This hot fix provides four registry keys to hide redundant notification/log created for cached messages.

Size: px

Start display at page:

Download "This hot fix provides four registry keys to hide redundant notification/log created for cached messages."

Calvin Watson
5 years ago
Views:

2 1203 This hot fix provides four registry keys to hide redundant notification/log created for cached messages. Add registry value, ExcludeNotification in type REG_DWORD, and set the value to "1". Key: ExcludeNotification Value: "1" = Enabled After applying this hot fix, the default value of this key is 1. If this key does not exist, the function will be disabled. Add registry value, ExcludeNotificationFolderList in type REG_SZ, and add value "Send Items". If the end user of the Exchange client uses a non-english Office Outlook, it will be in a different name. Customer should manually add it to this setting. Key: ExcludeNotificationFolderList Type: REG_SZ Value: ; Each folder name should be separated by a semicolon ';'. Be sure that there are no extra spaces before and after each folder name. Restart the ScanMail services for changes on this key to take effect. If this key is not defined, it will use "Sent Items" folder by default. Add registry value, ExcludeLogging in type REG_DWORD, and set the value to "1". Key: ExcludeLogging Value: "1" = Enabled

3 After applying this hot fix, the default value of this key is 1. If this key does not exist, the function will be disabled. Add registry value, ExcludeLoggingFolderList in type REG_SZ, and add value "Send Items". If the end user of the Exchange client uses a non-english Office Outlook, it will be in a different name. Customer should manually add it to this setting. Key: ExcludeLoggingFolderList Type: REG_SZ Value: ; Each folder name should be separated by a semicolon ';'. Be sure that there are no extra spaces before and after each folder name. Restart the ScanMail services for changes on this key to take effect. If this key is not defined, it will use "Sent Items" folder by default. For Exchange 2000/2003, use the following settings: ExcludeNotification: 1 ExcludeNotificationFolderList: Sent Items ExcludeLogging: 1 ExcludeLoggingFolderList: Sent Items For Exchange 2007, use the following settings: ExcludeNotification: 1 ExcludeNotificationFolderList: Sent Items;Outbox ExcludeLogging: 1 ExcludeLoggingFolderList: Sent Items;Outbox 1218 ScanMail is unable to change the subject of an that is already in the information store. This is a Microsoft Virus Scanning API (VSAPI) 2.0 limitation. If a user configures a content filtering rule against a particular subject the same will be quarantined again when touched. After applying this debug release, you can use the registry key to configure ScanMail real-time (on-access) scan to skip content filtering for the message received older than a period of time. Path: HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion Name: CFBypassAgingMail

4 Value: 0-Disable, In days If the default setting is "Disable", specify the definition of an aging in days. For example, if you specify 30, ScanMail will skip content filtering for s which arrived 30 days earlier. This registry key will only affect real-time/on-access scan. Each time you change the setting, restart the ScanMail Master Service for the changes to take effect To exclude the type of attachment that will not be blocked by attachment blocking. Name: ForceExcludeContentType Type: REG_SZ Value: ; If the default setting is "Disable", specify the definition of an aging in days. For example, if you specify 30, ScanMail will skip content filtering for s which arrived 30 days earlier. This registry key will only affect real-time/on-access scan. Each time you change the setting, restart the ScanMail Master Service for the changes to take effect. For example: *ForceExcludeContentType = message/disposition-notification;message/delivery-status 1227 Issue: ScanMail Real-time (on-access) Scan can trigger re-scanning of old s. Hence, old attachments can be deleted and quarantined again by the Attachment Blocking filter. After applying this hot fix, a new registry key can be added to configure ScanMail Real-time (onaccess) Scan to skip attachment blocking for messages received that are older than a certain time period. Path: HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion Name: ABBypassAgingMail Value: 0-Disable, In days If the default setting is "Disable", specify the definition of an aging in days.

