Sie sind auf Seite 1von 592

Product Guide

Revision A

McAfee Email Gateway 7.6.400 Appliances

COPYRIGHT
Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Contents

Preface

About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


9
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
What's in this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Find product documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Working with your McAfee Email Gateway

11

How McAfee Email Gateway processes mail traffic through your network . . . . . . . . . . .
The interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Make changes to the appliance's configuration . . . . . . . . . . . . . . . . . . .
Using lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Import and export information . . . . . . . . . . . . . . . . . . . . . . . . .
Ports used by Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Top Frequently Asked Questions (FAQs) . . . . . . . . . . . . . . . . . . . . . . . . .
Using the McAfee Email Gateway 7.x troubleshooting tree . . . . . . . . . . . . . . . . .
Upgrading Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of upgrading from previous versions of the product . . . . . . . . . . . . .
Migrate settings from Email Gateway 7.5.3 or higher . . . . . . . . . . . . . . . .
Task Migrate settings from Email Gateway virtual appliances 7.5.3 or higher . . . . . .
Task Upgrade from Email Gateway 7.6.2 or higher appliances managed by McAfee ePolicy
Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Working with FIPS 140-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Resetting user interface access . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reasons the user interface might be locked out . . . . . . . . . . . . . . . . . .
Reset user interface access . . . . . . . . . . . . . . . . . . . . . . . . . . .

Overview of Dashboard features

29
30
31
32
32
33

35

Benefits of using the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . .


Dashboard portlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configurable thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Inbound Mail Summary portlet . . . . . . . . . . . . . . . . . . . .
Option definitions Outbound Mail Summary portlet . . . . . . . . . . . . . . . . . . .
Option definitions SMTP Detections portlet . . . . . . . . . . . . . . . . . . . . . .
Option definitions POP3 Detections portlet . . . . . . . . . . . . . . . . . . . . . .
Option definitions System Summary portlet . . . . . . . . . . . . . . . . . . . . . .
Option definitions Hardware Summary portlet . . . . . . . . . . . . . . . . . . . . .
Option definitions Network Summary portlet . . . . . . . . . . . . . . . . . . . . . .
Option definitions Services portlet . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Clustering portlet . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Advanced Threat Defense portlet . . . . . . . . . . . . . . . . . . .
Option definitions Tasks portlet . . . . . . . . . . . . . . . . . . . . . . . . . . .

McAfee Email Gateway 7.6.400 Appliances

11
13
15
17
17
20
21
24
26
26
26
26
27
28

36
37
37
38
41
43
46
47
47
49
50
52
54
55

Product Guide

Contents

Task Setting System Summary thresholds . . . . . . . . . . . . . . . . . . . . . . . 56


Task Setting Services thresholds . . . . . . . . . . . . . . . . . . . . . . . . . .
57

Overview of Reports features

59

Types of reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Message Search overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of using Message Search . . . . . . . . . . . . . . . . . . . . . . . .
Message Search parameters . . . . . . . . . . . . . . . . . . . . . . . . . .
Message Search results . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Message Search icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Identify quarantined email messages . . . . . . . . . . . . . . . . . . .
Task Find out which email messages are queued . . . . . . . . . . . . . . . . .
Task Find out which email messages are being blocked . . . . . . . . . . . . . .
Task Find the emails that were successfully delivered . . . . . . . . . . . . . . .
Task A user has requested that I release one of their quarantined email messages . . .
Task Export a message search report . . . . . . . . . . . . . . . . . . . . .
Task Find a message containing a named attachment . . . . . . . . . . . . . . .
Using multiple search parameters . . . . . . . . . . . . . . . . . . . . . . . .
Searching for archived content . . . . . . . . . . . . . . . . . . . . . . . . .
Task - Configure identification of archived content . . . . . . . . . . . . . . . . .
Task - Find content of archived files . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Blacklist/whitelist URLs . . . . . . . . . . . . . . . . . . . . . . .
Scheduled Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of creating scheduled reports . . . . . . . . . . . . . . . . . . . . . .
Option definitions Scheduled Reports . . . . . . . . . . . . . . . . . . . . . .
Task See the number of detections by protocol and threat type over the last week . . .
Task Send your manager an email activity report in PDF format every Monday at 10.00am
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Download a report in .csv format for further processing . . . . . . . . . . . .
Task Send the email administrator a report that shows virus detections in email messages
over the last week . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Scheduled Reports New Report dialog box . . . . . . . . . . . . . . . . . . . . . .
Scheduled Reports Edit Report dialog box . . . . . . . . . . . . . . . . . . . . . . .
Email Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to the Email Reports page . . . . . . . . . . . . . . . . . . . . . .
Benefits of using email reports . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Email reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Email report views . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of email report filters . . . . . . . . . . . . . . . . . . . . . . . . . .
Favorite reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Generate an email activity overview for a particular sender . . . . . . . . . . .
Task Show me the total viruses detected over the previous week . . . . . . . . . .
System Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to the System Reports page . . . . . . . . . . . . . . . . . . . . .
Benefits of using system reports . . . . . . . . . . . . . . . . . . . . . . . .
Types of System reports . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of System report views . . . . . . . . . . . . . . . . . . . . . . . . .
Types of System report filters . . . . . . . . . . . . . . . . . . . . . . . . .
Favorite reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Generate a report that shows all threat detection updates . . . . . . . . . . .

Overview of Email menu

59
60
61
62
65
68
69
71
72
72
72
73
73
74
75
76
76
77
77
78
80
81
81
81
82
82
82
84
84
84
85
86
87
89
90
91
91
92
92
92
92
93
93
94

95

Life of an email message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95


Email Configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Protocol Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .
98
Option definitions Protocol Presets dialog box . . . . . . . . . . . . . . . . . . 113

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Contents

Option definition - New Protocol Preset . . . . . . . . . . . . . . . . . . . . .


Receiving Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sending Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sending Email Add Relay List dialog box and Add MX Lookup dialog box . . . . . . .
Anti-Relay Settings Add Relay Domain dialog box and Add MX Lookup dialog box . . .
Email Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to policies . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Policy exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Custom Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Re-write the Subject of all messages matching a policy . . . . . . . . . . . .
Task Modify the headers of all messages matching a policy . . . . . . . . . . . .
Email Policies - Add Policy . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Add rule or Edit rule dialog . . . . . . . . . . . . . . . . . .
Option Definitions Scanning Policies New Policy Exception . . . . . . . . . . . .
Option definitions Scanning Policies | New Policy | Add user group . . . . . . . . .
Option definitions Scanning Policies | New Policy | Add network group . . . . . . .
Option definitions Subject Templates . . . . . . . . . . . . . . . . . . . . .
Option definitions Header Modification Templates . . . . . . . . . . . . . . . .
Option definitions Notification Templates . . . . . . . . . . . . . . . . . . . .
Option definitions Add/Edit Notification Template . . . . . . . . . . . . . . . .
Option definitions Add/Edit Header Modification Template . . . . . . . . . . . . .
Anti-Virus policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . .
Anti-spam policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . .
Compliance policy settings . . . . . . . . . . . . . . . . . . . . . . . . . .
Policy Options settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions URL reputation blacklists and whitelists . . . . . . . . . . . . .
DLP and Dictionaries overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Registered Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Compliance Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Add Dictionary Details . . . . . . . . . . . . . . . . . . .
Option definitions Applicable File Formats . . . . . . . . . . . . . . . . . . .
Option definitions OR Condition . . . . . . . . . . . . . . . . . . . . . . .
Option definitions AND Condition . . . . . . . . . . . . . . . . . . . . . .
Option definitions Edit Regular Expression . . . . . . . . . . . . . . . . . . .
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Secure Web Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
S/MIME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PGP encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Secure Web Mail Branding . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Encrypt all email that triggers against the HIPAA compliance dictionaries . . . .
Task Use S/MIME to encrypt all email to a specific target domain . . . . . . . . . .
Task Deliver all email from a specific customer using S/MIME encryption . . . . . . .
Task Use PGP to encrypt all email messages . . . . . . . . . . . . . . . . . .
Task Deliver all email from a specific customer using PGP encryption . . . . . . . .
Certificate Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Certificate Details dialog box . . . . . . . . . . . . . . . . .
Certificate Revocation Lists (CRLs) . . . . . . . . . . . . . . . . . . . . . . .
Hybrid configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of using hybrid email scanning . . . . . . . . . . . . . . . . . . . . .
About the hybrid email registration and configuration process . . . . . . . . . . . .
Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Domain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .

McAfee Email Gateway 7.6.400 Appliances

113
114
126
133
134
134
135
141
144
146
151
154
156
159
166
166
168
168
169
169
169
171
171
207
236
289
331
332
332
337
347
347
347
348
348
348
349
350
360
362
364
367
370
371
372
372
373
374
374
380
380
382
382
384
384
387

Product Guide

Contents

Group Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Add Network Group . . . . . . . . . . . . . . . . . . . .
Option definitions Add Rule . . . . . . . . . . . . . . . . . . . . . . . . .
Email Senders and Recipients . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Add User Group . . . . . . . . . . . . . . . . . . . . . .
Task Add a user group . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add Directory Service wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of adding LDAP directory services . . . . . . . . . . . . . . . . . . . .
Option definitions Directory Service Details page . . . . . . . . . . . . . . . .
Option definitions Directory Service Queries page . . . . . . . . . . . . . . . .
Option definitions Directory Service Query page . . . . . . . . . . . . . . . . .
Option Definitions Test Directory Service Query page . . . . . . . . . . . . . . .
Task Set up the appliance to use a Microsoft Exchange Server as an LDAP server . . .
Task Create a sample LDAP query . . . . . . . . . . . . . . . . . . . . . .
Quarantine Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Quarantine Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Quarantine Digest Options . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions Digest Message Content . . . . . . . . . . . . . . . . . .
Quarantine Queue Settings . . . . . . . . . . . . . . . . . . . . . . . . . .

Overview of System menu

411

Appliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Interfaces Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .
DNS and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Gateway Certificate . . . . . . . . . . . . . . . . . . . . . . . . . .
Certificate and Key Export wizard . . . . . . . . . . . . . . . . . . . . . . .
UPS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add UPS Device Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Default Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration Push . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cluster Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions MAC Addresses . . . . . . . . . . . . . . . . . . . . . .
Resilient Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure Automatic Configuration Backups wizard . . . . . . . . . . . . . . . .
Database Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Rescue Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Users and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions New Role dialog box . . . . . . . . . . . . . . . . . . . .
Option definitions Role Details dialog box . . . . . . . . . . . . . . . . . . .
Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . .
Forgotten password . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Login Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Add Login Services wizard . . . . . . . . . . . . . . . . . . . . . . . . . .
Session Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DoD CAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions CAC Certificate Attribute Mapping . . . . . . . . . . . . . . .
Option definitions Custom Text dialog box . . . . . . . . . . . . . . . . . . .

McAfee Email Gateway 7.6.400 Appliances

390
390
393
393
394
394
395
395
396
396
397
398
399
399
400
400
401
401
403
405
405

411
412
413
417
419
420
426
427
427
430
431
433
434
436
438
442
443
444
446
449
453
455
455
457
457
457
459
460
461
463
464
465
465

Product Guide

Contents

Option definitions User Details . . . . . . . . . . . . . . . . . . . . . . .


Virtual Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Virtual Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions - Edit Virtual Network . . . . . . . . . . . . . . . . . . . . .
Add Virtual Host wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Option definitions New Scanning Policy . . . . . . . . . . . . . . . . . . . .
Option definition - New Protocol Preset . . . . . . . . . . . . . . . . . . . . .
McAfee Advanced Threat Defense Server Configuration . . . . . . . . . . . . . . . . . .
Benefits of configuring McAfee Advanced Threat Defense Servers . . . . . . . . . . .
Option definitions ATD Servers . . . . . . . . . . . . . . . . . . . . . . . .
Task Configure Email Gateway to communicate with your Advanced Threat Defense
appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Task Configure the file types to be sent to Advanced Threat Defense . . . . . . . .
Option definitions Add ATD Server . . . . . . . . . . . . . . . . . . . . . . . . . . .
Logging, Alerting and SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Email Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP Alert Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SNMP Monitor Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Logging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Logging Configuration Override events dialog boxes . . . . . . . . . . . . . . .
Configure System Log Archive wizard . . . . . . . . . . . . . . . . . . . . . .
Component Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Update Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Package Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ePO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Anti-virus engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure Anti-Virus Updates wizard . . . . . . . . . . . . . . . . . . . . . .
Configure Anti-Spam Updates wizard . . . . . . . . . . . . . . . . . . . . . .
Configure Automatic Package Updates . . . . . . . . . . . . . . . . . . . . .
Option definitions Configure Updates (Time) . . . . . . . . . . . . . . . . . .
Edit Preferences (Warning Thresholds) . . . . . . . . . . . . . . . . . . . . .
Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Standard Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Custom Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Interfaces Wizard . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Interface Layout . . . . . . . . . . . . . . . . . . . . . . . . . .
Restore from a file Setup . . . . . . . . . . . . . . . . . . . . . . . . . . .
ePO Managed Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Encryption Only Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Overview of Troubleshoot features

476
477
477
478
478
486
486
487
497
499
500
501
502
506
507
511
511
512
513
514
515
515
515
517
520
529
533
533
539
545

553

Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ping and Trace Route . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Generate Test Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Route Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Disk Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
FIPS Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ATD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Minimum Escalation Report . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Capture Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .

McAfee Email Gateway 7.6.400 Appliances

466
466
466
469
470
470
474
474
475
475
475

553
554
554
555
555
556
557
557
558
558
558
559

Product Guide

Contents

Save Email Queues . . . . . .


Save Log Files . . . . . . . .
Error Reporting Tool . . . . . .
Tests . . . . . . . . . . . . . . .
Option definitions System Tests

. . .
. . .
. . .
. . .
. . .

. . .
. . .
. . .
. . .
. . .

. . .
. . .
. . .
. . .
. . .

. . .
. . .
. . .
. . .
. . .

. . .
. . .
. . .
. . .
. . .

. . .
. . .
. . .
. . .
. . .

. . .
. . .
. . .
. . .
. . .

. .
. .
. .
. .
. .

Overview of Email Gateway appliances and ePolicy Orchestrator Integration


How appliances work with ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . .
Differences in Email Gateway appliance administration under ePolicy Orchestrator . . . . . . .
Configuring your appliance for ePolicy Orchestrator management . . . . . . . . . . . . .
Removing the ePolicy Orchestrator extension . . . . . . . . . . . . . . . . . . .
Managing your appliances from within ePolicy Orchestrator . . . . . . . . . . . . . . . .
Task Upgrade from Email Gateway 7.6.2 or higher appliances managed by McAfee ePolicy
Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Policy comparisons in ePolicy Orchestrator 5.1 . . . . . . . . . . . . . . . . . . . . .

Overview of McAfee Quarantine Manager Integration

Overview of Content Security Reporter integration

McAfee Email Gateway 7.6.400 Appliances

565
566
569
570
570
571
572

573
573
574
574

577

About Content Security Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . .


How Content Security Reporter works . . . . . . . . . . . . . . . . . . . . . .
Further information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Benefits of using Content Security Reporter . . . . . . . . . . . . . . . . . . . . . .
Configure McAfee Email Gateway to send log data . . . . . . . . . . . . . . . . . . . .
Task Configure Content Security Reporter to receive Email Gateway data . . . . . . . . . .

Index

565

573

About McAfee Quarantine Manager . . . . . . . . . . . . . . . . . . . . . . . . . .


How appliances work with McAfee Quarantine Manager . . . . . . . . . . . . . . . . . .
The relationship between quarantine categories displayed in Message Search and MQM . .
Custom quarantine queues in McAfee Quarantine Manager . . . . . . . . . . . . .

560
561
562
563
563

577
577
578
578
579
579

581

Product Guide

Preface

Contents
About this guide
Find product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:

Administrators People who implement and enforce the company's security program.

Conventions
This guide uses these typographical conventions and icons.
Book title, term,
emphasis

Title of a book, chapter, or topic; a new term; emphasis.

Bold

Text that is strongly emphasized.

User input, code,


message

Commands and other text that the user types; a code sample; a displayed
message.

Interface text

Words from the product interface like options, menus, buttons, and dialog
boxes.

Hypertext blue

A link to a topic or to an external website.


Note: Additional information, like an alternate method of accessing an
option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system,
software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware
product.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Preface
Find product documentation

What's in this guide

Find product documentation


After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task

10

Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.

In the Knowledge Base pane, click a content source:

Product Documentation to find user documentation

Technical Articles to find KnowledgeBase articles

Select Do not clear my filters.

Enter a product, select a version, then click Search to display a list of documents.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email


Gateway

McAfee Email Gateway protects your network from viruses, undesirable content, spam, and other
threats. Understand these concepts to help you configure your McAfee Email Gateway.
Contents
How McAfee Email Gateway processes mail traffic through your network
The interface
Ports used by Email Gateway
Resources
Top Frequently Asked Questions (FAQs)
Using the McAfee Email Gateway 7.x troubleshooting tree
Upgrading Email Gateway
About timeouts
Working with FIPS 140-2
Resetting user interface access

How McAfee Email Gateway processes mail traffic through your


network
This information describes how McAfee Email Gateway processes mail traffic through your internal and
external networks.

Mail traffic flow


Within McAfee Email Gateway, all email messages originating from outside of your organization are
considered Inbound, and all messages leaving your organization and considered to be Outbound.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

11

Working with your McAfee Email Gateway


How McAfee Email Gateway processes mail traffic through your network

12

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


The interface

The interface
The user interface provides you with an intuitive way of finding information and configuring options for
your McAfee Email Gateway.
The interface you see might look slightly different from that shown here, because it can vary depending
on the appliance's hardware platform, software version, and language.

Figure 1-1 Areas of the user interface

A Navigation area
The navigation area contains four areas: user information, section icons, tab bar, and support controls.

B User information bar


C Section icons
The icons include the following:
Icon

Menu

Features

Dashboard

Use this page to see a summary of the appliance. From this page you can
access most of the pages that control the appliance.

Reports

Use the Reports pages to view events recorded on the appliance, such as
viruses detected in email messages, and system activities such as details of
recent updates and logins.

Email

Use the Email pages to manage threats to email messages, quarantine of


infected email, and other aspects of email configuration.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

13

Working with your McAfee Email Gateway


The interface

Icon

Menu

Features

System

Use the System pages to configure various features on the appliance.

Troubleshoot Use the Troubleshoot pages to diagnose any problems with the appliance.

D Tab bar
The contents of the tab bar are controlled by the selected section icon. The selected tab dictates what
is displayed in the content area.

E Support control buttons


The support control buttons are actions that apply to the content area.
Icon Description
Refreshes or updates the content.
Returns you to the previously viewed page. We recommend that you click this button, rather
than your browser's Back button.
Appears when you configure something to allow you to apply your changes.
Appears when you configure something to allow you to cancel your changes.
Opens a window of Help information. Much of the information in this window also appears in
the Product Guide.

F View control
The view control button shows or hides a status window.
The status window, which appears in the bottom right of the interface, shows recent activity. New
messages are added at the top of the window. If a message is blue and underlined, you can click the
link to visit another page. You can also manage the window with its own Clear and Close links.

G Content area
The content area contains the currently active content and is where most of your interaction will be.
The changes that you make take effect after you click the green checkmark.

Contents
User preferences
Make changes to the appliance's configuration
Using lists
Import and export information

14

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


The interface

User preferences
The User Preferences link in the User information bar allows you to personalize specific behaviors in
McAfee Email Gateway.

You can use this feature to:

Set the opening page for Email Gateway.

Reset the password for your user account.

Benefits of configuring user preferences


Use the User Preferences link to control your log-on process.
Setting the opening page streamlines your Email Gateway access, and changing your password
provides increased security to your account.

Setting your opening page


Users might encounter situations where they routinely access Email Gateway for specific reasons. If
so, they might regularly navigate to a particular tab in the interface. User Preferences allows them to set
their preferred destination in the application.
User permissions determine the available page selections for each account. They also determine the
default opening page. For example, an administrator with full access can set any tab as the opening
page. A user with more limited permissions can set only the allowed tabs.

Issue You have responsibility for monitoring and creating reports for management review. This task
requires logging on to Email Gateway several times per day. Navigating directly to the Reports tab
streamlines the work flow.
Solution Use User Preferences to set Reports as the opening page for your account.

Changing your password


Users might need to change their passwords for several reasons. When the need arises, User Preferences
allows them to reset their passwords directly.
Issue You are an administrator for your McAfee Email Gateway appliance, and you think other
users with fewer rights might have seen your password. You want to ensure that unauthorized users
cannot access your account.
Solution Use User Preferences to reset your password yourself.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

15

Working with your McAfee Email Gateway


The interface

Option definitions - User preferences


Use the options in this dialog box to set the opening page when you log on, and to reset your
password.
Table 1-1

Option definitionsUser preferences

Option

Definition

Preferences
After login open From the drop-down list, select the page Email Gateway displays when you log on.
Options include:
Dashboarddisplays the opening page for the Dashboard tab.
Reportsdisplays the opening page for the Reports tab.
Emaildisplays the opening page for the Email tab.
Systemdisplays the opening page for the System tab.
Troubleshootdisplays the opening page for the Troubleshoot tab.
Last visited pagetakes you back to the last page you opened before you last logged
off.
Change password
Current password

Type your current password in the data field

New password

Type the new password you want to configure

Confirm password

Type the new password again

Task Set your opening page


This task allows you to determine which page McAfee Email Gateway displays when you log on.
You can only set user preferences for the account you use to log on to McAfee Email Gateway. If you
use more than one user account, you can set preferences for each account.
Task
1

Log on to Email Gateway with your user name and password.


The current opening page displays. Your permissions determine the default page.

In the user information bar, select User Preferences.


The User Preferences dialog box opens.

In the Preferences section, After login open, select the page to display from the drop-down menu.
The menu contains only those pages available for your access permissions.

Click Apply.

The next time you log on to Email Gateway, the page you chose appears as your opening page.

Task Reset your password


Use these options to reset your McAfee Email Gateway password.
You can only reset your password for the account you use to log on to McAfee Email Gateway. If you
use more than one user account, you can reset passwords for each account.

16

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


The interface

Task
1

Log on to Email Gateway with your user name and password.


The current opening page displays. Dashboard is the default.

In the user information bar, select User Preferences.


The User Preferences dialog box opens.

In the Change Password section, type your current password in the data field.

Type your new password in the New password data field.

Type your new password again in the Confirm password data field.

Click Apply.

Your new password is effective the next time you log on.

Make changes to the appliance's configuration


Use this task to make changes to the operation of the appliance.
Task
1

In the navigation bar, click an icon. The blue tabs below the icons change to show the available
features.

Click the tabs until you reach the page you need.
To locate any page, examine the tabs, or locate the subject in the Help index. The location of the
page is often described at the top of the Help page. Example:

System | System Administration | Database Maintenance.


3

On the page, select the options. Click the Help button (?) for information about each option.

Navigate to other pages as needed.

To save your configuration changes, click the green checkmark icon at the top right of the window.

In the Configuration change comment window, type a comment to describe your changes, then click OK.
Wait a few minutes while the configuration is updated.

To see all your comments, select Review Configuration Changes in System | System Administration | Configuration
Management.

Using lists
Within the McAfee Email Gateway user interface, lists are used in many places to help define
information.
Contents
Make and view lists
Add information to a list
Remove single items from a list
Remove many items from a list
Change information in a list
View information in a long list

McAfee Email Gateway 7.6.400 Appliances

Product Guide

17

Working with your McAfee Email Gateway


The interface

Order information in a list by priority


Order information alphabetically in a list

Make and view lists


Lists specify information such as domains, addresses and port numbers on many pages in the
interface. You can add new items to a list, and delete existing items.
Although the number of rows and columns might vary, all lists behave in similar ways. In some lists,
you can also import items from a prepared file, and change the order of the items. Not all lists have
these actions. This section describes all the actions that are available in the interface.

Add information to a list


Add information into a list within the user interface.
Task
1

Click Add below the list.


A new row appears in the table. If this is your first item, a column of checkboxes appears on the
left of the table. You might also see a Move column on the right of the table.

Type the details in the new row. Press Tab to move between fields.

For help with typing the correct information, move your cursor over the table cell, and wait for a
pop-up to appear. For more information, click

To save the new items immediately, click the green checkmark:

Remove single items from a list


Some lists take a long time to create, and therefore you can delete only one entry at a time to prevent
the accidental deletion of a lot of information.
If the item cannot be deleted, the trashcan icon is unavailable:

Task
1

Click the item to select it. The row turns pale blue.

Click the trashcan icon

, or click Delete at the bottom of the list.

Remove many items from a list


On some long lists, you can remove many items quickly.
Task
1

In the column of checkboxes on the left of the table, select each required item. To select many
items, select the checkbox in the table's heading row to select all the items, then deselect those
that you want to keep.

Click Delete at the bottom of the list.

18

To save the new changes immediately, click the green checkmark:

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


The interface

Change information in a list


Change information contained within a list within the user interface.
If an item cannot be changed, the icon is unavailable:

Task
1

Click the edit icon

Click on the text, then delete or retype it.

3
4

To save the new changes immediately, click the green checkmark:


To cancel any recent changes, click the close button at the top right of the window:

View information in a long list


If the list has many items, you might not be able to see them all at the same time.
Task
1

To determine the position of an item in the list or the size of the list, view the text at the bottom of
the list, such as Items 20 to 29 of 40.

To move through the list or to move quickly to either end of the list, click the arrows at the bottom
right of the list. (
).

Order information in a list by priority


Some lists display items in priority order. The first item in the list is the highest priority, the last item
is the lowest priority. To change an item's priority:
Task
1

Find the row that contains the item.

In the Move column (on the right of the table), click the upward or downward arrow:

Order information alphabetically in a list


When information is given in a list, you can sort the list alphabetically.
Task

To change the order:

To force items in a column into alphabetical order, click the column heading. Items in other
columns are automatically sorted accordingly. An icon appears in the column heading to indicate
that this column is sorted:

To sort the information differently, click the other column headings.

To reverse and restore the alphabetical order of the information within a single column, click the
icons in the column heading:

McAfee Email Gateway 7.6.400 Appliances

Product Guide

19

Working with your McAfee Email Gateway


The interface

Import and export information


Find out how to import information to, and export information from the McAfee Email Gateway.
Contents
Import prepared information
Export prepared information

Import prepared information


From some pages, you can import information from other devices, appliances, or software for use on
the appliance, such as from a previously prepared comma-separated value (.csv) file, or a certificate
needed to verify identity of your appliance or other devices.
Imported information normally overwrites the original information.

Task
1

Click Import.

In the Import window, browse to the file.


The contents of the Import dialog box change according to the requirements of the type of file or
information you are importing. If further options are displayed in the dialog box, make the relevant
choices based on that information.

Click Open to import the information from the file.


Table 1-2 Some formats for comma-separated value (.csv) files
Type of information

Format

Example

Domain

D, domain, IP address

D, www.example.com, 192.168.254.200

Network address

N, IP address, IP subnet mask

N, 192.168.254.200, 255.255.255.0

Email address

E, email-address

E, network_user@example.com

Each item in the file is on a single line.

Export prepared information


From some pages, you can export or download information from the appliance for use on other
devices, appliances, software, or to read.
The information is generated in various forms, such as a .zip file, a .pdf, or a .csv file.
Table 1-3 Some formats for comma-separated value (.csv) files
Type of information

Format

Example

Domain

D, domain, IP address

D, www.example.com, 192.168.254.200

Network address

N, IP address, IP subnet mask

N, 192.168.254.200, 255.255.255.0

Email address

E, email-address

E, network_user@example.com

Each item in the file is on a single line.

Task

20

Click Export or Download.

In the Export or Download window, follow the instructions to create the file.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Ports used by Email Gateway

Ports used by Email Gateway


The appliance uses various ports to communicate with your network and other devices.
Table 1-4

Ports used by Email Gateway

Use

Application Transport Port


Protocol
Protocol
Number

Destination

Direction

Software updates

FTP

Anti-virus DAT and HTTP


Engine update
FTP

TCP

21

ftp.nai.com

Outbound

TCP

80
(default)

update.nai.com

Outbound

21
(optional)

The
anti-virus
DAT and
Engine
update
packages
are
encrypted
and signed
before
being
transported
over HTTP.

ftp.nai.com

2nd Anti-virus DAT HTTPS


and Engine
updates

TCP

443

tau.mcafee.com

Outbound

Anti-spam rules
and streaming
updates

TCP

80

http://su3.mcafee.com

Outbound

HTTP

http://sav-su3-1.mcafee.com
208.69.152.139

The
anti-spam
rules and
streaming
updates are
encrypted
and signed
before
being
transported
over HTTP.

192.187.128.17

Anti-spam engine
updates

HTTP

TCP

443

tau.mcafee.com

Outbound

Advanced Threat
Defense server

HTTPS

TCP

443
(default)

Your Advanced Threat


Defense appliance

Outbound

URL reputation
lookup

HTTPS

TCP

443

tunnel.web.trustedsource.org

Outbound

URL reputation
database update

HTTP

TCP

80

list.smartfilter.com

Outbound

Secure Web Mail


client

HTTPS

TCP

443

Your Email Gateway appliance Inbound

Management Port
for the User
Interface

HTTPS

TCP

10443

Your Email Gateway appliance Inbound

McAfee Email Gateway 7.6.400 Appliances

Product Guide

21

Working with your McAfee Email Gateway


Ports used by Email Gateway

Table 1-4

Ports used by Email Gateway (continued)

Use

Application Transport Port


Protocol
Protocol
Number

Destination

Direction

Domain Name
System (DNS)

DNS

TCP/UDP

53

Your DNS server

Outbound

LDAP (and Active


Directory) Global
catalog

LDAP

TCP

3268

Your directory server

Outbound

Secure LDAP (and


Active Directory)

LDAP

TCP

636

Your directory server

Outbound

Secure LDAP (and


Active Directory)
Global catalog

LDAP

TCP

3269

Your directory server

Outbound

Active Directory

LDAP

TCP

389

Your directory server

Outbound

McAfee Quarantine HTTP


Manager
HTTPS

TCP

80

Your MQM server

Bidirectional

McAfee Global
HTTPS
Threat Intelligence
message
reputation

TCP

443

tunnel.web.trustedsource.org

Outbound

McAfee Global
DNS
Threat Intelligence
file reputation

UDP

53

Your DNS server

Outbound

McAfee Global
HTTPS
Threat Intelligence
feedback

TCP

443

gtifeedback.trustedsource.org Outbound

443

Ports used for Email Hybrid communication


When you configure your Email Gateway for hybrid scanning with the McAfee Email Protection
(Hybrid), the following ports are used by default for communication between Email Gateway and
McAfee Email Protection (Hybrid).
Table 1-5 Email Hybrid communication ports
Use

Application Transport Port


Destination
Protocol
Protocol
Number

Direction

Email Hybrid

Proprietary

TCP

25

Your Email Gateway


appliance

Inbound

Email Hybrid
HTTPS
(hybridapi.mxlogic.com)

TCP

443

208.65.144.0/21

Outbound

Anti-spam cloud lookup

TCP

HTTPS

208.81.64.0/21
443

default.megrh.mxlogic.net Outbound

Ports used for ePolicy Orchestrator communication


When you configure ePolicy Orchestrator to manage or monitor and report on your Email Gateway
appliances, the following ports are used by default for communication between ePolicy Orchestrator
and your appliances.

22

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Ports used by Email Gateway

Table 1-6 ePolicy Orchestrator communication ports


Port usage

Port number

Agent-to-server communication port

80

Agent-to-server communication secure port

443 (when enabled)

Agent wake-up communication port

8081 (default)

Agent broadcast communication port

8082 (default)

Console-to-application server communication port

8443

Client-to-server authenticated communication port

8444

Intercept ports
When operating in transparent modes transparent bridge mode or transparent router mode the
appliance uses the following intercept ports to intercept traffic for scanning.
Table 1-7 Intercept ports
Protocol

Port number

POP3

110

SMTP

25

Listening ports
The appliance typically uses the following ports to listen for traffic on each protocol. The appliance
listens for traffic arriving on the designated ports. You can set up one or more listening ports for each
type of traffic scanned by your appliance.
Table 1-8 Typical listening ports
Protocol

Port number

POP3

110

SMTP

25

IP addresses needed for communication between Email Gateway and the McAfee
Email Protection (Hybrid)
To allow communication between Email Gateway and the McAfee Email Protection (Hybrid), you must
ensure that relevant IP addresses for the McAfee Email Protection (Hybrid) can be accessed from your
Email Gateway appliances.
Preferred Setting
If your hardware firewall solution accepts CIDR notation and supports Class 8 C notation, include the
following information:
CIDR

Starting IP address

Ending IP address

208.65.144.0/21

208.65.144.0

208.65.151.255

208.81.64.0/21

208.81.64.0

208.81.71.255

Alternative settings

McAfee Email Gateway 7.6.400 Appliances

Product Guide

23

Working with your McAfee Email Gateway


Resources

If your hardware firewall solution accepts CIDR notation but supports only Class 1 C notation, you
must include the following entries for the entire subnet:
CIDR

Starting IP address

Ending IP address

208.65.144.0/24

208.65.144.0

208.65.144.255

208.65.145.0/24

208.65.145.0

208.65.145.255

208.65.146.0/24

208.65.146.0

208.65.146.255

208.65.147.0/24

208.65.147.0

208.65.147.255

208.65.148.0/24

208.65.148.0

208.65.148.255

208.65.149.0/24

208.65.149.0

208.65.149.255

208.65.150.0/24

208.65.150.0

208.65.150.255

208.65.151.0/24

208.65.151.0

208.65.151.255

208.81.64.0/24

208.81.64.0

208.81.64.255

208.81.65.0/24

208.81.65.0

208.81.65.255

208.81.66.0/24

208.81.66.0

208.81.66.255

208.81.67.0/24

208.81.67.0

208.81.67.255

208.81.68.0/24

208.81.68.0

208.81.68.255

208.81.69.0/24

208.81.69.0

208.81.69.255

208.81.70.0/24

208.81.70.0

208.81.70.255

208.81.71.0/24

208.81.71.0

208.81.71.255

Further alternate setting


If your hardware firewall solution does not accept CIDR notation, you must include the start and end
IP addresses for the Class 8 C or the Class 1 C addresses.
Least desirable setting
If your hardware firewall does not accept CIDR notation or ranges of starting and ending IP addresses,
you can download a complete listing of affected IP addresses at: http://co.mcafeesaas.com/configtest/
validiplist.txt.
You can make any of these changes by creating a firewall rule or restricting access at the server level.
We highly recommend that you lock down these subnets at your firewall as the priority preference.
Before making changes, speak to your network administrator. For additional information regarding the
restriction of IP addresses, see the instructions for setting up your firewall or the guidelines from your
firewall provider.

Resources
The information, links, and supporting files that you can find from the Resources dialog box.
Click Resources from the black information bar at the top of the McAfee Email Gateway user interface.
The Resources dialog box contains links to different areas or to files that you might need when setting
up your appliance.

24

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Resources

Link name

Description

Technical
Support

Clicking this link takes you to the McAfee Technical Support ServicePortal login page
(https://mysupport.mcafee.com/Eservice/Default.aspx).
From this page, you can search the KnowledgeBase, view product documentation and
video tutorials, as well as access other technical support services.

Submit a sample

If you have a file that you believe to be malicious, but that your McAfee systems are
not detecting, you can safely submit it to McAfee for further analysis.
Follow the Submit a sample link and either log on or register as a new user to access the
McAfee Labs Tool to submit suspicious files.

Virus Information Viruses are continually evolving, with new malicious files being developed daily. To
Library
find out more about particular viruses or other threats, follow the link to the McAfee
Threat Center.
McAfee
This free tool integrates into Microsoft Outlook and allows users to submit missed
Customer
spam samples and email that was wrongly categorized as spam to McAfee Labs.
Submission Tool McAfee Customer Submission Tool version 2.3 can also be used with McAfee Email
Gateway and McAfee Quarantine Manager.
The tool supports automated blacklisting and whitelisting, and has an installer that
supports automated script-based installations.
The latest McAfee Customer Submission Tool and documents can also be downloaded
from the following location:
http://www.mcafee.com/us/downloads/free-tools/customer-submission-tool.aspx
ePO Extensions

Download the McAfee ePolicy Orchestrator extensions for Email and Web Security
Appliances.
This file contains both the EWG and the EWS extensions.
The EWG extension allows reporting from within McAfee ePolicy Orchestrator for the
following products:
McAfee Email and Web Security Appliances version 5.5
McAfee Email and Web Security Appliances version 5.6
McAfee Web Gateway
McAfee Email Gateway
The EWS extension provides full McAfee ePolicy Orchestrator management for McAfee
Email and Web Security Appliances version 5.6.
For you to use McAfee ePolicy Orchestrator for either reporting or management, the
ePO extensions need to be installed on your McAfee ePolicy Orchestrator server.

ePO Help
Extensions

Download the McAfee ePolicy Orchestrator Help extensions for the ePO extensions
listed above.
This file installs the Help extensions relating to the McAfee ePolicy Orchestrator
extensions for Email and Web Security Appliances onto your McAfee ePolicy
Orchestrator server.

SMI File

Download the Structure of Managed Information (SMI) file for use with the Simple
Network Management Protocol (SNMP).
This file provides information about the syntax used by the SNMP Management
Information Base (MIB) file.

MIB File

Download the MIB file for use with SNMP.


This file is used to define the information that your McAfee Email Gateway can
transmit using SNMP.

HP OpenView
NNM Smart
Plug-in Installer

Download the HP OpenView installer file to enable you to configure your McAfee Email
Gateway to communicate with HP OpenView.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

25

Working with your McAfee Email Gateway


Top Frequently Asked Questions (FAQs)

Top Frequently Asked Questions (FAQs)


To view a selection of frequently asked questions that have been submitted by other customers, and
learn the answers provided by McAfee Technical Support, refer to KnowledgeBase article KB76144.

Using the McAfee Email Gateway 7.x troubleshooting tree


McAfee support has published a troubleshooting tree to assist you in resolving issues that you might
experience with your McAfee Email Gateway.
Download the McAfee Email Gateway 7.x troubleshooting tree from KnowledgeBase article PD23748.

Upgrading Email Gateway


You can upgrade Email Gateway physical appliances, virtual appliances, or blade servers to the latest
version of the Email Gateway software. You can select how much of the previous configuration to
apply to the upgraded software. Upgrades can be applied with a CD or remotely.
Upgrading or migrating settings from previous versions restores all protocol, policy, and system
settings using the migration tools within Email Gateway. This process ensuring your previous levels of
protection are maintained in all areas.
The term 'upgrading your appliance' refers to installing the latest version of the software onto your
existing hardware or virtual appliances. The term 'migrating' refers to you setting up new hardware or
virtual appliances with the latest version of the Email Gateway software. When you have installed the
software, you use the in-built migration tools to restore the protocol, policy, and systems settings from
your existing Email Gateway system.

Benefits of upgrading from previous versions of the product


Learn how to upgrade from Email Gateway 7.5.3 or higher.
There are several supported methods to manage the process in the way that is best suited to your
organization:

From an Email Gateway installation CD, perform a new installation and then restore a configuration
file from a previous version.

From an Email Gateway installation CD, perform an upgrade from a previous version, retaining
configuration and log files.

Perform the upgrade remotely, by obtaining the latest Email Gateway ISO image and uploading it
to your Email Gateway. Use the Rescue Image feature (System | System Administration | Rescue Image) to
perform this remote upgrade.
Features associated with LDAP and role-based access control include enhanced protection options in
Email Gateway.

26

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Upgrading Email Gateway

Migrate settings from Email Gateway 7.5.3 or higher


This task describes how to migrate settings from version 7.5.3 or higher to the latest version of Email
Gateway.
Before you begin
Before performing any upgrade, back up your Email Gateway configuration (System | Cluster
Management | Backup and Restore Configuration).

