Kaspersky Anti-Virus 8.0 for Lotus Domino Administrator's Guide

Transcription

1 Kaspersky Anti-Virus 8.0 for Lotus Domino Administrator's Guide APPLICATION VERSION: 8.0 MAINTENANCE PACK 2

2 Dear User, Thank you for choosing our product. We hope that this documentation will help you in your work and provide answers to most of your questions regarding this software product. Warning! This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation, and by international treaties. Illegal reproduction or distribution of this document or parts hereof will result in civil, administrative, or criminal liability under applicable law. Any type of reproduction or distribution of any materials, including translations, is allowed only with the written permission of Kaspersky Lab. This document and graphical images related to it may be used exclusively for informational, non-commercial, and personal purposes. This document is subject to change without prior notice. For the latest version of this document please refer to Kaspersky Lab's website at Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any third-party materials used in this document, or for any potential damages associated with the use of such documents. Last revised: 07/04/ Kaspersky Lab ZAO. All Rights Reserved

3 CONTENTS ABOUT THIS GUIDE... 6 In this document... 6 Document conventions... 9 SOURCES OF INFORMATION ABOUT THE APPLICATION Sources of information to research on your own Contacting the Sales Department Contacting the Technical Writing and Localization Unit KASPERSKY ANTI-VIRUS 8.0 FOR LOTUS DOMINO What's new Distribution kit Hardware and software requirements APPLICATION ARCHITECTURE About Kaspersky Anti-Virus functional modules About Kaspersky Anti-Virus databases Anti-Virus server protection layout Application operation layout Attachment filtering algorithm Anti-virus scanning for threats algorithm Processing objects and actions taken on them Managing Kaspersky Anti-Virus settings Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file MANAGING USER PRIVILEGES Managing privileges at the ACL level of the Kaspersky Anti-Virus databases Functional group privileges Granting functional group privileges to users Managing privileges at the level of profile / server settings APPLICATION LICENSING About the license agreement About the License About the key file Applying a key file Downloading a key file via the Lotus Notes client or web browser Downloading a key file via the Lotus Domino server console APPLICATION INTERFACE Accessing the Control Center database Layout of Control center window Protection management tab Viewing and editing profile settings Viewing and editing server settings Event log and statistics tab Help tab

4 A D M I N I S T R A T O R ' S G U I D E STARTING AND STOPPING THE APPLICATION SERVER PROTECTION STATUS DEFAULT SERVER PROTECTION DATABASE UPDATES Obtaining information about anti-virus databases Anti-virus database update sources Ways to update anti-virus databases Selecting an update source Scheduled updates Manual updates MAIL PROTECTION Mail protection algorithm Enabling and disabling mail protection Selecting mail protection objects Actions on mail objects Configuring actions to take on mail objects Configuring mail attachment filter settings REPLICATION PROTECTION Replication protection algorithm Enabling and disabling replication protection Selecting replication protection objects Actions objects in replication protection mode Configuring actions on objects in replication protection mode Configuring the filtering of attachments in replication protection mode SCANNING DATABASES Database scanning algorithm Enabling and disabling database scanning Selecting database objects to be scanned Actions on objects in database scanning mode Configuring actions on objects in database scanning mode Configuring attachment filtering in database scanning mode Scheduled scanning of databases Manual scanning of databases CONFIGURING PERFORMANCE SETTINGS QUARANTINE About the Quarantine database Viewing quarantined objects Actions on quarantined objects Configuring Quarantine EVENT LOG AND STATISTICS About the Event log and statistics database Configuring the Event log Configuring the statistics settings Viewing the Event log and statistics database Viewing general Event log and statistics

5 C O N T E N T S Event log Statistics Viewing the Event log for a server Deleting information from the Event log and statistics database NOTIFICATIONS CONFIGURATION MANAGEMENT Creating and deleting profiles Designating profile administrators Designating server administrators Moving a server to another profile Configuring individual server settings REMOTE MANAGEMENT OF KASPERSKY ANTI-VIRUS VIA A WEB BROWSER CHECKING APPLICATION SETTINGS EICAR test file and its modifications Testing mail protection Testing replication protection Testing database scanning USING THE SERVER CONSOLE CONTACTING TECHNICAL SUPPORT Ways to receive technical support Technical Support by phone Getting technical Support via Kaspersky CompanyAccount GLOSSARY KASPERSKY LAB INFORMATION ABOUT THIRD-PARTY CODE TRADEMARK NOTICES INDEX

6 ABOUT THIS GUIDE This document is the Administrator's Guide for Kaspersky Anti-Virus 8.0 for Lotus Domino (hereinafter also referred to as Kaspersky Anti-Virus). The Guide is intended for technical specialists who carry out the installation and administration of Kaspersky Anti-Virus and provide support for organizations that use Kaspersky Anti-Virus. Information about installing Kaspersky Anti-Virus is provided in the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide. This Guide is intended to: Explain how to install and use Kaspersky Anti-Virus. Provide a readily searchable source of information for questions related to operation of Kaspersky Anti-Virus. Describe additional sources of information about the application and ways of receiving technical support. IN THIS SECTION In this document...6 Document conventions...9 IN THIS DOCUMENT The Administrator's Guide for Kaspersky Anti-Virus 8.0 for Lotus Domino includes the following sections: Sources of information about the application (see page 10) This section lists the sources of information about the application. Kaspersky Anti-Virus 8.0 for Lotus Domino (see page 12) This section lists the primary functions of Kaspersky Anti-Virus 8.0 for Lotus Domino and describes how Kaspersky Anti- Virus 8.0 for Lotus Domino differs from the previous version of the application. This section specifies the minimum computer hardware and software requirements for installation and operation of Kaspersky Anti-Virus, describes the contents of the distribution kit and the range of services available to registered users of the application. Application architecture (see page 17) This section outlines how Kaspersky Anti-Virus operates and provides information about managing application settings. Managing user privileges (see page 24) This section describes how to manage user privileges. 6

7 A B O U T T H I S G U I D E Application licensing (see page 27) This section covers application licensing and activation and provides instructions for adding and removing a Kaspersky Anti-Virus key file. Application interface (see page 31) This section describes the main elements of application GUI that are used to manage the application via the Lotus Notes client and web browser. Starting and stopping the application (see page 38) This section describes how to start and stop the application on the server and how to connect to the server in order to configure application settings. Server protection status (see page 39) This section describes how to determine the protection status of a server and how to enable or disable individual antivirus protection components. Default server protection (see page 40) This section describes how Kaspersky Anti-Virus operates with default settings. Database update (see page 42) This section describes how to configure database update settings for a single server or a group of servers, which update sources can be used, and how to start an anti-virus database update manually or based on a schedule. This section also describes the ways to update Kaspersky Anti-Virus deployed on one or several servers. Mail protection (see page 48) This section describes how to enable or disable mail protection for a Lotus Domino server, how to select objects to be scanned, how to configure the filtering of attachments, and how to configure objects processing based on anti-virus scan results. Replication protection (see page 53) This section describes how to enable or disable replication protection, how to select replication objects for scanning, how to configure filtering of attachments, and how to configure the processing of replication objects after an anti-virus scan. Database scanning (see page 57) This section describes how to enable or disable database scanning, how to select database objects for anti-virus scanning, how to configure filtering of attachments, how to configure the processing of database objects after an antivirus scan, and how to configure scan settings. Configuring performance settings (see page 64) This section describes the settings that determine application performance and how to configure them. Quarantine (see page 65) This section describes how to view quarantined objects, how to configure the processing of quarantined objects, and how to configure quarantine settings. 7

8 A D M I N I S T R A T O R ' S G U I D E Event log and statistics (see page 69) This section describes how to configure the Event log and statistics settings and how to view the Event log and statistics database (information for one server and general information about all servers). Notifications (see page 77) This section describes how to configure the settings of notifications about dangerous objects detected during scanning. Configuration management (see page 79) This section describes how to add or delete profiles, how to move a server to a different profile, and how to configure server settings. Remote management of Kaspersky Anti-Virus via a web browser (see page 84) This section describes how to manage the protection settings and the primary application tasks on protected Lotus Domino servers via a web browser. Checking application settings This section describes the algorithm for checking the application settings for each protection component using the EICAR test file and its modifications. Using the server console (see page 88) This section describes how to manage Kaspersky Anti-Virus and its components using the command line via the Lotus Domino server console. Contacting Technical Support (see page 90) This section contains instructions for contacting Kaspersky Lab support. Glossary This section lists the terms used in the guide. Kaspersky Lab ZAO (see page 94) This section provides information about Kaspersky Lab. Information about third-party code (see page 95) This section provides information about third-party codes used in the application. Trademark notices This section lists trademarks of third-party vendors that are used in the document. Index You can use this section to find information easily in the document. 8

9 A B O U T T H I S G U I D E DOCUMENT CONVENTIONS The text herein is accompanied by semantic elements that should be given particular attention warnings, hints, and examples. Document conventions are used to highlight semantic elements. The following table shows document conventions and examples of their use. Table 1. Document conventions SAMPLE TEXT Note that... You are recommended to use... Example: DESCRIPTION OF DOCUMENT CONVENTION Warnings are highlighted in red and enclosed in frames. Warnings contain information about potential threats that may cause loss of data, hardware or operating system malfunctions. Notes are enclosed in frames. Notes may contain helpful hints, recommendations, specific values for application preferences, or noteworthy particular use cases. Examples are given against a yellow background under the "Example" heading.... An update is... The Databases are out of date event occurs. Press ENTER. Press ALT+F4. Click the ENABLE button. To configure the task schedule: In the command line, type help. The following message appears: Specify the date in dd:mm:yy format. <User name> The following semantic elements are italicized in the text: New terms Names of application statuses and events Names of keyboard keys appear in bold and are capitalized. Names of keys linked with a + (plus) sign indicate key combinations. Those keys must be pressed simultaneously. Names of application interface elements, such as text boxes, menu items, and buttons, are set off in bold. Introductory phrases of instructions are italicized and accompanied by the arrow sign. The following types of text content are set off with a special font: Text in the command line Text of messages that the application displays on the screen Data that the user must enter Variables are enclosed in angle brackets. Instead of a variable, the corresponding value should be inserted, with angle brackets omitted. 9

10 SOURCES OF INFORMATION ABOUT THE APPLICATION This section describes sources of information about the application and lists websites that you can use to discuss usage of the application. You can choose the most suitable of them, depending on the importance and urgency of your request. IN THIS SECTION Sources of information to research on your own Contacting the Sales Department Contacting the Technical Writing and Localization Unit SOURCES OF INFORMATION TO RESEARCH ON YOUR OWN You can use the following sources of information to research on your own: Page at the Kaspersky Lab website; Application page at the Technical Support website (Knowledge Base); Online help; Documentation. If you cannot find a solution for your issue, we recommend that you contact Kaspersky Lab Technical Support (see section "Technical support by phone" on page 90). An Internet connection is required to use information sources on the Kaspersky Lab website. Kaspersky Lab website The Kaspersky Lab website features an individual page devoted to each application. You can view general information about the application, its functions, and its features on the web page ( A link to estore is available on the website. There you can purchase the application or renew your license. Application page at the Technical Support website (Knowledge Base) Knowledge Base is a section of the Technical Support website that contains recommendations on how to use Kaspersky Lab applications. Knowledge Base comprises help articles that are grouped by topics. On the page of the application in the Knowledge Base ( you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the application. 10

11 S O U R C E S O F I N F O R M A T I O N A B O U T T H E A P P L I C A T I O N The articles may contain answers to questions related not only to Kaspersky Anti-Virus, but to other Kaspersky Lab products too, as well as general Technical Support news. Online help Online help contains information on how to manage server protection: how to view protection status information, configure protection settings, enable and disable protection components, start a database scan and update anti-virus databases manually. To open online help, select the Help tab in the window of the Control center database. Documentation The application distribution kit includes documents that help to install and activate the application on local area network computers, configure application settings, and find tips on using the application. The Deployment Guide helps the administrator to plan deployment of the application on the network. The document contains practical recommendations on how to install, set up or delete the application on one server or on all protected servers in the network. The Administrator's Guide provides instructions for managing the application and configuring application settings. This document also describes how to manage the protection of a standalone server or a group of servers via the Lotus Notes client, the application web interface, or the Lotus Domino server console. CONTACTING THE SALES DEPARTMENT If you have any questions on how to select, purchase, or renew the application, you can contact our Sales Department specialists in one of the following ways: By calling our HQ office in Moscow by phone ( By sending a message with your question to sales@kaspersky.com. Our specialists speak English and Russian. CONTACTING THE TECHNICAL WRITING AND LOCALIZATION UNIT To contact the Technical Writing and Localization Unit, send an . Please use "Kaspersky Help Feedback: Kaspersky Anti-Virus 8.0 for Lotus Domino" as the subject of your message. 11

12 KASPERSKY ANTI-VIRUS 8.0 FOR LOTUS DOMINO Kaspersky Anti-Virus 8.0 for Lotus Domino provides comprehensive anti-virus protection for Lotus Domino servers. Kaspersky Anti-Virus protects traffic and replications and scans databases stored on the server. Kaspersky Anti-Virus is installed on servers running under Microsoft Windows and Linux operating systems. The application performs the following functions: Scanning all incoming, outgoing and routed messages on the Lotus Domino server. The following objects are scanned for threats: Message text; Files attached to messages; OLE objects embedded in messages. Kaspersky Anti-Virus detects malware objects inside attached archives and packed.exe files, except passwordprotected archives. The application scans documents that are hosted on the protected server and modified as a result of replication. Outgoing replications are not scanned. The following objects are scanned for threats: Field contents in Rich Text format; Field contents in MIME format; Files attached to a document; OLE objects embedded in documents. Scans of databases on the protected Lotus Domino server are performed by schedule or on demand. The following objects are scanned for threats: Field contents in Rich Text format; Field contents in MIME format; Files attached to a document; OLE objects embedded in documents. Objects are filtered by size and name mask when scanning messages, replications and databases. Filtered objects are processed according to rules set by the administrator. The application processes infected, potentially infected and not scanned objects detected while scanning messages, replicated documents and database documents. Depending on the protection / scan settings, Kaspersky Anti-Virus cures, deletes or skips the object, notifies administrators of detected threats and processing results, and saves statistical information. Senders and recipients of messages, as well as administrators, are notified about infected, potentially infected and not scanned objects that have been detected in messages and actions taken on them. Kaspersky Anti-Virus notifies administrators about dangerous objects detected when scanning replicated documents and database documents and about actions taken on them. 12

