EVRY Security. Administrator's Guide

Transcription

1 EVRY Security Administrator's Guide

2 EVRY Security Administrator's Guide EVRY Security provides a variety of useful features within a user-friendly web console to manage the functions including whitelisting of sender domains, releasing an from quarantine and forensic search capability of logs. This document provides an detailed description of all features and settings enabling you to quickly and easily take advantage of WeCloud Security. EVRY Operating Status: Operating status: Administration: Parter Administration: Contact Information: Support: driftsenter@evry.com Date: Version:

3 The Overview 1. Domain selector - All logs and settings are domain specific so make sure that you have the correct domain selected Administration tabs 2.1. Overview - Quarantine and logs 2.2. Archive - Archived s (separate service) 2.3. Settings - Configuration options 2.4. Statistics Historical statistics 2.5. Logout Pre-defined filters 3.1. Quarantined - All s quarantined as spam for the domain 3.2. Admin Quarantine This quarantine contains s that are quarantined for other reasons than spam (note: Release of s from this quarantine requires domain or company admin rights) Delivered - All s (inbound and outbound) that has been delivered to the recipient server 3.4. Blocked - All s that has been blocked by the connection filters (see settings - Antispam for more info) 3.5. Failed - All s that has failed to be delivered to the recipient server Advanced filters and tools 4.1. Advanced Filter - This allows for advanced log searches across all types of s 4.2. Hold Queue - This contains all s that are queued for retry 4.3. Pending - This contains s that has been processed by the filter but hasn't been written to the log database yet

4 4.4. Release Selected - This tool allows you to select multiple s in the Quarantine and release them all at once (this is only available when the Quarantine is selected) 4.5. Export to csv - This allows you to export your current log search to a csv file (this will open a new tab in your browser)

5 Log Searches 1. Search options - This field allows you to define your search, the options available depends on what tool is selected in the left-hand menu. All options can be combined for granular searches. Please see the separate document on database searches for some guidelines on getting fast searches Wildcard search by checking this box Sender/Recipient/Subject are can be searched using partial addresses/subjects (this is only available in Advanced Filter, pre-filtered searches are automatically wildcard searches) 1.2. Sender The sending address 1.3. Recipient The recipient address 1.4. Subject The subject 1.5. Time ranges - Quick functions for defining a time frame for the search 1.6. Date from - Define the start date of the search 1.7. Date to - Define the end date of the search 1.8. Type - Define what type of you're searching for (this is only available in Advanced Filter) Search controls 2.1. Reset all search terms 2.2. Perform a search with the selected criterias 3. Search result Click any to get more detailed information (see details further on). Search results are shown using infinity scroll, so whenever the bottom of the result list is reached the service will collect more logs (20 at a time) The search result will be split up into days 3.2. Shows the status of the and also the country of origin of the sending server 3.3. Shows the time of the reaching WeCloud's servers 3.4. Shows the recipient address of the Shows the sending address of the (note: This is the envelope-sender) 3.6. Shows the subject of the

6 Quarantined details 1. Content selector 1.1. Shows the details and body of the Shows the headers of the Shows the audit logs for the 2. Status bar -This will either show that the is in quarantine or that the has been released (note: the released status is only visible until your server has accepted the released , then the is moved from the quarantine to the delivered logs) 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: this is only visible if the was delivered using TLS) Reason for quarantining the (the access to this depends on if your settings allow for content of the to be shown)

7 4. Content of the This will show the content of the in a safe text-only format (the access to this depends on if your settings allow for content of the to be shown) 5. Release functions 5.1. Enter the address to release the to (this will default to the original recipient) 5.2. Release the to the address specified in 5.1, this will automatically report the to WeCloud as a false positive

8 Delivered details 1. Content selector 1.1. Shows the details of the Shows the delivery logs for the Shows the audit logs for the 2. Status bar - This will show that the has been delivered 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: This is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: This is only visible if the was delivered using TLS) This shows the IP of the server that the has been delivered to This shows the response from the server the was delivered to

9 Blocked details 1. Content selector 1.1. Shows the details of the Shows the audit logs for the 2. Status bar - This will show why the was blocked 3. Message details 3.1. Subject of the (Note: This will be empty if the was blocked before the data of the was recieved) 3.2. Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the (Note: This will be shown as 0.0 kb if the was blocked before the data of the was recieved) 3.6. IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: This is only visible if the was delivered using TLS)

