If anti-spam detects an e-mail as not definitely categorized as clean, it moves the e-mail to the "Temporary Quarantine" for 50 minutes to re-scan it with updated anti-spam databases. 

If upon after this 50 minutes' time the e-mail is not defined as spam, it is released automatically without any interaction with the user. 

The administrator has an option to manually release such e-mails from "Temporary Quarantine" before the 50 minute period ends. At the same time, the e-mail will remain in quarantine with the status "Released".

If multiple e-mails are selected in Security for Microsoft Office 365, they cannot be saved to disk. You can only save them one by one.

KSO365 is a cloud solution. It does not work in the cloud by itself but together with Microsoft Exchange Online (EOL) and its anti-spam and anti-virus protection.

In more than 95% of cases, Microsoft Forefront (Ff) performs the spam and virus scans first, due to Microsoft's cloud architecture. Thus, if Ff has identified an email as spam, virus, phishing, etc., and has done with it any action (according to the settings) except “Skip”, we do not check this email and do nothing with it. We cannot change the verdicts given by other applications.

If an email went to the user's box without Ff detects or with the “Skip” action, KSO365 comes into play. It performs all the scans that the user has enabled, gives its verdicts and performs the actions configured by the user. Special mention should be made of the SCL parameter, which is necessary when working with spam detection. This is the only general letter parameter that KSO365 can change but only upwards.

Scenario:

Phishing links are detected but some emails are allowed through, even though the selected Action is Move to Junk Email folder .

Solution:

The original e-mail was already located in the Junk folder when our product started to scan it.

The "Allow through" action was performed, in this case it means that we've added the phishing tag to the e-mail and left it in the Junk folder.
Most likely this e-mail was detected by some third-party anti-malware/phishing solution (Microsoft anti-malware filters in EWS, for example) and was moved to Junk, then we've scanned it and there was nothing to do with it except adding the tag to it.

When administrator attempts to establish a connection between KS4O365 workspace and their Exchange online organization by doing the following in the administration console:

Office 365 connection → Exchange Online connection → Grant Access →  passes the consent validation algorithm but in the end gets the Error processing the request error:

This error is usually triggered by the browser settings on the client host that is performing the consent validation. 

Upon executing consent validation algorithm we get the access token from Microsoft. Then we redirect browser to our web site's URL and attach access token as a cookie. Upon redirecting, cookie with access token is lost/blocked somehow, usually this is caused by one of the following reasons:

1. Browser filters cookies on its own. For instance due to some extensions, browser settings, or due to some beta version of browser with paranoid default security settings. 
2. Some 3rd party program, for example a file anti-virus, is blocking access to the file with the browser's cookies on the local hard drive. 

Thus, the following action plan is suggested.

Step-by-step guide

Clear all history, cache and cookie in the web-browser, restart it and check the reproduction.
If it doesn’t help, then please make sure that the same error occurs if you try to do the same operation in another web-browser supported by the product (https://support.kaspersky.com/KS4MO365/1.2/en-US/141858.htm) or in incognito mode of the browser. Also, temporarily disabling anti-malware solutions or any 3-rd party products that might be blocking/locking/inspecting browser's cookie files is called for.

If the issue will persist, then please do the following:

1. Open Google Chrome web-browser.
2. Press F12 keyboard button.
3. Enable Preserve log option in Network tab.
4. Reproduce the whole scenario from the begging (log into business hub account) and the issue itself.
5. Make an error screenshot with time stamp.
6. Export Network debugging results to HAR-file.
7. Provide HAR-file + screenshot to the Kaspersky Support. Also we will be interested in the URL that will be shown when the error will pop-up in the browser.

Problem

OAuth consent validation algorithm is the same for Exchange online, OneDrive and SharePoint online. 

Initial steps of consent validation algorithm are basically the following:

1. A user is redirected to the Microsoft website, where the user agrees to provide necessary permissions for our Azure application.
2. KS365 receives an OAuth callback confirming that the consent was received. But we do not trust this callback as it can be forged.
3. The user is redirected to the Microsoft website to receive an access token that will be used for the validation of the user authenticity.
4. KS365 receives the callback with the access token. After that, the user is redirected to the KS365 website, where the user's session will be started.

Step-by-step guide

When the user is redirected back to our website on the 4th step, they can encounter the HTTP 401 error:

In theory, the user should have successfully authorized as all the necessary data is stored in the browser cookies. Thus, the issue must be on the user's browser side.

In such cases, we recommend to attempt the following:

1. Try to add the integration with Exchange Online/Sharepoint Online/OneDrive in a different browser (or even try a different host with different browser versions/settings).
2. Check browser settings related to cookies: if they are supported/enabled, try disabling auto-delete of cookies if it is enabled, etc.

Why are emails detected by Microsoft Exchange Online not being detected by KS365? Because "first come, first served"?

