Showing posts with label IMSS. Show all posts

Tuesday, April 13, 2010

IMSS 7.1 - some fine tuning steps

q. You might get "550 Access denied - Invalid HELO name" from a receiving domain (certain domains only). What fine tuning needs to be done?

a. There are a few things that you can check. First, verify that your mail server's public IP address has a reverse DNS (PTR) record. Some receiving domains check for this and reject you if it is missing.

Please refer to the articles below for configuration that you might want to fine tune:

1. http://esupport.trendmicro.com/Pages/Receiving-mail-server-replies-with-504-5.5.2-machinename-Helo-command.aspx

2. http://esupport.trendmicro.com/pages/Bogus-HELO-name-used-and-HELO-command-rejected-errors-appear-on-outbou.aspx

3. http://esupport.trendmicro.com/pages/InterScan-Messaging-Security-Suite-IMSS-for-70-Windows-is-unable-to-de.aspx

If you have tried all of these and the problem still persists, escalate it and make sure you attach tsmtpd.ini, log.imss and tsmtpd.log captured in debug mode.

Note: To enable debug you can use CDT; otherwise log in to the IMSS web console, choose Logs > Settings from the menu and change the Application log level option to "debug". Replicate the issue. Don't forget to disable the debug option once done.

Reference link for basic info and troubleshooting:
http://esupport.trendmicro.com/Pages/IMSS-70-Windows-basic-info-and-troubleshooting-guide.aspx#P25_1130
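The HELO and reverse-DNS checks a strict receiver applies, as an added example (not code from the post or from Trend Micro). It runs offline against a constructed DNS table; the hostnames and IPs in it are made up, and for a live check you would replace the table with real lookups.

```python
import re

# Constructed sample DNS answers (not real hosts): the PTR for the gateway's
# IP and the A records a receiver would look up. Replace with real lookups
# (socket.gethostbyaddr / gethostbyname or a DNS library) to check a live host.
SAMPLE_DNS = {
    "ptr": {"203.0.113.25": ["mail.example.com"]},
    "a": {"mail.example.com": ["203.0.113.25"], "example.com": ["203.0.113.80"]},
}

# Dotted host name with a letters-only top-level label (no bare words, no IP literals)
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def check_helo(helo_name, source_ip, dns=SAMPLE_DNS):
    """Return the list of problems a strict receiver would hold against this
    HELO/IP pair; an empty list means HELO, PTR and A records are consistent."""
    problems = []
    name = helo_name.rstrip(".").lower()
    ptr_names = [n.lower() for n in dns["ptr"].get(source_ip, [])]
    # 1. HELO must be a fully qualified host name
    if not FQDN_RE.match(name):
        problems.append(f"HELO '{helo_name}' is not a fully qualified domain name")
    # 2. The connecting IP needs a PTR (reverse DNS) record at all
    if not ptr_names:
        problems.append(f"no PTR record for {source_ip}")
    # 3. Forward-confirmed reverse DNS: a PTR name must resolve back to the IP
    elif not any(source_ip in dns["a"].get(n, []) for n in ptr_names):
        problems.append("PTR name(s) do not resolve back to the sending IP")
    # 4. The HELO name itself must resolve to the connecting IP
    if source_ip not in dns["a"].get(name, []):
        problems.append(f"HELO name '{helo_name}' does not resolve to {source_ip}")
    # 5. Many "Invalid HELO name" rejections compare the HELO with the PTR name
    if ptr_names and name not in ptr_names:
        problems.append("HELO name differs from the PTR name")
    return problems


if __name__ == "__main__":
    for helo, ip in (("mail.example.com", "203.0.113.25"),
                     ("IMSSSERVER", "203.0.113.25")):
        print(helo, ip, check_helo(helo, ip) or "OK")
```

Run it with your gateway's real HELO name and public IP (and real DNS answers) before escalating: each non-empty entry maps to one of the KB articles linked above.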

Friday, March 26, 2010

Missing mail log entry for IMSS 7.0

When you want to trace a mail, you normally query Message Tracking and enter the sender or recipient name. Let's say you tried that and no relevant log entry appears.

You might want to query the log file itself. Locate the Log folder in the IMSS installation folder and look for files named 'mailtrace.log.########', where the # characters indicate the date.

Probably there is a problem uploading the logs to the database.
You might also want to do the following to rectify the issue:
1. Stop all IMSS related services
2. Back up the mail_trace_bookmark file, which can be found in Program Files\Trend Micro\IMSS\bin, by renaming it.
3. Restart all IMSS related services
Note: This should generate a new bookmark file.
4. Install the latest patch (if applicable)

Friday, March 19, 2010

IMSVA sizing

q: How many mailboxes can IMSVA handle?
a: It doesn't count mailboxes when sizing the IMSVA. I have checked with the Trend Micro TAM (Technical Account Manager) that 50,000 msg/hr is a good number.

Thursday, March 11, 2010

Query on IMSVA

IMSVA (InterScan Messaging Security Virtual Appliance)
Q:How many users can it support?
A: The sizing is not based on users. IMSVA can take up to 50,000 msg/hr.


Tuesday, December 8, 2009

IMSS 7.1 - an upgrade from IMSS 7.0

Be careful when you in-place upgrade 7.0 to 7.1. It works for me and all the required settings are still preserved. However, the IMSS is set to open relay!
You have to remove 0.0.0.0 from IMSS console > Administration > SMTP Routing > Message Rule > Permitted Senders of Relayed Mail.

Test by telnetting to IMSS port 25 and running the MAIL FROM and RCPT TO commands to verify that it is now a closed relay.

good luck!
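The telnet check above as an added example (not code from the post or from Trend Micro): it drives the same MAIL FROM / RCPT TO exchange with Python's smtplib and reports whether a RCPT for a foreign recipient was accepted, aborting before DATA so nothing is sent. The two addresses are placeholders, and the fake gateway is a constructed fixture so the script runs offline; point check_open_relay() at your own IMSS host for the real test.

```python
import smtplib
import socket
import threading

# Placeholders: both must be in domains the gateway does NOT accept mail for,
# otherwise the test measures inbound delivery rather than relaying.
EXTERNAL_SENDER = "relaytest@example.org"
EXTERNAL_RCPT = "relaytest@example.net"


def check_open_relay(host, port=25, timeout=10):
    """Return (is_open, code, text). is_open is True when the gateway accepts a
    RCPT for a foreign domain from a foreign sender, i.e. it would relay."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail(EXTERNAL_SENDER)
        if code != 250:
            return False, code, text.decode(errors="replace")
        code, text = smtp.rcpt(EXTERNAL_RCPT)
        smtp.rset()  # abort the transaction before DATA: nothing is ever sent
    return code == 250, code, text.decode(errors="replace")


class FakeGateway(threading.Thread):
    """Constructed in-process SMTP responder so the check can run offline.
    relay_allowed=True imitates the post-upgrade open relay, False the fixed one."""

    def __init__(self, relay_allowed):
        super().__init__(daemon=True)
        self.relay_allowed = relay_allowed
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 fake-gateway ESMTP\r\n")
            for line in rfile:
                verb = line[:4].upper()
                if verb in (b"EHLO", b"HELO", b"MAIL", b"RSET"):
                    conn.sendall(b"250 OK\r\n")
                elif verb == b"RCPT":
                    conn.sendall(b"250 OK\r\n" if self.relay_allowed
                                 else b"550 5.7.1 Relaying denied\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"500 Unknown command\r\n")
        self.sock.close()


def self_test():
    """Run the check against both fake gateways: {"open": bool, "closed": bool}."""
    results = {}
    for label, allowed in (("open", True), ("closed", False)):
        gw = FakeGateway(allowed)
        gw.start()
        results[label] = check_open_relay("127.0.0.1", gw.port)[0]
        gw.join(timeout=5)
    return results


if __name__ == "__main__":
    print(self_test())  # expected: {'open': True, 'closed': False}
```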

Monday, November 23, 2009

Utilpolicy for IMSS for Linux

I posted earlier on this tool here. It has a Linux version as well. Let me know if you need it. :-)

utilPolicy.tar.gz is a tool to import/export the following settings:
1. UI->Policy
> Policy List
> Scanning Exceptions
> Internal Addresses
2. UI->IP Filtering
> Overview--enable/disable IP Filtering
> Rules
> NRS
> Approved List
> Blocked List
> Suspicious IP
3. Reports
> Settings--of scheduled reports
4. Logs
> Settings
5. Quarantine & Archive
> Settings (Quarantine & Archive)
6. Administrator
> Updates
> Schedule
> Source
> Notifications
> Events
> Delivery Settings
> Web EUQ Digest
> IMSS Configuration
> Connections
> Components
> LDAP
> POP3
> TMCM Server
> SMTP Routing
> SMTP
> Connections
> Message Rule
> Domain-based Delivery
7. User Quarantine Access
> Select LDAP groups to enable access

Friday, October 23, 2009

malformed email

Issue:
I have IMSA 7.0 Patch 1. Recently, one of my emails was quarantined, which can be seen from the web console with the reason "malformed". I noticed the mail has about ~70 image attachments, which are the company logo/symbol in that particular mail. I believe that is the reason for the "malformed" issue.

Answer:

Malformed email is quarantined in IMSA due to the following rule settings:

1. Maximum number of entities allowed in each mail message (usually the maximum number of attachments or embedded items)
LimitEntities = 64

2. Maximum number of parameters allowed in each header field (you can change this for the CC and BCC fields as well)
LimitHeaderParams=100

3. Maximum number of header fields allowed in each entity
LimitHeaders=500

You will have to edit these settings.

Access the console (for example via HyperTerminal) and log in as root. Locate the imss.ini file in the /opt/trend/imss/config/ directory.
Change the value of the following parameter to the maximum value needed:
LimitEntities

References:
http://esupport.trendmicro.com/Pages/Frequently-Asked-Questions-FAQ-about-the-mail-transfer-agent-MTA-of-In.aspx
http://esupport.trendmicro.com/7/What-is-malformed-email-and-how-to-avoid-it.aspx
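An added example (not Trend Micro's code) that counts what those three limits measure for a given message using Python's email package, so you can see why a mail with ~70 inline logos trips LimitEntities=64 before raising it. The sample message is constructed to mirror the quarantined newsletter; how IMSS itself counts may differ in detail.

```python
import email
from email import policy
from email.message import EmailMessage

# Values from imss.ini as quoted in the post
LIMITS = {"LimitEntities": 64, "LimitHeaderParams": 100, "LimitHeaders": 500}


def check_limits(raw_bytes):
    """Return {limit_name: (observed, exceeded)} for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    parts = list(msg.walk())                      # every MIME entity, root included
    header_counts = [len(p.keys()) for p in parts]
    # Parameters are the ";"-separated items after a header value, e.g.
    # Content-Type: image/png; name="logo.png" carries one parameter
    param_counts = [str(v).count(";") for p in parts for v in p.values()]
    observed = {
        "LimitEntities": len(parts),
        "LimitHeaderParams": max(param_counts, default=0),
        "LimitHeaders": max(header_counts),
    }
    return {k: (observed[k], observed[k] > LIMITS[k]) for k in LIMITS}


def build_sample(n_images):
    """Constructed sample: a text body plus n_images inline PNG logos in a
    multipart/related message, like the quarantined newsletter in the post."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Company update"
    msg.set_content("Please view this message in an HTML-capable client.")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # not a real image, just bytes
    for i in range(n_images):
        msg.add_related(fake_png, maintype="image", subtype="png",
                        cid=f"<logo{i}@example.com>", filename=f"logo{i}.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for n in (10, 70):
        print(n, "images ->", check_limits(build_sample(n)))
```

Feed check_limits() the raw .eml of the quarantined message to see which limit it actually exceeds; the root entity and the text body count too, which is why 70 images gives 72 entities.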

Tuesday, October 20, 2009

Procedure to reimage IMSA

1.1. Back up the current config: http://www.trendmicro.com/ftp/documentation/guides/IMSA7.0_SP1_AG.pdf (Page 93)

1.2. Save the config file after re-imaging IMSA

1.3. Instructions on how to rescue (re-image) can be found on Page 165. You need to download the Solution CD using this link: http://www.trendmicro.com/ftp/products/imsa/IMSA_7.0_Solution_CD.zip

Thanks Law!

Monday, September 28, 2009

spam pattern update failed

Problem:
My customer reported that he can't perform the update for the spam pattern of IMSS 7.0 Linux.

Refer to the information below:
1. What is the current build of their IMSS 7.0?
* Make sure that the latest patch has already been applied.
Linux_1633

2. What were the last changes made before the issue occurred?
No changes made

3. Are they running another program on the same IMSS server where the database is utilized?
No

4. What are the specs of the server and how many mails are they processing?
PowerEdge 6800 Server (Linux Red Hat Enterprise), 2nd Dual Core Xeon Processor 7120M, 4MB L3 Cache, 3.00 GHz, 800 FSB, 146GB hard drive, 4GB DDR2 RAM

Attached also is a screenshot of the error message. Please find the attached CDT log uploaded at ftp://ftp.myatsc.net/UPLOAD/ACA/ in the MATRADE folder.

Reply from Support:
1. Since the build is 1633 (GM), please download and install the latest service pack and patch: http://www.trendmicro.com/download/product.asp?productid=12

2. If the issue persists after step 1, do the following:
- root# mv /opt/trend/imss/temp /opt/trend/imss/temp_090509
- root# mkdir /opt/trend/imss/temp
- root# chown -R imss:imss /opt/trend/imss/temp
- root# mv /opt/trend/imss/lib/AU_Temp /opt/trend/imss/lib/AU_Temp_090509
- root# mv /opt/trend/imss/lib/AU_Cache /opt/trend/imss/lib/AU_Cache_090509
- root# mv /opt/trend/imss/lib/download /opt/trend/imss/lib/download_090509
- root# chown -R imss:imss /opt/trend/imss/lib/AU_Temp /opt/trend/imss/lib/AU_Cache /opt/trend/imss/lib/download

3. If the issue still persists, do the following:
- Open the file /opt/trend/imss/lib/aucfg.ini
- Change the debug_level from 5 to "-1" without quotes
- Save the changes and do this command: root# /opt/trend/imss/bin/script/S99IMSS restart
- Enable debug log in UI => Log => Settings => Debug
- Reproduce the issue by clicking Update on the Summary page of IMSS for the components to be updated, or wait for the scheduled update to be triggered (screenshot please)
- Collect the following logs
1. All logs inside this folder with the same timestamp as the replication: /opt/trend/imss/log/*
2. Get this file: /opt/trend/imss/lib/AU_Log/TmuDump.txt

patch 1 for sp1 installation problem on IMSA

1. Did the client already update the IMSA to SP1 prior to Patch 1?
2. If yes and this happens, we need to ask the client to collect some logs to analyze:
a. Connect to the IMSA CLI (command line) via SSH
b. Go to $IMSA_Home/cdt
c. Open cdt.ini and change SilentMode=1 to SilentMode=0
bash-3.0# cd /opt/trend/imss/cdt
bash-3.0# vi cdt.ini
d. Save the changes and run it: bash-3.0# ./cdt
e. Select All Events and once the CDT is running, replicate the patch installation.
f. Once the issue occurs, allow CDT to continue running for about 5 more minutes. Afterwards, stop CDT and collect the CDT logs. Move the CDT*.zip to the /tmp folder and, using the UI console, export the logs/CDT. Otherwise, you can try the following to move the logs out of the IMSA.

Transferring files to / from IMSA

=======
Using FTP
=======
Use the ncftp FTP client to access external FTP servers (in our case you can upload to ftp.trend.com.au; user: xxxx and pass: yyyy) and exchange files. The command-line arguments must include the username, the password and the port number if it is not 21:

bash-3.00# ncftp -u -p -P 2121 10.13.130.253
NcFTP 3.1.9 (Mar 24, 2005) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.13.130.253...
transfer Microsoft FTP Service (Version 5.0).
Logging in...
User training logged in.
Logged in to 10.13.130.253.
ncftp / >

Example:

bash-3.00# cd /tmp
bash-3.00# ncftp -u xxxx -p yyyyy ftp.trend.com.au
NcFTP 3.1.9 (Mar 24, 2005) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to ...
transfer Microsoft FTP Service (Version 5.0).
Logging in...
User training logged in.
Logged in.
ncftp / >cd _asiasupport/upload/logs/1-1-271644771
ncftp > put


=======
Using the NFS Client
=======
Using the NFS client from the shell allows one to set up a remote filesystem to which files can be copied:

mount -t nfs -o nolock 10.13.9.186:/data /mnt

Note: Since there is no locking daemon available on IMSA, you have to tell the mount command not to use locking.

These files can then be accessed from non-IMSA devices (Linux, Windows, etc.) that have an NFS client. In other words, on a Windows machine, create a folder and share it (Everyone with Read & Write). Example: I have a machine 10.0.0.1 on which I created an IMSA folder and shared it, so if I access it from Windows it looks like: \\10.0.0.1\imsa

Friday, September 11, 2009

NRS activation problem for IMSS 5.7

Problem:
My customer is still using IMSS 5.7 build 1121 on Windows 2000. No plan to upgrade yet since the hardware is of low spec. Recently he activated the NRS. Upon saving the changes, he received the message below:

-------------------------------------------
The configuration changes have been saved.

However, local DNS server seemed not responding to DNS A-record query for Network Reputation initialization test in time and timed out. As a result, Network Reputation during scan may not be functioning properly. Although mail flow will still continue, it is recommended to follow manual's instructions to troubleshoot, reconfigure and tune local DNS server before fully utilizing this feature.

Some possible reasons may lead to this testing failure are listed here as reference and please refer to manuals for further information:

1. Local DNS server can not respond to A record query.

2. Local DNS server can not look up its root DNS server for sub-domains of a.mail-abuse.com.

3. Slow response from local DNS server and/or intermittent networking connectivity for outgoing DNS queries.

-------------------------------------------

Solution:
Do the following:

1) Stop all IMSS services.

2) Look in the IMSS folder, then back up and delete the following files.

licenseprofile3.dat is for NAS
licenseprofile4.dat is for RBL+

You might not have both files. Just delete these two files if you see them.

3) Restart all IMSS services

4) Enter the NRS Activation Code again.

Open the GUI and click 'Configuration'
Under 'Configuration', click 'Product Licenses'
Under 'Network Reputation Services', click 'View license details'
Enter the NRS Activation Code.

Under 'Configuration', select 'Network Reputation'
Check the box next to 'Enable Network Reputation Service'
Under 'Action:', select 'Default intelligent action'
Click 'Save'

Thursday, August 27, 2009

problem updating your IMSS for Linux?

Look for the TmuDump.txt file located at /opt/trend/imss/lib/AU_Log/TmuDump.txt.
You should find some indication of the problem there. If it looks like garbage to you, send it to Trend Support.

You might want to run the Case Diagnostic Tool as well. Type /opt/trend/imss/cdt/cdt
and the Case Diagnostic GUI will pop up. Follow through the wizard.

Collect the log folder and submit it to Trend Support.

Wednesday, July 29, 2009

IMSS 7.0 and IWSS 3.1 on the same server machine

Issue:
When running both IMSS 7.0 and IWSS 3.1 on the same server machine, I noticed that once the IWSS console service is up, the IMSS console service cannot start, and the same goes the other way around. Is there any workaround for this?

Workaround:
Please note that it is not recommended to install both on the same machine.
The reason is that both Tomcat instances use the same port 8005 to start the service. You need to change the port on either the IMSS or the IWSS Tomcat.

Please do EITHER of the two steps below:
A) On IMSS,
1) Go to \ui\adminUI\conf
2) Edit the file server.xml
3) Search for "8005"
4) Replace it with an available port such as "8006"
5) Save
6) Start "Trend Micro IMSS Web Console" service

OR

B) On IWSS
1) Go to \ui\adminUI\conf
2) Edit the file server.xml
3) Search for "8005"
4) Replace it with an available port such as "8006"
5) Save
6) Start "Trend Micro Interscan Web Security Suite Console" service
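The clash is on Tomcat's shutdown listener (the port in the <Server port="8005"> element; 8005 is Tomcat's default). Added example, not code from either product: it lists the ports each instance's server.xml binds, reports the clash, and changes only the Server port attribute instead of every "8005" string in the file. The two XML strings are constructed stand-ins for the real \ui\adminUI\conf\server.xml files; their connector ports are made up.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the two server.xml files. Only the 8005 shutdown
# port comes from the post; the connector ports are made up.
IMSS_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
  </Service>
</Server>"""

IWSS_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8444" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def tomcat_ports(server_xml):
    """Return {port: role} for every TCP port this server.xml makes Tomcat bind."""
    root = ET.fromstring(server_xml)
    ports = {}
    # <Server port="..."> is the shutdown listener (disabled when set to -1)
    if root.tag == "Server" and root.get("port", "-1") != "-1":
        ports[int(root.get("port"))] = "shutdown listener"
    for conn in root.iter("Connector"):
        ports[int(conn.get("port"))] = "connector " + conn.get("protocol", "HTTP/1.1")
    return ports


def port_conflicts(xml_a, xml_b):
    """Ports bound by both instances, with what each instance uses them for."""
    a, b = tomcat_ports(xml_a), tomcat_ports(xml_b)
    return {p: (a[p], b[p]) for p in sorted(a.keys() & b.keys())}


def set_shutdown_port(server_xml, new_port, other_xml):
    """Rewrite only the <Server port> attribute, refusing a port the other
    instance already binds. A blind search-and-replace of "8005" could also
    hit an unrelated attribute or comment in the file."""
    if new_port in tomcat_ports(other_xml):
        raise ValueError(f"port {new_port} is already used by the other instance")
    root = ET.fromstring(server_xml)
    root.set("port", str(new_port))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", port_conflicts(IMSS_SERVER_XML, IWSS_SERVER_XML))
    fixed = set_shutdown_port(IMSS_SERVER_XML, 8006, IWSS_SERVER_XML)
    print("after: ", port_conflicts(fixed, IWSS_SERVER_XML))
```

ElementTree drops XML comments when it re-serialises, so on the real file make the edit in a text editor as the steps above describe and use tomcat_ports() on the saved file only to verify there is no remaining overlap.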

Thursday, July 23, 2009

replicating imss 7.0 policy and configuration

issue:
The existing IMSS 7.0 server is behaving funny and we suspect that it's going to crash soon. We actually prepared another server with the same IP address and hostname, then started to install IMSS 7.0. Now, how do we replicate the settings from the existing server to the newly installed server?

solution:
Use utilpolicy (you can ask Trend Support or myself for a copy). It's not published in the KB (AFAIK). The tool backs up policies and IMSS settings. It doesn't matter if the database user name and password differ from the earlier server's settings.

Overview of the tool
+++++++++++++++++++++
utilPolicy.exe is a simple tool to import/export policy rules and internal addresses using SQL script.



How to use the tool
+++++++++++++++++++++++++
Run the corresponding command line:
a. To export the policy rules and internal addresses:
utilPolicy.exe -e %exported_file_name%
example: "utilPolicy -e policy.txt"

b. To import the policy rules and internal addresses:
utilPolicy.exe -i %exported_file_name%
example: "utilPolicy -i Policy.txt"

c. Restart the IMSS Policy Service.

Wednesday, June 3, 2009

Questions on IMSS event logs

Questions:
Currently, we found a lot of errors from Trend Micro Interscan Messaging Security Suite (IMSS).
1. What are these errors about?

-----------------error#1----------------------
2009/05/23 00:15:50 GMT+08:00
Write socket FAIL!2009/05/23 00:15:50 GMT+08:00
D1B55AA6-934D-4BF7-AE5F-D8DD6AA7489E
ERROR: id, WRITE ERROR AT 2232
2009/05/23 00:15:50 GMT+08:00
D1B55AA6-934D-4BF7-AE5F-D8DD6AA7489E
>> .\r\n

2009/05/23 00:16:40 GMT+08:00
ERROR: Downstream server close the connection, the reason maybe excess downstream mail size limit or local disk is full.
2009/05/23 00:16:40 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: id, WRITE ERROR AT 1528
2009/05/23 00:16:40 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
>> .\r\n

-----------------end error#1----------------------

2. Where can we configure the period of expiry for the email?
3. Does IMSS notify the user if the message has expired?

-----------------error#2----------------------
2009/05/23 00:24:39 GMT+08:00
f0208a7b-afa8-4e8f-b434-88fe441a1ee7
Push email into OK
2009/05/23 00:24:39 GMT+08:00
BAD MAIL FROM , Unable to deliver message to .
2009/05/23 00:24:39 GMT+08:00
ca273a4c-5244-4507-9df1-b6b030b495da
Push email into OK
2009/05/23 00:24:39 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: AF file expired

2009/05/23 00:24:39 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: ERROR DELIVERING MAIL - TIMESTAMP AND REASON HAS BEEN UPDATED IN AF FILE
2009/05/23 00:24:39 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: MDA finish, delivery fail since , spend <4299633> ms. eMail is deleted

-----------------end error#2----------------------

Answers:

1. The possible reasons for this issue are:
• Issues with the downstream server (e.g. filter settings for attachments)
• Insufficient space in the local hard drive where IMSS is installed
• Compatibility issues with the Gigabit Ethernet Network Interface Card (NIC)

The WRITE ERROR occurs because these required resources for writing data are not available. To resolve the issue, do either of these options:
• Modify the IsntSmtp.ini file
• If IMSS is installed in the local hard drive, make sure that 500 MB (minimum required free disk space) is available for mail storage
• Ensure compatibility if using a Gigabit Ethernet NIC

Modify the IsntSmtp.ini file:
a. Open the ..\IMSS\IsntSmtp.ini file.
b. Add the following parameter under the “[Delivery-Advanced]” section: "Transfer827=yes"
c. Save the changes.

Ensure compatibility if using a Gigabit Ethernet NIC:
a. Upgrade the NIC driver or downgrade to a 100 Mbps network card.
b. If using either a half-duplex or full duplex setting, change the switch from one setting to the other by configuring the port switch.

2. Where can we configure the period of expiry for the email?
==> You can configure it through:
a. IMSS console > Configuration > SMTP Routing > Delivery > Advance
b. Check 'Maximum retry period' value. This is the period of expiry for the mail.


3. Does IMSS notify the user if the message has expired?
==> By default, IMSS sends an NDR notification to senders if the mail(s) were not successfully sent.
You can also check these settings in \ISNTSmtp.ini:

[Delivery-Advanced]
MaximumHopCount=15
MasqueradeDomain=
DisableReceivedHeader=no
DNSAuthoritativeBitCheck=no

Tuesday, May 19, 2009

Mail queue issue

Question/Concern/Inquiry:
A customer reported that his IMSS 7.0 has a problem with the mail queue. He started to notice this problem early last week. The delivery queue could grow to thousands. Restarting the SMTP service decreases the queue number, but after a while it grows again.

I noticed the following error in the System Event log since the date my customer noticed the problem:
"April 20, 2009 8:00:10 PM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocess: Smtp server responded error with:"

Solution/Recommendation:
Based on your message, you have a queuing issue. This was caused by DNS, policy and network connection problems. In the logs:

==
April 24, 2009 11:42:23 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocess: Smtp server responded error with:
April 24, 2009 11:44:34 AM,abcmail,IMSS Daemon is stopped
April 24, 2009 11:45:08 AM,abcmail,IMSS Daemon Service starts running .....
April 24, 2009 11:45:25 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocessbig: Smtp server responded error with: 421 Internal configuration error
April 24, 2009 11:45:25 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocess: Smtp server responded error with: 421 Internal configuration error
April 24, 2009 11:48:39 AM,abcmail,IMSS Daemon is stopped
April 24, 2009 11:48:51 AM,abcmail,IMSS Daemon Service starts running .....
April 24, 2009 11:49:15 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocessbig: Smtp server responded error with: 552 Message exceeds fixed maximum message size
==

You have a lot of messages queued in \IMSS\queue\reprocess. This only happens when:
* Administrator requested reprocessing of the quarantined mail
* When the action "Change recipient to" is performed
* When the action "Send notifications" is performed and is configured to attach the original mail

To isolate the issue, do the following:
1. Do you have a policy (for example a SPAM policy) with a "change recipient" action? Do you also have a "send notifications" action? Or do you frequently "reprocess" the quarantined messages, for example with "resend"?
2. If you have a lot of messages in \IMSS\queue\reprocess folder, do these:
a. Stop IMSS services
b. Rename the \IMSS\queue\reprocess folder (for example, to reprocess_old)
c. Create a new one (for example, reprocess under \IMSS\queue\) and restart the IMSS services

3. Please try increasing the following values on imss.ini to improve the performance of the scanner:

=======================
proc_max_worker_proc=25
proc_thread_per_proc=15
=======================

Save the changes and then restart the IMSS services and see if the problem will still persist.

4. Please check in tsmtpd.ini and set IdleWaitingSecond to "60". See below:

FROM
==
# 9.2
# SMTP client session timeout (seconds).
# If server does not respond for timeout period, then close session.
# Recommended maximum = 60 (to avoid wasting time on dead mails)
#
#IdleWaitingSecond=30
==

TO
==
# 9.2
# SMTP client session timeout (seconds).
# If server does not respond for timeout period, then close session.
# Recommended maximum = 60 (to avoid wasting time on dead mails)
#
IdleWaitingSecond=60
==

Save the file and restart IMSS SMTP service

5. Also, move the files under /mque/resend/ to mque/outbox/pool, then:
a. Restart the "Trend Micro IMSS SMTP Service"
b. Observe for a few minutes
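A small parser for the System Event log lines quoted above, as an added example (not Trend Micro's code): it groups the "Smtp server responded error with" entries by queue folder and SMTP reply code and counts daemon restarts, so a transient 4xx storm can be told apart from permanent 5xx rejections before the reprocess folder is renamed. The sample lines are constructed after the ones in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the lines quoted in the post
# (format: "<timestamp>,<hostname>,<message>")
SAMPLE_LOG = """\
April 24, 2009 11:42:23 AM,abcmail,Mail Sender processing folder C:\\Program Files\\Trend Micro\\IMSS\\queue\\reprocess: Smtp server responded error with:
April 24, 2009 11:44:34 AM,abcmail,IMSS Daemon is stopped
April 24, 2009 11:45:08 AM,abcmail,IMSS Daemon Service starts running .....
April 24, 2009 11:45:25 AM,abcmail,Mail Sender processing folder C:\\Program Files\\Trend Micro\\IMSS\\queue\\reprocessbig: Smtp server responded error with: 421 Internal configuration error
April 24, 2009 11:45:25 AM,abcmail,Mail Sender processing folder C:\\Program Files\\Trend Micro\\IMSS\\queue\\reprocess: Smtp server responded error with: 421 Internal configuration error
April 24, 2009 11:49:15 AM,abcmail,Mail Sender processing folder C:\\Program Files\\Trend Micro\\IMSS\\queue\\reprocessbig: Smtp server responded error with: 552 Message exceeds fixed maximum message size
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M),"
                     r"(?P<host>[^,]+),(?P<msg>.*)$")
SENDER_RE = re.compile(r"Mail Sender processing folder (?P<folder>.+?): "
                       r"Smtp server responded error with:\s*(?P<code>\d{3})?\s*(?P<text>.*)$")


def parse_line(line):
    """Split one event-log line into timestamp, host and message (None if unmatched)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Return (per_folder, restarts). per_folder maps a queue folder name to a
    Counter of SMTP reply codes ("<none>" when the downstream server closed the
    connection without replying); restarts counts daemon start-ups."""
    per_folder = defaultdict(Counter)
    restarts = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msg"].startswith("IMSS Daemon Service starts running"):
            restarts += 1
            continue
        m = SENDER_RE.match(rec["msg"])
        if m:
            folder = m["folder"].rsplit("\\", 1)[-1]   # reprocess / reprocessbig
            per_folder[folder][m["code"] or "<none>"] += 1
    return dict(per_folder), restarts


def classify(code):
    """Map a reply code to what the reply above says the queue growth means."""
    if code == "<none>":
        return "no reply: downstream closed the connection (check downstream server and disk space)"
    if code.startswith("4"):
        return "temporary failure: retried, so the queue keeps growing (DNS/network/downstream)"
    if code.startswith("5"):
        return "permanent rejection (e.g. size limit): retrying will not help"
    return "unknown"


if __name__ == "__main__":
    folders, restarts = summarize(SAMPLE_LOG)
    print("daemon restarts:", restarts)
    for folder, codes in folders.items():
        for code, n in codes.items():
            print(f"{folder}: {n} x {code} -> {classify(code)}")
```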

Thursday, February 12, 2009

Interpreting the X-header




What does the X-header mean?
++++++++++++++++++++++++

The first line details the product in use, which is IMSS version 7, and the spam pattern information, as highlighted in green.

The second line indicates the spam score for the message is 12.814 whereas the detection threshold is 6.0. The value ‘1’ indicates it is detected as a spam.

Report false-positives?
+++++++++++++++++

This can be done by following the steps below:
a. Save the original copies of the spam emails received in *.msg or *.eml format.
b. Put all the samples in a folder and compress/zip it with a password (example: novirus).
c. Send the message to the following email addresses:

Address false-positives to: false[at]support.trendmicro.com.

Address false-negatives to: spam[at]support.trendmicro.com.

Trend Micro anti-spam engineers will fine tune their processes to avoid such incidents from happening again.

Friday, December 19, 2008

MSDE/ SQL 2005 database installation

Something to take note of when you install IWSS, IMSS or TMCM, which require a database component: if your option is to install the MSDE/SQL 2005 database, make sure the authentication option is set to 'SQL Server Authentication'. If you are installing on an existing SQL server, choose Mixed Authentication Mode.

You may refer to this knowledge base from Microsoft website should you need to verify and change the system administrator password in MSDE or SQL Server 2005 Express Edition.

Thursday, August 14, 2008

Reset IMSS 7.0 for Linux console

Thanks to CK for sharing this.

Please do the following using the psql tool that comes with PostgreSQL:

1. Run "/opt/trend/imss/PostgreSQL/bin/psql imss sa" command.
2. Run the following psql commands:

• Imss=# update tb_administrator set md5_digest='18e143b754dc7690ca2ab8ddcd0bfbe8' where admin_id=1;

Note: Optionally you can use "admin_name” as WHERE condition.

3. Verify that the password has been changed by executing the following command:

• Imss=# select admin_id, md5_digest from tb_administrator;

The result should be:

admin_id | md5_digest
---------+----------------------------------
       1 | 18e143b754dc7690ca2ab8ddcd0bfbe8

Important: After following the above procedure, the password will be reset to the default "imss7.0" without the quotes.

Thursday, July 31, 2008

Functions of the subfolder under mque folder

This is for IMSS 7.0 on the Windows platform. If you are wondering what the subfolders are for, read the following:

Location of the folder C:\Program Files\Trend Micro\IMSS\mque

TMP folder - Incoming mails
INBOX - mails ready for scanning
PROC - Scanning phase
OUTBOX - Delivery phase
RESEND - for mail resending
FROZEN - mails that have already reached the maximum retry period.

These folders are used by IMSS when processing mails. Once IMSS receives a mail, it is placed in the TMP folder. If IMSS is not free to process the mail, it is moved to the INBOX folder. IMSS then moves the mail to the PROC folder for scanning. Once scanning is finished, the mail is moved to the OUTBOX folder for delivery. If the mail cannot be sent, it is moved to the RESEND folder for resending. If the mail has already reached the maximum retry limit, it is moved to the FROZEN folder.