10 Failed details 1. Content selector 1.1. Shows the details of the Shows the delivery logs for the Shows the audit logs for the 2. Status bar - This will show that the delivery failed 3. Message details 3.1. Subject of the Recipient of the Sender of the (Note: this is the envelope-sender), click the drop-down to get a quickaccess to whitelist or blacklist the sender 3.4. The time the arrived in the filter 3.5. Size of the IP of the server sending the , click the drop-down to get a quick-access to whitelist or blacklist the sender 3.7. Country of origin of the server sending the , click the drop-down to get a quick-access to set actions based on the country of origin 3.8. WeCloud ID of the TLS info for the (Note: This is only visible if the was delivered using TLS) This shows the IP of the server that the has been delivered to This shows the response from the server the was delivered to

11 Archive 1. Domain selector - All archived s are indexed on the domain so make sure that you have the correct domain selected Archive tools 2.1. Restore Selected - This allows you to restore the selected s to the original recipients 2.2. Export to csv - This allows you to export your current log search to a csv file (this will open a new tab in your browser) Search options 3.1. Sender - Define parts of or a full sender address (any term entered will automatically start and end with wildcards) 3.2. Recipient - Define parts of or a full recipient address (any term entered will automatically start and end with wildcards) 3.3. Time ranges - Quick functions for defining a time frame for the search 3.4. Date from - Define the start date of the search 3.5. Date to - Define the end date of the search Search controls 4.1. Reset all search terms 4.2. Perform a search with the selected criterias 5. Search result - Any can be clicked to get more detailed information (see details further on). Search results are shown using infinity scroll, so whenever the bottom of the result list is reached the service will collect more logs (20 at a time) The search result will be split up into days 5.2. Shows the status of the and also the country of origin of the sending server 5.3. Shows the time of the reaching WeCloud's servers 5.4. Shows the recipient address of the Shows the sending address of the (note: This is the envelope-sender) 5.6. Shows the subject of the Shows the size of the

12 Archived details 1 Content selector 1.1 Shows the details of the 1.2 Shows the headers of the (the access to this depends on if your settings allow for content of the to be shown) 1.3 Shows the audit logs for the 1.4 Advanced tools Report the as a missed spam Open the original (the acces to this depends on if your archive settings allows for content of the to be shown) Download the original.eml file (the acces to this depends on if your archive settings allows for content of the to be shown) 2 Message details 2.1 Subject of the 2.2 Recipient of the 2.3 Sender of the (Note: this is the envelope-sender) 2.4 The time the arrived in the filter 2.5 Size of the 2.6 IP of the server sending the 2.7 Country of origin of the server sending the 2.8 WeCloud Archive ID of the 2.9 A list of the attached files in the (Note: This is only visible if there are attached files in the )

13 3 Content - This shows the content of the in a safe text-only format (the acces to this depends on if your archive settings allows for content of the to be shown) 4 Restore functions 4.1 Address part of the address to restore the to (this will default to the original recipient) 4.2 Domain part of the address to restore the to (this will be locked to the original domain) 4.3 Restore options

14 Settings menu 1. Overview of the functions activated 2. Antispam settings 3. QMS settings (Spam digest) 4. Antivirus settings 5. Inbound settings 6. Outbound settings 7. Archive options (these are read-only) 8. Custom lists for blocking and allowing s 9. Diagnostic tool for troubleshooting mailflow 10. Creating and editing Administrators 11. True Users is to define what addresses exists for the domain 12. Admin access to users quarantine zones and personal black-/whitelists 13. Interface settings 14. Define what domains should be controlled by a company profile 15. Change password for the current admin account

15 Overview Settings 1. Settings overview 1.1. AntiSpam status 1.2. QMS status 1.3. AntiVirus status 1.4. Archive status 1.5. True Users status 2. Entries overview 2.1. Number of administrators registered for the domain 2.2. Number of True Users addresses registered for the domain 2.3. Number of addresses/domains whitelisted for the domain 2.4. Number of addresses/domains blacklisted for the domain 2.5. Number of originating countries with a default action defined for the domain 2.6. Number of file extensions blocked for the domain 2.7. Number of IP addresses whitelisted for the domain 2.8. Number of IP addresses blacklisted for the domain 2.9. Number of addresses/domains bypassing the antivirus for the domain

