General protection settings

KSMG protects email coming in and out of the organization. You can configure the following general protection settings:

• Anti-Virus protection
• Link scanning
• Anti-Spam protection
• Anti-Phishing protection
• Content filtering of messages
• Mail Sender Authentication

General protection settings are applied when scanning all messages. You can configure actions taken on messages after the scan and additional settings using message processing rules.

Anti-Virus protection

KSMG provides Anti-Virus protection of messages: scans email messages for viruses and other threatening programs and disinfects infected objects using the current (latest) version of Anti-Virus databases.

Messages are scanned for viruses and other threats by the Anti-Virus module. The Anti-Virus module scans the body of the message and all attached files in any format (attachments) using the Anti-Virus databases. The Anti-Virus module detects and blocks email attachments that are intended for a limited number of recipients and are components of targeted attacks designed to exploit software vulnerabilities.

You can configure the following settings of the Anti-Virus module:

• Heuristic analysis

  Technology designed to detect threats that cannot be detected using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.

• Maximum duration of message scan
• Maximum depth of archive analysis
• Exclusions from scanning for certain legitimate programs that can be used by hackers

Based on the results of the scan, the Anti-Virus module assigns a status to the message:

• Not detected means the message is not infected.
• Infected means the message is infected; either it cannot be disinfected, or disinfection has not been attempted.
• Disinfected means the message was disinfected.
• Encrypted means the message could not be scanned because it is encrypted.
• Error means an error occurred when scanning the message.
• Bases error means the message could not be scanned because of an error while applying the application databases.
• Intrusion threat means the object can be used by hackers to intrude the LAN.
• Not scanned means the message was not scanned in accordance with the application settings.
• Probably infected means the object contains signs of malware.

The Anti-Virus module is enabled by default. If required, you can disable the Anti-Virus module or disable Anti-Virus scanning for any rule.

Link scanning

KSMG checks the links in the body of the message for being malicious, advertising, or relevant to legitimate applications that can cause harm to the computer.

You can modify the following settings of link scanning:

• Maximum duration of message scan.
• Exclusions from the scan.

  You can disable the detection of advertising links and links relevant to certain legitimate programs.

Based on the results of link scanning, the application assigns one of the following statuses to the message:

• Bases error means the message could not be scanned because of an application database error.
• Not detected means the message does not contain any links that would be detectable in accordance with the application settings.
• Error means the scan returned an error.
• Detected means the message contains malicious links, advertising links, or links relevant to legitimate programs.
• Not scanned means the message was not scanned in accordance with the application settings.

Anti-Spam protection

KSMG filters messages passing through the mail server to remove unsolicited mail (spam).

Messages are scanned for spam by the Anti-Spam module. The Anti-Spam module scans each message for signs of spam. First, the Anti-Spam module scans the attributes of the message, such as sender and recipient addresses, size, and headers (including the From and To fields). Second, the Anti-Spam module analyzes the message content (including the Subject header) and attached files.

If spam or probable spam is detected in a message, a certain status is assigned to it depending on the spam rating. The spam rating of a message is an integer number from 0 to 100, which is a sum of points awarded to the message for each time the Anti-Spam module was triggered while processing the message. The spam rating takes into account the results of the SPF scan and reputation filtering of messages.

When the Anti-Spam module is enabled, protection against BEC attacks is automatically enabled. This protection helps recognize spoofed messages from hackers attempting to compromise business correspondence.

You can configure the following settings of the Anti-Spam module:

• Moebius service.

  Instant Anti-Spam database update service that allows to install critical updates in real time.

  The Moebius service compares the current Anti-Spam database used by the application with the database on the Moebius server and determines the difference. Missing entries are then sent to the Control node over HTTPS. To keep the size of transmitted data reasonable and ensure normal functioning of the Moebius server, Anti-Spam databases must be updated on a regular basis.

• Protection against Active Directory spoofing.

  A type of attack based on the falsification (spoofing) of transmitted data. Spoofing may be aimed at obtaining elevated privileges, primarily through bypassing the verification mechanism by generating a request similar to an authentic request. One variant of spoofing is to forge an HTTP header to gain access to hidden content.

  The goal of spoofing may also be to deceive a user. A classic example of such an attack is the falsification of the sender's address in emails.

  The Anti-Spam module helps prevent spoofing attacks in which hackers use a fake name (Display Name) in the From MIME header, and the domain from which the message was sent does not match the domain of the specific organization. You can indicate one Active Directory group containing at most 10 000 users which will be protected against spoofing.

• Check the reputation of IP addresses and domains.

  This option lets you check SMTP session data based on records of blocked IP addresses and domains in Anti-Spam module databases.

• Anti-Spam Quarantine.

  A Backup location where email messages are temporarily kept if the Anti-Spam module is unable to assign a final status after a scan.

  Anti-Spam Quarantine is available only if KSN participation is enabled.

  After a message is placed in Anti-Spam Quarantine, the application contacts KSN servers for further scanning of the message. The KSN cloud service improves the accuracy of spam detection because KSN databases contain more up-to-date information than Anti-Spam databases used by the application.

• Maximum duration of message scan.
• Maximum storage duration of a message in Anti-Spam Quarantine
• Maximum number of messages in Anti-Spam Quarantine.
• Maximum size of the Anti-Spam Quarantine.