If upgrading a cluster of appliances, first upgrade the Failover Management appliance. Repeat the
upgrade on the Management appliance, and then upgrade all scanning appliances.
If installing on a blade server, first upgrade the Failover Management blade. Repeat the upgrade on
the Management blade, and then upgrade all scanning blades.
Task
1

Switch on the appliance or blade server, and agree to the license agreement.

When the installation options menu appears, choose one of the following installation options:
a

To upgrade from the appliance itself:

Choose option a to perform a new installation, then restore the Email Gateway configuration
from a previously backed up configuration file.

Choose option c to back up the configuration, policies, log files, and email messages and
restore them automatically when you install the latest version of Email Gateway.

Choose option d to restore only the network configuration settings.

Choose option e to restore policy settings, but no log files or email messages.
To get a description of the installation options, press the RETURN key on the installation
options menu . Press the RETURN key to continue through the descriptions until you return to
the installation options menu.

Use the installation options menu to define further options, such as the action you want to take
when the installation finishes. Press the ENTER key.

Select option a to perform the upgrade, then press the ENTER key to confirm the installation
option that you chose.

Press the RETURN key to complete the installation, and wait while the computer restarts.

Open a web browser, and connect to the appliance's IP address.


If you chose option a, select Restore from a File to reinstate the previous configuration settings.

Depending on your chosen installation option, all protocol, email policy, and system settings from
Email Gateway 7.5.3 or higher are migrated. This migration ensures that your previous levels of
protection are maintained.
To change any network settings after installation, select System | Appliance Management | General and click
Change Network Settings.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

27

Working with your McAfee Email Gateway


Upgrading Email Gateway

Task Migrate settings from Email Gateway virtual appliances


7.5.3 or higher
Use this task to upgrade to the latest version from an existing Email Gateway virtual appliance using
the software .ISO installation file .
Before you begin
You must have Email Gateway virtual appliance 7.5.3 or higher already installed.
After an operating system is installed on a virtual appliance, the virtual machine always starts from
the hard disk first. To work around this feature, you have to shut down the virtual machine and
configure a power-on-boot delay so that you have enough time to access the Boot menu and tell it to
start from the installation CD instead.
Task
1

Download the Email Gateway virtual appliance .ISO file from the McAfee download site and extract
it.

Shut down the virtual appliance:


a

Log on to the virtual appliance user interface and go to System | System Administration | System
Commands

Enter the password.

Select Shutdown Appliance.

Log on to VMware ESX Server or use the VMware Infrastructure Client, or the VMware vSphere
Client to log on to VMware Virtual Center Server.

Enable a Power-on-Boot delay to get enough time to force the virtual machine to boot from CD:
a

Select the virtual appliance in the Inventory list and click Summary.

Select Edit Settings | Options | Boot Options.

In Power-on-Boot delay, type 10,000 in the text box, and click OK.

Turn on the virtual appliance.

Make sure the cursor focus is on the virtual appliance console. Then press the ESC key to open the
Boot Menu.
Do not select any options yet.

Release the cursor from the console and select Connect CD/DVD1.

Browse to the folder where you downloaded the Email Gateway virtual appliance .ISO file and
double-click <McAfee-MEG 7.6-<build-number>.VMbuy.iso>.

When the .ISO file is connected, click back on to the console screen. Select CD-ROM Drive and press
the ENTER key.
The virtual appliance starts from the .ISO file.

10 Press y to agree to the terms of the license agreement.


11 Select the upgrade option that you want, and press the ENTER key to perform the upgrade.
12 Type y to confirm that you want to continue.

28

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Upgrading Email Gateway

Depending on your chosen installation option, all protocol, email policy, and system settings from your
Email Gateway virtual appliance 7.5.3 or higher are migrated. This migration ensures that your
previous levels of protection are maintained.

Task Upgrade from Email Gateway 7.6.2 or higher appliances


managed by McAfee ePolicy Orchestrator
Use this task to upgrade to the latest version from an existing Email Gateway appliance managed by
McAfee ePO.
Before you begin
When upgrading the software on appliances that are managed by McAfee ePO, it is
important that you upgrade the components in the following order:

Upgrade the software on all appliances.

Download the ePO Extensions and ePO Help Extensions from the Resources link
within the user interface of one of the upgraded appliances.

From within your McAfee ePO user interface, install the new versions of the
ePO Extensions and ePO Help Extensions.

Before you can upgrade to the latest version of Email Gateway, your existing appliance
must be running Email Gateway version 7.6.2 and be correctly configured and running.
This upgrade process automatically disconnects the appliance from being managed by
McAfee ePO.

The in-built Email Gateway migration tools migrate many of your existing Email Gateway settings for
you. However, some settings may need to be recreated.
Task
1

In McAfee ePO, click Policy Catalog and select the Email Gateway 7.6.2 or higher product.

Click Export to export the product policies.

Right-click the Policies_for_McAfee_Email_Gateway_7.<x>.xml link, and save the file.

Go to your Email Gateway appliance.

Go to System | Component Management | ePO.

Select Migrate ePO Configuration.

Import the Policies_for_McAfee_Email_Gateway_7.<x>.xml file you just created.


The import process can take a few minutes to complete.

Select the epo_config_<date_stamp>.xml file produced at the end of this process, and save the file.

From the Email Gateway Resources link, download the ePO Extensions and ePO Help Extensions files.

10 From McAfee ePO, install the ePO Extensions and ePO Help Extensions files.
11 In McAfee ePO, click Policy Catalog and select the McAfee Email Gateway 7.<x> product.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

29

Working with your McAfee Email Gateway


About timeouts

12 Click Import, and import the epo_config_<date_stamp>.xml you saved in step 8.


The policies and settings within the configuration file are migrated across to your McAfee ePO
server.
After you have imported the settings into Email Gateway managed by McAfee ePO, you need to
re-assign the migrated policies to the correct groups in the System Tree in McAfee ePO.
13 On McAfee ePO, navigate to Menu | Gateway Protection | Email and Web Gateway.
14 From Actions, select Export Connection Settings. Save the epoConfig<xxxxxxx>.zip file.
15 On your Email Gateway, navigate to System | Component Management | ePO, click Import ePO connection
settings. Browse to the epoConfig<xxxxxxx>.zip file, and click OK.
Your McAfee ePO configuration settings are imported into your Email Gateway appliance.
16 Select both Enable ePO management, and Allow configuration to be applied from ePO.
17 Apply changes within your Email Gateway.
Your upgraded appliance is again under McAfee ePO control.
If you had documents registered for Data Loss Prevention in your previous Email Gateway appliance,
the document fingerprints for these are copied to your new Email Gateway McAfee ePO installation.
If you chose to create a scheduled task to push your previous Email Gateway DLP database to the new
Email Gateway version, you will need to create an equivalent scheduled task to push the new Email
Gateway DLP database to your appliance.

About timeouts
Learn about the timeouts that occur between the appliance receiving a message, scanning it, and
delivering it.
When the appliance receives an email message, the SMTP conversation and corresponding timeouts
occur as follows:
Where T equals "Time".

T0 The time the appliance receives the connection (where time = zero)

T1 The time taken between commands (EHLO, MAIL FRIM, RCPT TO, DATA (but not the dot that
signifies the end of DATA), RSET) defined in Email | Email Configuration | Protocol Configuration | Connection
Settings (SMTP) | Timeouts

T2 The time taken between receiving the chunks of data during DATA transfer

T3 The time taken for the whole conversation to occur, that is, to receive a message, scan it,
and deliver it

T4 The total time taken to scan the message, that is, when the appliance has received all the
data

T5 The appliance has received all the data

As an email message passes through the appliance, the following timeouts are applied.

30

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Working with FIPS 140-2

Client: Connection

Appliance: 220 banner

The appliance waits T1 seconds to receive the next command

Client: EHLO

Appliance: 250 OK

The appliance waits T1 seconds to receive the next command

Client: MAIL FROM: from @.bc

Appliance: 220 OK

The appliance waits T1 seconds to receive the next command

Client: RCPT TO: rcpt@e.f


Appliance 220 OK

The appliance waits T1 seconds to receive the next command

Client: DATA

Appliance: 354 Enter mail, end with "dot" on a line by itself

The appliance waits T2 seconds to receive each chunk of data

Client:

Subject: 1234

Hello there

The appliance scans the data

The appliance waits T4 seconds to scan the data

The appliance delivers the message and makes an onward connection. It has taken T3 T5
T0 to deliver the message. In other words, if the overall time to process a message is six
minutes, (T3), and receiving the message and scanning has taken four minutes, the appliance
has two minutes to deliver the message. If this limit is exceeded, the email is queued for
delivery later.

Appliance: 250 OK

Working with FIPS 140-2


Describes how to configure the appliance in FIPS 140-2 mode.
FIPs mode is enabled during installation. When the appliance is installed with FIPS mode enabled, the
Email Gateway installation menu (available locally, serial, ssh) is available. By default, it does not
include "Shell access"
To enable FIPS, select Option k Enable FIPS 140-2 level 1 compliant installation in the configuration console, then
select Option a - Perform installation.
In the Email Gateway Configuration Menu, a FIPS option is available. Select it to access the following options:

McAfee Email Gateway 7.6.400 Appliances

Product Guide

31

Working with your McAfee Email Gateway


Resetting user interface access

Table 1-9 Option definitions


Option Definition
Shell

Enable or disable shell access (disabled by default)


This option makes the appliance non FIPS compliant.

Failure

Configure how to handle FIPS validation failure:


Ignore the failure and continue booting.
Prompt for cryptographic officer password (Default).
This privilege is available to an administrator role with Access system administration privileges.

SSLFIPS Enable or disable the OpenSSL FIPS checking (enabled by default) All applications on the
appliance that use the OpenSSL library perform the OpenSSL FIPS validity check when they
start. If it causes compatibility issues with other devices, it can be disabled
Validate

Re-run FIPS validity tests The ability to re-run the tests and view the output in the console.

To check that the appliance is running in FIPS mode, click About the Appliance in the menu bar. The FIPS
140-2 Compliant status shows Yes, No, or Partial.
A Partial status is given in the following situations:

The Shell is enabled.

FIPS validation failures occurred, where the failure handling has been modified from the
default setting Prompt for cryptographic officer password.

OpenSSL checking is disabled.

Go to Reports | System Reports in the user interface to get more information about the FIPS
status.

Resetting user interface access


If the McAfee Email Gateway user interface becomes inaccessible, you can reset the access.
Contents
Reasons the user interface might be locked out
Reset user interface access

Reasons the user interface might be locked out


McAfee Email Gateway includes several features and methods to enable you to secure access to the
user interface.
However, it is possible to configure these secure access features so that they can prevent all access to
the McAfee Email Gateway user interface.
You can resolve the following lock-out scenarios:

32

The user-configured management port is being blocked by a firewall, preventing access to the
appliance user interface.

A badly formed Access Control List (ACL) can result in 403 Forbidden responses when you attempt
to log on to the user interface.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Working with your McAfee Email Gateway


Resetting user interface access

X.509 (also known as Department of Defense Common Access Card or DoD CAC) authentication
can be misconfigured in a number of ways, perhaps because the CA certificates required to validate
the user certificates are not present, the user certificates have expired, role mapping has been
mistyped, or the certificate chain length might exceed the permitted length.

If out-of-band management has been enabled on the appliance but incorrectly configured, and
in-band management has been disabled, the appliance user interface will not be accessible from
any network interface.

Reset user interface access


Reset access to the McAfee Email Gateway user interface if it becomes inaccessible.
Before you begin
To reset access to the McAfee Email Gateway user interface, ensure that you have a
keyboard and monitor connected to your physical appliance. If you have a virtual
installation of McAfee Email Gateway, use your VMware management system to open a
console session to your virtual appliance.
Task
1

Log on to the McAfee Email Gateway using the administrator account.

Select 2. Configuration console, then press Enter.


The Configuration Menu is displayed.

From the Configuration Menu, select Manage and then press Enter.
The Management Menu is displayed.

Select GUI, then press Enter.


The GUI Menu is displayed. Potentially problematic settings appear in red at the top of the page.
Reset options appear at the bottom of the page.

For each potentially problematic setting:


a

Select a reset option, then press Enter.


A single checkbox is displayed.

Use the space bar to select or deselect the checkbox, then press Enter.

The relevant reset screen is displayed. If you have multiple issues that may cause access to be
locked out, repeat this process for the other problematic settings.
6

When you have reset any problematic settings, select Quit until the top-level Configuration Menu is
displayed.

Select Apply. Press Enter.


Confirm that you want to apply your changes. Your McAfee Email Gateway configuration is updated
with the problematic settings removed.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

33

Working with your McAfee Email Gateway


Resetting user interface access

34

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features

When you first open the browser, you see the Dashboard, which gives a summary of the activity of the
appliance.

Dashboard
From this page you can access most of the pages that control the appliance.
Contents
Benefits of using the Dashboard
Dashboard portlets
Configurable thresholds
Option definitions Inbound Mail Summary portlet
Option definitions Outbound Mail Summary portlet
Option definitions SMTP Detections portlet
Option definitions POP3 Detections portlet
Option definitions System Summary portlet
Option definitions Hardware Summary portlet
Option definitions Network Summary portlet
Option definitions Services portlet
Option definitions Clustering portlet
Option definitions Advanced Threat Defense portlet
Option definitions Tasks portlet
Task Setting System Summary thresholds
Task Setting Services thresholds

McAfee Email Gateway 7.6.400 Appliances

Product Guide

35

Overview of Dashboard features


Benefits of using the Dashboard

Benefits of using the Dashboard


The Dashboard provides a single location for you to view summaries of the activities of the appliance
through a series of portlets.

Figure 2-1 Dashboard portlets

Some portlets display graphs that show appliance activity over the following periods of time:

1 hour

2 weeks

1 day (the default)

4 weeks

1 week

Within the Dashboard, you can make some changes to the information and graphs displayed:

Expand and collapse the portlet data using the


corner.

Drill down to specific data using the

See a status indicator that shows whether the item needs attention:

36

and

and

buttons in the portlet's top right-hand

buttons.

Healthy The reported items are functioning normally.


Requires Attention A warning threshold has been exceeded.
Requires Immediate Attention A critical threshold has been exceeded.
Disabled A service is not enabled.

Use
and
to zoom in and zoom out of a timeline of information. There is a short delay while
the view is updated. By default, the Dashboard shows data relating to the previous one day.
Move a portlet to another location on the Dashboard.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Dashboard portlets

Double-click the top bar of a portlet to expand it across the top of the Dashboard.

Set your own alert and warning thresholds to trigger events. To do so, highlight the item and click
it, edit the alert and warning threshold fields, and click Save. When the item exceeds the threshold
you set, an event is triggered.
Depending on the browser used to view the McAfee Email Gateway user interface, the Dashboard
"remembers" the current state of each portlet (whether it is expanded or collapsed, and if you have
drilled down to view specific data), and attempts to re-create that view if you navigate to another page
within the user interface and then return to the Dashboard within the same browsing session.

Dashboard portlets
The McAfee Email Gateway Dashboard portlets provide information about the state of email traffic,
recent detections and the current status of your McAfee Email Gateway.
Option

Definition

Inbound Mail
Summary

Displays the delivery and status information about messages sent to your
organization.

Outbound Mail
Summary

Displays the delivery and status information about messages sent from your
organization.

SMTP Detections

Displays the total number of messages that triggered a detection based on the
sender or connection, the recipient, or the content, and to view data specific to
either inbound or outbound SMTP traffic.

POP3 Detections

Displays how many messages triggered a detection based on threats such as


viruses, packers, or potentially inappropriate images.

System Summary

Displays information about load balancing, the disk space used for each partition,
total CPU usage, used and available memory, and swap details.

Hardware Summary

Status indicators to show the status of network interfaces, UPS servers, bridge
mode (if enabled), and RAID status.

Network Summary

Provides information about the status of your connections, network throughput


and counters relating to Kernel Mode Blocking

Services

Displays update and service status statistics based on protocol and external
servers used by the appliance.

Clustering

Provides information about the entire cluster when appliance is part of a cluster or
you are using the blade server hardware.

Tasks

Links directly to the areas of the user interface that search the message queue,
view reports, manage policies, configure mail protocol settings and network and
system settings, and access troubleshooting features.

Configurable thresholds
You can configure user-defined warning thresholds and critical thresholds for some status indicators.
When set, McAfee Email Gateway then provides the relevant level of warnings when these
user-defined values are exceeded.
For the System Summary portlet, you can configure the threshold values for the following parameters:
Swap | Used
Disk Space | /deferred | Inodes used
Disk Space | /deferred | Disk used

McAfee Email Gateway 7.6.400 Appliances

Product Guide

37

Overview of Dashboard features


Option definitions Inbound Mail Summary portlet

Disk Space | /encryption | Inodes used


Disk Space | /encryption | Disk used
Disk Space | /logs | Inodes used
Disk Space | /logs | Disk used
Disk Space | /quarantine | Inodes used
Disk Space | /quarantine | Disk used
Disk Space | /scandir | Inodes used
Disk Space | /scandir | Disk used
Disk Space | /var | Inodes used
Disk Space | /var | Disk used
Disk Space | /wk | Inodes used
Disk Space | /wk | Disk used
Message Queue | Inbound
Message Queue | Outbound
Message Queue | Total
For the Services portlet, you can configure the threshold values for the following parameters:
External | McAfee ePO | Event reports
External | McAfee ePO | Communication Attempts
External | McAfee ePO | Configuration Integrity
External | McAfee ePO | Policy Enforcement
External | McAfee ePO | DLP DB Update

Option definitions Inbound Mail Summary portlet


Use this portlet to get the delivery and status information about messages sent to your organization.
The information in this portlet relates to data from the SMTP Detections | Inbound portlet. Data is shown in
bar chart format.
Each incoming message is categorized as either:

38

Delivered

Queued for ATD

Blocked

Queued

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions Inbound Mail Summary portlet

Bounced

Scanning Skipped

Quarantined

Counter

Definition

Total Inbound
Messages

A top level counter which increments for each email that passes the MAIL FROM stage
of the SMTP conversation.
If multiple messages are sent down one connection, this counter will increment. You
can drill down to see how the email connection was received:
TLS The email was received over a TLS connection.
Non TLS The email was received over a standard non TLS connection.

Delivered

A top level counter which increments for each email that is delivered. You can drill
down to see how the email was delivered:
Plain The email was delivered as a standard plain message.
Encrypted The email was delivered encrypted by:
TLS The email was delivered over a TLS connection:
Secure Web Mail The content was encrypted using one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.
Plain The content was a standard plain message.
Non TLS The email was delivered over a standard non TLS connection:
Secure Web Mail The content was encrypted by one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

39

Overview of Dashboard features


Option definitions Inbound Mail Summary portlet

Counter

Definition

Blocked

A top level counter which increments for each email that is blocked. You can expand
the counter to see the number of messages blocked by sender or connection, recipient,
and content:
Sender/Connection provides a breakdown of the scanner that blocked the email,
either:
Deny Sender

BATV

RBL (Real-time blackhole lists)

SPF (Sender Policy Framework).

FCrDNS
Recipient provides a breakdown of the scanner that blocked the email, either:
Anti-Relay

LDAP Recipient

Grey Listing

Directory Harvesting

Rejected Recipient
Content provides a breakdown of the scanner that blocked the email, either:
GTI Message Reputation

Compliance

Sender ID

Image Filtering

DKIM

Mail URL Reputation

Spam

Mail URL Reputation DoS

Phish

DLP

Mail Filtering

Virus

Mail Size Filtering

PUPs

File Filtering

Packers

Denial of Service

Advanced Threat Defense

Bounced

The total number of inbound messages that were refused.

Scanning
Skipped

The total number of inbound messages that resulted in a policy-based action that did
not require scanning to be carried out.

Queued for ATD The total number of inbound messages that are currently queued to be sent to the
McAfee Advanced Threat Defense servers.
Queued

The total number of inbound messages that are queued awaiting delivery.

Quarantined

A top level counter which increments for each message that is quarantined.
The total number of messages in all of the quarantine queues.
The total number of messages requested for release by users by quarantine digests.
From within the Quarantined area, you can also drill-down into the number of email
messages quarantined in each quarantine category.
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total quarantined
messages.

40

Sender and
Recipient

Type the name of a particular sender or recipient for whom you wish to locate a
message, and click Search to go to the Message Search page.

Search

Click Search to go to the Message Search feature where you can look for messages based
on their status; either blocked, bounced, delivered, quarantined, or queued.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions Outbound Mail Summary portlet

Option definitions Outbound Mail Summary portlet


Use this portlet to get the delivery and status information about messages sent from your
organization.
The information in this portlet relates to data from the SMTP Detections | Outbound portlet. Each incoming
message is categorized as either:

Delivered

Queued for ATD

Blocked

Queued

Bounced

Quarantined

Scanning Skipped

If you are using the quarantine features, messages may also summarized in the quarantined list.
Counter

Definition

Total Outbound A top level counter which increments for each email that passes the MAIL TO stage of
Messages
the SMTP conversation.
If multiple messages are sent down one connection, this counter will increment. You
can drill down to see how the email connection was received:
TLS The email was received over a TLS connection.
Non TLS The email was received over a standard non TLS connection.
Delivered

A top level counter which increments for each email that is delivered. You can drill
down to see how the email was delivered:
Plain The email was delivered as a standard plain message
Encrypted The email was delivered encrypted by:
TLS The email was delivered over a TLS connection:
Secure Web Mail the content was encrypted using one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.
Plain The content was a standard plain message.
Non TLS The email was delivered over a standard non TLS connection:
Secure Web Mail The content was encrypted by one of the following methods:
Push
Pull
Push/Pull
S/Mime The content was encrypted by S/MIME.
PGP The content was encrypted by PGP.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

41

Overview of Dashboard features


Option definitions Outbound Mail Summary portlet

Counter

Definition

Blocked

A top level counter which increments for each email that is blocked. You can expand
the counter to see the number of messages blocked by sender or connection, recipient,
and content:
Sender/Connection Provides a breakdown of the scanner that blocked the email,
either:
Deny Sender

BATV

RBL (Real-time blackhole lists)

SPF (Sender Policy Framework).

FCrDNS
Recipient Provides a breakdown of the scanner that blocked the email, either:
Anti-Relay

LDAP Recipient

Grey Listing

Directory Harvesting

Rejected Recipient
Content Provides a breakdown of the scanner that blocked the email, either:
GTI Message Reputation

Compliance

Sender ID

Image Filtering

DKIM

Mail URL Reputation

Spam

Mail URL Reputation DoS

Phish

DLP

Mail Filtering

Virus

Mail Size Filtering

PUPs

File Filtering

Packers

Denial of Service

Advanced Threat Defense

Bounced

The total number of outbound messages that were refused.

Scanning
Skipped

The total number of outbound messages that resulted in a policy-based action that did
not require scanning to be carried out.

Queued for ATD The total number of outbound messages that are currently queued to be sent to the
McAfee Advanced Threat Defense server.
Queued

The total number of outbound messages that are queued awaiting delivery.

Quarantined

A top level counter which increments for each message that is quarantined.
The total number of messages in all of the quarantine queues.
The total number of messages requested for release by users by quarantine digests.
A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total quarantined
messages.

Search

42

Click Search to go to the Message Search feature where you can look for messages based
on their status; either blocked, bounced, delivered, quarantined, or queued.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions SMTP Detections portlet

Option definitions SMTP Detections portlet


Use this portlet to find out the total number of messages that triggered a detection based on the
sender or connection, the recipient, or the content, and to view data specific to either inbound or
outbound SMTP traffic.
The counters that appear in this portlet work differently to those in the Inbound and Outbound
Summary portlets where each message represents a single counter. In the Detections portlets, one
message can increment several counters, depending on the number of checks it fails.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

43

Overview of Dashboard features


Option definitions SMTP Detections portlet

Option Definition
Total

Shows the total number of inbound and outbound messages that triggered a detection, and
expands the statistics further to see the number of messages based on the following
criteria:
Sender/Connection Provides a breakdown of the scanner that triggered a detection, either:
Deny Sender

BATV

RBL (Real-time blackhole lists)

SPF (Sender Policy Framework)

FCrDNS
Recipient Provides a breakdown of the scanner that triggered a detection, either:
Anti-Relay

LDAP Recipient

Grey Listing

Directory Harvesting

Rejected Recipient
Policy Based Action Provides a count of the actions taken based on policy rather than a
scanning trigger.
Content Provides a breakdown of the scanner that triggered a detection, either:
GTI Message Reputation
Sender ID
DKIM
Spam
Phish
Mail Filtering
Mail Size Filtering
File Filtering
Denial of Service
Compliance
Image Filtering
Mail URL Reputation
Mail URL Reputation DoS
DLP
Virus By either the McAfee or the Commtouch

Command scanner

PUPs By either the McAfee or the Commtouch

Command scanner

Packers By either the McAfee or the Commtouch

Command scanner

Advanced Threat Defense


Inbound

Shows the total number of inbound messages that triggered a detection, and expands the
statistics further to see the number of messages based on the following criteria:
Sender/Connection Provides a breakdown of the scanner that triggered a detection, either:
Deny Sender

BATV

RBL (Real-time blackhole lists)

SPF (Sender Policy Framework)

FCrDNS

44

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions SMTP Detections portlet

Option Definition
Recipient Provides a breakdown of the scanner that triggered a detection, either:
Anti-Relay

LDAP Recipient

Grey Listing

Directory Harvesting

Rejected Recipient
Policy Based Action Provides a count of the actions taken based on policy rather than a
scanning trigger.
Content Provides a breakdown of the scanner that triggered a detection, either:
GTI Message Reputation
Sender ID
DKIM
Spam
Phish
Mail Filtering
Mail Size Filtering
File Filtering
Denial of Service
Compliance
Image Filtering
Mail URL Reputation
Mail URL Reputation DoS
DLP
Virus By either the McAfee or the Commtouch

Command scanner

PUPs By either the McAfee or the Commtouch

Command scanner

Packers By either the McAfee or the Commtouch

Command scanner

Advanced Threat Defense


Outbound Shows the total number of inbound messages that triggered a detection, and expands the
statistics further to see the number of messages based on the following criteria:
Sender/Connection Provides a breakdown of the scanner that triggered a detection, either:
Deny Sender

BATV

RBL (Real-time blackhole lists)

SPF (Sender Policy Framework)

FCrDNS
Recipient Provides a breakdown of the scanner that triggered a detection, either:
Anti-Relay

LDAP Recipient

Grey Listing

Directory Harvesting

Rejected Recipient
Policy Based Action Provides a count of the actions taken based on policy rather than a
scanning trigger.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

45

Overview of Dashboard features


Option definitions POP3 Detections portlet

Option Definition
Content Provides a breakdown of the scanner that triggered a detection, either:
GTI Message Reputation
Sender ID
DKIM
Spam
Phish
Mail Filtering
Mail Size Filtering
File Filtering
Denial of Service
Compliance
Image Filtering
Mail URL Reputation
Mail URL Reputation DoS
DLP
Virus By either the McAfee or the Commtouch

Command scanner

PUPs By either the McAfee or the Commtouch

Command scanner

Packers By either the McAfee or the Commtouch

Command scanner

Advanced Threat Defense

Option definitions POP3 Detections portlet


This information describes the data available from the POP3 Detections portlet. From here, find out
how many messages triggered a detection based on threats such as viruses, packers, or potentially
inappropriate images.
The counters that appear in this portlet work differently to those in the Inbound and Outbound
Summary portlets where each message represents a single counter incrementation. In the Detections
portlets, one message can increment several counters, depending on the number of checks it fails.

46

Option

Definition

Spam

Messages that could originate from a spammer.

Phish

Messages that could contain a phish attack.

Mail Size Filtering

Messages filtered because of their size.

Image Filtering

Messages that could contain inappropriate or pornographic images.

Virus

Messages that exhibit virus-like behavior or content.

PUPs

Messages that contain potentially unwanted programs.

Packers

Messages that could contain packers.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions System Summary portlet

Option definitions System Summary portlet


The System Summary portlet displays information about load balancing, the disk space used for each
partition, total CPU usage, used and available memory, and swap details.
Option

Definition

Uptime

Displays the amount of time the appliance has been running since it was last started

Load Average

Displays the five second load average

Processor

Displays the total usage for all processors

Memory

Displays:
Memory used includes used and buffered memory
Free memory includes free and cached memory
Displays:

Swap

Used Percentage used of swap (the area on the hard disk that is part of the
appliance's virtual memory which temporarily stores inactive memory pages if there
is insufficient physical memory available to do so.)
Rate A high swap-rate indicates the system is in some form of overload.
Disk Space

Displays the percentage of Inodes and disk space used for each partition

Message Queue Displays the current status of the message queue.

Option definitions Hardware Summary portlet


The Hardware Summary portlet uses status indicators to show the status of network interfaces, UPS
servers, bridge mode (if enabled), and RAID status.

Information states
On the Hardware Summary portlet, there are the following status indicators available:

functioning normally
a warning threshold has been exceeded
a critical threshold has been exceeded
the service is not enabled.

Further descriptions of a red status indicator for external services are given in the definition table.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

47

Overview of Dashboard features


Option definitions Hardware Summary portlet

Option

Definition

Network
Interface

Shows the following for LAN1 and LAN2:


Received Data received over the network interface
Transmitted Data sent over the network interface
Speed Speed of the network interface in bits per second
A red status indicator against any Network Interface indicates that urgent attention is
required.

You may need to:


Review your network configuration and check it is correct.
Check that the switch is functioning correctly.
Check that the switch configuration is correct.
Check the cabling to and from the appliance. (Not necessary for the Content
Security Blade Server).
In virtual appliance installations, check the virtual switch configuration.
Hardware
Modules

Shows a summary status indicator about the following hardware modules:


Temperature

Cooling Device

Voltage

Memory

Fan

Module Board

Current

Cable Interconnect

Physical Security

Management subsystem

Power Supply
Any module that is not installed is categorized as Not Applicable. Any module that shows as
red or amber contains links to Troubleshoot | Tools | Hardware Status where you can get more
detailed information.
UPS

When enabled, the following status indicators are available:

Healthy The UPS is online with the mains power working


Requires Attention Due to one of the following potential reasons:
Using battery power (that is, not
mains power)

The UPS is overloaded

The battery is discharging

The UPS is trimming or boosting


incoming voltage

No battery protection is available

48

Requires Immediate Attention The UPS is offline


Critical The battery is low

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions Network Summary portlet

Option

Definition

Bridge

A red status indicates that McAfee Email Gateway is running in bridge mode, and is not
forwarding the network data.

RAID

Depending on the type of RAID controller and hard disk drives installed on your appliance
or blade server, the overall status of the RAID system is displayed:

Healthy The RAID system is functioning correctly.


Requires attention The RAID system is functioning, but one or more of the hard disk
drives are reporting that a predictive failure is imminent.
Critical One or more hard disk drives have failed.

In addition, where this information is reported to McAfee Email Gateway, the status of
each hard disk drive within the RAID array is reported. The possible statuses for these
drives are:

Healthy The hard disk drive is functioning correctly.


Operational but requires attention The diagnostics within the hard disk drive is reporting
that failure of the drive is possible. This indicates that the drive needs to be replaced.
Requires immediate attention The hard disk drive has failed and needs to be replaced
immediately.

Option definitions Network Summary portlet


This information describes the data available from the Network Summary portlet.
Option

Definition

Connections

A top level counter which increments to show the total number of TCP connections
made to the SMTP port on the appliance

Throughput

A top level counter which increments to show the average throughput of data for all
TCP connections made to the SMTP port on the appliance

Kernel Mode
Blocking

A top level counter which increments to show the total number of SYN packets
blocked from an IP address that has triggered a Reject, close and deny (Block) action. The
GTI message reputation lookup feature is configured to perform this action by default
for the next ten minutes.
Within the Kernel Mode Blocking counter, you can also drill down to view information
about the number of Blocked Hosts.
The information given by the Kernel Mode Blocking counter are the number of blocked
packets for the currently selected time frame. The information given by the Blocked Hosts
counter are the number of hosts currently being blocked.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

49

Overview of Dashboard features


Option definitions Services portlet

Option definitions Services portlet


The Services portlet displays update and service status statistics based on protocol and external servers
used by the appliance.

Information states
On the Services portlet, the following status indicators are available:

Functioning normally.
A warning threshold has been exceeded.
A critical threshold has been exceeded.
The service is not enabled.

Further descriptions of a red status indicator for external services are given in the definition table.

50

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions Services portlet

Option Definition
Updates

Anti-Virus Shows the anti-virus DAT and engine update status. Any older than three days
are shown in red.

If you have activated the additional Commtouch Command anti-virus engine, information
specific to this engine is also shown.

Anti-Spam Shows the anti-spam definition and engine update status. Any older than 30
minutes are shown in red.
Status

Configuration Shows any configuration alerts, such as the appliance operating as an open
relay.
FIPS 140-2 Compliance When installed in FIPS-compliant mode, shows the current FIPS
status for the McAfee Email Gateway. More details information on the FIPS status can be
found at Troubleshoot | Tools | FIPS Status.
SMTP Service Shows whether the SMTP service is functioning correctly.
POP3 Service Shows whether the POP3 service is functioning correctly.
Encryption Service Shows whether the encryption service is functioning correctly.

External

McAfee ePO Shows the state of the communication between Email Gateway and McAfee
ePolicy Orchestrator.
The following are reported:
Event Reports Events are regularly sent from the appliance to the ePolicy Orchestrator
server for to be used to generate reports. If event files are not successfully uploaded,
this indicator turns red. (The default threshold is 25 files that failed to upload.)
Communication Attempts The appliance communicates with the ePolicy Orchestrator server
at regular intervals. Failures with these communication attempts are shown here.
Configuration Integrity The appliance checks that the configuration that has been pushed
by the ePolicy Orchestrator server does not contain any inconsistencies. Inconsistencies
could be a policy that refers to a Policy group or Directory service that might no longer
exist. The status is either Healthy, or Operational, but requires attention.
This issue can occur if incorrect ePolicy Orchestrator policies are assigned within the
ePolicy Orchestrator System tree.

Policy Enforcement Confirmation that the policy has been correctly enforced on the
appliance.
DLP DB Updates Confirmation that the Data Loss Prevention database has been correctly
updated.
MQM Shows the state of the communication between Email Gateway and McAfee
Quarantine Manager (MQM).
A red status indicates that communication between Email Gateway and MQM is broken.
GTI Message Reputation Shows the state of the communication between Email Gateway and
the McAfee Global Threat Intelligence (McAfee GTI) message reputation server.
A red status indicates that communication between Email Gateway and the McAfee
GTImessage reputation server is broken.
GTI Feedback Shows the state of the communication between Email Gateway and the
McAfee GTI feedback server.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

51

Overview of Dashboard features


Option definitions Clustering portlet

Option Definition
A red status indicates that communication between Email Gateway and the McAfee GTI
feedback server is broken.
GTI File Reputation Shows the state of the communication between Email Gateway and the
McAfee GTI file reputation server.
A red status indicates that a DNS query of a sample <Artemis> query did not respond
with the expected answer.
RBL Shows the state of the communication between Email Gateway and any RBL
(Real-time Blackhole List) servers that are configured.
A red status indicates that communication between Email Gateway and RBL servers is
broken, or gray status can indicate that there are no servers to monitor.
Syslog Shows the state of the communication between Email Gateway and any off-box
system log servers that are configured.
A red status indicates that communication between Email Gateway and the system log
servers is broken, or a gray status can indicate that there are no servers to monitor.
LDAP Shows the state of the communication between Email Gateway and any LDAP
servers that are configured.
A red status indicates that a test query did not respond with the expected response, or
gray status can indicate that there are no servers to monitor.
SNMP Shows whether the SNMP service is functioning correctly.
A red status indicates that the SNMPD agent is not running or functioning correctly.
DNS Shows the state of the communication between Email Gateway and any DNS
servers that are configured.
A red status indicates that communication between Email Gateway and the DNS servers is
broken, or gray status can indicate that there are no servers to monitor.
NTP Shows the state of the communication between Email Gateway and active NTP
(Network Time Protocol) servers that are configured.
A red status indicates that the time synchronization is not up to date with the active NTP
server.
Anti-spam cloud lookup Shows the state of the communication between Email Gateway and
the anti-spam cloud servers.
A red status indicates that communication between Email Gateway and the anti-spam
cloud servers is broken.

Option definitions Clustering portlet


This topic discusses the Clustering portlet found on the dashboard when you have configured your
appliance as part of a cluster, or if you are using the blade server hardware to run your Email
Gateway.

This section is available only on a cluster master appliance or management blade (on a blade
server).

52

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions Clustering portlet

Option

Definition

Email

When clicked, the meter displays Message per hour.

Message per hour

Displays the average throughput of the cluster, based on measurements taken every
few minutes. If the cluster has twice as many scanning appliances, its throughput
almost doubles too. Extra management activity consumes some of the processing
power

Status

Displays the status of the device:


Operating normally
Needs attention
Needs immediate attention

Scanning Device
Type

Displays the type of scanning device:


Cluster Master
Cluster Failover
Email Gateway Appliance

Name

Displays the name of the appliance as configured

State

Displays the current state of each appliance:


Network Connected to the network
Redundant The Cluster Failover device is not currently running but will take over if
the master cluster appliance fails
Install Installing software
Synchronizing Synchronizing with the cluster master
Boot Booting
Shutdown Shutting down
Malconfigured Configuration file is faulty
Unconfigured Not configured for load balancing
Disabled Disabled by the user
Failed No longer on the network. No heartbeat was detected
Fault A fault has been detected on this appliance
Legacy Not compatible for load balancing

Load

Displays the average system load over a period of five minutes

Active

Displays the number of active connections for each appliance. The row for the
cluster master shows the total for all appliance

Connections

Displays the number of connections handled by each appliance since the counters
were last reset

Component
Displays the versions of anti-spam and anti-virus DAT files. The version numbers are
version information the same if the appliances are up-to-date. During updating, the values might be
different. To see more information, move the cursor over the text and wait for a
yellow box to appear

McAfee Email Gateway 7.6.400 Appliances

Product Guide

53

Overview of Dashboard features


Option definitions Advanced Threat Defense portlet

Option definitions Advanced Threat Defense portlet


When you have configured McAfee Email Gateway to communicate to your McAfee Advanced Threat
Defense servers, the Advanced Threat Defense portlet displays the current status of communication to your
McAfee Advanced Threat Defense servers.
On the Advanced Threat Defense portlet, the following status indicators are available:

Functioning normally.
Needs attention. This error is usually due to an issue with a specific scan request, rather than
general communication issues between the McAfee Email Gateway and McAfee Advanced Threat
Defense servers.
Needs immediate attention. This could be because authentication to the Advanced Threat Defense
server has failed, incorrect credentials have been entered or other communication errors between
the McAfee Email Gateway and McAfee Advanced Threat Defense servers have occurred.

Table 2-1 Option definitions


Option

Definition

<McAfee Advanced Threat Defense server name> Each of your configured McAfee Advanced Threat Defense
servers are listed.

54

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Option definitions Tasks portlet

Option definitions Tasks portlet


Use the Tasks portlet to link directly to the areas of the user interface that search the message queue,
view reports, manage policies, configure mail protocol settings and network and system settings, and
access troubleshooting features.
Option

Definition

View Message
Queue and
Reports

Search the Message Queue Search for messages blocked, bounced, delivered,
quarantined, and queued by sender, recipient, and subject.
View Favorite Reports Display your most popular email reports in a variety of view
types.
Manage Scheduled Reports Create schedules for available report documents, such as
email activity.