16 Antispam Settings Save your changes - The changes takes effect immediately 2. Audit logs 3. First layer defense 3.1. HeloCheck - This will block s where the sending server does not give a proper FQDN in the initial server greeting 3.2. SPF engine - This will block any where the sending domain has a hardfail in their SPF and the sending server/ip is not included in the SPF record (Note: This needs to be enabled for the other SPF options to be functional, it is also required for the Protected Domains function) 3.3. Quarantine SPF softfail - This will quarantine any where the sending domain has a softfail in their SPF and the sending server/ip is not included in the SPF record 3.4. SPF Block Temperror This will block any s where the lookup of the sedners SPF Record causes temporary error 3.5. SPF Block permerror This will block any s where the resolve of the senders SPF Record causes a permanent error 3.6. Enable IP Reputation (RBL) - This checks if the sending IP is blacklisted and blocks s from blacklisted IPs 3.7. Block Mailer-demons - This will block mailer-daemon delivery reports 3.8. Quarantine Newsletters This will quarantine newsletters based on the presense of unsubscribe links the headers 3.9. Sender domain check - This checks if the sending domain is valid and otherwise blocks the

17 4. Content scanner options 4.1. Content scanner On/Off 4.2. Threshold for detecting spam based on content, the higher the threshold the "softer" the filter is, Wecloud do not recommend setting a higher score than 5 or lower than Action for s detected by the content engine. The options are: Quarantine - Quarantine the Tag Subject - Allow the but tag the subject with [SPAM] Tag Header - Allow the but tag it with an X-Header

18 QMS Settings 1. Save your changes - The changes takes effect immediately 2. Audit logs 3. QMS On/Off If On a spam digest will be sent out regularly according to the QMS settings 4. QMS Type This defines the format of the QMS report, the options are: notification This is a notification containing the number of new s in quarantine and a link to the online quarantine overview This is a notification containing a full list of the new s in quarantine (please see the separate QMS guide for an example) 5. QMS Interval This defines the interval of the QMS report, the options are: 1 day This schedules a daily QMS report 1 week This schedules a weekly QMS report 6. QMS Recipient If this field contains an address on your domain the QMS report for the domain will be sent to this address instead of personal QMS reports being sent to the end-users 7. QMS black/whitelist This defines if the end-users should be allowed to create personal black/whitelists within their quarantine portal (please see the separate QMS guide for more information)

19 Antivirus Settings 1. Save your changes - The changes takes effect immediately 2. Audit logs 3. Antivirus On/Off 4. Block nested zips On/Off If this is set to on the filter will block any s containing nested zips (a zipfile within a zipfile) 5. BMA On/Off Please see the section on BMA Enchanced Malware Analyzer for more information 6. Ignored BMA rules Tick the box for any rule in the current BMA set that you want to ignore for your flow

20 Inbound Delivery settings This is where you configure the server and port to use for the delivery of clean inbound s to your server. 1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect s in the hold que as well) 2. Audit logs 3. Delivery settings 3.1. Delivery server - The hostname or IP address that we should deliver your s to (Note: we recommend always using a hostname if possible) 3.2. Delivery port - The port which we should deliver s over, 25 is the default for SMTP, but we can do delivery over any port you specify 3.3. This will allow you to test the connectivity with your server

21 Inbound Routing settings This allows for third party integration with other services (for example, but not limited to, encryption services). The details of this is covered in a separate chapter of this guide. 1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect s in the hold que as well) 2. Delete settings - This will clear all routing configuration, this can take up to 20 minutes to take full effect (Note: changes here will affect s in the hold que as well) 3. Audit logs 4. Routing settings 4.1. Routing server - The hostname or IP address that we should reroute the s to (Note: we recommend always using a hostname if possible) 4.2. Delivery port - The port which we should route the s over 4.3. Enable relay On/Off - This defines if the routing rule is enabled or not 4.4. route Relay smime only - If set to On only s encrypted with smime will be sent over the relay 4.5. Enable archive - If set to On an additional copy of the will be stored after it is sent back to us from the external party (Note: this requires the domain to have archiving enabled)

22 Inbound Force TLS settings This allows you to set the default TLS behaviour for your inbound traffic, and also to add exceptions to that behaviour 1. Add exceptions - This allows you to add sender and/or recipient exceptions (more info below) 2. Save your changes - The changes takes effect immediately 3. Delete settings - This will remove all exceptions that are marked in section 6 (Note: Delete is only visible if you have one or more excetion selected) 4. Audit logs 5. Default setting - This is the defasult setting for the domain, if set to Off (Note: this is the recommended setting) all inbound s will use Opportunistic TLS except for the exceptions defined which will use Force TLS. If set the On all inbound s will have Force TLS except for the exceptions which will use Opportunistic TLS.