Based on the Anti-Spam scan results, the Anti-Spam module assigns one of the following statuses to the message:

• Not detected means the message does not contain spam.
• Spam means the message is definitely diagnosed as spam.
• Probable spam means the message is probably spam.
• Mass mail means the message belongs to a mass mailing campaign.
• Error means the scan returned an error.
• Bases error means the message could not be scanned because of an application database error.
• Formal message means the application treats the message as a formal automatically generated notification (for example, auto-responses by users or notifications about exceeded mailbox size).
• Not scanned means the message was not scanned in accordance with the application settings.
• Trusted means the message was received from a sender whose domain is in the list of allowed domains in databases of the Anti-Spam module and the message passed the DMARC sender authentication.

Based on the scan results, the X-MS-Exchange-Organization-SCL X-header may be added to the message. The value of this header contains the SCL rating. You can configure this header to be added the message processing settings.

By default, the Anti-Spam module is enabled. If required, you can disable the Anti-Spam module or disable Anti-Spam scanning for any rule.

Anti-Phishing protection

KSMG filters messages passing through the mail server to remove phishing.

Messages are scanned for phishing by the Anti-Phishing module. The Anti-Phishing module analyzes the message content (including the Subject header) and attached files.

You can configure the maximum duration of an Anti-Phishing scan.

Based on the results of the scan, the Anti-Phishing module assigns a status to the message:

• Not detected means the message does not contain phishing URLs, images or text that could trick users into disclosing confidential data to hackers, or links to websites with malware.
• Phishing means the message was found to contain a link, image, or text that could trick users into disclosing confidential data to hackers.
• Error means the scan returned an error.
• Bases error means the message could not be scanned because of an application database error.
• Not scanned means the message was not scanned in accordance with the application settings.

The Anti-Phishing module is enabled by default. If required, you can disable the Anti-Phishing module or disable Anti-Phishing scanning of messages for any rule.

Content filtering of messages

KSMG performs Content Filtering of messages that pass through the mail server. You can restrict transmission of messages with specific parameters by the mail server.

You can configure the following settings of Content Filtering:

• Maximum duration of message scan
• Maximum depth of archive analysis

As a result of content filtering, the ScanLogic message scanning control module assigns one of the following content filtering statuses to messages:

• Not detected means the no violations of any of the restrictions specified in content filtering settings were detected in the message.
• Matched content means the message matches the conditions specified in the Content Filtering settings.
• Error means the message scan returned an error.
• Not scanned means the message was not scanned in accordance with the application settings.

By default, Content filtering of messages is enabled. If necessary, you can enable Content Filtering in general protection settings or per rule.

Mail Sender Authentication

Mail Sender Authentication is designed to provide additional protection for your corporate mail infrastructure against spam and phishing.

KSMG uses the following Mail Sender Authentication technologies:

• SPF authentication (Sender Policy Framework).

  SPF Mail Sender Authentication – comparing IP addresses of mail senders with the list of possible message sources that has been created by the mail server administrator.

  KSMG receives lists of possible message sources from the DNS server.

  SPF authentication should be enabled if KSMG receives messages directly from the internet. You may disable SPF authentication if KSMG receives messages from an internal intermediate server.

• DKIM authentication (DomainKeys Identified Mail).

  DKIM Mail Sender Authentication – verification of the digital signatures of messages.

  A digital signature associated with the name of the organization's domain is added to messages. KSMG verifies this digital signature.

  After the message has passed SPF and DKIM authentication, the program verifies that the domain containing the sender address in the From field of the message header matches the SPF and DKIM IDs.

• DMARC authentication (Domain-based Message Authentication, Reporting and Conformance).

  DMARC Mail Sender Authentication – Verification that determines the policy and actions taken on messages based on the results of SPF and DKIM Mail Sender Authentication.

  SPF and DKIM authentication must be enabled to perform DMARC authentication. If SPF- or DKIM authentication is disabled, DMARC authentication will also be disabled.

• Sender domain alignment.

  Sender domain alignment checks whether the message sender domains specified in the SMTP session (the value of the MAIL FROM command) and in the message (the value of the From MIME header) match.

To enable SPF, DKIM, and DMARC Mail Sender Authentication, you must allow KSMG to connect to the DNS server. If the connection to the DNS server is prohibited, SPF, DKIM, and DMARC Mail Sender Authentication is disabled.

Based on the results of Mail Sender Authentication, one of the following statuses is assigned to the message:

• Error means an error occurred during authentication.
• Bases error means authentication could not be performed.
• Not scanned means the message was not scanned in accordance with application settings.
• Violation found means at least one authentication was violated.
• Violation not found means authentication violations were not detected.

By default, all Mail Sender Authentication checks are enabled. If necessary, you can disable Mail Sender Authentication in general protection settings or per rule.

You can configure an action to be applied to the message for each SPF and DMARC authentication result.

Mail sender authentication is performed in accordance with the combination of enabled technologies. The action that is actually applied to the message is the strictest of all applicable actions according to the authentication results by all enabled technologies. If the strictest of all actions is Skip, the Violation not found status is assigned to the message. If the strictest of all actions is Reject or Delete message, the Violation found status is assigned to the message.

To let the remote mail server perform Message Sender Authentication of outgoing messages (when the message sender is KSMG), you must take steps to add SPF and DMARC records to the settings of your DNS server.

In this Help section About computer protection against certain legitimate applications Configuring the Anti-Virus module Configuring link scanning Configuring the Anti-Spam module Configuring the Anti-Phishing module Configuring Content Filtering Configuring external services Preparing to configure SPF and DMARC Mail Sender Authentication for outgoing messages

Page top