Create Policy

Manage Policy (SMTP) Go to the Email Policies settings for the SMTP protocol where you
can create and edit policies for anti-virus and anti-spam protection, and compliance
settings.
Manage Policy (POP3) Go to the Email Policies settings for the POP3 protocol where you
can create and edit policies for anti-virus and anti-spam protection, and compliance
settings.
Manage Compliance Dictionaries Choose from a library of predefined rules, or create your
own rules and dictionaries specific to your organization. Compliance rules can vary in
complexity from a straightforward trigger when an individual term within a dictionary
is detected, to building on and combining score-based dictionaries which will only
trigger when a certain threshold is reached. Using the advanced features of
compliance rules, dictionaries can be combined using logical operations.
Register DLP Documents Restrict the flow of sensitive information sent by email
through the appliance. for example, block the transmission of a sensitive document
such as a financial report that is to be sent outside of your organization.

Configure Mail
Protocol

Configure Email Relay Domains Build a list of IP addresses, networks, and users who
can, or cannot connect to the appliance.
Configure Domain Routing Set up the network hosts that you want the appliance to use
to route mail traffic to specific domains.
Configure Encryption Enable the appliance to use supported encryption methods to
securely deliver your email messages.
Manage Certificates Use digitally signed certificates for tasks such as securely
transferring email using TLS, or using S/MIME certificates.

Configure
Network

Manage Network Settings View and edit basic settings for the appliance such as its
domain name, and the network interfaces settings.
Manage a Cluster Specify the appliance's load balancing requirements when it acts as
part of a cluster.
Manage Virtual Hosting Specify the addresses where the appliance receives or
intercepts mail traffic on the Inbound Address Pool.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

55

Overview of Dashboard features


Task Setting System Summary thresholds

Option

Definition

Configure
System

Configure ePO Management Set up the appliance to be managed by epolicy


Orchestrator.
Configure Quarantine Options Tell the appliane to store quarantined messages itself, or
to store them using the McAfee Quarantine Manager (MQM) service.
Generate Syslog Reports Set up and view system logs for a variety of events.
Define Directory Services Configure the appliance to work with your LDAP servers.
Configure SNMP Send alerts to the trap manager for a variety of events.
Configure DNS and Routing Create a list of DNS servers and sort them in order of
priority, and set up routes.

Troubleshoot

Generate a Minimum Escalation Reports Create a report that contains the minimum
information needed by support to help them diagnose a problem with the appliance.
Run System Tests Perform a series of tests on the appliance to ensure that key areas
are functioning correctly.
Back up and Restore Configuration Configure the appliance to back up the configuration,
or create a backup schedule, and restore the configuration if necessary.

Task Setting System Summary thresholds


Within the System Summary portlet, you can specify thresholds for some of the status indicators.
These thresholds are the points at which the status indicators change color and at which the appliance
logs an event, indicating a potential issue with your McAfee Email Gateway.
Task
1

Expand the Dashboard | System Summary portlet.

Drill down to an area that allows user-defined thresholds to be set.

Click the status indicator (the red, yellow or green circle) for the area on which to set the
threshold.
The parameter name is replaced as shown:

Adjust the threshold values for the


fields.
Click

Requires Attention and

Requires Immediate Attention threshold

to save the changed thresholds.

When the values for the dashboard information reaches the new threshold, the status indicator
changes to the appropriate color and an event is logged.
Events will not be logged until after the thresholds have been saved, the next Dashboard refresh has
taken place and the threshold has been hit or exceeded.

56

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Dashboard features


Task Setting Services thresholds

Task Setting Services thresholds


Within the Services portlet, you can specify thresholds related to McAfee ePolicy Orchestrator status
indicators.
You can set alerts and warnings for the McAfee ePolicy Orchestrator-related status indicators.
You can set thresholds for warnings, alerts or both. The warning threshold must be equal to or less than
the alert threshold.

Task
1

Expand the Dashboard | Services portlet.

Click the status icon beside the area to have thresholds set.
The parameter name is replaced as shown:

Adjust the threshold values for the


fields.
Click

Requires Attention and

Requires Immediate Attention threshold

to save the changed thresholds.

When the values for the dashboard information reaches the new threshold, the status indicator
changes to the appropriate color and an event is logged.
Events will not be logged until after the thresholds have been saved, the next Dashboard refresh has
taken place and the threshold has been hit or exceeded.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

57

Overview of Dashboard features


Task Setting Services thresholds

58

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features

This topic provides an overview of the features within Email Gateway that relate to reporting the
activities of the appliance.

Reports
Contents
Types of reports
Message Search overview
Option definitions Blacklist/whitelist URLs
Scheduled Reports
Scheduled Reports New Report dialog box
Scheduled Reports Edit Report dialog box
Email Reports
System Reports

Types of reports
You can generate reports either on your appliance, your ePolicy Orchestrator server, or externally.

System | Logging, Alerting and SNMP

Reports
Use the external methods to keep the reported events over a longer period of time than that offered
by the reporting options on the appliance itself. Use features available from System | Logging, Alerting and
SNMP, or McAfee ePolicy Orchestrator to send data to generate reports externally.
Table 3-1 External reporting options
External report
generation option

Definition

System log

System | Logging, Alerting and SNMP. Supports the common event formats for
Splunk and ArcSight.

SNMP

System | Logging, Alerting and SNMP. Supports the SNMP Alert Settings and SNMP
Monitor Settings options. The MIB file can be downloaded from the Resources tab
available from the appliances toolbar.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

59

Overview of Reports features


Message Search overview

Table 3-1 External reporting options (continued)


External report
generation option

Definition

Email Alerting

System | Logging, Alerting and SNMP | Email Alerting. You can configure Email
Alerting to alert specified people about different events that occur on your
appliance.

McAfee ePolicy
Orchestrator

Use ePolicy Orchestrator to generate reports about multiple appliances and


security software within your organization, such as information about the
total number of viruses detected within your organization.

McAfee Web Reporter

System | Logging, Alerting and SNMP. Generates reports about Uniform Resource
Locator (URL) filtering activities. See the McAfee Web Reporter Product
Guide, available from the McAfee download site.

Use the appliance Dashboard to see high-level event statistics. Use the options in Reports to produce
regular and real-time reports on the following types of events on the appliance.
Table 3-2 Reporting options on the appliance
Report type

Definition

Scheduled reports Reports Set up regular activity overview (by protocol, threat type, and
detection), email detections, web detections, and system event reports and send
them to other administrators.
Email reports

Reports Create and view information about threats detected in the email passing
through your appliance, and the subsequent actions taken by the appliance.

System reports

Reports Create and view information about threat detection updates, and
system events.

Message Search overview


Use this feature to search for email messages that have passed to the DATA phase on your appliance.
This feature is also available from within McAfee ePolicy Orchestrator.

Reports | Message search


Message Search provides you with a convenient method to locate email messages on your appliance.
If the appliance has not received the message body, the message cannot be found in Message Search. For
example, if an email message is blocked by the Real-time Blackhole Lists (RBLs), the appliance will not have
received the message body. In this situation, use Reports | Email Reports from the McAfee Email Gateway to
find further information about this email message.

Contents
Benefits of using Message Search
Message Search parameters
Message Search results
Message Search icons
Task Identify quarantined email messages
Task Find out which email messages are queued
Task Find out which email messages are being blocked
Task Find the emails that were successfully delivered
Task A user has requested that I release one of their quarantined email messages

60

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

Task Export a message search report


Task Find a message containing a named attachment
Using multiple search parameters
Searching for archived content
Task - Configure identification of archived content
Task - Find content of archived files

Benefits of using Message Search


Message Search enables you to search for email messages that have passed to the DATA phase on
your McAfee Email Gateway appliance.

Figure 3-1 Message Search

A common request from users is "What happened to the email message I sent yesterday?", or "My
supplier emailed me on Monday, why haven't I received his message yet?"
From a single location within the user interface, Message Search allows you to confirm the status of
email messages that have passed through the appliance. It provides you with information about the
email, including:

Was it delivered?

Was it blocked?

Did the message bounce?

Was the message quarantined?

Is the message queued pending further action?

Does the message contain attachments? If so, what are the file names?
If an archive attachment includes non-English filenames that do not display correctly within Message
Search, change the Default decode character set options from Email | Email Policies | Policy Options | Content handling |
Email Options | Advanced Options.

You can use a wide range of different criteria to search on, including:

The Message status

Source IP

Sender, Recipient or Subject information

Email disposition

Category

If the Email has been modified or not

McAfee Email Gateway 7.6.400 Appliances

Product Guide

61

Overview of Reports features


Message Search overview

Date range

Audit ID

The Virtual host used

If you have configured Sender address masquerading or Recipient address aliasing, Message Search shows the
masqueraded or aliased email addresses.

Message Search parameters


This topic provides you with information about each of the parameters that are available to you with
the Message Search feature.
Option

Definition

Message status

You can choose to search All email messages. If you suspect that a message is in a
certain state, you can also search only for messages that are:
Advanced Threat Defense
Message Search only reports Advanced Threat Defense messages that are either
pending or being scanned by the Advanced Threat Defense servers. As soon as
scanning is complete, the messages are shown within the section relevant to the
scan results.

Blocked
Bounced
Delivered
Quarantined
This includes quarantined items that have pending release requests.

Queued
You can multi-select to search for messages in more than one status.
Sender,
You can search for emails containing particular sender, recipient, or subject text.
Recipient, Subject The appliance can modify the subject of some emails, typically by adding a [spam] or
[phish] prefix to the subject line. However, the subject displayed on the Message
Search page is the original subject line of the email message before the appliance
makes any changes.
You can use the * and ? wildcard characters in your searches.
To search for a literal *, ?, or \ character within these fields, use the backslash (\)
character before the search term. For example, use \* to search for the asterisk
character.

62

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

Option

Definition

Category

When you search on Blocked or Quarantined items, you can further refine your
search by selecting the Category that the appliance used to block or quarantine the
message.

When viewing messages that have been Blocked, the following Category options are
available:
Anti-Phish
Anti-Spam
Anti-Virus

If you have enabled the additional Commtouch Command anti-virus engine, you
will see anti-virus detections listed by detection engine.

Anti-Virus (Packer)
Anti-Virus (PUP)
Advanced Threat Defense
Compliance
Corrupt Content
Data Loss Prevention
Encrypted Content
File Filtering
Mail Filtering
Mail Size
Signed Content
Directory Harvesting
Image Filtering
URL Reputation
Denial of Service
Unscannable Content
Sender Authentication Threshold
DKIM
SenderID
Message reputation
For messages that were Quarantined by the appliance, the following Category
options are available:
Anti-Phish
Anti-Spam
Anti-Virus

If you have enabled the additional Commtouch Command anti-virus engine, you
will see anti-virus detections listed by detection engine.

Anti-Virus (Packer)
Anti-Virus (PUP)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

63

Overview of Reports features


Message Search overview

Option

Definition
Advanced Threat Defense
Compliance
Corrupt Content
Data Loss Prevention
Encrypted Content
File Filtering
Mail Filtering
Mail Size
Signed Content
Directory Harvesting
Image Filtering
URL Reputation
Denial of Service
Unscannable Content
Sender Authentication Threshold
DKIM
SenderID
Message reputation
You can multi-select to search for messages in more than one category. See
Quarantine Options to find out how the categories relate to those reported in McAfee
Quarantine Manager.

Quarantined to:

For messages that were quarantined, you can search all quarantine queues, or select
one or more from the list of configured queues. The queues are:
Viruses

Other

PUPs

Phish

Compliance

Spam

A single message may be quarantined to more than one category. Summing the total
number of messages in all categories will not necessarily generate the total
quarantined messages.

All Dates / Date


Range

64

You can search on All Dates , or you can specify a Date Range, using From and To
dates and times.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

Option

Definition

Audit ID

When an email message passes through the appliance, a received header


containing audit ID information is added to the message header.
The received header will look similar to the following:
Received: from (mta1.example.com [192.168.254.200]) by
meg_appliance1.example.com with smtp
id 1448_0004_4d37a0e8_93e1_11df_b43f_00114336c271
Tue, 20 Jul 2011 09:29:31 +0000

This audit ID information can be used to track the message as it passes through the
appliance.
Source IP

This is the source IP address of the originating email server. If your appliance is
configured behind one or more Mail Transfer Agents (MTAs), the email headers are
used to obtain the correct source IP address.
If you know the IP address that is sending email messages to you, you can search
using this address.
You can use either a single address (for example, 192.168.0.1) or a network
address/netmask (for example, 192.168.0.0/255.255.255.0).

Disposition

Allows you to select All or One or more of Inbound, Outbound and Internal messages
in your search.

Type

When dealing with quarantined email messages, this allows you to search for the all,
messages, original email or for messages that have been modified by the appliance.
It also allows you to search for messages that have their Release requested by your
users.

Virtual host

If you have enabled the use of virtual hosts on your appliance, you can track or view
email messages that are processed by an individual virtual host on the appliance.
To do this, select the relevant host name from the Virtual host drop-down list.

Attachment
(only visible
when
Attachment
identification
is enabled)

To find specific attachments within email messages, enter a full or partial attachment
name. You can also use wildcard characters.

View recipients

Clicking on any of the highlighted links in the View recipients area shows you either All
messages, or a list of recipients and the number of items against each recipient
beginning with the selected character. For example, it might show that one recipient
currently has four queued messages, one quarantined message and three delivered
messages.
By clicking on a particular recipient, you can then view all relevant items for that
recipient.
To revert to the total view of messages, click Close.

Search/Refresh

Click to search the appliance for email messages that match your search parameters,
or to refresh the list if you have changed any of the parameters.

Clear Parameters

Resets all search parameters to their default states.

Message Search results


Within the Message Search, the following results might be displayed.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

65

Overview of Reports features


Message Search overview

Option

Definition

Options

After you search for your required email types, you can perform actions based on the
type of message. These actions include:
Delete selected.
Release selected Only available if all selected messages are quarantined
"on-the-box," and do not contain viral content.
Retry selected.
Forward selected Only available if all selected messages are either queued or
quarantined.
Find related.
Submit false positive Submit the selected messages to McAfee for analysis, to help
reduce false positive detections.
Submit unscannable content.
Delete all.
Blacklist / whitelist URLs Enables you to extract URLs from within the scan log, and to
add these URLs to either the blacklist or whitelist.
Cancel ATD scan Allows the appliance to proceed with processing the email without
waiting for scan results from the McAfee Advanced Threat Defense server.
This action does not stop the Advanced Threat Defense server from completing the
scan.
If you configured your appliance to perform off-box quarantining using McAfee
Quarantine Manager, you cannot make release requests from within Message Search.

Real-Time retry

To retry the delivery of a queued item and to then show the results of the SMTP
conversation with the target MTA, click Real-Time Retry.
You can only use Real-Time Retry by selecting a single queued message.

Download ATD
Report

When using Advanced Threat Defense, click Download ATD Report to save and view the
report from the Advanced Threat Defense server that scanned the selected message.

View Message

If the message is still available to the appliance, you can view the selected message.
For example, if the email message has been queued or quarantined on the appliance.
From within the message view, you can:
Delete the message from the appliance.
Release the message from the appliance. (Quarantined messages only).
Retry to deliver the message from the appliance. (Queued messages only).
Forward the message to another email address.
Download the message to your local file system in .eml format.
You can also use Show headers to view the information contained within the email
header.

66

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

Option

Definition

View
You can view conversation details of email messages through the different stages of
Conversation Log the SMTP conversation.
SMTP conversation logging must be enabled on your appliance (from Email | Email Configuration
| Protocol Configuration | Connection Settings (SMTP) | SMTP conversation logging.)

Select an email message and click View Conversation Log to see the conversation details
for the selected message.
Download
Messages

Show Report

Downloads the selected queued or quarantined messages to your local file system.
If you select a single message, an .eml file is downloaded. If you select multiple
messages, a .zip file containing individual .eml files is downloaded.
View information about the selected email message.

Hide and
You can hide and show columns in the Message Search results area.
show columns

Click the left arrow to hide the selected column.

Click the down arrow to display options to sort or hide a column.

Click the right arrow to redisplay information in the hidden column.

Export

Click to export a report based on your message search results.

Maintenance
options

Click to go to the Database Maintenance area, where you can define the number of items
identified using Message Search that is retained in the database.

Table 3-3 Search results table


Column
heading

Definition

Checkbox

Select the checkbox next to a particular message to enable actions you can take
regarding that message. The checkbox in the header row enables or disables all
messages in the list.

Date

Displays the date and time Email Gateway received the message.

Sender

Displays the email address for the sender of the message.

Recipient

Displays the email address for the recipient of the message.

Subject

Displays the subject of the message, from the Subject line.

Policy

Indicates the configured email policy used to process the message.

Status/Category

Indicates the disposition of the message, such as delivered, blocked, quarantined.


When messages have been sent to Advanced Threat Defense, this column
indicates the status information returned from the Advanced Threat Defense
server. The status can be:
Advanced Threat Defense.
Advanced Threat Defense Timeout.
Advanced Threat Defense Queue Exceeded.
Advanced Threat Defense Scan Failed.

Quarantined to

If Email Gateway quarantined the message, the quarantine queue is displayed.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

67

Overview of Reports features


Message Search overview

Table 3-3 Search results table (continued)


Column
heading

Definition

Attachments

When attachment detection is enabled, shows information in a tree form about the
attachments. The information includes file name and file type, and can also include
archive data.
Email Gateway cannot obtain attachment information from the following file types:

CAB files
BZIP-compressed files
Password-protected files
Encrypted files
Source IP

Displays the IP address where the message originated.

Properties

Displays icons indicating message properties.

Size

Displays the message size, including attachments.

Message Search icons


Understand the meaning of the icons that are used within the message search page.
Option Definition
Email message is Inbound.
Email message is Outbound.
Email message was composed within the Secure Web Mail Client.
Email message is Internal.
Internal email messages are Alert messages and Quarantine Digest messages.

This is the original version of the quarantined message.


This is the version of the quarantined message that has been modified by the appliance.
This email message is currently held in a queue, but the appliance is not actively trying to
deliver the message.
The appliance is trying to deliver this message.
The appliance has a release request pending for this message.
Queued for delivery to your McAfee Quarantine Manager server.
Email message is secured using the Encryption policy settings.
Email message was received or delivered using TLS.
Email Gateway is waiting to send the email message to Advanced Threat Defense for
processing.
Advanced Threat Defense is scanning the email message.

68

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

Option Definition
Email message was scanned by Advanced Threat Defense, and scanning has completed.
Access to the quarantined email message is restricted. You do not have sufficient privileges
to view or download the message, or perform any actions (delete, release, forward) on the
message.

Task Identify quarantined email messages


Use this task to discover which email messages have been quarantined by your McAfee Email Gateway
Appliance.
To view a list of all messages that have been quarantined:
Task
1

Click Reports | Message Search.

Select Quarantined from the Message status drop-down list.

Click Search/Refresh.

All messages that have been quarantined are displayed in the lower part of the page.

Task Refine the search


You can further refine your search for quarantined email messages to show only those that have been
quarantined due to specific triggers. In this example, to find those email messages quarantined due to
compliance issues:
Task
1

Complete the steps in Task Find out which email messages are quarantined.

Select Compliance from the Category drop-down list.

Click Search/Refresh.

The lower part of the screen is refreshed to show only the messages that have been quarantined due
to compliance issues.

Task View a specific email message


You can view the content of a quarantined email message.
Task
1

Complete the steps in Task Refine the search.

Select the relevant quarantined message using the checkbox to the left of the page.

Click View Message.

The selected message is displayed in a new window. From this window, you can view the content of
the email message. You can also choose to view the detailed email header information. After you have
viewed the message, by clicking the relevant buttons, you can choose further actions to perform on
the email message.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

69

Overview of Reports features


Message Search overview

Task Release a quarantined email message


After viewing the email message that has been quarantined, you may want to release the message
from Quarantine. This task allows you to do this.
To release a selected message from quarantine:
Task
1

Complete the steps in Task View a specific email message.

Click Release Selected.

The selected email message is released from quarantine.


Email messages that contain viral content cannot be released from quarantine, as to do so would risk
causing damage to your systems.

Task Submit a false positive sample to McAfee


Submit email messages that have been incorrectly detected as spam or phishing messages to McAfee,
to help reduce false positive detections in the future.
Before you begin
You can only submit messages that have been detected as either spam or phishing email
messages, and that have then been quarantined by McAfee Email Gateway.

By investigating samples of genuine email messages that have been incorrectly detected as either
spam or phishing email messages (false positive detections), McAfee can improve the accuracy of the
spam and phishing message detections.
Task
1

Select Reports | Message search.

Select Quarantined from the Message status drop-down list.

Click Search/Refresh.

Select the email messages that have been incorrectly identified as either spam or phishing
messages.

Select Submit false positive from Options.

Click Go.

The selected incorrectly-identified spam or phishing messages are submitted to a secure McAfee site
where they can be analyzed and the results used to improve spam and phishing email message
detections.

70

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

Task Find out which email messages are queued


Use this task to find out which email messages are currently queued pending delivery on your Email
Gateway appliance.
To view a list of all messages that have been queued on the appliance:
Task
1

Click Reports | Message Search.

Select Queued from the Message status drop-down list.

Click Search/Refresh.

All messages that have been queued are displayed in the lower part of the page.

Task Find out which email messages are queued for inbound delivery
Use this task to refine your search for messages queued for inbound delivery.
You can further refine your search for queued email messages to show only those messages that have
been queued for inbound or outbound delivery. To view the queued messages awaiting inbound
delivery:
Task
1

Complete the steps in Task Find out which email messages are queued.

Select Inbound from the Disposition drop-down list.

Click Search/Refresh.

All messages that have been queued for inbound delivery are displayed in the lower part of the page.

Task Delivering the queued email message


Use this task to deliver the email message that are currently queued on your Email Gateway
appliance.
Having found the queued email messages, and investigated the reason for the messages to be
queued, you then need to force the appliance to try again to deliver the messages:
Task
1

Complete the steps in Task Find out which email messages are queued for inbound delivery.

Select the relevant queued messages using the check-boxes to the left of the page.

Choose one of the following:

From the Options drop-down list, select Retry selected.

For a single message, click View Message, and then select the Retry button.

To retry the sending of the messages and then see the results within the page, click Real-Time
Retry.

Your Email Gateway appliance attempts delivery of the queued messages.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

71

Overview of Reports features


Message Search overview

Task Find out which email messages are being blocked


Use this task to find email messages that have been blocked by your Email Gateway appliance.
To view a list of all messages that have been blocked on the appliance:
Task
1

Click Reports | Message Search.

Select Blocked from the Message status drop-down list.

Click Search/Refresh.

All messages that have been blocked are displayed in the lower part of the page. Email messages can
be blocked for a variety of reasons, and the table showing all blocked messages includes the reason
that each message was blocked within the Status/Category column.

Task Find the emails that were successfully delivered


Use this task to find all emails that were successfully delivered by your Email Gateway appliance.
You may have a request from your users to verify that an email message has been successfully
delivered to its intended recipient. To verify this:
Task
1

Click Reports | Message Search.

Select Delivered from the Message status drop-down list.

Click Search/Refresh.

All messages that have been successfully delivered by the appliance are listed in the lower part of the
page.

Task A user has requested that I release one of their


quarantined email messages
Use this task to release a quarantined email.
When an email message is quarantined, your users may receive a digest message, giving them
options relating to the messages in quarantine. To view and then release an email message that a user
has requested be released:
Task

72

Click Reports | Message Search.

Select Quarantined from the Message status drop-down list.

Select Release requested from the Type drop-down list.

Click Search/Refresh.

Select the email message (or messages) to be released.

Click View Message.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

If you are happy that the selected message is safe to release, select Release selected from the Options
drop-down list.

Click Go.
In the Dashboard | Email Queues area, you can see how many quarantine release requests have been made
by your users. Clicking the link on this page opens the Message Search page, and auto-populates the fields
required to release these messages.

Task Export a message search report


When you have run a message search, you have the option of exporting a report of the results in .csv
format.
Before you begin
Before you can export the report, you must run a message search that did not return 0
results.
Task
1

Navigate to the Message Search window.


You can navigate using Reports | Message search, or using the Task portlet on the Dashboard (Dashboard |
Tasks | Message Search & Reports | Search the Message Queue).
The Message Search window opens.

Select your desired parameters and perform a message search.


Your search results display.
The report you create will contain the entire results from your search.

Click the Export link at the bottom of the results window.


A message displays, providing a link to the exported .csv file.

Click the link to access the .csv file.

The report displays. The format is essentially the same as the Message Search results table, with a
few differences:

The audit ID displays.

The time displays both as seconds for sorting, and as a human-readable local time string.

The reason value for quarantined items displays.

The Properties column shows as three columns: Disposition, Type, and Encryption Type.

Task Find a message containing a named attachment


Search for messages that contain named attachments
Before you begin
Before you can find messages that contain attachments, you must Enable attachment
identification from Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) |
Attachment identification.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

73

Overview of Reports features


Message Search overview

Task
1

Navigate to the Message Search window. You can navigate using Reports | Message search, or using the
Task portlet on the Dashboard ( Dashboard | Tasks | Message Search & Reports | Search the Message Queue).
The Message Search window opens.

Choose the search parameters to use.

Click Search / Refresh.

Use the Attachments column to identify messages containing the relevant attachment.
You can also search for specific attachment names by using the Attachment field. This field accepts
either complete attachment names or partial names with wildcard characters.

Use the available controls to take appropriate actions on the selected messages.

Using multiple search parameters


Using the information you have, you can refine a message search to produce manageable results.
When you use one or only a few search parameters, the search can produce a long list of results. You
can avoid searching through such a list by using more information about the message.

Searching with multiple parameters


This example illustrates how to use a complex search.
Situation A colleague expected to receive an email message from a sales representative about a
new product. The message has not arrived, although the sender created it several days ago. You want
to find out where the message went and attempt to get it delivered. Here is the information you have.

The sales representative named Rep1, representing Example Corporation, sent the message. We
don't know the first name.

The message should have arrived during the last week of last month (February 23, 2015 through
February 27, 2015), probably on February 25, 2015.

User1 is the recipient.

The message included a PDF attachment, the information sheet about the new product.

The message might include words like "Revolutionary" or "Amazing" in the subject line.

Solution Conduct a message search based on this information.

Task Perform a detailed search


Use multiple parameters to narrow your message search.
This search is based on hypothetical information provided in the previous example.
Task
1

Select Reports | Message Search.

For Message Status, select One or more of, then select Quarantined.
Since the message was not delivered, it might be quarantined or blocked.

For Sender, type *rep1@examplecorp.com.


You know the last name of the sender, and the name of the company as it appears in email
addresses.

74

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Message Search overview

For Recipient, type user1@mycompany.com.

For Subject, type *Revolutionary*.

The subject line might include this word.


6

Select Default policy (SMTP).

For Category, select One or more of, then select Anti-Spam, File Filtering, and Mail Filtering.
You suspect one of these three categories includes the message.

For Quarantined to, select One or more of, then select Spam.

Select Date Range, the select February 23, 2015 and February 27, 2015 from the calendars as From and To
dates.

10 For Attachment, type *.pdf.


11 Click Search/Refresh.
Email Gateway performs the search and displays the results.
If the search does not produce the wanted result, change some of the parameters, such as the date
range. Perform the search again.

Searching for archived content


Identifying file names in archived attachments allows you to search for hidden malicious payload.
The names of archived files, including attachments, are viewable and searchable using the Message
Search feature.

Supported archive formats


Email Gateway can identify the contents of the following archive formats:

ZIP (*.zip)

GZIP-compressed archives (*.tar.gz)

TAR (*.tar)

RAR (*.rar)

7-ZIP (*.7z)

Email Gateway cannot retrieve attachment information from the following:

BZIP-compressed archives (*.tar.bz2)

CAB (*.cab)

Password-protected files

Encrypted files

Other formats have not been tested.

Using archive content detection


This example illustrates a situation where you might want to list the contents of archived files,
including attachments.
Issue Someone has sent an email containing a file attachment with a malicious payload to targeted
individuals. The attachment containing the payload is a .zip file, and zeroday protection does not
detect it. The .zip file name is randomized, so searching for the attachment is not practical. The name
of the payload is payload.exe, and it is therefore searchable. You want to know the recipients of the
malicious content.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

75

Overview of Reports features


Message Search overview

Solution Identifying file names in archive attachments permits you to conduct the required search.
Configure Attachment Identification and include identification of archive contents by typing payload.exe in
the Attachment data field. Then click Search/Refresh to conduct a message search.

Task - Configure identification of archived content


Attachment Identification includes archived content identification.
You cannot enable identification of archived content without enabling Attachment Identification.
Task
1

Select Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Basic SMTP settings.
The Connection Settings (SMTP) window opens.

Scroll down the page to the Attachment Identification section. Click the expansion icon to reveal the
configuration parameters.

Select the Enable attachment identification checkbox and configure a limit for the Maximum number of
attachments scanned per message.
Option

Description

Enter a number If you encounter issues due to large numbers of attachments, deselect the No limit
checkbox. Enter a limit for the number of attachments to identify.
No limit
4

Selected by default. All attachments are identified and searchable in Message Search.

Select the Enable identification of archive contents checkbox and configure a limit for the Maximum nesting depth
per message.
Option

Description

Enter a number By default, the appliance identifies attachments in nested archives up to five levels
deep. If you encounter issues with attachments due to layers of nesting, reduce this
number.
No limit
5

All attachments are identified with no limit on the number of layers of nesting.

Click the green checkmark in the menu bar to save your changes.

Task - Find content of archived files


Search archive files for messages that contain named attachments.
Before you begin
Before you can find messages that contain attachments, Enable attachment identification and
Enable identification of archive contents from Email | Email Configuration | Protocol Configuration | Connection
Settings (SMTP) | Attachment identification.
Task
1

Navigate to the Message Search window. You can navigate using Reports | Message search, or using the
Task portlet on the Dashboard.
The Message Search window opens.

76

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Option definitions Blacklist/whitelist URLs

Select or add the search parameters you want, including Attachment information, such as the archive,
attachment, and file name.
The Attachment field accepts either complete attachment names or partial names with wildcard
characters.

Click Search / Refresh.


Search results populate the table in the lower half of the page.
Message search results display the archive files in a tree view. Hover the mouse over the entry to
reveal the complete path to the item.

Use the available controls to take appropriate actions on the selected messages.

Option definitions Blacklist/whitelist URLs


Add URLs found within the scan log to your policy blacklists or whitelists.
Table 3-4 Option definitions
Option

Definition

URLs found

Lists the unique URLs found within the scan log. Information from the scan log,
and the available action options, are shown.
URL Pattern
Score
Action to be taken. The available actions are:
Ignore
Blacklist
Whitelist

Parse options

Choose between using Simple pattern or Regular expression to match the URLs.
Also, choose if the matches are case-sensitive.

Select the policies to


update

You can add the discovered URLs to the blacklists or whitelists for one or more
of the available policies where URL reputation has been enabled.

Scheduled Reports
Use this page to see a list of the available reports about threats that the appliance has detected.

Reports | Scheduled Reports


You can view the reports, send reports immediately to other people, or schedule reports to be sent at
regular intervals.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

77

Overview of Reports features


Scheduled Reports

Benefits of creating scheduled reports


Use scheduled reports to keep up to date with vital threat detection statistics and system activity, and
to share that information.
The Scheduled Reports option has some default report types already set up for you, or you can customize
their content or frequency, or even create new report types as necessary. The resulting reports can be
sent by email immediately, or at regular intervals to other people in your organization in a variety of
formats, such as PDF, HTML, or text.
You must enable the default reports to run automatically. To do so, select the report type from the list of
available reports, and click Edit. In the Edit Report dialog box, select Enable scheduled delivery.

Table 3-5 Report types


Option

Definition

Overview

Lists the number of detections by protocol, and type of threat, and provides details
about the types of detection made per protocol.

Email

Email security summary (inbound) shows the percent and number of messages to internal
users that were delivered or blocked because a threat was detected.
Email security summary (outbound) shows the percent and number of messages to external
users that were delivered or blocked because a threat was detected.
Email traffic flow provides information relating to the flow of messages into and out of
the organization.
Email security trend.
Email volume trends (inbound and outbound) provides information relating to the amount of
messages coming into and going out of the organization.
Email size trends (inbound and outbound) provides information relating to the size of the
messages coming into and going out of the organization.
Average number of emails displays the average number of messages sent into or out of
the organization for one or more days.
Users activity lists internal or external users who send or receive the most blocked or
monitored messages.
Top detections lists top viruses, potentially unwanted programs, spam or phish
detections, and sender authentication failures.

Favorite

78

Click Edit to choose from a list of pre-defined report types for email and system
reports, and to optionally send the report to other people in your organization daily,
weekly, or monthly. Any new favorite reports that you created in the Email Interactive
Reports section are available from here, too.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Scheduled Reports

Table 3-5 Report types (continued)


Option

Definition

Dashboard

Allows you to select information that is displayed in the dashboard portlets.


Select the information to include:
Inbound Mail lists all inbound mail activity, broken out into various categories, such as
plain text, encryption method used, information about messages quarantined,
bounced, queued and blocked, detection types triggered and information about the
senders, connections and email recipients.
Outbound Mail lists all outbound mail activity, broken out into various categories, such
as plain text, encryption method used, information about messages quarantined,
bounced, queued and blocked, detection types triggered and information about the
senders, connections and email recipients.
Services lists information about the software services provided.
SMTP Detections lists information about SMTP detections made.
POP3 Detections lists information about POP3 detections made.
Network Summary shows network connections, kernel mode blocking statistics and total
throughput.
System Summary Shows the status of the services, network and hardware.
Hardware Summary provides information about your hardware, including information
about the mode of operation, the network interfaces, information relating to the
hardware modules, RAID and UPS status.
Clustering provides information about your McAfee Email Gateway cluster.

Inbound Mail

Lists all inbound mail activity, broken out into various categories, such as plain text,
encryption method used, information about messages quarantined, bounced, queued
and blocked, detection types triggered and information about the senders, connections
and email recipients.

Outbound Mail

Lists all outbound mail activity, broken out into various categories, such as plain text,
encryption method used, information about messages quarantined, bounced, queued
and blocked, detection types triggered and information about the senders, connections
and email recipients.

Services

Lists information about the software services provided.

SMTP
Detections

Lists information about SMTP detections made.

POP3 Detections Lists information about POP3 detections made.


Network
Summary

Shows network connections, kernel mode blocking statistics and total throughput.

System
Summary

Shows the status of the services, network and hardware.

Hardware
Summary

Shows information about your hardware, including information about the mode of
operation, the network interfaces, information relating to the hardware modules, RAID
and UPS status.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

79

Overview of Reports features


Scheduled Reports

Table 3-5 Report types (continued)


Option

Definition

Clustering

Shows information about your McAfee Email Gateway cluster.

Attachment
Profiling

Shows a variety of information about attachments detected in your email traffic,


including reporting period, attachment type, numbers of attachments, and so forth.
If Attachment Profiling is disabled, a dialog box informs you and provides a link to
enable it.

The report includes information about the number of attachments sent to ATD if it is
enabled, or that would be sent if ATD were enabled. Administrators can use this data
to assess deployment of ATD servers.

Option definitions Scheduled Reports


Use this information to learn about the options available for the Scheduled Reports from within the
user interface.
Option

Definition

Name

Displays the name of the report. By default, the list includes some standard reports,
which you cannot delete.
The icon indicates the type of content in that report:
Overview, such as numbers of overall detections.
Email activity
System activity such as disk usage.
A choice of popular reports.

Description

Displays the title that appears on the first page of the report, the scheduling
information, and a list of the recipients.

Download

When clicked, generates the report, then allows you to download it for viewing in a
browser or saving as a file.

Email Now

When clicked, generates the report, then immediately sends it to the recipients. Any
regular schedule is not affected.
If the icon is disabled, the schedule has not been set. Double-click the icon, then
specify the details under Delivery Schedule.

New report

When clicked, lets you create a new report, which is an exact copy of an existing
report. A dialog box prompts you for further information:
Report name, which appears under the Name column on this page.
Report title, which appears at the top of the report.
When you click OK, you return to the main page. There you can select the new report,
click the icon under Edit, and design your own report.

Edit
Delete

80

When the icon is clicked, enables you to change the schedule, content, format and
delivery information of the selected report.
When the icon is clicked, deletes the selected report.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Scheduled Reports

Task See the number of detections by protocol and threat


type over the last week
Use this task to create a scheduled report to see the number of detections by protocol and threat type
over the last week.
Task
1

Select Reports | Scheduled Reports.

From the list of report types, select Overview, and click Edit.

In the Edit Report dialog box, set the Reporting period to 1 week.

Click OK, and apply the changes to the appliance.

Click Download to generate the report.

Task Send your manager an email activity report in PDF


format every Monday at 10.00am
Use this task to send a PDF version of an email activity report at a specific time and day each week, to
a nominated person.
Task
1

Select Reports | Scheduled Reports.

From the list of report types, select Email, and click Edit.

In the Edit Report dialog box, click Enable scheduled delivery.

Set the Report sent option to Weekly and choose Monday from the drop-down menu.

Click New Recipient, type myboss@examplecompany.com.

Click OK, and apply the changes to the appliance.

Task Download a report in .csv format for further processing


To enable further processing of information from your McAfee Email Gateway, export your report
in .csv format.
Task
1

Select Reports | Scheduled Reports.

From the list of report types, select Favorite, and click Edit.

In Delivery schedule, ensure that Enable scheduled delivery is unselected.

In Report content, select the information that you want to appear in the .csv formatted file. For
example, select Email reports and Top Spam Senders (last 24h).

In Advanced options, select CSV as the Document format. Configure other options to suit your
requirements.

Click OK, and apply the changes.

Click Download.

Click on the link to download the file to your local computer.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

81

Overview of Reports features


Scheduled Reports New Report dialog box

Task Send the email administrator a report that shows virus


detections in email messages over the last week
Use this task to send a report to a specific person showing all virus detections found within email
messages in the last week.
Task
1

Select Reports | Scheduled Reports.

From the list of report types, select Favorite, and click Edit.

In Sender and recipient details, type emailadministrator@examplecompany.com.

Select Report content, and select the Top Viruses report.

Click OK, and apply the changes.

Click Email Now.

Scheduled Reports New Report dialog box


Use this information to understand the options available when creating a new report.
Option

Definition

Name

Type a name for the new report that you are creating.

Title

Use the Title field to enter a descriptive title for the new report.

Use template

Select the template that you want to use as the basis of the new report.

Scheduled Reports Edit Report dialog box


Use this information to understand the options available when editing the specification for an existing
report.
Table 3-6 Option definitions Delivery schedule
Option

Definition

Enable scheduled delivery

When selected, reports are delivered according to the configured options.

Report sent to At

Use Daily, Weekly, Monthly and At to specify how often, and at what time, you
want the scheduled report to be delivered.

Reporting period

Select the time period that you want covered by the report.
(Attachment Profiling only) Select the checkbox to choose the preconfigured
options or to set the beginning and ending dates for the reporting period.
For Period, the available options are:
Today (default option)

2 weeks

Previous day

1 month

1 week
For Date, click the calendar icons for From and To, and select the dates you want
to include.
If the mail database is empty, only the current date is available.

82

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Scheduled Reports Edit Report dialog box

Table 3-6 Option definitions Delivery schedule (continued)


Option

Definition

Granularity
From the drop-down list, select the time period to include in each line of the
(Attachment Profiling report. Options are:
only)
1 hour
12 hours
3 hours

1 day

6 hours

7 days

Granularity selections might be limited based on the reporting period you


configure. This limitation prevents users from generating extremely
demanding reports, such as a one-month report with a granularity of one
hour.

Use the postmaster


address as the sender

Select to use the postmaster address as the sending address for the
scheduled reports.

Sender address

To use a sender address different than the already configured postmaster


address, enter an address here. Make sure you deselect Use the postmaster address
as the sender.