13 K A S P E R S K Y A N T I - V I R U S 8. 0 F O R L O T U S D O M I N O The application saves scanned documents in the Quarantine database. Saved messages, documents detected during replication scanning, and also documents detected during database scanning are grouped by type (mail / replications / database scans). The application saves information about infected, potentially infected, protected, and not processed objects and actions taken on them. Information is saved in the Event log and statistics database and also displayed in the console of a Lotus Domino server. Information can be also saved to a text file (this option is disabled by default). Anti-virus databases are updated via the Internet both automatically and manually. FTP and HTTP update servers of Kaspersky Lab, FTP and HTTP servers containing update packages, and network catalogs can serve as update resources. Managing Kaspersky Anti-Virus installed on several servers using profiles. Access to Kaspersky Anti-Virus settings and control is restricted at the server and profile level. Managing Kaspersky Anti-Virus via the Lotus Notes client, Lotus Domino console server and web browser. The application can be installed or removed via the Lotus Notes client or web browser. IN THIS SECTION What's new Distribution kit Hardware and software requirements WHAT'S NEW Kaspersky Anti-Virus 8.0 for Lotus Domino supports the Lotus Domino 9.0 and Lotus Domino 9.01 platforms. DISTRIBUTION KIT You can purchase the application in one of the following ways: Boxed. Distributed via stores of our partners. At the estore. Distributed at online stores of Kaspersky Lab (for example, estore section) or via partner companies. If you purchase the boxed version of the application, the distribution package contains the following items: sealed sleeve with the setup CD, which contains application files and documentation files; brief User Guide with an activation code; The End User License Agreement that stipulates the terms on which you can use the application. The contents of the distribution kit can vary from region to region. If you purchase Kaspersky Anti-Virus at an online store, you copy the application from the website of the store. Information needed to active the application, including the activation code, will be ed to you when you complete payment. For more details on ways of purchasing the application and the distribution kit, contact the Sales Department by sending a message to sales@kaspersky.com. 13

14 A D M I N I S T R A T OR' S G U I D E HARDWARE AND SOFTWARE REQUIREMENTS To ensure Kaspersky Anti-Virus runs smoothly, the computer must meet the following minimum hardware and software requirements. Hardware requirements: Intel Pentium 32 bit / 64 bit or higher (or equivalent). 512 MB of RAM (1GB or more recommended). 1 GB of free space on the hard drive (3 GB or more recommended). Recommended size of swap file: two times larger than the physical memory. Software requirements: Supported operating systems: 32-bit platforms: Microsoft Windows Server 2003 Standard Edition (Service Pack 2 or higher). Microsoft Windows Server 2003 Enterprise Edition (Service Pack 2 or higher). Microsoft Windows 2003 R2 Server Standard Edition (Service Pack 2 or higher). Microsoft Windows 2003 R2 Server Enterprise Edition (Service Pack 2 or higher). Microsoft Windows Server 2008 Standard Edition (Service Pack 2 or higher). Microsoft Windows Server 2008 Enterprise Edition (Service Pack 2 or higher). Microsoft Windows Server 2012 Standard Edition. Microsoft Windows Server 2012 Datacenter Edition. Microsoft Windows Server 2012 R2 Standard Edition. Microsoft Windows Server 2012 R2 Datacenter Edition. Novell SuSE Linux Enterprise Server 10 (Service Pack 2). Novell SuSE Linux Enterprise Server 11. Red Hat Enterprise Linux 5.5. Red Hat Enterprise Linux 5.6. Red Hat Enterprise Linux 6.0. Red Hat Enterprise Linux bit platforms: Microsoft Windows 2003 Server Standard Edition (Service Pack 2 or higher). Microsoft Windows 2003 Server Enterprise Edition (Service Pack 2 or higher). 14

15 K A S P E R S K Y A N T I - V I R U S 8. 0 F O R L O T U S D O M I N O Microsoft Windows 2003 R2 Server Standard Edition (Service Pack 2 or higher). Microsoft Windows 2003 R2 Server Enterprise Edition (Service Pack 2 or higher). Microsoft Windows Server 2008 Standard Edition (Service Pack 2 or higher). Microsoft Windows Server 2008 Enterprise Edition (Service Pack 2 or higher). Microsoft Windows Server 2008 R2 Standard Edition (Service Pack 1 or higher). Microsoft Windows Server 2008 R2 Enterprise Edition (Service Pack 1or higher). Microsoft Windows Server 2012 Standard Edition. Microsoft Windows Server 2012 Datacenter Edition. Microsoft Windows Server 2012 R2 Standard Edition. Microsoft Windows Server 2012 R2 Datacenter Edition. Novell SuSE Linux Enterprise Server 10 (Service Pack 2). Novell SuSE Linux Enterprise Server 11. Novell SuSE Linux Enterprise Server 11 (Service Pack 3). Red Hat Enterprise Linux 5.5. Red Hat Enterprise Linux 5.6. Red Hat Enterprise Linux 6.0. Red Hat Enterprise Linux 6.1. Red Hat Enterprise Linux 6.5. Supported versions of Lotus servers: 32-bit platforms (for Linux and Windows operating systems): Lotus Notes/Domino version (with the set of updates Fix Pack 6). Lotus Notes/Domino version (with the set of updates Fix Pack 1). Lotus Notes/Domino version (with the set of updates Fix Pack 5). Lotus Notes/Domino version (with the set of updates Fix Pack 4). Lotus Notes/Domino version (with the set of updates Fix Pack 6). Lotus Notes/Domino version 9.0. Lotus Notes/Domino version bit platforms (for Windows operating systems only): Lotus Notes/Domino version (with the set of updates Fix Pack 6). Lotus Notes/Domino version (with the set of updates Fix Pack 1). 15

16 A D M I N I S T R A T O R ' S G U I D E Lotus Notes/Domino version (with the set of updates Fix Pack 5). Lotus Notes/Domino version (with the set of updates Fix Pack 4). Lotus Notes/Domino version (with the set of updates Fix Pack 6). Lotus Notes/Domino version 9.0. Lotus Notes/Domino version Supported browsers: Internet Explorer 7. Internet Explorer 9. Mozilla Firefox 3X. Google Chrome 3X. 16

17 APPLICATION ARCHITECTURE This section describes how Kaspersky Anti-Virus operates and provides information about managing application settings. IN THIS SECTION About Kaspersky Anti-Virus functional modules About Kaspersky Anti-Virus databases Anti-Virus server protection layout Managing Kaspersky Anti-Virus settings Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file ABOUT KASPERSKY ANTI-VIRUS FUNCTIONAL MODULES Kaspersky Anti-Virus includes three functional modules: the management module, the mail and replication scan module, and the database scan module. Management module Module provides the following functions in Kaspersky Anti-Virus: Managing the application. Module initiates scans of mail and replications, runs scans of databases and scheduled updates of anti-virus databases. Managing application settings. The module receives and applies new values of settings. Saving and analyzing statistics. Module logs statistical information and information about operational events in the Event log and statistics database and sends notifications to administrators. Notice. Module sends notifications about infected, potentially infected and damaged objects detected during a scan. Application licensing. This module is responsible for activating the application, analyzing licensing information, applying and deleting key files. Mail and replication scan module This module performs anti-virus scanning of messages and replications. Database scan module This module performs anti-virus scanning of databases of a Lotus Domino server. All modules are started automatically when the Lotus Domino server is launched. Information about modules can be saved in the Kaspersky Anti-Virus Event log and the Event log and statistics database, recorded in log files, and displayed on the Domino server console. 17

18 A D M I N I S T R A T O R ' S G U I D E ABOUT KASPERSKY ANTI-VIRUS DATABASES The application includes the following databases: Control center database (kavcontrolcenter.nsf.) is used to control and store Kaspersky Anti-Virus settings (see section "Managing Kaspersky Anti-Virus settings" on page 21); Quarantine database (kavquarantine.nsf) is used to store and manage objects placed in Quarantine (see section "Quarantine" on page 65); Event log and statistics database (kaveventslog.nsf) is used to store records of events registered in Kaspersky Anti-Virus operation and statistical information about scanned objects and actions taken on them (see section "Event log and statistics" on page 69); Help database (kavhelp.nsf) contains reference information about Kaspersky Anti-Virus. These databases are accessed through the Control center user interface (see section "Application interface" on page 31). All application databases are stored in the directory for Kaspersky Anti-Virus databases (by default, the kavdatabases folder). ANTI-VIRUS SERVER PROTECTION LAYOUT Kaspersky Anti-Virus protects mail and replications and scans databases stored on the server. Server protection comprises the following components: mail protection (see page 48), replication protection (see page 53), and database scan (see page 57) (see figure below). Figure 1. Lotus Domino anti-virus server protection layout 18

19 A P P L I C A T I O N A R C H I T E C T U R E IN THIS SECTION Application operation layout Attachment filtering algorithm Anti-virus scanning for threats algorithm Processing objects and actions taken on them APPLICATION OPERATION LAYOUT The application operation layout provides following: 1. Management module receives information from the Lotus Domino server about incoming messages in the mail.box service database or about an attempt to perform a replication on the protected server. Management module forwards messages or documents modified after being replicated, Message and replication scan module. 2. Mail and replication scan module scans the message / document and processes it in accordance with the mail or replication protection settings. The following actions are taken: a. Scanned objects are highlighted. messages are divided into header, message body, attachments and OLE objects. Fields in Rich Text and MIME format, attachments and OLE objects are selected in the document. b. Attached objects are filtered (see section "Attachment filtering algorithm" on page 19) by size and (or) by name. c. Objects are scanned for threats (see section "Anti-virus scanning algorithm" on page 20). d. Uninfected objects are skipped, other objects are processed according to the protection settings (see section "Processing objects and taking actions on them" on page 21). A copy of an object can be saved in the Quarantine database before it is processed. e. Processed messages are returned to the Lotus Domino system for sending. Processed documents are stored in databases of the Lotus Domino server. 3. In accordance with the database scanning schedule or after the database scan is started manually, the Management module sends a command to the Database scan module to begin scanning. Database scan module generates a list of scanned documents in accordance with the scan settings and then scans the documents according to this list. The document scanning algorithm of the Database scan module is identical to the document scanning algorithm in the Message and replication scan module. ATTACHMENT FILTERING ALGORITHM Kaspersky Anti-Virus filters objects attached to messages and documents. Filtering makes it possible to exclude objects that meet the filter criteria from anti-virus scanning. The application can apply the following filters to attachments: Filter by size. Kaspersky Anti-Virus checks the size of attached objects. If the size of an object exceeds the maximum value allowed, the object is assigned the status specified by the filter settings and is skipped by the scan. Objects that do not exceed the maximum size are sent for scanning. Filter by name. Kaspersky Anti-Virus checks the names of objects attached to a message. If the name of the object satisfies the filter mask, the object is assigned the status specified by the filter settings and is skipped by the scan. If the name of the object does not match any of the filter mask values, the object is sent for anti-virus scanning. 19

20 A D M I N I S T R A T O R ' S G U I D E If the protection settings are configured for both types of attachment filtering, Kaspersky Anti-Virus first scans the size of the object. If the size of the object is less than the value set in the filter settings, Kaspersky Anti-Virus scans the name of the object. If the size of the object is more than the value set in the filter settings, Kaspersky Anti-Virus does not scan the name of the object. Based on the scan results, the object may be assigned one of the following statuses: not infected the object does not contain any threats; infected the object contains a threat that matches a signature in Kaspersky Lab anti-virus databases; the disinfection operation is applied to such objects; not scanned Kaspersky Anti-Virus was unable to scan the object; the object scan may have returned an error or the time allocated for scanning has elapsed; probably infected the object code contains either modified code from a known virus or code that resembles a virus, but which has yet to be identified and described in Kaspersky Lab's anti-virus databases; protected the object is a password-protected archive. The attachment filter settings are configured in the mail protection, replication protection and database scan settings for each protection component individually. After filtering, objects are processed according to status labels assigned to them during filtering: objects are subjected to actions (see section "Processing objects and taking actions on them" on page 21) configured for objects with the relevant status in the mail protection, replication protection, or database scan settings. ANTI-VIRUS SCANNING FOR THREATS ALGORITHM Kaspersky Anti-Virus analyzes an object for threats according to the following algorithm: 1. Objects are scanned on the basis of records in the anti-virus databases. Kaspersky Anti-Virus compares objects with database records and determines whether they are harmful, which category of dangerous programs they belong to and which treatment methods should be applied. Anti-virus databases contain descriptions of all know malware and programs that, while not malicious, can be used to develop malware, and also ways to neutralize them. Based on the scan results, the object is assigned one of the following statuses: not infected the object does not contain any threats; infected the object contains a threat that matches a signature in Kaspersky Lab anti-virus databases; the disinfection operation is applied to such objects; not scanned Kaspersky Anti-Virus was unable to scan the object; the object scan may have returned an error or the time allocated for scanning has elapsed; probably infected the object code contains either modified code from a known virus or code that resembles a virus, but which has yet to be identified and described in Kaspersky Lab's anti-virus databases; protected the object is a password-protected archive. 2. Objects classified as uninfected after the scan using updated databases are then scanned by the heuristic analyzer. Kaspersky Anti-Virus analyzes the system activity of the object being scanned by means of Heuristic Analyzer. If such activity is typical of malicious objects, the object is labeled as potentially infected. 20

21 A P P L I C A T I O N A R C H I T E C T U R E PROCESSING OBJECTS AND ACTIONS TAKEN ON THEM Kaspersky Anti-Virus processes objects in accordance with their assigned status following attachment filtering (see section "Attachment filtering algorithm" on page 19) and anti-virus scanning (see section "Algorithm for scanning objects for threats" on page 20). Uninfected objects are returned without any modifications to the Lotus Domino server databases (the replication protection and database scan components) or to the Lotus Domino mail system (the mail protection component). The following actions can be taken on the remaining objects: Disinfect. Kaspersky Anti-Virus disinfects the object on the basis of information in the anti-virus databases about the threat detected. As a result, the threat is neutralized and the object is classified as uninfected and stored in the database by its source address or returned to the mail system. This action applies to infected objects only. OLE objects are not disinfected. Kaspersky Anti-Virus deletes infected OLE objects. Skip. Kaspersky Anti-Virus returns the object to the databases of the Lotus Domino server or to the mail system of the server without any modifications. Delete. Kaspersky Anti-Virus deletes the object from a document or message. Actions to be taken by the application are defined separately for each status of the object in the mail protection, replication protection and database scanning settings. A copy of an object can be saved in the Quarantine database before it is processed. Information about actions taken can be stored in the Event log and statistics database. Kaspersky Anti-Virus can notify administrators and the senders and recipients of messages (mail protection) about objects detected and actions taken on them (see section "Notifications" on page 77). MANAGING KASPERSKY ANTI-VIRUS SETTINGS Kaspersky Anti-Virus is managed using the profile and server settings. Profile is a set of Kaspersky Anti-Virus settings that define the behavior of the application with respect to one server or a group of servers included in this profile. The profile mechanism provides centralized control of Kaspersky Anti-Virus settings. You can use profiles to set Kaspersky Anti-Virus settings for a group of servers, for example, based on their geographical location, functions or other factors. This makes it easier to manage the application if it is installed on several servers and allows the anti-virus security status on all computers to be controlled centrally. A profile can contain several servers or just one. If Kaspersky Anti-Virus is deployed using an isolated model, the profile contains only one server. If the distributed deployment model is used, the profile includes several servers (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide). Profiles can be used to configure all application settings, except the server license and Quarantine storage period. These two settings are configured only for an individual server and defined in the server settings (see section "Configuring individual server settings" on page 82). In addition, a number of server settings can be redefined by the profile. This enables values to be set for an individual server that correspond to the role of the server in the anti-virus protection system and that differ from the values set in the profile. Classified as such, for example, are update settings, settings for saving information about events logged by Kaspersky Anti-Virus and statistical information. Servers are added to the profile automatically when Kaspersky Anti-Virus is installed on them. Servers are deleted from the profile when the application is deleted. Only protected Kaspersky Anti-Virus servers are included in the profile. You can create and delete profiles (see section "Adding and deleting profiles" on page 79). You can move the server on which Kaspersky Anti-Virus is installed from one server to another (see section "Moving a server to another profile" on page 82). 21