23 6. Exceptions 6.1. Senders - This will list exceptions based on the sending address/domain 6.2. Recipients - This will list exc eptions based on the recipient address/domain 6.3. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Senders - select Senders exceptions only Recipients - select Recipients exceptions only 6.4. Each exception will have a selection box to allow for deletion 6.5. This will list the exceptions

24 Inbound Force TLS settings Add exceptions 1. Sender exceptions - Enter any sending domains and/or addresses that should be an exception to the default TLS setting (Note: separate multiple entries with comma, tab, newline or semi-colon) 2. Recipient exceptions - Enter any recipient addresses that should be an exception to the default TLS setting (Note: separate multiple entries with comma, tab, newline or semi-colon) 3. Close without saving 4. Add the exceptions to your TLS configuration

25 Inbound Rewrite settings This will allow you to rewrite the recipient for specific inbound s 1. Add a new rule - More info below 2. Delete - This will delete the rules that are marked in section 4 (Note: Delete is only visible if you have one or more rule selected) 3. Audit logs 4. Rules - This will list the rules that you have configured 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. Each rule will have a selection box to allow for deletion This will list the sender value for the rule This will list the recipient value of the rule This will list the rewritten recipient value This will state if the original is discarded (i.e. If the is rerouted to the new recipient or if a copy is made) This will loist the priority of the rule (rules with lower priority has precedence over rules with higher priority) This allows you to edit a rule

26 Inbound Rewrite settings Add rule This will allow you to have the scanning service to insert custom headers on inbound s 1. Sender(s) Add one or more senders (addresses and/or domains) that the rule should be active for 2. Recipient(s) - Add one or more recipient addresses that the rule should be active for (Note: Leave this empty if you want the rule to be valid for the whole domain) 3. New recipient(s) - Add one or more recipient addresses and/or domains that the should be rerouted to (Note: The recipients need to be on one of the domains on your account). If domains are entered here the address part of the recipient will stay the same and only the domain part will be rewritten 4. Discard original Checking this box will create a reroute rule (the original recipient will not recieve the ) and leaving this box unchecked will create copies of the to the new recipient(s) but still deliver the to the original recipient 5. Close the window without saving changes 6. Add the rule to your rewrite configuration

27 Inbound Header settings This will allow you to have the scanning service to insert custom headers on inbound s 1. Add a new header More info below 2. Delete This will delete the header inserts that are marked in section 4 (Note: Delete is only visible if you have one or more header insert selected) 3. Audit logs 4. Header inserts This will list the Headers inserts that you have configured Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection This will list the Header key to be inserted This will list the value to be insterted for the Header key Each Header insert will have a selection box to allow for deletion 1. Key Enter the key to be added to the header 2. Value Enter the value to be added for the specified key 3. Close without saving 4. Save the setting

28 Inbound Notification settings Here you can configure in wich cases the user on your end should be notified when the filter blocks an addressed to the user. 1. Save your changes - The changes takes effect immediately 2. Audit logs 3. Quarantined by BMA This will generate a notification evry time an is put into quarantine by BMA 4. Blocked by BMA This will generate a notification evry time an is blocked by BMA 5. Blocked by RBL - This will generate a notification every time an is blocked because the sending IP is blacklisted 6. Blocked by Country - This will generate a notification every time an is blocked because the sending country has been blacklisted under Lists Countries 7. Blocked by IP - This will send a notification every time an is blocked because the sending IP has been blocked under Lists IP 8. Blocked by Antivirus - This will generate a notification every time an is blocked by the antivirus scanning 9. Blocked by File extension - This will generate a notification every time an is blocked due to containing files listed under Lists Fileextensions 10. Blocked by Nested Zip - This will generate a notification every time an is blocked due to nested zips being blocked under Antivirus settings

