This article enumerates and explains the different scanning technologies in SMEX.
Administrators can choose the appropriate level of malware detection for the company’s security policy by configuring the scan engine. The following are the scanning technologies available in SMEX:
The Virus Scan Engine is the standard malware scan engine in ScanMail. This scan engine employs pattern matching and heuristic scanning technology to identify threats before malware can infect a system.
Advanced Threat Scan Engine (ATSE) performs aggressive heuristic scanning to check files for less conventional threats and conducts further observation on some detected files that might be safe. This scan engine enhances the features of Virus Scan Engine.
To enable ATSE:
- Go to the Security Risk Scan screen by navigating to one of the following:
- For Real-time scans: Security Risk Scan
- For Manual scans: Manual Scan > Security Risk Scan
- For Scheduled scans: Scheduled Scan > [Add or Edit] > Security Risk Scan
- Click the Target tab. The Target screen displays.
- Select Enable Advanced Threat Scan Engine.
- Select one of the following for security risk scan:
- All attachment files: ScanMail scans for viruses/malware, worms, Trojans, and other malicious code in all files except unscannable files. Unscannable files are password protected files, encrypted files, or files that exceed the user-defined scanning restrictions.
- IntelliScan: IntelliScan uses Trend Micro recommended settings to perform efficient scan.
- Specify file types: This option enables you to select the specific files you want to scan. The scan engine examines the file header rather than the file name to ascertain the actual file type. You can also select this to create a list of file extensions by selecting Specify file extensions.
- To scan the message body, select Scan message body.
- To use IntelliTrap technology, select Enable IntelliTrap.
- To scan for spyware/grayware, select Select All for Spyware/Grayware Scan or select from the list.
- Click Scan Restriction Criteria if performance improvement is required.
- Click Save.
Deep Discovery Advisor is a separately licensed product that gives a unique security visibility through Virtual Analyzer. SMEX integrates with Virtual Analyzer, which performs content simulation and analysis to identify the characteristics associated with different malwares. Virtual Analyzer checks if the attached files in messages contain exploit code.
Before configuring the Deep Discovery Advisor settings, select the Enable Advanced Threat Scan Engine option on the Security Risk Scan: Target screen. Then, enable the Exchange pickup folder to allow Deep Discovery Advisor integration.
To configure the Deep Discovery Advisor:
- Go to Deep Discovery Advisor.
- Select Send messages to Deep Discovery Advisor for analysis.
- Configure the Deep Discovery Advisor server connection settings:
- Type the Server name (in FQDN formats) or IP address (in IPv4 format).
- Type the Port number.
- Type the API key.
- Select Use a proxy to connect to the Deep Discovery Advisor server if ScanMail requires a proxy for server communication with Deep Discovery Advisor.
- Click the expand button to display the proxy settings.
- Type the server name or IP address of the proxy server and its port number.
- If your proxy server requires a password, type your user name and password.
- Click one of the following buttons:
- Register: Establishes the connection and enables sending messages to Deep Discovery Advisor.
- Test Connection: Verifies the connection settings to Deep Discovery Advisor but does not register ScanMail to the server.
- Select the traffic direction of the messages to analyze.
- Choose the recipients of the messages to analyze by searching and selecting AD Users/Groups/Contacts/Special Groups and adding them to the Selected Account(s) list.
- Select the attachment types to analyze. As application and executable files pose the greatest threats in respect to advanced threats, Trend Micro recommends only selecting to analyze these file types.
- Configure the Security Level settings for the messages and files to be analyzed.
- Security level: The security level determines the action to be performed on the messages and files analyzed and rated by the Deep Discovery Advisor. The available security level settings are: High, Medium, or Low. For messages and files with a rating that violates the configured security level, ScanMail performs the action configured for Advanced threats on the Security Risk Scan Actions tab (Security Risk Scan > Action).
- Maximum wait time for analysis ratings: Select the maximum amount of time to temporarily quarantine messages while Deep Discovery Advisor analyzes the risk of the message.
- Action on time out: Select the action that ScanMail performs on messages for which Deep Discovery Advisor did not return a rating within the configured wait time.