22 A D M I N I S T R A T O R ' S G U I D E You can also use profiles to create a protection system with various levels of security, for example, for mail servers or database servers. To do so, you can create several profiles with different settings. To assign a specified security level to a server or group of servers, simply move the servers to the profile with the required settings. You can use the server settings to configure individual values that match the functions of a specific server on the corporate network (see section "Configuring individual server settings" on page 82). For example, the server settings can be used to configure a centralized scheme to update anti-virus databases (see section "Update schemes" on page 43). All information about Kaspersky Anti-Virus settings is stored in the Control center database kavcontrolcenter.nsf. The Control center database is created in the Kaspersky Anti-Virus database directory when the application is installed (the default folder is kavdatabases). At the same time, in the database a profile is created to which the protected server is added. The profile and server settings are assigned the default values. Since the password for accessing the proxy server is stored in the kavcontrolcenter.nsf database, users having access to this database can know this password. In light of this, we recommend granting users access to the kavcontrolcenter.nsf database only when absolutely necessary, and monitoring access. When a user who had access to the kavcontrolcenter.nsf database is dismissed or reassigned, we recommend changing the proxy server access password. If Kaspersky Anti-Virus uses a distributed deployment scheme (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide), the kavcontrolcenter.nsf database contains information about the operation of Kaspersky Anti-Virus for each protected server. A database is created on one of these servers during installation and a replica of the existing Control center database is created on each subsequent server. A database from one of the servers on which Kaspersky Anti-Virus is already installed (selected by the Administrator) is taken as a basis. The new protected server is added to the profile containing the server from which the replica kavcontrolcenter.nsf database was created. The server settings are assigned the default values. When Kaspersky Anti-Virus is deleted from one of the servers, information about this server is deleted from the profile and from the Control Center database. If there is an isolated deployment scheme, the kavcontrolcenter.nsf database is placed on one server and contains information about the configuration of only this server. To configure and manage Kaspersky Anti-Virus, open the kavcontrolcenter.nsf database. Rights to open the kavcontrolcenter.nsf database and configure and manage Kaspersky Anti-Virus are granted only to authorized users from one of three functional groups: Security administrators, Control Center administrators and Administrators with restricted privileges (see section "Managing privileges at the ACL level of the Kaspersky Anti-Virus databases" on page 24). Before opening the database, make sure that the user account is authorized to perform the required operations (create, delete, and configure profiles, configure servers, etc.). The kavcontrolcenter.nsf can be opened on any protected server using a Lotus Notes client or web browser (see section "Application interface" on page 31). By default, changes to the profile and server settings are made to the database replica on the server which is connected. During the replication process, any changes are distributed to all other protected servers. There may be some delay before the new settings are applied. For this reason, the topology of the replications should be taken into account when selecting the server on which to configure the settings. If you are using Kaspersky Anti-Virus through a Lotus Notes client, changes to the settings can be made to the Control Center database replica located on the server whose settings you are editing, regardless of which server is connected. In this case, the new server settings are applied much faster. When a browser is used, this option is not supported and changes to the server settings are always made to the open replica. The Control center database can be opened from several workstations or in parallel via a web browser or Lotus Notes client. In such case, a conflict in the replications could occur if the settings of a profile or server are modified by two or more users simultaneously. In addition, it is not advised to modify the server settings and the settings of the profile that contains the server. The server settings can be automatically redefined when the new profile settings are applied. 22

23 A P P L I C A T I O N A R C H I T E C T U R E CONFIGURING KASPERSKY ANTI-VIRUS SETTINGS USING THE NOTES.INI CONFIGURATION FILE Kaspersky Anti-Virus settings can be managed either through the application interface or by changing the notes.ini configuration file. When managing application settings by means of the configuration file, you can specify the values of the settings that are not available via the application interface (such as enabling or disabling incremental scanning of objects) and manage some of the primary Kaspersky Anti-Virus functions via the command line of the Lotus Domino server console. To change the configuration file settings: 1. Open the Lotus Domino notes.ini configuration file at the following location: under Microsoft Windows operating systems in the Domino server's catalog of binary files; under Linux operating systems in the Lotus Domino server's data catalog. 2. Edit the settings (see table below) and save changes. 3. Reboot the Lotus Domino server. The settings in the notes.ini file are not synchronized with the settings in the Kaspersky Anti-Virus interface. The configuration file settings take precedence over the interface settings. Table 2. List of editable settings SETTING VALUE DESCRIPTION KAVCustomUpdUrlOnly 1 The server receives updates only from the update source that you have specified. You can specify the update source in the profile settings or the server settings. 2 / no set value Used by default If the update from your specified source fails, Kaspersky Anti-Virus attempts to connect to a different update source, from which the most recent successful update was performed, or to Kaspersky Lab's update server. KAVLicenseNotifyDays This setting is not available by default. Kaspersky Anti-Virus notifies the administrator 14 days prior to the expiry of the key file. KAVProcExclude KAVDatabasesPath The default values are updall, nupdate, ldap, event, statlog, fixup, and compact. Path to the application installation folder. The default value is kavdatabases. These are the processes excluded from scanning by Kaspersky Anti-Virus. The application does not monitor these processes during its operation. Kaspersky Anti-Virus is installed. The value of this setting defines the path to Kaspersky Anti-Virus databases relative to the Domino data catalog. KAVArchDepthLevel 32 The allowed nesting level of archives to be scanned. 0 / no set value Archive nesting level is unlimited. KAVNonIncrementalScan 0 / no set value Incremental scanning enabled. 1 Used by default Incremental scanning disabled. 23

24 MANAGING USER PRIVILEGES This section describes how to manage user privileges. User privileges are managed at the ACL level of the Kaspersky Anti-Virus databases and at the level of individual documents (profile settings and server settings). Privileges at the ACL level are granted through functional groups. Privileges at the document level are granted through functional roles (see section "Managing privileges at the level of profile / server settings" on page 26). IN THIS SECTION Managing privileges at the ACL level of the Kaspersky Anti-Virus databases Managing privileges at the level of profile / server settings MANAGING PRIVILEGES AT THE ACL LEVEL OF THE KASPERSKY ANTI-VIRUS DATABASES To grant privileges at the ACL level of the Kaspersky Anti-Virus databases, the application provides three functional groups: Security administrators, Control Center administrators and Administrators with restricted privileges. The composition of each functional group is defined during installation. The administrator who installs the application creates the functional groups by selecting users and (or) user groups from the Address Book of the Lotus Domino server. During installation the elements of each functional group are automatically included in the ACL of the Kaspersky Anti- Virus Lotus Notes databases. The ACL of the Kaspersky Anti-Virus databases also includes the Default and Anonymous records and the servers on which the application is installed. The administrator specifies the serves to be included in the ACL during installation of the application (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide). The servers are assigned the Manager access level with rights to create, delete, replicate and copy documents. The No access level is set for the Default and Anonymous records in the ACL of the Kaspersky Anti-Virus databases. IN THIS SECTION Functional group privileges Granting functional group privileges to users

25 M A N A G I N G U S E R P R I V I L E G E S FUNCTIONAL GROUP PRIVILEGES The privileges of the functional groups in the ACL of the Kaspersky Anti-Virus databases are listed in the table below. Table 3. Functional group privileges FUNCTIONAL CONTROL CENTER DATABASE EVENT LOG AND QUARANTINE DATABASE HELP GROUPS STATISTICS DATABASE DATABASE SECURITY ADMINISTRATORS Manager access level with rights to create, delete, replicate and copy documents. AppAdmin role. Manager access level with rights to create, delete, replicate and copy documents. Manager access level with rights to create, delete, replicate and copy documents. Manager access level. CONTROL СENTER ADMINISTRATORS Author access level with rights to create, delete, replicate and copy documents. AppAdmin role. Author access level with rights to create, delete, replicate and copy documents. Author access level with rights to create, delete, replicate and copy documents. Reader access level. ADMINISTRATORS WITH RESTRICTED PRIVILEGES Author access level with the right to replicate or copy documents. Author access level with the right to replicate or copy documents. Author access level with the right to replicate or copy documents. Reader access level. Following installation of Kaspersky Anti-Virus users and user groups included in the functional groups are granted privileges required to use the application. Users included in the Security administrators group have the maximum number of privileges in Kaspersky Anti-Virus and can perform the following actions: Managing privileges at the ACL level of the Kaspersky Anti-Virus databases. Creating / deleting profiles. Editing the settings of all profiles and servers. Deleting records from the Quarantine and Event log and statistics databases. Users included in the Control сenter administrators group can perform the following actions in Kaspersky Anti-Virus: Creating / deleting profiles. Editing the settings of all profiles and servers. Deleting records from the Quarantine and Event log and statistics databases. Users included in the Administrators with restricted privileges group do not, by default, have the right to edit profile / server settings or delete records from the Quarantine and Event log and statistics databases. Users are granted the rights needed to use the application through functional roles (see section "Managing privileges at the level of profile / server settings" on page 26). Users in all three functional groups have privileges to view records in the Quarantine, Event log and statistics, and Help databases. GRANTING FUNCTIONAL GROUP PRIVILEGES TO USERS During installation of Kaspersky Anti-Virus, the administrator can include both individual users of Lotus Domino and groups of users in each of the three functional groups. To simplify the process of granting privileges, you are recommended to include not individual users, but groups created in the Address Book of the Lotus Domino server (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide). During installation these groups are included in the ACL of the Kaspersky Anti-Virus databases and are assigned the functional group privileges (see section "Managing functional groups" on page 25). The Lotus Domino server administrator can subsequently grant privileges to users or restrict them by modifying the groups in the Address Book (including or excluding users). 25

26 A D M I N I S T R A T O R ' S G U I D E If during installation of the application only individual users, not user groups, were included in the functional groups, the ACL of all the Kaspersky Anti-Virus databases will need to be edited manually to manage the privileges. To deny a user functional group privileges, the user account must be deleted from the ACL of all the Kaspersky Anti-Virus databases. To grant a user functional group privileges, the user account must be included in the ACL of all databases. The ACL of the Kaspersky Anti-Virus databases can only be modified by users with privileges belonging to the Security administrators functional group. It is recommended that user accounts in the ACL of the Kaspersky Anti-Virus databases be included in the group. To grant a user functional group privileges: 1. Create in the Address book of the Lotus Domino server a group with a unique name, for example, ControlCenterAdmins. 2. To this group add the user to be granted the privileges of a particular functional group, for example, the Control сenter administrators group. 3. Log on to the system under a user account with the privileges of the Security administrators functional group. 4. Add the ControlCenterAdmins group to the ACL of the Kaspersky Anti-Virus databases (Control Center, Event log and statistics, Quarantine, Help) and define the privileges for the ControlCenterAdmins group as those for the Control сenter administrators functional group (see section "Functional group privileges" on page 25). MANAGING PRIVILEGES AT THE LEVEL OF PROFILE / SERVER SETTINGS To restrict access to the application at the level of individual documents (profile and server settings), the following functional roles are provided: Profile administrator has the rights to perform the following actions: Editing the profile settings and the settings of all servers in the profile. Removing records from the Quarantine and Event log and statistics databases for servers in the profile. Server administrator has the rights to perform the following actions: Editing the server settings, including moving a server to another profile. Removing records from the Quarantine and Event log and statistics databases for the server. Profile and server administrators are assigned following installation of the application. Administrators are assigned for each server (see section "Assigning server administrators" on page 81) and profile separately (see section "Assigning profile administrators" on page 81). Only users with the privileges of one of the three functional groups can be assigned as profile and server administrators (see section "Managing privileges at the ACL level of the Kaspersky Anti-Virus databases" on page 24). By default, users and (or) user groups included in the Control сenter administrators functional group during installation are specified as administrators in the profile and server settings. Users from the Security administrators and Control сenter administrators functional groups are granted the right to edit the settings of all servers and profiles, regardless of their functional role. To grant restricted privileges, for example, to edit the settings of only one profile / server, users from the Administrators with restricted privileges functional group should be assigned as profile / server administrators. Users from this group are granted the right to edit the settings of only the profiles / servers for which they have been assigned as administrators. If a user of this group is assigned as a profile administrator, he/she is also granted the right to edit the settings of all servers under this profile. 26

27 APPLICATION LICENSING This section covers application licensing and activation and provides instructions for adding and removing a Kaspersky Anti-Virus key file. IN THIS SECTION About the license agreement About the license About the key file Installing the key file ABOUT THE LICENSE AGREEMENT The End User License Agreement is a binding agreement between you and Kaspersky Lab ZAO, stipulating the terms on which you may use the application. Read through the terms of the End User License Agreement carefully before you start using the application. You are deemed to agree to be bound by the terms of the License Agreement if you confirm your acceptance of the License Agreement text upon application installation. If you disagree with the terms of the License Agreement, you must abort the installation or refrain from using the application. ABOUT THE LICENSE The License is a temporary right to use the application granted on the basis of the End User License Agreement. The license contains a unique code for activating your copy of Kaspersky Anti-Virus. A current license entitles you to the following kinds of services: The right to use the application on one or several devices. The number of devices on which you may use the application is specified in the End User License Agreement. Assistance from Kaspersky Lab Technical Support. Other services available from Kaspersky Lab or its partners during the license period. The scope of services and application usage term depend on the type of license under which the application is activated. 27

28 A D M I N I S T R A T O R ' S G U I D E The following types of licenses are provided: Trial a free license for trying out the application. Trial license usually has a short validity period. As soon as the license expires, all Kaspersky Anti-Virus features are disabled. To continue using the application, you should purchase a commercial license. Commercial a paid license offered upon purchase of the application. When the commercial license expires, the application continues to operate with limited functionality (for example, updates and Kaspersky Security Network are unavailable). You will still be able to use all application components and scan the computer for viruses and other threats but only with databases installed before the license expired. To continue using Kaspersky Anti-Virus in fully functional mode, you must renew your commercial license. We recommend renewing the license before its expiration to ensure that your computer stays fully protected against all threats. ABOUT THE KEY FILE A key file is a file of the form xxxxxxx.key. The application downloads a key file from the activation server based on your activation code. The application can be used only with a key file. If the key file is accidentally deleted, you can restore it in one of the following ways: Send a request to Technical Support (see section "Contacting Technical Support" on page 90). Obtain a key file on the website based on your existing activation code. A key file contains the following data: Key a unique alphanumeric sequence. A key is used, for example, to receive technical support from Kaspersky Lab. Limit on number of computers the maximum number of computers on which the application can be activated with the given key file. Key file creation date the date when the key file was created on the activation server. License term a time period defined by the conditions of the License Agreement during which you may use the application. The term elapses from the date when the key file is first used to activate the application. For example, 1 year. The license expires no later than the validity period of the key file that was used to activate the application under this license. Key file validity period a specific period that counts down from the time of key file creation. The key file validity period may be several years. The application may be activated with this key only before this term expires. The key file used to activate the application automatically expires at the same time as the license for the application. 28

