. Anti-Spam will assign the Address blacklisted status to messages that come from the specified IP address and perform on them actions that have been configured for messages with this status.

      • Comment

        Additional information about the record. For example, the cause for adding the address to the list. The maximum comment length is 200 characters.

   3. Click the OK button.

   The new record is added to the list.

5. Click the Save button.

All changes made to the black list will be saved.

You can also:

• Define the record settings by clicking the Change button
• Delete one or several records from the list by clicking the Delete button
• Copy the records selected in the list to a text file (for example, by pressing Ctrl+C and Ctrl+V)
• Export list records to a file by clicking the Export button
• Import records from a file to the list by clicking the Import button

[Topic 127157]

White list record settings window

Expand all | Collapse all

In this window, you can define the settings of a white list record.

Email address or mask

Active Directory user account or group

IP address

Do not check messages for the following contents

Comment

[Topic 127158]

Black list record settings window

Expand all | Collapse all

In this window, you can define the settings of a black list record.

Email address or mask

IP address

Comment

[Topic 123340]

Informing Kaspersky of false alerts returned by Anti-Spam

You can send messages to Kaspersky for further analysis if Kaspersky Security has mistakenly classified them as spam (those with the Spam or Probable spam statuses), formal notifications (those with the Formal notification status), or mass email (those with the Mass mail status).

Together with the message that initiated the false alert returned by Anti-Spam, the component also sends its service data related to the message processing. Upon receiving this message and service data from Anti-Spam, Kaspersky experts can analyze the case of Anti-Spam false alert and make necessary changes to Anti-Spam databases.

Messages and Anti-Spam service data are sent on behalf of the user account specified in the notification settings.

To send to Kaspersky for analysis a message that initiated a false alert returned by Anti-Spam:

1. In the Management Console tree, select the node of a Microsoft Exchange server and open it.
2. Select the Backup node.
3. In the node workspace, in the list of Backup objects, select the message that you need to send to Kaspersky for analysis. You can select a message with the Spam, Probable spam, Formal notification, or Mass mail status.
4. Right-click and select Complain about false positive returned by Anti-Spam in the message context menu.

   The Send object to Kaspersky Lab dialog will appear.

5. In the Email for feedback field, specify an email for contacting Kaspersky experts. If necessary, Kaspersky experts will contact you for additional details.
6. Read and accept the terms for sending objects to Kaspersky by selecting the I accept the terms of object sending check box. In the Details of object sending field, you can view the object sending conditions.
7. Click the OK button.

The message that you selected will be sent to Kaspersky for further analysis of reasons of a false alert returned by Anti-Spam.

[Topic 80928]

Improving the accuracy of spam detection on Microsoft Exchange 2013 servers

When installing the application on a Microsoft Exchange 2013 server deployed in the Client Access Server (CAS) role only, an additional component is available in the list of components that can be installed: CAS Interceptor. This component is designed to improve the accuracy of spam detection. It is recommended for installation on all Microsoft Exchange 2013 servers deployed in the Client Access Server (CAS) role only.

This component is installed automatically together with the Anti-Spam component on Microsoft Exchange 2013 servers deployed in the Mailbox role (if you choose to install Anti-Spam).

[Topic 138450]

About scanning outgoing mail for spam and phishing content

You can enable or disable scanning of outgoing messages for spam and phishing content using the Anti-Spam module. If messages containing spam or phishing content are being sent from a specific address in your organization, this could mean that a specific computer in your organization is infected.

If the Anti-Spam module detects a message that contains spam or phishing content, the message status takes the value Spam or Phishing. The application deletes the outgoing message containing the detected spam or phishing content while saving a copy of the outgoing message in Backup.

The Sender type field for outgoing messages in Backup has the value Internal. To determine whether or not a specific computer distributing spam or phishing content in your organization is infected, you can view the list of copies of outgoing messages in Backup, the list of events in the Windows Event Log, or the list of events in the Kaspersky Security Center Event Log.

The Anti-Spam Module scans outgoing mail messages addressed to external email addresses. The module does not scan messages related to the following categories:

• Messages addressed to internal email addresses.
• Messages for which the addresses of message recipients are in the white list.

The Anti-Spam Module determines the message status based on the text content and the message header. In the scan results, the application accounts for only the presence of spam or phishing content in messages to which the Anti-Spam Module assigned the status of Spam or Phishing. In the scan results, the application does not take into account positives in messages with the following statuses:

• Probable spam. The message is probable spam.
• Formal notification. The message is a formal notification.
• Mass mail. The message is mass mail.

The Reputation Filtering service is not used when scanning outgoing messages for spam and phishing.

[Topic 138481]

Enabling and disabling the scanning of outgoing messages for spam and phishing content

To enable or disable the scanning of outgoing messages for spam and phishing content:

1. In the Management Console tree, expand one of the following nodes:
   • If you want to enable or disable the scanning of outgoing messages for spam and phishing for an unassigned Security Server, expand the node of the relevant Security Server.
   • If you want to enable or disable the scanning of outgoing messages for spam and phishing for Security Servers belonging to one profile, expand the Profiles node and within it expand the node of the profile for whose Security Servers you want to configure scanning of outgoing messages for spam and phishing.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Transport Hub role tab, expand the Anti-Spam scan settings configuration section.
4. In the Outgoing message processing settings section, perform one of the following actions:
   • If you want to enable message scanning for phishing, select the Scan outgoing messages and delete spam messages or messages containing phishing links check box.

     The Scan outgoing messages and delete spam messages or messages containing phishing links check box is available if the Enable anti-spam scanning of messages check box is selected.