Yes. In more than 95% of cases, Microsoft Exchange anti-malware and anti-spam filters are processing all objects before KS4O365. That being said, all the detections performed by our application are actually detections of mail flow that has already been scanned by Microsoft filters if they are not disabled.

If some email was already scanned and quarantined by Microsoft, then we do not receive it for scanning, as it was already done on the Microsoft side.

Access to the Microsoft quarantine is carried out immediately after the issuance of the consent. Additional quarantine access accounts, that were subject to the MFA restriction in the previous versions, are no longer required for quarantine access. The connection is carried out using the application to which the consent is issued.

Is there any capacity limit of mails in the Quarantine zone? If any, can we modify it?

Unfortunately, there is no possibility to customize this setting per user, it is hardcoded in the product (30 days for objects in the backup and 92 days for statistics). 

Is there any limit on the number of emails that can be stored in the Quarantine?

On the KS4O365 side, there isn't a limit to the number of emails that can be saved in the backup. KS4O365 stores only metadata information about the emails in the backup, which is quite small in comparison to the email itself.

Whereas the backup emails themselves are stored in the mailbox (in a hidden folder) on the Exchange online server that hosts mailboxes. When the object is restored from the Quarantine, the email from a hidden folder is simply moved to the inbox.
That being said, the only limit that can be identified in the said scenario is the one from the Exchange online itself (the size of the mailbox for a particular user). I.e. if the total amount of emails in the inbox + emails in the backup will hit the limit of the free space in the Exchange Online mailbox, then the you will need to increase the size of the mailbox or remove the exceeding emails, etc.

The emails from quarantine can be deleted from the Quarantine tab of the console, there you can also sort by date to delete the old ones.

Description

When installing or upgrading KSE, you may encounter various issues when installing or starting our service. If a user has repeated the installation many times and changed many settings manually, we recommend to remove KSE completely using the instructions below. 

Cause

There are files that remain in the system from a previous KSE installation, so a new installation cannot be successful.

Solution

Delete the remaining KSE files from the Exchange server manually. Follow the instructions below.

1. Delete all the remaining KSE agents. To do so, start Exchange Management Shell and run the following command:

       If the KSE agent is on the list, run the command:

2. Run the following command:

See what KSE agents are on the list.

Run the command below for every KSE agent.

For example:

Insert the names of KSE agents from your list.

3. Restart the Transport Agent service using the command:

4. To make sure that there are no more KSE agents, run the following commands again:

and

5. Set Disabled for Kaspersky Security For Microsoft Exchange Servers service startup and stop our service.

6. Import the removeregkeys.zip archive to the registry.

7. Restart the MSExchangeIS service:

8. Remove the folder where KSE was installed.

If possible, restart the server.

The table below contains the criteria for Kaspersky Security for Microsoft Exchange Servers 9.0 MR6 settings health check. Using the settings as specified in the table ensures meeting the recommended security level of the system.

In order to send messages from backup with headings without saving them, please navigate to:

In most cases the issue is related to processing downloaded bases on the server drive.
Databases are downloaded from our sites successfully, but the problem appears during compiling and copying the downloaded bases locally on the KSE server.
Such behavior may be caused by the following:

1. Not configured exclusions for KSE in Kaspersky Security for Windows Server or Kaspersky Endpoint Security.
2. Other utilities (backup, for example), that may interfere with the file processing.
3. Incorrect operation of the delete function on high-speed drives, for example, SSD drives.

Solution:

1. Configure Kaspersky Security for Windows Server or Kaspersky Endpoint Security for correct simultaneous work with KSE. Completely exclude the KSE folder, all subfolders and KSE processes from the scan scope: 

Kavscmesrv.exe 
Antiphishing.OutprocScanner.exe
Antispam.OutprocScanner.exe
Antivirus.OutprocScanner.exe
Kse.Ksn.exe
Kse.Licensing.exe
Kse.Updater.exe 

2. Set the startup type of KSE service to manual.

3. Stop the KSE service.

4. If issue is related to corrupted AS bases, delete all contents from the folders:

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\as\bases 
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\cache

If issue is related to corrupted AV bases, delete all contents from the folders:

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache

If issue is related to corrupted AS and AV bases, delete all contents from the all folders:

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\as\bases 
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\cache
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache

5. Set the startup type of KSE service back to automatic/ automatic (Delayed Start), as it was before adjustment at step 2.

6. Start the KSE service.

7. Update anti-spam or/and anti-virus bases manually through KSE Management Console.

8. If the issue persists, contact Kaspersky Support.

Version: Kaspersky Security for Exchange 9.5.10000.64, 9.6.96

Scenario

In Kaspersky Security 9.0 for Microsoft Exchange Servers  there's the following error event: "AM Error Kernel: The Anti-Virus (Anti-Spam) module has been switched to limited scan mode for next 30 minutes. Some objects may be skipped without being scanned."