Recipients

The list of email addresses to which the scheduled reports are to be sent.
Click New Recipient to specify new addresses.

Table 3-7 Option definitions Report content


Option

Definition

Title

Specify the title for the scheduled report you are creating.

Include these reports Select the information to be included in the scheduled report. The available options
change depending on the type of report (Overview, Email, or System report.)
Header

Enter text that you want displayed on the header of the report.

Footer

Enter text that you want displayed on the footer of the report.

Table 3-8 Option definitions Advanced options


Option

Definition

Document format

Select your required format for the scheduled report.

Paper size

Select the paper size for the scheduled report.

Character set

Select the character set for the scheduled report.

Message subject

Enter the subject line that you want to appear on the email containing
the scheduled report.

Message body text

Enter the body text for the email message containing the scheduled
report.

Generate unique file names

Select this option to ensure that each scheduled report has a unique file
name.

Attachment file name

To specify the name of the attachment file containing the scheduled


report, unselect Generate unique file names and then enter the required file
name.

Maximum number of items in a list Specify the maximum number of items that you want to appear in each
list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

83

Overview of Reports features


Email Reports

Email Reports
Use this page to create and view real-time reports about threats detected in the email passing through
your Email Gateway, and the subsequent actions taken by the appliance.

Reports | Email Reports


You can generate a report based on a set of predefined filters, or edit the filters, test the results, and
save the report as a new report.

Introduction to the Email Reports page


This information introduces the Email Reports page, found in the Reporting section of Email Gateway.
Email Reports contains several sub-pages, accessed from the tabs beneath Email Interactive Reporting and
Selection.
The following tabs are shown beneath Email Interactive Reporting, each providing different views on a
report's results. See View types:

Total view

Time view

Itemized view

Detail view

There are two pages beneath Selection:

Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See
Report types.

Filter enables you to further define the data in each Favorite report using standard and advanced
filter settings, and set the period of time for which you want to retrieve data. See Filter types.

Benefits of using email reports


This topic discusses the benefits of using the report features of Email Gateway to create and view
reports about email traffic.
To keep your email infrastructure running at optimal levels, you need access to up-to-date information
about threats detected in the email flowing through the appliance. Generate email reports to get
information such as:

Types of threats detected, such as viruses, or spam and phishing messages.

Messages that had to have an action taken upon them.

Messages that were prevented from entering or leaving your network.

Individual sender activity.

Additionally, use the Email Reports feature with the Scheduled Reports feature to create regular
reports, and send them immediately to other people, or at regular intervals.
You can compile a list of, for example, blocked email messages using the Message Search feature
(Reports | Message search). Message Search cannot locate messages if the appliance has not received the
message body, such as messages blocked by the Real-time Blackhole Lists (RBLs). In this situation, use
the Email Reports feature to find out about an individual message.

84

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Email Reports

Types of Email reports


Information on the types of email reports that you can find within the Reports area of the user
interface are discussed.
The appliance comes with a set of reports with pre-defined filters available from the Favorites tab. You
can run these reports immediately, or edit them using standard and advanced settings and save as a
new favorite report to run again in the future, then make it available in the Scheduled Reports feature.
To see the default settings in each report, hold your mouse cursor to the left of a report name.

Table 3-9 Option definitions


Option

Definition

Email Overview

Displays results in Total view by default. Results show the number of legitimate,
monitored, modified, rerouted, or blocked messages processed over the previous
day.

Email Profile

Displays results in Itemized view by default. Results show the number of items detected
for each filter selection over the previous week.

Top Spam Senders Displays results in Itemized view by default. Results are filtered using the Spam/
Phish category by default, and show the spam or phish (or both) messages by sender
over the previous 24 hours.
Top Viruses

Displays results in Itemized view by default. Results are filtered using the Viruses
category by default, and show the viruses detected over the previous week, or
results for a specific threat that you specify.

Legitimate

Displays results in Time view by default. Results show the number of messages
categorized as Legitimate (that is, delivered with no detection or modification) for all
threat categories over the previous 24 hours.

Monitored

Displays results in Time view by default. Results show the number of messages for all
threat categories over the previous 24 hours that triggered an event log but were
delivered with no modification.

Modified

Displays results in Time view by default. Results show the number of modified
messages (for example, cleaned or replaced with an alert message) for all threat
categories over the previous 24 hours.

Rerouted

Displays results in Time view by default. Results show the number of messages routed
to another server (for example, an encryption server) for all threat categories over
the previous 24 hours.

Blocked

Displays results in Time view by default. Results show the number of inbound or
outbound messages stopped by the appliance for all threat categories over the
previous 24 hours.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

85

Overview of Reports features


Email Reports

Types of Email report views


The Email Gateway reporting system uses different views of the available data, to enable you to select
the view best suited to your needs.
Each report that you generate can be presented in one of the following views:
Type of Definition
View
Total view

Reports | Email Reports | Email Interactive Reporting | Total View


The information is displayed in a horizontal bar chart. If you see no information, click Apply
on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help
button (?).

Action Displays the list of actions taken by the appliances policies against each email
message or web access.
Number of email messages Displays the number of email messages or web accesses where
this action was applied.
Time view

Reports | Email Reports | Email Interactive Reporting | Time View


Displays results in a bar chart and table format over the time specified. Results are shown
in periods of ten minutes for hourly reports, by the hour for 24 hour reports, every six
hours for weekly reports, twelve hours for fortnightly reports, or daily for monthly reports.
The information is displayed in a vertical bar chart, and organized into small intervals. For
example, a weekly report shows activity in whole 6-hour portions of each day. If you see no
information, click Apply on the Filter tab, or change the period and click Apply.
You might not be able to view some older data, because the appliances log is regularly
purged.

For information about the Filter or Favorites section on the right, click its tab, then
click the Help button (?).
Start Displays the start of the period, such as on the hour.
Legitimate to Blocked Displays the numbers of email messages or web accesses
corresponding to each action in that period. If Action is not set to All, most columns have
values of 0.

86

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Email Reports

Type of Definition
View
Itemized
view

Reports | Email Reports | Email Interactive Reporting | Itemized View


The information is displayed in a pie chart and table format for each filter criteria, or for all
filters.
If you see no information, click Apply on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help
button (?).

Pie chart Displays the percentage of all email or web accesses that match the criteria
selected in the Filter tab.
The orange portion of the pie shows the portion of the data that matches the criteria. The
green portion shows the remainder. If no filtering is set, the whole pie appears orange.
Filter criteria Displays the list of categories taken against the email message or web
access. Click any blue link for more information represented as a bar chart.
To return to the pie chart, click List all criteria. To examine the information further, click any
blue links.
As you click each link, values in the Filter tab are updated. Click Apply to display the pie
chart again.
Number of distinct criteria items within the selection Displays the number of email messages or
web accesses where each criteria applies.
Detail view

Reports | Email Reports | Email Interactive Reporting | Detail View


Displays all results in a table format. Results are shown for each detection in the report
results.
Information includes any threat in the email messages or IP addresses. The information is
displayed in a table.
If you see no information, click Apply on the Filter tab, or change the period and click Apply.
For information about the Filter or Favorites section on the right, click its tab, then click the Help
button (?).

Date and other headings Displays the details of each email message or web access.
To see all columns, move the horizontal scroll bar.
To sort the data in any column, click the column heading. The most recently sorted
column is indicated by a red arrow in the column heading.
Data Click the blue link to see further information about an email message in a table
or as raw data (that is, in an XML-like format).
To move through the list or to move quickly to either end of the list, click the arrows at
the bottom right of the list.

Types of email report filters


To assist you finding the information you require, you can select filters to display more specific detail
within the Email Reports.
Reports | Email Reports | Selection | Filter

McAfee Email Gateway 7.6.400 Appliances

Product Guide

87

Overview of Reports features


Email Reports

Each report allows you to filter the results by standard and advanced criteria. For example, you can
see information about viruses from all sources in the last month. Make your selections, then click
Apply. The new report might take a while to appear. You can save these selections to produce a similar
report at any time. or clear the selections you made.
Table 3-10 Option definitions Email Reports filter options
Option

Definition

Period and
Ending

Displays information for a period from one hour to one month, based on the selected
start date.
When clicked, the Previous and Next buttons adjust the From date, for example, moving it
to next week or the previous day.

Protocol

Displays the protocols you want to view, such as SMTP.

Traffic

Displays traffic, whether inbound, outbound or both.


In a simple network, you might see reports on compliance for outbound traffic and
reports on spam for inbound traffic.

Sender

Displays information about one sender, such as user@example.com


When selected, the advanced options, Source domain and Source ID, further specify the
sender's domain or IP address, such as server1.example.com and 192.168.254.200.
Examples:
To view information about one sender or recipient, type:
<user@example.com>
The name is wrapped with chevron characters.

To view information about all senders' names that begin with b or B, type:
<b*
To view information about all senders' names that begin with b, B, e, or E, type:
<b*, <e*
Recipient

Displays information about one recipient, such as user@example.com


When selected, the advanced options, Destination domain and Destination ID, further
specify the recipient's domain or IP address, such as server1.example.com and
192.168.254.200.
Examples:
To view information about one sender or recipient, type:
<user@example.com>
The name is wrapped with chevron characters.

To view information about all senders' names that begin with b or B, type:
<b*
To view information about all senders' names that begin with b, B, e, or E, type:
<b*, <e*

88

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


Email Reports

Table 3-10 Option definitions Email Reports filter options (continued)


Option

Definition

Action

Enables you to filter reports on specific actions, such as Legitimate or Blocked.


Available actions include:

Category

All

Modified

Legitimate

Rerouted

Monitored

Blocked

Displays information about a single type of detection, such as spam or virus.


The available options are:
All

Compliance

Viruses

Spam/Phish

PuPs

Data Loss Prevention

Legitimate

Sender Authentication

Advanced Threat Detection

Other

If the selection is not All, you see further options relevant to your selection. For
example, if you select Content, you can further select Mail Size.
Extra categories appear if you have installed any optional software.
Table 3-11 Option definitions Show Advanced options
Option

Definition

Detection

Top Spam Senders report only. Choose whether the report should contain results for
spam senders, phish senders, or both.

Virus/PuPs

Top Viruses report only. Type the name of the virus or potentially unwanted program to
get detection results for that specific threat.

Show Advanced

When clicked, shows the options below.


To hide the options again, click Hide Advanced.

Source Domain

Filter traffic based on the domain that the messages are being sent from.

Source IP

Filter traffic based on the IP address that the messages are being sent from.

Destination Domain Filter traffic based on the domain that the messages are being sent to.
Destination IP

Filter traffic based on the IP address that the messages are being sent to.

Audit ID

As traffic passes through the appliance it can have an Audit ID assigned. Use this
field to filter traffic with a specific Audit ID.

Policy

Provides a selection of policies.

Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you
have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites

McAfee Email Gateway 7.6.400 Appliances

Product Guide

89

Overview of Reports features


Email Reports

Table 3-12 Option definitions


Option

Definition

Name

Displays the name of each report that you have saved.

Run report When clicked, opens the selected report and displays it to the left of the screen.
Edit

Opens the Filter page from where you can change the settings, test the report results, and
save the report criteria into a new favorite report.

Delete

Removes that Favorite report from the list, and from the reports available in Scheduled
Reports.

Task Generate an email activity overview for a particular


sender
Use this task to create an overview of the email activity for a particular sender.
Use this task to:

Create a report that shows global email activity in the previous 24 hours

Filter those results to show the activity of a particular sender

Save the report as a new favorite report to be run again in the future

Set up a schedule to send the report regularly to the email administrator

Task Run a standard email activity report


Create a report that shows global email activity in the previous 24 hours
Task
1

Click Reports | Email Reports.

From the Favorites list, select the Email Overview (last 24h) report.

Click Run report to generate a report for all users.

A report is created that shows the email traffic over the last 24 hours, for all users.

Task Filter the data for a particular sender and save the report as a new
favorite report
Use this task to filter data produced from a global email report to refer to a particular sender.
Additionally, save the new report as a favorite.
Before you begin
Make sure that you have created the report detailed in Task Run a standard email
activity report .
Task
1

Click Filter.

In Sender, type sender@examplecompany.com and click Apply to filter the data for that sender.

Click Save, type a name for the report, and click OK.

The report appears in the list of Favorites.

90

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


System Reports

Task Set up a schedule to send the report regularly to the email


administrator
Use this task to set up a schedule to regularly send a report to the email administrator.
Before you begin
Make sure that you have created the report detailed in Task Filter the data for a
particular sender and save the report as a new favorite report .
Task
1

Click Reports | Scheduled Reports.

In the list of available report documents, select Favorite, and click Edit.

Select Enable scheduled delivery, and set the report to run Daily at 17:00 hours.

Type the email administrator address.

Click Report content.

In the list of favorite reports, select the report that you created, click OK, and apply the changes to
the appliance.

The selected report is send each day at 17:00 hours to the specified email administrator.

Task Show me the total viruses detected over the previous


week
Use this task to show the total number of viruses detected in the previous week, and analyze the data
using different report views.
Task
1

Click Reports | Email Reports.

From the Favorites list, select the Top Viruses report, and click Filter.

Click Apply to run the report.

Select Time view to see the action that was taken on each message broken down into eight hour
periods.

Select Detail view to see further information such as policy details, and the source IP address for each
message.

The required report, showing the total number of viruses detected in the previous week, is generated.

System Reports
Use this page to create and view real-time reports about threat detection updates, and system events.
Reports | System Reports
You can generate a report based on a set of pre-defined filters, or edit the filters, test the results, and
save the report as a new report.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

91

Overview of Reports features


System Reports

Introduction to the System Reports page


This information introduces the System Reports page, found in the Reporting section of Email
Gateway.
System Reports contains several sub-pages, accessed from the tabs beneath System Interactive Reporting and
Selection.
Under System Interactive Reporting is a detailed view of the report results that tells you the type of update
made, when it ran, and whether it was successful. Data shows the update number so you can check
with the McAfee website that you're running the most up-to-date threat detection files available.
There are two pages beneath Selection:

Favorites enables you to choose a report with pre-defined filters, and generate it immediately. See
Report types.

Filter enables you to further define the data in each Favorite report, and set the period of time for
which you want to retrieve data. See Filter types.

Benefits of using system reports


This topic discusses the benefits of using the report features of Email Gateway to create and view
reports about system events.
Keeping up-to-date with McAfee threat detection updates is vital to the continued and successful
running of your organization. Generate system reports to get information about threat detection files
update status, user logon statistics, and network and hardware status .
Additionally, use the System Reports feature with the Scheduled Reports feature to create regular
reports, and send them immediately to other people, or at regular intervals.

Types of System reports


Information on the types of system reports that you can find within the Reports area of the user
interface are discussed.
The appliance comes with a set of reports with pre-defined filters available from the Favorites tab. You
can run these reports immediately, or edit them, and save as a new favorite report to run again in the
future, then make it available in the Scheduled Reports feature.
To see the default settings in each report, hold your mouse cursor to the left of a report name.

Table 3-13 Option definitions


Option

Definition

Anti-Virus Updates (last


24h)

Displays results in Detail view by default. Results show the type of update
(anti-virus, spam rules, or URL filtering definitions), when it was made, the
results, and reference number associated with the update file

Anti-Virus Updates (last


week)

Displays results in Detail view by default. Results show the type of update
(anti-virus, spam rules, or URL filtering definitions), when it was made, the
results, and reference number associated with the update file

Types of System report views


Use this page to see the details of system updates or detection file updates.
Reports | System Reports | System Interactive Reporting | Detail View
If you see no information, click Apply on the Filter tab, or change the period and click Apply.

92

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Reports features


System Reports

For information about the Filter or Favorites section on the right, click its tab, then click the Help button
(?).
Table 3-14 Option definitions
Option

Definition

Interactive
reporting Detail
view

Date Displays the details of each email message or web access.


To see all columns, move the horizontal scroll bar.
To sort the data in any column, click the column heading. The most recently sorted
column is indicated by a red arrow in the column heading.
Data Click the blue link to see further information about an email message in a
table or as raw data (that is, in an XML-like format).
To move through the list or to move quickly to either end of the list, click the
arrows at the bottom right of the list.

Types of System report filters


To assist you finding the information you require, you can select filters to display more specific detail
within the System reports.
Reports | System Reports | Selection | Filter
Each report allows you to filter the results.
Table 3-15 Option definitions System Reports filter options
Option

Definition

Period and Ending Displays information for a period from one hour to one month, based on the
selected start date.
When clicked, the Previous and Next buttons adjust the From date, for example,
moving it to next week or the previous day.
Event type

Displays reports about particular event types. For example, issues concerning the
Network.

Event

Select individual events based on the chosen Event type.

Reason

Select individual reasons based on the chosen Event.

Favorite reports
Use this page to run an existing favorite report immediately, or build a list of links to reports that you
have already saved.
Reports | Email Reports | Selection | Favorites
Reports | System Reports | Selection | Favorites
Table 3-16 Option definitions
Option

Definition

Name

Displays the name of each report that you have saved.

Run report When clicked, opens the selected report and displays it to the left of the screen.
Edit

Opens the Filter page from where you can change the settings, test the report results, and
save the report criteria into a new favorite report.

Delete

Removes that Favorite report from the list, and from the reports available in Scheduled
Reports.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

93

Overview of Reports features


System Reports

Task Generate a report that shows all threat detection


updates
Use this task to show all updates to the threat detection files on your Email Gateway.
Use this task to:

Run a report that shows all updates that took place in the last week

Filter the results to show only the URL filter updates that failed

Save the report as a new favorite report to be run again in the future

Task
1

Click Reports | System Reports.

From the Favorites list, select the Anti-Virus Updates (last week) report.

Click Run report to generate a report for all updates.

Click Filter.

In Event, select URL filter update failed, and click Apply to filter the data accordingly.

Click Save, type a name for the report, and click OK.

The report appears in the list of Favorites.

94

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu

This section of the online help topic provides an overview of the Email features and controls within
your Email Gateway appliances.

Email
Contents
Life of an email message
Email Configuration overview
Email Policies
DLP and Dictionaries overview
Encryption
Certificate Management
Hybrid configuration
Group Management
Add Directory Service wizard
Quarantine Configuration

Life of an email message


Use this topic to understand how the appliance processes the email messages that it receives.
The appliance handles an email message according to:

Who sent the email message.

Who will receive the email message.

The content of the email message.

On receiving an email message, the appliance processes it in the following order:


Email message
processing order

Kernel mode blocking

Permit and Deny Lists

CONNECT

Permit Sender [Connection]

Permit and Deny Lists

Deny Sender [Connection]

Permit and Deny Lists

Real-time Blackhole Lists


(RBL)

Sender Authentication Settings RBL


Configuration

Permit Sender

Permit and Deny Lists

Deny Sender

Permit and Deny Lists

EHLO/MAIL
FROM

Bounce Address Tag Validation Bounce Address Tag Validation

McAfee Email Gateway 7.6.400 Appliances

Product Guide

95

Overview of Email menu


Life of an email message

RCPT TO

DATA

SPF (Sender Policy


Framework)

Sender Authentication Settings SPF Sender ID


and DKIM

Address Masquerading

Address Masquerading (SMTP)

Anti-Relay

Anti-Relay Settings

Greylisting

Recipient Authentication

Address Aliasing
(Masquerading)

Address Masquerading (SMTP)

Permitted Recipient list

Recipient Authentication

LDAP recipient check

Recipient Authentication

Directory Harvest Prevention

Recipient Authentication

RBL

Sender Authentication Settings RBL


Configuration
If behind an MTA.

SPF

Sender Authentication Settings SPF Sender ID


and DKIM
If behind an MTA.

McAfee Global Threat


Intelligence message
reputation

Sender Authentication Settings McAfee Global


Threat Intelligence message reputation
The McAfee Global Threat Intelligence message
reputation score is also passed to the
anti-Spam engine, where it is used to
supplement the spam scores for the email
message being scanned.

Sender ID

Sender Authentication Settings SPF Sender ID


and DKIM

Domain Keys Identified Mail


(DKIM)

Sender Authentication Settings SPF Sender ID


and DKIM

Anti-spam

Anti-Spam Settings - Basic Options

Scanning
Anti-Spam Settings - Advanced Options
Anti-Spam Settings - Blacklists and Whitelists
Anti-phish

Anti-Phish Settings

Mail size filter

Mail Size Filtering Settings - Message Size


Mail Size Filtering Settings - Attachment Size
Mail Size Filtering Settings - Attachment Count

96

Encrypted / Signed content


check

Signed or encrypted content Settings

Corrupt content

Content Handling Settings - Corrupt or Unreadable


Content

Encrypted content

Content Handling Settings - Corrupt or Unreadable


Content - Protected files

HTML check

Content Handling Settings - HTML Options

Compliance

Compliance Settings

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Anti-virus [Including McAfee


Global Threat Intelligence file
reputation, PUPs, Packers]

Anti-Virus Settings - Basic Options


Anti-Virus Settings - McAfee Anti-Spyware
Anti-Virus Settings - Packers
Anti-Virus Settings - Custom Malware Options

DLP

Data Loss Prevention Settings

Image filtering

Image Filtering Settings

File filter

File Filtering Settings

Delivery
Proxy Mode

Domain Relay
DNS
Fallback relay

Transparent
Mode
When passing through the scanning stage, the next step that the email message takes depends on the
scanners that are triggered and the primary actions defined for each scanner.

Primary actions are prioritized as follows:

Deny connection

Replace

Refuse

Allow through

Accept and drop

For example, consider the following circumstances:

The appliance scans an email message and triggers against both a virus and spam. The anti-virus
scanner is configured to block on detection, whereas the anti-spam scanner is configured to block.
In this situation, the appliance will report the email message as containing viral content, as this is
the highest-priority primary action.

The appliance scans an email message and again triggers against both a virus and spam. However,
this time, both the anti-virus and the anti-spam scanners have their primary actions set to block.
In this case, the appliance will report the anti-spam trigger anti-spam scanning occurs before
the anti-virus scanning but, as both scanners are configured with the same priority primary
action, this will also be reported as containing viral material.

Email Configuration overview


Use these topics to understand the email protocol configuration, receiving email and sending email
pages within the Email Gateway user interface.

Email | Email Configuration


From the Email Configuration pages, you can configure features such as your protocol setting for SMTP
and POP3 email messages, Anti-relay settings, Recipient authentication, Permit and deny lists, as well
as other areas such as DKIM signing, delivering email domains and fallback relays.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

97

Overview of Email menu


Email Configuration overview

Contents
Protocol Configuration
Option definitions Protocol Presets dialog box
Option definition - New Protocol Preset
Receiving Email
Sending Email
Sending Email Add Relay List dialog box and Add MX Lookup dialog box
Anti-Relay Settings Add Relay Domain dialog box and Add MX Lookup dialog box

Protocol Configuration
The Protocol Configuration tab within Email Configuration enables you to configure settings that are
protocol-dependant.

Email | Email Configuration | Protocol Configuration


Further tabs enable you to configure connection and protocol settings for both SMTP and POP3
protocols, as well as to configure address masquerading and transport layer security for your SMTP
protocol.
Contents
Connection Settings (SMTP)
Protocol Settings (SMTP)
Address Masquerading (SMTP)
Connection and Protocol Settings (POP3)

Connection Settings (SMTP)


The Connection Settings (SMTP) page links to configuration areas that set up settings for SMTP
connections on the appliance, such as ports, warning thresholds and timeouts.

Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP)

Basic SMTP settings


Use this area to specify basic connection settings for the SMTP protocol, such as port numbers.

Email | Email Configuration | Protocol Configuration | Connection Settings (SMTP) | Basic SMTP settings
Changing these settings can affect scanning performance. If you are not sure about the impact of
making changes, ask your network expert.

Table 4-2 Option definitions


Option

Definition

Enable the SMTP


protocol

When deselected, ignores any SMTP traffic. Other traffic is not affected.

Listening ports

Specifies a port number.


The default value is 25.

98

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Table 4-2 Option definitions (continued)


Option

Definition

Transparent interception Specifies a port number.


ports
The default value is 25.
Secure ports

Specifies the type of port. The default value is 465.


SMTPS uses a secure port.
Click these icons and the port headings to reveal icons for managing the port
information:

Indicates the port number.


Indicates the traffic that is intercepted.
Indicates a period when traffic is not scanned.
Enable reverse DNS
lookups

When selected, enables the appliance to perform lookups. Default value is Yes.

Append appliance
domain name for DNS
lookups

If you encounter issues with non-delivery of sent email messages routed using
DNS lookups to recipients using legacy email systems, select this option.

Take care if deselecting this setting. If you deny reverse DNS lookups, some
functions might fail.

Selecting this option appends the domain name of the appliance (for example:
appliance.domain.test) to the domain details found within the message. So, if a
message is sent to user@recipientdomain.test, the appliance carries out DNS
lookups for both recipientdomain.test.domain.test and recipientdomain.test.
This option is disabled by default.
Appending appliance domain names to the DNS lookups is known to cause issues
with DNS systems configured with wildcard records.

Timeouts
Use this area to specify the timeouts that apply to the SMTP conversations.
These settings are configured by default to provide the best SMTP performance with most appliances
and network configurations. Changing these settings can affect performance. If you are not sure about
the impact of making any changes, ask your network expert.

Protocol preset
Select the required protocol preset, or create a new preset, using the drop-down list and button to the
right of the page.

Maximum wait times when receiving email


Specifies how long the appliance waits for responses from the mail server that sends the email
message.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

99

Overview of Email menu


Email Configuration overview

Option

Definition

Between commands

The default value is 60 seconds.

Between receiving chunks of data

The default value is 180 seconds.

Acknowledgment of all the data

The default value is 360 seconds.

Maximum wait times when sending email


Specifies how long the appliance waits for responses from the mail server that receives the email
message.
Option

Definition

Establishing a connection

The default value is 60 seconds.

Response to a MAIL command

The default value is 60 seconds.

Response to a RCPT command

The default value is 60 seconds.

Response to a DATA command

The default value is 60 seconds.

Between sending chunks of data

The default value is 180 seconds.

Acknowledgment of the final dot

The default value is 300 seconds.

SMTP conversation logging


Learn about enabling SMTP conversation logging.
Option

Definition

Enable SMTP conversation logging Select to produce a log of performed scans. These logs are available
from Reports | Message search.

100

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option definitions Attachment identification


Enable attachment identification to use Message Search to find messages containing attachments.
Table 4-3 Option definitions
Option

Definition

Enable attachment identification

Select the checkbox to configure Email Gateway to carry out


additional scanning of email messages to identify attachments
contained within the messages.

Email Gateway cannot obtain


attachment information from
the following file types:

CAB files

After attachment identification is enabled, you can use Message


Search to view details or search for attachments contained in
email messages.

BZIP-compressed files

Search options:

Password-protected files

Maximum number of attachments Type a number to limit the


number of attachments identified in each message.

Encrypted files

Enable identification of archive contents

No limit Select the checkbox to allow detection of unlimited


attachments.
Select the checkbox to configure McAfee Email Gateway to
identify files inside archives that are attached to the email
message.
Search options:
Maximum nesting depth Type the number of nesting layers for
which attachment identification is attempted in each
message.
No limit Select the checkbox to allow identification of the
contents of unlimited nesting levels.
If an archive attachment includes non-English filenames that
do not display correctly within Message Search, change the Default
decode character set options from Email | Email Policies | Policy Options
| Content handling | Email Options | Advanced Options.

Enable attachment checksum calculation

Select the checkbox to configure McAfee Email Gateway to


calculate MD5 checksum for each attachment.
Options:
Maximum number of checksums to calculate type a number to set
the maximum number of attachments for which checksums
are calculated. Select the No limit checkbox to allow checksums
for any number of attachments.
Maximum attachment size type a number to set the maximum
file size for each attachment for which checksums are
calculated. Select the No limit checkbox to allow checksums for
attachments of any size.
Email Gateway sends the checksums to syslog with the other
existing information about attachments.

Enable identification of file formats for


attachment profiling

Select the checkbox to configure McAfee Email Gateway to


identify file formats for all attachments.
Enable identification of file formats to ensure that the formats
of all attachments are included in attachment profiling. Email
Gateway identifies file format as needed, based on appliance
configuration.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

101

Overview of Email menu


Email Configuration overview

Unscannable content options


Some content can prevent scanners from completing their scan, potentially resulting in scans being
continuously retried and always failing.
Table 4-4 Option definitions
Option

Definition

Enable detection of unscannable content

To prevent unscannable content from tying up resources by


continually being rescanned, enable detection.

Maximum number of failed scan attempts

Configure the number of times that a scan is attempted before


the system marks the message as unscannable. The default is 5
attempts.

Period before content previously detected


as unscannable can be rescanned

Configure the time before another scan of the same email


message is attempted. The default is 24 hours.

Protocol Settings (SMTP)


The Protocol Settings (SMTP) page links to areas to allow you to configure settings for the SMTP
protocol on the appliance.

Email | Email Configuration | Protocol Configuration | Protocol Settings (SMTP)

Data command options


Use this area to specify how the appliance responds during the DATA phase when handling SMTP
email.
Table 4-5 Option definitions
Option

Definition

Maximum message data size

Specify the maximum size of message data in kilobytes. Setting this


option prevents excessively large email data from being processed by
the appliance. By default, no limit is set.

Maximum length of a single line

Specify the maximum length of a line within the message data. Setting
this option prevents data with excessively long line lengths from being
processed by the appliance. By default, no limit is set.

Maximum number of hops

Specifies the maximum number of hops allowed, that is, the maximum
number of Received lines allowed in the email header.
Default value is 100.

102

If these limits are exceeded

Specifies how the appliance responds. Default value is Close the connection.

Maximum line length before the


message is re-encoded

By default, no limit is set.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Denial of service protection


Use this area to specify how the appliance prevents possible denial-of-service attacks on your mail
server.
Table 4-6 Option definitions
Option

Definition

Minimum data throughput

Prevents an average data throughput that is too low. An attacker might


deliberately handle parts of the SMTP conversation slowly.
Default value is No lower limit.

Maximum number of trivial


commands

Prevents the appliance receiving too many trivial commands before a


successful DATA command. An attacker might repeatedly send commands
like HELO, EHLO, NOOP, VRFY, and EXPN.
Default value is 100.

Maximum number of AUTH


attempts

Prevents too many AUTH conversation attempts. (Transparent Bridge


mode only). The SMTP AUTH command is a request to the email server
for an authentication mechanism.
Default value is No limit.

Maximum command length

Prevents excessive command length. This might be a buffer-overflow


attack. According to RFC 2821, the maximum total length of a command
line including the command word and the CR-LF is 512 characters.
Default value is 999.

Maximum duration of an SMTP


conversation

Limits the time between opening the connection and receiving the final
dot (.) command.
Default value is No limit.

Allow null senders

Accepts an empty From address.


Default value is Yes.

Reject recipient if the domain is


not routable

Default value is No.

Maximum number of recipients


Prevents an excessive number of recipients. During spam or
before a failure response is given directory-harvest attacks, the number of recipients often exceeds the
number who typically receive company-wide messages. When setting a
number here, consider that typical maximum, then add some more to
allow for possible increases. Consider changing this number if the
network is reconfigured or the typical maximum changes.
Default value is No limit.
Maximum number of recipients
before a delay is imposed

Prevents an excessive number of recipients.

Delay period

Specifies a period before connections may resume.

Default value is No limit.


Default value is Not set.

Impose a lockout period

Specifies a delay to prevent an immediate reconnection.


Default value is 600 seconds.

Generate non-delivery reports for Default value is Yes.


undeliverable email

McAfee Email Gateway 7.6.400 Appliances

Product Guide

103

Overview of Email menu


Email Configuration overview

Message processing
Use this area to configure message processing options within the SMTP protocol.
Table 4-7 Option definitions
Option

Definition

Welcome message

Specifies the text that is seen by a host when connecting to the appliance in
Explicit Proxy mode.
By default, this message is empty.

Store and forward email Always Selecting the check box causes Email Gateway to queue all messages
for delivery at a later time.
When the message size exceeds Messages which exceed the specified size limits will
always be accepted and queued by the appliance before onward delivery is
attempted. Default value: no limit.
When the number of recipients exceeds Messages which exceed the specified number
of recipients will always be accepted and queued by the appliance before onward
delivery is attempted. Default value: no limit.
Messages below the specified limits will have delivery attempted immediately.
Maximum number of
MX records used

Specifies the response to messages that use MX (mail exchange) records


excessively.
Default value is 100.

Maximum number of A
records used

Specifies the response to messages that use A (address) records excessively.


Default value is 100.

Advanced options
Use this section to specify further settings for message processing. You do not normally need to
change the settings.

Table 4-8 Advanced options


Option

Definition

Port for SMTP communications

Specifies the usual port number.


The default port number is 25.

Maximum number of policies per email

Limits the number of policies that can be applied to each email


message. A larger number can affect scanning performance.
Default number is 5.

Add a Received header to email

Adds Received (RCPT) commands to the email headers.


Default value is Yes.

Add the IP address of the connecting


server to the Received header

If you prefer that the IP address of your server is not made


available, deselect this feature.
Default value is Yes.

Add the domain name of the


connecting server to the Received
header

If you prefer that the domain address of your server is not made
available, deselect this feature.

A HELO command implies a reset

Forces the HELO command to automatically perform a reset (RSET


command). The RSET command clears the buffers that store data
such as the sender, recipients, and the email message.

Default value is No.

Default value is Yes.

104

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Table 4-8 Advanced options (continued)


Option

Definition

A HELO or EHLO command is required

Forces the use of the HELO or EHLO command in any SMTP


communication. Most SMTP conversations begin with these
commands. You need this feature only if the sender does not use the
command.
Default value is No.
Provides information for troubleshooting. Select only if instructed to
do so. Otherwise performance will be affected.

Dump input email to disk

Default value is No.


Provides information for troubleshooting. Select only if instructed to
do so. Otherwise performance will be affected.

Dump output email to disk

Default value is No.

Transparency options (router and bridge mode only)


Use this area to configure options applicable only in the transparent operating modes transparent
router or transparent bridge mode.
Table 4-9 Option definitions
Option

Definition

Use the welcome


message from the mail
server

Specifies the welcome message that appears when a host using SMTP connects
to an appliance operating in a transparent mode.
When selected, displays the welcome message of the mail server at the other
end of the connection. Prefixes extra text, if specified in the next option.
When not selected, displays the appliance's own welcome message (in the
Message processing section).
Default value is Yes.

Prepend the following


text

Specifies text for the message.

Send keepalives (NOOP


commands) during the
DATA phase and
Keepalive interval

Prevents the connection between the appliance and the onward email server
from timing-out when the appliance is scanning large email messages by
sending a keep-alive command to the destination server. This keeps the
connection alive until the DATA phase from the sending email server to the
appliance has completed. When the data has been transferred to the appliance,
the appliance stops sending the commands and starts the DATA phase between
the appliance and the destination email server. Default value is No.

Default value is to prefix no text.

Specify how often to send the keep-alive (NOOP) commands during the DATA
phase.
Default value of interval is 55 seconds

Advanced options
Use this section to specify further settings for transparency options. You do not normally need to
change these settings.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

105

Overview of Email menu


Email Configuration overview

Table 4-10 Option definitions


Option

Definition

Allow the appliance to Generates additional scanning alerts to warn a network administrator or other
generate additional
users when specific events occur.
scanning alerts
Default value is Yes.
The actions that the appliance takes when one of these events occurs, depends on
which detection was triggered and how the policies have been set up for each
protocol. By default, most secondary actions are not available when the appliance
is operating in a transparent mode. Only the quarantine actions are available by
default.
Allow multiple
policies per email

Allows the use of multiple policies for email messages that have more than one
recipient.
Default value is No.
If an email message has more than one recipient, you can configure the appliance
to allow different policies to apply to each of the recipients. If you do not allow
multiple policies, the appliance applies only the highest priority policy, as defined
by the order of your policies.

Add a Received
header to email

Adds Received (RCPT) commands to the email headers.

Secure conversation
pass-through

Allows TLS or SSL-secured conversations to be passed through the McAfee Email


Gateway without being interrupted.

Default value is Yes.

With this option selected, when the McAfee Email Gateway either receives the
STARTTLS command or a connection is received on a Secure Port (SMTPS), the
connection is passed through to the other email server, allowing a secure
server-to-server connection to be made directly between the client and server
without McAfee Email Gateway scanning or processing the data.
As the TLS or SSL connection is effectively direct between the two email servers,
McAfee Email Gateway cannot scan the secured traffic that is passed through it
using Secure conversation pass-through. Therefore, it is possible that malicious content
could pass undetected through your McAfee Email Gateway and into your network.

ESMTP extensions

Scans features of the Extended Simple Mail Transfer Protocol.


Default values:
Enable ESMTP extensions Yes
DSN (Delivery Status Notification), 8BITMIME (8-bit data transfer), AUTH
(Authentication) Yes
SIZE No

Microsoft Exchange
ESMTP extensions

Prevents scanning of some extensions.


Default values:
X-EPS, X-LINK2STATE, XEXCH50, CHUNKING No
If the appliance operates between two Microsoft Exchange servers, the appliance
must allow these email headers to be exchanged without scanning.

Address parsing options


Use this area to configure options relating to the parsing of email addresses.
You do not normally need to change these settings. Change the settings only if you understand the
possible effects, or you have consulted an expert.

106

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

An email address such as user@example.com has two parts:

The local part is before the @ character user.

The domain part is after the @ character example.com.

Table 4-11 Option definitions


Option

Definition

Maximum length of the local part

Specifies how many characters can be used in the local part.


The RFC limit is 64 characters.
Specifies how many characters can be used in the domain part.

Maximum length of the domain part

The RFC limit is 255 characters.


Allow non-RFC characters in the domain
part

By default, characters outside the ASCII range are not allowed in


an email address.

McAfee Secure Web Mail


Enable policy support for McAfee Secure Web Mail.
Table 4-12 Option definitions
Option

Definition

Advertise McAfee Secure Web Mail When using this appliance to provide encryption services to other
policy support in the EHLO
McAfee Email Gateway appliances, you should enable this option.
response
Use the Protocol presets to ensure that the appliance only advertises
McAfee Secure Web Mail policy support when the connection is coming
from other McAfee Email Gateway appliances.

Address Masquerading (SMTP)


Use the sections on this page to convert the addresses in incoming or outgoing email messages.

Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)


For example:

Send and receive email for general enquiries using an anonymous address such as
info@example.com, instead of one persons specific address.

Redirect email for several people to one person.

Modify the email headers to hide information about your internal domains.

Make modifications to the From address and sender headers of outgoing email under Sender address
masquerading.
Make modifications to the To address of incoming email under Recipient address aliasing.
Address masquerading is based on protocol presets and can affect a large number of email messages.
When configuring your policies, consider whether you need the policy rules to apply to the email
addresses before or after they might be re-written.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

107

Overview of Email menu


Email Configuration overview

Useful websites
Regular expressions: http://www.regular-expressions.info/reference.html

Option definitions Sender address masquerading


Use this area to change the address from which email messages appear to have been sent.
Option

Definition

Type

States whether the sender address is a string replacement, or an LDAP lookup.

Search pattern

Specifies a search pattern that uses regular expressions to convert the original sender
email address to a masqueraded email address.
Take care with the use of ^ and $ in a regular expression. If the email headers contain
extra characters such as chevrons (< >), the regular expression will not replace the
email address, as expected.

Replacement

Displays the address you want to put in place of the original email address.

Move

The search for the pattern is done from the top to the bottom of the list. When a
pattern matches, it replaces using the replacement. In the case of LDAP lookups, it
uses the relevant LDAP query.

Add Entry

Adds a string replacement entry to the list.

Add LDAP entry Adds an LDAP lookup to the list.


