
From eScan Wiki

Revision as of 07:58, 23 June 2008


eMail Attachment Control

The latest version of eScan that has this feature is 9.x and is available in these editions - Virus Control (VC), Professional (PRO), Internet Security Suite (ISS), Corporate and Enterprise. It is compatible with Microsoft Windows operating systems like Windows 95, 98, ME, NT 4 (srv & wks), 2000, 2003, XP and Vista (32 & 64 bit).

This is the first option page available in the eScan Content Administrator. It can be accessed after installing eScan, by right clicking on the green 'e' icon added to the systray.

It has different options like "Block Attachment types", "Port Configuration", "Compression and Decompression of Attachments" and "Advanced".

A) Block Attachment types:

This option holds a list of file types, for example *.exe, *.pif, *.scr, etc., which are deleted automatically by default when encountered during an email download. This ensures that emails carrying these known attachment types (used by worms, trojans, spyware, etc.) are not downloaded: such attachments cannot be disinfected/cleaned, so they are deleted at the MWL (MicroWorld Winsock Layer).

This option can be customized based on requirements. For example, if you wish to receive the file type *.pif, there are two ways to allow it: either delete the file type from the block list, or add it to the Exclude Attachments (White list), point no. 8 explained below.

The other available options are:-

1. Delete all attachments in email if disinfection is not possible - this option is enabled by default. It would delete all attachments listed in the Block Attachments types section as they are the files that cannot be disinfected/ cleaned.

2. Delete entire email if disinfection is not possible - this option is also enabled by default. It would delete the entire email if the files within the email cannot be disinfected/cleaned.

3. Delete entire email if any virus is found - this option when enabled would delete the entire email if any virus is found in it.

4. Quarantine blocked attachments - this option when enabled would quarantine the blocked attachments.

5. Delete entire email if any blocked attachment is found - this option when enabled would delete the entire email if any blocked attachment is found in it.

6. Quarantine email if attachments are not scanned - this option when enabled would quarantine emails if the attachments within are not scanned.

7. Quarantine attachments if they are not scanned - this option when enabled would quarantine attachments when not scanned.

8. Exclude attachments (White list) - this option is useful in case a file type listed in the block attachment types section needs to be delivered into the user's mailbox/ inbox and should not be deleted. This option holds precedence over the Block Attachment types.

The other section is called "Action". It is placed on the right-hand side of the Block Attachment types and just below the Port Configuration option. This section sets the action to be taken when an infection is found; the default value is "Disinfect" and the other is "Delete".

Quarantining of infected files and emails can also be set up here. If eScan is installed in the default path, the quarantine path is C:\PROGRA~1\eScan\INFECTED for infected files and C:\PROGRA~1\eScan\Quarant for emails; both can easily be changed as per requirements.


B) Port Configuration:

This option is useful for setting up an outbreak alert or notification or warning messages that are sent by eScan when it detects any violation or breach of security.

There are two sections to this port configuration -

1. Mail Server settings - the mail server IP address and port details need to be defined, along with credentials like a valid username and password (though optional) in case the mail server requires them, so that eScan can automatically use these details and send the notification alerts.

2. Port settings for eMail/Web Scan - the ports that are used for sending (SMTP, 25) and receiving (POP3, 110) emails are defined here, along with whether these emails need to be scanned or not.


C) Compression and Decompression of Attachments:

This option helps in Internet Bandwidth Management.

There are two options available within:-

1. Compress outbound attachments - this option when enabled will decrease the size of all attachments that are sent in emails.

2. Create self extracting zip files - this option when enabled overrides point no. 1 above and creates a self-extracting .zip file which, when clicked on, automatically uncompresses itself, thereby eliminating the need for any unzipping tool at the receiver's end.

3. Do not compress files with extensions (Exclude following attachments) - this option is helpful in excluding the file types (attachments) that need not be compressed when being sent out.

4. a) Uncompress inbound attachments - this option when enabled will automatically open/unpack the compressed file so that it can be scanned.

b) Uncompress inbound attachments (Local Domain) - this option when enabled will automatically open/unpack the compressed file so that it can be scanned when sent within the local domain.

5. Compression options

a) Compress only if compression % greater than - the default value set is 25, this option will compress all attachments in emails to 25 % or more.

b) Compress if attachment size is above (KB) - the default value set is 50, this option will compress all attachments that are 50 KB and above in size and not below.

c) Select the compression ratio - the default value set is of Max. Speed, this option will utilize the system resources to the best and compress the attachments in emails quicker and send it out too.


D) Advanced:

Internet Explorer (IE) has vulnerabilities, and using them as a base, malware can easily transmit itself onto the system and into email clients like Outlook and Outlook Express, thus making it easier for malware authors to get their malicious code propagating.

To overcome them, MicroWorld with its security range of solutions is committed to securing your data and system from such vulnerabilities.

1. IE Vulnerabilities 1

a) Delete attachments with CLSID extensions - this option is enabled by default. It deletes Class ID file extensions [CLSID - files that are hidden and do not show the actual file extension] to prevent dangerous files from exploiting the vulnerabilities of IE.

b) Delete HTML attachments with Scripts - this option is not enabled by default. In general, emails are sent and received in different formats, one of them being HTML. This HTML can have embedded scripts (similar to a batch file - .bat) with tags to perform a particular task or set of tasks; such emails when encountered are deleted to prevent the vulnerabilities from being exploited.

c) Script & Content check disabled for mails From - this option is useful when you know and want to add a user who is genuine and sends legitimate html email with scripts. Once added, (for example - abc@xyz.net or *@xyz.net) all emails coming from this user or domain would automatically be delivered to the receiver's inbox/mailbox.

d) Script & Content check disabled for mails To - this option is useful when you know and want to add a user who is genuine and sends legitimate html email with scripts. Once added, (for example - suzanne@xyz.net or *@xyz.net) all emails being sent from this user or domain would automatically be delivered to the receiver's inbox/mailbox.


2. IE Vulnerabilities 2

a) Select action on mails with Multiple Extension Attachment - the default option set is "No Action", the other is "Delete mail". This option is very useful to prevent malware like worms from propagating itself using multiple (double or triple) extensions via email attachments, for example Nimda, Sircam, etc.

b) Allow Multiple Extension attachment for ZIP file - the default option set is "Yes" or "Allowed". This option is very useful and helps in transmitting multiple extension attachments in email, for example compressed files like .zip, .pdf that have multiple extensions can be allowed.


3. Archival

a) Archive emails - this option is not enabled by default. This option is useful to archive or backup all emails that are sent and received via eScan. The folder or the path to this destination is customizable as per one's requirements.

b) Archive attachments - this option is not enabled by default. This option is useful to archive or backup all email attachments that are sent and received via eScan. The folder or the path to this destination is customizable as per one's requirements.

c) Do not archive attachments of type - With this option certain file types can be excluded from being archived, for example - *.vcf, *.htm, *.html, etc...

Other options -

Save - this option enables the user to Save the settings done.

Refresh - this option refreshes itself and displays the latest status.
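
The Block Attachment types, white list, CLSID and multiple-extension options on this page combine into one decision per attachment. The sketch below is an added example, not eScan's code: the policy dictionary, function names and evaluation order are assumptions, and the sample message and all-zero CLSID are constructed.

```python
import fnmatch
import re
from email.message import EmailMessage
from pathlib import PurePosixPath

# Constructed policy modelled on the options above; not eScan's shipped configuration.
POLICY = {
    "blocked_types": ["*.exe", "*.pif", "*.scr"],  # A) Block Attachment types
    "whitelist": ["*.pif"],                        # A) 8. Exclude attachments (White list)
    "delete_mail_if_blocked": False,               # A) 5.
    "delete_clsid": True,                          # D) 1. a)
    "multi_ext_action": "Delete mail",             # D) 2. a) (page default: "No Action")
    "allow_multi_ext_zip": True,                   # D) 2. b)
}

# Name ending in ".{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", a CLSID used as extension.
CLSID_EXT = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def matches(name, patterns):
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def check_attachment(name, policy=POLICY):
    """Return 'deliver', 'delete attachment' or 'delete mail' for one file name."""
    if policy["delete_clsid"] and CLSID_EXT.search(name):
        return "delete attachment"
    suffixes = PurePosixPath(name).suffixes
    if len(suffixes) >= 2 and policy["multi_ext_action"] == "Delete mail":
        zip_ok = policy["allow_multi_ext_zip"] and suffixes[-1].lower() == ".zip"
        if not zip_ok:
            return "delete mail"
    # Assumption: the white list overrides only the block list, as the page states,
    # so it is consulted after the CLSID and multiple-extension checks.
    if matches(name, policy["whitelist"]):
        return "deliver"
    if matches(name, policy["blocked_types"]):
        return "delete attachment"
    return "deliver"


def check_message(msg, policy=POLICY):
    """Return (action for the whole mail, {file name: verdict})."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdicts[name] = check_attachment(name, policy)
    found = set(verdicts.values())
    drop = "delete mail" in found or (
        policy["delete_mail_if_blocked"] and "delete attachment" in found)
    return ("delete mail" if drop else "deliver"), verdicts


def build_sample():
    """Constructed message with four attachments (contents are dummy bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "abc@xyz.net", "suzanne@xyz.net", "sample"
    msg.set_content("constructed test message")
    for name in ("notes.pif", "setup.exe", "logs.tar.zip",
                 "readme.txt.{00000000-0000-0000-0000-000000000000}"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

With "multi_ext_action" left at "No Action", a name such as invoice.doc.pif falls through to the white list and is delivered, which is why a white-listed type and the multiple-extension action are worth reviewing together.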

eMail Content Scanning

The latest version of eScan that has this feature is 9.x and is available in these editions - Virus Control (VC), Professional (PRO), Internet Security Suite (ISS), Corporate and Enterprise. It is compatible with Microsoft Windows operating systems like Windows 95, 98, ME, NT 4 (srv & wks), 2000, 2003, XP and Vista (32 & 64 bit).

This is the second option page available in the eScan Content Administrator. It can be accessed by right clicking on the green 'e' icon added to the systray after installing eScan.

It has different options like "Phrases to check" and "Advanced", "Disclaimer" and "Advanced", and lastly "View Quarantined Mails" and "View Ham Mails".

A) Phrases to check:

This feature has different options within -

1. Default white list of words/phrases - this is pre-defined white list of words/phrases that would be allowed to be sent and received.

2. User specified white list of words/phrases - this is a user specified white list of words/phrases that would be allowed to be sent and received.

3. Default black list of words/phrases - this is pre-defined black list of words/phrases that would not be allowed to be sent and received.

4. User specified black list of words/phrases - this is a user specified black list of words/phrases that would not be allowed to be sent and received.

  • To add a new word/phrase to the available list, select any word/phrase from the list, right click on it, then add the desired word/phrase to the existing list and Save the settings.
  • To modify any existing word/phrase from the available list, select the desired word/phrase from the list, right click on it, then change the desired word/phrase and / or the desired action to be taken, lastly Save the settings.
  • The default action set within eScan is "Quarant". The white and black lists above, when viewed on a color monitor, are shown in different colors: Default white list of words/phrases in Yellow, User specified white list of words/phrases in Blue, Default black list of words/phrases in Purple, User specified black list of words/phrases in Green.
  • A point may arise where genuine emails are also blocked because a word/phrase in the available list occurs in them. To overcome this, always define the desired word/phrase in double quotes so that it is blocked appropriately, for example "test". When an email arrives and the word test is defined in the list in quotes, the content filter will scan the email but will not tag it or take the defined action on it unless and until the exact word/phrase is matched. This is how false positives are taken care of.


B) Advanced:

This option page has different options like when to check emails, anti-spam configuration and mail tagging.

1. When to check emails - this option is very important and relevant and can help the user customize as to how the email content filter should work.

The options available within:-

a) Send Original mail to user - this option is not enabled by default, once enabled it helps to send the email (though tagged as spam) to the original recipient of the email.

b) Do not check content of Replied or Forwarded emails - this option is not enabled by default, once enabled it will not check contents in all emails that are either replied or forwarded. This eventually helps in releasing system resources on an email that has already been scanned and has come into the mailbox/inbox.

c) Content check of Outgoing emails - this option is not enabled by default, once enabled it will start checking all outgoing emails for restricted contents.


2. Mail Tagging - this option is very important as it helps in identifying emails as Spam (bad) or Ham (good).

a) Only (Spam) tag is added in Subject, the Body is left unchanged - this is the default action set within the software so that all spam emails are identified.

There are many other options that can be set as per the user's requirements like,

b) Do not change at all - this option will not tag the email at all.

c) Both subject and body is changed, [Spam] tag is added in subject, Actual Spam content is embedded in the body - this option helps identify the email as spam based on the subject and body.

d) "X-MailScan-Spam: 1" header line is added, Actual Spam content is embedded in the body - this option helps identify the email as spam based on the header.

e) "X-MailScan-Spam: 1" header line is added - Body and Subject both remain unchanged - this option helps identify the email as spam based on the header.


3. Spam Filter (Anti-Spam) Configuration - this option is enabled by default, it helps to block/prevent spam emails from entering into the mailbox/inbox of the user/s.

The options available within:-

a) Check content of HTML mails - this option is enabled by default, it helps to scan emails in HTML format along with Text.

b) Treat mails with Chinese/Korean character set as Spam - this option is enabled by default. It is observed from the reports received from our world wide sample collection centres that emails with Chinese/Korean characters are used by spammers to send spam; hence, when received, such emails are first analyzed based on a number of conditions, after which they are tagged as Spam.

c) Treat Subject with more than 5 Whitespaces as Spam - this option is enabled by default. It is observed from the reports received from our world wide sample collection centres that spammers are applying a technique of "spacing" (leaving spaces) in the subject of the email to get their malicious emails inside the user's mailbox/inbox by fooling the spam filters.

d) Treat HTML mails with "SRC=" string as Spam - It is also observed from the reports received from our world wide sample collection centres that spammers are skillfully inserting SRC (source) within an email. SRC= (source) inserts a source, for example a weblink (URL) or an image, within an email that can run/execute itself automatically in the background and download data from a remote server/site even without being viewed or executed.

e) Quarantine Advertisement mails - this option is enabled by default. Advertisement emails are big in size, use a lot of the internet bandwidth and are known [from reports] to be carrying malicious and/or unwanted content/data within; hence, when such emails are encountered, they are Quarantined.

The Advanced option within -

a) Enable Non Intrusive Learning Pattern (NILP) check - this option is enabled by default. Non Intrusive Learning Pattern (NILP) is an advanced Bayesian Filtering method with the intelligence to analyze each mail according to the Behavioral Patterns of the user and comes with a self learning capability. It is one of the components of the Anti-Spam Module that helps prevent spam emails from reaching the user's mailbox/inbox.

b) Enable eMail Header check - this option is enabled by default. The generic fields of an email like the email From, To, CC are checked for their validity before accepting the email. This is another component of the Anti-Spam Module that helps prevent spam emails from reaching the user's mailbox/inbox.

c) Enable X-Spam Rules check - this option is enabled by default. A database of words/phrases used by spammers is in-built within the software and each word/phrase is assigned a particular score or threshold level. If any of these words/phrases appear in an email, different validations along with a score or threshold level check are done [match] using this database, and if the score or threshold value is found to be True [matching], the mail is tagged as spam or otherwise. This is one more component of the Anti-Spam Module that helps prevent spam emails from reaching the user's mailbox/inbox.

d) Enable Sender Policy Framework (SPF) check - this option is not enabled by default. When enabled, it will check the SPF record of the particular domain from where the email is being downloaded. This is an additional component of the Anti-Spam Module that helps prevent spam emails from reaching the user's mailbox/inbox.

e) Enable Spam URI Real Time Blacklist (SURBL) check - this option is not enabled by default. When enabled, it checks for spammers' IP addresses using SURBL technology (Spam URI Realtime Black List), which helps identify spam URLs in the message body. This is an additional component of the Anti-Spam Module that helps prevent spam emails from reaching the user's mailbox/inbox.

f) Enable Real Time BlackHole list (RBL) check - this option is not enabled by default. When enabled, it checks for the spammers' IP addresses in RBLs (databases of known spammer IP addresses), which helps identify and block an email from being downloaded from a spammer IP. This is an additional component of the Anti-Spam Module that helps prevent spam emails from reaching the user's mailbox/inbox.

and...

RBL servers -

These are the different servers which hold databases of spammers' IP addresses and can be changed as per one's requirements (add/delete).

Auto Spam Whitelist -

This is a whitelist generated of email addresses (valid email addresses) from the mail clients. This is a list of addresses to whom emails have been sent to earlier.
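
The "Treat Subject with more than 5 Whitespaces" and "SRC=" checks and the Mail Tagging options (a), (b) and (e) described above can be exercised on a sample message. This is an added example, not eScan's code: the function names and mode names are hypothetical, the message is constructed, and reading "more than 5 whitespaces" as one consecutive run is an assumption.

```python
import re
from email import message_from_string, policy

# Constructed sample: padded subject plus an HTML body that references a remote image.
RAW = (
    "From: abc@xyz.net\n"
    "To: suzanne@xyz.net\n"
    "Subject: Special offer" + " " * 10 + "ref 20418\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "\n"
    '<html><body><p>Hello</p><img SRC="http://example.invalid/p.gif"></body></html>\n'
)


def subject_spacing_hit(subject, limit=5):
    # Assumption: the rule means one run of more than `limit` consecutive whitespace
    # characters. Counting every space would flag most ordinary multi-word subjects.
    return any(len(run) > limit for run in re.findall(r"\s+", subject))


def html_src_hit(msg):
    # Case-insensitive search for the literal "SRC=" string in every HTML part.
    for part in msg.walk():
        if part.get_content_type() == "text/html" and "src=" in part.get_content().lower():
            return True
    return False


def spam_reasons(msg):
    reasons = []
    if subject_spacing_hit(str(msg.get("Subject", ""))):
        reasons.append("subject-spacing")
    if html_src_hit(msg):
        reasons.append("html-src")
    return reasons


def tag(msg, mode):
    """Apply tagging option (a) 'subject', (b) 'none' or (e) 'header'."""
    if mode == "subject":
        subject = str(msg.get("Subject", ""))
        del msg["Subject"]
        msg["Subject"] = "[Spam] " + subject
    elif mode == "header":
        msg["X-MailScan-Spam"] = "1"
    return msg


def scan(raw, mode="subject"):
    msg = message_from_string(raw, policy=policy.default)
    # Assumption: this filter is the only tagger on the path, so a verdict header
    # that arrives with the mail is sender-supplied and is dropped.
    del msg["X-MailScan-Spam"]
    reasons = spam_reasons(msg)
    if reasons:
        tag(msg, mode)
    return msg, reasons
```

Mail client rules that key on the header from option (e) stay stable when the subject is later edited by replies or forwards, whereas a rule on the subject tag from option (a) does not.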


C) Disclaimer and Advanced:

This option is not enabled by default. Disclaimer is a footer or signature that gets added/appended to all outbound (outgoing) emails when enabled. It can be customized to be added to all incoming emails using the Add Disclaimer to Incoming emails option within the Advanced option, and can further be restricted from being added/appended to certain or specific email addresses or domains using the option of Outgoing mails excluded from adding disclaimer.


D) View Quarantined Mails:

This option is set right at the bottom end of the eMail Content Scanning page. When clicked on, one can view all the emails that have been quarantined (marked as spam) by eScan for any of the above mentioned rules/policies.

This has different options set within -

1. View - this option helps in viewing the emails that have been quarantined.

2. Delete - this option is for permanently deleting/purging the quarantined email (if it is not required).

3. Message Source - this option helps in finding out more details of the email that has been quarantined (email from, email to, cc, IP address, etc.)

4. Add Sender's eMail-ID to White List - this option helps in releasing the email that has been quarantined (will not be quarantined in future).

As a result, the email that had been quarantined will now be received by the user (recipient).


E) View Ham Mails:

This option is set right at the bottom end of the eMail Content Scanning page. When clicked on, one can view all the emails that are not spam (not marked as spam).

This has different options set within -

1. View - this option helps in viewing the emails that are not quarantined (spam).

2. Delete - this option is for permanently deleting/purging the email that is not marked as spam (if it is not required).

3. Message Source - this option helps in finding out more details of the email that has been quarantined (email from, email to, cc, IP address, etc.)

4. Train as spam - this option helps the eScan software in training (analysis) such emails as spam.

As a result, such an email that was not quarantined earlier, after training will be quarantined and will not be received by the user (recipient).

Other options -

Save - this option enables the user to Save the settings done.

Refresh - this option refreshes itself and displays the latest status.


eScan Copyright © 2015 MicroWorld Technologies Inc.- AntiVirus & Content Security.       Send your feedback to solutions@escanav.com eScan Wiki
