PureMessage for Windows/Exchange release notes
----------------------------------------------

Version 2.6.1, June 2006
www.sophos.com

Important information you need before installation
--------------------------------------------------

* Exclusion of Microsoft Exchange and IIS related folders from desktop
  virus scanning (as recommended by Microsoft).
  When you install PureMessage, Sophos Anti-Virus is also installed (if
  not already present) and on-access virus scanning starts
  automatically. However, PureMessage excludes certain Microsoft
  Exchange and IIS folders from virus scanning as recommended by
  Microsoft. When PureMessage is uninstalled these exclusions are not
  removed. More information can be found below in section 4.h.

* The \Temp folder under the PureMessage installation folder is also
  automatically excluded from virus scanning. However, when PureMessage
  is uninstalled this exclusion setting will be removed from Sophos
  Anti-Virus.

* You can upgrade from
    Sophos PureMessage for Windows/Exchange, version 2.1.0 and later
    Sophos PureMessage for Windows/Exchange (Small Business Edition),
    version 1.0.2 and later
  You cannot upgrade a version of PureMessage that includes both
  anti-virus and anti-spam support to a version that includes only
  anti-virus support.

* Microsoft Windows clustering support:
  Active/Active clustering configurations are not supported. For
  Active/Passive clustering configuration information, please refer to
  the "Support for Windows clusters" section in the Startup Guide.

* The installation program will restart IIS and Microsoft Exchange
  services (if present) during the installation. Under certain
  circumstances it may also require the computer to be restarted.

* Windows 2003 Service Pack 1 Security Configuration Wizard
  If the Security Configuration Wizard (SCW) is detected on your
  system, then the installer will register a PureMessage knowledge base
  and start SCW when installation has completed.
  If you use SCW to harden your system, then you should run the wizard
  once the PureMessage installation has completed, and check the
  PureMessage option to allow access via the firewall. This will create
  an appropriate policy for you to apply.

Contents
--------

1. New in this version
2. Key features of PureMessage for Windows/Exchange
3. Known issues in this version
4. Additional information

1. New in this version
----------------------

* PureMessage now provides new types of reports and allows
  administrators to generate reports for a specified time period. The
  reports available are:
    a) Message categorization
    b) Quarantine database size
    c) Quarantine folder size
    d) Top virus recipients
    e) Top spam recipients
    f) Top viruses
    g) Spam score range volumes

* End users can now access the quarantine website at any time to review
  their emails that have been classified as spam. They no longer need
  to wait for the quarantine digest email. This feature uses Active
  Directory to check user credentials before allowing access to the
  quarantine website.

* Support for Microsoft SQL Server 2005.

* You can use the wildcard characters '?' and '*' when specifying
  phrases to be searched for within the body text and attachments of
  the message.

* Reduces spam false positives by allowing administrators to check only
  the first external relay found in the message for DNS blacklisting.

* Recipient alerts can be sent to internal recipients only.

* Separate recipient alerts for content threats.

* Support for unattended installation of PureMessage.

* Bug fixes:
  - Fix for resrcmon.exe leaking memory on a cluster.
  - Fix for a problem with mail being held up in the IIS queue because
    of the update process not completing when SMTP scanning is active.

2. Key features of PureMessage for Windows/Exchange
---------------------------------------------------

* Detects up to 98% of incoming unsolicited commercial email (spam).
* Allows end-users to retrieve misclassified spam from their quarantine
  area using a web-based interface (if installed on Windows® 2000 or
  2003 server).

* Provides real-time scanning of incoming and outgoing mail and Usenet
  newsgroups for virus infection.

* Protects the Exchange Information Store from virus infection by
  integration with Microsoft's Virus Scanning API.

* SMTP-only installation is available for users of IIS without Exchange
  2000 or 2003.

* Threat reduction features allow a range of attachment and message
  blocking options.

* Allows administrators to generate various reports on virus and spam
  finds.

* Allows administrators to use a remote database to store quarantined
  items.