Test

When clicked, opens a further window where you can test whether your regular
expression makes the correct replacement address. Type an email address as input,
click Check to see the resulting output address.

Export

When clicked, this link opens a dialog box you can use to export your list of
masquerade addresses as a text file. The list can be stored on the appliance, or on
your local computer.
The list is a text file in the following format:
List, search pattern
Replacement
List, search pattern
Replacement
Write down the file name and location in case you need to import it.

Import

108

When clicked, this link opens a dialog box you can use to navigate to a stored
(exported) address list and import it to your current Masquerade window. You can
overwrite existing addresses, or append to the existing list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Sender mail headers to search (advanced)


Specify the email headers that McAfee Email Gateway will search when using Sender address masquerading
to replace email addresses.
Option

Definition

Sender mail headers Specifies the mail headers to search within outgoing email messages.
to search
You need only add new headers if your mail server attaches its own unique
headers, or extra headers are defined in new email specifications.
By default, the following email headers are searched when using Sender address
masquerading:
return-path

resent-sender

from

reply-to

sender

return

resent-from

Option definitions Recipient address aliasing


Use this area to change the address to which email messages appear to have been sent.
Option

Definition

Type

States whether the sender address is a string replacement, or an LDAP lookup.

Search pattern

Specifies a search pattern that uses regular expressions to convert the recipients email
address to an aliased email address.
Take care with the use of ^ and $ in a regular expression. If the email headers contain
extra characters such as chevrons (< >), the regular expression will not replace the
email address, as expected.

Replacement

Displays the address you want to put in place of the recipient email address.

Move

The search for the pattern is done from the top to the bottom of the list. When a
pattern matches, it replaces using the replacement. In the case of LDAP lookups, it
uses the relevant LDAP query.

Add Entry

Adds a string replacement entry to the list.

Add LDAP Entry Adds an LDAP lookup to the list.


Test

When clicked, opens a further window where you can test whether your regular
expression makes the correct replacement address. Type an email address as input,
click Check to see the resulting output address.

Export

When clicked, this link opens a dialog box you can use to export your list of virtual
addresses as a text file. The list can be stored on the appliance, or on your local
computer.
The list is a text file in the following format:
List, search pattern
Replacement
List, search pattern
Replacement
Write down the file name and location in case you need to import it.

Import

When clicked, this link opens a dialog box you can use to navigate to a stored
(exported) address list and import it to your current Masquerade window. You can
overwrite existing addresses, or append to the existing list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

109

Overview of Email menu


Email Configuration overview

Recipient mail headers to search (advanced)


Specify the email headers that McAfee Email Gateway will search when using Recipient address aliasing.
Option

Definition

Recipient mail headers to Specifies the email headers to search within incoming email messages.
search
You need only add new headers if your mail server attaches its own unique
headers, or if extra headers are defined in new email specifications.

Task Masquerading all incoming email messages using an attribute in LDAP to


masquerade the sender
Use this task to masquerade all incoming or outgoing email messages using an attribute in LDAP.
Before you begin
Ensure that you have a valid connection to an LDAP server created with a functioning
Address Masquerading query.
You can follow these steps to masquerade a recipient by selecting Add LDAP Entry from the Recipient address
aliasing section of the page.

Task
1

Go to Email | Email Configuration | Protocol Configuration | Address Masquerading (SMTP)

In the Sender address masquerading section, click Add LDAP Entry.

Enter a search pattern such as .*@test.dom.

In Replacement, select the correct server and address masquerading query and click Test.

In Input email address, type the email address that you want to masquerade. and click Check.
The Pattern matched and Output email address fields are automatically populated.

Click Close.

When the query is selected, any email that comes from, for example originalsender@test.dom, should
be replaced with the masqueraded email address such as <masqueraded sender>@test.dom.

Connection and Protocol Settings (POP3)


Use this area to specify settings for the POP3 protocol such as port numbers and time-outs.

Email | Email Configuration | Protocol Configuration | Connection and Protocol Settings (POP3)
Optionally specify periods when some parts of the network will not be scanned.
Before turning off scanning of any traffic, consider the security risks. The most secure option is to scan
all traffic. If an appliance is operating in a transparent mode, use this feature to exclude some parts of
the network from scanning traffic in a protocol during specific periods. You might need to do this if you
regularly move many large files through the appliance.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.

110

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Basic POP3 settings


Use this area to configure the basic setting for using the POP3 protocol.

Email | Email Configuration | Protocol Configuration | Connection and Protocol Settings (POP3) | Basic POP3
settings
Changing these settings can affect scanning performance. If you are not sure about the impact of
making changes, ask your network expert.

Table 4-13 Option definitions


Option

Definition

Enable the POP3


protocol

When deselected, ignores any POP3 traffic. Other traffic is not affected.

Listening ports

Specifies a port number. The default value is 110.

Transparent
interception ports

Specifies a port number. The default value is 110.

Dedicated POP3 proxy


ports

Specifies connections to dedicated POP servers.


Specify a unique port number for each server. Choose port numbers in the range
1024 to 65535, because numbers below 1024 are generally assigned to other
protocols. The server must have an FQDN, for example, pop3server.example.com.
Click these icons and the port headings to reveal icons for managing the port
information:

Indicates the port number.


Indicates the traffic that will be intercepted.
Indicates a period when traffic is not scanned.
Indicates a dedicated port.
Enable reverse DNS
lookups.

When selected, enables the appliance to perform lookups. Default value is Yes.

Append appliance
domain name for DNS
lookups

If you encounter issues with non-delivery of sent email messages routed using
DNS lookups to recipients using legacy email systems, select this option.

Take care if deselecting this setting. If you deny reverse DNS lookups, some
functions might fail.

Selecting this option appends the domain name of the appliance (for example:
appliance.domain.test) to the domain details found within the message. So, if a
message is sent to user@recipientdomain.test, the appliance carries out DNS
lookups for both recipientdomain.test.domain.test and recipientdomain.test.
This option is disabled by default.
Appending appliance domain names to the DNS lookups is known to cause issues
with DNS systems configured with wildcard records.

Timeouts
Use this area to specify time-out values for the POP3 protocol.
You do not need to change these values often.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

111

Overview of Email menu


Email Configuration overview

Table 4-14 Option definitions


Option

Definition

Maximum wait times when talking to Specifies how long the appliance waits for responses from the
a POP3 client
computer that sends the email message. Default values:
Between commands 600 seconds
Completing data transfer 60 seconds
Maximum wait times when talking to Specifies how long the appliance waits for responses from the mail
a POP3 server
server that receives the email message. Default values:
Establishing a connection 60 seconds
Completing data transfer 60 seconds

POP3 protocol settings


Use this section to specify settings that apply only to the POP3 protocol.
Table 4-15 Option definitions
Option

Definition

Enable server
keepalives

Specifies values to keep the server connection open. The appliance can repeatedly
send a POP3 command to prevent the connection between the appliance and the
mail server timing-out.
Default values:
Enable server keepalives No
Keepalive interval 60 seconds
Keepalive command Not set

Enable client
keepalives

Specifies values to keep the client connection open. The appliance can repeatedly
send a POP3 command to prevent the connection between the appliance and the
POP3 mail client timing-out. Default values:
Enable client keepalives No
Keepalive interval 60 seconds

Address delimiters

Specifies the characters that identify each part of an email address. For example:
[user name]#[host name]:[port number]. Default values:
# User delimiter
: Host delimiter
You need only change the delimiter characters if your POP3 provider uses different
characters.

Respond to CAPA
requests

Responds to a POP3 CAPA command, which returns a list of capabilities supported


by the POP3 server. Default value is No.
For more information, see RFC 2449.

112

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option definitions Protocol Presets dialog box


Use this dialog box to re-order, create, and edit or remove existing protocol preset policies.
Option

Definition

Add network group

Click to open the Add Network Group dialog box to group together hosts or networks
that you want to be associated with each other.
Network groups can be used when defining rules for email policies and protocol
presets by selecting the source or destination network group rule type.

Add Policy

Click to open the New Preset dialog box.

Order

Shows the presets in the order in which you want them to be evaluated. The
default policy is always evaluated last.

Policy name /
Move / Delete

Lists the presets, and allows you to move them or edit them as appropriate.
The default policy cannot be modified or deleted.

Option definition - New Protocol Preset


Use this dialog box to create a protocol preset to apply to a policy.
Some of these options may not be available in all instances of creating a new protocol preset.

Option

Definition

Policy name

Type a name for the virtual host policy

Description

Optionally type a description for the policy to help you identify it.

Inherit settings
from

Select the protocol preset from which you want to inherit the settings, that is, any
settings that are not overridden by this protocol preset will be taken from the
protocol preset specified here.

Policy type

Select either:
Physical A standard policy that has rules available. A physical policy can be
triggered when its rules are matched and can also be used for inheritance.
Virtual A virtual policy can be considered to be a collection of settings available
for the purposes of inheritance. A virtual policy can never be triggered.
This option is only available when you create a protocol preset from Email | Email
Configuration when virtual hosting has been enabled on the appliance.

Match logic

Select either:
Match one or more of the following rules this policy triggers if any of the specified rules
are matched.
Match all of the following rules this policy triggers if all of the specified rules are
matched.
This option is only available when you create a protocol preset from Email | Email
Configuration.

Rule type /
Move / Edit

Lists the rules associated with the preset, and allows you to move or edit them as
appropriate.
This option is only available when you create a protocol preset from Email | Email
Configuration.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

113

Overview of Email menu


Email Configuration overview

Option

Definition

Add Rule

Click to specify the type of rule that you want to apply to the preset, and set its
Match and Value.
This option is only available when you create a protocol preset from Email | Email
Configuration.

Add network
group

Click to create a network group to associate with the preset.


This option is only available when you create a protocol preset from Email | Email
Configuration.

Receiving Email
The Receiving Email tab within Email Configuration enables you to configure settings that are
protocol-dependant.
Further tabs enable you to configure permit and deny lists and anti-relay settings as well as recipient
authentication and bounce address tag validation.
Contents
Permit and Deny Lists
Anti-Relay Settings
Recipient Authentication
Bounce Address Tag Validation

Permit and Deny Lists


Use this page to build a list of IP addresses, networks and users that are permitted, blocked or
temporarily blocked from connecting to the appliance.

Email | Email Configuration | Receiving Email | Permit and Deny Lists


The page has these sections:

Benefits of using the permit and deny lists


Use this information to understand the benefits of using the permit and deny lists.
The permit and deny lists for connections and senders are located on a single page within the user
interface, allowing you to easily configure these settings.
Once set, the permit and deny lists help prevent your users from being swamped by unwanted email
messages, whilst helping ensure that email messages from trusted senders do not accidentally get
blocked.

114

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option definitions Permitted and blocked connections


Use this topic to learn where to specify IP addresses that are always permitted or blocked when
connecting to the appliance.
Table 4-16 Option definitions Permitted connections
Option

Definition

IP address The appliance accepts email from this address even if a detected threat caused a "Deny
connection" action. This setting ensures that the appliance does not delay email from
trusted senders.
Add

Add IP addresses to the Permitted connections list.

Delete

Remove selected IP addresses from the Permitted connections list.

Import List To prevent you having to enter the permitted connections individually onto each of your
appliances, you can import a list of permitted connections.
Export List Once you have configured the permitted connections list for one of your appliances, you
can export the permitted connections list, to be imported onto other appliances.
The file is created in comma separated values (CSV) format.
Table 4-17 Option definitions Blocked connections
Option

Definition

Virtual Host

Displays the name of the virtual host that received the connection currently
being blocked by the appliance.

IP address

Displays the IP addresses for connections that the appliance is currently


blocking. Addresses remain in this list for a specified period during which email
is not accepted.
Permitting a connection does not override any time constraints set up by the
policy that blocks the connection. For example, if a policy states that a
connection will be blocked for 600 seconds and you change the connection to
permitted within the 600 seconds, the connection continues to be blocked until
the 600 seconds have elapsed. This is why a connection can temporarily appear
in both the Blocked and Permitted connections list.

Domain Name

Displays the domain name associated with the blocked IP address.

Port

Displays the number of the port on which the message was received. This is
typically port 25.

VLAN ID

Displays the ID of the virtual LAN on which the message was received. This is
typically 1 to 4094.
Applicable to Transparent Bridge mode only.

Seconds remaining

Displays the time that must pass before the appliance again allows a connection
from this IP address.

Refresh

When clicked, updates the list of connections. The list is not automatically
updated.

Resolve Addresses

When clicked, the appliance attempts to resolve the IP addresses to show the
relevant domain name.

Unblock

When clicked, enables the selected IP address to try to reconnect.

Store a maximum of
items in the blocked
connections list

If the limit is reached, the appliance can only add more IP addresses to the list
when an existing address expires or is removed manually by clicking Unblock.
Default value is 5000.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

115

Overview of Email menu


Email Configuration overview

Option definitions Permitted and blocked senders


Use the information in this topic to specify senders, networks and domains that are always permitted
or blocked when connecting to the appliance.
Table 4-18 Option definitions
Option

Definition

Value type (Permitted


senders)

If an email is from a permitted sender, Sender Authentication checks are


bypassed, and the sender is accepted.

Value (Permitted senders) Displays the details of the sender:


Email address For example, network_user@ example.com
IP address For example, 192.168.255.240
Domain name For example, www.example.com
Value type (Blocked
senders)

If an email is from a blocked sender, it will be refused unless there is a


corresponding entry in the permitted senders list.

Value (Blocked senders)

Displays the details of the sender (email address, IP address and domain
name).

Response if a sender is in Offers various actions, including:


the block list
Allow through
Accept and drop

Reject and close


Reject, close and deny

Reject
Resolve permitted /
blocked host names to IP
addresses

When selected, causes the appliance to use DNS to resolve host names to IP
addresses from a domain name. These lookups take place when the SMTP
proxy is initialized. The default value is Yes.

Reverse lookup sender IP


address

When selected, causes the appliance to use DNS to do a reverse lookup of the
sending IP address to match domains in the list. Because this requires an extra
lookup for each connection, this can affect performance. The default value is
No.

Import List

To prevent you having to enter the permitted or denied senders individually


onto each of your appliances, you can import lists of permitted or denied
senders.

Export List

Once you have configured the permitted or denied senders list for one of your
appliances, you can export the information, to be imported onto other
appliances.
The files are created in comma separated variables (CSV) format.

Task How do I add a permitted connection?


Use this task to add a permitted connection to your appliance.
To add a permitted connection:
Task
1

Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists | Permitted and blocked connections |
Permitted connections.

Click Add.

Type the IP address and the netmask for the connection that you want listed as permitted.

Apply the changes.

The specified IP address is added as a new permitted connection.

116

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Task How do I export my lists of permitted or denied settings?


Use this task to export your lists of either permitted or denied settings.
Once you have configured your appliance with your permitted or denied settings, you can export a list
of these settings, either as a backup or to import into other appliances.
Task
1

Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.

Click Export List for the relevant area (Permitted connections, Permitted senders or Blocked senders).

Click the displayed link to download it to your local file system.

Click Close.

Your list of Permitted connections, Permitted senders or Blocked senders is downloaded to your local file system.

Task How do I import a list that I exported from another appliance?


Use this task to import a list that was exported from another appliance.
To prevent you having to repeatedly enter the same data into each of your appliances, McAfee Email
Gateway enables you to import a list of permitted or denied senders or permitted connections into
your appliance.
Task
1

Ensure that you have exported the required list, and that it is located where it can be accessed
from your user interface.

Browse to Email | Email Configuration | Receiving Email | Permit and Deny Lists.

From the relevant area (Permitted connections, Permitted senders or Blocked senders), click Import List.

Browse to the required file.

Click OK.

The selected list is imported onto your appliance.

Anti-Relay Settings
Use this page to prevent the appliance from being used as an open relay.

Email | Email Configuration | Receiving Email | Anti-Relay Settings

Benefits of configuring relaying email and anti-relay settings


Understand the importance of preventing the appliance being used as an open relay.
By default, the appliance is configured as an open relay. This means that anyone can send messages
through it. You must specify the domains that can send and receive messages.
Anti-relay settings are required to ensure that the appliance only handles email for authorized users,
and to prevent other people such as spammers from using the appliance to forward their messages.
When you first log on to the appliance, a warning is given in the Services portlet on the Dashboard.
You must create at least one local domain to prevent the appliance from being used as an open relay.
Even if you have a list of domains categorized as permitted domains or denied domains, the lack of a
local domain will still mean that the appliance can be used as an open relay.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

117

Overview of Email menu


Email Configuration overview

The page has these sections:

Relaying email

Anti-relay options

A typical scenario is that the local domain, such as *.local.dom, accepts messages for delivery by
the appliance. You also have a network from which you accept messages, such as 192.168.0.0/24.
The anti-relay feature checks the contents of these lists to determine whether a recipient is
acceptable.

The order in which anti-relay checks take place


Use this information to understand the order in which Email Gateway makes the anti-relay checks.
The appliance makes anti-relay checks at the RCPT TO phase of the SMTP conversation. It is important
to understand the order in which the anti-relay checks take place:

Is the local domain list empty?

Yes. The appliance operates as an open relay and allows the recipient to receive the message.

No. The appliance performs the next check.

Is the recipient or connection in the permitted domains list?

Yes. The appliance allows the recipient to receive the message.

No. The appliance performs the next check.

Is the recipient or connection in the denied domains list?

Yes. The appliance rejects the recipient.

No. The appliance performs the next check.

Is the recipient or connection in the local domain list?

Yes. The appliance checks whether the recipient matches on a permitted routing character.

118

Yes. The appliance accepts the recipient.


No. The appliance checks whether the recipient matches on a denied routing character.

Yes. The appliance rejects the recipient.

No. The appliance accepts the recipient.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

No. The appliance rejects the recipient.

Option definitions Relaying email


Use this information to specify domains and networks that can use the appliance for handling their
email.
Option

Definition

Add Domain

Click to specify the domains that can relay messages through the appliance to the
recipient. Choose from:
Local domain These are the domains or networks for which email is accepted for
delivery. For convenience, you can import a list of your local domain names using
the Import Lists and Export Lists options. McAfee recommends that you add all domains
or networks that are allowed to relay messages as local domains.
Permitted domain Email is accepted. Use permitted domains to manage exceptions.
Denied domain Email is refused. Use denied domains to manage exceptions.
Hold your mouse cursor over the field to see the recommended format.
Ensure that you define at least one local domain, as well as the domains from which you
want to permit email relaying, and that you want to deny email relaying. Defining a
domain as a Permitted domain ensures that email traffic from that domain is always allowed
to be relayed.

Add MX Lookup

Click to specify a domain that the appliance will use to identify all mail server IP
addresses from which it will deliver messages.

Delete Selected
Items

Removes the selected item from the table. You must apply the changes before the
item is completely removed from the appliance configuration.

Domain Name/
Network
Address/MX
Record

Displays the domain names, wildcard domain names, network addresses, and MX
lookups from which the appliance will accept or refuse email.

Type

Domain name for example, example.dom. The appliance uses this to compare the
recipient's email address and compare the connection against an A record lookup.
Network Address for example, 192.168.0.2/32 or 192.168.0.0/24. The appliance
uses this to compare the recipient's IP literal email address such as
user@[192.168.0.2], or the connection.
MX Record Lookup for example, example.dom. The appliance uses this to compare the
connection against an MX record lookup.
Wildcard domain name for example, *.example.dom. The appliance only uses this
information to compare the recipients email address.

Category

Local domain
Permitted domain
Denied domain

Resolve the
above domain
names to IP
addresses

If selected, allows the appliance to use DNS to resolve the IP addresses of the
domains. These lookups take place only when the SMTP proxy is initialized.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

119

Overview of Email menu


Email Configuration overview

Option

Definition

If a sender or
recipient is
rejected

Reject sends an SMTP 550 (permanent failure) response and closes the connection.
Reject the email and close the connection sends a rejection code, SMTP 550 (permanent
failure) response code or a SMTP 421 (Temporarily unavailable service due to
potential threat message), then closes the connection.
Accept and ignore the recipient sends an acceptance code, SMTP 250 (OK). McAfee does
not recommend this option because it suggests to the sender that the message was
received as intended.

Import Lists/
Export Lists

On an appliance from which you want to save a list of domains for anti-relay
specification, click Export Lists to create a comma-separated CSV file that contains
details of all the domains that you specified on this page, whether they are local,
permitted or denied. On an appliance onto which you wish to put the list of domains,
click Import Lists.
To create your own list, see Formats for export lists later on this page.

Option definitions Anti-relay options


Use this information to understand the options relating to the anti-relay settings.
Using routing characters (such as %, !, and |) is a method of passing messages between computers.
With these characters, unauthorized users can relay email messages (often spam) by using computers
inside your network. To permit or block this form of relaying, you specify the routing characters, which
are in the part of an email address before the final @. By default, the appliance does not support
routing characters in email addresses.
Option

Definition

Permitted routing
characters

Specifies permitted routing characters. Normally you do not need to type any
characters here.

Use the default


(Permitted routing
characters)

When selected, prevents the use of the following routing characters: *!* *%*
*|*

Denied routing
characters

Accepts any of the following characters:


*%* - Right-binding routing character (%-exploit).
*!* Local or mail gateway routing.
*|* Pipe is used by some mail servers to execute commands.
*[*]* Parentheses that encloses a dotted-decimal domain address such as
192.168.254.200.
*:* Colon for multiple hops.
For example, to block the relaying of addresses of the type
user@host@relay.com, add *@* to the list of denied characters.

Use the default (Denied


routing characters)

When selected, prevents the use of the following routing characters: *!* *%*
*|*

Enable routing character


checking for sender

When selected, examines routing characters on outgoing mail.

Protocol preset

Lists any connection-based policies to which the routing characters setting


applies.
Click to open the Protocol Presets screen to assign additional policies, or create
new policies or network groups to which the routing characters setting applies.

120

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Task Creating a simple configuration


Use this task to create a simple configuration to allow controlled relaying of incoming and outgoing
messages from your Email Gateway.
To allow relaying of incoming messages to your domain, add a wildcard domain. To allow the relaying
of outgoing messages from your domain, add the IP address or network address of the Message
Transfer Agent (MTA):
Task
1

Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.

Click Add Domain.

Type the domain name using a wildcard, such as *example.dom.

In Category, select Local domain, and click OK.

Click Add Domain, and type the network address or the IP address from which you expect to receive
messages (such as 192.168.0.2/32 or 192.168.0.0/24).

In Category, select Local domain, and click OK.

The domains that you specify are allowed to relay incoming or outgoing email traffic.

Task Creating a permitted subdomain based on a larger denied domain


Use this task to create a new permitted subdomain, using the settings for a larger, denied, domain.
To create a small permitted subdomain within a larger denied domain, create the main domain as a
denied domain, and add the sub domain as a permitted domain.
Task
1

Go to Email | Email Configuration | Receiving Email | Anti-Relay Settings.

Click Add Domain.

Type the domain name that you want to deny using a wildcard, such as *example.dom to reject all
messages sent to that domain.

In Category, select Denied domain, and click OK.

Click Add Domain again, and type the name of the subdomain that you want to accept, such as
sub.example.dom.

In Category, select Permitted domain, and click OK.

The permitted subdomain is created.

Task Create a list of domains and export it to another appliance


Use this task to configure the domains on one appliance, generate a list of these domains, and then
import this list onto another appliance.
Task
1

On a master appliance, go to Email | Email Configuration | Receiving Email to set up the local domain, and
any permitted or denied domains.

Click Export Lists to create a CSV file that contains a list of all domains displayed in the Relaying
email list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

121

Overview of Email menu


Email Configuration overview

Click the link to download the file, and save it onto your local file system.

On a secondary appliance, go to Email | Email Configuration | Receiving Email and click Import Lists.

Formats for export lists


Use this information to understand the formats you can use to create an export list.
To create a list of domains for an export list, type the domains into a comma-separated values file
using the following formats:

To add a local domain, type LD *<domain name>

To add a local network address, type LN <IP address>/<CIDR>

To add a permitted domain, type PD *<domain name>

To add a denied domain, type DD *<domain name>

For example:
LD *inbri.bs.dom, LN 10.6.1.3/24, PD *qa.ext.bs.dom, DD *ext.bs.dom

Recipient Authentication
Use this page to prevent attacks from zombie networks, bogus recipient names, and directory
harvesting.

Email | Email Configuration | Receiving Email | Recipient Authentication


The page has these sections:

Benefits of using Recipient Authentication


Use this information to understand the benefits of using Recipient Authentication on your McAfee Email
Gateway.
Greylisting email messages from unknown senders causes messages from these senders to be rejected
for a period of time. If the sending email system is legitimate, it will follow the correct protocols for
re-delivering previously rejected messages. However, most "zombie" networks that are used to send
spam messages do not comply with these protocols, and therefore messages from them are blocked.
Recipient checks are useful tools in preventing directory-harvest attacks and flooding attacks (where
large volumes of email messages are directed at your email servers, in the hope that some will get
through to valid email addresses). Recipient checks work by you providing information about your
genuine recipients of email messages within your organization. This information may already be
available from your LDAP servers. You can also import lists of recipient email addresses from a file.
This option is intended for small companies who can easily maintain a list of email recipients. For
larger companies, consider using LDAP directory services to provide email attributes to the appliance
(Email | Group Management | Directory Services.)
Directory harvest prevention compares the number of email messages being sent to known and unknown
email addresses within your organization. From this, the appliance can identify when a directory
harvest is taking place, and can take steps to minimize the impact of the attack.

122

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option definitions Greylisting


Use this information to learn about the options available for configuring greylisting on your McAfee
Email Gateway.
Use this section to create a grey list, which is effective against attacks from unknown senders such as
zombie networks. Greylisting temporarily rejects email from new senders to resist spam attacks.
Option

Definition

Protocol preset

Specifies the policy (and network group) to which these settings apply.

Accept SMTP
callback requests

If selected, overcomes delays caused by devices that use SMTP callbacks to


prevent spam.

Initial retry delay

Specifies how long to reject any early attempt to resend the email. The default
value is 3600 seconds (1 hour). Many mail servers typically try to resend after one
hour. The range is up to 86400 seconds (1 day).

Unretried record
lifetime

Specifies how long to keep a record, where the sender has not tried to send
another message.
After this time, the appliance deletes the record of any triplet that has not be
retried. We recommend a value below 8 hours. The range is up to 96 hours (4
days). Default value is 4 hours.

Greylisted record
lifetime

Specifies how long to keep a greylisted record. The appliance deletes records of
triplets that have not been referenced for some time. The range is up to 2160
hours (90 days). Default value is 864 hours (36 days), which is suitable for
occasional mail like monthly newsletters.

Maximum number of Specifies the maximum number of greylisted records. When the number of records
records
approaches this value, the appliance starts deleting old records. The range is
50,000 to 2,000,000. Default value is 2000000.

Option definitions Recipient Checks


Use this information to learn about the options available within the user interface for configuring
recipient checks.
Use this section to prevent directory-harvest attacks and attacks that issue large numbers of email
messages (known as flooding). You can provide the appliance with a list of permitted recipients. Your
network might already have this information on its LDAP servers. Alternatively, you can import a list of
email addresses from a text file.
Option

Definition

Protocol preset

Specifies the policy (and network group) to which these settings apply.

If the recipient is not in


the following list

When selected, checks the recipient address against email addresses in the list.

Email address

Lists the acceptable email addresses. You can use wildcards, for example:
user*@example.com. We recommend that you do not overuse wildcards,
because you will defeat the intention. Add or remove addresses as necessary.

Or if the recipient does


not satisfy the query

When selected, checks the recipient address against email addresses in the LDAP.
To connect to an LDAP server, select Email | Group management | Directory Services and
click Add Server.

Take the following


action

Accept and ignore the recipient Accepts the email message and ignores it. The
appliance sends an acceptance code (SMTP 250 OK). We do not recommend
this option because it suggests to the sender that the message was received as
intended.
Reject Sends a rejection code (SMTP 550 Fail). We recommend this option
because the sender is normally informed that the message was not accepted.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

123

Overview of Email menu


Email Configuration overview

Option definitions Directory harvest prevention


Use this information to learn about the options available within the user interface for configuring
directory harvest prevention.
Use this section to prevent directory harvest attacks. The appliance examines the number of known
and unknown email addresses to determine whether an attack is taking place.
When used with some email servers, Directory Harvest Prevention might not function as expected.

Table 4-19 Option definitions


Option

Definition

Protocol preset

Specifies the policy (and network group) to which these settings apply.

When the appliance is in


transparent mode

None Takes no action.


Tarpit Delays a response to email that has several recipient addresses.
Tarpit then deny connection Delays a response to the email, then adds the
sender to the Denied Connections list.
Deny connection Adds the sender to the Denied Connections list.
Default value is Deny connection.

When the appliance is in


proxy mode

None takes no action.


Deny connection adds the sender to the Denied Connections list.
Default value is Deny connection.

When an email has been


deferred and is being
retried

None Takes no action.


Deny connection Adds the sender to the Denied Connections list.
Deny connection and quarantine email Adds the sender to the Denied Connections
list, then forwards the email to a quarantine area.
Default value is Deny connection and quarantine email.

Response delay

When a tarpit action was selected, specifies the delay in responding to this
email.
Default value is 5 seconds. This is often enough to deter an attack.

Maximum number of
recipients

When a tarpit action was selected, specifies how many recipient addresses
each email may have. Default value is 10.
Applies a delay if there are too many recipient addresses in the email message.

A directory harvesting
attack ...

Defines this type of attack. Default values are 5 failed recipients and 10%
accepted recipients.
Email that falls outside this specification is not considered to be an attack, so
no action is taken.

Task Block all incoming email where the user does not exist in LDAP
Use this task to block all incoming email messages where the user does not exist in LDAP.
Task

124

Go to Email | Email Configuration | Receiving Email | Recipient Authentication | Recipient checks.

Select Or if the recipient does not satisfy the query and select the desired Valid recipient query for the LDAP
server.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Select the action that you want to take.

Apply the configuration changes to the appliance.

Bounce Address Tag Validation


Use this page to combat backscatter bounced email that was not originally sent from your
organization.

Email | Email Configuration | Receiving Email | Bounce Address Tag Validation


If an Mail Transfer Agent (MTA) cannot deliver an email message, the MTA returns (or 'bounces') the
message to the sender using a return address in the message. Unfortunately, spam email messages
often have a forged (or spoofed) return address. The bounced email often goes to an innocent
organization. This type of email is known as backscatter. During a spam attack, your organization
might receive many such messages.

Benefits of using Bounce Address Tag Validation


This topic discusses the benefits of using Bounce Address Tag Validation.
Bounce Address Tag Validation (BATV) enables your organization to ignore any backscatter email
message by checking whether your organization was its original sender. The appliance can attach a
encrypted digital signature (or tag) to the SMTP MailFrom address on every outgoing email message.
When a bounced email arrives, the appliance searches for the digital signature, and rejects any
message that has no digital signature or has an invalid digital signature. Such a message cannot be a
genuine, bounced email message.
BATV can be implemented on a per-policy basis, using suitably configured Protocol presets.
For more information about BATV, visit http://mipassoc.org/batv/draft-levine-batv-03.txt.
If email is handled by several appliances for example, one appliance handles outgoing email, while
another appliance handles incoming email all the appliances need information about the signature
seeds and signature lifetime. To distribute the information between your appliances, use the import
and export features in the interface.

Option definitions Bounce Address Tag Validation


Use this information to learn about the controls available within the user interface for configuring
Bounce Address Tag Validation.
Table 4-20 Option definitions Bounce Address Tag Validation Actions
Option

Definition

Protocol preset:

Select a Protocol preset to allow you to configure per-policy actions for


BATV on your appliance.
Select Create a new preset if you need to define a new preset.
Click to open a dialog box enabling you to re-order your existing protocol
presets.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

125

Overview of Email menu


Email Configuration overview

Table 4-20 Option definitions Bounce Address Tag Validation Actions (continued)
Option

Definition

Enable bounce address tag


validation

Select to configure BATV on your appliance.

When validation fails

Specifies how the appliance must handle each invalid bounced message.
The available options are:
Allow through
Reject
You can assign different actions for each preset.

When you enable BATV tagging, the maximum length of local part of the MAIL FROM address used by
the appliance increases by 16 characters. Adjust your configuration setting to allow up to 80 characters
to allow BATV tagged email addresses. To do this, navigate to Email | Email Configuration | Protocol Configuration |
Protocol Settings (SMTP) | Address Parsing Options and change the maximum length.

Option

Definition

Signature lifetime Specifies how long the signature seed will be used to sign outgoing email. Mail servers
typically try to deliver mail for up to four days. McAfee recommend a value of 47
days.
Signature seed

Specifies a seed for signing the sender's address.


Use only letters, numbers and space characters. The acceptable key length is 464
characters. Type a seed that is not easy to guess.

Generate

When clicked, generates a signature seed that has 20 random letters and numbers.
You can use this method instead of typing your own signature seed.

Import settings

When clicked, opens a file browser to import a text file that contains BATV settings
from another appliance.

Export settings

When clicked, opens a file browser to create a text file that contains BATV settings for
use by another appliance.

Sending Email
Use this page to specify how the appliance delivers email messages.

Email | Email Configuration | Sending Email


The page has these sections:

Benefits of using the Sending Email features


This information explains some of the benefits of using the Sending Email features found within
McAfee Email Gateway.
The features and options found within the Sending Emails tab enable you to configure the methods used
by the appliance to send email messages on. These options enable you to select the best options to
suit your existing network and email configuration.

126

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option definitions Delivering email


Use this information to understand how the appliance tries to deliver email, based on the domain part
of the recipient's address. In a To field, the domain part of an address such as aaa@example.com is
example.com.
Using the recipient's domain, the appliance uses the following logic to decide how it will deliver
messages:

If the recipient's domain matches those listed in Domain Routing, it uses those relays to deliver the
message.

If the recipient's domain does not match those listed in Domain Routing, it can be configured to use an
MX record lookup to deliver using DNS. If no MX records are available, it attempts to make the
delivery using an A record lookup. MX delivery is attempted to hosts in the order of priority that is
returned by the DNS server.

If it cannot deliver using one of the previous methods, it uses fallback relays to make the delivery
(providing the recipient's domain matches those listed in the Fallback relays field).

If the domain does not exist, the appliance generates a non-delivery report and sends it to the
originator.

If the receiving server cannot accept delivery, or there are no IP addresses to complete the
delivery, the message is queued.

Option

Definition

Import Lists

Click the link to open the Import Lists dialog box.

Export Lists

Click the link to open the Export Lists dialog box.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

127

Overview of Email menu


Email Configuration overview

Option

Definition

Domain Routing

Displays a list of domains.


This list allows you to specify specific relays/sets of relays to be used to deliver
messages destined for specific domains. Domains can be identified using exact
matches, or using pattern matches such as *.example.com.
Click Add Relay List to populate the Domain Routing table with a list of host names, or IP
addresses for delivery. Delivery will be attempted in the order specified unless you
select the Round-robin the above hosts option which will distribute the load between the
specified hosts.
Host names/IP addresses may include a port number.

Click Add MX Lookup to populate the Domain Routing table with an MX record lookup to
determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.

Click Add LDAP Lookup to populate the Domain routing table with an LDAP lookup to
determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified
domain.
Only LDAP servers that have already been set up in Email | Group Management | Directory
Services | Add Server appear on this list.

Use an IPv4 or IPv6 address with optional port number or a fully qualified domain
name. For example, 10.6.1.6, 10.6.1.5:25,
2001:db8:ac10:fe01:205:2cff:fe03:2a45 or mailrelay.mydomain1.dom. If you
specify a fully qualified domain name, the appliance does an A-record lookup to
determine the IP address.
To specify multiple relays for a single domain, separate each with a space.
If the first mail relay is accepting email, all email is delivered to the first relay. If that
relay stops accepting email, subsequent email is delivered to the next relay in the
list.

128

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option

Definition

Enable DNS
lookup for
domains not
listed above

If selected, the appliance uses DNS to route email for other, unspecified domains.
DNS delivery attempts an MX-record lookup. If there are no MX records, it does an
A-record lookup.
If you deselect this checkbox, the appliance delivers email only to the domains that
are specified under Domain Routing.

Fallback relays for Specifies the fallback relays. If delivery is unsuccessful by any other method, and the
unreachable
domain matches an entry in this list, the appliance uses the information in this list to
domains
determine a host to be used for delivery.
Click Add Relay List to populate the Domain Routing table with a list of host names, or IP
addresses for delivery. Delivery will be attempted using the hosts in the order
specified unless you select the Round-robin the above hosts option which will distribute the
load between the specified hosts.
Host names/IP addresses may include a port number.

Click Add MX Lookup to populate the Domain Routing table with an MX record lookup to
determine the IP addresses for delivery.
Delivery will be attempted to host names returned by the MX lookup in the order of
priority given by the DNS server.

Click Add LDAP Lookup to populate the Domain Routing table with an LDAP lookup to
determine the Home Mail Transfer Agent (MTA) to be used for emails to the specified
domain.
Only LDAP servers that have already been set up in Email | Group Management | Directory
Services | Add Server appear on this list.

Option definitions Postmaster address


Use this information to understand the importance of assigning a postmaster address, and how to do
this.
McAfee recommends that you assign a postmaster, so that queries from your users are handled
promptly. The postmaster must be someone who reads email regularly. You can use the name of a
single user or a distribution list.
Option

Definition

Postmaster
address

Specifies an email address that the appliance uses to deliver email that has a
recipient of postmaster.
We recommend that you specify an email address here, so that any delivery
problems are handled promptly. You can specify a distribution list or a single user
who reads email regularly.

Option definitions Enable digests


Use this information to understand the options available to allow you to configure quarantine digest
messages.
Option

Definition

Enable digest messages Specifies whether to enable digest messages for the selected protocol preset.
and message
Protocol preset

Reminds you that digest messages are enabled for this protocol preset.
Allows you to make settings for any exception to the default setting. For
example, you can specify that some parts of the network do not use digest
messages.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

129

Overview of Email menu


Email Configuration overview

Option definitions DKIM signing


Use this information to understand DKIM signing, and to view the available options for configuring
DKIM signing.
The Domain Keys Identified Mail (DKIM) technique uses RSA private and public keys and DNS TXT
records to enable the recipient to verify the identity of an email sender.
The sender signs the email message with a private key, by adding an extra header - the
DKIM-Signature header. The header provides the email message with a cryptographic signature. The
signature is typically derived from the message body and email headers such as From and Subject,
then encrypted by the sender's private key.
Recipients can verify that the message is genuine by making a query on the signer's domain to
retrieve the signer's public key from a DNS TXT record. The recipient then verifies that the email and
its signature match. The recipient can therefore be confident that the email was sent from the stated
sender and was not altered during transit.
The appliance can verify signatures from incoming mail and attach signatures to outgoing mail.
For information about Domain Keys Identified Mail (DKIM), visit the Internet Engineering Task Force
website, http://www.ietf.org and http://www.dkim.org.
Use this section to create a Domain Keys Identified Mail (DKIM) key.
Option

Definition

Enable DKIM
signing

When selected, adds a DKIM header (like a digital signature) to each email message as
it is sent.
You must add a key before you can enable DKIM signing.

Domain name
and Selector

During verification, the recipient extracts your Domain Name and Selector from the
signature to retrieve the public key associated with the appliances private signing key.
For example, if your Selector is mail and your Domain Name is example.com, the
recipient must issue a DNS query for the TXT record of mail._domainkey.example.com.

Signing key

Select the key to be used to sign the messages.

DKIM signing
keys

Allows you to create signing keys from numerous parameters.

Export

When clicked, allows you to save the private key to a file, in case the original private
key is lost or erased.

View Public Key Place the public key on your DNS server or give it to your Internet Service Provider, so
that recipients can verify email from your organization.

130

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Option

Definition

Import Key

Select this to import an existing DKIM key onto your system.

