
  • Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

    http://docs.trendmicro.com/en-us/enterprise/interscan-messaging-security.aspx

    Trend Micro, the Trend Micro t-ball logo, Control Manager, eManager, InterScan, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

    © 2019. Trend Micro Incorporated. All Rights Reserved.

    Document Part No.: MSEM98516/181030

    Release Date: January 2019

    Protected by U.S. Patent No.: Patents pending


  • This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

    Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

    Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

    Evaluate this documentation on the following site:

    http://www.trendmicro.com/download/documentation/rating.asp


    Table of Contents

    About this Manual

    About this Manual ............................................................... vii

    What's New ........................................................................ viii

    Audience ............................................................................. xi

    InterScan Messaging Security Virtual Appliance Documentation ................ xi

    Document Conventions ....................................................... xii

    Chapter 1: Introducing InterScan Messaging Security Virtual Appliance

    About InterScan Messaging Security Virtual Appliance ......... 1-3

    IMSVA Main Features and Benefits ...................................... 1-3

    About Cloud Pre-Filter ....................................................... 1-12

    About Email Encryption .................................................... 1-12

    About Spyware/Grayware .................................................. 1-13
        How Spyware/Grayware Gets into Your Network ........... 1-13
        Potential Risks and Threats .......................................... 1-14

    About Web Reputation Services ......................................... 1-15

    About Email Reputation .................................................... 1-15
        Types of Email Reputation ........................................... 1-15
        How Email Reputation Technology Works .................... 1-17

    About Trend Micro Control Manager .................................. 1-18
        Control Manager Support ............................................ 1-19

    About Graymail Scanning .................................................. 1-22

    About Command & Control (C&C) Contact Alert Services .... 1-23

  • Trend Micro InterScan Messaging Security Virtual Appliance Installation Guide

    ii

    Chapter 2: Component Descriptions

    About IMSVA Components .................................................. 2-2

    Cloud Pre-Filter Service Overview ........................................ 2-2
        Sender Filtering ............................................................ 2-2
        Reputation-Based Source Filtering ................................. 2-2
        Virus and Spam Protection ............................................ 2-3

    About Spam Prevention Solution ......................................... 2-3
        Spam Prevention Solution Technology ........................... 2-3
        Using Spam Prevention Solution .................................... 2-3

    About Sender Filtering ........................................................ 2-3
        How IP Profiler Works .................................................. 2-4
        How SMTP Traffic Throttling Works .............................. 2-5

    About End-User Quarantine (EUQ) ....................................... 2-6

    About Centralized Reporting ............................................... 2-6

    Chapter 3: Planning for Deployment

    Deployment Checklist ......................................................... 3-2

    Network Topology Considerations ....................................... 3-5
        IMSVA Deployment with Cloud Pre-Filter ....................... 3-5
        Deployment at the Gateway or Behind the Gateway ........ 3-6
        Installing without a Firewall .......................................... 3-9
        Installing in Front of a Firewall .................................... 3-10
        Installing Behind a Firewall ......................................... 3-11
        Installing in the De-Militarized Zone ............................ 3-12

    About Device Roles ........................................................... 3-13

    About Device Services ....................................................... 3-13
        Service Selection ......................................................... 3-14
        Deployment with Sender Filtering ............................... 3-14
        Understanding Internal Communication Port ............... 3-14

    Understanding POP3 Scanning ........................................... 3-15
        Requirements for POP3 Scanning ................................. 3-16
        Configuring a POP3 Client that Receives Email Through IMSVA ... 3-16


    Opening the IMSVA Management Console .......................... 3-17

    Chapter 4: Installing IMSVA 9.1 Patch 3

    System Requirements ......................................................... 4-2

    Additional Requirements and Tools ............................... 4-3

    Installing IMSVA ................................................................. 4-4

    Setting Up a Single Parent Device ....................................... 4-21
        Step 1: Configuring System Settings .............................. 4-23
        Step 2: Configuring Deployment Settings ...................... 4-24
        Step 3: Configuring SMTP Routing Settings ................... 4-25
        Step 4: Configuring Notification Settings ...................... 4-27
        Step 5: Configuring the Update Source .......................... 4-28
        Step 6: Configuring LDAP Settings ................................ 4-30
        Step 7: Configuring Internal Addresses ......................... 4-33
        Step 8: Configuring Control Manager Server Settings ..... 4-35
        Step 9: Activating the Product ...................................... 4-37
        Step 10: Reviewing the Settings .................................... 4-38

    Setting Up a Child Device ................................................... 4-39

    Verifying Successful Deployment ....................................... 4-41

    Chapter 5: Upgrading from Previous Versions

    Upgrading from an Evaluation Version ................................. 5-2

    Upgrading from IMSVA 9.0 Patches ...................................... 5-4
        Backing Up IMSVA 9.0 Patch 1 ....................................... 5-5
        Upgrading a Single IMSVA ............................................. 5-6
        Upgrading a Distributed Environment .......................... 5-17
        Batch Upgrade ............................................................ 5-20
        Offline Upgrade .......................................................... 5-28
        Rolling Back an Upgrade ............................................. 5-33

    Migrating from Previous Versions ...................................... 5-34
        Migration Process ....................................................... 5-35
        Migrating from IMSS for Windows ............................... 5-38
        Migrating from IMSS for Linux .................................... 5-40
        Migrating from IMSS for Solaris ................................... 5-41


        Migrating from IMSVA 8.0 Patch 2, IMSVA 8.2 SP2 Patch 1, IMSVA 8.5 SP1 Patch 1 or IMSVA 9.0 Patch 2 ... 5-41
        Exporting Debugging Files ........................................... 5-43

    Chapter 6: Troubleshooting

    Troubleshooting Utilities ..................................................... 6-2
    Troubleshooting Communication Between Devices in a Group ... 6-3
    Troubleshooting Child Device Registration ........................... 6-4
    Troubleshooting Child Device Unregistration ....................... 6-5
    Troubleshooting the Hardware Identification Error .............. 6-5
    Troubleshooting Network Connectivity ................................ 6-9

    Appendix A: Technical Support

    Troubleshooting Resources ................................................. A-2
        Trend Community ........................................................ A-2
        Using the Support Portal ............................................... A-2
        Security Intelligence Community .................................. A-3
        Threat Encyclopedia ..................................................... A-3

    Contacting Trend Micro ...................................................... A-4
        Speeding Up the Support Call ........................................ A-4

    Sending Suspicious Content to Trend Micro ......................... A-5
        File Reputation Services ............................................... A-5
        Email Reputation Services ............................................ A-5
        Web Reputation Services .............................................. A-5

    Other Resources ................................................................. A-6
        TrendEdge ................................................................... A-6
        Download Center ......................................................... A-6
        TrendLabs ................................................................... A-7

    Appendix B: Creating a New Virtual Machine Under VMware ESX for IMSVA

    Creating a New Virtual Machine .......................................... B-2


    Appendix C: Creating a New Virtual Machine Under Microsoft Hyper-V for IMSVA

    Understanding Hyper-V Installation .................................... C-2
        IMSVA Support for Hyper-V .......................................... C-2

    Installing IMSVA on Microsoft Hyper-V ............................... C-2
        Creating a Virtual Network Assignment ......................... C-2
        Creating a New Virtual Machine .................................... C-7

    Index

    Index ............................................................................... IN-1

    About this Manual

    Welcome to the Trend Micro™ InterScan™ Messaging Security Virtual Appliance Installation Guide. This manual contains information about InterScan Messaging Security Virtual Appliance (IMSVA) features, system requirements, as well as instructions on installing and upgrading IMSVA settings.

    Refer to the IMSVA 9.1 Patch 3 Administrator's Guide for information about configuring IMSVA settings and the Online Help in the management console for detailed information about each field on the user interface.

    Topics include:

    • What's New on page viii

    • Audience on page xi

    • InterScan Messaging Security Virtual Appliance Documentation on page xi

    • Document Conventions on page xii


    What's New

    Table 1. IMSVA 9.1 Patch 3 New Features

    New Feature: URL analysis
    Description: In addition to suspicious files in email messages, IMSVA submits suspicious URLs included in email messages to Virtual Analyzer for further analysis.

    To protect you from malicious URLs, IMSVA first compares URLs in email messages with known malicious URLs in the Web reputation database, and then further analyzes URLs at the time of click. However, untested URLs may pass the first two layers of analysis. IMSVA provides enhanced protection by leveraging the URL sandbox available in Virtual Analyzer to perform sandbox simulation and analysis.

    Table 2. IMSVA 9.1 Patch 2 New Features

    New Feature: Domain-based Message Authentication, Reporting and Conformance (DMARC)
    Description: As an email validation system to detect and prevent email spoofing, DMARC is intended to fight against certain techniques used in phishing and spam, such as email messages with forged sender addresses that appear to originate from legitimate organizations.

    DMARC is designed to fit into the existing email authentication process of IMSVA, allowing you to define DMARC settings, including the actions to take on messages that fail DMARC verification.
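    The following is an added worked example, not IMSVA code, of what "DMARC verification" means for a gateway that already has SPF and DKIM results in hand: each result must both pass and be aligned with the RFC5322.From domain (strict or relaxed, as the sender's aspf= and adkim= tags request), and the published p= or sp= policy says what to do on failure. The class, function names and sample cases are constructed; the organizational-domain helper is simplified (no Public Suffix List), as noted in the comments.

```python
# Added example (not IMSVA code): how a gateway decides whether a message passes
# DMARC, given the SPF and DKIM results it already has, and what the sender's
# published policy asks it to do on failure. Follows the RFC 7489 rules for
# identifier alignment; helper names and sample data are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthResult:
    """Outcome of one authentication check and the domain it vouched for."""
    result: str   # "pass", "fail", "none", "temperror", ...
    domain: str   # SPF: MAIL FROM domain; DKIM: the signature's d= tag


def organizational_domain(domain: str) -> str:
    # Assumption: no Public Suffix List lookup. The organizational domain is
    # approximated as the last two labels, which is wrong for suffixes such as
    # co.uk; a production verifier must consult the PSL.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the
    same organizational domain, so mail.example.com aligns with example.com."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(from_domain: str, spf: Optional[AuthResult],
                   dkim: List[AuthResult], record: str) -> dict:
    """Return the DMARC verdict and the action the published policy requests.

    `record` is assumed to be the TXT record found for the From domain's
    organizational domain (_dmarc.<org-domain>); `sp=` therefore applies when
    the From domain is a subdomain of it.
    """
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"result": "none", "action": "deliver", "reason": "no valid DMARC record"}

    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")

    spf_aligned = (spf is not None and spf.result == "pass"
                   and is_aligned(spf.domain, from_domain, aspf))
    dkim_aligned = any(sig.result == "pass" and is_aligned(sig.domain, from_domain, adkim)
                       for sig in dkim)

    # DMARC passes when at least one mechanism both passes and aligns.
    passed = spf_aligned or dkim_aligned

    # Policy selection: p= for the organizational domain itself, sp= (if
    # present) for subdomains. pct= sampling is not modelled here.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

    action = "deliver" if passed or policy == "none" else policy  # quarantine / reject
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "policy": policy,
        "action": action,
    }


# Constructed sample cases (not real traffic):
# 1. Legitimate mail: SPF and DKIM both pass for the From domain.
LEGIT = evaluate_dmarc(
    "example.com",
    AuthResult("pass", "example.com"),
    [AuthResult("pass", "example.com")],
    "v=DMARC1; p=reject; adkim=s; aspf=s",
)
# 2. Spoofed From: SPF passes, but for the sending service's own bounce domain,
#    so it does not align, and there is no DKIM signature from the From domain.
SPOOFED = evaluate_dmarc(
    "bank.example",
    AuthResult("pass", "bulk-sender.example"),
    [],
    "v=DMARC1; p=quarantine",
)
# 3. Subdomain sender with relaxed alignment: passes under the default aspf=r.
SUBDOMAIN = evaluate_dmarc(
    "mail.example.com",
    AuthResult("pass", "example.com"),
    [],
    "v=DMARC1; p=reject",
)

if __name__ == "__main__":
    for name, verdict in (("legit", LEGIT), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN)):
        print(name, verdict)
```

    The second case is the one the table is about: a passing SPF result on its own proves nothing about the visible From address, and only alignment turns SPF or DKIM into a DMARC pass. In IMSVA the action on failure is an administrator setting; here it is taken from the record's p= tag purely to keep the example self-contained.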

    Table 3. IMSVA 9.1 New Features

    New Feature: Syslog integration
    Description: To provide enterprise-class logging capabilities, IMSVA supports sending logs through the syslog protocol to multiple external syslog servers in a structured format. On the IMSVA management console, you can add, delete, import and export syslog servers.

    New Feature: Multiple Virtual Analyzer servers
    Description: To achieve better load balancing and failover capabilities, IMSVA allows you to add multiple servers for Virtual Analyzer. You can also enable, disable and delete Virtual Analyzer servers on the IMSVA management console.

    New Feature: SMTP Traffic Throttling
    Description: SMTP Traffic Throttling blocks messages from a single IP address or sender for a certain time when the number of connections or messages reaches the specified maximum.

    New Feature: Audit log support
    Description: As an enhanced log category of system events, Audit log replaces Admin activity on the IMSVA management console. Audit logs record various administrator operations and provide a way to query activities of specified administrator accounts.

    New Feature: Enhanced queue management
    Description: IMSVA uses mail transfer agent (MTA) queues to store messages that just arrived, messages ready to be delivered to the next MTA, messages deferred due to delivery failure, and messages kept on hold for later manual delivery. Specific actions can be taken on the messages in MTA queues.

    New Feature: Enhanced Smart Protection
    Description: IMSVA supports both Trend Micro Smart Protection Network and Smart Protection Server as smart protection sources. Smart Protection Servers are supported to localize smart protection services to the corporate network to reduce outbound traffic and optimize efficiency.

    New Feature: External database support
    Description: IMSVA allows you to use not only the internal but also an external PostgreSQL database as the admin database or the EUQ database.

    New Feature: Time-of-Click Protection
    Description: IMSVA provides time-of-click protection against malicious URLs in email messages. If you enable Time-of-Click Protection, IMSVA rewrites URLs in email messages for further analysis. Trend Micro analyzes those URLs at the time of click and will block them if they are malicious.

    New Feature: Connected Threat Defense
    Description: Configure IMSVA to subscribe to the suspicious object lists on the Trend Micro Control Manager server. Using the Control Manager console, you can specify customized actions for objects detected by the suspicious object lists to provide custom defense against threats identified by endpoints protected by Trend Micro products specific to your environment.

    Control Manager facilitates the investigation of targeted attacks and advanced threats using suspicious objects. Files and URLs that have the potential to expose systems to danger or loss will be detected.

    New Feature: DomainKeys Identified Mail (DKIM) signature
    Description: IMSVA supports adding DKIM signatures to outgoing email messages. On the IMSVA management console, you can add or delete DKIM signatures and import or export DKIM signature files.

    New Feature: Report delivery through email
    Description: IMSVA allows you to send newly generated reports and archived reports through email. Detailed views of reports will be included.

    New Feature: Keyword and expression enhancement
    Description: To improve visibility of triggered keywords and expressions, the entity name (where the keyword expression appears in a message) and the matched expressions now appear in the policy event log query details page. Administrators can also add a description to new keyword expressions for better tracking.

    New Feature: Attachment names supported by message tracking logs
    Description: Message tracking logs include attachment names as a new attribute. Multiple attachment names can be specified to query message tracking logs.

    New Feature: Logon notice support
    Description: Customizable logon notices are available both on the administrator logon page and End-User Quarantine logon page.

    New Feature: Quarantine event summary
    Description: IMSVA provides quarantine event logs and reports for users to learn information about quarantine events, for example, the percentage of release events in all the quarantine events.

    New Feature: LDAPS support
    Description: IMSVA supports LDAP over SSL (LDAPS) that provides users a secure and encrypted channel to communicate with LDAP servers.

    New Feature: Ransomware detection
    Description: IMSVA gives you more visibility on ransomware detected by IMSVA. You can either query ransomware detections in logs or add a widget for ransomware detections on the dashboard.

    New Feature: Virtual Analyzer integration improvement
    Description: IMSVA allows you to define rules to send email messages with specified attachment names or extensions to Virtual Analyzer for analysis.

    Audience

    The IMSVA documentation is written for IT administrators in medium and large enterprises. The documentation assumes that the reader has in-depth knowledge of email messaging networks, including details related to the following:

    • SMTP and POP3 protocols

    • Message transfer agents (MTAs), such as Postfix or Microsoft™ Exchange

    • LDAP

    • Database management

    • Transport Layer Security

    The documentation does not assume that the reader has any knowledge of antivirus or antispam technology.

    InterScan Messaging Security Virtual Appliance Documentation

    The IMSVA documentation consists of the following:


    Administrator’s Guide
    Helps you get IMSVA up and running with post-installation instructions on how to configure and administer IMSVA.

    Installation Guide
    Contains introductions to IMSVA features, system requirements, and provides instructions on how to deploy and upgrade IMSVA in various network environments.

    Online Help
    Provides detailed instructions on each field and how to configure all features through the user interface. To access the online help, open the web management console, then click the help icon.

    Readme File
    Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.

    The documentation is available at:

    http://docs.trendmicro.com

    Document Conventions

    The documentation uses the following conventions:

    Table 4. Document Conventions

    Convention: UPPER CASE
    Description: Acronyms, abbreviations, and names of certain commands and keys on the keyboard

    Convention: Bold
    Description: Menus and menu commands, command buttons, tabs, and options

    Convention: Italics
    Description: References to other documents

    Convention: Monospace
    Description: Sample command lines, program code, web URLs, file names, and program output

    Convention: Navigation > Path
    Description: The navigation path to reach a particular screen. For example, File > Save means click File and then click Save on the interface.

    Convention: Note
    Description: Configuration notes

    Convention: Tip
    Description: Recommendations or suggestions

    Convention: Important
    Description: Information regarding required or default configuration settings and product limitations

    Convention: WARNING!
    Description: Critical actions and configuration options

    Chapter 1

    Introducing InterScan™ Messaging Security Virtual Appliance

    This chapter introduces InterScan™ Messaging Security Virtual Appliance (IMSVA) features, capabilities, and technology, and provides basic information on other Trend Micro products that will enhance your antispam capabilities.

    Topics include:

    • About InterScan Messaging Security Virtual Appliance on page 1-3

    • IMSVA Main Features and Benefits on page 1-3

    • About Cloud Pre-Filter on page 1-12

    • About Email Encryption on page 1-12

    • About Spyware/Grayware on page 1-13

    • About Web Reputation Services on page 1-15

    • About Email Reputation on page 1-15

    • About Trend Micro Control Manager on page 1-18

    • About Graymail Scanning on page 1-22


    • About Command & Control (C&C) Contact Alert Services on page 1-23


    About InterScan Messaging Security Virtual Appliance

    InterScan Messaging Security Virtual Appliance (IMSVA) integrates multi-tiered spam prevention and anti-phishing with award-winning antivirus and anti-spyware. Content filtering enforces compliance and prevents data leakage. This easy-to-deploy appliance is delivered on a highly scalable platform with centralized management, providing easy administration. Optimized for high performance and continuous security, the appliance provides comprehensive gateway email security.

    IMSVA Main Features and Benefits

    The following table outlines the main features and benefits that IMSVA can provide to your network.

    Table 1-1. Main Features and Benefits

    Data and system protection

    Feature: Cloud-based pre-filtering of messages
    Description: Cloud Pre-Filter integrates with IMSVA to scan all email traffic before it reaches your network.
    Benefits: Cloud Pre-Filter can stop significant amounts of spam and malicious messages (up to 90% of your total message traffic) from ever reaching your network.

    Feature: Email encryption
    Description: Trend Micro Email Encryption integrates with IMSVA to encrypt or decrypt all email traffic entering and leaving your network.
    Benefits: Trend Micro Email Encryption provides IMSVA the ability to encrypt all email messages leaving your network. By encrypting all email messages leaving a network, administrators can prevent sensitive data from being leaked.


    Feature: Advanced anti-malware protection
    Description: The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and aggressive heuristic scanning to detect document exploits and other threats used in targeted attacks.
    Benefits: ATSE identifies both known and unknown advanced threats, protecting your system from new threats that have yet to be added to patterns.

    Feature: Command & Control (C&C) Contact Alert Services
    Description: C&C Contact Alert Services allows IMSVA to inspect the sender, recipients and reply-to addresses in a message's header, as well as URLs in the message body, to see if any of them matches known C&C objects.
    Benefits: C&C Contact Alert Services provides IMSVA with enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks.

    Feature: Graymail
    Description: Graymail refers to solicited bulk email messages that are not spam. IMSVA detects marketing messages and newsletters and social network notifications as graymail.
    Benefits: IMSVA manages graymail separately from common spam to allow administrators to identify graymail messages. IP addresses specified in the graymail exception list bypass scanning.

    Feature: Regulatory compliance
    Description: Administrators can meet government regulatory requirements using the new default policy scanning conditions Compliance templates.
    Benefits: Compliance templates provide administrators with regulatory compliance. For a detailed list of available templates, see http://docs.trendmicro.com/en-us/enterprise/data-protection-reference-documents.aspx.

    Feature: Smart Scan
    Description: Smart Scan facilitates a more efficient scanning process by off-loading a large number of threat signatures previously stored on the IMSVA server to the cloud.
    Benefits: Smart Scan leverages the Smart Protection Network to:

    • Enable fast, real-time security status lookup capabilities in the cloud

    • Reduce the time necessary to deliver protection against emerging threats

    • Lower memory consumption on the server



    Feature: IntelliTrap
    Description: Virus writers often attempt to circumvent virus filtering by using different file compression schemes. IntelliTrap provides heuristic evaluation of these compressed files.

    Because there is the possibility that IntelliTrap may identify a non-threat file as a security risk, Trend Micro recommends quarantining message attachments that fall into this category when IntelliTrap is enabled. In addition, if your users regularly exchange compressed files, you may want to disable this feature.

    By default, IntelliTrap is turned on as one of the scanning conditions for an antivirus policy, and is configured to quarantine message attachments that may be classified as security risks.

    Benefits: IntelliTrap helps reduce the risk that a virus compressed using different file compression schemes will enter your network through email.

    Feature: Content management
    Description: IMSVA analyzes email messages and their attachments, traveling to and from your network, for appropriate content.
    Benefits: Content that you deem inappropriate, such as personal communication, large attachments, and so on, can be blocked or deferred effectively using IMSVA.

    Feature: Real-time Statistics and Monitor
    Description: Administrators can monitor the scan performance and Sender Filtering performance of all IMSVA devices (within a group) on the management console.
    Benefits: IMSVA provides administrators with an overview of the system that keeps administrators informed on the first sign of mail processing issues. Detailed logging helps administrators proactively manage issues before they become a problem.

    Protection against other email threats


    Feature: DoS attacks
    Description: By flooding a mail server with large attachments, or sending messages that contain multiple viruses or recursively compressed files, individuals with malicious intent can disrupt mail processing.
    Benefits: IMSVA allows you to configure the characteristics of messages that you want to stop at the SMTP gateway, thus reducing the chances of a DoS attack.

    Feature: Malicious email content
    Description: Many types of file attachments, such as executable programs and documents with embedded macros, can harbor viruses. Messages with HTML script files, HTML links, Java applets, or ActiveX controls can also perform harmful actions.
    Benefits: IMSVA allows you to configure the types of messages that are allowed to pass through the SMTP gateway.

    Feature: Degradation of services
    Description: Non-business-related email traffic has become a problem in many organizations. Spam messages consume network bandwidth and affect employee productivity. Some employees use company messaging systems to send personal messages, transfer large multimedia files, or conduct personal business during working hours.
    Benefits: Most companies have acceptable usage policies for their messaging system; IMSVA provides tools to enforce and ensure compliance with existing policies.

    Feature: Legal liability and business integrity
    Description: Improper use of email can also put a company at risk of legal liability. Employees may engage in sexual or racial harassment, or other illegal activity. Dishonest employees can use a company messaging system to leak confidential information. Inappropriate messages that originate from a company's mail server damage the company's reputation, even if the opinions expressed in the message are not those of the company.
    Benefits: IMSVA provides tools for monitoring and blocking content to help reduce the risk that messages containing inappropriate or confidential material will be allowed through your gateway.


    Feature: Mass mailing virus containment
    Description: Email-borne viruses that may automatically spread bogus messages through a company’s messaging system can be expensive to clean up and cause panic among users.

    When IMSVA detects a mass-mailing virus, the action performed against this virus can be different from the actions against other types of viruses.

    For example, if IMSVA detects a macro virus in a Microsoft Office document with important information, you can configure the program to quarantine the message instead of deleting the entire message, to ensure that important information will not be lost. However, if IMSVA detects a mass-mailing virus, the program can automatically delete the entire message.

    Benefits: By auto-deleting messages that contain mass-mailing viruses, you avoid using server resources to scan, quarantine, or process messages and files that have no redeeming value.

    The identities of known mass-mailing viruses are in the Mass Mailing Pattern that is updated using the TrendLabs℠ ActiveUpdate Servers. You can save resources, avoid help desk calls from concerned employees and eliminate post-outbreak cleanup work by choosing to automatically delete these types of viruses and their email containers.

    Protection from spyware and other types of grayware

    Feature: Spyware and other types of grayware
    Description: Other than viruses, your clients are at risk from potential threats such as spyware, adware and dialers. For more information, see About Spyware/Grayware on page 1-13.
    Benefits: IMSVA’s ability to protect your environment against spyware and other types of grayware enables you to significantly reduce security, confidentiality, and legal risks to your organization.

    Integrated antispam features


    Feature: Spam Prevention Solution (SPS)
    Description: Spam Prevention Solution (SPS) is a licensed product from Trend Micro that provides spam detection services to other Trend Micro products. To use SPS, obtain an SPS Activation Code. For more information, contact your sales representative.

    SPS works by using a built-in spam filter that automatically becomes active when you register and activate the SPS license.

    Benefits: The detection technology used by Spam Prevention Solution (SPS) is based on sophisticated content processing and statistical analysis. Unlike other approaches to identifying spam, content analysis provides high-performance, real-time detection that is highly adaptable, even as spam senders change their techniques.

    Feature: Spam Filtering with IP Profiler, Email Reputation and SMTP Traffic Throttling
    Description: IP Profiler is a self-learning, fully configurable feature that proactively blocks IP addresses of computers that send spam and other types of potential threats. Email reputation blocks IP addresses of known spam senders that Trend Micro maintains in a central database. SMTP Traffic Throttling blocks messages from a single IP address or sender for a certain time when the number of connections or messages reaches the specified maximum.

    Note: Activate SPS before you configure IP Profiler and Email Reputation.

    Benefits: With the integration of Sender Filtering, which includes IP Profiler, Email Reputation and SMTP Traffic Throttling, IMSVA can block spammers at the IP level.


Feature: Social Engineering Attack Protection

Description: Social Engineering Attack Protection detects suspicious behavior related to social engineering attacks in email messages.

Benefits: When Social Engineering Attack Protection is enabled, the Trend Micro Antispam Engine scans for suspicious behavior in several parts of each email transmission, including the email header, subject line, body, attachments, and the SMTP protocol information. If the Antispam Engine detects behavior associated with social engineering attacks, the Antispam Engine returns details about the message to IMSVA for further action, policy enforcement, or reporting.

    Administration and integration

Feature: LDAP and domain-based policies

Description: You can configure LDAP settings if you are using LDAP directory services such as Lotus Domino™ or Microsoft™ Active Directory™ for user-group definition and administrator privileges.

Benefits: Using LDAP, you can define multiple rules to enforce your company’s email usage guidelines. You can define rules for individuals or groups, based on the sender and recipient addresses.

Feature: Web-based management console

Description: The management console allows you to conveniently configure IMSVA policies and settings.

Benefits: The management console is SSL-compatible. Being SSL-compatible means access to IMSVA is more secure.

Feature: End-User Quarantine (EUQ)

Description: IMSVA provides web-based EUQ to improve spam management. The web-based EUQ service allows end-users to manage the spam quarantine of their personal accounts and of distribution lists that they belong to. IMSVA quarantines messages that it determines are spam. The EUQ indexes these messages into a database. The messages are then available for end-users to review, delete, or approve for delivery.

Benefits: With the web-based EUQ management console, end-users can manage messages that IMSVA quarantines.

IMSVA also enables users to apply actions to quarantined messages and to add senders to the Approved Senders list through links in the EUQ digest.


Feature: Delegated administration

Description: IMSVA offers the ability to create different access rights to the management console. You can choose which sections of the console are accessible for different administrator logon accounts.

Benefits: By delegating administrative roles to different employees, you can promote the sharing of administrative duties.

Feature: Centralized reporting

Description: Centralized reporting gives you the flexibility of generating one time (on demand) reports or scheduled reports.

Benefits: Helps you analyze how IMSVA is performing.

One time (on demand) reports allow you to specify the type of report content as and when required. Alternatively, you can configure IMSVA to automatically generate reports daily, weekly, and monthly.

IMSVA allows you to send both one-time and scheduled reports through email.

Feature: System availability monitor

Description: A built-in agent monitors the health of your IMSVA server and delivers notifications through email or SNMP trap when a fault condition threatens to disrupt the mail flow.

Benefits: Email and SNMP notification on detection of system failure allows you to take immediate corrective actions and minimize downtime.

Feature: POP3 scanning

Description: You can choose to enable or disable POP3 scanning from the management console.

Benefits: In addition to SMTP traffic, IMSVA can also scan POP3 messages at the gateway as messaging clients in your network retrieve them.

Feature: Clustered architecture

Description: The current version of IMSVA has been designed to make distributed deployment possible.

Benefits: You can install the various IMSVA components on different computers, and some components can exist in multiples. For example, if your messaging volume demands, you can install additional IMSVA scanner components on additional servers, all using the same policy services.


Feature: Integration with Virtual Analyzer

Description: IMSVA integrates with Virtual Analyzer, which is an isolated virtual environment used to manage and analyze samples in Deep Discovery Advisor and Deep Discovery Analyzer.

Benefits: IMSVA sends suspicious files and URLs to the Virtual Analyzer sandbox environment for simulation. Virtual Analyzer opens files, including password-protected archives and document files, and accesses URLs to test for exploit code, C&C and botnet connections, and other suspicious behaviors or characteristics.

Feature: Integration with Trend Micro Control Manager™

Description: Trend Micro Control Manager™ (TMCM) is a software management solution that gives you the ability to control antivirus and content security programs from a central location regardless of the program’s physical location or platform. This application can simplify the administration of a corporate virus and content security policy.

Benefits: Outbreak Prevention Services delivered through Trend Micro Control Manager™ reduces the risk of outbreaks. When a Trend Micro product detects a new email-borne virus, TrendLabs issues a policy that uses the advanced content filters in IMSVA to block messages by identifying suspicious characteristics in these messages. These rules help minimize the window of opportunity for an infection before the updated pattern file is available.

Feature: Integration with syslog servers

Description: IMSVA integrates with syslog servers that use the syslog protocol to receive log messages. Syslog protocol is a network logging standard supported by a wide range of network devices and contains information on network events and errors.

Benefits: Syslog server integration implements centralized log collection and management for multiple IMSVA servers and consolidates log data from all over the network into a single central repository. Collecting and analyzing syslog messages is essential for maintaining network stability and auditing network security.


Feature: Time-of-Click Protection

Description: IMSVA provides time-of-click protection against malicious URLs in email messages.

Benefits: If you enable Time-of-Click Protection, IMSVA rewrites URLs in email messages for further analysis. Trend Micro analyzes those URLs at the time of click and will block them if they are malicious.

About Cloud Pre-Filter

Cloud Pre-Filter is a cloud security solution that integrates with IMSVA to provide proactive protection in the cloud with the privacy and control of an on-premise virtual appliance.

Cloud Pre-Filter reduces inbound email message volume up to 90% by blocking spam and malware outside your network. Cloud Pre-Filter is integrated with IMSVA at the gateway, allowing flexible control over sensitive information, and local quarantines ensure your email message stays private. No email message is stored in the cloud. With Cloud Pre-Filter, you can reduce complexity and overhead to realize significant cost savings.

About Email Encryption

Trend Micro Email Encryption provides IMSVA with the ability to perform encryption and decryption of email messages. With Email Encryption, IMSVA has the ability to encrypt and decrypt email messages regardless of the email client or platform from which they originated. The encryption and decryption of email messages on Trend Micro Email Encryption is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses, keywords, or whether the email messages (or attachments) contain credit card numbers. Trend Micro Email Encryption presents itself as a simple mail transfer protocol (SMTP) interface and delivers email messages out over SMTP to a configured outbound mail transport agent (MTA). This enables easy integration with other email server-based products, be they content scanners, mail servers or archiving solutions.

About Spyware/Grayware

Your clients are at risk from potential threats other than viruses/malware. Grayware can negatively affect the performance of the computers on your network and introduce significant security, confidentiality, and legal risks to your organization.

    Table 1-2. Types of Grayware

Spyware: Gathers data, such as account user names and passwords, and transmits them to third parties.

Adware: Displays advertisements and gathers data, such as user web surfing preferences, to target advertisements at the user through a web browser.

Dialers: Changes computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem.

Joke Programs: Causes abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes.

Hacking Tools: Helps hackers enter computers.

Remote Access Tools: Helps hackers remotely access and control computers.

Password Cracking Applications: Helps hackers decipher account user names and passwords.

Other: Other types not covered above.

How Spyware/Grayware Gets into Your Network

Spyware/grayware often gets into a corporate network when users download legitimate software that has grayware applications included in the installation package.


Most software programs include an End User License Agreement (EULA), which the user has to accept before downloading. Often the EULA does include information about the application and its intended use to collect personal data; however, users often overlook this information or do not understand the legal jargon.

    Potential Risks and Threats

The existence of spyware/grayware on your network has the potential to introduce the following:

    Table 1-3. Types of Risks

Reduced computer performance: To perform their tasks, spyware/grayware applications often require significant CPU and system memory resources.

Increased web browser-related crashes: Certain types of grayware, such as adware, are often designed to create pop-up windows or display information in a browser frame or window. Depending on how the code in these applications interacts with system processes, grayware can sometimes cause browsers to crash or freeze and may even require a system reboot.

Reduced user efficiency: By needing to close frequently occurring pop-up advertisements and deal with the negative effects of joke programs, users can be unnecessarily distracted from their main tasks.

Degradation of network bandwidth: Spyware/grayware applications often regularly transmit the data they collect to other applications running on your network or to locations outside of your network.

Loss of personal and corporate information: Not all data that spyware/grayware applications collect is as innocuous as a list of websites users visit. Spyware/grayware can also collect the user names and passwords users type to access their personal accounts, such as a bank account, and corporate accounts that access resources on your network.


Higher risk of legal liability: If hackers gain access to the computer resources on your network, they may be able to utilize your client computers to launch attacks or install spyware/grayware on computers outside your network. Having your network resources unwillingly participate in these types of activities could leave your organization legally liable to damages incurred by other parties.

About Web Reputation Services

Trend Micro web reputation technology helps break the infection chain by assigning websites a “reputation” based on an assessment of the trustworthiness of a URL, derived from an analysis of the domain. Web reputation protects against web-based threats, including zero-day attacks, before they reach the network. Trend Micro web reputation technology tracks the lifecycle of hundreds of millions of web domains, extending proven Trend Micro antispam protection to the Internet.

About Email Reputation

Trend Micro designed Email reputation to identify and block spam before it enters a computer network by routing Internet Protocol (IP) addresses of incoming mail connections to Trend Micro Smart Protection Network for verification against an extensive Reputation Database.

Types of Email Reputation

There are two types of Email reputation: Standard on page 1-15 and Advanced on page 1-16.

Email Reputation: Standard

This service helps block spam by validating requested IP addresses against the Trend Micro reputation database, powered by the Trend Micro Smart Protection Network. This ever-expanding database currently contains over 1 billion IP addresses with reputation ratings based on spamming activity. Trend Micro spam investigators continuously review and update these ratings to ensure accuracy.

Email reputation: Standard is a DNS single-query-based service. Your designated email server makes a DNS query to the standard reputation database server whenever an incoming email message is received from an unknown host. If the host is listed in the standard reputation database, Email reputation reports that email message as spam.

    Tip

Trend Micro recommends that you configure IMSVA to block, not receive, any email messages from an IP address that is included on the standard reputation database.

    Email Reputation: Advanced

Email reputation: Advanced identifies and stops sources of spam while they are in the process of sending millions of messages.

This is a dynamic, real-time antispam solution. To provide this service, Trend Micro continuously monitors network and traffic patterns and immediately updates the dynamic reputation database as new spam sources emerge, often within minutes of the first sign of spam. As evidence of spam activity ceases, the dynamic reputation database is updated accordingly.

Like Email reputation: Standard, Email reputation: Advanced is a DNS query-based service, but two queries can be made to two different databases: the standard reputation database and the dynamic reputation database (a database updated dynamically in real time). These two databases have distinct entries (no overlapping IP addresses), allowing Trend Micro to maintain a very efficient and effective database that can quickly respond to highly dynamic sources of spam. Email reputation: Advanced has blocked more than 80% of total incoming connections (all were malicious) in customer networks. Results will vary depending on how much of your incoming email stream is spam. The more spam you receive, the higher the percentage of blocked connections you will see.

    How Email Reputation Technology Works

Trend Micro Email reputation technology is a Domain Name Service (DNS) query-based service. The following process takes place after IMSVA receives a connection request from a sending mail server:

1. IMSVA records the IP address of the computer requesting the connection.

2. IMSVA forwards the IP address to the Trend Micro Email reputation DNS servers and queries the Reputation Database. If the IP address had already been reported as a source of spam, a record of the address will already exist in the database at the time of the query.

3. If a record exists, Email reputation instructs IMSVA to permanently or temporarily block the connection request. The decision to block the request depends on the type of spam source, its history, current activity level, and other observed parameters.
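The three-step exchange above, together with the Standard/Advanced split into a standard and a dynamic reputation database, as an added Python simulation that is not Trend Micro's code. It assumes a DNSBL-style query name (reversed IPv4 octets under a zone), placeholder zone names, and that a standard-database listing maps to a permanent SMTP reject while a dynamic-database listing maps to a temporary reject; the zone data is constructed and no DNS traffic is sent.

```python
"""Simulation of a DNS query-based IP reputation check (added example).

Assumptions not taken from the IMSVA guide: the reputation service answers a
DNSBL-style A query for the reversed IPv4 address under a zone name; a listing
in the standard database yields a permanent reject (5xx) and a listing in the
dynamic database a temporary reject (4xx). Zone data below is constructed and
the lookup never touches the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Placeholder zone names; the real service's zone names are not documented here.
STANDARD_ZONE = "standard.reputation.example"
DYNAMIC_ZONE = "dynamic.reputation.example"

# Constructed answer data: query name -> A record. A missing name means NXDOMAIN,
# i.e. the address is not listed. Addresses come from RFC 5737 documentation ranges.
FAKE_DNS: Dict[str, str] = {
    "7.113.0.203." + STANDARD_ZONE: "127.0.0.2",   # long-known spam source
    "25.100.51.198." + DYNAMIC_ZONE: "127.0.0.3",  # currently active spam source
}


def reputation_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL-style name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dns_lookup(name: str, records: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Stand-in for a DNS A query; returns the record or None for NXDOMAIN."""
    return records.get(name)


@dataclass(frozen=True)
class Verdict:
    action: str      # "accept", "block-temporary" or "block-permanent"
    smtp_reply: str  # reply the MTA would send to the connecting server
    source: str      # which database produced the listing, or "none"


def check_sender(ip: str) -> Verdict:
    """Steps 1-3 of the process: record the IP, query the databases, decide.

    The standard database is queried first: a listing there is a long-lived
    spam source and gets a permanent reject. Otherwise the dynamic database is
    consulted; a listing there reflects current activity, so the reject is
    temporary and a host that stops spamming can deliver again later.
    """
    if dns_lookup(reputation_query_name(ip, STANDARD_ZONE)) is not None:
        return Verdict("block-permanent",
                       f"550 5.7.1 Connection from {ip} refused (standard reputation database)",
                       "standard")
    if dns_lookup(reputation_query_name(ip, DYNAMIC_ZONE)) is not None:
        return Verdict("block-temporary",
                       f"450 4.7.1 Connection from {ip} deferred (dynamic reputation database)",
                       "dynamic")
    return Verdict("accept", "220 mail.example.com ESMTP", "none")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.10"):
        v = check_sender(ip)
        print(f"{ip:15} {v.action:16} {v.smtp_reply}")
```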


    The figure below illustrates how Email reputation works.

    Figure 1-1. How Email reputation works

For more information on the operation of Trend Micro Email reputation, visit https://ers.trendmicro.com/.

About Trend Micro Control Manager

Trend Micro™ Control Manager™ is a software management solution that gives you the ability to control antivirus and content security programs from a central location, regardless of the program’s physical location or platform. This application can simplify the administration of a corporate virus/malware and content security policy.


• Control Manager server: The Control Manager server is the machine upon which the Control Manager application is installed. The web-based Control Manager management console is hosted from this server.

• Agent: The agent is an application installed on a managed product that allows Control Manager to manage the product. The agent receives commands from the Control Manager server, and then applies them to the managed product. The agent collects logs from the product, and sends them to Control Manager.

• Entity: An entity is a representation of a managed product on the Product Directory link. Each entity has an icon in the directory tree. The directory tree displays all managed entities residing on the Control Manager console.

    Control Manager Support

The following table shows a list of Control Manager features that IMSVA supports.

    Table 1-4. Supported Control Manager Features

Feature: Two-way communication

Description: Using 2-way communication, either IMSVA or Control Manager may initiate the communication process.

Supported? No. Only IMSVA can initiate a communication process with Control Manager.


Feature: Outbreak Prevention Policy

Description: The Outbreak Prevention Policy (OPP) is a quick response to an outbreak developed by TrendLabs that contains a list of actions IMSVA should perform to reduce the likelihood of the IMSVA server or its clients becoming infected. Trend Micro ActiveUpdate Server deploys this policy to IMSVA through Control Manager.

Supported? Yes

Feature: Log upload for query

Description: Uploads IMSVA virus logs, Content Security logs, and Email reputation logs to Control Manager for query purposes.

Supported? Yes

Feature: Single Sign-on

Description: Manage IMSVA from Control Manager directly without first logging on to the IMSVA management console.

Supported? No. You need to first log on to the IMSVA management console before you can manage IMSVA from Control Manager.

Feature: Configuration replication

Description: Replicate configuration settings from an existing IMSVA server to a new IMSVA server from Control Manager.

Supported? Yes

Feature: Pattern update

Description: Update pattern files used by IMSVA from Control Manager.

Supported? Yes

Feature: Engine update

Description: Update engines used by IMSVA from Control Manager.

Supported? Yes

Feature: Product component update

Description: Update IMSVA product components such as patches and hot fixes from Control Manager.

Supported? No. Refer to the specific patch or hot fix readme file for instructions on how to update the product components.


Feature: Configuration by user interface redirect

Description: Configure IMSVA through the IMSVA management console accessible from Control Manager.

Supported? Yes

Feature: Renew product registration

Description: Renew IMSVA product license from Control Manager.

Supported? Yes

Feature: Customized reporting from Control Manager

Description: Control Manager provides customized reporting and log queries for email-related data.

Supported? Yes

Feature: Control Manager agent installation/uninstallation

Description: Install or uninstall IMSVA Control Manager agent from Control Manager.

Supported? No. IMSVA Control Manager agent is automatically installed when you install IMSVA. To enable/disable the agent, do the following from the IMSVA management console:

1. Go to Administration > Connections.

2. Click the TMCM Server tab.

3. To enable/disable the agent, select/clear the check box next to Enable MCP Agent.

Feature: Event notification

Description: Send IMSVA event notification from Control Manager.

Supported? Yes

Feature: Command tracking for all commands

Description: Track the status of commands that Control Manager issues to IMSVA.

Supported? Yes


About Graymail Scanning

Graymail refers to solicited bulk email messages that are not spam. IMSVA detects marketing messages and newsletters and social network notifications as graymail. IMSVA identifies graymail messages in two ways:

    • Email Reputation Services scoring the source IP address

    • Trend Micro Antispam Engine identifying message content

Note

Note that while IMSVA detects these kinds of email messages, these messages are not tagged as spam.

Administrators define the rule criteria to take an action on those email messages. Every graymail message rule has an exception list containing address objects that bypass message filtering. An address object is a single IP address or address range (IPv4 or IPv6), or the Classless Inter-Domain Routing (CIDR) block.

Administrators have several options to understand graymail message traffic in the network. Reports illustrate the highest senders and recipients of graymail messages from external or internal sources. Administrators can also query detailed log information or view the email quarantine and release messages identified as permitted graymail messages when necessary.

    The graymail exception list can be exported and imported.

Note

Ensure that IMSVA can query external DNS servers for graymail scanning. If you change any DNS server settings, restart the scanner server to load the new settings.


About Command & Control (C&C) Contact Alert Services

Trend Micro Command & Control (C&C) Contact Alert Services provides IMSVA with enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. It leverages the Global Intelligence list compiled, tested, and rated by the Trend Micro Smart Protection Network to detect callback addresses.

With C&C Contact Alert Services, IMSVA has the ability to inspect the sender, recipients and reply-to addresses in a message's header, as well as URLs in the message body, to see if any of them matches known C&C objects. Administrators can configure IMSVA to quarantine such messages and send a notification when a message is flagged. IMSVA logs all detected email with C&C objects and the action taken on these messages. IMSVA sends these logs to Control Manager for query purposes.


    Chapter 2

Component Descriptions

This chapter explains the requirements necessary to manage IMSVA and the various software components the product needs to function.

    Topics include:

    • About IMSVA Components on page 2-2

    • Cloud Pre-Filter Service Overview on page 2-2

    • About Spam Prevention Solution on page 2-3

    • About Sender Filtering on page 2-3

    • About Email Reputation on page 1-15

    • About End-User Quarantine (EUQ) on page 2-6

    • About Centralized Reporting on page 2-6


About IMSVA Components

The new architecture of IMSVA separates the product into distinct components that each perform a particular task in message processing. The following sections provide an overview of each component.

Cloud Pre-Filter Service Overview

Cloud Pre-Filter service is a managed email security service powered by the Trend Micro Email Security Platform. By routing your inbound messages through the service, you protect your domains against spam, phishing, malware, and other messaging threats before the threats reach your network.

    Sender Filtering

By approving senders, Cloud Pre-Filter Service subscribers automatically allow messages from trusted mail servers or email addresses. Messages from approved senders are not checked for spam or source reputation. Messages from approved senders are scanned for viruses.

By blocking senders, subscribers automatically block messages from untrusted sources.

    Reputation-Based Source Filtering

With Trend Micro Email Reputation, Cloud Pre-Filter service verifies email sources against dynamic and self-updating reputation databases to block messages from the latest botnets and other IP addresses controlled by spammers, phishers, and malware distributors.


    Virus and Spam Protection

With Trend Micro antivirus technology, Cloud Pre-Filter Service protects against infectious messages from mass-mailing worms or manually crafted messages that contain Trojans, spyware, or other malicious code.

Cloud Pre-Filter Service checks messages for spam characteristics to effectively reduce the volume of unsolicited messages.

About Spam Prevention Solution

Spam Prevention Solution (SPS) is a licensed product from Trend Micro that provides spam-detection services to other Trend Micro products. The SPS license is included in the Trend Micro Antivirus and Content Filter license. For more information, contact your sales representative.

    Spam Prevention Solution Technology

SPS uses detection technology based on sophisticated content processing and statistical analysis. Unlike other approaches to identifying spam, content analysis provides high performance, real-time detection that is highly adaptable, even as spammers change their techniques.

    Using Spam Prevention Solution

SPS works through a built-in spam filter that automatically becomes active when you register and activate the Spam Prevention Solution license.

About Sender Filtering

IMSVA includes optional Sender Filtering, which consists of the following parts:


IP Profiler
Allows you to configure threshold settings used to analyze email traffic. When traffic from an IP address violates the settings, IP Profiler adds the IP address of the sender to its database and then blocks incoming connections from the IP address.

IP Profiler detects any of these four potential Internet threats:

• Spam: Email messages with unwanted advertising content.

• Viruses: Various virus threats, including Trojan programs.

• Directory Harvest Attack (DHA): A method used by spammers to collect valid email addresses by generating random email addresses using a combination of random email names with valid domain names. Emails are then sent to these generated email addresses. If an email message is delivered, the email address is determined to be genuine and thus added to the spam databases.

• Bounced Mail: An attack that uses your mail server to generate email messages that have the target's email domain in the "From" field. Fictitious addresses send email messages and when they return, they flood the target's mail server.

Email Reputation
Blocks email from known spam senders at the IP level.

SMTP Traffic Throttling
Blocks messages from a single IP address or sender for a certain time when the number of connections or messages reaches the specified maximum.

    How IP Profiler Works

IP Profiler proactively identifies IP addresses of computers that send email messages containing threats mentioned in the section About Sender Filtering on page 2-3. You can customize several criteria that determine when IMSVA starts taking a specified action on an IP address. The criteria differ depending on the potential threat, but commonly include a duration during which IMSVA monitors the IP address and a threshold.

The following process takes place after IMSVA receives a connection request from a sending mail server:

1. FoxProxy queries the IP Profiler's DNS server to see if the IP address is on the blocked list.

2. If the IP address is on the blocked list, IMSVA denies the connection request.

   If the IP address is not on the blocked list, IMSVA analyzes the email traffic according to the threshold criteria you specify for IP Profiler.

3. If the email traffic violates the criteria, IMSVA adds the sender IP address to the blocked list.

How SMTP Traffic Throttling Works

SMTP Traffic Throttling identifies IP addresses or sender addresses that deliver connection requests or email messages too frequently and blocks these addresses if they trigger specific rules. You can customize IP-based and sender-based throttling rules to monitor behaviors of all IP addresses and senders and take actions on them if necessary. The rule criteria include the duration to monitor, maximum number of connections or messages allowed, and block duration. The difference is that sender-based throttling does not allow you to specify the maximum number of connections while IP-based throttling does.

The following process takes place after IMSVA receives a connection request from a sending mail server or a sender:

1. SMTP Traffic Throttling records the number of connections from this IP address in the specified duration to monitor.

2. SMTP Traffic Throttling records the number of email messages from this IP address in the specified duration to monitor.

3. SMTP Traffic Throttling records the number of email messages from this sender in the specified duration to monitor.


4. When the number of connections or messages from this IP address reaches the threshold you set, SMTP Traffic Throttling will add this IP address to the Blocked List and block subsequent connections or messages from this IP address temporarily.

5. When the number of messages from this sender reaches the threshold you set, SMTP Traffic Throttling will add this sender to the Blocked List and block subsequent messages from this sender temporarily.
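The five throttling steps above, and the duration-plus-threshold criteria that IP Profiler also uses, as an added Python simulation that is not IMSVA's code. It assumes sliding-window counters over the rule's monitoring duration, a Blocked List keyed by IP or sender that records when the temporary block lapses, and the constructed rule values and traffic in demo(); sender-based rules carry no connection limit, as the text states.

```python
"""Simulation of IMSVA-style SMTP traffic throttling (added example, not the
product's code). Assumptions not stated in the guide: events carry a timestamp
in seconds, counters are sliding windows over the rule's monitoring duration,
and a Blocked List entry holds the time at which the temporary block lapses.
The rule values and traffic in demo() are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class IPRule:
    monitor_seconds: int
    max_connections: int
    max_messages: int
    block_seconds: int


@dataclass(frozen=True)
class SenderRule:
    monitor_seconds: int   # sender rules count messages only: no connection limit
    max_messages: int
    block_seconds: int


class Throttler:
    def __init__(self, ip_rule: IPRule, sender_rule: SenderRule) -> None:
        self.ip_rule = ip_rule
        self.sender_rule = sender_rule
        self._ip_conns: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_msgs: Dict[str, Deque[float]] = defaultdict(deque)
        self._sender_msgs: Dict[str, Deque[float]] = defaultdict(deque)
        # Blocked List: (kind, key) -> time at which the temporary block expires
        self.blocked_until: Dict[Tuple[str, str], float] = {}

    @staticmethod
    def _count(window: Deque[float], now: float, span: int) -> int:
        """Drop events older than the monitoring duration and return the count."""
        while window and window[0] <= now - span:
            window.popleft()
        return len(window)

    def is_blocked(self, kind: str, key: str, now: float) -> bool:
        expiry = self.blocked_until.get((kind, key))
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[(kind, key)]   # temporary block has lapsed
            return False
        return True

    def on_connection(self, ip: str, now: float) -> bool:
        """Step 1 and the connection part of step 4: True if the connection is accepted."""
        if self.is_blocked("ip", ip, now):
            return False
        window = self._ip_conns[ip]
        window.append(now)
        if self._count(window, now, self.ip_rule.monitor_seconds) >= self.ip_rule.max_connections:
            # Threshold reached: this connection goes through, subsequent ones are blocked.
            self.blocked_until[("ip", ip)] = now + self.ip_rule.block_seconds
        return True

    def on_message(self, ip: str, sender: str, now: float) -> Tuple[bool, str]:
        """Steps 2, 3, 4 and 5: count per IP and per sender, block once a threshold is reached."""
        if self.is_blocked("ip", ip, now):
            return False, "ip on Blocked List"
        if self.is_blocked("sender", sender, now):
            return False, "sender on Blocked List"
        notes = []
        ip_window = self._ip_msgs[ip]
        ip_window.append(now)
        if self._count(ip_window, now, self.ip_rule.monitor_seconds) >= self.ip_rule.max_messages:
            self.blocked_until[("ip", ip)] = now + self.ip_rule.block_seconds
            notes.append("ip message threshold reached")
        sender_window = self._sender_msgs[sender]
        sender_window.append(now)
        if self._count(sender_window, now, self.sender_rule.monitor_seconds) >= self.sender_rule.max_messages:
            self.blocked_until[("sender", sender)] = now + self.sender_rule.block_seconds
            notes.append("sender message threshold reached")
        return True, "; ".join(notes) or "accepted"


def demo() -> List[tuple]:
    """Constructed burst: one host connects too fast, one sender mails too often."""
    t = Throttler(IPRule(monitor_seconds=60, max_connections=3, max_messages=5, block_seconds=300),
                  SenderRule(monitor_seconds=60, max_messages=2, block_seconds=120))
    log = []
    for now in (0, 1, 2, 3):                        # four connections in four seconds
        log.append(("conn", "203.0.113.7", now, t.on_connection("203.0.113.7", now)))
    log.append(("conn", "203.0.113.7", 302, t.on_connection("203.0.113.7", 302)))  # block lapsed
    for now in (10, 11, 12):                        # one sender, three messages in three seconds
        log.append(("msg", "bulk@example.net", now, t.on_message("198.51.100.25", "bulk@example.net", now)))
    log.append(("msg", "other@example.org", 12, t.on_message("198.51.100.25", "other@example.org", 12)))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```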

About End-User Quarantine (EUQ)

IMSVA provides web-based EUQ to improve spam management. The web-based EUQ service allows end users to manage their own spam quarantine. Messages that Spam Prevention Solution (licensed separately from IMSVA), or administrator-created content filters, determine to be spam, are placed into quarantine. These messages are indexed into a database by the EUQ agent and are then available for end users to review and delete or approve for delivery.

About Centralized Reporting

To help you analyze how IMSVA is performing, use the centralized reporting feature. You can configure one time (on demand) reports or automatically generate reports (daily, weekly, and monthly). IMSVA allows you to send both one-time and scheduled reports through email.


    Chapter 3

Planning for Deployment

This chapter explains how to plan for IMSVA deployment. For instructions on performing initial configuration, see the Administrator’s Guide.

    Topics include:

    • Deployment Checklist on page 3-2

    • Network Topology Considerations on page 3-5

    • About Device Roles on page 3-13

    • About Device Services on page 3-13

    • Understanding POP3 Scanning on page 3-15

    • Opening the IMSVA Management Console on page 3-17

    • Setting Up a Single Parent Device on page 4-21

    • Setting Up a Child Device on page 4-39

    • Verifying Successful Deployment on page 4-41


    Deployment Checklist

The deployment checklist provides step-by-step instructions on the pre-installation and post-installation tasks for deploying IMSVA.

    Tick each task when it is completed. Tasks marked optional are not required.

    1. Deploy IMSVA with Cloud Pre-Filter

    • Deploy with Cloud Pre-Filter (optional). Reference: IMSVA Deployment with Cloud Pre-Filter on page 3-5

    2. Identify the location of IMSVA

    Select one of the following locations on your network where you would like to install IMSVA.

    • At the gateway. Reference: Deployment at the Gateway or Behind the Gateway on page 3-6

    • Behind the gateway. Reference: Deployment at the Gateway or Behind the Gateway on page 3-6

    • Without a firewall

    • In front of a firewall

    • Behind a firewall

    • In the De-Militarized Zone

    3. Plan the scope

    Decide whether you would like to install a single IMSVA device or multiple devices.

    • Single device installation. Reference: About Device Roles on page 3-13

    • Multiple IMSVA devices. Reference: About Device Roles on page 3-13

    4. Deploy or Upgrade

    Deploy a new IMSVA device or upgrade from a previous version.

    • Upgrade from a previous version. Reference: Upgrading from Previous Versions on page 5-1

    5. Start services

    Activate IMSVA services to start protecting your network against various threats.

    • Scanner. Reference: IMSVA Services section of the Administrator's Guide

    • Policy

    • EUQ (optional)

    6. Configure other IMSVA settings

    Configure various IMSVA settings to get IMSVA up and running.

    • Sender Filtering Rules (optional). Reference: Sender Filtering Service section of the Administrator's Guide

    • SMTP Routing. Reference: Scanning SMTP Messages section of the Administrator's Guide

    • POP3 Settings (optional). Reference: Scanning POP3 Messages section of the Administrator's Guide

    • Policy and scanning exceptions. Reference: Managing Policies section of the Administrator's Guide

    • Perform a manual update of components and configure scheduled updates. Reference: Updating Scan Engine and Pattern Files section of the Administrator's Guide

    • Log settings. Reference: Configuring Log Settings section of the Administrator's Guide

    7. Back up IMSVA

    Perform a backup of IMSVA as a precaution against system failure.

    • Back up IMSVA settings. Reference: Backing Up IMSVA section of the Administrator’s Guide


    Network Topology Considerations

    Decide how you want to use IMSVA in your existing email and network topology. The following are common scenarios for handling SMTP traffic.

    IMSVA Deployment with Cloud Pre-Filter

    Cloud Pre-Filter has no impact on how IMSVA should be deployed.

    Note

    Cloud Pre-Filter uses port 9000 as the web service listening port. This port must be open on the firewall for IMSVA to connect to Cloud Pre-Filter.

    However, when adding Cloud Pre-Filter policies you must change the MX records of the domain specified in the policy to the Cloud Pre-Filter inbound addresses. The address is provided at the bottom of the Cloud Pre-Filter Policy List screen. Click Cloud Pre-Filter in the IMSVA management console to display the Cloud Pre-Filter Policy List screen.

    Tip

    Trend Micro recommends adding IMSVA’s address to the domain’s MX records, and placing IMSVA at a lower priority than Cloud Pre-Filter. This allows IMSVA to provide email service continuity as a backup to Cloud Pre-Filter.
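    The MX layout recommended in the tip above, checked programmatically. This is an added example, not Trend Micro's code: the host names are constructed placeholders, and the record tuples stand in for what an MX lookup of the domain would return.

```python
"""Added example (not Trend Micro's code): a check that a domain's MX records
follow the Cloud Pre-Filter recommendation, i.e. the Cloud Pre-Filter inbound
address has the highest priority (lowest MX preference number) and IMSVA is
listed at a lower priority as the service-continuity backup."""


def _norm(host):
    # MX targets are case-insensitive and may carry a trailing dot.
    return host.lower().rstrip(".")


def check_mx_layout(mx_records, prefilter_hosts, imsva_hosts):
    """mx_records: list of (preference, target) tuples as returned by an MX
    lookup. prefilter_hosts: the inbound addresses shown on the Cloud
    Pre-Filter Policy List screen; imsva_hosts: the IMSVA device names (both
    are constructed placeholders below). Returns a list of findings; an empty
    list means the layout matches the recommendation."""
    by_host = {_norm(t): p for p, t in mx_records}
    pre = {_norm(h) for h in prefilter_hosts}
    ims = {_norm(h) for h in imsva_hosts}
    pre_prefs = [by_host[h] for h in pre if h in by_host]
    ims_prefs = [by_host[h] for h in ims if h in by_host]
    findings = []
    if not pre_prefs:
        findings.append("no Cloud Pre-Filter inbound address in MX: "
                        "inbound mail bypasses the cloud pre-filter")
    if not ims_prefs:
        findings.append("IMSVA not in MX: no service continuity if "
                        "Cloud Pre-Filter is unreachable")
    if pre_prefs and ims_prefs and min(ims_prefs) <= min(pre_prefs):
        findings.append("IMSVA preference %d is not lower priority than "
                        "Cloud Pre-Filter preference %d"
                        % (min(ims_prefs), min(pre_prefs)))
    # Any other host that sorts ahead of Cloud Pre-Filter (RFC 5321: the
    # lowest preference number is tried first) receives mail unfiltered.
    for host in sorted(set(by_host) - pre - ims):
        if pre_prefs and by_host[host] <= min(pre_prefs):
            findings.append("%s (preference %d) is tried before Cloud "
                            "Pre-Filter" % (host, by_host[host]))
    return findings


# Constructed sample records (placeholder names, not real Cloud Pre-Filter addresses).
PREFILTER = ["inbound.prefilter.example"]
IMSVA = ["imsva.example"]
MX_RECOMMENDED = [(10, "inbound.prefilter.example."), (20, "imsva.example.")]
MX_REVERSED = [(10, "imsva.example."), (20, "inbound.prefilter.example.")]
MX_LEFTOVER = [(5, "oldmail.example."), (10, "inbound.prefilter.example."),
               (20, "imsva.example.")]

if __name__ == "__main__":
    for name, records in [("recommended", MX_RECOMMENDED),
                          ("reversed", MX_REVERSED),
                          ("leftover", MX_LEFTOVER)]:
        print(name, check_mx_layout(records, PREFILTER, IMSVA) or "OK")
```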


    Deployment at the Gateway or Behind the Gateway

    Table 3-1. Common scenarios for handling SMTP traffic

    At the Gateway

    • Single device: The only setup if you plan to use Sender Filtering with the device. IMSVA is deployed at the gateway to provide antivirus, content filtering, spam prevention and Sender Filtering services, which include Network Reputation Services and IP Profiler. See Figure 3-1: Single IMSVA device at the gateway on page 3-7.

    • Multiple devices: The only setup if you plan to use Sender Filtering with at least one of the devices. You can enable or disable services on different devices. See the following:

      • Figure 3-3: IMSVA group at the gateway on page 3-8

      • Service Selection on page 3-14

    Behind the Gateway

    • Single device: The most common setup. IMSVA is deployed between upstream and downstream MTAs to provide antivirus, content filtering and spam prevention services. See Figure 3-2: Single IMSVA device behind the gateway on page 3-7.

    • Multiple devices: The most common group setup. IMSVA devices are deployed between upstream and downstream MTAs to provide antivirus, content filtering and spam prevention services. You can enable or disable services on different devices. See the following:

      • Figure 3-4: IMSVA group behind the gateway on page 3-8

      • Service Selection on page 3-14

    Trend Micro Control Manager scenario

    If you have multiple groups, you can use Trend Micro Control Manager (TMCM) to manage the devices.


    Figure 3-1. Single IMSVA device at the gateway

    Figure 3-2. Single IMSVA device behind the gateway


    Figure 3-3. IMSVA group at the gateway

    Figure 3-4. IMSVA group behind the gateway


    Installing without a Firewall

    The following figure illustrates how to deploy IMSVA when your network does not have a firewall.

    Figure 3-5. Installation topology: no firewall

    Note

    Trend Micro does not recommend installing IMSVA without a firewall. Placing the server hosting IMSVA at the edge of the network may expose it to security threats.


    Installing in Front of a Firewall

    The following figure illustrates the installation topology when you install IMSVA in front of your firewall.

    Figure 3-6. Installation topology: in front of the firewall

    Incoming Traffic

    • Configure IMSVA to reference your SMTP server(s) and configure the firewall to permit incoming traffic from the IMSVA server.

    • Configure the Relay Control settings to only allow relay for local domains.

    Outgoing Traffic

    • Configure the firewall (proxy-based) to route all outbound messages to IMSVA.

    • Configure IMSVA to allow internal SMTP gateways to relay to any domain through IMSVA.


    Tip

    For more information, see the Configuring SMTP Routing section of the IMSVA Administrator's Guide.

    Installing Behind a Firewall

    The following figure illustrates how to deploy IMSVA behind your firewall.

    Figure 3-7. Installation scenario: behind a firewall

    Incoming Traffic

    • Configure your proxy-based firewall, as follows:

      • Incoming SMTP messages go to IMSVA, and then to the SMTP servers in the domain.

    • Configure IMSVA to route messages destined for your local domain(s) to the SMTP gateway or your internal mail server.

    • Configure relay restriction to only allow relay for local domain(s).

    Outgoing Traffic

    • Configure all internal SMTP gateways to send outgoing messages to IMSVA servers.


    • If you are replacing your SMTP gateway with IMSVA, configure your internal mail server to send outgoing messages to IMSVA servers.

    • Configure IMSVA to route all outgoing messages (to domains other than local) to the firewall, or deliver the messages.

    • Configure IMSVA to allow internal SMTP gateways to relay to any domain using IMSVA.

    Tip

    For more information, see the Configuring SMTP Routing section of the IMSVA Administrator's Guide.

    Installing in the De-Militarized Zone

    You can also install IMSVA in the De-Militarized Zone (DMZ).

    Incoming Traffic

    • Configure your packet-based firewall.

    • Configure IMSVA to route email messages destined for your local domain(s) to the SMTP gateway or your internal mail server.

    Outgoing Traffic

    • Configure your internal mail server to route all outgoing messages (destined for domains other than the local domains) to the firewall or deliver them using IMSVA.

    • Configure all internal SMTP gateways to forward outgoing mail to IMSVA.

    • Configure IMSVA to allow internal SMTP gateways to relay to any domain through IMSVA.


    Tip

    For more information, see the Configuring SMTP Routing section of the IMSVA Administrator's Guide.

    About Device Roles

    IMSVA can act as a parent or child device. Parent and child devices compose a group, where the parent provides central management services to the child devices registered to it.

    • Parent: Manages child devices. If you are deploying a single IMSVA device, select parent mode during setup so that all IMSVA components are deployed.

    • Child: Managed by a single parent device and uses all global settings that you configure through the parent device’s management console.

    A group refers to a parent device with at least one child device registered to it.

    About Device Services

    You can enable different kinds of services on IMSVA devices.

    Parent-only services:

    • Admin user interface service (management console): Manages global settings.

    Parent and child services:

    • Policy service: Manages the rules that you configure.

    • Scanner service: Scans email traffic.

    • EUQ service: Manages End-User Quarantine, which allows your users to view their messages that IMSVA determined were spam.


    • Command Line Interface (CLI) service: Provides access to CLI features.

    A child device is functional only when it is registered to a parent.

    Service Selection

    You can enable different types of services on parent and child devices. For example, to increase throughput, add more child devices, enable all their services and allow the child devices to scan traffic and provide EUQ services.

    You can deploy IMSVA devices in a parent/child group in either deployment scenario. However, if you enable the scanner service on parent and child devices, you must use the same type of deployment for all devices in a single group. You cannot deploy some child devices at the gateway and others behind the gateway.

    In addition to the above SMTP-scanning scenarios, you might want IMSVA to scan POP3 traffic. See Understanding POP3 Scanning on page 3-15 for more information.

    Deployment with Sender Filtering

    Trend Micro Sender Filtering, which includes IP Profiler, Email Reputation and SMTP Traffic Throttling, blocks connections at the IP level.

    To use Sender Filtering, any firewall between IMSVA and the edge of your network must not modify the connecting IP address, as Sender Filtering is not compatible with networks using network address translation (NAT). If IMSVA accepts all SMTP connections from the same source IP address, for instance, Sender Filtering will not work, as this address would be the same for every received message and the sender filtering software would be unable to determine whether the original initiator of the SMTP session was a known sender of spam.
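    An added example (not Trend Micro's code) that serves two passages: the per-IP counting and temporary blocking described in SMTP Traffic Throttling steps 4 and 5, and the NAT incompatibility just described. The threshold, window, block duration, sender names and RFC 5737 addresses are constructed values for the simulation, not IMSVA defaults.

```python
"""Added example (not Trend Micro's code): a per-source-IP SMTP traffic
throttle of the kind described in SMTP Traffic Throttling steps 4 and 5,
run once with real sender addresses and once behind NAT to show why Sender
Filtering cannot work when every connection shares one source address."""
from collections import defaultdict, deque


class SmtpTrafficThrottle:
    """Sliding-window counter per source IP. When the count reaches the
    threshold, the IP is put on a temporary blocked list and subsequent
    connections are refused until the block expires. Threshold, window and
    block duration are constructed values for this example, not IMSVA
    defaults. Keying the same logic by envelope sender gives step 5."""

    def __init__(self, threshold=5, window=60, block_seconds=300):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.events = defaultdict(deque)  # ip -> recent connection times
        self.blocked_until = {}           # ip -> time the block expires

    def connection(self, ip, now):
        """Return True if the connection is accepted, False if blocked."""
        expires = self.blocked_until.get(ip)
        if expires is not None:
            if now < expires:
                return False              # still on the blocked list
            del self.blocked_until[ip]    # block expired: start counting afresh
            self.events[ip].clear()
        times = self.events[ip]
        times.append(now)
        while times and times[0] <= now - self.window:
            times.popleft()               # drop connections outside the window
        if len(times) >= self.threshold:  # threshold reached: block what follows
            self.blocked_until[ip] = now + self.block_seconds
        return True


def run_scenario(events, threshold=5):
    """events: constructed (time, real_sender, source_ip_seen_by_imsva) tuples.
    Returns {real_sender: {"accepted": n, "blocked": n}}."""
    throttle = SmtpTrafficThrottle(threshold=threshold)
    result = defaultdict(lambda: {"accepted": 0, "blocked": 0})
    for t, sender, ip in sorted(events, key=lambda e: e[0]):
        result[sender]["accepted" if throttle.connection(ip, t) else "blocked"] += 1
    return dict(result)


BULK, PARTNER = "bulk-sender", "partner-mta"
SCHEDULE = [(0, BULK), (1, BULK), (2, BULK), (2, PARTNER), (3, BULK),
            (4, BULK), (4, PARTNER), (5, BULK)]
# Without NAT, IMSVA sees each sender's own address (constructed RFC 5737 addresses).
DIRECT = [(t, s, "203.0.113.7" if s == BULK else "198.51.100.9") for t, s in SCHEDULE]
# Behind NAT, every connection arrives from the NAT device's single address,
# so the bulk sender's traffic and the partner's traffic share one counter
# and the partner is throttled along with the bulk sender.
NATTED = [(t, s, "192.0.2.1") for t, s in SCHEDULE]

if __name__ == "__main__":
    print("direct:", run_scenario(DIRECT))
    print("natted:", run_scenario(NATTED))
```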

    Understanding Internal Communication Port

    IMSVA supports multiple network interfaces. This means one IMSVA device may have multiple IP addresses. This introduces challenges when devices try to communicate using a unique IP address. IMSVA incorporates the use of an Internal Communication Port to overcome this challenge.

    • Users must specify one network interface card (NIC) as an Internal Communication Port to identify the IMSVA device during installation.

    • After installation, users can change the Internal Communication Port on the IMSVA management console through the Configuration Wizard or the command line interface (CLI).

    • In a group scenario, parent devices and child devices must use their Internal Communication Port to communicate with each other. When registering a child device to a parent device, the user must specify the IP address of the parent device’s Internal Communication Port.

    Tip

    Trend Micro recommends configuring a host route entry on each IMSVA device of the group to ensure that parent-child communication uses the Internal Communication Port.

    • IMSVA devices use the Internal Communication Port’s IP address to register to Control Manager servers. When users want to configure IMSVA devices from the Control Manager management console, the management console service on the Internal Communication Port needs to be enabled. By default, the management console service is enabled on all ports.

    Understanding POP3 Scanning

    In addition to SMTP traffic, IMSVA can scan POP3 messages at the gateway as your clients retrieve them. Even if your company does not use POP3 email, your employees might access personal, web-based POP3 email accounts, which can create points of vulnerability on your network if the messages from those accounts are not scanned.

    The most common email scanning deployments will use IMSVA to scan SMTP traffic, which it does by default. However, to scan POP3 traffic that your organization might receive from a POP3 server over the Internet, enable POP3 scanning.

    With POP3 scanning enabled, IMSVA acts as a proxy, positioned between mail clients and POP3 servers, to scan messages as the clients retrieve them.

    To scan POP3 traffic, configure your email clients to connect to the IMSVA server POP3 proxy, which connects to POP3 servers to retrieve and scan messages.

    Requirements for POP3 Scanning

    For IMSVA to scan POP3 traffic, a firewall must be installed on the network and configured to block POP3 requests from all computers except IMSVA. This configuration ensures that all POP3 traffic passes through the firewall to IMSVA and that only IMSVA scans the POP3 traffic.

    Note

    If you disable POP3 scanning, your clients cannot receive POP3 mail.

    Configuring a POP3 Client that Receives Email Through IMSVA

    To configure a POP3 client using a generic POP3 connection, configure the following:

    • IP address/Domain name: The IMSVA IP address or domain name

    • Port: IMSVA Generic POP3 port

    • Account: account_name#POP3_Server_Domain-name

    For example: user#10.18.125.168

    To configure a POP3 client using dedicated POP3 connections, configure the following:

    • IP address: The IMSVA IP address

    • Port: The IMSVA dedicated POP3 port

    • Account: account_name

    For example: user
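    The two account formats above, parsed the way a proxy in front of the POP3 servers would have to parse them. This is an added example, not Trend Micro's code; the allow-list of permitted upstream servers and the host-name validation are this example's own hardening, not IMSVA settings, and `pop.example.com` is a constructed name.

```python
"""Added example (not Trend Micro's code): parsing the POP3 user name a mail
client sends through the IMSVA POP3 proxy. With a generic POP3 connection the
target POP3 server follows '#'; with a dedicated connection only the account
is sent. The optional allow-list is this example's own hardening, not an
IMSVA setting."""
import ipaddress
import re

# One DNS label per component; internationalized names are out of scope here.
_HOSTNAME = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$", re.I)


def _valid_server(server):
    """Accept an IP address (v4 or v6) or a syntactically valid host name."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return _HOSTNAME.match(server) is not None


def parse_pop3_login(user_field, generic=True, allowed_servers=None):
    """Return (account, server). server is None for a dedicated connection,
    where IMSVA itself is configured with the upstream POP3 server.
    Raises ValueError for a malformed or disallowed generic login."""
    if not generic:
        return user_field, None
    # Split on the last '#', so an account name that itself contains '#'
    # still keeps the server part intact.
    account, sep, server = user_field.rpartition("#")
    if not sep or not account:
        raise ValueError("generic POP3 login must be account_name#POP3_Server")
    if not _valid_server(server):
        raise ValueError("invalid POP3 server in login: %r" % server)
    if allowed_servers is not None and server.lower().rstrip(".") not in allowed_servers:
        raise ValueError("POP3 server %s is not on the allow-list" % server)
    return account, server


def rejects(user_field, **kwargs):
    """True if parse_pop3_login raises ValueError for this input."""
    try:
        parse_pop3_login(user_field, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_pop3_login("user#10.18.125.168"))   # generic: ('user', '10.18.125.168')
    print(parse_pop3_login("user", generic=False))  # dedicated: ('user', None)
```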

    Opening the IMSVA Management Console

    You can view the IMSVA management console with a web browser from the server where you deployed the program, or remotely across the network.

    To view the console in a browser, go to the following URL:

    https://{IMSS}:8445

    where {IMSS} refers to the IP address or Fully Qualified Domain Name.

    For example: https://196.168.10.1:8445 or https://IMSS1:8445

    An alternative to using the IP address is to use the target server's fully qualified domain name (FQDN). To view the management console using SSL, type "https://" before the domain name and append the port number after it.

    The default logon credentials are as follows:

    • Administrator user name: admin

    • Password: imss9.1

    Type the logon credentials the first time you open the console and click Logon.

    WARNING!

    To prevent unauthorized changes to your policies, Trend Micro recommends that you set a new logon password immediately after deployment and change the password regularly.

    Note

    If you are using Internet Explorer (IE) to access the management console, IE will block the access and display a popup dialog box indicating that the certificate was issued from a different web address. Simply ignore this message and click Continue to this website to proceed.


    Chapter 4

    Installing IMSVA 9.1 Patch 3

    This chapter explains how to install IMSVA under different scenarios.

    Topics include:

    • System Requirements on page 4-2

    • Installing IMSVA on page 4-4

    System Requirements

    The following table provides the recommended and minimum system requirements for running IMSVA.

    Table 4-1. System Requirements

    Operating System: IMSVA provides a self-contained installation that uses a standard CentOS Linux operating system. This dedicated operating system installs with IMSVA to provide a turnkey solution. A separate operating system, such as Linux, Windows, or Solaris, is not required.

    Note

    IMSVA uses a 64-bit operating system. When installing a 64-bit OS on ESX/ESXi, you need to enter the BIOS and enable VT (Virtualization Technology).

    CPU

    • Recommended: 8-core Intel™ Xeon™ processor or equivalent

    • Minimum: dual-core Intel™ Xeon™ processor or equivalent

    Memory

    • Recommended: 8GB RAM

    • Minimum: 4GB RAM

    Disk Space

    • Recommended: 250GB

    • Minimum: 120GB

    Note

    IMSVA automatically partitions the detected disk space based on recommended Linux practices.

    Monitor: Monitor that supports 800 x 600 resolution with 256 colors or higher


    Additional Requirements and Tools

    The following table lists the minimum application requirements to access the CLI and management console interfaces and to manage IMSVA with Control Manager.

    Table 4-2. Minimum Software Requirements

    SSH communications application

    • System requirements: SSH protocol version 2

    • Remarks: To connect to the MANAGED port, use an SSH communications application. To adequately view the IMSVA CLI through an SSH connection, set the terminal window size to 80 columns and 24 rows.

    VMware™ ESX server

    • System requirements: VMware ESXi 5.0 Update 3, VMware ESXi 5.5 Update 2, or VMware ESXi 6.0

    • Remarks: To install IMSVA as a virtual machine, install IMSVA on VMware ESXi 5.0, VMware ESXi 5.5 or VMware ESXi 6.0.

    Hyper-V

    • System requirements: Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Microsoft Hyper-V Server 2008 R2 SP1, or Microsoft Hyper-V Server 2012 R2

    • Remarks: IMSVA supports Hyper-V on Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Microsoft Hyper-V Server 2008 R2 SP1, and Microsoft Hyper-V Server 2012 R2.

    Web browser

    • Internet Explorer™: Version 9.0, 10.0 or 11.0

    • Mozilla Firefox™: Version 45.0

    • Microsoft Edge™: Version 31

    • Remarks: To access the web console, which allows you to configure all IMSVA settings, use Internet Explorer 9.0 or above, Firefox 45.0 or above, or Microsoft Edge 31 or above. Using the data port IP address you set during initial configuration, enter the following URL: https://[IPAddress]:8445

    Java™ Virtual Machine

    • System requirements: Version 5.0 or later or SUN JRE 1.4+

    • Remarks: To view certain items in the web console, the computer must have JVM.

    PostgreSQL database

    • System requirements: Version 9.2

    • Remarks: The IMSVA admin database and EUQ database can be installed either on the internal or external database server.

    Trend Micro Control Manager

    • System requirements: Version 5.5 SP1 Patch 4 or later, Version 6.0 SP3 Patch 1 or later, or Version 7.0 or later

    • Remarks: Install Trend Micro Control Manager 6.0 SP3 Patch 1 hot fix build 3262 so that Data Loss Prevention policies can be deployed to IMSVA 9.1.

    Installing IMSVA

    IMSVA 9.1 supports upgrading only from IMSVA 9.0 and migrates existing configuration and policy data during the upgrade.

    The IMSVA installation process formats your existing system to install IMSVA. The installation procedure is basically the same for both a Bare Metal and a VMware ESX virtual machine platform. The Bare Metal installation boots off of the IMSVA installation DVD to begin the procedure, and the VMware installation requires the creation of a virtual machine before installation.

    WARNING!

    Any existing data or partitions are erased during the installation process. Back up any existing data on the system (if any) before installing IMSVA.

    Procedure

    1. Start the IMSVA installation.

    For system requirements, see System Requirements on page 4-2.


    • On a Bare Metal Server

    a. Make sure the Bare Metal server supports CentOS 6.4 x86_64.

    b. Insert the IMSVA Installation DVD into the DVD drive of the desired server.

    c. Power on the Bare Metal server.

    • On a VMware ESX Virtual Machine

    a. Create a virtual machine on your VMware ESX server.

    b. Start the virtual machine.

    c. Insert the IMSVA Installation DVD into the virtual DVD drive with any one of the following methods.

    • Insert the IMSVA Installation DVD into the physical DVD drive of the ESX server, and then connect the virtual DVD drive of the virtual machine to the physical DVD drive.

    • Connect the virtual DVD drive of the virtual machine to the IMSVA-9.1-xxxx-x86_64.iso file. The IMSVA-9.1-xxxx-x86_64.iso file is available at:

    http://www.trendmicro.com/download

    d. Restart the virtual machine by clicking VM > Send Ctrl+Alt+Del on the VMware web console.

    For both a VMware ESX Virtual Machine and a Bare Metal Server installation, a page appears displaying the IMSVA 9.1 Setup Wizard with the following options:

    • Fresh Install or version upgrade: Select this option to install IMSVA onto the new hardware or virtual machine or upgrade the existing IMSVA.

    • System recovery: Select this option to fix operating system errors and recover administrative passwords.

    • System memory test: Select this option to perform memory diagnostic tests.

    • Exit installation: Select this option to exit the installation process and to boot from the local disk.

    2. Select Fresh install or version upgrade.


    The License Agreement page appears.

    3. Click Accept to continue.


    A keyboard language selection screen appears.

    4. Select the keyboard language for the system, and then click Next.


    A screen appears for you to select your installation type.

    5. Select Fresh I