29 Outbound User settings SMTP authentication is one of the options to authenticate your outbound traffic trough the WeCloud scanning (this is suitable if you want the end-users to send s thorugh WeCloud directly from their clients or if you for example have a dynamic IP and still want to be able to send your s out via the service. Please note that this feature requires the communication to be protected by TLS and to use port Add user More info below 2. Delete This will delete the users that are marked in section 4 (Note: Delete is only visible if you have one or more users selected) 3. Audit logs 4. Users 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the users, domain users will be marked with a * (Note: A domain user is a user/password combination that can authenticate traffic for the whole domain) 4.3. This will allow you to send a new password to a user 4.4. Each user will have a selection box to allow for deletion

30 Outbound User settings Add user 1. User entries Enter the user(s) that should be created, separate multiple entries by using comma, tab, newline or semi-colon (Note: all users must be in the form of an address and the domain part needs to match the currently selected domain) 2. Notify user If this is checked an will be sent to the created user(s) with their password, if this is unchecked the password will instead be showed on screen when the user is created 3. Domain user If this is checked the user(s) will be allowed to authorize s for the whole domain (this is used when the authentication is setup on server level, if this is unchecked the user(s) created will only be allowed to authorize s sent from their own address (this is used when the authentication is setup on the end-user level 4. Close without saving 5. Save the settings

31 Outbound IP settings IP authentication is the preferred option to authenticate your outbound traffic trough the WeCloud scanning (this is the recommended setting as long as you have a static IP) 1. Add IP More info below 2. Delete This will delete the IPs that are marked in section 4 (Note: Delete is only visible if you have one or more IPs selected) 3. Audit logs 4. IPs 4.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 4.2. This will list the IPs 4.3. Each IP will have a selection box to allow for deletion

32 Outbound IP settings Add IP 1. Entries Enter the IPs to be added, miltiple entries should be separated by comma, tab, newline or semi-colon 2. Close without saving 3. Add my IP Add the IP that you are currently accessing the interface from to the Entries 4. Save the settings

33 Outbound Routing settings This allows for third party integration with other services (for example, but not limited to, encryption services). The details of this is covered in a separate chapter of this guide. 1. Save your changes - It can take up to 20 minutes for the changes to take full effect (Note: changes here will affect s in the hold que as well) 2. Delete settings - This will clear all routing configuration, this can take up to 20 minutes to take full effect (Note: changes here will affect s in the hold que as well) 3. Audit logs 4. Routing settings 4.1. Routing server - The hostname or IP address that we should reroute the s to (Note: we recommend always using a hostname if possible) 4.2. Delivery port - The port which we should route the s over 4.3. Enable relay On/Off - This defines if the routing rule is enabled or not 4.4. Enable archive - If set to On an additional copy of the will be stored after it is sent back to us from the external party (Note: this requires the domain to have archiving enabled)

34 Archiving Settings This will show the settings configured by Wecloud for your archive. These settings require an additional license and can not be changed by the customers administrator.

35 Lists Settings - Whitelist 1. Add Use this to add entries to the whitelist 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type (Note: You do not have to write complete addresses or domains when searching) 4. Audit logs 5. Total amount of entries 6. Entries 6.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains - selects all domains s - selects all addresses 6.2. This lists the addresses and/or domains in your whitelist 6.3. This shows the date and time that the entry was created 6.4. Each entry will have a selection box to allow for deletion

36 Lists Settings Blacklist 1. Add Use this to add entries to the blacklist 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type (Note: You do not have to write complete addresses or domains when searching) 4. Audit logs 5. Total amount of entries 6. Entries 6.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains - selects all domains s - selects all addresses 6.2. This lists the addresses and/or domains in your blacklist 6.3. This shows the date and time that the entry was created 6.4. Each entry will have a selection box to allow for deletion

37 Lists Settings - Countries This will allow you to set default actions based on the Geo-IP mapping we do on all sending IPs for inbound s. 1. Add More info below 2. Delete This will delete the entries that are marked in section 6 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Whitelisted - selects all whitelist entries Quarantined - selects all quarantine entries Blacklisted selects all blacklis entries 5.2. This lists the countries you have set default actions for 5.3. This shows the action for the listed countries 5.4. This allows you to edit the default action for the listed countries 5.5. Each entry will have a selection box to allow for deletion

38 Lists Settings Countries Add entry 1. Country Use the dropdown to select the country that you want to create a default action for 2. Action Use the dropdown to select the action for s from servers in the selected country, the options are: Whitelist Don't spam scan s from the selected country Blacklist Block all s from the selected country Quarantine Quarantine all s from the selected country 3. Close without saving 4. Save the entry

