www.mcafee.com
Table of Contents
Introduction . . . 1
Scanning in GroupShield . . . 1
McAfee Transport Scanning . . . 1
Scanning with VSAPI v2.5 and v2.6 . . . 1
New Features . . . 1
Exchange Server Versions and Roles supported by GSE 7.0.1 . . . 2
GroupShield Installation and options . . . 2
Buffer Overflow Protection . . . 2
Blocking Unsolicited Bulk Mails . . . 3
Installation and Configuration (Best Practices) Based on Exchange Version and Role . . . 3
Exchange 2003 Server in Bridge Head Server Role . . . 3
Settings and Diagnostics . . . 3
Exchange 2003 Mailbox Server Role . . . 4
Settings and Diagnostics . . . 4
Exchange 2007 Mailbox + Hub Role (Typical setup) . . . 4
Settings and Diagnostics . . . 5
Exchange 2007 Mailbox Only Role . . . 5
Exchange 2007 Hub Transport Role . . . 6
Exchange 2007 Edge Server Role . . . 6
Clustering on Exchange 2003 . . . 6
Clustering on Exchange 2007 . . . 6
Scheduling Tasks in GSE 7.0.1 . . . 7
Policy Manager . . . 8
On-Access Settings . . . 8
Common Settings Applicable to All Exchange Versions and Roles . . . 8
User Interface Preferences . . . 9
New Features
New DHTML based (non-Java) web user interface
Integration with V2 API scanning DATs and engine
Capability of detecting more recent threats like PUPs and packers
Supports micro-incremental AVVDAT update, incremental AVVDAT update and component based AV engine update
Live streaming update for more accurate spam detection
Integration with SpamAssassin SDK 2.1 for phishing detection
Improved local quarantine management using Postgres database
New centralized quarantine management using McAfee Quarantine Manager v5.0
Graphical reporting for detections
Dashboard graphs and detection counters
New detection type based segregation in Detected Items Database
Option to submit samples to McAfee Avert Labs
Centralized alert, rules and scanner settings
Filter for detecting protected content (password protected MS Office files)
Filter for detecting password protected archive files (ZIP, tar and RAR files)
Filter for removing unwanted scripts and ActiveX components in an HTML file
Filter for detecting and managing partial and broken MIME messages
Handling different encodings for MIME messages
Separate filter for detecting encrypted and corrupted attachments
Time based scanning for all scanners and filters
Sub-policy creation and editing the policy priorities
Support for Exchange 2007 server in Mailbox, Mailbox+Hub, Hub Transport, and Edge Transport roles
Scanning using VSAPI version 2.6 for Exchange 2007 server mailboxes
Improved background scanning options for Exchange 2007 server
Scheduling background scanning
Option to have both VSAPI and McAfee Transport Scanning enabled
Direction-based Transport Scanning: option to scan inbound, outbound and/or internal mails
Option to purge and optimize detected item database
Option to purge DATs folder
Option to personalize dashboard settings and graphical reports
Option to reset the product configuration settings
Usage of AV stamping feature between GSE installed on Edge Transport, Hub Transport, and Mailbox roles to prevent re-scan of already scanned mails by a specific DAT version
IPv6 integration
Scheduled status and configuration report
Buffer Overflow Protection

To use this feature from GSE 7.0.1, McAfee VirusScan Enterprise (VSE) version 8.5i must be installed before running the setup. After VSE is installed, when the user selects the buffer overflow option during setup, the installer adds the important GSE 7.0.1 processes to VirusScan's registry value AdditionalBOPProcesses under HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\BehaviourBlocking. Currently the following GSE 7.0.1 processes are protected from buffer overflow attacks:
RPCServ.exe
PrfCtrs.exe
RunScheduled.exe
SAFeService.exe
SDEDIT.exe
StandaloneUI.exe
For a customer who has VirusScan installed on the Exchange server, we recommend selecting buffer overflow protection during installation. Note that buffer overflow protection is not available on 64-bit servers.
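The following PowerShell script is an added example, not part of the McAfee paper: it reads the AdditionalBOPProcesses value under the VirusScan registry key named above and reports which of the six GSE 7.0.1 processes are missing from it, so an administrator can confirm after installation that the buffer overflow protection option actually took effect. It assumes the value is stored as a single string with the process names separated by commas, semicolons or whitespace (or as a multi-string value); if your VSE build stores it differently, adjust the split in Get-BopProcessList.

```powershell
# Added example (not McAfee's code): verify that VSE buffer overflow protection
# covers the GSE 7.0.1 processes listed in the paper.
# Assumption: AdditionalBOPProcesses is REG_SZ (separator-delimited) or REG_MULTI_SZ.

$KeyPath   = 'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\BehaviourBlocking'
$ValueName = 'AdditionalBOPProcesses'

# Processes the paper says the GSE installer adds to the protection list.
$ExpectedProcesses = @(
    'RPCServ.exe', 'PrfCtrs.exe', 'RunScheduled.exe',
    'SAFeService.exe', 'SDEDIT.exe', 'StandaloneUI.exe'
)

function Get-BopProcessList {
    # Returns the process names currently in the registry value, or an empty array.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    $raw = $item.$Name
    # REG_MULTI_SZ arrives as a string array; REG_SZ as one string (assumed delimited).
    if ($raw -is [array]) {
        return @($raw | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return @(($raw -split '[,;\s]+') | Where-Object { $_ })
}

function Test-GseBopCoverage {
    # Compares expected against actual (case-insensitive) and lists what is missing.
    param([string[]]$Expected, [string[]]$Actual)
    $missing = @()
    foreach ($p in $Expected) {
        if (-not ($Actual | Where-Object { $_ -ieq $p })) { $missing += $p }
    }
    [pscustomobject]@{
        Protected = $Expected.Count - $missing.Count
        Missing   = $missing
    }
}

if (-not (Test-Path $KeyPath)) {
    # The paper notes BOP is unavailable on 64-bit servers; a missing key is the usual symptom
    # there or when VSE 8.5i is not installed at all.
    Write-Warning "VSE key not found at $KeyPath; VirusScan Enterprise 8.5i may not be installed."
    return
}

$actual = Get-BopProcessList -Path $KeyPath -Name $ValueName
$result = Test-GseBopCoverage -Expected $ExpectedProcesses -Actual $actual

if ($result.Missing.Count -eq 0) {
    Write-Host "All $($result.Protected) GSE 7.0.1 processes are listed in $ValueName."
} else {
    Write-Warning ("GSE processes not covered by buffer overflow protection: " + ($result.Missing -join ', '))
}
```

Run it in an elevated PowerShell session on the Exchange server after setup; a warning listing missing processes means the installer did not update the value (for example because VSE was installed after GSE, the paper's stated ordering requirement).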
Custom: This option is for advanced and customized installations. The user can choose to install GSE 7.0.1 with the standalone UI and/or the web based UI. You can also choose to install only the UI part of GSE 7.0.1 without installing the scanning components. With only the UI installed, the user can connect the interface to another GSE 7.0.1 server installed and available in your network. After GSE 7.0.1 is installed successfully, the installer prompts the user with three options:
Open the Readme/User Guide
Run Product Update
Launch the Product User Interface
Select all three options to ensure you read the user guide, update the product with the latest virus and spam definitions, and launch the user interface.
Installation and Configuration (Best Practices) Based on Exchange Version and Role
Exchange 2003 Server in Bridge Head Server Role
Bridge head servers are typically used as mail routing servers that deliver inbound messages to the respective mailbox servers. If the server has VirusScan 8.5i installed, we recommend choosing the buffer overflow protection option during installation. Select the Anti-Spam for GroupShield add-on; this enables GSE 7.0.1 to block unsolicited mails and phishing attacks at the gateway and so prevents unwanted messages from reaching the mailbox server. The bridge head server is directly exposed to all types of inbound and outbound messages in the network, so administrators may prefer not to have the web component of IIS installed on bridge head servers. When installing GSE 7.0.1 on an Exchange server without IIS installed, select the Typical installation option, which installs only the standalone UI.
Settings and Diagnostics

VSAPI Scan Settings: VSAPI settings can be disabled on a bridge head server.
Exchange 2003 Mailbox Server Role

VSAPI Scan Settings: Exchange 2003 uses VSAPI (Virus Scanning API) version 2.5, a virus scanning API provided by Microsoft that enables third party anti-virus vendors to write virus scanning applications for Microsoft Exchange. When a new message reaches the information store, VSAPI notifies GroupShield to scan it. The email message (MIME) is decomposed into its MIME parts (header, subject, mail body and attachments) and handed over to GroupShield for scanning. Unlike the McAfee Transport Scanner, where GroupShield acts on the entire MIME message, with VSAPI the scanning is done on each MIME part or item. VSAPI gives a few more useful scanning options, proactive scanning and background scanning, and it can also scan the outbound messages in the Outbox and Sent Items folders.

Proactive Scanning: Puts unscanned and modified messages in the scanning queues based on priority. Message attachments are put in the priority 1 queue and message bodies in priority 2.

Background Scanning: Scans the messages in user mailboxes and public folders whenever a new version of the DATs (virus definitions) is updated on GroupShield and whenever an Exchange information store is dismounted and mounted. We recommend that administrators enable the background scanning option. GroupShield version 7.0.1 adds an option in the user interface to start and stop the background scan at a scheduled date and time, using the Enable At and Disable At options. The background scan should be scheduled during a non-peak hour of the day or during the weekend.

Note: GroupShield installed on Exchange 2003 does not have a scan stamping mechanism, so the VSAPI scanner always scans every message reaching the information store, even if it was already scanned by the McAfee Transport Scanner.
Exchange 2007 Mailbox + Hub Role (Typical setup)

Although the implementation of VSAPI scanning is the same on Exchange 2007 servers, the implementation of McAfee Transport Scanning is entirely different. With Exchange 2003, GSE 7.0.1 uses the SMTP protocol integrated with the Microsoft IIS server and registers the McAfee Transport within the IIS service. With Exchange 2007, the SMTP protocol comes with the Exchange server installation and does not use the SMTP protocol from IIS. So when GSE 7.0.1 is installed on Exchange 2007 in the Mailbox + Hub role, it registers McAfee's transport agents with the Exchange 2007 SMTP transport events.

In the Exchange 2007 Mailbox + Hub role, both VSAPI and the McAfee Transport Scanner are available. Administrators can disable the McAfee Transport Scanner if the organization contains more than one hub server and/or an edge server with GSE 7.0.1 installed. In Exchange 2007, every mail (inbound, outbound, and internal) has to pass through a hub transport server. An organization should have at least one hub transport server and can have multiple hub transport servers, depending on the number of mailbox servers.

Note that if VirusScan 8.5i is installed, buffer overflow protection will not be available on 64-bit servers. Select the Anti-Spam for GroupShield add-on; this enables GSE 7.0.1 to block unsolicited mails and phishing attacks at the gateway and prevents unwanted messages from reaching the user's mailbox. Select this option if you don't have another hub server or edge server configured with GSE 7.0.1 installed on it. Choose the Complete type of installation for this role. This installs the complete GSE 7.0.1 feature set along with both user interfaces, the standalone UI and the web UI.
VSAPI Scanner Settings: Exchange 2007 comes with VSAPI version 2.6 to scan messages at the information store level. Compared to VSAPI version 2.5 in Exchange 2003, this version has more granular control and options in the background scanning feature. It also gives an option to scan or not scan the Outbox.

Proactive Scanning: This feature remains the same as in the Exchange 2003 version and is used to scan unread and modified messages in the user inbox with its own priority queue. This option is enabled by default.

Outbox Scanning: This option enables GSE to scan outbound messages in the Outbox folder. By default, this option is disabled. To use this feature, administrators have to enable Proactive Scanning along with the Outbox Scanning option. We recommend enabling this option if you don't have GSE 7.0.1 installed on hub or edge servers.

Background Scanning: By default, background scanning is disabled in Exchange 2007. Administrators have to enable the background scan and schedule it to start and stop at specified times using the Enable At and Disable At options. We recommend scheduling the background scan to run during non-peak hours so that mailbox server performance does not degrade. VSAPI version 2.6 gives the following options for background scanning:
To scan only un-scanned messages
To scan messages only with attachments
To scan
Administrators can also specify upper and lower age limits for background scanning, so that messages are scanned based on their time stamp.
Exchange 2007 Mailbox Only Role

Administrators should ensure that VSAPI scanning is always enabled under the Settings and Diagnostics page of GSE 7.0.1. The other VSAPI version 2.6 features (such as proactive scanning and background scanning) and their recommended settings remain the same as given for the Mailbox + Hub server role.
Clustering on Exchange 2003

With Exchange 2003 in an Active-Passive configuration, make sure:
GSE 7.0.1 is installed on all the nodes
The startup type of the GSE service is set to Manual and the service is stopped by default
GSE 7.0.1 is installed on the same drive and path on all the nodes
The GSE 7.0.1 service is restarted manually at least once before creating the resource

To install GSE 7.0.1 on Exchange 2003 in an Active-Active configuration, make sure:
GSE 7.0.1 is installed on all the nodes
The startup type of the GSE service is changed to Automatic so that the service starts at boot
GSE 7.0.1 is managed individually on all the nodes of the cluster

Note: Before installing GSE 7.0.1 on a cluster, make sure that the failover of all resources happens without errors.
Clustering on Exchange 2007

To install GSE 7.0.1 on LCR, CCR or SCR:
GSE 7.0.1 is installed on all the nodes
The startup type of the GSE 7.0.1 service should be Automatic so that the service starts at boot
GSE 7.0.1 should be managed individually on all the nodes of the cluster
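The cluster checklists for Exchange 2003 and Exchange 2007 above all come down to the same three verifiable facts per node: the GSE service exists, its startup type matches the configuration (Manual and stopped for Exchange 2003 Active-Passive; Automatic for Active-Active and for LCR/CCR/SCR), and the install path is the same on every node. The PowerShell script below is an added example, not McAfee's code, that checks those facts over WMI. The node names and the service name are placeholders (the paper does not give the GSE service name), and it assumes the account running it has remote WMI access to each node.

```powershell
# Added example (not McAfee's code): audit the GSE 7.0.1 service across cluster nodes.
# Placeholders: node names and the GSE service name must be replaced with your own.
param(
    [string[]]$Nodes = @('EXNODE1', 'EXNODE2'),             # placeholder node names
    [string]$ServiceName = 'GSE-SERVICE-NAME-PLACEHOLDER',  # replace with the real GSE service name
    [ValidateSet('Manual', 'Auto')]
    [string]$ExpectedStartMode = 'Manual'   # 'Manual' for 2003 Active-Passive; 'Auto' for Active-Active and LCR/CCR/SCR
)

function Get-GseServiceState {
    # Queries one node for the service's startup type, running state and binary path.
    param([string]$Node, [string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Node -Filter "Name='$Name'" -ErrorAction Stop
    if ($null -eq $svc) {
        throw "Service '$Name' not found on $Node; GSE 7.0.1 does not appear to be installed there."
    }
    [pscustomobject]@{
        Node      = $Node
        StartMode = $svc.StartMode   # Win32_Service reports 'Auto', 'Manual' or 'Disabled'
        State     = $svc.State       # 'Running' or 'Stopped'
        Path      = $svc.PathName    # must match on every node per the paper
    }
}

$states = @(foreach ($n in $Nodes) { Get-GseServiceState -Node $n -Name $ServiceName })

foreach ($s in $states) {
    if ($s.StartMode -ne $ExpectedStartMode) {
        Write-Warning "$($s.Node): startup type is $($s.StartMode), expected $ExpectedStartMode."
    }
    # In Active-Passive the cluster resource starts the service, so it should be stopped by default.
    if ($ExpectedStartMode -eq 'Manual' -and $s.State -ne 'Stopped') {
        Write-Warning "$($s.Node): service is $($s.State); Active-Passive expects it to be Stopped."
    }
}

$distinctPaths = @($states | Select-Object -ExpandProperty Path -Unique)
if ($distinctPaths.Count -gt 1) {
    Write-Warning ("Install path differs across nodes:`n" + ($states | Format-Table Node, Path -AutoSize | Out-String))
} else {
    Write-Host "GSE service path is identical on all nodes: $($distinctPaths[0])"
}
```

Run it with -ExpectedStartMode Manual before creating the cluster resource on an Exchange 2003 Active-Passive cluster, and with -ExpectedStartMode Auto for Active-Active, LCR, CCR and SCR deployments; any warning points at the node that needs correcting before failover testing.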
Scheduling Tasks in GSE 7.0.1

GSE 7.0.1 has six different on-demand scan policies:
On-Demand Default
On-Demand Full Scan
On-Demand Find Banned Content
On-Demand Remove Banned Content
On-Demand Find Viruses
On-Demand Remove Viruses
Each of these policies contains pre-configured settings and is used for the purpose stated in the policy name. Administrators can alter these settings as required or use the policy without any change. When scheduling on-demand scans, administrators can choose any of these policies to scan the messages.

Auto-update is used to get the latest DATs, AV engine, spam rules and spam engine updates from the master update repository. If GSE 7.0.1 is not managed by McAfee ePolicy Orchestrator (ePO), then by default GSE 7.0.1 gets product updates from www.mcafee.com. There is a fallback NAIFTP repository as well that a user can access if required. This repository information is present in SITELIST.XML, found under the \doc settings\ all users\app data\McAfee\Common Framework folder. By default, auto-update is scheduled every midnight. Administrators can change the update frequency through the Edit Schedule option in the dashboard. We recommend configuring the auto-update task to run every eight hours.

Status Report is an option for administrators to obtain GSE 7.0.1 detection and scanning information by email at a scheduled interval. Administrators can schedule this task to run once, daily, weekly, or monthly by specifying the administrator's SMTP email address. This task is not scheduled by default and must be scheduled explicitly by the administrator as needed.

Purging of Old Items Frequency is not scheduled by default. Administrators have to schedule this task to delete records from the detected items database, leaving only the recent detections.

Optimization Frequency is not scheduled by default. This task can be scheduled to improve database performance by recovering the empty space created by the deletion of records.
Policy Manager
On-Access Settings
Anti-Virus Scanner: The anti-virus scanner settings are used by both VSAPI (at the store level) and the McAfee Transport Scanner (at the post-categorization level). GSE 7.0.1 uses the new virus scanning engine version 5200 and can detect viruses, Trojans, malware, PUPs and packers. By default, GSE 7.0.1 is configured to clean every infected message. If cleaning fails, the infected item is replaced with an alert text Warning.txt and the original infected item is quarantined in the Postgres database. We recommend using the default settings provided by GSE 7.0.1 for the anti-virus scanner. If needed, administrators can select the secondary action Notify Administrator to have an email notification sent about the infection detection.

Content Scanning: This filter is used to block unwanted content from reaching the user inbox. By default, content scanning is disabled. We recommend enabling content scanning by assigning default or custom (newly created) content rules to the content scanner. On the Content Scanning page, users can select the two options Include documents and database formats or Extend scan to all attachments to make GSE 7.0.1 scan for banned content in all types of attachments, including documents, PDF files, databases and MS Excel files. When assigning a content rule to the scanner, the user has the option to apply the content rule to Everything or to selected file formats. We recommend assigning the content rule to scan only Documents, Messages, and HTML Files.

File Filter: Using this filter, administrators can block unwanted files from user mailboxes. This filter is disabled by default. Administrators need to create new file filter rules and apply them to the filter. File filter rules can be created based on filename or extension, true file type detection, and file size. There are no recommended settings for this filter; however, it is mostly used to block executables, packed files and archives based on extensions and true file type filtering.

For the other filters under On-Access settings (Corrupted Content, Encrypted Content, Password Protected Files, Protected Content, Signed Content, HTML Files, MIME Settings and Scanner Control), administrators can configure specific actions based on the company's requirements or simply use the default settings given by GSE 7.0.1.
Gateway Policy: All the scanners and filters under the gateway policy are applied at the initial transport level (at SMTP submit level), so we recommend blocking unwanted bulk messages and phishing messages at the gateway level.

Anti-Spam settings: The Anti-Spam for GroupShield add-on scanner is used to block unsolicited bulk mails from entering the organization. It applies rules and their respective scores to each MIME component of a message and takes action based on the total spam score. By default, GSE has three levels of spam scores: messages with scores between 5 and 10 are Low, messages with scores between 11 and 15 are Medium, and messages that score 16 and above are High. By default, GSE 7.0.1 blocks (Delete Message) the High and Medium level spam messages and allows Low level messages through with ****SPAM**** as the prefix in the subject line. We recommend keeping the default settings for spam messages. This scanner is only applicable to inbound messages.

Anti-Phish Scanner: Administrators can block phishing messages at the gateway using the spam rules and engine. GSE 7.0.1 detects and takes action on phishing messages. By default, phishing messages are deleted and quarantined, which is the recommended configuration. This is applicable only to inbound messages.

Mail Size Filter: This is a very useful filter that administrators can use to block a message based on its size, an attachment's size, or the number of attachments. Blocking the message at the gateway level is recommended and preferred by many organizations. Based on organization policy, this filter can block any unwanted messages. This filter is applicable to both inbound and outbound messages.

Adding Disclaimers: This option attaches the company's disclaimer text to all outbound messages. It is not enabled by default. Administrators can attach a disclaimer to all messages in one of three positions: before the message, after the message, or as an attachment.
Common Settings Applicable to All Exchange Versions and Roles

Anti-Spam Scanner: Enter the SMTP email address of the mailbox that is identified as the System Junk Folder. If administrators want to move bulk and spam mails to a different mailbox, they can do so by using the Route to System Junk Folder primary action of the anti-spam scanner. Select the check box Enable Routing to the User Junk Folders on this server to route spam messages to the user's junk folder. These settings are only required on a GSE 7.0.1 server that has the Anti-Spam add-on. They can be ignored on servers where no Anti-Spam add-on is installed and on Exchange 2003 and 2007 Mailbox only roles.

Quarantining Detected Items: If you want to use McAfee Quarantine Manager (MQM), select the Enabled check box under the MQM heading and enter the correct IP address of the MQM server. After these settings are made, GSE 7.0.1 quarantines detected messages on the MQM server. If you intend to store quarantined messages locally, do not select any option under the McAfee Quarantine Manager heading.

Scheduled reports: This feature enables GroupShield administrators to receive status and configuration updates from GroupShield for Exchange via email on a periodic basis. The frequency of this update is configurable by the administrator.

Databases: If you intend to change a database location, select the path and folder name for the database under Local Databases. If no change is desired, it is good to keep the database at the default location.

Maximum item size (MB) is the option that allows the administrator to limit the largest size of item that GSE will quarantine and log into the database. The default value is 100 MB. It can be changed as the requirements or policy of the organization demand.

Maximum query size (records) is an option that allows the administrator to limit the number of records displayed on the Detected Items page. By default, it is set to 1000 but can be increased up to 20,000 records. This means that whatever the total number of detections in your database, GSE 7.0.1 can display at most 20,000 records.

Maximum Item Age (days) is the number of days for which GSE 7.0.1 retains detected items in the database. The default value is 14, meaning that detected items more than 14 days old are deleted from the database. The limit for this field is 365 days.

Purge of old items frequency is an option to schedule the purging of old items on a specified date and time. GSE 7.0.1 purges detected items that are older than the number of days selected in Maximum Item Age (days). By default, this task is in the Not Scheduled state.

Optimization Frequency is a task that the administrator can schedule to optimize the Postgres database at a specified date and time. This task recovers the disk space taken up by deleted database records. By default, this task is in the Not Scheduled state.
DAT Settings: This page specifies the number of DAT folders to be retained. The maximum default value is 10 and the minimum default value is 3. This can be changed if necessary.

Import and Export Configuration: Under the Configuration tab, the user can import the configuration XML (McAfeeConfig.xml) from a different GSE 7.0.1 server to apply the same settings on a newly installed GSE server. The user can also export the present settings and keep them as a backup, or use the exported XML on another GSE 7.0.1 server. Restore Default is an option that administrators can use to go back to the default settings of GSE 7.0.1 at any time. Under the SiteList tab, the user can import or export the sitelist.xml file from the Common Framework folder and use the same update repository settings on another GSE 7.0.1 server. SiteList.xml is the file that holds the information about the product update repositories that GSE 7.0.1 can contact during product updates.
McAfee, Inc. 3965 Freedom Circle Santa Clara, CA 95054, 888.847.8766 www.mcafee.com
trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. 2009 McAfee, Inc. All rights reserved. 5032wp_tops_sec-msft_best-prac_1108