29 A P P L I C A T I O N L I C E N S I N G APPLYING A KEY FILE A Kaspersky Anti-Virus key file is applied to each server separately. You can download active and additional key files. The active key is valid as soon as it is installed. Only one key can be installed in the application as the active key. The additional key becomes active right after the license linked to the active key expires. Key files can be downloaded while you install Kaspersky Anti-Virus (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide). You can download a key file via the interface of the Lotus Domino server console, via the Lotus Notes client or web browser. The active or additional key file can only be deleted via the command line of the Lotus Domino server console (see section "Using the server console" on page 88). DOWNLOADING A KEY FILE VIA THE LOTUS NOTES CLIENT OR WEB BROWSER Prior to installing the key file via the Lotus Notes client or web browser, make sure that it is accessible via the file system of the client computer from which the Control center database has been opened. To download a key file via the Lotus Notes client or web browser: 1. Select the server for which you want to install the key file (see section "Viewing and editing server settings" on page 36). 2. In the control panel select the License tab. 3. Click the Add key link. 4. In the window that will open, select the key file with the key extension and click the Open button. The selected key file is downloaded to the server. On the License tab, you can view the following information about the active license: Functionality. The following restrictions on functionality are possible: Full the key has been added. Management only the key has not been added or the validity period of a trial license has expired. Update only an error occurred when updating the anti-virus databases, the anti-virus databases are corrupted, or the key is black-listed. Full functionality without update the validity period of a commercial license has expired. Type. Type of license: trial or commercial. Expiration date. License validity period expiry date. Days remaining. Number of days before expiration of the license. Key. Unique alphanumeric sequence. End user. Information about license owner: organization, name, country, address, and other information. 29

30 A D M I N I S T R A T O R ' S G U I D E DOWNLOADING A KEY FILE VIA THE LOTUS DOMINO SERVER CONSOLE Prior to downloading the key file via the Lotus Domino server console, move the key file to a random folder in the file system of the protected server on which the key file will be used. If the computer runs on a Linux operating system, do the following before downloading the key file via the interface of the Lotus Domino server console: 1. Specify the account that has the privileges to run the Lotus Domino server as the owner of the key file. 2. Specify the following modes of access to the key file: For the file owner: read, write, execute; For the file owner's group: read, execute; For other accounts: read, execute. To download a key file via the interface of the Lotus Domino server console: 1. Start the Lotus Domino server console. 2. Type the following in the command line: tell kavcontrol AddKey <path_to_key_file> where <path_to_key_file> is the full path to the key file on the Lotus Domino server. 30

31 APPLICATION INTERFACE This section describes the main elements of application GUI that are used to manage the application via the Lotus Notes client and web browser. IN THIS SECTION Accessing the Control Center database Layout of Control Center database window Protection management tab Event log and statistics tab Help tab ACCESSING THE CONTROL CENTER DATABASE All operations to configure and manage Kaspersky Anti-Virus are performed through the Control center user interface. The Quarantine, Event log and statistics, and Help databases can also be managed via the interface of the Control Center database. The Control Center database can only be accessed via a Lotus Notes client or web browser. The web interface makes it possible to manage the application from computers without the Lotus Notes client installed (see section "Remote management of Kaspersky Anti-Virus via a web browser" on page 84). Commands are also available to manage Kaspersky Ant-Virus via the Lotus Domino server console (see section "Using the server console" on page 88). Rights to open the Control center database and configure and manage Kaspersky Anti-Virus are granted only to authorized users in one of the three functional groups: Security administrators, Control center administrators, and Administrators with restricted privileges (see section "Managing privileges at the ACL level of the Kaspersky Anti-Virus databases" on page 24). Before opening the database, make sure that the user account is authorized to perform the required operations. The layout of the Control center window and actions for performing operations are the same when using a Lotus Notes client or web browser. Therefore, the following sections in this guide describe how to operate Kaspersky Anti-Virus via a Lotus Notes client. To open the window of the Control Center database via the Lotus Notes client: 1. Run the Lotus Notes client. 2. Open the kavcontrolcenter.nsf database located in the folder with Kaspersky Anti-Virus databases. To open the window of the Control Center database via the web browser: 1. Open the web browser. 2. Type the following in the address field: 31

32 A D M I N I S T R A T O R ' S G U I D E where: <server_name> the name or IP address of the server on which Kaspersky Anti-Virus is installed; <path_to_file_kavcontrolcenter.nsf> the path to the file kavcontrolcenter.nsf from the data catalog of the Lotus Domino server. This opens the Control center window (see figure below). Figure 2. Control center window Images of the Kaspersky Anti-Virus main window, opened using a Lotus Notes client, are presented throughout the document. A database icon is automatically created in the Lotus Notes work area when the Control center database is opened for the first time. The icon can be used to open the Control center window. If you are using Kaspersky Anti-Virus in a web browser, the path to access the kavcontrolcenter.nsf database can be saved as a link and used to open the Control center window. LAYOUT OF CONTROL CENTER WINDOW The Control center window consists of the following main elements (see figure below). Switch panel located in the upper part of window, it contains tabs to switch between the Control center, Event log and statistics and Help databases. Status panel located in the upper part of the window, it contains the name of the server which is connected and the name of the server on which the document is being edited. When using a Lotus Notes client, the server on which the Control center database replica is being edited may be different to the one connected. 32

33 A P P L I C A T I O N I N T E R F A C E Action panel located in the upper part of the control panel; it contains buttons that can be used to edit the profile or server settings. Navigation panel located in the left part of the window; depending on which tab is selected in the switch panel, it contains the following elements: list of profiles and the servers they contain; list of Event log and statistics sections. Control panel located in the right part of the window; designed for managing the settings of profiles / servers and records in Kaspersky Anti-Virus databases. Viewing panel located in the lower part of the window; designed for viewing Event log records. Figure 3. Layout of Control Center database window The contents of the navigation panel, control panel and viewing panel depend on which tab is selected in the switch panel. The privileges of the current user determine the accessibility of the interface elements and the input fields in the Control center window. PROTECTION MANAGEMENT TAB The Protection management tab on the switch panel is designed for managing the Control Center database: Configuring the settings of Kaspersky Anti-Virus operation on protected servers; Configuring anti-virus protection settings (mail protection, replication protection, database scan, anti-virus database updates, and so forth). In the Protection management tab navigation panel contains a list of profiles and their servers. 33

34 A D M I N I S T R A T O R ' S G U I D E The list of servers included in the profile can be minimized on the navigation panel. To maximize the list of servers, click the icon located to the left of the profile name. The upper part of the navigation panel contains the Add profile button used to create a profile (see section "Creating and deleting a profile" on page 79). If a profile is selected in the navigation panel, the following tabs (see figure below) with the profile settings are displayed in the viewing panel: Information. The tab contains the profile name and a list of servers it contains. General settings. The tab displays the name of the administrator / group of administrators of the profile, the performance settings of the application (see section "Configuring performance settings" on page 64), and the Event log and statistics for servers in the profile settings (see section "Configuring Event log settings" on page 70). Mail protection. The tab is used to configure mail protection settings for servers included in the profile (see section "Mail protection" on page 48). Replication protection. The tab is used to configure replication protection for servers contained in the profile (see section "Replication protection" on page 53). Database scanning. The tab is used to configure replication protection for servers contained in the profile (see section "Replication protection" on page 57). Anti-virus databases update. The tab is used to configure update settings for servers contained in the profile (see section "Selecting an update source" on page 45). Figure 4. The Control center window in profile view mode 34

35 A P P L I C A T I O N I N T E R F A C E If a server is selected in the navigation panel, tabs containing the server settings are displayed in the control panel and Event log and statistics database records for the server are displayed in the viewing panel (see figure below). Figure 5. Window of the Control Center database in the anti-virus protection status viewing mode The server settings are displayed on the following tabs (see figure above). Information. The tab displays the name of the server, the name of the administrator / group of administrators of the server, and the status of the protection components (see section "Server protection status" on page 39). General settings. The tab is designed for configuring the Quarantine settings (see section "Configuring Quarantine" on page 68) and the individual Event log and statistics settings for the server (see section "Configuring the Event log" on page 70). License. The tab is used to manage licenses (see section "Managing licenses" on page 27). Anti-virus databases update. The tab is used to configure anti-virus database updates for the server (see section "Anti-virus database update sources" on page 42) and launch updates (see section "Manual update" on page 47). Database scanning. The tab is used to run database scans manually for the server (see section "Manual scan" on page 63). The upper part of the control panel displays the action panel containing buttons. To edit the profile or server settings, change from view mode to edit mode by clicking the Modify button in the action panel. The set of buttons in the action panel is different in the editing mode and in the viewing mode. The purpose of buttons for managing profile settings is described in the table below. 35

36 A D M I N I S T R A T O R ' S G U I D E Table 4. Buttons in the action panel for managing profile settings BUTTON Modify Apply Cancel Delete Restore defaults FUNCTION Change to profile edit mode. Save new profile settings. Cancel new settings. Delete profile. Restore default profile settings. The purpose of buttons for managing server settings is described in the table below. Table 5. Buttons in the action panel for managing server settings BUTTON Modify Apply Switch profile Cancel Open Quarantine database Delete records FUNCTION Change to profile edit mode. Save new server settings. Move server to another profile. Cancel new settings. Open the list of objects placed in Quarantine as a result of scanning messages, replications or databases (see section "Quarantine" on page 65). Delete Quarantine (see section "Actions on quarantined objects" on page 67) or Event log and statistics records for this server (see section "Deleting information from the Event log and statistics database" on page 75). VIEWING AND EDITING PROFILE SETTINGS To view profile settings: 1. In the switch panel select the Protection management tab. 2. In the navigation panel select the profile whose settings you want to view. You can switch from the profile settings viewing mode to the editing mode by clicking the Modify button on the action panel. VIEWING AND EDITING SERVER SETTINGS To view server settings: 1. In the switch panel select the Protection management tab. 2. In the navigation panel select the profile containing the server whose settings you want to view. 3. Select a server. The list of servers contained in a profile can be closed. To maximize the list of servers, click the of the profile name. icon located to the left You can switch from the server settings viewing mode to the editing mode by clicking the Modify button on the action panel. 36

37 A P P L I C A T I O N I N T E R F A C E EVENT LOG AND STATISTICS TAB The Event log and statistics tab in the switch panel is designed for managing the Event log and statistics database and viewing the following records: details of application events recorded on all protected servers; statistics of threats detected during anti-virus scanning and actions taken on them (see section "Viewing the Event log and statistics database" on page 73). The Event log and statistics tab in the navigation panel contains a list of Event log and statistics chapters and sections. Records of the Event log and statistics database are displayed in the control panel in the right part of the window. HELP TAB The Help tab is designed for viewing the Help database that contains the help system of Kaspersky Anti-Virus. When the Help tab is selected in the switch panel, an icon of the Help database appears in the Lotus Notes workspace. 37

38 STARTING AND STOPPING THE APPLICATION Kaspersky Anti-Virus starts automatically when the Lotus Domino server is launched. Anti-Virus protection starts after installing Kaspersky Anti-Virus and loading the server. You can start and stop Kaspersky Anti-Virus manually from the console of the Lotus Domino server by means of command line commands (see section "Using the server console" on page 88). 38

39 SERVER PROTECTION STATUS Anti-virus protection of the server comprises the following components: mail protection, replication protection, and database scan. All protection components are enabled by default and start automatically when the Lotus Domino server is launched. Database scanning starts by default at 00h 00m once a month, beginning on the day of installation. To receive information about which protection components are enabled or disabled: 1. Select the server whose protection status details you want to view (see section "Viewing and editing server settings" on page 36). 2. In the control panel select the Information tab. The status of the protection components is displayed under Protection status (see figure below). Figure 6. Window of the Control Center database in the anti-virus protection status viewing mode You can enable or disable any protection component. To enable or disable a protection component: 1. Select the server for which you want to enable or disable a protection component (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the Information tab (see figure above). 3. Under Protection status in the line that matches the component you require, select one of the two options: Enable or Disable. 4. In the action panel click the Apply button to save the changes. 39

40 DEFAULT SERVER PROTECTION Anti-Virus protection begins to work after installing Kaspersky Anti-Virus and loading the Lotus Domino server. All application modules and protection components are loaded automatically when the server is launched. Kaspersky Anti- Virus performs the following actions by default: Scans mail traffic. The following mail protection settings are used during scanning: scan message body, attached files and OLE objects; disinfect infected objects, delete potentially infected objects, skip protected and not scanned objects; scan one object no longer than 120 s; objects less than 1024 KB in size are processed in the server's RAM without being saved on the hard drive; move a copy of an infected or potentially infected object to Quarantine; save information about detected objects and actions taken on them in the Event log and statistics database; add a notification to the body of the original message (see section "Notifications" on page 77). Scans all new and modified documents following replication. During scanning the following replication protection settings are used: scan RTF and MIME fields of documents, attached files and OLE objects; disinfect infected objects, delete potentially infected objects, skip protected and not scanned objects; scan one object no longer than 120 s; objects less than 1024 KB in size are processed in the server's RAM without being saved on the hard drive; move a copy of an infected or potentially infected object to Quarantine; Save information about detected objects and actions taken on them in the Event log and statistics database; send a notification about actions taken to administrators (see section "Notifications" on page 77). Saves information about Kaspersky Anti-Virus events in the Event log and statistics database and displays it on the Lotus Domino server console (the level of detail of information that is saved is set to standard). Information about events and statistical information about the results of scanning objects are stored in the Event log and statistics database for 30 days. Starts anti-virus database updates every hour on a daily basis. The Kaspersky Lab servers are used as an update source. Database scanning is disabled by default. The administrator can start the scan manually or configure a scheduled scan. By default Kaspersky Anti-Virus uses the following values of database scan settings: scan RTF and MIME fields of documents, attached files and OLE objects; scan databases located in the root of the data directory (the directory containing all Lotus Domino server data) and in all its subdirectories; exclude Quarantine database from scanning; 40

41 D E F A U L T S E R V E R P R O T E C T I O N disinfect infected objects, delete potentially infected objects, skip protected and not scanned objects; scan one object no longer than 120 s; objects less than 1024 KB in size are processed in the server's RAM without being saved on the hard drive; move a copy of an infected or potentially infected object to Quarantine; save information about detected objects and actions taken on them in the Event log and statistics database; send a notification about actions taken to administrators (see section "Notifications" on page 77). 41