39 Lists Settings - Fileextensions This will allow you to block s containing specific files 1. Add More info below 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This lists the file extensions that will cause a block 5.3. Each entry will have a selection box to allow for deletion

40 Lists Settings Fileextensions - Add 1. Add fileblock This dropdown will give you access to different default groupings of file extensions, the options are: Programs This is a collection of executable files Scripts This is a collection of script files Shortcuts This is a collection of shortcut files Others This is a collection of other files you might wish to block Office This is a collection of office files All This will include all the predefined file sets above 2. Entries This is where you can add entries to block, multiple entries should be separated by comma, tab, newline or semi-colon 3. Close without saving 4. Save the entries

41 Lists Settings - IP This will allow you to blacklist or whitelist IPs or IP ranges 1. Add More info below 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Whitelisted selects all whitelist entries Blacklisted selects all blacklist entries 5.2. This lists the IPs 5.3. This will show if the IP is whitelisted or blacklisted 5.4. Each entry will have a selection box to allow for deletion

42 Lists Settings IP - Add This will allow you to blacklist or whitelist IPs or IP ranges 1. Action Use the dropdown to select if the IPs should be blacklisted or whitelisted 2. Entries Enter the IPs and/or IP ranges to add to the list, multiple entries should be separated by comma, tab, newline or semi-colon 3. Close without saving 4. Save the entries

43 Lists Settings Bypass AV This will allow you to whitelist senders in the antivirus scanner 1. Add Use this to add entries to the antivirus bypass list 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection Domains selects all listed domains s selects all listed addresses 5.2. This lists the addresses and/or domains 5.3. Each entry will have a selection box to allow for deletion

44 Lists Settings Domain Protection This will allow you add domain protection to specific domains (see separate chapter on Domain Protection for more details) 1. Add Use this to add entries to the domain protection list 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This lists the domains 5.3. Each entry will have a selection box to allow for deletion

45 Diagnostics This will allow you to run a simple diagnostics of your configuration 1. Run This will initiate the test 2. MX Record Check This will check the MX Records you have configured for the domain 2.1. Result of the test 2.2. This will show your configured MX Records 3. Delivery check This will test the connectivity to your server 3.1. Result of the test 3.2. This will list the server and port you have configured under your inbound settings 3.3. This will show a transcript of the communication test with your server

46 User Settings This will allow you to manage the administrators and user profiles for your account 1. User control 1.1. Add new user More info below 1.2. This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 1.3. This will enable the entries that are marked in section 5 (Note: Enable is only visible if you have one or more entries selected) 1.4. This will disable the entries that are marked in section 5 (Note: Disable is only visible if you have one or more entries selected) 2. Search box Use this to search for entries, the search result will show while you type 3. Audit logs 4. Total amount of entries 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This will list the name of the users 5.3. This will list the type of the user (Note: If the type is marked with a * the user also has a User Profile enabled) 5.4. This will list the address of the user (Note: The address is also the user name) 5.5. This will list the time and date of creation for the user 5.6. This will allow you to edit the settings for the user 5.7. Each entry will have a selection box to allow for deletion and enable/disable

47 User Settings Add User 1. Firstname 2. Lastname 3. address This will also be the username 4. Readonly Setting this to On will render the user unable to change anything in the interface (Note: This needs to be combined with one or more of the user rights in sections 5-7) 5. User profile Setting this to On will allow the user to have their settings separated from the domains settings (Note: This also means that the user will not get any changes to the settings made on a domain level) 6. Domain admin Setting this to On will allow you to select one or more of your domain that this user will get access to (Note: This type of user will not automatically get access to new domains that you add to the account) 7. Company admin Setting this to On will give the user access to all domains on your account (Note: This will automatically give the user access to new domains that are added to your account as well) 8. Notify user Setting this to On will send an with the login credentials to the user when created, setting this to Off will instead show the credentials on screen when the user is created (Note: We highly recommend setting this to Off and then ask the user to use the Forgot Password function on the login page so that no credentials are sent via ) 9. Close without saving 10. Save the entries