* Supports clustered installations.

* Allows the addition of disclaimers to outgoing mail.

3. Known issues in this version
-------------------------------

a) If you install PureMessage on a computer in a workgroup (or in a
   domain where the DNS does not work properly), you cannot use a
   remote quarantine database. You can specify a remote database during
   installation, but PureMessage does not set the necessary access
   rights.

b) PureMessage installation will fail if attempted on Windows XP
   Professional with no service pack. On this platform PureMessage
   requires SP1 or above.

c) If the locale is changed to English on a Japanese operating system,
   the PureMessage administration console will display "????" for
   certain strings and they may be saved when the console is closed.
   Sophos recommends that you do not change language settings on
   Japanese platforms.

d) During installation, you can specify the database where quarantined
   items are kept. If you have an SQL server or servers, a "Browse"
   button is available for doing this. However, you may see incorrect
   entries in the browser dialog. In this case, close the browser and
   type the database name into the text box provided.

e) When using a database on a different computer (i.e. remote database,
   or virtual SQL Server instance on the same cluster but a different
   node) the PureMessage service may sometimes fail to connect to the
   database because Windows authentication has failed. Possible reasons
   are:
   * the DNS is not correctly set up
   * the time is not synchronized on the two computers
   * the servicePrincipalName property in Active Directory is missing
     the entry for that SQL Server instance (this may happen if SQL
     Server was installed using a local administrator account without
     rights to write to the Active Directory)
   Contact Sophos technical support for more help to identify the
   problem, or to use SQL Server authentication instead of Windows
   authentication.

f) If right click is used to choose a substitution symbol for an alert
   body or incident text then PureMessage may replace the entire text
   with the chosen substitution symbol instead of inserting it at the
   correct cursor position. The administration console may also display
   an error message when it is closed after this operation is
   performed. Users can type in the desired substitution symbols
   instead of using the right-click context menu. The list of
   substitution symbols is provided in the help file.

g) The message categorization report will display an empty bar chart
   when a date range of more than 3 months is chosen and if the start
   date is not the first of the month.

4. Additional information
-------------------------

a) The default action in the case of a 'scanner error' is 'No action -
   ignore the event'. Sophos strongly recommends that this action is
   not changed.

b) When PureMessage is uninstalled, the quarantine directory
   INSTALLDIR\Quarantine is left on the server. This enables you to
   retain quarantined items during uninstallation and reinstallation of
   PureMessage. If you no longer need this directory, delete it.

c) When PureMessage is uninstalled, the logs directory INSTALLDIR\Logs
   is left on the server. If you no longer need this directory, delete
   it.

d) When PureMessage is uninstalled the following files are left behind
   in the C:\WINDOWS\system32\ folder. These files are shared files
   installed by Microsoft supplied Merge Modules (.MSM) that
   PureMessage uses. It is recommended that these files are not
   deleted.

   RichTX32.ocx  (From RICHTEXT.MSM - Rich Text ActiveX Control Merge
                 Module)
   mschrt20.ocx  (From MSCHRT20.MSM - Microsoft Chart Control 6.0)
   mscomct2.ocx  (From MSCOMCT2.MSM - Microsoft Common Controls 2.0)
   msstdfmt.dll  (From MSSTDFMT.MSM - Microsoft Standard Data
                 Formatting Object DLL)
   msxml2a.dll   (From Microsoft MSXML 2.0)

e) When PureMessage is uninstalled the files PMClustResType261.dll and
   PMClustResTypeEx.dll are left behind in the C:\WINDOWS\system32\
   folder. These are PureMessage cluster resource DLLs that can be
   deleted from all nodes in a cluster after PureMessage is uninstalled
   from all the nodes.

f) When trying to view the end-user web quarantine area directly, your
   browser may ask you to enter your credentials every time you click
   on the web page. This can happen if your system time is not
   synchronized with your server time. This is not a PureMessage issue
   and is caused by the way Windows Authentication works.