The same error message appears on the KSE console:

Solution

Sometimes Exchange tries to give KSE more emails to check than KSE is able to to check. In order to prevent delays in mail delivery, the anti-virus or/and anti-spam engine switches to a special mode of operation called "Limited scan mode".

This mode lasts for 30 minutes. During this period, some emails may be skipped for checking.
The transition to normal mode is carried out automatically after the time specified above.
You can find out about this mode of operation in our Online Help:

https://support.kaspersky.com/KS4Exchange/9.6/en-US/28854.htm
https://support.kaspersky.com/KS4Exchange/9.6/en-US/99915.htm
https://support.kaspersky.com/KS4Exchange/9.6/en-US/28871.htm

Completely exclude the KSE folder with all its subfolders and all KSE processes from the scan scope:

Kavscmesrv.exe 
Antiphishing.OutprocScanner.exe
Antispam.OutprocScanner.exe
Antivirus.OutprocScanner.exe
Kse.Ksn.exe
Kse.Licensing.exe
Kse.Updater.exe

Description

When upgrading KSE, the following error can occur: 

The CheckFilesLockActionStep action resulted in an error:
File C:\Program Files(x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\NativeResources.dll is locked.

The installation log contains the following:

Exception: System.ApplicationException: File C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\NativeResources.dll is locked.

Solution

This error means that somewhere (locally or remotely) Event Viewer is open and viewing events from this server. The best solution is to find where Event Viewer is open, close it and repeat the installation.

The second solution: you need to find the file from the error message in the specified folder, rename it and then move it to any other folder (for example, to the Desktop). Then repeat the upgrading or click the Retry button. After installing KSE, you can remove this file. A new one will already be in the installation folder. 

Scenario

Kaspersky Security for Exchange installation failed with the following error: "Failed to grant rights to run under a different name (impersonation) for Kse Watchdog Service".

Solution

If you get the error message about impersonation, execute the following command in PowerShell:

Add-PsSnapin Microsoft.Exchange.Management.PowerShell.E2010
Remove-ManagementRoleAssignment KSE_IMPERSONATION -Confirm:$False

Press the Retry button.

Problem Description, Symptoms & Impact

Sometimes an error might occur when installing KSE:

KseCheckServicePortIsFreeActionStep has completed with an error: Service network port 13100 is occupied by another application…

Diagnostics

• Screenshot or KSEInfoCollector.

•  Make sure that port 13100 is open and not used by any application, and repeat the installation. This can be done using the command below. You will see a chart with a process ID (PID column) next to the address and port:

netstat -aon | findstr 13100

• You can then find this process by the ID in Task Manager or using the command below. Use the process ID you found in the previous command instead of the %PID% below:

tasklist /fi "pid eq %PID%"

Example

tasklist /fi "pid eq 18060"

Workaround & Solution

There's no way to change the port used by KSE. So, the only option here is to free the port used by an application and repeat the installation.

Sometimes ISS or W3WP.exe might be using the port. In some cases, this port is occupied after the Exchange updates, and the port should be released after the server restart.

RCA

Some application is using the port 13100.

Scenario

In certain cases one may need to move an SQL database that stores KSE operational data to another SQL server/instance. The following procedure can be used to achieve that:

Step-by-step guide

1. Change the startup type of KSE services to Manual.
2. Stop the KSE services which use this database (may be located on several hosts in case of DAG, for example).
3. Create a backup of the KSE database using MS SQL tools.
4. Restore the database on a new SQL server/instance using MS SQL tools.

5. Assign the required rights for this database according to this article.

6. Manually edit the file BackendDatabaseConfiguration*.config on every KSE server that will use this database. See this article for instructions. 

7. In the scenario when KSE doesn't use the DB default port, we must edit the BackendDatabaseConfiguration*.config file properly, here is an example when custom port is 1435:

   <SqlServerName>sqlag02ls,1435</SqlServerName>

8. Manually change the values of BackendDatabaseName and BackendSqlServerName with the new ones in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Server" on every KSE server that will use this new database.

9. Return the startup type for the KSE services back to original values.
10. Start the KSE services.
11. Verify that there are no errors in event logs after the service will be started.

Administrator receives the notification about outdated anti-spam (AS) and/or anti-virus (AV) bases because a large time interval for updating AS and/or AV databases is set (every 5 hours or more for AS and every 24 hours or more for AV). Anti-spam and anti-virus bases should be updated much more often. Accordingly, Kaspersky Security Center should also update anti-spam and anti-virus bases more frequently.

The best way is to update anti-spam bases directly via Internet from Kaspersky Update servers every 5 minutes. Anti-virus bases should be updated every 1 hour.