5 For example, if you specify 30, ScanMail will skip content filtering for s which arrived 30 days earlier. This registry key will only affect real-time/on-access scan. Each time you change the setting, restart the ScanMail Master Service for the changes to take effect When SMEX 8.0 is running in a cluster environment, it will frequently update/access the cluster registry and decrease the performance of the cluster. The following logs will frequently appear in the "cluster.log" file: cc8::2007/11/01-21:48: INFO [DM] DmUpdateSetValue cc8::2007/11/01-21:48: INFO [DM] Setting value of PR_Profile for Software\TrendMicro\ScanMail for Exchange\CurrentVersion key. This hot fix enlarges the Product Registration registry key polling interval from one minute to one day. This means that if you update the license from one node, it will be reflected on other nodes for, at most, 1 day. If a user thinks the interval is too long, he/she can also create a registry key and specify the polling interval he/she wants. Name: PRPollingInterval Value: In minutes 1241 Some users would like an option to disable VS API from scanning certain mailbox store. To disable it, you can set the registry value "VirusScanEnabled" to 0 under HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\[ServerName]\[Mailbox DB GUID]\. However, whenever SMEX_Master service is restarted, this key reverts back to 1. To prevent SMEX_Master service from resetting the "VirusScanEnabled" key, a registry value named "ResetVirusScanAfterRestart" can be added under each Mailbox database GUID. If "ResetVirusScanAfterRestart" is set to 0, whenever SMEX_Master restarts, it will not reset the value of "VirusScanEnabled" back to 1. Path: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\[ServerName]\[Mailbox DB GUID]\ Name: ResetVirusScanAfterRestart 1243 To enable SMEX 8.0 EUQ support on Microsoft Exchange Server 2007 MailBox Server Role. Procedure: Customers who want to use EUQ on Microsoft Exchange Server 2007 MailBox Server

6 Role need to install the ExchangeMAPICDO component on their server first. Refer to the following site: E17E7F31-079A-43A9-BFF2-0A E&displaylang=en Applying this patch unlocks the pages for EUQ activation by patching the EUQ activation modules so that it will perform correct operations on Microsoft Exchange Server 2007 platforms. Manually updates the "Junk Integration" registry key to 0. Path: HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion Key: Junk Integration Value: 0 Make sure you update this registry key on all the server roles specified. (Microsoft Exchange Server 2007 Edge Transport/Hub Transport/MailBox Server Role.) Enable EUQ. 1. Go to the SMEX 8.0 Console on Microsoft Exchange Server 2007 MailBox Server Role. 2. Click Administration > Spam Maintenence. 3. Activate EUQ. Make sure you are using an account with domain administrator privileges before enabling EUQ. This feature is only for 64bit environment. Restrictions: After the patch is applied, the "MapiSvc.inf: file under [Windows directory]\syswow64\mapisvc.inf will be modified and the original "MapiSvc.inf" file will be backed up as "mapisrvc.inf.backedup-by-smex-[count]". The system can save up to 10 files. If the customer has already installed MAPI and this is being used in the server, manually merge the files to make existing applications work. Automatic importing of the white list is not supported by this hot fix if some addresses have already been entered as white lists using the Junk folder feature of Outlook. This means that the user needs to manually add these addresses into the approved sender list. After the customer activates EUQ, customer cannot rollback this patch anymore.

7 1247 SMEX 8.0 (SMEX) will generate multiple log entries and notification messages for each file inside a compressed file that is password protected, encrypted, or meets the over restriction rule. After applying this hot fix, a user can exclude the redundant log/notification for "protected file" and "over restriction" rule by adding the registry key below. If this key is enabled, SMEX will only write to the log and send notification one time for each compressed file. Key: ExcludeRedundantUnscannableLog "1" = Enabled (default 0) 1264 In SMEX (SMEX) 8.0, if users select the "Block attachment types or names within compressed files" option in the "Attachment Blocking" filter, SMEX blocks specific file types (e.g., JPG files) inside Microsoft Office 2007 files if the file type is selected in attachment blocking filter. This hot fix provides a registry key that prevents SMEX from blocking files inside Microsoft Office 2007 documents: Key: SkipBlockingFilesInsideOffice2007Files "1" = Enabled (default) Note: If this registry key is enabled, the attachment blocking filter ignores the files inside Microsoft Office 2007 documents This hot fix restarts SQL service whenever a virtual server is online by adding the registry key below. Key: RestartSQLServiceWhenResourceOnline "1" = Enabled (default 1) Restart all SMEX related services for changes on this key to take effect.