   • If you want to disable the scanning of outgoing messages for spam and phishing, clear the Scan outgoing messages and delete spam messages or messages containing phishing links check box.
5. Click the Save button.

[Topic 28884]

Configuring mailbox and public folder protection settings

The application can protect the number of mailboxes that does not exceed the limitation of the current key. If this number is insufficient, you can alternate protection between mailboxes. To do so, you have to move to unprotected storage the mailboxes that need no protection. By default, the application also protects all public folders of the mail server. You can remove protection from public folders if you think that scanning them would be redundant.

By default, the application protects those storages of mailboxes and storages of public folders on the protected Microsoft Exchange server, which already existed at the time when the application was installed, as well as all newly-created storages.

To configure the protection settings for mailboxes and public folders:

1. Perform the following steps in the Management Console tree:
   • To configure the protection settings for mailboxes and public folders for an unassigned Security Server, maximize the node of the relevant Security Server;
   • To configure the protection settings for mailboxes and public folders for Security Servers belonging to a profile, maximize the Profiles node and inside it maximize the node of the profile for whose Security Servers you want to configure the protection settings for mailboxes and public folders.
2. Select the Server protection node.
3. In the workspace, on the Protection for the Mailbox role tab, expand the Protection for mailboxes configuration section.

   The Protected mailbox storages and Protected public folder storages lists contain repositories of mailboxes and shared folders of the protected Microsoft Exchange server.

   If the application is running in a DAG of Microsoft Exchange servers, these lists enumerate mailbox storages and public folder storages on all the servers within this DAG.

   When viewed from a profile, the Protected mailbox storages list shows only the protected storages of those Microsoft Exchange servers on which Anti-Virus for the Mailbox role is deployed.

4. In the Protected mailbox storages list, select the check boxes of the mailbox storages for which protection should be enabled.
5. In the Protected public folder storages list, select the check boxes of the shared folder repositories for which protection must be enabled.
6. Click the Save button.

[Topic 92441]

Background scan and on-demand scan

Background scanning is an operation mode of Anti-Virus for the Mailbox role when Anti-Virus scans messages and other Microsoft Exchange objects stored on a Microsoft Exchange server, searching for viruses and other security threats with the latest version of the anti-virus databases. You can run a background scan manually or set up a schedule. Using background scan mode decreases the load on the servers during busy hours and increases the security level of the e-mail infrastructure in general.

On-demand scan is an operation mode of Anti-Virus for the Mailbox role in which Anti-Virus scans for viruses and other threats in messages and other Microsoft Exchange objects stored in selected mailboxes and shared folders on a Microsoft Exchange server. You can manually run an on-demand scan of selected mailboxes and shared folders. Use of an on-demand scan lets you limit the scan scope and reduce scan time. If an on-demand scan was interrupted, the scan will start from the beginning the next time it is run. This means that it scans all the selected objects again.

Hereinafter, any information and instructions on how to perform actions on messages are also applicable to other Microsoft Exchange objects (such as tasks, appointments, meetings, entries) if there is no other specifically assigned condition.

Background scanning of messages can be repeated. Anti-Virus performs repeated background scanning of messages that have been scanned earlier after you update the anti-virus databases. An on-demand scan of the same messages in selected mailboxes and shared folders is only performed once.

If a background scan was interrupted, the next time a scan is run the application scans only those mailboxes and shared folders that were not scanned during the previous interrupted scan. If a background scan was completed, the next scan will start from the beginning the next time it is run. This means that it scans all selected objects.

If your organization is simultaneously using different versions of Microsoft Exchange servers (such as Microsoft Exchange 2010 / 2013), you are advised to run an on-demand scan of selected mailboxes and shared folders from the Security Server console of the specific server on which the storage of those mailboxes and shared folders is located.

Background scanning may lead to a slowdown in the Microsoft Exchange server's operation. We recommend that you run a background scan when the load on mail servers is at its minimum, for example, by night. If you want to run a scan of specific mailboxes or shared folders, you can use an on-demand scan.

During a background scan and on-demand scan:

1. Kaspersky Security, in accordance with the current settings, receives from the Microsoft Exchange server the email messages and other Microsoft Exchange objects (such as tasks, appointments, meetings, and entries) located in the following areas:
   • Background scan – objects located in protected mailbox storages and shared folders.
   • On-demand scan – objects located in selected mailboxes and shared folders.
2. Kaspersky Security sends the following messages to the Anti-Virus for the Mailbox role module for processing:
   • Background scan – messages that have not been scanned using the latest version of the anti-virus databases.
   • On-demand scan – messages that are located in the selected mailboxes and shared folders and that match the on-demand scan settings.
3. When a background scan or on-demand scan detects infected objects, Anti-Virus processes them in accordance with the parameters defined in the settings of Anti-Virus for the Mailbox role, using the following algorithm:

   If an infected object is detected in a message or another Microsoft Exchange object, and the Delete object or Delete message action is selected in the settings of Anti-Virus, the latter attempts to disinfect that object.

   If disinfection has been successful, Anti-Virus replaces the infected object with the disinfected one.

   If disinfection has failed, Anti-Virus performs the actions specified in the table below.

   Actions performed by Anti-Virus if disinfection of an infected object fails

   Where the infected object was found	Action selected	Action of Anti-Virus
   In a message	Delete message	Anti-Virus deletes the message along with the infected object.
   	Delete object	Anti-Virus replaces the infected object (attachment) with a text file informing that the infected object was deleted.
   In another Microsoft Exchange object (such as a task, meeting, or entry)	Delete message
   	Delete object