42 DATABASE UPDATES This section describes how to configure database update settings for a single server or a group of servers, which update sources can be used, and how to start an anti-virus database update manually or based on a schedule. This section also describes the ways to update Kaspersky Anti-Virus deployed on one or several servers. IN THIS SECTION Obtaining information about anti-virus databases Anti-virus database update sources Ways to update anti-virus databases Selecting an update source Scheduled update Manual update OBTAINING INFORMATION ABOUT ANTI-VIRUS DATABASES Kaspersky Anti-Virus searches for malware and cures infected objects on the basis of the anti-virus databases. It is vital to keep the anti-virus databases up-to-date since new viruses, Trojans and other types of malware appear every day. We recommend that you update the anti-virus databases immediately after installing the application, since the databases included in the distribution kit will be outdated by the time you install. Anti-Virus database updates are started for each server individually. The anti-virus databases are updated hourly on Kaspersky Lab update servers. Information about whether or not the anti-virus databases are current can be found in the server settings on the Anti-virus databases update tab. To get information about the anti-virus databases Kaspersky Anti-Virus is using: 1. Select the server whose information you want to view (see section "Viewing and editing server settings" on page 36). 2. In the control panel select the Anti-virus databases update tab. Information about current anti-virus databases is given in the top part of the tab. ANTI-VIRUS DATABASE UPDATE SOURCES An update source is a resource containing updates for Kaspersky Anti-Virus databases. Update sources can be HTTP or FTP servers, and local or network folders. Kaspersky Anti-Virus copies anti-virus database updates over the Internet from Kaspersky Lab update servers or from an FTP / HTTP server or from a network resource specified by the administrator. The updates that are received are stored on the server in the kavcommon\updater service folder (under Linux operating systems in kavcommon/updater). This directory is created when the application is installed and stored at the following address: under Microsoft Windows operating systems in the Lotus Domino server's directory of binary files (default path: C:\Program Files\IBM\Lotus\Domino); under Linux operating systems in the Lotus Domino server's data directory (default path: /local/notesdata). 42

43 D A T A B A S E U P D A T E S Updates received from one of the servers can be used to update Kaspersky Anti-Virus installed on other Domino servers. To this end, the kavcommon\updater\retranslation service folder must be specified as the update source (under Linux operating systems kavcommon/updater/retranslation), which is located on the update source server at the following address: under Microsoft Windows operating systems in the Lotus Domino server's directory of binary files (default path: C:\Program Files\IBM\Lotus\Domino); under Linux operating systems in the Lotus Domino server's data directory (default path: /local/notesdata). If Kaspersky Anti-Virus is installed on several servers, one of them can copy updates over the Internet and the others can access the network resource on which this server placed the newly-received updates (see section "Anti-virus database update schemes" on page 43). During the update process Kaspersky Anti-Virus compares the anti-virus databases located on the server and in the update source. If the anti-virus databases differ in content, the missing section is copied from the update source. The fact that not all the databases are downloaded significantly increases the speed of copying files and considerably reduces Internet traffic. Loading of updates can be scheduled or manual. Information about events registered by Kaspersky Anti-Virus during the update process is recorded in the Event log and statistics database (see section "Event log and statistics" on page 69). You can configure the update settings for several servers by using a profile, or set values for each server individually (see section "Configuring Kaspersky Anti-Virus" on page 21). If Kaspersky Lab update servers are unavailable (for example, your Internet connection is down), contact Kaspersky Lab Technical Support Service (see section "Ways to receive technical support" on page 90 and section "Contacting Technical Support" on page 90) to receive the updates in ZIP format. You can copy the updates to an FTP or HTTP site, or save them in a local or network folder. WAYS TO UPDATE ANTI-VIRUS DATABASES If Kaspersky Anti-Virus is installed on only one server, you can download updates from either Kaspersky Lab update servers or another source of anti-virus updates: FTP / HTTP server, local or network folder (see figure below). Figure 7. Distributed scheme of Kaspersky Anti-Virus updates 43

44 A D M I N I S T R A T O R ' S G U I D E If Kaspersky Anti-Virus is installed on several servers, you can use the following update schemes: distributed updates are downloaded directly from the Internet onto every protected server (see figure above); centralized updates are downloaded from the Internet onto one of the servers, while the other servers refer to the directory on this server in which Kaspersky Anti-Virus has stored the updates (see figure below). Figure 8. Centralized scheme of Kaspersky Anti-Virus updates To create a centralized update scheme: 1. Select the server that will receive updates over the Internet and be used as the update source for other servers. In the update settings for this server, specify the Kaspersky Lab update servers as the update source (see section "Selecting an update source" on page 45). 2. Grant all servers that will be receiving updates from the selected server read access to the kavcommon\updater\retranslation folder located on this server (under Linux operating systems kavcommon/updater/retranslation). 3. Specify the kavcommon\updater\retranslation folder (under Linux operating systems kavcommon/updater/retranslation) as the update source for all servers that will be receiving updates from the selected server. If you use the centralized update scheme, we recommend setting the value KAVCustomUpdUrlOnly=1 in the notes.ini file (see section "Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file" on page 23) for the servers to be receiving updates from the selected server. 44

45 D A T A B A S E U P D A T E S SELECTING AN UPDATE SOURCE Update settings can be configured for a group of servers or an individual server. To specify a single update source for a group of servers, use the profile settings. To specify an update source for an individual server, use the server settings. To specify an update source: 1. Select one of the following options to configure update settings: If you are configuring the update settings for a group of servers, select a profile (see section "Viewing and editing profile settings" on page 36). If you are configuring the update settings for a separate server, select a server (see section "Viewing and editing server settings" on page 36). 2. On the action panel click the Modify button to switch to settings editing mode. 3. In the control panel select the Anti-virus databases update tab. If you are configuring the update settings for a server, clear the Use profile settings check box in the Update settings section. If the check box is selected, the update settings cannot be changed. If you want to use the values set in the update profile, select the Use profile settings check box. 4. Specify the update source. To do so, under Update settings select one of the following values in the Update source dropdown list: Kaspersky Lab update servers Kaspersky Lab's Internet sites which host updates for all the company's applications will be used as an update source. This source of updates is selected by default. Other HTTP, FTP servers or network resources the resource specified in the URL address (in the profile settings) or Update source address (in the server settings) is used as the update source. Specify an FTP or HTTP server, local or network directory. The path to the resource should be entered in UNC (Universal Naming Convention) format. FTP servers with authorization can be used as update sources. HTTP servers with authorization cannot be used as update sources. If you want updates to be copied from the Kaspersky Anti-Virus service folder located on a different protected server, in the URL address (profile settings) or the Update source address (server settings) specify the path to the kavcommon\updater\retranslation folder (under Linux operating systems kavcommon/updater/retranslation). Under Microsoft Windows operating systems, the path to the folder is specified relative to the Lotus Domino server's directory of binary files (by default C:\Program Files\IBM\Lotus\Domino). Under Linux operating systems, the path to the directory is specified relative to the Lotus Domino server's data directory (by default /local/notesdata). If the update from your specified source fails, Kaspersky Anti-Virus connects to a different update source from which the most recent successful update was performed, or to a Kaspersky Lab update server. If you want the server to receive updates only from the update source that you specify, set the value of the setting KAVCustomUpdUrlOnly=1 in the notes.ini configuration file (see section "Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file" on page 23). 5. Configure the proxy server settings if the connection to the update source is via a proxy server. To do this: Select the Use proxy server check box and enter the IP address or symbol name of the proxy server in the Address field and the port number of the proxy server through which the connection will be established in the Port field. 45

46 A D M I N I S T R A T O R ' S G U I D E Select the Use proxy server authentication check box if the connection to the proxy server requires user authentication. Enter the user account data in the User and Password fields. Since the password for accessing the proxy server is stored in the kavcontrolcenter.nsf database, users having access to this database can know this password. In light of this, we recommend granting users access to the kavcontrolcenter.nsf database only when absolutely necessary, and monitoring access. When a user who had access to the kavcontrolcenter.nsf database is dismissed or reassigned, we recommend changing the proxy server access password. 6. In the action panel click the Apply button to save the changes. If you configure update settings for a group of servers, you can restore the default settings (see section "Default server protection" on page 40). To do so, click the Restore defaults button. SCHEDULED UPDATES Kaspersky Anti-Virus updates the anti-virus databases in accordance with the update schedule. You can set common settings for a group of servers using a profile or set individual values for an individual server through the server settings. To configure the update schedule for a server or a group of servers: 1. Select one of the following options to configure update settings: If you are configuring the update settings for a group of servers, select a profile (see section "Viewing and editing profile settings" on page 36). If you are configuring the update settings for a separate server, select a server (see section "Viewing and editing server settings" on page 36). 2. On the action panel click the Modify button to switch to settings editing mode. 3. In the control panel select the Anti-virus databases update tab. If you are configuring the update settings for a server, clear the Use profile settings check box in the Update settings section. If the check box is selected, the update settings cannot be changed. If you want to use the values set in the update profile, select the Use profile settings check box. 4. In the Schedule section (see figure above), select one of the following values in the Startup frequency dropdown list: Daily an update is performed every day at the specified time. The first update will be at 00h 00m by default. Monthly an update is performed once a month on the set date at the specified Startup time. To specify the update start time, specify the relevant value in the Startup time field in HH:MM format. If the number of days in the months is less than the set value, the update is performed on the last day of the month. Weekly the databases are updated every week on set days at the specified Startup time. To specify the update start schedule, select check boxes opposite the days of the week when the update should be started, and enter the relevant value in the Startup time field in HH:MM format. Manually a scheduled update will not be performed. You can run an update for an individual server by clicking the Start update link (see section "Manual update" on page 47) or from the command line of the Lotus Domino server console (see section "Using the server console" on page 88). Manual updates are not available for a group of servers. 5. In the action panel click the Apply button to save the changes. If you are configuring the update settings for a group of servers, you can restore the default values. To do so, click the Restore defaults button. 46

47 D A T A B A S E U P D A T E S MANUAL UPDATES You can launch a manual update of the anti-virus databases only for one server. This update mode is not available for a group of servers. To perform a manual update of the anti-virus databases: 1. Select the server for which you want to start the anti-virus database update (see section "Viewing and editing server settings" on page 36). 2. In the control panel select the Anti-virus databases update tab. The tab displays information about the date and time of the previous and next database update according to the schedule. You can monitor the update process through the Lotus Domino console. 3. Click the Start update link to run the anti-virus update for the server. Anti-virus database updates can also be launched manually from the command line of the Lotus Domino server console (see section "Using the server console" on page 88). 47

48 MAIL PROTECTION This section describes how to enable or disable mail protection for a Lotus Domino server, how to select objects to be scanned, how to configure the filtering of attachments, how to configure objects processing based on antivirus scan results. IN THIS SECTION Mail protection algorithm Enabling and disabling mail protection Selecting mail protection objects Actions on mail objects Configuring actions to take on mail objects Configuring mail attachment filtering MAIL PROTECTION ALGORITHM If mail anti-virus protection is enabled (see section "Enabling and disabling mail protection" on page 49), Kaspersky Anti- Virus scans and processes all incoming, outgoing and routed messages on the Lotus Domino server. Delivery of messages is delayed while they are scanned and processed. messages are broken into their constituent parts: body, attachments and OLE-objects. After this, attached objects are filtered by size and (or) filename (see section "Attachment filtering algorithm" on page 19) and scanned for viruses (see section "Anti-virus scanning algorithm" on page 20). Kaspersky Anti-Virus uses the kavmonitor task to scan messages on the Lotus Domino server. If the kavmonitor has been stopped (or has not been started), anti-virus scanning of mail is not performed. Unprocessed messages are not delivered to users, and are instead stored in the mail.box database. The kavmonitor task has to be started in order for messages to be delivered to users. Infected and potentially infected objects, as well as ones unprocessed due to system failure or damage, which are detected as a result of scanning are processed in accordance with the mail protection settings (see section "Actions on objects50" on page ). A separate procedure may be assigned for attachments that exceed the maximum allowed size and / or whose names match the filename mask (see section "Configuring mail attachment filtering" on page 52). After installation the application uses the default mail protection settings (see section "Default server protection" on page 40). You can change them in accordance with the security requirements of the protected Lotus Domino server. Some of the default settings listed in this section are disabled or can be disabled by the administrator. By default, before being processed, a copy of the whole message or a copy of the object is placed in Quarantine (see page 65). Information that a message has been scanned by Kaspersky Anti-Virus and a description of actions taken are added to the subject and message body. Notifications about actions taken during mail processing are sent to the sender and recipients of the message and administrators (see section "Notifications" on page 77). Information about the results of scanning and actions taken is recorded in the Event log and statistics database (see section "Event log and statistics" on page 69). 48

49 M A I L P R O T E C T I O N After objects have been scanned and processed, the message is returned to the Lotus Domino system for subsequent delivery. You can disable scanning of attachments, OLE objects and message body (see section "Selecting protection objects" on page 50). You can also limit the time taken to scan an object, which can increase the overall speed of scanning messages (see section "Configuring performance settings" on page 64). Objects that do not exceed the set value can be scanned in the server's operational memory without being saved on the hard drive (see section "Configuring performance settings" on page 64). The mail protection settings are defined by the profile that applies to the protected server. It is not possible to configure mail protection settings for an individual server. However, it is possible to disable (enable) mail protection only for each server individually (see section "Enabling and disabling mail protection" on page 49). Please note the following restrictions in the operation of mail protection: Threats cannot be detected in messages encrypted with the public key of the recipient. The electronic signature of messages signed by the sender is violated when a scanning report is added to the text of a message or attached files with threats are replaced with disinfected ones. ENABLING AND DISABLING MAIL PROTECTION Mail protection is enabled by default and starts automatically when the Lotus Domino server is launched. Information about the launch of mail protection modules is recorded in the Kaspersky Anti-Virus Event log. To enable or disable mail protection: 1. Select the server for which you want to enable or disable mail protection (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the Information tab (see figure below). Figure 9. Enabling / disabling mail protection 49

50 A D M I N I S T R A T O R ' S G U I D E 3. Under Protection status in the Mail protection line (see figure below), select the required option: Enable or Disable. 4. In the action panel click the Apply button to save the changes. SELECTING MAIL PROTECTION OBJECTS If mail anti-virus protection is enabled, Kaspersky Anti-Virus scans the body of the message, all file attachments in any format and embedded OLE objects. You can disable scanning of the listed objects as required. When scanning multi-volume archives, Kaspersky Anti-Virus processes each of them as a separate object. Malicious code can be detected only if it is wholly contained in one of these volumes. If code is divided into parts across several volumes, it cannot be detected during scanning. Therefore, it is recommended that multi-volume archives be scanned after being saved on the hard drive by the Anti-Virus application on the computer. To select mail protection objects: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Mail protection General. 3. In the Object protection section, select the objects to scan. To do so, select the following check boxes: Attachments. Kaspersky Anti-Virus scans all files attached to the message. OLE objects. Kaspersky Anti-Virus scans all OLE objects embedded in the message. Message text. Kaspersky Anti-Virus scans the body of the message. If a check box is not selected, the relevant objects will not be scanned. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. ACTIONS ON MAIL OBJECTS Kaspersky Anti-Virus processes objects in accordance with their assigned status following anti-virus scanning and filtering of attachments (see section "Processing objects and taking actions on them" on page 21). Uninfected objects are returned to the mail system without any changes. Actions on infected, potentially infected, protected, and not scanned objects can be configured by the administrator. Actions to be taken by the application are defined separately for each object status. The following actions are taken on objects by default: If an object is labeled as infected, Kaspersky Anti-Virus disinfects it and returns the disinfected object to the mail system. If an object is declared potentially infected, Kaspersky Anti-Virus deletes it from the message. If an object could not be scanned (for example, the time assigned for scanning has elapsed) or the object is a password-protected archive, Kaspersky Anti-Virus skips this object. By default, copies are stored in the Quarantine database before objects are cured or deleted. Information about detected objects and actions taken is recorded in the Event log and statistics database (on page 69). 50