If it is not possible, try to update Kaspersky Security Center and Kaspersky Security for Microsoft Exchange anti-spam bases every 30 minutes or every 1 hour, but in this case you should not expect a high spam detection rate.

To install the solution in the silent mode, run the command line with administrator rights and execute the following command: 

 msiexec /i "<PATH_TO_MSI>" /qn ADDLOCAL="<FEATURES>" SQL_SERVER_NAME="<SQL_SERVER_NAME>" BACKUP_DATABASE_NAME="<DATABASE_NAME>" SQL_ACCOUNT_DLG_USER_TYPE="UserAccount" SQL_ACCOUNT_DLG_USER="<UserName>" SQL_ACCOUNT_DLG_PASSWORD="<Password>" SERVICE_ACCOUNT_DLG_USER_TYPE="UserAccount" SERVICE_ACCOUNT_DLG_USER="<UserName>" SERVICE_ACCOUNT_DLG_PASSWORD="<Password>" INSTALLDIR="<INSTALLATION_DIRECTORY>" DATADIR="<DATA_DIRECTORY>" /l*vx "<LOG_FILE_PATH>"

<PATH_TO_MSI>  - path to the installer msi file. For example, "c:\temp\kse80_en_us.msi"

<FEATURES> - list of components.

Examples:

All components: Anti-Spam, Anti-Virus for hub, Anti-Virus for mailbox, DLP, Administration console:

"Antispam,AvVsapi,Antivirus,AdminConsole,Service,Feature.Complete"

Console only:

"AdminConsole,Feature.Complete"

Anti-Spam only:

"Antispam,Service,Feature.Complete"

Only Anti-Virus on Hub:

"Antivirus,Service,Feature.Complete"

Only Anti-Virus on Mailbox:

"AvVsapi,Service,Feature.Complete"

The Feature.Complete component must always be incuded. The Service component must be included in all cases except for Console only installation.

<SQL_SERVER_NAME> - MS SQL SERVER name.

For example, MYSERVER\SQLEXPRESS. It is not possible to use a dot to specify a current server.

<DATABASE_NAME> - name of the database.

For example, "SecurityForExchange".

Parameters SQL_ACCOUNT_DLG_USER_TYPE, SQL_ACCOUNT_DLG_USER and SQL_ACCOUNT_DLG_PASSWORD are used for specifying a user account for accessing the SQL Server. If they are not specified, the application will use the parameters of the account under which installation is performed.

Example:

SQL_ACCOUNT_DLG_USER_TYPE="UserAccount" SQL_ACCOUNT_DLG_USER="Domain\Username" SQL_ACCOUNT_DLG_PASSWORD="Password"

Parameters SERVICE_ACCOUNT_DLG_USER_TYPE, SERVICE_ACCOUNT_DLG_USER and SERVICE_ACCOUNT_DLG_PASSWORD are used for specifying a user account under which the application service will run. If they are not specified, the service will run under the Local System account.

Example:

SERVICE_ACCOUNT_DLG_USER_TYPE="UserAccount" SERVICE_ACCOUNT_DLG_USER="Domain\Username" SERVICE_ACCOUNT_DLG_PASSWORD="Password"

<INSTALLATION_DIRECTORY> - path to the installation folder, by default: %ProgramFiles(x86)%.

<DATA_DIRECTORY> - path to the data folder. By default it is located in the installation folder.

<LOG_FILE_PATH> - path to log files, for example, "c:\temp\kseinstall.log"

Version: Kaspersky Security for Exchange 9.0 MR5 (9.5.10000.64)

Scenario

The following error message appears:

"Access denied. To manage application features, the user's account must be added to one of the following Active Directory groups:

• KSE Administrators
• KSE AV Security Officers
• KSE AV Operators
• KSE Security Officers."

Solution

This error means that the account under which the KSE management console is running is not part of any of the KSE management groups listed above in the error text.

The user needs to decide what role the user’s account will perform and include this account in the corresponding KSE group created in their Active Directory (AD).

You can learn more about the roles in our Online Help:
https://support.kaspersky.com/help/KS4Exchange/9.5/en-US/81511.htm

It is impossible to detect .bat and .cmd files by format, because these are regular plain text files.

If you want to block attachments, you can only configure detection of these files by masks: *.bat, *.cmd.

Please check the section "Configuring the general settings and conditions of rules" of the sites https://support.kaspersky.com/KS4Exchange/9.6/en-US/166855.htm

Add a condition for the Attachment filtering rule and select File name mask instead of File format and then add *.bat or *.cmd to the list.

There're only two known errors during KSMG installation. 

First one: 

Above error means that DNS and/or DHCP servers are not accessible.  Please reinstall and make sure that DNS and/or DHCP is configured properly.

Second error:

To fix the error just delete created VM and create a new one.