Advanced
options

This section enables you to select specific advanced options that relate to the way your
appliance carries out DKIM checks.
From this area, you can choose:
What to sign either signing All headers or Selected headers. Click the linked text to select
the individual headers to sign.
Header canonicalization you can choose either Simple or Relaxed canonicalization for the
headers.
Body canonicalization you can choose either Simple or Relaxed canonicalization for the
body text.
Key expiry choose to either have a key that does not expire, or to set an expiry date
for the key.
Signing identity add an optional signing identity to your DKIM keys.

Option definitions Queued email delivery


Use this information to understand how to specify the handling of email delivery if the first attempt to
send is not successful. You do not normally need to change these settings.
Use the Per-domain settings section to specify how the appliance delivers email intended for known
domains. The options outside this section apply to email for all other destinations.
Table 4-21 Option definitions
Option

Definition

Maximum number of connections


open at any one time

Default value is 500.

Time before an NDR is issued

Specifies how long the appliance tries to deliver an email message


before sending a non-delivery report (NDR) to its sender. Default value
is 108 hours (4.5 days).

Domain

Specifies a domain to which the appliance delivers many email


messages during a single connection. To organize priority for delivery,
click the icons in the Move column.
An asterisk (*) indicates all domains.

Retry Interval (success) and Retry


Interval (failure)

Specifies how often to retry delivery to the specified domain.

Maximum open connections and


Emails per connection

Specifies other options that control the rate for delivering email to this
domain.

By default, further email is sent every 1 minute if previous email was


sent successfully. If a previous attempt failed, the appliance waits 10
minutes before trying again.

Task Deliver all email using MX record delivery


Use this task to deliver all email using MX record delivery.
By default, your Email Gateway uses MX records to deliver all email.
Task

Use the default settings.

Your Email Gateway uses MX records to deliver all email by default.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

131

Overview of Email menu


Email Configuration overview

Task Deliver all email to a specific domain using round robin delivery
Use this task to deliver all email to a specific domain using round robin delivery.
Task
1

Go to Email | Email Configuration | Sending Email.

In Delivering email, click Add Relay List.

In Domain name, type example.com.

Click Add Host and type internal1.mailserver.com and internal2.mailserver.com.

Click Round-robin the above hosts.

Your Email gateway is configured to deliver all email to the specified domain using round robin
delivery.

Task Use MX to manage your delivery to a specific domain


Use this task to use your own MX environment to deliver email messages to a specific domain.
You can use your own MX environment to manage your infrastructure externally. For example,
mx.mailserver.com could be set up to either have priority or round-robin delivery.
Task
1

Go to Email | Email Configuration | Sending Email.

In Delivering email, click Add MX Lookup.

In Domain name, type example.com.

In MX record, type mx.mailserver.com.

Your email messages sent to the specified domain are delivered using MX lookup.

Task Use a specified LDAP server to deliver email from a specific domain
Use this task to specify that email messages from a particular domain are handed by a specified LDAP
server.
Before you begin
You must configure your appliance to use the required LDAP server using Email | Group
Management | Directory Services | Add Server before using this feature. You also need ensure that
the Home MTA queries in the Add Server wizard match the configuration for your LDAP directory
services.
Task
1

Go to Email | Email Configuration | Sending Email.

In Delivering email, click Add LDAP Lookup.

In Domain name, type example.com.

In Directory servers, select the LDAP directory server to be used to deliver email messages to the
domain specified in Domain name.

The specified LDAP server is used to handle email messages from the selected domain.

132

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Configuration overview

Task Deliver all failed deliveries to a specific server


Use this task to ensure that all failed email message deliveries are sent to a specific server.
Task
1

Go to Email | Email Configuration | Sending Email.

In Fallback relays for unreachable domains, click Add Relay List.

In Domain name, type *.

Click Add Host, and type internal3.mailserver.com.

All failed email message deliveries are now sent to the specified server.

Task - Deliver the email for a user to the Home MTA attribute defined in
LDAP
Use this task to deliver a message for a user to the Home Message Transfer Agent attribute defined in
LDAP.
Task
1

Go to Email | Email Configuration | Sending Email .

In the Domain Routing area under Delivering email, select Add LDAP Lookup.

In the Domain name field, add the domain name of the email recipients on which you want to perform
the LDAP lookups.

Select the server from the list of directory servers, and click OK.

Sending Email Add Relay List dialog box and Add MX Lookup
dialog box
Add a relay to the lists for sending email, or use MX lookups.
Table 4-22 Add Relay List dialog box
Option

Definition

Domain name

Enter the domain name to which the new relay applies.

Relay host

Shows the relay hosts that are already configured.

Add Host

Click to add a new host to the relay Hosts list.

Delete Selected Hosts

To delete relays listed in the lists, select the relevant relays, and click Delete
Selected Hosts.

Round-robin the above hosts Select this to enable the hosts to be used in a round-robin when sending
email.
Table 4-23 Add MX Lookup dialog box
Option

Definition

Domain name

Enter the domain name to which the lookup applies

MX record

Enter the MX lookup information that determines the IP addresses for delivery.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

133

Overview of Email menu


Email Policies

Anti-Relay Settings Add Relay Domain dialog box and Add MX


Lookup dialog box
Add a relay to the lists for receiving email, or use MX lookups.
Table 4-24 Option definitions Add Domain dialog box
Option

Definition

Domain name

Type the domain name to be used within the anti-relay settings.

Category

Define the type of domain, either:


Local domain
Permitted domain
Denied domain

Table 4-25 Option definitions Add MX Lookup dialog box


Option Definition
MX record To have McAfee Email Gateway do a mail exchange record lookup for domain example.dom,
type server1.example.dom where domain name is example.dom, and the MX record is
server1.example.dom.
Define the type of domain, either:

Category

Local domain
Permitted domain
Denied domain
You can only enter one MX record per domain name.

Email Policies
Use this page to view and configure policies relating to your email traffic.

134

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Introduction to policies
The appliance uses policies which describe the actions that the appliance must take against threats
such as viruses, spam, unwanted files, and the loss of confidential information.

Email | Email Policies

Figure 4-1 Email Policies

Policies are collections of rules or settings that can be applied to specific types of traffic or to groups of
users.

SMTP policies
Email Gateway provides the following features when scanning the SMTP protocol:

Email | Email Policies

SMTP

Anti-Virus, including:

Anti-virus

McAfee GTI file reputation

McAfee Anti-Spyware

Packer detection

Spam, including:

Spam

Phish

McAfee Email Gateway 7.6.400 Appliances

Product Guide

135

Overview of Email menu


Email Policies

Sender Authentication

McAfee GTI message reputation

Compliance, including:

File filtering

Image filtering

Data Loss Prevention

Signed or encrypted content

Mail size filtering

McAfee GTI URL reputation

Compliance

Policy Options, including:

Scanning limits

Notification and routing

Content handling

McAfee GTI feedback

Alert settings

Encryption

POP3 policies
Email Gateway provides the following features when scanning the POP3 protocol:

Email | Email Policies

136

POP3

Anti-Virus, including:

Anti-virus

McAfee GTI file reputation

McAfee Anti-Spyware

Packer detection

Spam, including:

Spam

Phish

Compliance, including:

Mail size filtering

Image filtering

Signed or encrypted content

Scanner Options, including:

Scanning limits

Content handling

Alert settings

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Secure Web Mail policies


McAfee Email Gateway provides the following policies when using the Secure Web Mail client to send
email messages.

Email | Email Policies (McAfee Secure Web Mail

Anti-Virus, including:

Anti-virus

McAfee GTI file reputation

McAfee Anti-Spyware

Packer detection

Spam, including:

Spam

Phish

Compliance, including:

File filtering

Compliance

Data Loss Prevention

Image filtering

Mail size filtering

Signed or encrypted content

Scanner Options, including:

Scanning limits

Notification and routing

Content handling

McAfee GTI feedback

Alert settings

Encryption

About Protocol Presets


Protocol presets enable you to configure your appliance to cater for differences in parts of your
network, or for specific devices on your network.
Normally you design your connection settings to apply to all devices. However some parts of your
network might need some differences because some devices operate differently.
For example:

Part of the network can handle larger or smaller files than normal.

A slow connection requires a different time-out value.

Part of the network must use an alternative authentication service.

By creating a protocol preset, you can cater for this exception to the connection settings.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

137

Overview of Email menu


Email Policies

Where this feature is available, you can click this icon:

Primary and secondary actions


McAfee Email Gateway can be configured to apply two levels of actions when a detection is made.
In general, a client MTA sends an email to Email Gateway. The email message is then scanned. If no
detections are found, the message is delivered to its intended recipients on the server MTAs. However,
if a scanner triggers a detection, Email Gateway applies the selected primary action and a number of
secondary actions to the message that contains the detection.
When Email Gateway is configured in hybrid mode, email messages from the inbound client MTA are
scanned by the cloud-based McAfee Email Protection (Hybrid). If no detections are found, the message
is delivered to the Email Gateway for onward delivery to its intended recipients. However, the process
taken when a scanner triggers a detection varies depending on the scanner.

Primary Action
The primary action is defined as What happens to the message coming from the client MTA to the
server MTA?":

Was it blocked?

Was it modified and then delivered?

Was it delivered to the recipient without modification?

The message is scanned by all scanners. If multiple scanners trigger, the primary action that has the
highest priority is applied. For example, if the file filtering policy is set to Allow Through (Monitor), and the
anti-spam policy was set to Accept and Drop the data (Block), then the Accept and Drop the data (Block) action
applies.
Table 4-26 Primary actions behavior in top-down priority order

138

Type

Action

Sender perspective

Blocking

Deny Connection

550 Message Rejected. Might No message is


receive notification that the
received.
message was delivered.

Yes

Blocking

Refuse the data


and return an
error code

550 Message Rejected. Might No message is


receive notification that the
received.
message was delivered.

No

Blocking

Accept and drop


the data

250 Message Rejected. Might No message is


receive notification that the
received.
message was delivered.

No

Modify

Replace the
content with an
alert

250 Message Accepted. It


appears to the sender that the
message is delivered.

Replacement
message (alert
received)

No

Reroute

Reroute

250 - Message Accepted.

Dependent on
action taken by
onward server

No

McAfee Email Gateway 7.6.400 Appliances

Recipient
perspective

Kernel
mode
blocking

Product Guide

Overview of Email menu


Email Policies

Table 4-26 Primary actions behavior in top-down priority order (continued)


Type

Action

Sender perspective

Recipient
perspective

Kernel
mode
blocking

Monitor

Allow Through

250 Message Accepted.

Message received

No

Skip
scanning

Allow through,
without scanning

250 Message Accepted.

Message received

No

This option might allow


viruses and other
unwanted content to pass
through without
detection.

Only one primary action is taken per detection.

Available primary actions


If a scanner triggers a detection, these primary actions are available:

Deny Connection (Block) Blocks the message from being delivered, returns a 550 SMTP code to the
sending MTA, places the connecting IP address in the Kernel Mode Block list.

Refuse the data and return an error code (Block) Blocks the message from being delivered, returns a 550
SMTP code to the sending MTA.

Accept and Drop the data (Block) Accepts the connection, but blocks the message from being delivered,
returning a 250 SMTP code to the sending MTA.

Replace the content with an alert (Modify) Replaces any detected content with a configurable alert and
delivers the modified Email to its intended recipients.

Allow Through (Monitor) Lets the message pass to its intended recipients, but information is retained
within the logs and reports.

Skip scanning No scanning is performed on this action.


This option might allow viruses and other unwanted content to pass through without detection.
Even though the feature is called Skip scanning, it is still necessary to perform some sort of scanning
of the email to ensure that certain features (for example, attachment identification and disclaimers)
still function. Therefore, the SMTP proxy still needs to be protected from Denial of Service attacks.

Tarpit - Delays the response to the email message. By default, the delay is 5 seconds, and is
configurable from the Default Sender Authentication Settings | Cumulative score and other options tab.

Add to score Combines the results of several methods of sender authentication.

Select the score to be added.

Reject (Block) Blocks the message from being delivered, and returns the appropriate code to the
sending MTA.

Reject and close (Block) Blocks the message from being delivered, returns appropriate code to the
sending MTA and the closes the connection.

Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of combating spam, as
it deals with the message itself (reject), the connection (close) and adds the sending server to the
deny list.
Not all primary actions are available to all policy areas.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

139

Overview of Email menu


Email Policies

Secondary action
A secondary action is defined as What additional actions will happen due to the scanner triggering a
detection?:
The message is scanned by all scanners. If multiple scanners trigger, the secondary actions are
aggregated together. For example, if the file filtering policy is set to Annotate and deliver original to a list, and
the anti-spam policy is set to Annotate and deliver original to a list, then only one notification is sent.
You can also configure any or all of the following secondary actions:
Quarantine options

Quarantine original Select to have the original message added to the Quarantine database.

Quarantine modified Select to have the modified message added to the Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into which the email
message is placed. This selection can include custom quarantine queues that you have created.

Notification email options

Send one or more notification emails Use notification templates to customize the notifications send. Click
Manage templates to make changes to the notification options.

Annotate and deliver original to sender Deliver the original email message to the sender, with
annotations added.

Deliver a notification email to 'Notification Email List' Deliver a notification email to all addresses defined
within the notification email list.

Deliver a notification email to the original recipient(s) Deliver a notification email to all the recipients on
the original email message.

Deliver a notification email to the sender Deliver a notification email to the sender of the email
message.

Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email message for auditing
purposes to all addresses defined within the auditing email list.

Deliver the modified email to the sender Deliver the email message to the sender, with modifications
made by McAfee Email Gateway included.

Show selected/Show all To help manage the options shown, you can hide unselected notification
templates.
In addition to the pre-defined templates shown above, this list will also include any custom
notification templates that you create.

Other actions

140

Modify subject McAfee Email Gateway rewrites the subject of the email message using
user-definable templates, and then delivers the message to the intended recipients. Click Manage
templates to change the way the subject is re-written.

Modify headers McAfee Email Gateway modifies the email message headers using user-definable
templates, and then delivers the message to the intended recipients. You can select multiple
header modification templates. Click Manage templates to change the way the headers are re-written.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your configured encryption
settings.

Policy exceptions
Use policy exceptions to minimize the number of policies that you need to create and maintain.
By applying exceptions for specific circumstances to standard policies, you avoid the time-consuming
task of changing all of your policies.
Contents
What are policy exceptions?
Benefits of using policy exceptions
Task - Configure a policy exception to allow email messages containing blacklisted URLs to be
received by members of Human Resources

What are policy exceptions?


Policy exceptions are rules that change the behavior of a policy only in certain circumstances.
To simplify the process of creating and maintaining the policies that define the scanning behavior for
McAfee Email Gateway, you can configure policy exceptions. Policy exceptions allow you to create
policies that can be applied to a wide user base, and to then create exceptions to these policies for
specific users or groups of users that might need different scanning criteria.
For example, you might configure a policy that includes mail size filtering, with a corporate-wide size
limit of 100,000 KB. You can now configure a policy exception to this policy that states that members
of your creative services team have a higher email size limit, as they often have a legitimate
requirement to send very large files via email.

Benefits of using policy exceptions


By configuring policy exceptions within McAfee Email Gateway, you can use a small number of
standardized policies, and create exceptions that enable the policies to behave slightly differently in
specific circumstances.
If you do not use policy exceptions, you must create new policies for each different behavior, creating
a complex set of policies that becomes difficult to maintain. By using policy exceptions, you need to
maintain fewer policies, as you can handle different requirements using the policy exceptions. These
exceptions make it much easier if you need to update your global policies, as you will need to make
changes to only a small number of policies.
Policy exceptions can be used for most email scanning policies used within McAfee Email Gateway.
When you configure a policy exception, you cannot configure any inheritance of settings from the
original policy. In order to configure different settings for a policy exception to those in the underlying
policy, inheritance is automatically broken for the policy exception.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

141

Overview of Email menu


Email Policies

Task - Configure a policy exception to allow email messages containing


blacklisted URLs to be received by members of Human Resources
You can create exceptions for almost any setting within a policy. This discussion uses URL Reputation
Settings as an example.
You might have added the URLs to your competitors' job vacancy web sites into the URL Reputation
Blacklists in your general policy, so that your workforce cannot receive these links in email messages.
However, you might want to allow your Human Resources team to receive email messages containing
links to these web sites so that they can keep abreast of the current positions and salaries within your
industry. This goal is achieved by creating a policy exception for all members of the Human Resources
team. A policy exception for all members of the Human Resources team has the blacklisted URLs
removed.

Task Add a policy exception


Create policy exceptions to modify the way specific policies apply. This example shows how to add an
exception to URL reputation scanning for Human Resources.
Task
1

Select Email | Email Policies | Compliance.

Click the URL reputation link.

In the exceptions box, click Add Exception.

Type the initial information about the exception:


a

Type a name for this policy exception.


Example: Type HR Exception1

[Optional] Type a description for the exception.


Example: Exception to allow HR to view competitors job/vacancy sites

Select the required option to configure the match logic.


Example: Select Match one or more of the following rules.

Add at least one rule to the exception.


a

Click Add Rule in the Scanning Policies New Policy Exception window.

In the Rule type list, select the proper entity.


Example: Select Recipient email address.

In the Match list, select the proper logic.


Example: Select is like.

In the Value field, type the information that identifies the selected entity.
Example: *@hr.example.com.

e
6

Click OK.

Click OK.
The Scanning Policies New Policy Exception window closes, and the new exception appears in the
exceptions box. An exceptions icon is displayed to the left of the policy area to which it applies.

142

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Task - Add a rule to a policy exception


You must add at least one rule to a policy exception to complete it. You can also add rules to existing
exceptions.
Before you begin
You must create an exception before adding rules.
This example shows how to add a rule to an exception to URL reputation settings.
Task
1

Select Email | Email Policies | Compliance | URL Reputation.

Click the URL reputation link.

In the exceptions box, click the button for the exception to which you want to add a rule.

Click Add Rule.

In the Match list, select the required matching logic.

In the Value field, type the information that identifies the selected entity.

Click OK.

Click OK.

Task Change the policy settings only within the exception


So that these changes only apply to a specific scenario, make changes to the policy settings only
within the exception you have created.
Task
1

Navigate to the portion of the policy you want to change.


Example: Select Email | Email Policies | Compliance | URL Reputation.

Click the URL reputation link.

In the exceptions box, click the button for the exception you want to change.
The configuration page for the policy shows the settings that apply to the exception.

Make the required change to the policy settings.


Be sure to highlight the exception, not the original policy.

Example: From the URL Reputation Settings page, select Blacklists and Whitelists. Remove the URLs you
want excluded from the blacklist.
5

Click OK.
Human Resources are allowed to see links to competitor's employment opportunities without other
departments receiving this information within their email messages.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

143

Overview of Email menu


Email Policies

Task Edit an existing policy exception


You can change the exception logic, and add, change, or delete rules as needed.
Task
1

Select Email | Email Policies | Compliance | URL Reputation.

Click the URL reputation link.

In the exceptions box, click the button for the exception you want to edit.
The Scanning Policies Edit Policy Exception Details window opens.

Make the changes you want.

Change the exception name or the optional description.

Change the match logic.

Add, edit, or delete rules.

Change the order of rules.

Click OK.

[Optional] To delete an exception:


a

Select the exception in the exceptions box.


An X appears beside the exception name.

Click the X. Click OK to delete the exception.

Custom Notifications
McAfee Email Gateway allows you to create your own custom notification email messages for any rule
that allows secondary actions.
Custom notifications allow you to send different messages to specific individuals or groups when an
email message triggers the associated rule. You can use custom notification templates along with the
pre-configured templates. You can also have more than one custom notification template for each rule,
and use any of the available templates in combination.

Benefits of using custom notifications


Custom notifications permit administrators to set up specialized email messages to be sent to select
individuals and groups when a message triggers a particular rule.
Email notifications generated by Email Gateway are based on templates. The system already includes
basic, pre-configured templates. Any custom templates you create become available on the template
list.
Custom email notifications allow you to:

Specify the content and other attributes of your notifications.

Provide the most relevant information to different individuals about messages that trigger action.

Send multiple email notifications for one rule.

Examples Using custom notifications


Custom notifications are useful in a variety of circumstances. The following scenarios illustrate ways
you might apply them.

144

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Issue In the default policy, you have enabled Compliance, and you created five compliance rules. By
default, all five rules use the default compliance notification. You want to send more detailed
notifications to two distinct groups when a message triggers specific rules: the Legal Department, and
a list of other individuals.
Solution You create two custom notification templates, one for each of these groups. Then you can
add the notifications to the actions for each rule you want, without affecting the actions for other
rules.
Issue You have created a policy that applies to inbound mail, and you have enabled Image Filtering.
You have created a rule that scans messages for objectionable images. You want to notify the intended
recipient about the message, and you want to inform Human Resources. The notification to Human
Resources contains unique content.
Solution You create a custom notification template for Human Resources, then apply it to the rule.
You also apply the preconfigured notification to the recipient.

Task Create a custom notification


You might want to notify an administrator or group of people if McAfee Email Gateway detects a
specific event. In many policy options, you can now define your own notification message templates.
Before you begin
Notifications result from messages that trigger specific rules. You must have configured a
rule before you can generate notification email messages.
Use the wizard from the Manage Templates page to create a custom notification.
Task
1

Select Email | Email Policies. In the scanner column of your choice, select the link for a rule.

Select the option to enable the rule.

Set thresholds or other parameters for the rule if required.

Under Take the following action, select the main action for the rule.

Under And also, scroll to Notification email options and select the check box to Send one or more notification
emails.

Select the Manage templates link.

On the Notification Templates page, click Add.

Use the Add Notification Template wizard to create the custom notification template.

When you have completed the wizard, click Finish

10 On the Notification Templates page, click OK.


11 On the options page for the rule you chose, select the new custom notification template from the
list of available templates.
Messages that trigger the rule will generate the custom email notifications.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

145

Overview of Email menu


Email Policies

Email Policies
Use this page as a single point where you can access the pages and dialog boxes you need to set up
and configure your policies.

Email | Email Policies | Scanning Policies


Policy settings specify how the appliance handles threats to groups of users or devices. For example, a
policy can apply to all computers on the same subnet, or all users in a department.

Benefits of using the Scanning Policies page


Use this information to gain an understanding of the benefits of using Scanning Policies to configure
your Email Gateway.
The Scanning Policies page enables you to access all the forms you need to configure and manage your
policies for the SMTP and POP3 protocols and for McAfee Secure Web Mail policies.
The user interface provides an overview of your policy settings, giving you information about each
policy such as the action taken when a virus is detected. The page to configure these settings is
displayed when you click the relevant information.
Some of the options described on this help page do not apply to POP3 or McAfee Secure Web Mail
scanning policies. Where options only apply to one protocol, this is highlighted.

Option definitions Email scanning policies


Learn about the options present within the user interface for configuring email scanning policies.
The following information and controls are available to configure this feature:
Table 4-27 Option definitions
Option

Definition

Select a
protocol:

Use the drop-down list to display, create, or edit your policies for:
SMTP
POP3
McAfee Secure Web Mail

Order

Policies are used in a "top-down" order. When more than one policy has been created,
you can select the order in which they are applied.

Policy Name

Displays the name of each policy.


The appliance always has a default policy, which applies to everything in the network.
You can change the default policy, but you cannot delete it.
To see the users or devices that are affected by a policy, move the cursor over the
policy name and wait for a yellow box to appear.
To change any details of the policy, click the blue link to open another window.

146

Applies to inbound email traffic (SMTP protocol only)


Applies to outbound email traffic (SMTP protocol only)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-27 Option definitions (continued)


Option
Anti-Virus

Definition
Displays brief details about the Anti-Virus options settings.
Click any link within the Anti-Virus area of the relevant policy to open the Anti-Virus Settings
page.
From the Anti-Virus Settings page you can access:
Basic Options, including McAfee GTI file reputation
Advanced Threat Defense
McAfee Anti-Spyware
Packers
Custom Malware Options

Spam

Displays brief details about the Spam settings.


Each link within the Spam area of each policy opens a separate page containing the
features and options you need to configure your policy.
Anti-Spam Settings including:
Basic Options

Spam Rules

Advanced Options

Spam Terms

Blacklists and Whitelists


Anti-Phish Settings
Sender Authentication Settings (SMTP protocol only), including:
Message Reputation
You can enable this option for a higher detection threshold, a lower detection
threshold, or both, based on GTI Message Reputation levels.

RBL Configuration
SPF, Sender ID, DKIM and FCrDNS
Cumulative Score and Other Options
Compliance

Displays brief details about the Compliance settings.


Each link within the Compliance area of each policy opens a separate page containing the
features and options you need to configure your policy. You can configure:
File Filtering Settings (SMTP protocol only)
Data Loss Prevention Settings (SMTP protocol only)
Mail Size Filtering Settings, including information on:
Mail Size Filtering Settings -- Message Size
Mail Size Filtering Settings -- Attachment Size
Mail Size Filtering Settings -- Attachment Count
Compliance Settings
Image filtering
Signed or encrypted content
URL reputation

McAfee Email Gateway 7.6.400 Appliances

Product Guide

147

Overview of Email menu


Email Policies

Table 4-27 Option definitions (continued)


Option

Definition

Policy Options

Displays brief details about the Policy Options settings.


Each link within the Policy Options area of each policy opens a separate page containing
the features and options you need to configure your policy. You can configure:
Scanning Limits, including information on maximum file size, maximum nesting depth
and maximum scan time.
Alert Settings
Content Handling, including information on:
Content Handling Settings Email Options
Basic Options

Text and binary MIME types

Advanced options

Character sets

Missing / Empty Headers


Content Handling Settings HTML Options
Content Handling Settings Corrupt or Unreadable Content
Corrupt content
Protected files
Partial / external messages
Unscannable Content
Policy based action
Notification and Routing (SMTP protocol only), including information on:
Notification and Routing Notification Emails
Notification and Routing Audit Copies
Notification and Routing Routing
Notification and Routing SMTP Relays
Notification and Routing Email Recipients
McAfee GTI feedback
Encryption Options, including information on:
Encryption Settings
On-box Encryption Options
On-box Decryption Options
Move

Use the arrow icons to move your policies higher or lower in priority order.

Move the policy up

Move the policy down


The default policy always appears at the bottom of the list of policies. You cannot change
its position.

148

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-27 Option definitions (continued)


Option

Definition

Delete

After creating policies, you can choose to delete any that you no longer require, by
clicking

.
You cannot delete the default policy.

When clicked, opens the Scanning Options New Policy dialog box where you can create new
policies, user groups, and network groups.

Add Policy

Task Delete a scanning policy


Use this task to understand how to delete a scanning policy that is no longer needed.
You cannot delete the default scanning policy.

To delete a previously created policy:


Task
1

Click Email | Email Policies | Scanning Policies.

Identify the policy to be deleted.

3
4

Click

Confirm that you intend to delete the policy.

The identified policy is deleted.

Task View policies for SMTP, POP3 or McAfee Secure Web Mail
View the scanning policies that exist for SMTP, POP3 or McAfee Secure Web Mail.
You use this page to create, and manage your SMTP, POP3 or McAfee Secure Web Mail email scanning
policies.
The POP3 protocol limits some of the scanning actions that can be applied to email messages. Options
not available to scan POP3 email messages are hidden from the POP3 protocol view.

Task
1

Click Email | Email Policies | Scanning Policies.

Select either SMTP, POP3 or McAfee Secure Web Mail from the Select a protocol: drop-down list.

The Email | Email Policies | Scanning Policies page refreshes to show the policies that have been defined for
the selected protocol.

Task Change the scanning order of my policies


Use this task to change the order in which your policies are used to scan email traffic.
The appliance uses the order of the policies to evaluate the email messages being scanned. A message
will first be evaluated against the rule with the Order value of 1, and if this does not trigger, it is then
evaluated against policy 2 and so on until it is evaluated by the default scanning policy.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

149

Overview of Email menu


Email Policies

If you have created more than two scanning policies, you can change the order that your appliance
uses the policies to evaluate email traffic. This is achieved by moving the relevant policies up or down
the policy list.
The default policy always appears at the bottom of the list of policies. You cannot change its position.

Task
1

Click Email | Email Policies | Scanning Policies.

Identify the policy to move in the evaluation order.

In the Move column, click

or

to move the policy one step.

If the identified policy is either at the top of the evaluation order, or is next to the default policy,
then one or other of the icons will not be available for selection.

Task Turn on GTI message reputation for all users in the HR group
defined in LDAP
Use this task to enable GTI message reputation checks for all users in the Human Resources group
defined in LDAP.
Before you begin
Before completing this task, you must do the following:

Configure an LDAP server and at least one query (Email | Group Management | Directory Services

Define a user group for Human Resources (Email | Group Management | Network Groups

Task
1

Go to Email | Email Policies.

Within the desired protocol, click Add Policy.


The Scanning Policies - New Policy dialog box opens.

Type a name for the new policy, and add a description if desired.

Select the policy from which this policy will inherit settings.

Indicate the email direction for messages treated with this policy.

Select the match logic to use for this policy.

Select Add Rule.


The Add Rule dialog box opens.

In the Add Rule dialog box, select the LDAP Query rule type and click OK.
The Add Rule dialog box closes.

On the New Policies dialog box, click OK.


The new policy appears on the Policies list.

10 In the Spam section for the new policy (or for the Default policy if you selected that), click the link
for GTI message reputation.
The Sender Authentication Settings dialog box opens.

150

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

11 Enable message reputation, then click OK.


12 Select the green check mark icon in the upper portion of the window to save and apply your
configuration.

Task Re-write the Subject of all messages matching a policy


Configure McAfee Email Gateway to re-write the Subject line of all email messages that match a
specific policy. To configure your policy to re-write the Subject line of email messages requires that
you follow each of the steps given within this task.
Tasks

Task Create a compliance dictionary to match all subject lines on page 151
Create a compliance dictionary that matches all email messages with a valid subject line.

Task Create a compliance dictionary to match subject lines that have already been
modified on page 152
To prevent the subject line of a message being re-written each time any other process
modifies the subject, create a new compliance dictionary.

Task Configure a policy to use the new compliance dictionaries on page 153
Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can
re-write the subject of email messages matching the compliance dictionary, unless the
subject line has already been modified.

Task Create a compliance dictionary to match all subject lines


Create a compliance dictionary that matches all email messages with a valid subject line.
Before you can configure a policy to match all email messages with a valid subject line, create a
compliance dictionary.
Task
1

Browse to Email | DLP and Dictionaries | Compliance Dictionaries.

Under Dictionary List, click Add Dictionary.

Type a name for the new category. For example, type All Subjects in the Name field.

Type a description for the new dictionary.

Select Regular expressions from Match type.

Click OK.
Under Dictionary details for 'All Subjects', a New term is added.

Click the Everything link from within Dictionary details for 'All Subjects'.

Unselect Everything.
The File categories and Subcategories areas are enabled.

Select E-Mail Messages from within File categories.

10 Select Subject line from within Subcategories


11 Click OK.
The new dictionary, All Subjects, now is applied only to email messages with a valid Subject line.
12

From the New term row of the Dictionary details for 'All Subjects' table, click the edit

McAfee Email Gateway 7.6.400 Appliances

icon.

Product Guide

151

Overview of Email menu


Email Policies

13 In the Term field, type .*.


14 Click OK.
15 Apply the new configuration.
The new compliance dictionary is created, and is configured to match any email message with a valid
subject line.

Task Create a compliance dictionary to match subject lines that have


already been modified
To prevent the subject line of a message being re-written each time any other process modifies the
subject, create a new compliance dictionary.
Before you begin
Ensure that you have already created the compliance dictionary for the initial subject
re-write, and have configured your policies to successfully re-write subject lines for emails
that match the policies.
Task
1

Browse to Email | DLP and Dictionaries | Compliance Dictionaries.

Under Dictionary List, click Add Dictionary.

Type a name for the new category. For example, type Previously Modified Subjects in the Name
field.

Type a description for the new dictionary.

Select Regular expressions from Match type.

Click OK.
Under Dictionary details for 'Previously Modified Subjects', a New term is added.

Click the Everything link form within Dictionary details for 'Previously Modified Subjects'.

Unselect Everything.
The File categories and Subcategories areas are enabled.

Select E-Mail Messages from within File categories.

10 Select Subject line from within Subcategories


11 Click OK.
The new dictionary, Previously Modified Subjects, now is applied only to email messages with a valid
Subject line.
12

From the New term row of the Dictionary details for 'Previously Modified Subjects' table, click the edit

13 In the Term field, type ^((re|fw):\s*)*policy match:.


Repeat this step for any other modification patterns that you do not want to be re-applied.

14 Click OK.
15 Apply the new configuration.

152

McAfee Email Gateway 7.6.400 Appliances

Product Guide

icon.

Overview of Email menu


Email Policies

The new compliance dictionary is created, and is configured to match any email message with a
subject line that includes re: or fw:
This rule is not case sensitive, so it will match re: Re: RE: fw: Fw: or FW:

Task Configure a policy to use the new compliance dictionaries


Link the new compliance dictionaries to a policy, so that your McAfee Email Gateway can re-write the
subject of email messages matching the compliance dictionary, unless the subject line has already
been modified.
Before you begin
Ensure that you have created the new compliance dictionaries before following this task.
You can edit an existing policy to use the new compliance dictionaries, or you can create a new policy.

Task
1

Create a new policy, or select the policy to be edited.

Click the Compliance link within the Compliance column.

Ensure that Compliance is enabled (Select Yes at the top of the dialog box.)

Click Create new rule.


You will need to create a new rule for the "All Subjects" compliance dictionary and another new rule
for the "Previously Modified Subjects" compliance dictionary.

Type a name for the new rule: (for example:)

Match all messages for the All Subjects rule.

Previously Modified Subjects for the rule to prevent multiple subject re-writes.

Click Next.

Search for and select the compliance dictionaries you previously created (in the example, this was
"All Subjects", and "Previously Modified Subjects".)

Click Next.

Click Next.

10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify subject from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Subject Templates dialog box.
14 Select or edit the required Subject templates:

For the "All Subjects" rule, edit the subject template by adding the text you want to be
displayed in the subject line for email messages matching this policy. For example, type "Policy
Match: " before the %SUBJECT% token.

For the "Previously Modified Subjects" rule, select the %SUBJECT% option, and make sure that
it has a higher priority than the "Policy Match: %SUBJECT%" template (by moving this to the
top of the list).

McAfee Email Gateway 7.6.400 Appliances

Product Guide

153

Overview of Email menu


Email Policies

15 Click OK.
16 Click OK.
17 Select the modified subject from the Select a template drop-down list.
18 Click Finish.
19 Click OK.
20 Apply the changes.
The subject line of all email messages matching this policy are re-written, unless the subject lines
have already been modified.

Task Modify the headers of all messages matching a policy


Configure McAfee Email Gateway to modify the headers of all email messages that match a specific
policy.
Tasks

Task Create a compliance dictionary to match all messages on page 154


Create a compliance dictionary that matches all email messages. One way to achieve this is
to match email messages with a valid subject line.

Task Configure a policy to use the new compliance dictionaries on page 155
Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add
a custom header to email messages matching the compliance dictionary.

Task Create a compliance dictionary to match all messages


Create a compliance dictionary that matches all email messages. One way to achieve this is to match
email messages with a valid subject line.
Before you can configure a policy to match all email messages, create a compliance dictionary.
Task
1

Browse to Email | DLP and Dictionaries | Compliance Dictionaries.

Under Dictionary List, click Add Dictionary.

Type a name for the new category. For example, type All Subjects in the Name field.

Type a description for the new dictionary.

Select Regular expressions from Match type.

Click OK.
Under Dictionary details for 'All Subjects', a New term is added.

Click the Everything link from within Dictionary details for 'All Subjects'.

Unselect Everything.
The File categories and Subcategories areas are enabled.

Select E-Mail Messages from within File categories.

10 Select Subject line from within Subcategories

154

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

11 Click OK.
The new dictionary, All Subjects, now is applied only to email messages with a valid Subject line.
12

From the New term row of the Dictionary details for 'All Subjects' table, click the edit

icon.

13 In the Term field, type .*.


14 Click OK.
15 Apply the new configuration.
The new compliance dictionary is created, and is configured to match any email message with a valid
subject line.

Task Configure a policy to use the new compliance dictionaries


Link the new compliance dictionary to a policy, so that your McAfee Email Gateway can add a custom
header to email messages matching the compliance dictionary.
Before you begin
Ensure that you have created the new compliance dictionary before following this task.
You can edit an existing policy to use the new compliance dictionary, or you can create a new policy.

Task
1

Create a new policy, or select the policy to be edited.

Click the Compliance link within the Compliance column.

Ensure that Compliance is enabled (Select Yes at the top of the dialog box.)

Click Create new rule.


You will need to create a new rule for the "All Subjects" compliance dictionary.

Type a name for the new rule: (for example:) Match all messages for the All Subjects rule.

Click Next.

Search for and select the compliance dictionary you previously created (in the example, this was
"All Subjects".)

Click Next.

Click Next.

10 From the If the compliance rule is triggered drop-down list, select Allow Through (Monitor).
11 From And also, select Modify headers from the Other actions sub-category.
12 Click Manage templates.
13 Click Add from the Header Modification Templates dialog box.
14 Select or edit the required header templates, including defining the name for each header and
specifying the tokens applicable to each header.

To prevent multiple copies of a defined header being added to a message, select Remove Existing.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

155

Overview of Email menu


Email Policies

15 Click OK.
16 Click OK.
17 Select one or more Header Modification Templates from the list of currently configured templates.
18 Click Finish.
19 Click OK.
20 Apply the changes.

Email Policies - Add Policy


Specify a new policy, including defining the group of users or devices to which you can apply the
policy.

Email | Email Policies | Add Policy...


The Add Policy page enables you to specify parameters that define the policy. You also specify the users,
user groups, and network groups to which the policy applies.

Option definitions Scanning Policies | New Policy


This information describes the options available on this dialog box.

Option definitions New Policy dialog box


Option

Definition

Add user group

Click to open the Add User Group dialog box.

Add network group

Click to open the Add Network Group dialog box

Policy name

Type the name of the new policy.

Description

Optionally add a description of the new policy to facilitate identification.

Inherit settings from

Select the policy from which you want this policy to inherit its settings.

Email direction

Choose whether you want the policy to apply to inbound or outbound email traffic
only. By default, policies apply to both inbound and outbound traffic.

Match logic

Choose whether you want the match to be made on one or more of the rules, or all
of the rules in the list.

Add Rule

Opens a new dialog box where you can specify the type and match for the rule
that you want to create, and specify the value.
The network group and user group and LDAP query rules are not available until you
create the items.

Move

Use the arrows to move the rules up and down the list.
The rules are actions from the top of the list downwards.

Delete Selected Rules Click to remove a rule from the list.


Reset

156

Resets the window to the default state.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option definitions Add User Group dialog box


Option

Definition

Group name

Type the name of the group

Selected or
unselected

Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow
icons to move the rules up and down the list.

Rule type

Choose from:
Sender email address
Recipient email address
Sender user group
Recipient user group
LDAP Query (if configured)
The LDAP query and user group options become available only when a user
group or LDAP server has been created.

Match

Choose from:
is
is not
is like
is not like

Value

Type the value that you want to associate with Match.

Add Rule

Click to add a new rule to the list.

Option definitions Add Network Group dialog box


Option

Definition

Group name

Type the name of the network group

Rule type

Choose from:
IP address
VLAN identifier
Network connection
Host name

Match

Choose from:
is
is not
is in
is not in

Value

Type the value associated with the type of rule that you chose

Move

Use the arrows to move the rules up and down the list
The rules are actions from the top of the list downwards.