51 M A I L P R O T E C T I O N After all objects included in the message undergo anti-virus scanning and the configured actions are taken on them, the entire message can be subjected to one of the following additional actions: additional information can be added to a subject or message body. notifications are composed and delivered to senders, recipients and administrators (notification is disabled by default). the entire original message is moved to the Quarantine database if the message has been found to contain an infected or probably infected object. CONFIGURING ACTIONS TO TAKE ON MAIL OBJECTS To configure actions on mail objects: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Mail protection Actions. 3. On the Actions tab, select the settings section that corresponds to the status of the object the processing of which you want to configure. You can select the following settings sections: Infected object configure settings for processing infected objects. Probably infected object configure settings for potentially infected objects. Protected object configure settings for processing protected objects. Not scanned object configure settings for not scanned objects. 4. Select the action to be taken on the detected object. You can do so by selecting the Disinfect, Skip or Delete option and select the corresponding check boxes: Move to Quarantine a copy is stored in the Quarantine database before the object is processed. Save statistics information about the object detected and actions taken on it is stored in the locations specified in the Save information section on the General settings tab. If several information storage locations have been selected, information is saved in all of the specified locations: To console (Domino log.nsf system log); To event log; To file (default filename: server(n).log, where N is the sequential number of the log). 5. Configure the settings for notifications to administrators about detected objects and actions taken (see section "Notifications" on page 77). 6. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. To configure actions to be taken by Kaspersky Anti-Virus after scanning messages and all their component objects: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Mail protection Additional. 51

52 A D M I N I S T R A T O R ' S G U I D E 3. On the Additional tab you can select the action to be taken by Kaspersky Anti-Virus after scanning a message and all of its component objects. To do so, select the Add label to message subject check box. Kaspersky Anti-Virus adds the text specified in the Message label field to the subject of the scanned message. By default, the Message label field contains the words Scanned by Kaspersky Anti-Virus for Lotus Domino. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. CONFIGURING MAIL ATTACHMENT FILTER SETTINGS Kaspersky Anti-Virus can filter objects attached to messages (see section "Attachment filtering algorithm" on page 19). You can use filtering to exclude from anti-virus scanning attachments that satisfy the filter settings and set a separate procedure for them. By default, attachments are not filtered. To configure the attachment filtering settings: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Mail protection General. 3. In the Attachment filtering section (see figure above), you can configure the filtering settings for objects attached to messages. To do so, select the following check boxes and specify the values of their corresponding settings: Filter by size. Check this box if you want Kaspersky Anti-Virus to check the size of objects attached to messages. In the Do not scan objects larger than field, specify the value in kilobytes above which objects is filtered and excluded from anti-virus scanning. In the dropdown list, select an item corresponding to the status to be assigned by Kaspersky Anti-Virus to this object. Objects are assigned not scanned status by default. Filter by name. Select this check box if you want Kaspersky Anti-Virus to check the names of objects attached to messages. In the Do not scan objects by mask field, set the masks of the filenames that will be filtered and excluded from anti-virus scanning. In the dropdown list, select an item corresponding to the status to be assigned by Kaspersky Anti-Virus to this object. Objects are assigned not scanned status by default. Filtering by filename is case-sensitive. You can specify several file name masks separated by the ";" symbol. Use the following symbols to create a mask: * an arbitrary string of characters of any length. For example, if the mask is set to abc*, no file whose name begins with abc is scanned: abc.exe, abc1.com, abc2.rar.? any single character. For example, if the mask is set to abc?.exe, no file whose name begins with abc followed by one other character after c is scanned: abc1.exe. However, the file abc12345.exe will be scanned. If the Filter by size and Filter by name check boxes are not selected, the objects corresponding to them are not filtered. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. 52

53 REPLICATION PROTECTION This section describes how to enable or disable replication protection, how to select replication objects for scanning, how to configure filtering of attachments, and how to configure the processing of replication objects after an anti-virus scan. IN THIS SECTION Replication protection algorithm Enabling and disabling replication protection Selecting replication protection objects Configuring actions on objects in replication protection mode Configuring actions on objects in replication protection mode Configuring the filtering of attachments in replication protection mode REPLICATION PROTECTION ALGORITHM If anti-virus replication protection is enabled (see section "Enabling and disabling replication protection" on page 54), Kaspersky Anti-Virus scans documents placed on the protected server that have been modified at the time replication started. Contents of the fields in Rich Text and MIME format, attached files, and embedded OLE objects undergo a scan for threats. Outgoing replications are not scanned. Infected and potentially infected objects, protected objects and also objects unprocessed due to system failure or corruption, which are detected as a result of scanning are processed in accordance with the replication protection settings (see section "Actions on objects in replication protection mode" on page 55). After installation the application uses the default replication protection settings (see section "Default server protection" on page 40). You can change them in accordance with the security requirements of the protected Lotus Domino server. A separate procedure may be assigned for attachments that exceed the maximum allowed size and (or) whose names match the filename mask (see section "Configuring the filtering of attachments in replication protection mode" on page 56). By default, before being processed, a copy of the dangerous object moved to Quarantine (see page 65). The document in which the dangerous object is contained is not placed in quarantine. A notification that the document has been scanned by Kaspersky Anti-Virus and a description of actions taken are sent to administrators (see section "Notifications" on page 77). Information about the results of object scanning and actions taken is recorded in the Event log and statistics database (see section "Event log and statistics" on page 69). You can disable scanning of attachments, OLE objects and the contents of RTF and MIME fields (see section "Selecting replication protection objects" on page 54). To increase the overall speed of replication scanning, you can limit the time that can be spent on scanning a single object (see section "Configuring performance settings" on page 64). If the size of the object does not exceed the set value, the object is scanned in the server's operating memory without being saved on the hard drive. The replication protection settings are defined by the profile that applies to the protected server. It is not possible to configure replication protection settings for an individual server. However, it is possible to disable / enable replication protection only for each server individually (see section "Enabling and disabling replication protection" on page 54). It is impossible to disable or enable replication protection for a group of servers. 53

54 A D M I N I S T R A T O R ' S G U I D E ENABLING AND DISABLING REPLICATION PROTECTION Replication protection is enabled by default and starts automatically when the Lotus Domino server is launched. Information about the launch of mail protection modules is recorded in the Kaspersky Anti-Virus Event log. You can enable and disable replication protection as required. This operation is performed for each server individually. To enable or disable replication protection: 1. Select the server for which you want to enable or disable replication protection (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the Information tab (see figure below). Figure 10. Enabling / disabling replication protection 3. Under Protection status in the Replication protection line (see figure below), select the required option: Enable or Disable. 4. In the action panel click the Apply button to save the changes. SELECTING REPLICATION PROTECTION OBJECTS If anti-virus replication protection is enabled, Kaspersky Anti-Virus scans the content of the Rich Text and MIME fields in the modified document, attached files in any format, and embedded OLE objects by default. You can disable scanning of the listed objects as required. When scanning multi-volume archives, Kaspersky Anti-Virus processes each of them as a separate object. Malicious code can be detected only if it is wholly contained in one of these volumes. If code is divided into parts across several volumes, it cannot be detected during scanning. Therefore, it is recommended that multi-volume archives be scanned after being saved on the hard drive by the Anti-Virus application on the computer. 54

55 R E P L I C A T I O N P R O T E C T I O N To select replication protection objects: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Replication protection General. 3. In the Object protection section, select the objects to scan. To do so, select the following check boxes: Attachments. Kaspersky Anti-Virus scans all files attached to the document. OLE objects. Kaspersky Anti-Virus scans all OLE objects embedded in the document. RTF and MIME fields. Kaspersky Anti-Virus scans document fields in Rich Text and MIME format. If the check box is not selected, the relevant objects are not scanned. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. ACTIONS OBJECTS IN REPLICATION PROTECTION MODE Kaspersky Anti-Virus processes objects in accordance with their assigned status following anti-virus scanning and filtering of attachments (see section "Processing objects and taking actions on them" on page 21). Uninfected objects are left in the document without any changes. Actions on infected, potentially infected, protected, and skipped objects can be configured by the administrator. Actions to be taken by the application are defined separately for each object status. The following actions are taken on objects by default: If an object is declared infected, Kaspersky Anti-Virus tries to disinfect it and the disinfected object is stored in the document at the source address. If an object is declared potentially infected, Kaspersky Anti-Virus deletes it from the document. If an object could not be scanned (for example, the time assigned for scanning has elapsed) or the object is a password-protected archive, Kaspersky Anti-Virus skips this object. By default, copies are stored in the Quarantine database before objects are disinfected or deleted (see page 65). Information about detected objects and actions taken can be sent to administrators (see section "Notifications" on page 77) and stored in the Event log and statistics database (on page 69). CONFIGURING ACTIONS ON OBJECTS IN REPLICATION PROTECTION MODE To configure actions on objects in replication protection mode: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Replication protection Actions. 3. On the Actions tab, select the settings section that corresponds to the status of the object the processing of which you want to configure. You can select the following settings sections: Infected object configure settings for processing infected objects. Probably infected object configure settings for processing potentially infected objects. Protected object configure settings for processing protected objects. Not scanned object configure settings for processing not scanned objects. 55

56 A D M I N I S T R A T O R ' S G U I D E 4. Select the action to be taken on the detected object. You can do so by selecting the Disinfect, Skip or Delete option and select the corresponding check boxes: Move to Quarantine a copy is stored in the Quarantine database before the object is processed. Save statistics information about the object detected and actions taken on it is stored in the locations specified in the Save information field on the General settings tab. If several information storage locations have been selected at once, information is saved in all of the specified locations: To console (Domino log.nsf system log); To event log; To file (default filename: server(n).log, where N is the sequential number of the log). 5. Configure the settings for notifications about detected objects and actions taken (see section "Notifications" on page 77). 6. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. CONFIGURING THE FILTERING OF ATTACHMENTS IN REPLICATION PROTECTION MODE Kaspersky Anti-Virus can filter objects attached to documents (see section "Attachment filtering algorithm" on page 19). You can use filtering to exclude from anti-virus scanning attachments that satisfy the filter settings and set a separate procedure for them. By default, attachments are not filtered. To configure the settings of attachment filtering in replication protection mode: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Replication protection General. 3. In the Attachment filtering section, you can configure the filtering settings for objects attached to documents. To do so, select the following check boxes and specify the values of their corresponding settings: Filter by size. Select this check box if you want Kaspersky Anti-Virus to check the size of objects attached to documents. In the Do not scan objects larger than field, specify the value in kilobytes above which objects will be excluded from anti-virus scanning. In the dropdown list, select an item corresponding to the status to be assigned by Kaspersky Anti-Virus to this object. Such objects are assigned not scanned status by default. Filter by name. Select this check box if you want Kaspersky Anti-Virus to check the size of objects attached to documents. In the Do not scan objects by mask field, set the masks of the filenames that will be excluded from anti-virus scanning. In the dropdown list, select an item corresponding to the status to be assigned by Kaspersky Anti-Virus to this object. Such objects are assigned not scanned status by default. Filtering by filename is case-sensitive. You can specify several file name masks separated by the ";" symbol. Use the following symbols to create a mask: * an arbitrary string of characters of any length. For example, if the mask is set to abc*, no file whose name begins with abc is scanned: abc.exe, abc1.com, abc2.rar.? any single character. For example, if the mask is set to abc?.exe, no file whose name begins with abc followed by one other character after c is scanned: abc1.exe. However, the file abc12345.exe will be scanned. If the Filter by size and Filter by name check boxes are cleared, the objects are not filtered. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. 56

57 SCANNING DATABASES This section describes how to enable or disable database scanning, how to select database objects for anti-virus scanning, how to configure filtering of attachments, how to configure the processing of database objects after an antivirus scan, and how to configure scan settings. IN THIS SECTION Database scanning algorithm Enabling and disabling database scanning Selecting database objects to be scanned Actions on objects in database scanning mode Configuring actions on objects in database scanning mode Configuring attachment filtering in database scanning mode Scheduled scanning of databases Manual scanning of databases DATABASE SCANNING ALGORITHM Databases are scanned according to schedule or by user request. Database scan settings are configured through a profile; it is not possible to configure individual settings for a server. Database scanning can be enabled or disabled (see section "Enabling and disabling database scanning" on page 58) only for each server individually. By default, database scanning is disabled. When the scan is started (either manually by the user or as scheduled), fields in database documents in Rich Text format, objects attached to documents and embedded OLE objects are scanned for threats by default. If anti-virus scanning of databases is enabled, by default Kaspersky Anti-Virus scans databases located in the root of the data folder (the folder containing all Lotus Domino server data) and in all its subfolders and external folders connected via links. You can enable or disable scanning of databases located in subfolders of the data folder and in external folders all the way down the hierarchy. Infected and potentially infected objects, as well as ones not scanned due to system failure or damage, which are detected as a result of scanning are processed in accordance with the database scan settings (see section "Actions on objects in database scanning mode" on page 60). After installation, the application uses the default settings (see section "Default server protection" on page 40). You can change them in accordance with the security requirements of the protected Lotus Domino server. Some of the default settings listed in this section are disabled or can be disabled by the administrator. You can set masks for database filenames being scanned (see section "Selecting database objects to be scanned" on page 59). In this case, Kaspersky Anti-Virus only scans database files that match a mask. By default, before being processed, a copy of the original object is created in Quarantine (see page 65). 57

58 A D M I N I S T R A T O R ' S G U I D E A notification that the document has been scanned by Kaspersky Anti-Virus and a description of actions taken are sent to administrators (see section "Notifications" on page 77). Information about the results of object scanning and actions taken is recorded in the Event log and statistics database (see section "Event log and statistics" on page 69). Kaspersky Anti-Virus lets you exclude individual databases from scanning (see section "Selecting database objects to be scanned" on page 59). The Quarantine database (kavquarantine.nsf) is excluded from the scan by default. You can disable scanning of attachments, OLE objects, and Rich Text and MIME fields (see section "Selecting database objects to be scanned" on page 59). To increase the overall speed of database scanning, you can limit the time that can be spent on scanning a single object (see section "Configuring performance settings" on page 64). ENABLING AND DISABLING DATABASE SCANNING By default, database scanning is disabled and is started according to schedule or manually by the user. Information about the launch of database scanning modules is recorded in the Kaspersky Anti-Virus Event log. You can enable and disable database scanning as required. This operation is performed for each server individually. To enable or disable database scanning: 1. Select the server for which you want to enable or disable database scanning (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the Information tab (see figure below). Figure 11. Enabling / disabling database scanning 3. Under Protection status in the Database scanning line (see figure below), select the required option: Enable or Disable. 4. In the action panel click the Apply button to save the changes. 58