48 True Users settings This will allow you to specify what addresses are vaild for your domain (Note: If you specify addresses here WeCloud will only accept s for those addresses, s to any other recipients will be rejected) 1. Add Add one or more addresses to your list of true users 2. Delete This will delete the entries that are marked in section 5 (Note: Delete is only visible if you have one or more entries selected) 3. Search box Use this to search for entries, the search result will show while you type 4. Audit logs 5. Entries 5.1. Multi-selection tool for a quick selection of multiple items, the options are: All - selects all items None - deselects all selected entries Invert - inverts the selection 5.2. This will list the addresses registered as true users 5.3. Each entry will have a selection box to allow for deletion and enable/disable

49 Token Manager Any user that recieves a QMS report will automatically be created as a token user. The Token Manager allows an admin to login to the personal quarantine as the selected user in order to manage their quarantine and (if activated in the QMS settings) their black/whitelists 1. This will list all users created by the QMS system 2. This allows the administrator to login as the selected user This is not available to read only administrators (Note: The login will open a separate tab so the administrator will not be logged out from the administrator interface)

50 Interface Settings This will allow you to specify what timezone you want for your selected domain, and also what domain should be the default domain when logging into your account 1. Save your changes - The changes takes effect immediately 2. Audit logs 3. Timezone Use the dropdown to select the timezone for your domain (Note: This will control the timestamps in you logs and also the time of day that your QMS reports are sent out) 4. Default domain Use the dropdown to select what domain should be the default selected domain when you log into your account 5. Notify/QMS Language Use the dropdown to select the language for s generated by the system to your users

51 Company Profile settings By activating the Company Profile you can easily manage the settings for multiple of your domains by changing a single profile. If company Profile is activated a new option "Company Profile" becomes available in the domain selector and all changes of settings on the specified slave domains will be deactivated. Any settings on the slave domains will be overriden when the Company Profile is activated. The Company Profile controls the following settings for its slave domains: Antispam > All settings QMS > All settings Antivirus > all settings Inbound > Delivery, Routing, Inbound headers, Notification Outbound > IP, Routing, Outbound headers Archive > All settings Lists > All settings Interface > All settings 1. Enable This will enable the company profile according to your settings (Note: When you have a company profile active this will instead read Edit and allow you to change your settings to the profile) 2. Source domain Use the dropdown to select the source domain that the settings for the profile will be copied from (Note: even though only some settings are controlled by the profile, all settings will be copied from it and used as a foundation on any domain that you include in the profile) 3. Slave domain(s) This will allow you to select which domains your company profile should take control of (Note: All settings on these domains will be overwritten by the company profile settings) 4. Master domain The master domain selected in section 2 will automatically be selected

52 WeCloud 3rd party routing With WeClouds 3rd party routing function it is easy to combine WeClouds scanning with a wide range of 3rd party products (for example for encrypting/decrypting s). The WeCloud service can easily be configured to route inbound and/or outbound s via a 3 rd party product before they are sent to the recipient (see next page for a traffic overview). The routing settings are located in Settings Inbound Routing, for inbound routing, and Settings Outbound Routing, for outbound routing. 1. Save the current routing configuration (Please note that it can take up to 20 minutes for the changes to become active) 2. Delete the current routing configuration (Please note that it can take up to 20 minutes for the changes to become active) 3. Audit logs to track the changes to the routing configuration 4. The hostname or the IP of the server that s should be routed to 5. The target port that the s should be routed to 6. Enable or disable the routing configuration 7. Enable or disable Smime only routing. When set to off all s are sent via the route, when set to on only s encrypted with smime are sent via the route (Note: This is for inbound routing only) 8. Enable or disable archiving. When set to off s are only archived before the routing takes place, when set to off s are archived both before and after routing. (Please note that this requires a subscription to WeCloud Archiving feature)

53 WeCloud 3rd party routing - Traffic overview

54 Searching the database This is a guide on how the searches in WeCloud's system works. If your account with WeCloud has high volumes this document will help you understanding the logic behind the searches and also how to effectively search for s in our system. Definitions Indexed dataset This is the indexed selection that the string search will be applied to. The smaller this dataset is the faster the search will be. Final dataset This is the final selection after the string search has been applied. The larger this dataset is the faster the search will be. Please see next page for a definition on what filters alters what dataset