8 This feature is only for Exchange Server 2007 Single Copy Cluster (SSC) If the "disable8dot3" option in Windows is enabled before installing ScanMail, some images in the ScanMail reports sent through are displayed as broken links and cannot be viewed. After applying this hot fix, SMEX uses the http protocol instead of the file path to generate the report template. This is done by adding the registry key below. Key: UseHttpToConvertReport "1" = Enabled (default 1) You must restart the ScanMail Master Service after making the necessary changes resolves the issue wherein when users create a content filter using keywords containing HTML character entities, such as double quotes, ScanMail does not filter some messages with HTML format. This hot fix adds the following new registry key to help SMEX in blocking special HTML messages: Key: EnableDeescape (default) "1" = Enabled The default value for "EnableDeescape" registry key is "0". By default, this new registry key is disabled. Each time you change the setting, restart the ScanMail Master Service for the changes to take effect If a mail triggers anti-spam rules and the corresponding action is "Delete entire message", there is no detailed information logged into the "smex_master.log" file for deleted spam s. Hot Fix Build 1328 resolves this issue. To enable ScanMail to log details into the "smex_master.log" file for deleted spam s, add a new registry key and set its value to "1" as shown in the example below. HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion\LogCriticalInfo=1 The default value of "LogCriticalInfo" is "0". By default, this key means that logging is disabled.

9 Note: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing this hot fix The ScanMail Master Service stops when the emanager/dmc module encounters issues adds the following new registry key that enables ScanMail Master Service to automatically restart when the emanager/dmc module encounters issues: Key: AutoRestartProcess "1" = Enabled (default) By default, "AutoRestartProcess=1". This key is enabled by default. If this key does not exist or is deleted, the ScanMail Master Service will automatically restart when the emanager/dmc module encounters issues. To disable the option, set "AutoRestartProcess=0". When this option is disabled, the ScanMail Master Service will stop when the emanager/dmc module encounters issues. Each time you change the setting, restart the ScanMail Master Service for the changes to take effect To prevent ScanMail from re-registering SMTP event sinks for Microsoft Exchange server 2000/2003, or register the SMTP event sinks back, set the following registry key and then restart the ScanMail Master Service: Key: DisableSMTPOnSubmissionEventSink Type: REG_SZ (DWORD) Value: 0 (set to 1 to enable this key) Note: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing this hot fix ScanMail uses one third-party component to extract Microsoft Office/ Adobe PDF documents for content scanning. However, when this component encounters some special samples, it stops unexpectedly or causes the server to stop responding. Both events stop the ScanMail Master Service.

10 1337 adds an option that enables ScanMail to use a separate process for scanning attachments. When this option is enabled, ScanMail Master Service will not stop unexpectedly even when processing special samples. Users will also be able to set the timeout period and specific action for this scenario also upgrades the third-party component from version 4.0 to 4.2 to provide a more stable functionality. To disable the separate process for scanning attachments: Set the following registry key to "0": Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\ CurrentVersion Key: DmcIsolate "1" = Enabled Restart the ScanMail Master Service Some users want to unregister the SMTP event sinks for Microsoft Exchange server 2000/2003, but ScanMail for Exchange registers back the previously unregistered SMTP event sinks after restarting the ScanMail Master Service or restarting the server adds the "DisableSMTPOnSubmissionEventSink" registry key that is enabled, by default. With this key, ScanMail does not register back the SMTP event sinks for Microsoft Exchange server 2000/2003, even after restarting the master service or the server. Note: Make sure that you want to unregister the SMTP event sinks before installing hot fix After applying hot fix 4138, the register key is enabled and thus, SMTP event sinks are unregistered, by default Issue: A customer requests for a way to replace suspicious URLs with a dead link in Web Reputation Service (WRS) notifications. Solution: 4178 enables users to specify a prefix for ScanMail to add at the beginning of suspicious URLs in WRS notifications. This converts the URLs to dead links. For example, if a user specifies "SuspiciousURL" as a prefix, and WRS detects a malicious URL: " WRS notification messages display: "SuspiciousURLhttp://

