Transport protection for Exchange servers


As an introduction, you may wish to consult the Exchange server protection settings section in the Endpoint Protection online help. This section describes the antivirus, anti-spam and content filter protections for Exchange servers.


Protection for Exchange servers: Detection flow

Email messages scanned by the Exchange Server transport protection pass through the following stages, in this order:

  1. Scan by the anti-spam protection.

  2. Scan by the antivirus protection.

  3. Scan by the content filter protection.

A malicious message may be detected by all three protections. In that case the solution applies, in turn, the action defined for each protection, as long as the previous action still allows it.

Example

Suppose you have an email message which could be detected as malicious by all three protections. The message will be acted upon by each protection provided the action configured for the previous one allows it and the message has not been deleted or sent to quarantine.

For example, suppose you have configured the anti-spam protection for Exchange servers to delete malicious messages. In this case, the message will not be acted upon by the antivirus protection, because the previous one (the anti-spam protection) will have deleted it as soon as it detected it as spam.

If the message were acted upon by the antivirus protection and malware were detected in it, the message would be moved to quarantine as defined in the antivirus protection settings. Therefore, the message would never be acted upon by the last protection: the content filter.
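The stage ordering and "stop once deleted or quarantined" rule described above, written out as a small model so the two scenarios can be checked. This is an added illustration, not Panda's code; the stage names follow the page, while the non-terminal action name `tag-subject` and the `Message` structure are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Stage order as given on the page: anti-spam, then antivirus, then content filter.
STAGES = ("anti-spam", "antivirus", "content filter")

# Actions that take the message out of the flow, so later stages never see it.
TERMINAL_ACTIONS = {"delete", "quarantine"}


@dataclass
class Message:
    subject: str
    # Which protections would detect this message (constructed sample input).
    detected_by: set
    # One (stage, action) entry per detection, mirroring "as many log lines
    # per message as detections made".
    log: list = field(default_factory=list)


def run_transport_protection(msg: Message, configured_actions: dict) -> str:
    """Walk the stages in order. A stage only acts if it detects the message
    and the message is still in the flow. A terminal action ends processing.
    Returns the final disposition: 'delivered', 'deleted' or 'quarantined'."""
    for stage in STAGES:
        if stage not in msg.detected_by:
            continue
        action = configured_actions[stage]
        msg.log.append((stage, action))
        if action in TERMINAL_ACTIONS:
            return "deleted" if action == "delete" else "quarantined"
    return "delivered"


# Scenario 1 from the page: anti-spam set to delete, so antivirus never runs.
def scenario_spam_delete() -> Message:
    msg = Message("invoice.zip", {"anti-spam", "antivirus", "content filter"})
    actions = {"anti-spam": "delete", "antivirus": "quarantine",
               "content filter": "tag-subject"}  # tag-subject: assumed non-terminal action
    msg.disposition = run_transport_protection(msg, actions)
    return msg


# Scenario 2 from the page: anti-spam lets it through, antivirus quarantines,
# so the content filter is never reached.
def scenario_av_quarantine() -> Message:
    msg = Message("invoice.zip", {"anti-spam", "antivirus", "content filter"})
    actions = {"anti-spam": "tag-subject", "antivirus": "quarantine",
               "content filter": "tag-subject"}
    msg.disposition = run_transport_protection(msg, actions)
    return msg
```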


Protection for Exchange servers: Detection log

The email protection for Exchange servers writes a log file called ExchangeLogDetections.csv, containing the detections it makes and the actions taken, to %AllUsersProfile%\Panda Security\Panda Cloud Office Protection\Exchange.

This file is useful for checking whether a message was detected by the anti-spam protection or the content filter, since the Endpoint Protection Web console only reports email detections in the form of counters.

The log file is a CSV file with the following tab-separated fields:

The log file contains as many lines per email message as there are detections for it.

By default, the maximum size of the log file is 10 MB. When it reaches that size, the file is renamed to ExchangeLogDetections.old.csv and a new one is generated. If a backup log already exists, it is deleted.

To change the log file size, open the HKLM\SOFTWARE\Wow6432Node\Panda Security\Nano Av\Exchange registry key and set the size (in MB) in the DWORD value SizeLogDetections.