Email Security 9.0 Admin Guide

Anti-Virus

SonicWall Email Security Anti-Virus features protect from inbound email viruses and prevent your employees from sending viruses with outbound email. The Anti-Virus feature uses virus-detection engines to scan email messages and attachments for viruses, Trojan horses, worms, and other types of malicious content. Once Email Security has identified the email message or attachment that contains a virus, or is likely to contain a virus, you can determine how to manage the email message. The virus-detection engines receive periodic updates to keep them current with the latest definitions of viruses.

This chapter provides configuration information specific to the Anti-Virus feature. Topics include:

Inbound Anti-Virus Protection
Outbound Anti-Virus Protection (General Settings, Zombie Protection Settings, and Flood Protection)

Inbound Anti-Virus Protection

Anti-Virus protection can be configured on the inbound and outbound paths. You are able to define separate actions for Definite Viruses and Likely Viruses.

To configure Anti-Virus protection on the inbound path:
1
Navigate to the Anti-Virus page and select Inbound.

NOTE: If you have licensed more than one virus-detection engine, they all work in tandem.

2
From the Actions to take for Definite Viruses and Likely Viruses table, choose the action to take in response to a Definite Virus.

Actions to take for Definite Viruses and Likely Viruses

Response

Effect

No Action

No action is taken for messages.

Permanently Delete

The email message is permanently deleted.

CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.

Reject with SMTP error code 550

The message is rejected and the sending server receives a 550 error code, which indicates that the requested action was not taken because the mailbox is unavailable (for example, not found, no access, or rejected for policy reasons).

Store in Junk Box
(default setting)

The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.

Send To

Forward the email message for review to the specified email address. For example, you could Send To postmaster.

Tag With

The email is tagged with a term in the subject line, for example [VIRUS]. Selecting this option leaves the user in control of the email: the message is delivered, and the user can junk it if it is unwanted.

Add X-Header

This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header name. The second text field is the value of the X-Header.

For example, a header named X-EMSJudgedThisEmail with the value “Virus” results in the following email header:
X-EMSJudgedThisEmail:Virus

3
From the Actions to take for Definite Viruses and Likely Viruses table, choose the action to take in response to a Likely Virus. Change the text fields, if needed, to define the response appropriately.
4
In the Miscellaneous section, select the Allow Users to Unjunk Viruses check box to allow users to view messages containing viruses from the Junk Box.

The virus is removed before the user accesses the message. This setting allows both Definite Viruses and Likely Viruses to be unjunked.

5
Click Apply Changes.
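The Tag With and Add X-Header actions only mark a message; something downstream (a mailbox rule, a second filter, a SIEM parser) has to act on the mark. The following is an added example of such a downstream rule, written for this page and not code from the SonicWall guide or product. It uses the guide's own example values (the [VIRUS] subject tag and the X-EMSJudgedThisEmail: Virus header); the sample messages, the "Clean" value on the spoofed header, and the Inbox/Junk folder names are constructed for the example. It reads every instance of the header rather than the first one, because an external sender can pre-set an X-Header before the gateway adds its own.

```python
"""Downstream consumer for the Anti-Virus 'Tag With' and 'Add X-Header' marks.
Example code written for this page; not SonicWall Email Security code."""
from email import message_from_string

VERDICT_HEADER = "X-EMSJudgedThisEmail"   # header name used in the guide's example
VERDICT_VALUE = "Virus"                   # header value used in the guide's example
SUBJECT_TAG = "[VIRUS]"                   # 'Tag With' term used in the guide's example


def _base_headers():
    # Constructed sample envelope; addresses are placeholders.
    return "From: alice@example.com\r\nTo: bob@example.com\r\n"


# Constructed raw messages as a mailbox rule would see them after the gateway.
SAMPLES = {
    "clean": _base_headers() + "Subject: Invoice attached\r\n\r\nbody\r\n",
    "tagged": _base_headers() + "Subject: [VIRUS] Invoice attached\r\n\r\nbody\r\n",
    # Header field names are case-insensitive (RFC 5322); the parser handles that.
    "xheader": _base_headers()
    + "Subject: Invoice attached\r\nx-emsjudgedthisemail: Virus\r\n\r\nbody\r\n",
    # A sender pre-set the header to a benign value; the gateway then ADDED its own.
    "spoof_then_gateway": _base_headers()
    + "Subject: Invoice attached\r\n"
    + "X-EMSJudgedThisEmail: Clean\r\n"
    + "X-EMSJudgedThisEmail: Virus\r\n\r\nbody\r\n",
    # A sender pre-set the header; the gateway did not flag the message.
    "spoof_only": _base_headers()
    + "Subject: Invoice attached\r\nX-EMSJudgedThisEmail: Clean\r\n\r\nbody\r\n",
}


def gateway_flagged(raw):
    """True if the gateway's verdict header or subject tag is present.

    Only a positive verdict is acted on: a missing header or any other value
    is NOT treated as proof the message is clean, since headers that arrive
    from outside are sender-controlled.
    """
    msg = message_from_string(raw)
    # get_all, not get: act if ANY instance carries the verdict, whatever the order.
    for value in msg.get_all(VERDICT_HEADER, []):
        if value.strip().lower() == VERDICT_VALUE.lower():
            return True
    subject = (msg.get("Subject") or "").lstrip()
    return subject.upper().startswith(SUBJECT_TAG)


def route(raw):
    """Folder decision a mailbox rule would make (folder names are assumed)."""
    return "Junk" if gateway_flagged(raw) else "Inbox"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {route(raw)}")
```

Because an external sender can also pre-set the header to the positive value and push a harmless message into the Junk folder, a rule like this is only as trustworthy as the mail path: it should run behind a gateway that is the sole inbound route, so that every message carrying the header has actually passed the scan.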

Outbound Anti-Virus Protection

Use this page to guard your organization's outbound email from malicious viruses and against email that is likely to contain viruses.

General Settings

The general settings apply to all users.

To define the Action Settings:
1
Navigate to the Anti-Virus page and select the Outbound button.
2
From the Actions to take for Definite Viruses and Likely Viruses table, choose the action to take in response to a Definite Virus.


Actions to take for Definite Viruses and Likely Viruses

Response

Effect

No Action

No action is taken for messages.

Permanently Delete

The email message is permanently deleted.

CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.

Reject with SMTP error code 550

The message is rejected and the sending server receives a 550 error code, which indicates that the requested action was not taken because the mailbox is unavailable (for example, not found, no access, or rejected for policy reasons).

Store in Junk Box
(default setting)

The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.

Send To

Forward the email message for review to the specified email address. For example, you could Send To postmaster.

3
From the Actions to take for Definite Viruses and Likely Viruses table, choose the action to take in response to a Likely Virus.
4
Scroll down to the bottom of the page and select Apply Changes.

Zombie Protection Settings

Unauthorized software may be running on a computer within your organization and sending out junk email such as spam, phishing, viruses, or other unauthorized content. This can happen if a computer in your organization was compromised by a Trojan horse, or if a user downloaded something from the web that silently installed unauthorized software. Unauthorized programs that send out malicious content in this way are called Zombies or Spyware.

Email Security's Zombie and Spyware Protection technology brings the same high standard of threat protection available on the inbound email path to email messages leaving your organization through the outbound path.

To enable Zombie and Spyware Protection:
1
Navigate to the Anti-Virus page, and click on the Outbound tab.

2
Select the check box Enable Zombie and Spyware Protection.
3
Use the Monitoring for Zombie and Spyware Activity section to configure several alerts to notify the administrator. The following alerts can be sent:
Email is sent from an address not in LDAP
More than (specify number) messages are identified as possible threats (within the last hour)
More than (specify number) messages are sent by one user within the last hour

Zombie Protection Options describes the available Action and Miscellaneous Settings for the Zombie Protection feature.

Zombie Protection Options

Action

Description

Action for messages leaving your organization that are identified as spam, phishing attacks, or other threats

Select one of the following settings:

Allow Delivery—Allows the delivery of the message without interference.

Permanently Delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.

Store in Junk Box—Stores messages with potential threats in the outbound Junk Box.

 

Action for messages leaving your organization in which the “From” address is not in LDAP

Select one of the following settings:

Allow any “From” address—Allows messages from all email addresses. Note that this is the only option you are able to use if you have not configured LDAP.

Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.

Store in Junk Box—Stores messages from unknown senders in the Junk Box.

 

Activate/Deactivate Outbound Safe Mode preventing any dangerous attachments from leaving your organization

Outbound Safe Mode blocks all emails with potentially dangerous attachments from leaving your organization. When there is a new virus outbreak and one or more of your organization’s computers is affected, the virus can often propagate itself using your outbound email traffic. Outbound Safe Mode also minimizes the possibility of new virus outbreaks spreading through your outbound email traffic.

 

When Outbound Safe Mode is on, take this action for any message with dangerous attachments

If you have enabled Outbound Safe Mode, select one of the following actions when a message with dangerous attachments is received:

Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.

Store in Junk Box—Stores messages with dangerous attachments in the Junk Box.

 

Automatically turn Outbound Safe Mode on and alert administrators every 60 minutes that Safe Mode is on if

These settings do not take any action other than alerting the administrator of a potential zombie infection.

Select any of the check boxes to send an alert to the administrator if:

Email is sent from an address not in the LDAP (within the last hour)

More than (specify number) messages are identified as possible threats within the last hour

More than (specify number) messages are sent by one user within an hour

 

Specify senders that will not trigger alerts or actions

Enter email addresses in this box that you want exempt from Zombie Protection. (This list might include any email addresses that are not in LDAP and email addresses that are expected to send a lot of messages.)

 

Flood Protection

The Flood Protection feature supports Zombie Protection by automatically blocking specified users from sending outbound mail when it exceeds the specified Message Threshold.

To enable Flood Protection:
1
Navigate to the Anti-Virus page, and click the Outbound tab.
2
Scroll down to the Flood Protection section. Then, click the Enable Flood Protection check box.

3
Configure the following settings:
Message Threshold—Specify the number of outbound messages (1 to 10,000) that a single sender may send, then select the interval (in hours) from the drop-down list. Flood Protection activates when a sender exceeds that number of messages within the specified interval.
Alert sender when threshold is crossed—Enable this option to notify the sender that they have exceeded the organizational threshold. Note that, as a result, outbound email is affected.
Action on outbound message from Flood Senders—Select one of the following options to determine what action is taken on outbound messages from flood senders:
Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
Store in Junk Box—The message moves to the Junk Box and is flagged as ‘likely virus’ with the category name ‘flood_protection’. The administrator can unjunk the message, which is then delivered from the outbound path.
None—No action is taken; messages go through as usual.
Flood Protection Senders Exception List—Found under the Miscellaneous section; specify the list of outbound senders that are exempt from the Flood Protection rule.
Flood Senders List—Users that exceeded the Message Threshold are added to this table by email address, together with the time at which the sender was found exceeding the threshold. To remove a user from the Flood Senders List, select the check box next to the email address(es) you wish to remove, then click the Delete button.
4
When finished configuring the Flood Protection settings, click the Apply Changes button.
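The Zombie Protection alerts (sender not in LDAP, more than N threats in the last hour, more than N messages from one sender in the last hour) and the Flood Protection threshold are all sliding-window counts over the outbound stream, and the exception list short-circuits both. The following is an added example that models that logic over a constructed outbound log so the thresholds can be reasoned about before they are set; it is written for this page and is not SonicWall Email Security code. The log line format, the LDAP address set, the exception list, the thresholds, and the alert strings are all assumptions made for the example; only the rules themselves (exceed the count within the window, exception senders trigger nothing, flood senders stay listed until an administrator removes them) come from the guide.

```python
"""Sliding-window model of the Zombie Protection alerts and Flood Protection
threshold.  Example code written for this page; not SonicWall Email Security
code.  Log format, addresses and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound log: "<ISO timestamp> <sender> <recipient> <verdict>"
LOG_LINES = [
    "2024-03-01T09:00:00 alice@example.com r1@other.net clean",
    "2024-03-01T09:05:00 alice@example.com r2@other.net clean",
    "2024-03-01T09:10:00 alice@example.com r3@other.net clean",
    "2024-03-01T09:12:00 alice@example.com r4@other.net clean",      # 4th in 1 h
    "2024-03-01T09:15:00 mallory@example.com r5@other.net spam",     # not in LDAP
    "2024-03-01T09:17:00 mallory@example.com r6@other.net phishing",  # 2nd threat
    "2024-03-01T09:20:00 noreply@example.com r7@other.net clean",    # exempt
    "2024-03-01T11:30:00 alice@example.com r8@other.net clean",      # window expired
]

LDAP_ADDRESSES = {"alice@example.com", "bob@example.com", "noreply@example.com"}
EXCEPTIONS = {"noreply@example.com"}   # bulk sender on the exception list (assumed)


class OutboundMonitor:
    def __init__(self, threshold, interval_hours, ldap_addresses, exceptions,
                 threat_threshold):
        self.threshold = threshold                   # Flood Protection Message Threshold
        self.window = timedelta(hours=interval_hours)
        self.threat_threshold = threat_threshold     # "more than N threats in last hour"
        self.ldap = set(ldap_addresses)
        self.exceptions = set(exceptions)
        self.sent = defaultdict(deque)   # sender -> timestamps inside the window
        self.threats = deque()           # timestamps of non-clean verdicts, last hour
        self.flood_senders = {}          # sender -> time it crossed the threshold

    @staticmethod
    def _expire(queue, now, window):
        # Drop timestamps that have fallen out of the window (deque is time-ordered).
        while queue and now - queue[0] > window:
            queue.popleft()

    def observe(self, line):
        """Consume one log line; return the alerts it raises (possibly none)."""
        ts, sender, _recipient, verdict = line.split()
        now = datetime.fromisoformat(ts)
        alerts = []
        if sender in self.exceptions:       # exempt senders trigger nothing
            return alerts
        if sender not in self.ldap:
            alerts.append(f"not_in_ldap:{sender}")
        if verdict != "clean":
            self.threats.append(now)
            self._expire(self.threats, now, timedelta(hours=1))
            if len(self.threats) > self.threat_threshold:
                alerts.append(f"threat_rate:{len(self.threats)}")
        queue = self.sent[sender]
        queue.append(now)
        self._expire(queue, now, self.window)
        if len(queue) > self.threshold and sender not in self.flood_senders:
            self.flood_senders[sender] = now     # stays listed until an admin removes it
            alerts.append(f"flood:{sender}")
        return alerts

    def action(self, sender):
        """Action on outbound message from Flood Senders (Store in Junk Box assumed)."""
        return "Store in Junk Box" if sender in self.flood_senders else "Allow Delivery"

    def remove_flood_sender(self, sender):
        """The administrator's Delete button on the Flood Senders List."""
        self.flood_senders.pop(sender, None)


def run(lines):
    """Replay the constructed log; return (alerts per line, monitor)."""
    mon = OutboundMonitor(threshold=3, interval_hours=1,
                          ldap_addresses=LDAP_ADDRESSES, exceptions=EXCEPTIONS,
                          threat_threshold=1)
    return [mon.observe(line) for line in lines], mon


if __name__ == "__main__":
    per_line, mon = run(LOG_LINES)
    for line, alerts in zip(LOG_LINES, per_line):
        print(line.split()[1], alerts)
    print("alice action:", mon.action("alice@example.com"))
```

Two things the replay makes visible that the settings page does not: the last alice message at 11:30 raises nothing because her earlier messages have aged out of the one-hour window, yet her outbound mail is still junked, because the Flood Senders List is cleared only by an administrator; and the exception list suppresses the not-in-LDAP alert as well as the flood count, so a bulk sender placed there for convenience is also invisible to the zombie alerts.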