filips
-
Posts
160 -
Joined
-
Last visited
-
Days Won
3
Posts posted by filips
-
-
One more thing i forgot to mention: You can (should
) use rule action "Log to events" for some time to check if the rule works correctly before enabling action like reject/drop/quarantine
-
Hi davidenco,
The SPF check is evaluated using domain from HELO or MAIL FROM. It does not protect You against spoofing of "From" header. This means that if the sending domain (in HELO or MAIL FROM) does not have SPF record or has a valid SPF record, the mail is valid even if it is spoofing your domain in From header (it could be a valid mail forwarder).
This problem can be solved by using DMARC: https://blogs.technet.microsoft.com/eopfieldnotes/2015/02/26/using-dmarc-to-prevent-spoofing/
You could also create a transport rule like this:
Conditions:
Message headers match regular expression \nFrom: .*@OurDomain.co.uk
Sender's IP address is not one of (list of your IPs or IPs that are allowed to send mail for your domain)
Actions:
Quarantine messageOr something like this:
Conditions:
Message headers match regular expression "\nFrom: .*@OurDomain.co.uk"
Message headers do not match regular expression "\nReply-To: .*@OurDomain.co.uk"
Actions:
Quarantine message -
Hi davidenco,
You are right, if an email fails the SPF check or if there is no SPF record for the sending domain, greylisting will be performed.
-
Hi,
this option is not available
-
Hi,
this option is not available. Something similar will be available in EMSX v7 - it will have a customizable SMTP reject response message (apart from default "Invalid content").
-
You can create a new policy (it will be in default state) and apply only some changes to settings. And/or you can also use the policy to force the default value - so it cannot be changed using UI on client.
Some resources:
-
Hi,
1. You cannot delay an email, supported actions are: quarantine mail/reject mail/drop mail/delete attachment/quarantine attachment
2. Yes - Blocked senders list can be found in Server/Antispam protection section of advanced settings
3. You can create a transport rule to do that -
That's true - You don't need to apply any policy to run the product with default configuration
-
Hi,
as i wrote in my previous post EFSW should disable Windows Defender after installation - you can check registry and UI to see if it was done. However, the Windows Defender Service will be still running.
-
Hi,
all ESET server products are designed to run fine with the default configuration. We don't have any additional configuration steps for domain controllers.
The policy you mentioned is definitely not a best-practice for EFSW deployments. You would sacrifice some security features for performance - while it disables some less important protections (e.g. Web and email), it disables HIPS as well.
-
Hi,
it is recommended to uninstall Windows Defender before installing ESET server products. However, if Defender is present after EFSW installation, it will be automatically disabled just like it's described in this article
-
Hi,
If you are interested in collecting data on servers, maybe you could change the product to ESET File Security for Windows Server (EFSW) - our product intended for servers.
EFSW supports WMI (http://help.eset.com/efsw/6.5/en-US/idh_config_wmi_provider.htm) and ships with ESET Shell - command line interface (http://help.eset.com/efsw/6.5/en-US/work_eshell.htm)
-
Just run installer (e.g. from control panel) and Hit modify: http://help.eset.com/efsw/6.5/en-US/index.html?installation_steps.htm
-
Hi,
Web and email protection is not a part of Typical installation on Windows 2008, you can modify your installation and add it.
Just make sure you have this hotfix installed: https://support.microsoft.com/en-us/kb/2664888
-
Hi Gregor,
1. Best practice is installing on every supported role
2. It's not possible to select protected mailboxes - we will count all mailboxes reported by mailbox count tool. It is possible to skip scanning of some mailboxes using rules but it has no effect on licensing.
-
Hi,
there are 2 options:
1. using Mail transport rules in EMSX - create a rule with action "Log to events" - can log only limited set of message properties
2. contact your local customer care to get information how to enable logging of all messages to mailserver protection log -
Hi,
i meant transport rules in ESET Mail Security (You can find them in EMSX/advanced settings/Server/Rules) - there is an option to log into EMSX events log (more info: http://help.eset.com/emsx/6.5/en-US/index.html?idh_wizard_rules_list.htm)
You are right - quarantine report is only sent if there is something in user's quarantine. If released/deleted the mail will stay in "trash" for a period specified by setting "Clear deleted files after" in advanced settings/Server/Quarantine. It can be recovered using eShell.
-
Hi Michelle,
Does the web page quarantine automatically update?
NoIs there a log of all processed mail?
There is a log of all modified mail - "Mailserver protection" log, but You can create a transport rule to log all processed mail.The quarantine report does not seem to be sending, where do I check that?
I don't know the steps You already did, but generally:
1. Create scheduled task "Send mail quarantine reports"
2. Select a user to test it on
3. Send a spam mail with GTUBE string to this user
4. Make sure the mail is in quarantine (check quarantine manager or mailserver log)
5. Right click Your task in Scheduler and hit "Run now"If You don't receive the report within few minutes then temporarily enable diagnostic logging in Setup/Tools and repeat steps 3-5
-
Hi,
open logs/mail server protection and double click your log record to open detail dialog. You should see something like: "Rule Activated: Dangerous executable file attachments"
Attachment name is not visible in the mailserver log when scanning on transport - please go to logs/detected threats and find matching log record. Open detail dialog and check column "Object" - you should see all objects deleted from a particular mail
-
Hi,
You should contact Your local ESET customer care - they can remove the domain/IP from cloud blacklist.
In the meantime, You can add the domain to "Server/Antispam protection/Filtering and verification/Approved Domain to IP list"
-
Hi,
MS help says "The Warning event indicates that Exchange anti-spam agents are enabled and that the list of internal Simple Mail Transfer Protocol (SMTP) servers is empty." (https://technet.microsoft.com/en-us/library/ff359741(v=exchg.140).aspx)
Are you sure the event is caused by EMSX? Because all EMSX does is register transport agents - that means no changes to list of internal SMTP servers or Exchange anti-spam agents.
-
Hi,
Database protection is not available on Exchange 2013 and newer. We used a scanning API that is discontinued - only on-demand database scan is available on newer versions of Exchange.
-
Hi ocs,
run eshell and open "Server" context and enter "mail-quarantine?". This will show you help.
To see deleted items run "mail-quarantine deleted" - each item has unique ID. To restore deleted item run "restore mail-quarantine 123" - replace 123 by ID of your item.
-
Hi ronmanp,
If you don't have the latest EFSW version please try upgrading (https://forum.eset.com/topic/12540-eset-file-security-for-microsoft-windows-server-version-65120100-has-been-released/)
If it doesn't help, you can try removing Web and email protection completely - just run installer > Modify > uncheck Web and email
) use rule action "Log to events" for some time to check if the rule works correctly before enabling action like reject/drop/quarantine
Eset Mail Security, Quarantine notification return to sender
in ESET Products for Windows Servers
Posted
Hi,
unfortunately, the message "Infected attachment has been deleted by ESET Mail Security" cannot be changed