Add Rule / Delete Selected Rules

Click to add a new rule to the list

Reset

Click Reset to clear all data from this form.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

157

Overview of Email menu


Email Policies

Task Create a new scanning policy


Learn how to create a new scanning policy.
Your appliance uses the policies you create to scan the email messages sent through the appliance.
You can create multiple policies to control the way different users use email, or to specify different
actions based on specific circumstances.
Task
1

Select Email | Email Policies | Scanning Policies.

Select the required protocol using steps in Task View policies for SMTP, POP3 or McAfee Secure
Web Mail.

Click Add policy.

In the Scanning Policies New Policy page, enter the following information:
a

Name for the policy.

Write an optional description for the new policy.

Specify where the new policy inherits its settings from.


If you have a similar policy already set up, select this to allow its settings to be inherited by the
new policy.

Choose if the policy is to apply to inbound or outbound email traffic. (SMTP only)

Select the required Match logic for the policy.

Select the type of rule, how it should match, and the value that the rule tests against.

If required, add additional rules, and use the

and

buttons to correctly order the rules.

Click OK.

The new policy is added to the top of the list of policies.

Task - add a user group


Use this task to create a user group that can be used in policy selection.
Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and its queries are
providing output.
Task
1

Go to Email | Group Management | Email Senders and Recipients.

Click Add and type a name for the group.

Click Add Rule.

In Rule type, select LDAP Query.


The Values field is populated with the name of the LDAP group you selected.

158

Click OK to close the dialog box.

Go to Email | Email Policies | Add Policy....

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Click Add Rule. In Rule type, select User group.

In Value, select the user group you created, and click OK.

Task Create a policy using a network group


Use this task to create an email policy using a network group of internal email servers. This allows
easy management of your internal network groups without having to change scanning policies.
Task
1

Go to Email | Group Management | Network Groups.

Click Add, and type a name for the network group such as Internal Email Servers.

Click Add Rule.

In Rule type, select IP address.

In Match, select is, and type the IP address of one of your mail servers.

In Value, type the IP address of one of your email servers, and click OK.

Repeat steps 3 through 6 to add the IP address of another email server.

Click Email | Email Policies | Add Policy..., and type a name for the policy.
If the network group that you want to use for the policy is not already created, click Add network group.

Configure the policy:

Select the policy from which you want to inherit settings

Select the email direction

Set the match logic.

10 Click Add Rule.


11 In Rule type, select Source network group, and in Value, select the Internal mail servers group.
12 Click OK.

Option definitions Add rule or Edit rule dialog


Use these options to configure or edit the types of rules you want the policy to apply.
The available options vary with the selected rule type.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

159

Overview of Email menu


Email Policies

Table 4-28
Rule type

Option definitions available options


Explanation

Source IP address Use this rule to enforce a policy based on the IP address of
the incoming network connection.
The source IP address is usually the IP address of the
Senders MTA or of the Firewall/NAT in front of the MTA.
This rule works with proxy or transparent connections.
Destination IP
address

Use this rule to enforce a policy based on the IP address of


the outgoing network connection.
The destination IP address is usually the IP address of the
Recipients MTA or of the Firewall/NAT in front of the MTA.
This rule only works with transparent connections.

Supported match
options
is
is not
is in
is not in
is
is not
is in
is not in

Sender email
address

Use this rule to enforce a policy based on the email address


of the sender. The rule uses the information in the MAIL
FROM envelope of the SMTP conversation.

is
is not
is like
is not like

Masqueraded
sender email
address

Use this rule to enforce a policy based on an email address


after address masquerading is carried out.

is
is not
is like
is not like

The email address to evaluate is taken from 'MAIL FROM' of


the SMTP conversation, after address masquerading has
been applied. If the email address has not been
masqueraded the original Sender email address is used.
This rule applies regardless of masquerading success or
failure.

160

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-28

Option definitions available options (continued)

Rule type

Explanation

Recipient email
address

Use this rule to enforce a policy based on the email address


of the recipient of the email. The rule uses Information in
the 'RCPT TO' envelope of the SMTP conversation.
Since an email may be addressed to more than one
recipient, the application of this rule differs between
transparent and proxy connections:

Supported match
options
is
is not
is like
is not like

Proxy connections application of this rule causes the


message to be split if a single policy does not match all of
the recipients of the email (as specified by the Recipient
email address or Aliased recipient email address). The
message will be scanned using each of policies for the
recipients that match that policy. It is possible that
recipients who match different policies will receive a
different mail to other recipients, if policy settings cause
modification of the mail.
The number of times a message may be split is configured
in Email Configuration | Protocol Configuration | Protocol
Settings (SMTP) | Message processing | Advanced options
| Maximum number of policies per email. If the message is
split more that the configured number of times, no
message split is performed and the message is scanned
with the highest order common policy.
Transparent connections by default a policy with this
rule is only triggered if all recipients match the rules for
the policy (as specified by the Recipient email address or
Aliased recipient email address).
When a message has multiple recipients and multiple
policies would have matched, the highest order policy that
matched all rules up to the RCPT TO phase of the policy
will be used for scanning. This behavior may be overridden
in Email Configuration | Protocol Configuration | Protocol
Settings (SMTP) | Transparency options (router and bridge
mode only) | Advanced options | Allow multiple policies
per email.
Overriding this behavior will cause the original
connection to the onward server to be ended, and a new
mail delivered for each policy.
A policy will never trigger, if 'Recipient email address' rule
type has been used more than once in the policy with
'Match all of the following rules' match logic.

Recipient email
address list

Use this rule to enforce a policy based on the email


addresses of the complete set of recipients included in the
email delivery.
This rule is evaluated after the complete set of recipients has
been received at the 'RCPT TO' phase of the SMTP
conversation. It will not cause the message to be split for
different policies.

contains
does not contain
contains values like
does not contain
values like

This rule may be used to trigger a policy when you need to


consider whether multiple recipients have been sent a
message.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

161

Overview of Email menu


Email Policies

Table 4-28

Option definitions available options (continued)

Rule type

Explanation

Aliased recipient
email address

Use this rule to enforce a policy based on the aliased email


address of the recipient.

Supported match
options
is
is not
is like
is not like

Aliased recipient
email address list

Use this rule to enforce a policy based on a recipient email


address list after the recipient aliasing is carried out.
Once the policy is enforced based on the email address list it
will stop evaluating the policies later in the order for that
email.

VLAN identifier

Use this rule to enforce a policy based on a VLAN identifier


which uniquely identifies the VLAN to which the frame
belongs. You can use a value between 0 4095.

contains
does not contain
contains values like
does not contain
values like
is
is not

This rule applies to transparent connections only.

162

Incoming network Use this rule to enforce a policy based on a specific network
connection
connector (NIC) for incoming connections.

is

Outgoing network Use this rule to enforce a policy based on a specific network
connection
connector (NIC) for outgoing connections.

is

Source host name Use this rule to enforce a policy based on the domain name
for the origin or the message.

is
is not
is like
is not like

Destination host
name

Use this rule to enforce a policy based on the domain name


for the recipient of the message.

is
is not
is like
is not like

Source network
group

Use this rule to enforce a policy based on a specific,


identifiable network group.

is
is not

Destination
network group

Use this rule to enforce a policy based on a specific,


identifiable network group.

is
is not

User group

Use this rule to enforce a policy based on a specific,


identifiable user group.

is
is not

LDAP query

Use this rule to enforce a policy based on a selected LDAP


query.

Query and Value


Retrieve button

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-28

Option definitions available options (continued)

Rule type

Explanation

Email subject

Use this rule to enforce a policy based on specific values of


the Subject header of the message.

Supported match
options
matches
does not match
is
is
is
is
is
is
is
is

Email header

Use this rule to enforce a policy based on specific values in a


Header of the message.
The UI provides a drop down list of standard headers, as
well as headers used by McAfee Data Loss Prevention
(X-RCIS-Action) and McAfee Outlook Add-in for sending
encrypted outbound messages (X-MFE-Encrypt). You can
choose any of these, or specify a custom header, such as
XMyHeader.

not
like
not like
empty
not empty
present
not present

matches
does not match
is empty
is not empty
is present
is not present

All whitespace in the header value, including continuation


lines, is collapsed and normalized to one SPACE (ASCII
0x20) character. To match any whitespace use either ' ' or
\s.
Multiline headers are collapsed into a single line.
MIME-encoded header values containing non-ASCII
characters are decoded. The pattern matching uses the
Unicode values of the characters in the string.
Policy rules

Use this rule to enforce a policy based on configured policy


based rules.

N/A

Other configuration options


Operator

This option is only available when you select the rule type.

Match

Available LDAP querymatch options vary with the rule type you choose. The match
logic options table below shows the permitted matches for each rule type.

Value

Enter or select the value associated with the type of rule that you chose.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

163

Overview of Email menu


Email Policies

Option definitions match logic options


Understand the options for the matching logic available within rules.
Table 4-29 Option definitions match logic options
Option

Definition

Explanation

is

The rule type you select is an exact


match for the value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
is not

The rule type you select does not


match the value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
is like

The rule type you select matches the


pattern of the value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
is not like

The rule type you select does not


match the pattern of the value you
enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name

164

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-29 Option definitions match logic options (continued)


Option

Definition

Explanation

contains

The rule type you select contains the


specific value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
does not contain

The rule type you select does not


contain the specific value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
contains values
like

The rule type you select includes


values that match the pattern of the
value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
does not contain
values like

The rule type you select does not


include values that match the pattern
of the value you enter.

Supported values vary according to rule


type, and may include:
IP address

Network
connection

Network IP
address

VLAN identifier

Email address

Host name

Domain name
is empty

The rule type you select exists, but it


contains no values.

N/A

is not empty

The rule type you select exists, and


contains unspecified values.

N/A

is present

The rule type you select exists.

N/A

is not present

The rule type you select does not


exist.

N/A

McAfee Email Gateway 7.6.400 Appliances

Product Guide

165

Overview of Email menu


Email Policies

Table 4-29 Option definitions match logic options (continued)


Option

Definition

Explanation

matches

The rule type you select matches the


regular expression you enter.

Create a regular expression.

does not match

The rule type you select does not


match the regular expression you
enter.

Create a regular expression.

Option Definitions Scanning Policies New Policy Exception


Create policy exceptions to exempt specified individuals or groups from configured policies.
Exceptions apply whether you enable the underlying policy or not.

Table 4-30

Option definitions New Policy Exception

Option

Definition

Exception name

Specifies name for the exception.

Description (optional)

Specifies a description that helps to identify the exception, if desired.

Use this exception when


scanning email

(Only visible when editing an existing policy exception)

Match logic

Select the required option to determine how the system applies policy
exception rules.

Rule type

Displays the type of the rule, based on the parameters set when you
created the rule.

Move

Clicking the relevant arrow moves a rule up or down in the list of rules.
Rule priority is determined by the position within the list, with the rules at
the top of the list having a higher priority than those lower down.

Edit

Opens the edit window for the specific rule.

Add user group

Opens the page to allow you to create a new user group.

Add network group

Opens the page to allow you to create a new network group.

By default, this checkbox is selected, enabling the selected policy exception


within your email scanning. Deselect to disable the policy exception.

Table 4-31 Option definitions Add Rule


Option

Definition

Rule type

Drop-down list displays the available entity types. The rule applies this type.

Match

The drop down selections determine how the rule applies to the entity.

Value

Specifies the data to identify the specific entity.

Option definitions Scanning Policies | New Policy | Add user


group
This information describes the options available on this dialog box.

166

Option

Definition

Group name

Type the name of the group.

Selected or
unselected

Select a group and click Edit or Delete Selected Rules as appropriate. Use the arrow
icons to move the rules up and down the list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition

Rule type

Choose from:

Sender email address


Recipient email address
Sender user group
Recipient user group
LDAP Query (if configured)
The LDAP query and user group options become available only when a user
group or LDAP server has been created.

Choose from:

Match

is
is not
is like
is not like
Value

Type the value that you want to associate with Match.

Add Rule

Click to add a new rule to the list.

Task - add a user group


Use this task to create a user group that can be used in policy selection.
Before you begin
Ensure that you have a valid connection to a Generic LDAP Server, and its queries are
providing output.
Task
1

Go to Email | Group Management | Email Senders and Recipients.

Click Add and type a name for the group.

Click Add Rule.

In Rule type, select LDAP Query.


The Values field is populated with the name of the LDAP group you selected.

Click OK to close the dialog box.

Go to Email | Email Policies | Add Policy....

Click Add Rule. In Rule type, select User group.

In Value, select the user group you created, and click OK.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

167

Overview of Email menu


Email Policies

Option definitions Scanning Policies | New Policy | Add


network group
This information describes the options available on this dialog box.
Option

Definition

Group name

Type the name of the network group.

Rule type

Choose from:
IP address
VLAN identifier
Network connection
Host name
Choose from:

Match

is
is not
is in
is not in
Value

Type the value associated with the type of rule that you chose.

Move

Use the arrows to move the rules up and down the list.

Add Rule / Delete Selected Rules Click to add a new rule to the list.
Use the Reset button to clear the entries you have made in this dialog box.

Reset

Option definitions Subject Templates


Create or edit Subject templates for the subject re-write action used by McAfee Email Gateway
features.
Option

Definition

Template

Shows the text or tokens that will be used to re-write the subject line.

Priority

Shows the priority of the available templates.

Move

Use the arrow icons to move your subject template higher or lower in priority order.

Move the template up

Move the template down

Edit

Click to make changes to the text that is used to re-write the subject line.

Delete

Click to remove the template.


You cannot delete a template that is currently being used by a policy.

168

Add

Create a new template at the bottom of the template list.

Insert

Create a new template above the currently selected template.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option definitions Header Modification Templates


Create or edit header templates for the modify headers action used by Email Gateway features.
Option

Definition

Header Name

Shows the name of the header being added or modified within the email message.

Header Value

Shows the tokens that provide information used to modify the email headers.

Remove Existing

When selected, Email Gateway removes existing headers with the same name.

Edit

Click to make changes to the header template.

Delete

Click to remove the template.


You cannot delete a template that is currently being used by a policy.

Add

Create a new template at the bottom of the template list.

Option definitions Notification Templates


Use the notification templates page to view details about each available notification template, and to
manage the customized notification templates.
Table 4-32 Option definitions
Option

Definition

Template Name Lists the names for all the pre-defined and custom notification templates.
Email Content

Provides an overview of the content of the notification emails generated from each
notification template.

Sender

Lists the purported sender for the notification email message.

Recipients

Lists the recipients that will receive notifications when each notification template is used
to generate a notification email message.

Subject

View the subject that is added to notification email messages.

Edit

Click to make changes to the settings contained within custom notifications.


You cannot edit the pre-defined notification templates.

Delete

Click to remove the template.


You cannot delete the pre-defined notification templates, or any templates that are
currently being used by a policy.

Add

Create a new notification template. The new template is added at the bottom of the
template list.

Option definitions Add/Edit Notification Template


Create or edit notification templates as part of the customized notifications feature.
The Add Notification Template pages take the form of a wizard, with the following pages:

Email Content

Subject

Sender

Other options

Recipients

When editing a pre-configured customized notification template, these same pages are available from
tabs accessed from the Edit Notification Template link.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

169

Overview of Email menu


Email Policies

Table 4-33 Option definitions Add/Edit Notification Template Email Content


Option

Definition

Template name

Add or edit the name for the template. This name is reflected in the first column of
the Notification Templates dialog box.

Predefined content To use predefined content within the notification, select one of the options:
Send a default notification email

Forward the original email

Send an annotated email

Forward the modified email

Send a scanner alert


Selecting either of the forward options does not allow the use of custom subjects, or
allow the forwarding of any attachments contained within the email message.

Custom content

To create a custom notification, choose either:


Send a custom HTML notification, or
Send a custom plain text notification

Editing area

When creating custom notification content, use the editing area to create the
notification. Select from the drop down list of available tokens to have McAfee Email
Gateway add the required information at the time the notification is sent. Type any
other message for the intended recipients of the notification.

Table 4-34 Option definitions Add/Edit Notification Template Sender


Option

Definition

Predefined sender Select from the list of available, predefined senders.


Custom sender

To have notification emails appear to be from a specific, custom sender, enter the
required email address.

Table 4-35 Option definitions Add/Edit Notification Template Recipients


Option

Definition

Predefined recipients

Select from either the recipient (or recipients) for the original email message, or
the sender of the original email message.

Custom recipient

To have notification emails sent to another recipient, enter the required email
address.

Configured recipient lists To have the notification messages sent to a list of recipients, enable One or more
recipient lists, and then select the required list or lists.
Table 4-36 Option definitions Add/Edit Notification Template Subject
Option

Definition

Predefined subject Select from the list of available subject options.


Custom subject

Create a custom subject to be used by notification messages generated using this


template. Custom subjects can include tokens selected from the drop-down list that
are populated with data from the McAfee Email Gateway at the time the notification
is generated.

Table 4-37 Option definitions Add/Edit Notification Template Other options


Option

Definition

Attachments

You can choose to attach the original email message, the


modified email message when available, both types of message
or no messages.

Miscellaneous options

170

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-37 Option definitions Add/Edit Notification Template Other options (continued)
Option

Definition

Only generate the notification when the email


is delivered

Select this check box to send notifications only when the


appliance does not block the message.

Do not generate a bounce email if the


notification cannot be delivered

Select this check box to prevent sending bounce emails when a


notification cannot be delivered.

Allow viral content to be forwarded or


included as an attachment

Select this check box to permit forwarding viral content or


including it as an attachment.
To detect viral content, enable anti-virus scanning.

Option definitions Add/Edit Header Modification Template


Create or edit header modification templates as part of the header modifications feature.
Option

Definition

Header name Add or edit the header name.


To ensure that only one header exists with a given name, select Remove existing headers with
the same name.
Header value Select the required header tokens from the drop-down list. You can add multiple tokens.
To remove headers, leave the Header value field empty.

Anti-Virus policy settings


Use the Anti-Virus policy settings to specify the files you want to scan and the actions you want to take
when a threat is detected, and create detection policies for viruses, spyware, packers, and malware
threats such as worms and mass mailers.

Anti-virus features
The anti-virus protection within Email Gateway provides many ways to protect your network and
users.

Email | Email Policies | Anti-Virus


The anti-virus software:

Detects and cleans viruses.

Protects your network from potentially unwanted programs (PUPs). The appliance can be
configured to:

Enable or disable detection of potentially unwanted programs.

Detect specific types of potentially unwanted programs, such as mass mailers and Trojan
horses.

Detect named malware.

Take specific actions when malware is detected.

Protects your network from named packers. You can add and remove packer names from the list of
packers that will be detected.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

171

Overview of Email menu


Email Policies

Packers compress files and can effectively disguise executable programs. They can also compress
Trojan horses and make them harder to detect. The appliance can be configured to:

Detect named packers.

Exclude named packers from detection.

Take specific actions when a packer is detected.

Protects your network from PUPs. A cautious user might want to be informed of PUPs, and might
want to remove them.
McAfee anti-spyware software detects and, with your permission, removes potentially unwanted
programs. Some purchased or intentionally downloaded programs act as hosts for other potentially
unwanted programs. Removing these potentially unwanted programs may prevent their hosts from
working. Review the license agreement for these host programs for further details. McAfee does not
encourage nor condone breaking any license agreements. Read the details of license agreements
and privacy policies carefully before downloading or installing any software.

Automatically scans within compressed files.

Automatically decompresses and scans files compressed in the packages that include PKZip, LHA,
and ARJ.

Detects macro viruses.

Detects polymorphic viruses.

Detects new viruses in executable files and OLE compound documents, using a technique called
heuristic analysis.

Upgrades easily to new anti-virus technology.

Settings for scanning viruses and similar threats


The anti-virus settings in a policy protect the network and its users.

Email | Email Policies | Anti-Virus


Threats to your network and users may be from:

Viruses

Spyware

Adware

Various kinds of malware (malicious software) and other potentially unwanted software.

Spyware can steal information and passwords. This category includes potentially unwanted programs
(PUPs), which are any software that a cautious network administrator might want to be informed of,
and possibly remove, such as password crackers. Adware, too is among these nuisances, because it
distracts employees from their normal work.

What is a potentially unwanted program (PUP)?


Potentially unwanted programs (PUPs) are not considered to be malware like viruses and Trojan
horses.

Email | Email Policies | Anti-Virus | McAfee Anti-Spyware

172

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Some software programs written by legitimate companies might alter the security or privacy of the
computer where they are installed. This software can include spyware, adware, and dialers, and might
be downloaded unwittingly with a program that the user wants. Cautious users prefer to know about
such programs, and in some cases, remove them.

Customized anti-virus settings


Besides giving you the levels of scanning (such as default file types, which scans only the most
susceptible files), Email Gateway also allows you to specify various options when scanning for viruses.

Email | Email Policies | Anti-Virus | Basic Options


Although more options can provide greater security, scanning will take longer. The scanning
capabilities are:

Detect possible new viruses in programs and documents.


Documents that carry a virus often have distinctive features such as a common technique for
replicating themselves. Using heuristics, the scanner analyzes the document to detect these kinds
of computer instructions. Program file heuristics scans program files and identifies potential new
file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft
Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses.

Scan inside archive files.


By default, the scanner does not scan inside file archives such as .zip or .lzh files because any
infected file inside them cannot become active until it has been extracted.

Scan default file types.


Normally, the scanner examines only the default file types it scans only those files that are
susceptible to infection. For example, many popular text and graphic formats are not affected by
viruses. Currently, the scanner examines over 100 file types by default, including .exe and .com.

Scan all files.


This option ensures that every file is scanned. Some operating systems, such as Microsoft
Windows, use the extension names of files to identify their type. For example, files with the
extension .exe are programs. However, if an infected file is renamed with a harmless extension
such as .txt, it can escape detection and the operating system can run the file as a program if it is
renamed later.

Scan files according to file name extension.


You can specify the types of files you want to scan according to their file name extensions.

Treat all macros as viruses.


Macros inside documents are a popular target for virus writers. Therefore, for added security,
consider scanning all files for macro viruses, and optionally removing any macros found, regardless
of whether they are infected.

Scan compressed program files.


This is used to scan compressed files such as those compressed using PKLITE. If you are scanning
selected file extensions only, add the appropriate compressed file extensions to the list.

Special actions against packers and PUPs


The appliance handles most detections according to the actions that you specify on the Basic Options
tab.

Email | Email Policies | Anti-Virus | Custom Malware Options

McAfee Email Gateway 7.6.400 Appliances

Product Guide

173

Overview of Email menu


Email Policies

To specify that a scanner on the appliance handles some packers and PUPs differently, use the Custom
Malware Options tab.

Problems with alerts for mass mailers


Normally, the appliance handles all potentially unwanted programs in the same way. However you can
specify that certain types are handled differently.

Email | Email Policies | Anti-Virus | Custom Malware Options


For example, you can configure the appliance to inform the sender, the recipient and an administrator
with an alert message whenever a virus is detected in an email message. This feature is useful
because it shows that the anti-virus detection is working correctly, but it can become a nuisance if a
mass-mailer virus is encountered.
Mass-mailer viruses (for example Melissa and Bubbleboy) propagate themselves rapidly using email.
Numerous alerts are generated, and these can be as annoying as the surge of detected email
messages that has been blocked.
The appliance can handle any mass-mailer virus separately from other types of virus. You example,
you can choose to discard the detected document immediately, and thereby suppress any alert
messages that will otherwise be generated.

Configuring basic Anti-Virus settings


Use the following information to understand the benefits and procedures to configure basic Anti-Virus
settings.

Email | Email Policies | Anti-Virus | Basic Options


The Anti-Virus | Basic Options page enables you to configure options such as the types of files that are
scanned for viruses, the actions to take if a virus is identified, and what to do if an infected file cannot
be cleaned.
Contents
Benefits of configuring basic Anti-Virus options
Benefits of using McAfee Global Threat Intelligence file detection
Option definitions Anti-Virus Basic Options
Task Enabling McAfee Global Threat Intelligence file reputation

Benefits of configuring basic Anti-Virus options


This information describes the benefits associated with setting up the basic Anti-Virus options.
To provide the best combination of performance and detection of viruses, the Anti-Virus | Basic Options
page has settings to enable you to select the types of files that are scanned for viral content, and the
actions to be taken when a viral detection is made.
This page also give you the option of enabling McAfee Global Threat Intelligence file reputation.

174

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Benefits of using McAfee Global Threat Intelligence file detection


This technique reduces the delay between McAfee's detection of a new malware threat and when a
customer receives and installs a detection definitions (DAT) file. The delay can be 24 - 72 hours.

Email | Email Policies | Anti-Virus | Basic Options


Using McAfee Global Threat Intelligence file reputation enables your Email Gateway to provide
protection against new threats, before they are included in detection definition (DAT) files.
1

The appliance scans each file, comparing its code against the information (or signatures) in the
current detection definitions (DAT) file.

If the code is not recognized and is suspicious, for example, the file is packed or encrypted, the
appliance sends a small definition (or fingerprint) of that code to McAfee Global Threat Intelligence
an automated analysis system at McAfee. Millions of other computers with McAfee software also
contribute fingerprints.

McAfee compares the fingerprint against a database of fingerprints collected worldwide, and
informs the appliance of the likely risk within seconds. Based on settings in the scanning
policies, the appliance can then block, quarantine, or try to clean the threat.

If McAfee later determines that the code is malicious, a DAT file is published as usual.

Option definitions Anti-Virus Basic Options


Use this page to specify basic options for anti-virus scanning.
Table 4-38 Option definitions Enable anti-virus scanning for "policy name"
Option

Definition

Enable anti-virus scanning

When selected, enables anti-virus scanning of email messages.

Table 4-39 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

175

Overview of Email menu


Email Policies

Table 4-40 Option definitions Specify which files to scan


Option

Definition

Specify which files to Scan all files Offers the highest security. However, scanning takes longer and
scan
might affect performance.
Some operating systems such as Microsoft Windows use the extension name of a
file to identify its type. For example, files with the extension .exe are programs.
However, if an infected file is renamed with a harmless extension such as .txt, it
can escape detection. The operating system cannot run the file as a program
unless it is renamed later. This option ensures that every file is scanned.
Default file types The scanner examines only the default file types in other
words, it concentrates its efforts on scanning those files that are susceptible to
viruses.
For example, many popular text and graphic formats are not affected by viruses.
Currently the scanner examines over 100 types by default, which includes .exe
and .com file types.
Defined file types Scans only the types in the list.
Using this option, you can specify the types of files that you want scanned.
Scan archive files
(ZIP, ARJ, RAR ...)

By default, the scanner does not scan inside file archives such as .zip or .lzh files
because any virus-infected file inside them cannot become active until it has been
extracted.
When selected, Email Gateway scans these types of files.
However, scanning takes longer and might affect performance. As the contents of
these files are harmful only when files inside are extracted, they can be scanned by
the on-access scanners on individual computers in your network.

Find unknown file


viruses

An anti-virus scanner typically detects viruses by looking for the virus signature,
which is a binary pattern that is found in a virus-infected file. However, this
approach cannot detect a new virus because its signature is not yet known,
therefore the scanner uses another technique: heuristic analysis. Program file
heuristics scans program files and identify potential new file viruses. Macro
heuristics scans for macros in the attachments (such as those used by Microsoft
Word, Microsoft Excel, and Microsoft Office) and identify potential new macro
viruses.
When selected, does extra analysis to find any virus-like behavior.

Find unknown macro Macros inside documents are a popular target for virus writers.
viruses to Remove When selected, take actions against macros in documents. Macros inside
all macros from
documents are a popular target for virus writers.
document files
Enable McAfee
Global Threat
Intelligence file
reputation with
Sensitivity level

Enables McAfee Global Threat Intelligence file reputation on your appliance.


McAfee Global Threat Intelligence file reputation complements the DAT-based
signatures by providing the appliances access to millions of cloud-based
signatures. This reduces the delay between McAfee detecting a new malware
threat and its inclusion in DAT files, providing broader coverage.
The sensitivity levels enable you to balance the risk of missing potentially harmful
content (low settings) with the risk of false positive detections (high settings).
For gateway appliances, the recommended sensitivity level is Medium.

176

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-41 Option definitions Actions


Option

Definition

Attempt to clean

When selected, the infection inside the item is removed, if possible. When
deselected, the entire item is removed.

If cleaning
succeeds

Specify the secondary actions to take if the appliance successfully cleans the
infection.
Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

177

Overview of Email menu


Email Policies

Table 4-41 Option definitions Actions (continued)


Option

Definition

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email
options

When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.

If cleaning fails

Specify the primary action to take if the appliance cannot clean the infection.
Deny connection (Block)

Replace detected item with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

178

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-41 Option definitions Actions (continued)


Option

Definition

And also

Specify the secondary actions to take if the appliance cannot clean the infection.
Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

179

Overview of Email menu


Email Policies

Table 4-41 Option definitions Actions (continued)


Option

Definition

If a file is zero
bytes after
cleaning

When triggered, removes any pre-existing headers of the same name.

Provides an action against a file that is now empty. Zero-byte files cannot carry
threats, but you might prefer to remove the files if they confuse users.
The available options are:
Keep zero byte file
Remove zero byte file
Treat as a failure to clean

Table 4-42 Option definitions Obfuscated content


Option

Definition

Make deobfuscated content available to other


scanners

When selected, provides extra protection against unwanted


content. The techniques that detect hidden viruses and
malware are made available to content scanning.

Table 4-43 Option definitions Additional anti-virus engine


Option

Definition

Enable Commtouch
Command anti-virus

When selected, enables the Commtouch Command anti-virus engine within your
policies.

Scanning optimization Select how the Commtouch Command anti-virus engine is used:

Perform optimized scanning Objects are not passed to the Commtouch Command
anti-virus engine if the McAfee anti-virus engine makes a detection that is then
either replaced with an alert message, or that causes the email message to be
dropped.

Depending on the actions configured for the McAfee anti-virus engine, the
additional anti-virus engine might not be used to scan an email message.

Perform exhaustive scanning Objects are always passed to the Commtouch


Command anti-virus engine after the McAfee engine completes its scan.

Exhaustive scanning might result in your McAfee Email Gateway reporting


multiple detections for a single email message.

Task Enabling McAfee Global Threat Intelligence file reputation


Use this task to enable McAfee Global Threat Intelligence file reputation on your McAfee Email
Gateway.
Task

180

Select Email | Email Policies | Anti-Virus | Basic Options.

From within Specify which files to scan, select Enable McAfee Global Threat Intelligence file reputation.

Select your required Sensitivity level. A low setting means that the McAfee Email Gateway may miss
some potentially harmful content, whereas a high setting means that the McAfee Email Gateway
may detect some harmless files and wrongly label them as potentially harmful.

Click OK.

Click Apply.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Using McAfee Advanced Threat Defense


Learn how to configure McAfee Email Gateway so that it works with McAfee Advanced Threat Defense
to provide further levels of protection to your email traffic.

Email | Email Policies | Anti-Virus | Advanced Threat Defense

Benefits of integrating McAfee Advanced Threat Defense and Email Gateway


By using a layered approach, greater accuracy of detection of malware samples is achieved.
Traditional approaches to the detection of malware rely on samples of the unwanted software having
been previously identified and signatures created to compare incoming files against. However, if the
dangerous software has not previously been identified, this approach does not work.
Several McAfee products, including Email Gateway, interact with McAfee Advanced Threat Defense to
provide in-depth, layered protection.
By using Email Gateway at the gateway, and configuring it to forward suspect content onto your
McAfee Advanced Threat Defense servers for further, advanced analysis, detection rates for malware
are improved.
By running content in a secure sandbox area within the McAfee Advanced Threat Defense server, and
using multiple detection methods, McAfee Advanced Threat Defense searches for evidence that
malware is present. This method is used to detect new, zeroday malware that traditional detection
methods cannot yet know about.

Using McAfee Advanced Threat Defense


This example illustrates a situation where you might use McAfee Advanced Threat Defense.
Issue A new, zeroday malware targeted at your industry sector has been released onto the
Internet, and is using email to transmit the malware content to your users. As this malware has only
just appeared "in-the-wild", none of the anti-virus vendors have yet seen or analyzed a sample of this
malware, so cannot identify and neutralize it using traditional definition methods.
Solution Configuring Email Gateway to send potentially dangerous content to your McAfee
Advanced Threat Defense servers before delivery allows multiple advanced detection methods to be
applied to the sample. These methods ascertain if the sample exhibits malware characteristics when
activated and run within a secured sandbox within the McAfee Advanced Threat Defense server. If

McAfee Email Gateway 7.6.400 Appliances

Product Guide

181

Overview of Email menu


Email Policies

found to be malicious, McAfee Advanced Threat Defense reports the threat level to your Email
Gateway, which then takes the actions on the original email message that you have configured within
the user policy for the reported threat level.

Figure 4-2 McAfee Advanced Threat Defense flow

Step Description
1

Email message sent to a user from outside your organization.

McAfee Email Gateway scans the email message.

Any attachments contained within the message are sent to McAfee Advanced Threat Defense
for further advanced analysis.

McAfee Advanced Threat Defense carries out the advanced analysis on the attachments and
components of the message.

On completion of the advanced analysis, McAfee Advanced Threat Defense reports to McAfee
Email Gateway, which takes the configured actions within the user policy for the reported
threat level.

If both Email Gateway and McAfee Advanced Threat Defense finds no issue with the message,
it is delivered to the intended recipients.

About McAfee Advanced Threat Defense virtual machine profiles


To allow McAfee Advanced Threat Defense to perform advanced analysis on samples, select the virtual
machine profile to be used to analyze the samples.
There can be situations where you require McAfee Advanced Threat Defense to use different virtual
machine profiles.
Issue You have a new acquisition that is using Microsoft Windows XP as their computing platform.
The rest of your organization is using Microsoft Windows 7 Professional.
Solution Perform the following steps:

182

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Install Microsoft Windows XP virtual machine profiles on some McAfee Advanced Threat Defense
servers, with Microsoft Windows 7 Professional virtual machine profiles on the remaining McAfee
Advanced Threat Defense servers.

Configure Email Gateway to use a policy exception so that all email messages going to employees
of the new acquisition are analyzed using McAfee Advanced Threat Defense servers with the
Microsoft Windows XP virtual machine profiles installed.

For messages going to your other users, configure your policy to use the McAfee Advanced Threat
Defense servers that include the Microsoft Windows 7 Professional virtual machine profiles.

Setting up McAfee Advanced Threat Defense with McAfee Email Gateway


The procedure to set up McAfee Advanced Threat Defense and Email Gateway to provide enhanced,
multi-layer scanning is:

Install and configure one or more McAfee Advanced Threat Defense servers within your network.

Create suitable virtual machine profiles within your McAfee Advanced Threat Defense servers.

Configure Email Gateway to use your selected McAfee Advanced Threat Defense servers. (Navigate
to System | ATD Servers | McAfee Advanced Threat Defense Server Configuration.)

Test the connections to the McAfee Advanced Threat Defense servers.

Create policies that include the enabled McAfee Advanced Threat Defense configuration. (Navigate
to Email | Email Policies | Anti-Virus | Advanced Threat Defense.)

Option definitions McAfee Advanced Threat Defense


Use this page to specify the policy options for sending content to McAfee Advanced Threat Defense for
further analysis.
Table 4-44 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

183

Overview of Email menu


Email Policies

Table 4-45 Option definitions McAfee Advanced Threat Defense


Option

Definition

Enable Advanced Threat Defense

Click to enable McAfee Advanced Threat Defense.

Select which virtual machine profile to use to


scan emails

Select the virtual machine profile on the McAfee Advanced


Threat Defense servers to be used for scanning the McAfee
Email Gateway traffic.

Configure Advanced Threat Defense servers

Jump to the page where you can configure the McAfee


Advanced Threat Defense servers to use.

Table 4-46 Option definitions Actions


Option

Definition

If the report returned


Select the threshold for the threat level. When the selected threshold is reached,
from the server indicates the configured Actions are triggered for the message.
a threat level of
The possible threat levels that McAfee Advanced Threat Defense returns are:

Action

Informational

Medium

Very Low

High

Low

Very High

Select the main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

184

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-46 Option definitions Actions (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

McAfee Email Gateway 7.6.400 Appliances

When triggered, removes any pre-existing headers of the same name.

Product Guide

185

Overview of Email menu


Email Policies

Table 4-46 Option definitions Actions (continued)


Option

Definition

Additional configuration
for notification emails

When clicked, open another window where you can specify who the appliance
notifies when a threat is detected.

If an action results in an
alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Table 4-47 Option definitions Timeout Actions


Option

Definition

If the time spent waiting to Select a timeout value in minutes, after which the configured Timeout Action is
send an email to the
taken. This value is the time in which McAfee Email Gateway expects to receive
server and process it
the scan results from the McAfee Advanced Threat Defense server.
exceeds
Action

Provides a main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

186

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-47 Option definitions Timeout Actions (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to
all addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to
all the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

McAfee Email Gateway 7.6.400 Appliances

Product Guide

187

Overview of Email menu


Email Policies

Table 4-47 Option definitions Timeout Actions (continued)


Option

Definition
the intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Additional configuration
for notification emails

When clicked, open another window where you can specify who the appliance
notifies when a threat is detected.

If an action results in an
alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Table 4-48 Option definitions Queue Size Exceeded Actions


Option

Definition

If the number of emails


waiting to be processed
exceeds

Define the queue size that results in alternative actions being taken.

Action

Select the main action to take when the configured number of waiting emails
are exceeded. The available options are:
Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

188

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-48 Option definitions Queue Size Exceeded Actions (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to
all addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to
all the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

McAfee Email Gateway 7.6.400 Appliances

Product Guide

189

Overview of Email menu


Email Policies

Table 4-48 Option definitions Queue Size Exceeded Actions (continued)


Option

Definition
the intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Additional configuration
for notification emails

When clicked, open another window where you can specify who the appliance
notifies when a threat is detected.

If an action results in an
alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Task Configure Advanced Threat Defense policies


Set the options to configure your anti-virus policies to use Advanced Threat Defense.
Before you begin
Ensure that you have configured Email Gateway to communicate with your Advanced
Threat Defense server before configuring your Advanced Threat Defense policies. Use the
Configure Advanced Threat Defense servers link to move to the System | ATD Servers | McAfee Advanced
Threat Defense Server Configuration page.
If you want Email Gateway to send attachments through Advanced Threat Defense, ensure
that feature is enabled.

Task
1

Select Email | Email Policies | Anti-Virus | Advanced Threat Defense and select Enable Advanced Threat Defense.

Select which of the available virtual machine profiles are to be used by this policy to analyze traffic
from your Email Gateway.

Within Actions, select the threat level threshold to use.


Balance the risks of your selection:

A low threshold can lead to threats bypassing Advanced Threat Defense.

A high threshold can increase the load on your Advanced Threat Defense servers.

too low a level, leading to threats bypassing Advanced Threat Defense, with increased load on your
Advanced Threat Defense servers if a more severe threshold is chosen.

190

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Configure the actions you want Email Gateway to take when Advanced Threat Defense is triggered.
a

Select the primary action from the drop-down list.

Select any secondary actions from the scrolling And also menu.

Click the Additional configuration for notification email link to set options on the Notification Emails page.

Specify the use of the default alert text by selecting the Use default text checkbox.

If you want to change the text of the alert, click the Change the default alert text link.

From Timeout Actions, select the timeout period in minutes.


If this timeout period is exceeded, Email Gateway triggers the configured Timeout actions.

Configure the actions you want Email Gateway to take if Advanced Threat Defense fails to return
the scan result within the configured Timeout period.
a

Select the primary action from the drop-down list.

Select any secondary action or actions from the scrolling And also menu.

Click the Additional configuration for notification email link to set options on the Notification Emails page.

Specify the use of the default alert text by selecting the Use default text checkbox.

If you want to change the text of the alert, click the Change the default alert text link.

Click OK.

Apply the changes.