59 S C A N N I N G D A T A B A S E S SELECTING DATABASE OBJECTS TO BE SCANNED By default, Kaspersky Anti-Virus scans databases located in the data directory (including subdirectories). In accordance with the scan settings, Kaspersky Anti-Virus generates a list of documents to be scanned and then scans the Rich Text and MIME fields of each document, all attached objects, including archives, and embedded OLE objects. You can disable scanning of the listed objects as required. When scanning multi-volume archives, Kaspersky Anti-Virus processes each of them as a separate object. Malicious code can be detected only if it is wholly contained in one of these volumes. If code is divided into parts across several volumes, it cannot be detected during scanning. Therefore, it is recommended that multi-volume archives be scanned after being saved on the hard drive by the Anti-Virus application on the computer. To select objects for anti-virus scanning of databases: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Database scanning General. 3. In the Object protection section, select the objects to scan. To do so, select the following check boxes: Attachments. Kaspersky Anti-Virus scans all files attached to the document. OLE objects. Kaspersky Anti-Virus scans all OLE objects embedded in the document. RTF and MIME fields. Kaspersky Anti-Virus scans document fields in Rich Text and MIME format. If the check box is cleared, the relevant objects are not scanned. 4. In the Scan objects by mask field, set masks for the names of the database files that will be scanned by Kaspersky Anti-Virus. You can specify several file name masks separated by the ";" symbol. Use the following symbols to create a mask: * an arbitrary string of characters of any length. For example, when the abc* mask is entered the application does not scan files whose name begins with the abc sequence: abc.exe, abc1.com, abc2.rar.? any single character. For example, if the mask is set to abc?.exe, no file whose name begins with abc followed by one other character after c will be scanned: abc1.exe. However, the file abc12345.exe will not be scanned. The value * or *.* is specified by default, which means that databases with any names are scanned. 5. Select the Scan subfolders check box if you want Kaspersky Anti-Virus to scan database files located in subfolders of the data directory down to the lowest level of the hierarchy. If you want Kaspersky Anti-Virus to scan only database files located in the root of the data directory, clear the Scan subfolders check box. You can also specify a mask for scanning folders taking into account the path where the database is located: If the path is not specified in the mask, all databases whose names match the mask in all folders are scanned. For example, when the m*.nsf mask is entered, all databases whose names begin with an "m" are scanned. If the path is specified in the mask and the Scan subfolders check box is selected, the databases are scanned in the specified folder and in its subfolders in accordance with the specified mask. For example, when the DATA/Acme/m*.nsf mask is entered and the Scan subfolders check box is selected, the application scans all databases whose name begins with an "m" and which are located in the Acme folder and its subfolders. 59

60 A D M I N I S T R A T O R ' S G U I D E If the path is specified in the mask and the Scan subfolders check box is cleared, the application scans only databases in the specified folder. For example, when the DATA/Acme/m*.nsf mask is entered and the Scan subfolders check box is cleared, the application scans all databases whose name begins with an "m" and which are located in the Acme folder. The application does not scan databases in subfolders of the Acme folder. 6. In the Exclude from scanning field, specify the names of the databases to be excluded from the scan. You can specify several values using the ";" symbol to separate them. Only the Quarantine database (kavquarantine.nsf) is excluded from the scan by default. 7. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. ACTIONS ON OBJECTS IN DATABASE SCANNING MODE Kaspersky Anti-Virus processes objects in accordance with their assigned status following anti-virus scanning and filtering of attachments (see section "Processing objects and taking actions on them" on page 21). Uninfected objects are allowed through without any modifications. Actions on infected, potentially infected, protected, and skipped objects can be configured by the administrator. Actions to be taken by the application are defined separately for each object status. The following actions are taken on objects by default: If an object is declared infected, Kaspersky Anti-Virus tries to disinfect it and the disinfected object is stored in the document at the original address. OLE objects are not disinfected. Kaspersky Anti-Virus deletes infected OLE objects. If an object is declared potentially infected, Kaspersky Anti-Virus deletes it from the document. If an object could not be scanned (for example, the time assigned for scanning has elapsed) or the object is a password-protected archive, Kaspersky Anti-Virus skips this object. A copy of the object is saved in the Quarantine database before the object is processed (see page 65). Information about detected objects and actions taken can be sent to administrators (see section "Notifications" on page 77) and stored in the Event log and statistics database (see section "Event log and statistics" on page 69). CONFIGURING ACTIONS ON OBJECTS IN DATABASE SCANNING MODE To configure actions on objects in database scanning mode: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Database scanning Actions. 3. On the Actions tab, select the settings section that corresponds to the status of the object the processing of which you want to configure. You can select the following settings sections: Infected object configure settings for processing infected objects. Probably infected object configure settings for processing potentially infected objects. Protected object configure settings for processing protected objects. Not scanned object configure settings for processing not scanned objects. 60

61 S C A N N I N G D A T A B A S E S 4. Select the action to be taken on the detected object. You can do so by selecting the Disinfect, Skip or Delete option and select the corresponding check boxes: Move to Quarantine a copy is stored in the Quarantine database before the object is processed. Save statistics information about the object detected and actions taken on it is stored in the locations specified in the Save information field on the General settings tab. If several information storage locations have been selected at once, information is saved in all of the specified locations: To console (Domino log.nsf system log); To event log; To file (default filename: server(n).log, where N is the sequential number of the log). 5. Configure the settings for notifications about detected objects and actions taken (see section "Notifications" on page 77). 6. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. CONFIGURING ATTACHMENT FILTERING IN DATABASE SCANNING MODE During database scanning, Kaspersky Anti-Virus makes it possible to exclude from anti-virus scanning the attachments to documents that match the filter criteria, and specify a separate processing procedure for them. When scanning databases the same principle is used for filtering attachments as for filtering mail attachments. By default, attachments are not filtered. To configure attachment filtering settings in database scanning mode: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control panel select Database scanning General (see figure below). Figure 12. Configuring the settings of attachment filtering in database scanning mode 61

62 A D M I N I S T R A T O R ' S G U I D E 3. In the Attachment filtering section, you can configure the filtering settings for objects attached to documents. To do so, select the following check boxes and specify the values of their corresponding settings: Filter by size. Select this check box if you want Kaspersky Anti-Virus to check the size of objects attached to documents. In the Do not scan objects larger than field, specify the value in kilobytes above which objects will be excluded from anti-virus scanning. In the dropdown list, select an item corresponding to the status to be assigned by Kaspersky Anti-Virus to this object. Such objects are assigned not scanned status by default. Filter by name. Select this check box if you want Kaspersky Anti-Virus to check the size of objects attached to documents. In the Do not scan objects by mask field, set the masks of the filenames that will be excluded from anti-virus scanning. In the dropdown list, select an item corresponding to the status to be assigned by Kaspersky Anti-Virus to this object. Such objects are assigned not scanned status by default. Filtering by filename is case-sensitive. You can specify several file name masks separated by the ";" symbol. Use the following symbols to create a mask: * an arbitrary string of characters of any length. For example, if the mask is set to abc*, no file whose name begins with abc is scanned: abc.exe, abc1.com, abc2.rar.? any single character. For example, if the mask is set to abc?.exe, no file whose name begins with abc followed by one other character after c is scanned: abc1.exe. However, the file abc12345.exe will be scanned. If the Filter by size and Filter by name check boxes are cleared, the objects are not filtered. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. SCHEDULED SCANNING OF DATABASES You can configure scheduled scans of databases. The database scan schedule settings can be specified only for a group of servers by means of profile settings. To configure a scheduled scan of databases: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. In the action panel click the Modify button and in the control area select the Database scanning tab (see figure below). Figure 13. Configuring scheduled scans of databases 62

63 S C A N N I N G D A T A B A S E S 3. In the Schedule section (see figure above), select one of the following values in the Startup frequency dropdown list: Weekly. Kaspersky Anti-Virus scans databases every week on set days at the specified Startup time. To specify the database scan start schedule, select check boxes opposite the days of the week when the scan should be started, and enter the relevant value in the Startup time field in HH:MM format. Monthly. Kaspersky Anti-Virus scans databases every month on set days at the specified Startup time. To specify the database scan start time, specify the relevant value in the Startup time field in HH:MM format. If the number of days in the month is less than the set value, the database scan is performed on the last day of the month. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. MANUAL SCANNING OF DATABASES You can start a manual scan of databases for a separate server. This scan mode is not available for a group of servers. To launch a manual database scan: 1. Select the server for which you want to start a database scan (see section "Viewing and editing server settings" on page 36). 2. In the control panel select the Database scanning tab. The tab displays information about the date and time of the most recent and next database scan, according to the schedule. 3. Click the Start scan link to start the database scan. Database scanning can also be launched manually from the command line of the Lotus Domino server console (see section "Using the server console" on page 88). 63

64 CONFIGURING PERFORMANCE SETTINGS You can control the performance of Kaspersky Anti-Virus while it scans objects using the following settings: Scan time for one object. Object scanning is stopped when the time limit is exceeded. Kaspersky Anti-Virus assigns not status to the object and proceeds to scanning the next object. Scanning an object in computer memory. If the size of the object does not exceed the set value, the object is scanned in the server's operating memory without being saved on the hard drive. Kaspersky Anti-Virus performance settings are configured for each protection component separately. To configure Kaspersky Anti-Virus performance settings: 1. Select the profile whose settings you want to edit (see section "Viewing and editing profile settings" on page 36). 2. On the action panel click the Modify button to switch to settings editing mode. 3. On the control panel, open the Mail protection, Replication protection or Database scanning tab and select the General tab (see figure below). Figure 14. Configuring Kaspersky Anti-Virus performance settings in database scanning mode 4. In the Performance section, configure the application performance settings. To do this: In the Maximum scan duration field, set the maximum scan time for one object in milliseconds. The default maximum scan duration is 120 s. Select the Scan objects in memory check box and in the Maximum object size fields, specify the maximum size in kilobytes of one object that can be scanned. The default maximum size of an object is 1024 KB. 5. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. 64

65 QUARANTINE This section describes how to view quarantined objects, how to configure the processing of quarantined objects, and how to configure quarantine settings. IN THIS SECTION About the Quarantine database Viewing quarantined objects Actions on quarantined objects Configuring Quarantine settings ABOUT THE QUARANTINE DATABASE During mail protection, replication protection, and database scanning, Kaspersky Anti-Virus processes objects in accordance with their assigned status following anti-virus scanning and filtering of attachments (see section "Processing objects and taking actions on them" on page 21). By default, before disinfecting and deleting an object Kaspersky Anti- Virus creates a copy of the object and saves it in the Quarantine database kavquarantine.nsf. The Quarantine database is used to store quarantined objects and take actions on them. The Quarantine database is stored on each one of the protected servers as a copy and contains the original objects moved to Quarantine by the Mail protection, Replication protection, or Database scanning tasks. When installing the application, you can choose whether to store Quarantine objects in all replicas or if the Quarantine database will store only objects from its respective server (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide). By default, objects labeled as infected or potentially infected following an anti-virus scan are moved to Quarantine before being disinfected or deleted. You can configure the criteria for quarantining objects separately for each object status in the mail protection, replication protection, and database scanning settings. It is not possible to place objects in quarantine manually. The database kavquarantine.nsf is created in the Kaspersky Anti-Virus database directory when the application is installed (the default directory is kavdatabases). Quarantined objects can only be accessed through the Control Center database user interface (see section "Application interface" on page 31). To make viewing and finding information in the Quarantine database more convenient, objects placed in quarantine as a result of scanning messages, replications and databases are shown in different sections (see section "Viewing quarantined objects" on page 66). The maximum duration of object storage in Quarantine is 30 days. You can change the storage time of objects in the server settings. If the object storage period is limited (see section "Configuring Quarantine" on page 68), when this time elapses the objects whose storage duration exceeds this limit are deleted from the Quarantine database. If necessary, you can delete objects from Quarantine manually. The total size of quarantined objects is limited to the physical size of the database. The maximum size of the Quarantine database is 64 GB. When this value is reached objects will no longer be placed in quarantine. In this case, we recommend that you manually delete objects already in quarantine (see section "Actions on quarantined objects" on page 67), or modify the settings for quarantined objects. 65

66 A DMI N I S T R A T O R ' S G U I D E VIEWING QUARANTINED OBJECTS Objects in the Quarantine database can be viewed via the user interface of the Control Center database. To make viewing and finding information in the database more convenient, objects placed in quarantine as a result of scanning messages, replications and databases are shown in different sections. You can view quarantined objects of the following types: messages, databases, replications. Each type of object is displayed in a separate window. You can open Quarantine records for all protected servers simultaneously. To view objects in the Quarantine database and information about them: 1. Select a random server included in any profile (see section "Viewing and editing server settings" on page 36). If the Store quarantined objects in all replicas check box was not selected during installation of the application in the deployment settings, each replica stores the records of only one (current) server (for details see the Kaspersky Anti-Virus 8.0 for Lotus Domino Implementation Guide). 2. On the action panel, click the Open Quarantine database button, and in the dropdown list select one of the following items: messages. Databases. Replications. As a result, Quarantine records for all protected servers are displayed on the control panel. Records of quarantined messages are grouped by the date they were placed in quarantine and the address of the sender. Records of objects placed in quarantine as a result of scanning replications and databases are grouped by the date when the objects were quarantined and the names of the databases in which the scanned documents are held. To open the full list of grouped records, click the ">" symbol. To close the list, click the icon. You can view additional information about each object placed in quarantine. The following details are displayed in the viewing panel under Details: For messages: Date the date and time when the object was placed in quarantine. Server name the name of the server on which the scan was performed. Sender the address of the sender of the message. Recipients the addresses of the recipients of the message. Copy the addresses of the recipients of a copy of the message. Bcc the addresses of the recipients of a blind copy of the message. Message subject subject of the quarantined message. List of attached files. Text information containing the object name, the reason why it has been moved to Quarantine, and the list of actions taken on the object. 66

67 Q U A R A N T I N E For replicated documents and database documents: Date the date and time when the object was placed in quarantine. Server the name of the server on which the scan was performed. Module the name of the module that performed the scan and placed the object in quarantine. Database the name of the database in which the object is located. Modified the name of the user who last modified the document and the name of the server on which it was performed in the User name / Server name format. Document the number (name) of the quarantine document on the Lotus Domino server. List of attached files. Text information containing the object name, the reason why it has been moved to Quarantine, and the list of actions taken on the object. ACTIONS ON QUARANTINED OBJECTS Prior to disinfecting or deleting an object that has been labeled as infected or potentially infected following an anti-virus scan, Kaspersky Anti-Virus moves an object copy to the Quarantine database. You can take the following actions on quarantined objects: delete objects manually; delete records created sooner than the specified number of days ago from the Quarantine database; forward messages from the Quarantine database to recipients. Kaspersky Anti-Virus automatically deletes objects from the Quarantine database on expiry of the object storage time period specified in the server settings. To delete objects from the Quarantine database manually: 1. Select a random server included in any profile (see section "Viewing and editing server settings" on page 36). 2. On the action panel, click the Open Quarantine database button, and in the dropdown list select one of the following items: messages. Databases. Replications. As a result, Quarantine records for all protected servers are displayed on the control panel. 3. On the control panel, maximize the list of grouped records by clicking the icon. 4. In the list of records, click the object that you want to delete from quarantine and then click the Delete button. You can select several objects using the Ctrl and Shift key combination. To forward an message from the Quarantine database to its recipients: 1. Select a random server included in any profile (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Open Quarantine database button and in the dropdown list select messages item. The control panel shows records of quarantined messages across all protected servers. 67