11 which is an invalid link. This prevents users from opening such URLs. Procedure: To specify a prefix for ScanMail to add at the beginning of suspicious URLs in WRS notifications, set the following registry key: Key: SuspiciousURLPrefix Type: REG_SZ (customized value), must not include TAB and space characters 4182 Issue: During public folder replication between Microsoft Exchange servers, each Exchange server sends replication messages to the other Exchange server. Some examples of these replication messages are those that contain "Folder Content Backfill Response" or "Folder Content" in the subject field. When the Active Message Filter tags the generated replication messages in the public folder with its signature, SMEX quarantines or deletes the replication messages. As a result, the tagged replication messages will not be replicated to the other Exchange server. Solution: 4182 allows users to enable the SMEX Active Message Filter to ignore messages from a specified sender and with a specified subject during public folder replication. This facilitates successful public folder replication. Procedure: To enable the SMEX Active Message Filter to ignore messages from a specified sender and with a specified subject during public folder replication: 1. Add and configure the following keys: Key: AmfExemptedSubjectList = Specifies the subject that will be ignored by the Active Message Filter. AmfExemptedSenderList = Specifies the sender that will be ignored by the Active Message Filter. Type: REG_MULTI_SZ An message's subject and sender should both match the values in the registry keys for the Active Message Filter to ignore a message. For example, you can set:

12 AmfExemptedSubjectList: Folder Content Backfill Response Folder Content 2. Restart the ScanMail Master Service to apply the changes Issue: ScanMail tags voice mail and missed call notifications from Microsoft Exchange Unified Messaging as spam. Solution: After applying 4191 ScanMail allows users to specify whether a voice mail or missed call notifications from Microsoft Exchange Unified Messaging should be scanned by the anti-spam filter. It checks whether an messages is a voice mail or missed call notification from Microsoft Exchange Unified Messaging. It also checks whether the message comes from an approved domain. If the message satisfies both conditions, the anti-spam filter skips the scanning of the message and ScanMail does not tag the message as spam. Procedure: Users need to specify the approved domain names. ScanMail checks whether an message comes from an approved domain. To configure this option, follow any of the below options below: Option 1: 1. Log on to the product console. 2. Click Spam Prevention from the main menu. A drop-down menu appears. 3. Click Content Scanning from the drop-down menu. The "Content Scanning" screen appears. 4. Add the domain name to the list of Approved Senders. 5. Click Save. Option 2: Add the following registry key Name: AntiSpamWhiteList Type: REG_SZ Value: Approved domain list (this value only supports these three formats: and *@domain.com)

13 If a user chooses Option 1, the anti-spam filter does not scan all messages from the approved domain. If a user chooses Option 2, only the voice mail and missed call notifications from the approved domain will not be scanned by the antispam filter. This feature is disabled by default. If the customer wants to enable this feature, set the following registry key value to "1". Name: AntiSpamSkipScanningVoic "1" = Enable this feature "0" = Disable this feature Patch 2 To prevent SMEX_Master from consuming a lot of memory when scanning large mails, Trend Micro recommends adding the following registry on 32-bit version of SMEX after the patch has been installed. Path: HKLM\Software\Trend Micro\ScanMail for Exchange \Current Version Key: MaxAllowedVsapiMessageSize Value: Recommend to set to Decimal value of (Which is equal to 32*1024*1024, 32 mb) After the registry has been added, restart the ScanMail Master Service. The registry will limit the size of the VSAPI share resource pool. Important: By doing this, attachments hooked by VSAPI larger than the limit will NOT be scanned. For example, if the limit is set to 30 MB, and an attachment is 35 MB, the last 5 MB content will not be scanned (The first 30MB will be). Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.

CAS Quick Deployment Guide January 2018

CAS Quick Deployment Guide January 2018 CAS January 2018 Page 2 of 18 Trend Micro CAS January 2018 This document is to guide TrendMicro SE and Solution Architect team run a successful Cloud App Security POC with prospective customers. It is