55 Filters A. Filters altering the Indexed dataset (these should be set as narrow as possible for a fast search) A1. Domain Selector This is where the domain for the search is selected (both inbound and outbound s will be searched) A2/A3. Mail Filters & Tools These are the pre-indexed actions for the s: Quarantined These s were marked up as spam by the content scanner Delivered These s were delivered to the recipient server Blocked These s were rejected by the filter Failed These s were rejected by the recipient server Advanced Filter This allows for searches without using the pre-indexed action Hold Queue These s are on retry in our system (we are having problems delivering them to the recipient server) Pending These are s that have been handled by the system but the logs are pending to be entered into the database A4. Time Frame This allows you to select the time frame for your search B. Filters altering the Final dataset (these should be set as wide as possible for a fast search) B1. Recipient The whole recipient address of the or parts of it B1. Sender The whole sending address of the or parts of it B1. Type The Action for the (this is not the same as a pre-indexed filter) B2. Subject The whole subject of the or parts of it

56 Log search The Basics The Indexed dataset defines the amont of logs that the search will go through to find the Final dataset. So if you for example have s being handled in the filter everyday and you do a 7 day search wihtout any other filter set for the Indexed dataset the search will go through logs to find the Final dataset. If, however, only 500 of those daily s are clean s that are being delivered you could minimize the Indexed dataset to s for the search to go through by setting the pre-indexed filter to delivered before searching. The search will go through the whole Indexed dataset to find the Final dataset (set by your search parameters), and the larger the Indexed dataset is and the smaller the Final dataset is the longer the search will take. Log search Infinity Scroll WeCloud's Infinity Scroll feature means that the system will return a search result as soon as 20 matching s have been found. For more results all you need to do is to scroll down to the bottom and a new set of logs will be collected. This means that the search only needs to run until 20 matches has been found. In other words a wider filter for the Final dataset will produce faster results than a narrow filter for the same. If we take our example above a search without pre-indexed filters had a Indexed dataset of s. If we set very specific search filters that will only generate one match that would mean that the search has to go through all s before it returns a result (as it needs to make sure that no more matches are found). If, however, we instead widen the filters so that the search would result in 20+ matches we would get the initial result faster since that would be returned as soon as the first 20 matches are found. Log search The Logic So in other words, the smaller the Indexed dataset is the smaller the amount of s the search goes through is (this will result in a fast complete search time). And the wider the filters (the non pre-indexed filters) are set, the faster we will start getting results from the searches. Log search Conclusion Try to minimize the Indexed dataset as much as possible (if you know that the you're looking for is 2 days old, there's really no meaning to search 7 days back for example). If a search is taking a long time for you try widening the filters (for an inbound you could for example search on the recipient address instead of the sending address). On a domain with little traffic you probably won't need to take any precautions, but if you have several thousands of s you might want to consider your tactics when searching the filter in order to get your results faster (looking through millions of s for one single match is a bit like finding a needle in a haystack).

57 Heuristic Phishing Protection You might have seen one or more s blocked by WeCloud's Anti Virus engine with the following explanation: Contains virus: Heuristics.Phishing. .SpoofedDomain Since the description might be a bit cryptic this document will breakdown what this means and how this part of the protection works. In our systems we have a number of domains listed as protected. These are domains that are frequently abused on a global scale when it comes to Phishing attempts. In this specific case I'll use americanexpress.com as an example. So, let's say that an circulates where the content looks as follows. Of course American Express wouldn't send an like this out, but the scammers know that many unaware end-users might actually follow the link believing that the communication is from American Express. A mouse-over shows that the link doesn't go to the correct website at all.

58 In this case a spamfilter might have problems with this type of if the following applies: 1. The sending address isn't spoofed (the spoof is only in the From: Header) 2. The sending IP isn't blacklisted 3. The true target link isn't classified as bad (the website isn't known as hacked or perhaps a Google form is used) 4. The content is too generic to be classified as spam or too new to have been seen before by the filter Whenever a protected domain is visible in the link WeCloud will check the visible domain with the actual domain that the link leads to, in order to check if this is a scam or not. To illustrate this a simplified version of a hyperlink is shown below. 1. This is the link that is visible to the end-user 2. This is the actual target of the link If part 1 above contains a domain protected by WeCloud's Phishing engine, the filter will check and make sure that the same domain is the target in part 2. If these two do not match then the filter will block the with the reason Contains virus: Heuristics.Phishing. .SpoofedDomain Please note that this is only in effect for the domains identified as protected and not for all hyperlinks.