68 A D M I N I S T R A T O R ' S G U I D E 3. On the control panel, maximize the list of grouped records by clicking the icon. 4. In the list of records, use the mouse to select the message that you want to forward and then click the Forward to recipients button in the viewing panel. You can select several messages using the Ctrl and Shift key combination. To delete records created sooner than the specified number of days ago from the Quarantine database: 1. Select a random server included in any profile (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Delete records button and in the dropdown list select Quarantine. 3. In the window that opens, enter the number of days and click OK to delete Quarantine records created sooner than the specified period. CONFIGURING QUARANTINE You can change the period during which objects are stored in the Quarantine database. To change the storage time of objects in the Quarantine database: 1. Select the server whose settings you want to edit (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the General settings tab (see figure below). Figure 15. Configuring Quarantine settings 3. Under Quarantine settings specify the storage time of objects in the Quarantine database in days. The default storage time of objects is 30 days. 4. In the action panel click the Apply button to save the changes. 68

69 EVENT LOG AND STATISTICS This section describes how to configure the Event log and statistics settings and how to view the Event log and statistics database (information for one server and general information about all servers). IN THIS SECTION About the Event log and statistics database Configuring the Event log Configuring the statistics settings Viewing the Event log and statistics database Deleting information from the Event log and statistics database ABOUT THE EVENT LOG AND STATISTICS DATABASE Kaspersky Anti-Virus can store information about application events and statistical information about threats detected as a result of anti-virus scanning and actions taken on them in the Event log and statistics database. The Event log and statistics database is distributed as a replica and stored on each one of the protected servers. It contains the cumulative statistics of all events on all protected servers. All modifications are distributed through the standard replication mechanism in accordance with their schedule and topology. By default, information is saved in the Event log and statistics database kaveventslog.nsf. If Kaspersky Anti-Virus uses a distributed deployment scheme, information on all protected servers is saved in the kaveventslog.nsf database. The database kavquarantine.nsf is created in the Kaspersky Anti-Virus database catalog when the application is installed (the default catalog is kavdatabases). Information stored in the Event log and statistics database can only be accessed using the Control Center database user interface. You can view and delete records in the Event log and statistics database (see section "Viewing the Event log and statistics database" on page 73). The Event log records information about the activity of Kaspersky Anti-Virus modules at the server task level of the Lotus Domino server (see section "Application architecture" on page 17). The scope of information recorded in the Event log is specified in the Detailing level section (see section "Configuring the Event log" on page 70). By default, the most important information about the operation of all Kaspersky Anti-Virus modules involves events of critical importance pointing to problems in the application or vulnerability in the server's protection. The Event log settings (see section "Configuring the Event log" on page 70) also define the location where event information is displayed and the period for storing records in the kaveventslog.nsf database. You can configure the Event log settings both for a group of servers using a profile and for each server individually. The file to be used to save the Event log can only be specified in the server settings. This setting cannot be changed using the profile. Statistical information is recorded about objects scanned for viruses, threats detected and actions taken on them. Statistical information is kept separately for each protection component. You can specify what type of information should be saved in statistics while configuring the profile settings for the mail protection, replication protection, and database scanning tasks. By default, the application stores information following the scanning of infected, potentially infected, protected, and not scanned objects with reasons why they could not be scanned. By default, records in the Event log and statistics database are stored for 30 days. You can change the storage time of event records and statistics using both profile and server settings (see section "Configuring the Event log" on page 70, "Configuring statistics" on page 71). Records are deleted automatically on expiry of the specified time period. Information from the Event log and statistics database can be deleted manually for each protected server (see section "Deleting information from the Event log and statistics database" on page 75). 69

70 A D M I N I S T R A T O R ' S G U I D E Events recorded on the protected server during the current application session can be displayed on the Lotus Domino server console and saved in a text file (see section "Configuring the Event log" on page 70). By default, five cyclically rewritable log files are used with the name server(n).log, where N is the sequential number of the log. The log files are located on the protected server in logs service directory only for this server. You can change the number of log files in use and their names and maximum size using the settings in the notes.ini configuration file (see section "Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file" on page 23). CONFIGURING THE EVENT LOG You can configure the Event log settings for a group of servers using a profile or for each server individually in the server settings. By default, the Event log settings are defined by the profile that includes the protected server. To ensure that Kaspersky Anti-Virus uses the values configured in the server settings, clear the Use profile settings check box on the General settings tab in the Log settings section. To configure the Event log: 1. Select one of the following options: If you are configuring the Event log settings for a group of servers, select a profile (see section "Viewing and editing profile settings" on page 36). If you are configuring the Event log settings for a separate server, select a server (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the General settings tab (see figure below). If you are configuring the Event log for an individual server, clear the Use profile settings check box in the Log settings section. If the check box is selected, the Event log and statistics settings are not displayed. If you want the server to use the values set in the profile, select the Use profile settings check box. Figure 16. Configuring the Event log for a server 70

71 E V E N T L O G A N D S T A T I S T I C S 3. In the Log settings section (see figure above), set the following values: In the Detailing level section, select the level of detail of information recorded in the Event log. To do so, select one of the following items in the dropdown list: Standard. Kaspersky Anti-Virus records Critical events and also important application events (such as Error connecting to the update source). This list item is selected by default. In the notes.ini file, the KAVDefaultLogLevel parameter value is set to 0 (see section "Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file" on page 23). Advanced. Kaspersky Anti-Virus records Critical events pointing to vulnerability in the server's protection and problems in the application; information is recorded about the operation of all Kaspersky Anti-Virus modules. In the notes.ini file, the KAVDefaultLogLevel parameter value is set to 1 (see section "Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file" on page 23). In the Safe information section, specify the locations for storing information about recorded events. To do so, select the following check boxes: In the log Kaspersky Anti-Virus stores event information in the Event log and statistics database (kaveventslog.nsf). You can view the Event log via the Control Center database user interface (see section "Viewing the Event log and statistics database" on page 73). The database kavquarantine.nsf is created in the Kaspersky Anti-Virus database catalog when the application is installed (the default catalog is kavdatabases). To console. Kaspersky Anti-Virus displays information about the operation of Kaspersky Anti-Virus on the Lotus Domino server console. Information is provided for the current application session. The detail level of the information is defined in the settings. To file. Kaspersky Anti-Virus stores event information in the text file of the log. By default, five cyclically rewritable log files are used with the name server(n).log, where N is the sequential number of the log. The log files are located on the protected server in the logs service directory and contain information only about this server. The logs directory is created when the application is installed and is located at the following path: under Microsoft Windows operating systems in the Lotus Domino server's directory of binary files (default path: C:\Program Files\IBM\Lotus\Domino\kavcommon); under Linux operating systems in the Lotus Domino server's data directory (default path: /local/notesdata/kavcommon). The size of log files is determined by the KAVLogFileSize in the notes.ini configuration file (see section "Configuring Kaspersky Anti-Virus settings using the notes.ini configuration file" on page 23). To view the log files, use a standard text editor under Microsoft Windows or Linux. In the server settings you can specify a different file to save information about Kaspersky Anti-Virus events. To do so, enter the name of the file in the File name field in which you want to save information about events. As a result, the file with the specified name is created in the logs service catalog. The file name cannot be changed using profile settings. In the Store records in Event log no longer than field, specify the time in days after which records on events will be automatically deleted from the Event log and statistics database (kaveventslog.nsf). The default storage time of information is 30 days. 4. In the action panel click the Apply button to save the changes. If you are configuring the update settings for a group of servers, you can restore the default values. To do so, click the Restore defaults button. CONFIGURING THE STATISTICS SETTINGS Kaspersky Anti-Virus can keep separate statistics on threats detected and actions taken for each protection component. By default, information is stored on the results of scanning infected, potentially infected, protected, and not scanned objects with reasons why they could not be scanned. 71

72 A D M I N I S T R A T O R ' S G U I D E In the profile settings, you can specify the statistical information to be saved for each protection component. It is not possible to select objects for saving statistics for a separate server. The storage time of statistical information in the Event log and statistics database can be set for a group of servers and for each individual server. Use the profile settings to configure the duration of storage of statistics for a group of servers. Use the server settings to configure the duration of storage of statistics for an individual server. The default value is 30 days and is defined by the profile that includes the protected server. To ensure that Kaspersky Anti-Virus uses the values configured in the server settings, clear the Use profile settings check box on the General settings tab in the Log settings section. To set the storage time of statistical information: 1. Select one of the following options: If you are configuring the statistics settings for a group of servers, select a profile (see section "Viewing and editing profile settings" on page 36). If you are configuring the statistics settings for a separate server, select a server (see section "Viewing and editing server settings" on page 36). 2. In the action panel click the Modify button and in the control panel select the General settings tab (see figure below). If you are configuring statistics for an individual server, select the Use profile settings check box in the Log settings section. If the check box is selected, the Event log and statistics settings are not displayed. If you want the server to use the values set in the profile, select the Use profile settings check box. Figure 17. Configuring the statistics storage period 3. Under Log settings in the Store statistics no longer than field, set the time in days after which records will be automatically deleted from the Event log and statistics (kaveventslog.nsf) database. The default storage time of information is 30 days. 4. In the action panel click the Apply button to save the changes. To restore the default settings, click the Restore defaults button. In the profile settings, you can select objects for which Kaspersky Anti-Virus will store statistics for each protection component. 72

73 E V E N T L O G A N D S T A T I S T I C S VIEWING THE EVENT LOG AND STATISTICS DATABASE You can view information saved in the Event log and statistics database (kaveventslog.nsf) on the Event log and statistics tab in the following sections: Event log. Mail protection statistics. Database scanning statistics. Replication protection statistics. You can view information for one server (see section "Viewing Event log for a server" on page 75) and also general information about all servers (see section "Viewing general Event log and statistics" on page 73), regardless of which profile they belong to. IN THIS SECTION Viewing general Event log and statistics Viewing Event log for a server VIEWING GENERAL EVENT LOG AND STATISTICS To view the general Event log and statistics for all protected servers: 1. In the switch panel, select the Event log and statistics tab. 2. In the navigation panel select the section that contains the required information: Event log, Mail protection statistics, Databases monitoring statistics or Replication scanning statistics. 3. Left-click to select one of the sections. As a result, records of the selected section for all protected servers are displayed on the control panel. The General and General sections show all the information stored in the kaveventslog.nsf database for the selected section. In the remaining sections the records are grouped to make it easier to view and find information. To open the full list of grouped events, click the ">" symbol. To close the list of events, click the "<" symbol. You can sort the records on the control panel in ascending or descending order of the values in the Date and Time columns or in alphabetical order of the values in the Server name and Module columns. To sort the records, click the symbol to the left of the relevant column. EVENT LOG The Event log section contains the following subsections: General a full list of events without any grouping. By server name a list of events grouped by the name of the server on which the events were registered. By date a list of events grouped by the date and time when they were registered. By importance a list of events grouped by their level of importance (Critical events, Important events, Informational events). 73

74 A D M I N I S T R A T O R ' S G U I D E To open the full list of grouped events, click the ">" symbol. To close the list of events, click the "<" symbol. For each event, the following information is displayed: Icons are used to depict the severity level of the event: critical event. An event of critical importance pointing to problems in the operation of Kaspersky Anti- Virus. For example, the detection of a threat or a system crash belong to this group. warning. An event that requires attention because action needs to be taken, for example, License will soon expire. informational events. An event providing information, for example, Tasks loaded successfully. Date the date when the event was logged. Time the time when the event was logged. Server name the name of the server on which the event is logged. Module the name of the module which was running when the event was logged. Event a description of logged event, including its type and additional information about it. You can sort the records on the control panel in ascending or descending order of the values in the Date and Time columns or in alphabetical order of the values in the Server name and Module columns. To sort the records, click the symbol to the left of the relevant column. STATISTICS The statistics sections contain the following subsections: General complete statistical information on the selected section without any grouping. By server name statistical information grouped by the name of the server on which the statistics were registered. By date statistical information grouped by the date and time when it was registered. By object status statistical information grouped by object status (see section "Algorithm for scanning objects for threats" on page 20). By sender statistical information grouped by the address of the senders of the infected messages (only for mail protection statistics). By database name statistical information grouped by the name of the database on which the infected documents were detected (only for replication protection and database scanning statistics). By last author statistical information grouped by the name of the person who made the most recent changes to the document (only for replication protection and database scanning statistics). To open the full list of grouped records, click the ">" symbol. To close the list, click the icon. For each record, the following information is displayed: Icon representing the status of the scanned object: object deleted; object disinfected; 74

75 E V E N T L O G A N D S T A T I S T I C S object was not scanned; object probably infected. Date the date when the object was scanned. Time the time when the object was scanned. Server name the name of the server on which the scan was performed. Sender the address of the sender of the message in which the object was detected (only for mail protection statistics). Recipients the addresses of the recipients of the message in which the object was detected (only for mail protection statistics). Database name the name of the database in which the scanned document is located (only for replication protection and database scanning statistics). Module the name of the module that scanned the object. Detected the result of the project scanning. Last author the name of the user who made the last changes to the document, and the name of the server where the changes have been made in the <UserName/ServerName> format (only for replication protection and database scanning statistics). You can sort the records on the control panel in ascending or descending order of the values in the Date and Time columns or in alphabetical order of the values in the Server name and Module columns. To sort the records, click the symbol to the left of the relevant column. VIEWING THE EVENT LOG FOR A SERVER To view the Event log for an individual server Select the server whose information you want to view (see section "Viewing and editing server settings" on page 36). Event log records for the selected server are shown in the viewing panel. The application displays the same information that appears in the common Event log (see section "Event log" on page 73) but only for the server you have selected. Records are grouped by date. To open the full list of grouped records, click the icon. symbol. To close the list, click the DELETING INFORMATION FROM THE EVENT LOG AND STATISTICS DATABASE Event log and statistics database records are deleted automatically at the expiry of the period specified in the Event log and statistics settings (see sections "Configuring the Event log" on page 70, "Configuring statistics settings" on page 71). However, you can delete records manually if required. Records are deleted from the database separately for each server. 75

76 A D M I N I S T R A T O R ' S G U I D E To delete records from the Event log and statistics database manually: 1. Select the server for which you want to delete records from the Event log and statistics database (see section "Viewing and editing server settings" on page 36) (see figure below). Figure 18. Deleting records from the Event log and statistics database 2. On the action panel, click the Delete records button, and in the dropdown list select one of the following items: Event log. Mail protection statistics. Replication protection statistics. Database scanning statistics. As a result, information correspond to the selected list item is deleted from the kaveventslog.nsf database for the selected server. 76