g) PureMessage does not support multiple administration consoles
   running simultaneously on the same machine or multiple
   administration consoles connecting to the same server at the same
   time.

h) The following is a list of Microsoft Exchange and IIS related
   folders excluded from desktop scanning as recommended by Microsoft
   (see Microsoft knowledgebase articles
   http://support.microsoft.com/?kbid=328667
   http://support.microsoft.com/kb/328841
   http://support.microsoft.com/?kbid=823166):

   * The whole Exchsrvr folder and its sub-folders
   * The Exchange server Installable File System (IFS), usually the M:
     drive (a different drive letter may be used)
   * Internet Information Server (IIS) system files (usually in
     \%systemroot%\system32\inetsrv)
   * All Exchange database and log files (if they are not in
     \Exchsrvr\Mdbdata)
   * Virtual server folders (if they are not in \Exchsrvr\Mailroot)
   * Message tracking logs (if they are not in \Exchsrvr\.log)
   * Exchange files with the extension .MTA (if they are not in
     \Exchsrvr\Mtadata)
   * Site Replication Services (SRS) files (if they are not in
     \Exchsrvr\Srsdata)
   * The working folder for streaming temporary files (if they are not
     in \Exchsrvr\Mdbdata)
   * The Exchange folder \Exchsrvr\IMCData

i) The following is a detailed listing of the attachment file types
   detected by this version of PureMessage:

   Archives
   --------
   ARJ Archive
   BZIP2
   CMZ
   GZIP
   InstallShield Cabinet   (Up to version 5)
   LHA
   MacBinary
   MacBinHex
   MS CAB
   MS CHM
   MS Compress
   RAR                     1.5 - 2.9 (2.9 is sometimes referred to as
                           version 3)
   StuffIt                 Up to version 5
   TAR
   ZIP                     All formats except encrypted

   Self Extracting Archives
   ------------------------
   Petite                  2.1 - 2.2
   PKLITE                  1.0, 1.3, 1.12, 1.13, 1.14, 1.15, 1.20, 1.5,
                           2.01
                           32-bit version is not currently supported
   Self Extracting Archive
   UPX

   Common Virus Carriers
   ---------------------
   DOS/Windows EXE         All PE formats (.exe)
   Office Documents With Macros
       For PureMessage, Office consists of Access, Word, Excel,
       PowerPoint and Project for all released suites (95, 97, 2000,
       XP, 2003).
       Visio 5 onwards to 2003 is also supported.
       All dangerous content (macros) will be filtered for all versions
       of Office, with the following exceptions:
         * Excel 95 and 97 formula files
         * Office 2003 XML-formatted documents
       However, these files will always be disinfected if infected.
       Safe Office documents will not be filtered.
   Unix/Linux EXE Format ELF

   Graphics
   --------
   GIF
   JPG
   PNG
   RIF
   TIF
   BMP

   Others
   ------
   PDF                     1.1-1.4 (1.4 is often referred to as 1.5)
   HTML                    4.0 (Doesn't filter XHTML)
   Mac data and resource forks
   MIME formats            version 1.0 (up to stated standards in
                           RFC 2822, 2045 - 2049 and 2231)
   RTF

j) The following is a list of file types that PureMessage supports for
   content filtering within attachments:

   1. Microsoft Office documents (comprising Word documents and Excel
      worksheets from Office 95 onwards, and PowerPoint presentations
      from Office 97 onwards)
   2. HTML documents
   3. Plain text
   4. Rich text format (RTF)

   The following is a list of archive file types that PureMessage
   supports for content filtering within archive file attachments:

   ARJ Archive
   BZIP2
   CMZ
   GZIP
   InstallShield Cabinet   (Up to version 5)
   LHA
   MS CAB
   MS CHM
   MS Compress
   RAR                     1.5 - 2.9 (2.9 is sometimes referred to as
                           version 3)
   StuffIt                 Up to version 5
   TAR
   ZIP                     All formats except encrypted

----------------