See also
Option definitions Attachment identification on page 101

Troubleshooting McAfee Email Gateway and McAfee Advanced Threat Defense


McAfee Email Gateway and McAfee Advanced Threat Defense include several features to help you
resolve any issues relating to Advanced Threat Defense.
Use the following to help resolve any issues with the McAfee Advanced Threat Defense feature:
From McAfee Email Gateway

Check the status of the connected McAfee Advanced Threat Defense servers, from the Dashboard |
Advanced Threat Defense portlet.

Check the Queued For ATD counters on the Dashboard | Inbound Email Summary and Dashboard | Outbound Email
Summary portlets.

Test the connections to your McAfee Advanced Threat Defense servers, using the Troubleshoot | Tests.

View the conversation log for the specific email message from within Reports | Message search.
SMTP conversation logging must be enabled from Email | Email Configuration | Protocol Configuration | Connection
Settings (SMTP) | SMTP conversation logging to use this feature.

Define conversation events from System | Logging, Alerting and SNMP | Logging Configuration.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

191

Overview of Email menu


Email Policies

Configuring McAfee Anti-Spyware


Use the following information to understand the benefits and procedures to configure McAfee
Anti-Spyware.

Email | Email Policies | Anti-Virus | McAfee Anti-Spyware


The Anti-Virus | McAfee Anti-Spyware page enables you to configure McAfee Anti-Spyware to detect and take
action against certain types of potentially unwanted programs being transmitted within email
messages.
Contents
Benefits of using McAfee Anti-Spyware
Option definitions Default Anti-Virus Settings McAfee Anti-Spyware

Benefits of using McAfee Anti-Spyware


This information describes the benefits associated with setting up the McAfee Anti-Spyware options.
Several types of software programs can be transmitted using email. Some of these programs may be
classed as potentially unwanted programs (PUPs).
You can configure your Email Gateway to scan for potentially unwanted programs.
A PUP (potentially unwanted program) is any program that may be unwanted, even though the user
consented to downloading and installing the software. This may be because the user did not read the
terms and conditions relating to the software, or because it was downloaded in conjunction with
another piece of software that the user did want to install.
Potentially unwanted programs can include spyware, adware, and dialers. To learn more about
potentially unwanted programs, visit McAfee Labs Threat Library(http://vil.nai.com/vil/default.aspx).
Options on the user interface enable you to select the categories of unwanted programs the appliance
should detect.
You can also specify the actions to use when a potentially unwanted program is detected, and some
optional additional actions.

Option definitions Default Anti-Virus Settings McAfee Anti-Spyware


Use this page to specify the McAfee Anti-Spyware settings for anti-virus scanning.
Table 4-49 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

192

Move

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-49 Option definitions Policy exceptions (continued)


Option

Definition

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-50 Option definitions Potentially Unwanted Program (PUP) detection
Option

Definition

Enable anti-virus scanning When selected, scans for viruses and other threats such as worms and
spyware. The option is normally set to Yes. Select No only if you have anti-virus
protection elsewhere in your network.
Enable detection

Select to enable potentially unwanted program (PUP) detection.


Read the disclaimer text before enabling PUP detection.

Spyware to Other PUPs

Select the types of potentially unwanted programs detected.

Exclude and Include

Build a list of names of programs to scan or ignore.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

193

Overview of Email menu


Email Policies

Table 4-51 Option definitions Actions


Option

Definition

If detected

Provides a main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of the
email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email message
for auditing purposes to all addresses defined within the auditing email list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended recipients.
You can select multiple header modification templates. Click Manage templates to
change the way the headers are re-written.
The following icons indicate the template settings:

194

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-51 Option definitions Actions (continued)


Option

Definition

If an action
results in an alert

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Configuring packer detection


Use this information to understand the threat posed by packers, and how you can configure your Email
Gateway to deal with this threat.

Email | Email Policies | Anti-Virus | Packers


The Anti-Virus | Packers page enables you to configure Email Gateway to detect and take action against
types of packers.
Packers compress files, which changes the binary signature of the executable. Packers can compress
Trojan-horse programs and make them harder to detect.
Contents
Benefits of using Packer detection
Option definitions - Default Anti-Virus Settings - Packers

Benefits of using Packer detection


This information describes the benefits associated with setting up the packer detection options.
Packers compress files, which changes the binary signature of the executable. This can make it harder
to detect Trojan-horse or other potentially unwanted programs, as their true binary signatures are
hidden.
Enabling Packer detection helps defend against this type of threat, by scanning within the compressed
files to check the true binary signatures of the files contained within.

Option definitions - Default Anti-Virus Settings - Packers


Use this page to specify the actions to take against packers.
Table 4-52 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.

Add exception

McAfee Email Gateway 7.6.400 Appliances

Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Product Guide

195

Overview of Email menu


Email Policies

Table 4-52 Option definitions Policy exceptions (continued)


Option
Move up and
down

Definition
Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-53 Option definitions Packer detections

196

Option

Definition

Enable detection

Select to enable detection of packers by the appliance.

Exclude specified names and Include only


specified names

Allows you to build a list of names of packers to scan or


ignore.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-54 Option definitions Actions


Option

Definition

If detected

Provides a main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of the
email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email message
for auditing purposes to all addresses defined within the auditing email list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended recipients.
You can select multiple header modification templates. Click Manage templates to
change the way the headers are re-written.
The following icons indicate the template settings:

McAfee Email Gateway 7.6.400 Appliances

Product Guide

197

Overview of Email menu


Email Policies

Table 4-54 Option definitions Actions (continued)


Option

Definition

If an action
results in an alert

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Configuring Custom Malware Options


Use the following information to understand the benefits and procedures to configure customer
malware options within Email Gateway.

Email | Email Policies | Anti-Virus | Custom Malware Options


The Anti-Virus | Custom Malware Options page enables you to configure Email Gateway to take different
actions when certain types of malware are detected.
Contents
Benefits of using the Custom Malware options
Option definitions Default Anti-Virus Settings Custom Malware Options

Benefits of using the Custom Malware options


This information describes the benefits associated with using the custom malware options.
The custom malware options enable you to select different actions for certain types of malware to
those that you have selected for other detection types.

Option definitions Default Anti-Virus Settings Custom Malware Options


Use this page to specify the actions to take when some types of malicious software (malware) are
detected.
Table 4-55 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

198

Move

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-55 Option definitions Policy exceptions (continued)


Option
Edit exception properties

Definition
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-56 Option definitions Apply different actions to certain detection types
Option

Definition

Mass mailers to Trojan horses

When selected, applies the specified action to this type of malware.


If the option is not selected, the malware is handled as described by
the basic options.

Specific detection name

When selected, allows you to add names of specific detections. You


can use * and ? to represent multiple and single characters in
the malware names.

Do not perform custom malware check


if the object has already been cleaned.

Enable this to prevent the appliance carrying out the custom


malware checks if the object has already been successfully cleaned.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

199

Overview of Email menu


Email Policies

Table 4-57 Option definitions Custom actions


Option

Definition

If detected

Provides a main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.

200

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-57 Option definitions Custom actions (continued)


Option

Definition
The following icons indicate the template settings:

If a custom
malware action
results in an alert

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Handling hybrid scan results

When an email message triggers an action during the scan by the cloud-based McAfee Email
Protection Service, the results of that scan are communicated to your Email Gateway appliance.
You can configure the way hybrid scanning responds when actions are triggered.

Benefits of hybrid scanning


Hybrid scanning reduces the workload for the Email Gateway appliances within your network.
Hybrid scanning processes your inbound email messages in the cloud, leaving your appliances free to
scan outbound traffic. You maintain control over the way scan results are used, because you can
configure policies for hybrid scanning like you can for scanning by your Email Gateway appliances.

Option definitions - Hybrid scanning


Use this page to enable and configure hybrid scanning.
Table 4-58 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-59

Option definitions - Hybrid Scanning

Option

Definition

Hybrid scanning options


Enable hybrid anti-virus
scanning

Enables or disables anti-virus scanning by the SaaS Email Protection Service.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

201

Overview of Email menu


Email Policies

Table 4-59

Option definitions - Hybrid Scanning (continued)

Option

Definition

Re-scan the email locally Enables or disables additional scanning by the Email Gateway appliance for any
if it is NOT found to be
email that passes through the SaaS Email Protection Service without triggering
infected
an action.
Actions
If a virus is detected

Sets the action to be taken by the Email Protection Service if it detects a virus.
Options are:
Deny connection (Block)

Replace with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow through (Monitor)

Accept and then drop the data (Block)

202

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-59

Option definitions - Hybrid Scanning (continued)

Option

Definition

And also

Sets additional actions to be taken by the Email Protection Service for emails
that were not blocked as the primary action. Options are:
Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

McAfee Email Gateway 7.6.400 Appliances

Product Guide

203

Overview of Email menu


Email Policies

Table 4-59

Option definitions - Hybrid Scanning (continued)

Option

Definition
the intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email options

Link that opens the Notification Emails page where you can set options.

If an action results in an
alert

Enables or disables use of the default text for virus alerts. If the default is
disabled, the system uses alert text provided by the user.

Change the default alert


text

Opens the Alert Editor page for anti-virus detection alerts.

If a potentially unwanted Sets the action to be taken by the Email Protection Service if it detects a
program is detected
potentially unwanted program. Options are:
Deny connection (Block)
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Replace with an alert (Modify)
Allow through (Monitor)

204

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-59

Option definitions - Hybrid Scanning (continued)

Option

Definition

And also

Sets additional actions to be taken by the Email Protection Service for emails
that were not blocked as the primary action. Options are:
Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

McAfee Email Gateway 7.6.400 Appliances

Product Guide

205

Overview of Email menu


Email Policies

Table 4-59

Option definitions - Hybrid Scanning (continued)

Option

Definition
the intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email options

Link that opens the Notification Emails page where you can set options.

If an action results in an
alert

Enables or disables use of the default text for potentially unwanted program
alerts. If the default is disabled, the system uses alert text provided by the user.

Change the default alert


text

Opens the Alert Editor page for potentially unwanted program alerts.

Task - Configure scanning policy


Follow this process to enable and configure hybrid anti-virus scanning policy.
Before you begin
You should register your appliance with McAfee SaaS Email Protection Service (SaaS) and
configure the domains for which email traffic is to be scanned in the cloud.
Task
1

Select Email | Email Policies, then in the Anti-Virus column, click the Viruses: Clean or Replace link.
The Default Anti-Virus Settings (SMTP) page opens.

Select the Hybrid Scanning tab.


The Hybrid scanning options tab opens.

206

In the Hybrid scanning options section of the page, select the checkbox to enable hybrid scanning.

If you want your Email Gateway appliance to scan any email that passes through the hybrid scan
without triggering an action, select the Rescan the mail locally checkbox.

Configure the actions you want the Email Protection Service to take when it detects a virus.
a

Select the primary action for virus detection from the drop-down list.

Select any secondary action or actions from the scrolling And also menu.

Click the Notification and annotated email options link to set options on the Notification Emails page.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Specify the use of the default alert text for anti-virus alerts by selecting the Use default text
checkbox.

If you want to change the text of the anti-virus alert, click the Change the default alert text link.

Configure the actions you want the Email Protection Service to take when it detects a potentially
unwanted program (PUP).
a

Select the primary action for PUP detection from the drop-down list.

Select any secondary action or actions from the scrolling And also menu.

Click the Notification and annotated email options link to set options on the Notification Emails page.

Specify the use of the default alert text for PUP alerts by selecting the Use default text checkbox.

If you want to change the text of the alert, click the Change the default alert text link.

Anti-spam policy settings


Use the Spam policies to manage spam and phish detection, and configure any sender authentication
settings you want to apply.

Anti-spam features
The anti-spam protection within Email Gateway provides many ways to protect your users from
unsolicited email messages.
The anti-spam features include:

score-based spam reporting

ability to add prefixes to the subject line of emails identified as being unsolicited

customizable message size options

ability to add custom headers to the identified email messages

the use of blacklists and whitelists

spam rules that can be disabled if they are incorrectly identifying legitimate emails as spam

In addition, Email Gateway provides protection against phishing emails. Phishing emails are messages
that purport to come from a users bank or other institution, but, in fact are aimed at tricking the user
into disclosing sensitive financial data about their account and PIN numbers.
Another method of reducing the amount of unsolicited email is to use Sender Authentication to check that
the email messages have actually been sent from the source that it appears to have been sent.

Configuing basic anti-spam options


Use the following information to understand the benefits and procedures to configure basic anti-spam
options.

Email | Email Policies | Spam | Basic Options


Contents
Benefits of using basic Anti-Spam options
Option definitions Default Anti-Spam Settings Basic Options

McAfee Email Gateway 7.6.400 Appliances

Product Guide

207

Overview of Email menu


Email Policies

Benefits of using basic Anti-Spam options


This information describes the benefits associated with setting up the basic Anti-Spam options.
The basic options available within the Default Anti-Spam Settings page allow you to specify settings such as
the spam reporting threshold for messages. This is the accumulated score at which your Email
Gateway marks messages as possibly being spam.
From this dialog box, you can also choose how you want to inform your users that a message could
possibly be spam. You can add a prefix to the subject line of emails suspected of being spam, and can
edit the text that appears within the subject.
You can also configure further spam-based options, including defining stricter actions (monitor, block
or reroute) for messages gaining a higher spam score.

Option definitions Default Anti-Spam Settings Basic Options


Use this page to specify how to handle spam email messages.
Table 4-60 Enable anti-spam scanning for "policy name"
Option

Definition

Enable anti-spam scanning

When selected, enables anti-spam scanning of email messages.

Table 4-61 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-62 Option definitions Reporting options
Option

Definition

Spam reporting threshold

Specifies a spam threshold. Messages that have a spam score below the
threshold are not treated as spam.
Typically, a spam score of 5 or more indicates spam. You need only change
this threshold if its default value is not effective. You can enter numbers with
decimal fractions, for example 6.25.
Default value is 5.

Add a prefix to the subject


When selected, adds some text that helps users to find suspicious messages
line of spam messages and in their email inbox.
Prefix text
Default value is [spam].

208

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-62 Option definitions Reporting options (continued)


Option

Definition

Add a spam score indicator


and Indicator text

When selected, adds an indicator to each message's Internet headers. For


example, a message that has a spam score between 6 and 7 can be given an
indicator of six asterisks. This information is useful for later analysis.
Default value is *.

Attach a spam report

When selected, adds a report to the messages, showing the names of the
anti-spam rules that have triggered.
We recommend that you select a spam report for initial testing only, because
it can affect your server's performance. When you have collected the
information, deselect the option.

Verbose reporting

When selected, adds descriptions of the anti-spam rules.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

209

Overview of Email menu


Email Policies

Table 4-63 Option definitions Additional score-based actions


Option

Definition

When the spam


score is at least

Specify the actions to take when the spam score exceeds a user-specified value.
The available actions are:
Deny connection (Block)

Route to an alternative relay (reroute)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


If the action to take against email is Route to an alternate relay, you can click a Manage the
list of relays link to a list of other devices that will handle the email instead.

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
Notification email options
Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.

210

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-63 Option definitions Additional score-based actions (continued)


Option

Definition
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.

Notification and
annotated email
options
Table 4-64

Alert settings

Option

Definition

Use the default alert

Select whether to use the default alert text when an anti-spam action triggers.
You can edit the alert text by clicking either:
change the default alert text, or
customize the alert text

Configuring advanced Anti-Spam options


Use the following information to understand the benefits and procedures to configure advanced
Anti-Spam options.

Email | Email Policies | Spam | Advanced Options


Contents
Benefits of using the anti-spam Advanced Options
Option definitions Anti-Spam Settings Advanced Options

Benefits of using the anti-spam Advanced Options


This information describes the benefits associated with setting up the advanced anti-spam options.

Scan emails using anti-spam cloud lookup


By sending incoming email messages to McAfee data centers for real-time analysis, you benefit from
up-to-date detections of spam within your email traffic. Also, you are helping ensure that McAfee
systems detect the latest types of spam.
Issue McAfee adds new anti-spam engines and technologies to the McAfee data center servers.
These engines and technologies improve spam detection rates, and provide protection against specific
spam campaigns.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

211

Overview of Email menu


Email Policies

Solution You do not have to update the software on your appliances to take advantage of the
improved spam detection available using anti-spam cloud lookup. Simply enable Anti-Spam Cloud Lookup
within your Email Gateway appliances, to benefit from these features.

Figure 4-3 Email flow using anti-spam cloud lookup

Specify limits
The advanced options tab allows you to configure limits that apply to the anti-spam scanning.
These limits include:

Maximum message size

Maximum width of spam headers

Maximum number of reported rules

By configuring these settings, you can tune the spam scanning and reporting from your Email
Gateway appliances.

Add a custom header


You can add custom headers to email messages, so that you can more easily track messages that
have been categorized as potential spam.
You can specify:

212

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Header name

Header value

You can also specify if the custom headers are never added, are added only to spam messages, only
to non-spam messages or to all messages.

Option definitions Anti-Spam Settings Advanced Options


Use this page to specify advanced settings against spam email. You do not need to change these
settings often.
Table 4-65 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.

Edit exception properties

Click to delete the selected policy exception.


Delete exception

Scan emails using anti-spam cloud lookup


Option

Definition

Enable anti-spam
cloud Lookup

Select to allow your Email Gateway to send information about your incoming email
messages to McAfee data centers for real-time spam analysis.
Policy exceptions do not apply to anti-spam cloud lookups, as these lookups are
made at the protocol level.

Use default proxy


settings

Select this option to use the currently configured proxy settings, or click (configure
defaults) to move to System | Appliance Management | Default Server Settings, where you can
change these settings.

Specify limits
Option

Definition

Use the default maximum Select to use the default message size limits.
message size
The currently installed anti-spam engine sets the default message size.
Deselect to set a custom Maximum message size.
Maximum message size

Specifies the maximum size of the email message. Spam messages are
typically small.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

213

Overview of Email menu


Email Policies

Option

Definition

Maximum width of spam


headers

Specifies the maximum width of headers that the appliance adds to email
messages.
We do not recommend that you decrease the value. For example, Verbose
reporting creates header lines, each with the name and description of a rule. A
reduced width truncates the rule descriptions, making them more difficult to
read.
Default value is 76 bytes.

Maximum number of
reported rules

Specifies the maximum number of anti-spam rule names that can be included
in a spam report.
Default value is 180.

Add a custom header


Option

Definition

Header name and Header


value

Specifies the name and value of an extra email header, that can be used for
later processing.

Add the header

Specifies the type of email message to which to add the email header. For
example, you can add the customized email header to spam messages only.
Default value is Never.

Use alternative header names


when a mail is not spam

If selected, appends the text - Checked to the normal spam header names
when the email message did not contain spam. This option can be useful to
other devices that handle the same email message later.

Configuring Blacklists and Whitelists


Use the following information to understand the benefits and procedures to configure Blacklists and
Whitelists on your Email Gateway.

Email | Email Policies | Spam | Blacklists and Whitelists


Contents
Benefits of using Blacklists and Whitelists
Option definitions Blacklisted Senders
Option definitions Blacklisted Recipients
Option definitions Whitelisted Senders
Option definitions Whitelisted Recipients
Option definitions User Submitted

Benefits of using Blacklists and Whitelists


This information describes the benefits associated with using the blacklists and whitelists to help block
spam email messages from reaching your users.
Blacklists and whitelists are useful tools in helping keep your user inboxes free from unsolicited
(spam) email messages.
During email "spam" campaigns, high volumes of email messages can be generated in a short period
of time. If each of these spam emails that reach your email servers have to be individually scanned to
check the content, this can consume scanning resources on your Email Gateway.
Using blacklists, you can block all emails from a specific address, thereby removing the requirement to
scan each of the emails individually.

214

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

If you find that people that send legitimate email messages into your organization have their
messagse erroneously tagged as being spam, adding their addresses to the whitelists can prevent the
messages being tagged as spam.

Option definitions Blacklisted Senders


Use this information to make lists of email addresses that regularly send spam to your organization.
Table 4-66 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Option

Definition

Email Address

Use this to make a list of email addresses that often send spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*

Add Address

Click to add a new row to the list of email addresses that often send spam. Type
the email address that you want added to the list.

Delete Selected
Addresses

If you find that legitimate email sender addresses have been added to the
Blacklisted Senders list, select each legitimate address, and click Delete Selected Addresses.

Option definitions Blacklisted Recipients


Use this information to make lists of email addresses that regularly receive spam email messages.
Table 4-67 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

McAfee Email Gateway 7.6.400 Appliances

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

Product Guide

215

Overview of Email menu


Email Policies

Table 4-67 Option definitions Policy exceptions (continued)


Option

Definition

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Option

Definition

Email Address

Use this to make a list of email addressses that often receive spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*

Add Address

Click to add a new row to the list of email addresses that often receive spam. Type
the email address that you want added to the list.

Delete Selected
Addresses

If you find that legitimate email addresses have been added to the Blacklisted
Recipients list, select each legitimate address, and click Delete Selected Addresses.

Option definitions Whitelisted Senders


Use this information to make lists of email addresses that are allowed to send email from within to
your organization.
Table 4-68 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Option

Definition

Email Address

Use this to make a list of users who want to send email messages that the
appliance normally treats as spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*

216

Add Address

Click to add a new row to the list of email addresses that are to be allowed to send
email. Type the email address that you want added to the list.

Delete Selected
Addresses

If you find that illegal email sender addresses have been added to the Whitelisted
Senders list, select each illegal address, and click Delete Selected Addresses.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option definitions Whitelisted Recipients


Use this information to make lists of users who want to receive email messages that are normally
identified as spam.
Table 4-69 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-70 Option definitions
Option

Definition

Email Address

Use this page to make a list of users who want to receive email messages that
are normally identified as spam.
Specifies each email address. You can use wildcards, for example: user_?
@example.*

Add Address

Click to add a new row to the list of email addresses that are to be allowed to
receive email messages. Type the email address that you want added to the list.

Delete Selected
Addresses

If you find that illegal email recipient addresses have been added to the Whitelisted
Recipients list, select each illegal address, and click Delete Selected Addresses.

Option definitions User Submitted


Use this information to understand how to allow your users to blacklist or whitelist individual senders,
and how to view and manage those lists.
Use this to view and manage lists of blacklists and whitelists that have been submitted by users
through quarantine digests.
If the appliance is configured to use the McAfee Quarantine Manager, you can only view the lists.

Table 4-71 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

217

Overview of Email menu


Email Policies

Table 4-71 Option definitions Policy exceptions (continued)


Option

Definition
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-72 Option definitions
Option

Definition

View

Click to view the lists of user-submitted blacklists and whitelists.

Refresh and Clear

Click to either refresh the information shown on screen, or to clear all


information from the screen.

Filter

Specify the information that you want to filter the list by. Click Apply.
The lists are filtered to only show those entries that match the entered filter
string.

Modify, Add and Delete Use these buttons to add, remove or edit entries within the user-submitted lists.
Import Lists

Take a previously exported list of blacklisted and whitelisted email addresses,


and import them onto your Email Gateway.

Export Lists

Create a list of the user submitted blacklisted and whitelisted email addresses,
and export them as an xml file.

Configuring Spam Rules


Use the following information to understand the benefits and procedures available to configure Spam
Rules.

Email | Email Policies | Spam | Spam Rules


Contents
Benefits of configuring spam rules
Option definitions Spam Rules
Option definitions - Editable spam rules
Task Configure spam rules
Task Edit a spam score

Benefits of configuring spam rules


Use the following information to understand the benefits of configuring spam rules.
McAfee Email Gateway uses several methods to catch unsolicited (spam) email messages and prevent
them from reaching your users.
One of these methods is to use a set of regularly updated rules to detect specific spam campaign
messages.

218

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

However, on occasion, one of these rules might wrongly detect legitimate email messages as spam - a
false positive detection. In this situation, you can disable just the rule that is causing the false positive
detections. You can also edit the spam score for any rule with a name that begins with EDT_.

Using editable spam scores


Editing the spam score for a rule allows you to reduce false positive detections, or create stricter
detection rules if spam messages are not being caught. Increasing the score makes detection more
sensitive because the rule contributes a higher number to the overall spam score. Decreasing the
score makes detection less sensitive, since the rule contributes a lower number to the score.
Only messages that trigger the editable rules experience improved false positive or false negative rates.
The score for an individual rule is only part of the total spam score. The accumulated score for all
triggered rules determines the possible presence of spam.

Issue McAfee Email Gateway generates excessive false positive detections caused by messages
that trigger rule EDT_ SDHA_HMS_FRM. The current spam score is set to 1.0 (the number contributed
to the total spam score).
Solution Edit the spam score for the rule to a lower value. Save your changes, and monitor the
results.
Issue You notice several email messages being delivered, where the email addresses in the 821
header and 822 header do not agree. The spam rule EDT_SDHA_ADR_FRG should trigger for these
messages. The current spam score for this rule to 0.2.
Solution Edit the spam score for this rule to a higher value. Save the changes, and monitor the
results.

Managing editable spam scores with ePO


Specific conditions apply when you manage editable spam scores with McAfee ePO.

If the editable spam rules do not appear in the list, you must add them manually.
The rules will appear automatically only if they existed in the imported Email Gateway configuration.

You can enable or disable the added rules for all rules.

The default value for all added rules is 0.

You cannot edit scores for spam rules that do not begin with EDT_.

You can edit scores for any spam rules that begin with EDT_.

Spam rules can be filtered using the Filter option.

See also
Task Edit a spam score on page 221
Benefits of using basic Anti-Spam options on page 208

Option definitions Spam Rules


Use this page to remove any spam rules that are causing some email to be wrongly detected as spam.
It is unlikely that you need to change this list. Make changes only if you understand the implications.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

219

Overview of Email menu


Email Policies

Table 4-73 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-74 Option definitions Anti-spam settings
Option

Definition

Rule Name

Displays the rule name that is seen in the spam report.

Rule Score

Displays the rule score, which is typically 15. You can edit the spam score for any
rule with a name that begins with EDT_.
EDT_ rules support scores ranging from -999.99 to 999.99.

Enabled

Specifies whether a rule is active. To disable a rule, deselect its checkbox.

Apply and Filter When Apply is clicked, the table shows only those numbers specified by Filter. You can
type a regular expression here, for example:
^AA Find all terms that begin with AA.
BB$ Find all terms that end with BB.
CC Find all terms that contain CC.
To see the full list again, clear Filter and click Apply.

Option definitions - Editable spam rules


You can edit specific anti-spam rules from the user interface. All editable rule names begin with EDT_.
The following list shows examples of editable rules.
Table 4-75

Editable spam rules

Rule name

Trigger condition

EDT_ SDHA_SMP_HMS_FRM Null sender

220

Description
This rule triggers when the MAIL FROM has a null
sender.

EDT_ SDHA_HMS_FRM

Header From missing This rule triggers when the header From is missing or
empty.

EDT_SDHA_FRM_INV

Header From invalid

McAfee Email Gateway 7.6.400 Appliances

This rule triggers when the 822 header is an invalid


email address.

Product Guide

Overview of Email menu


Email Policies

Table 4-75

Editable spam rules (continued)

Rule name

Trigger condition

Description

EDT_SDHA_ADR_FRG

Address forged

This rule triggers when there is a mismatch in either


the local or the domain part of the email address
between 821 and 822 headers.

EDT_SDHA_DMN_FRG

Domain forged

This rule triggers when there is a mismatch in the


domain part of the email address between 821 and 822
headers.

Task Configure spam rules


You can enable or disable individual spam rules for any Email Gateway policy.
Before you begin
You must have at least one policy defined before you can configure spam rules.
Task
1

From the Email Gateway opening screen, select the Email tab.
The screen defaults to the Email Policies screen,

Select a protocol.
You can choose SMTP, POP3, or McAfee Secure Web Mail.

In the Policy List screen, click the Spam: link.


The Default Anti-Spam Settings window opens.

Select Spam Rules.

Select Yes to enable anti-spam scanning.

Enable or disable individual spam rule by selecting or deselecting the Enabled checkbox.

Click Okay, then save your changes.

Task Edit a spam score


You can edit the spam score for specific anti-spam rules.
You can change the point score for spam rules that begin with EDT_.
Task
1

Select Email | Email Policies | Spam.


The Default Anti-Spam Settings (SMTP) window opens.

Click the Spam Rules tab to see the list of existing rules.

Select any editable rule.


Spam rules that begin with the prefix EDT_ can be changed from their default scores.
Find these editable rules by typing EDT_ in the Filter field and selecting Apply.

Change the current spam score, then click OK.


The new score is saved.

When an email message triggers this rule, Email Gateway applies the edited score.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

221

Overview of Email menu


Email Policies

See also
Option definitions Spam Rules on page 219
Option definitions - Editable spam rules on page 220
Sender Authentication Settings McAfee Global Threat Intelligence message reputation on
page 227

Configuring spam terms


Use spam terms to prevent unsolicited email messages from reaching your users.

Email | Email Policies | Spam | Spam Terms


Contents
Benefits of scoring spam terms
Option definitions Spam terms
Task Create a dictionary of spam terms
Task Create a dictionary of spam term exclusions
Task Use the spam terms and spam term exclusions dictionaries to modify spam scores

Benefits of scoring spam terms


McAfee Email Gateway uses several methods to catch unsolicited (spam) email messages to prevent
them from reaching your users. One of these methods is to measure the "spam score" of a message,
and to take appropriate actions based on that score.
McAfee Email Gateway can search incoming email messages for terms that appear within either
predefined or custom dictionaries, and then to add to the spam score for that message.

Option definitions Spam terms


You can specify which dictionaries to use to modify the spam score for incoming messages.
Table 4-76 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

222

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-77 Option definitions Anti-Spam Terms


Option

Definition

Dictionaries Lists the dictionaries that are used to match terms within email messages and to modify
the spam scores for that message.
If you have configured your McAfee Email Gateway to scan for Graymail, the predefined
Graymail dictionary is automatically added to this list. If you have not configured Graymail
from the Setup Wizard, you can manually add this dictionary to the Dictionaries list.

Exclusions

Use a custom dictionary to define a list of terms that cause the email message containing
the terms defined within the configured Dictionaries to be whitelisted.

Score

The value used to modify the total spam score for the message.
For terms to be considered as spam, add a positive value in this field.
For terms to not be considered as spam, add a negative value.

Add Term

Opens a window to define further dictionaries that are used to modify spam scores.

Task Create a dictionary of spam terms


Create a dictionary for terms that you find in spam messages that your users are receiving.
Task
1

Select Email | DLP and Dictionaries | Compliance Dictionaries.

At the bottom of the Dictionaries list, click Add Dictionary.

Enter a name for the dictionary; for example, Spam Terms.


Optionally, enter a description for this dictionary.

Define whether to use simple string matching or regular expressions for this dictionary.

Click OK.
An empty dictionary is created.

Use the Add OR condition, Add AND Condition, and Insert Term buttons to define the terms to be added to
the new dictionary and to configure the relationships between the terms.

Click OK.

Apply the changes.

Task Create a dictionary of spam term exclusions


Create a dictionary of terms that, when discovered in a message, are used to whitelist that message.
Task
1

Select Email | DLP and Dictionaries | Compliance Dictionaries.

At the bottom of the Dictionaries list, click Add Dictionary.

Enter a name for the dictionary; for example, Spam Term Exclusions.
Optionally, enter a description for this dictionary.

Define whether to use simple string matching, or regular expressions for this dictionary.

Click OK.
An empty dictionary is created.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

223

Overview of Email menu


Email Policies

Use the Add OR condition, Add AND Condition, and Insert Term buttons to define the exclusion terms to be
added to the new dictionary and to configure the relationships between the terms.

Click OK.

Apply the changes.

Task Use the spam terms and spam term exclusions dictionaries to modify spam
scores
Use the dictionaries containing the spam terms and spam term exclusions to modify the spam scores
for the email messages.
Before you begin
Before attempting this task, ensure that you have created suitable dictionaries containing
spam terms and spam term exclusions.
Task
1

Select Email | Email Policies | Spam | Spam Terms.

Click Add Term.

Click Select a dictionary.

Search for the dictionaries containing the required spam terms (in the example, this was Spam
Terms).

Select the required dictionaries, then click OK.

If needed, in the Exclusions column, click No exclusions.


Exclusions are used to negate the impact of finding a spam term in a message if a further term, that
is included within the exclusions list, is also found.

Search for the dictionaries containing the required spam term exclusions .

Select the required dictionaries, then click OK.

In the Score field, enter the score to be added to the total spam score for each message.

10 Click OK.
11 Apply your changes.

Configuring Anti-Phish settings


Use this information to understand how to configure your Email gateway to protect your users from
Phishing emails.

Email | Email Policies | Spam | Phish


Contents
Benefits of Anti-Phish scanning
Option definitions Anti-Phish

224

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Benefits of Anti-Phish scanning


Learn about the benefits of enabling Anti-Phish scanning on your Email Gateway.
Phishing is the illegal activity of using spoofed email messages to persuade unsuspecting users to
disclose personal identity and financial information. Criminals can use the stolen identity to
fraudulently obtain goods and services and to steal directly from bank accounts.
Configuring the anti-phish settings within your appliance helps to protect your users and your
organization from the illegal phishing activities.

Option definitions Anti-Phish


Use this page to specify how to handle phishing email.

Enable anti-phish scanning for "policy name"


Option

Definition

Enable anti-phish scanning

When selected, enables anti-phish scanning of email messages.

Table 4-78 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

Reporting options
Option

Definition

Add a prefix to the subject


line of phishing messages

When selected, adds a prefix to help users to see phishing messages in their
email inbox quickly.
Specifies text for the prefix.
We recommend that you do not use characters from multi-byte (extended)
character sets here unless the re-encoding is UTF-8.

Default value is ****Possible Phish****.


Add a phish indicator header
to messages

When selected, adds an indicator in the email X-header, which enables other
software to process or analyze the message further.

Attach a phish report

When selected, attaches a report to the email message, which explains why
the email message was marked as phish.

Verbose reporting

When selected, provides a fuller report, providing descriptions of the names


of the rules that have triggered.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

225

Overview of Email menu


Email Policies

Actions
Option

Definition

If a phishing attempt Provides a main action to take against the phish message. The options available
is detected
are:
Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Route to an alternate relay (Reroute)

Accept and then drop the data (Block)

Allow Through (Monitor)

If the action to take against email is Route to an alternate relay, you can click a Manage the
list of relays link to a list of other devices that will handle the email instead.

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
Notification email options
Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.

226

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.

If an anti-phishing
action results in an
alert

Enables you to use the default anti-phish alert message, or to change the text to
create your own message.
You can also choose the following options:
Do not attach the original message
Attach the original message in RFC822 format
Attach the original message in plain text format

Sender Authentication Settings McAfee Global Threat Intelligence


message reputation
Use this page to specify the actions to take against known senders of spam.
The appliance uses McAfee Global Threat Intelligence message reputation to identify senders of spam
email messages.
Sender authentication checks are made at different times during the email conversation. For example,
Real-time Blackhole List checks are made during the CONNECT phase of the conversation, BATV and
SPF checks are made during the EHLO/MAIL FROM phase and McAfee Global Threat Intelligence
message reputation takes place during the DATA phase.
McAfee Global Threat Intelligence message reputation is based on sender details, for example, Source
IP address or Sender email address. Message reputation does not work at the SMTP protocol level.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

227

Overview of Email menu


Email Policies

Table 4-79 Option definitions Higher Detection Threshold


Option

Definition

Enable McAfee GTI


Message Reputation at
the higher detection
threshold

The feature is enabled by default.

Detection threshold

Select an appropriate detection threshold for the higher detections. The available
options are:
Highly suspect
Suspect
Custom
The default threshold is Highly Suspect.
When Custom is selected, you also need to enter the appropriate Threshold value.

If the sender fails the


check

Provides actions to take. For example:


Allow Through (Monitor) Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings | Cumulative
score and other options tab.
Add to score Combines the results of several methods of sender authentication.
Select the score to be added.
Accept and Drop the data (Block) Accepts the connection, but blocks the message
from being delivered, returning a 250 SMTP code to the sending MTA.
Reject (Block) Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
Reject and close (Block) Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of
combating spam, as it deals with the message itself (reject), the connection
(close) and adds the sending server to the deny list.
The default action is Reject, close and deny (Block)

Whenever you choose Add to score as your action, you have the option to edit the current score if
necessary. Change the score in the data field.

228

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-80 Option definitions Lower Detection Threshold


Option

Definition

Enable McAfee GTI


The feature is disabled by default.
Message Reputation at
the lower detection
threshold
Detection threshold

Select an appropriate detection threshold for the lower detections. The available
options are:
Highly suspect
Suspect
Custom
The default threshold is Highly Suspect.
When Custom is selected, you also need to enter the appropriate Threshold value. This
value should be lower than the value set for the Higher Detection Threshold.

If the sender fails the


check

Provides actions to take. For example:


Allow Through (Monitor) Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings | Cumulative
score and other options tab.
Add to score Combines the results of several methods of sender authentication.
Select the score to be added.
Accept and Drop the data (Block) Accepts the connection, but blocks the message
from being delivered, returning a 250 SMTP code to the sending MTA.
Reject (Block) Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
Reject and close (Block) Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of
combating spam, as it deals with the message itself (reject), the connection
(close) and adds the sending server to the deny list.
The default action is Accept and drop (Block)

Whenever you choose Add to score as your action, you have the option to edit the current score if
necessary. Change the score in the data field.

Sender Authentication Settings RBL Configuration


Use this page to specify the locations of lists of IP addresses that are known to send spam.
By default the appliance is configured to use the McAfee Blackhole list, cidr.bl.mcafee.com.
You are able to add as many RBL servers as you require. The appliance will query each server in the
order they are shown in the user interface until a match is found, when it will take the specified
action. McAfee recommends that you place the RBL servers in the order that they are most likely to
trigger to reduce the number of lookups the appliance carries out for each incoming connection.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

229

Overview of Email menu


Email Policies

Table 4-81 Option definitions


Option

Definition

Enable RBL lookup The feature is enabled by default.


Domain name

Specifies locations of servers that maintain real-time blackhole lists.

If the sender fails


the check

Provides actions to take. For example:


Allow Through (Monitor) Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings | Cumulative
score and other options tab.
Add to score Combines the results of several methods of sender authentication.
Select the score to be added.
Accept and Drop the data (Block) Accepts the connection, but blocks the message from
being delivered, returning a 250 SMTP code to the sending MTA.
Reject (Block) Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
Reject and close (Block) Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method of
combating spam, as it deals with the message itself (reject), the connection
(close) and adds the sending server to the deny list.
The default action is Reject, close and deny (Block)

Sender Authentication Settings SPF, Sender ID and DKIM


Use this page to specify settings for techniques that determine whether the sender of an email
message is genuine.
These techniques reduce the workload for the appliance, because they reject suspicious email without
the need for scanning.
The appliance can take various actions according to whether the email passes or fails each check. You
can use each type of authentication separately or combine the techniques by using scoring (or
"weighting").
Table 4-82 Option definitions
Option

Definition

Enable SPF or Enable


sender ID

When selected, enables Sender Policy Framework (SPF) or Sender ID on the


appliance.

Add an SPF header to


email, Add a sender ID
header to email, Add a
verification result header
to emails or Add a
FCrDNS header to emails

After verifying an email message, the appliance attaches its own header to the
email message, which indicates to other mail servers in your organization that
the email message has been verified.

If selected, adds an extra header line to the email message.

The headers include:


Received-SPF header
Received-PRA header
X-NAI_DKIM_Results header

230

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-82 Option definitions (continued)


Option

Definition

If the sender fails the


check

Provides actions to take. For example:


Allow Through (Monitor) Lets the message pass to its intended recipients, but
information is retained within the logs and reports.
Tarpit - Delays the response to the email message. By default, the delay is 5
seconds, and is configurable from the Default Sender Authentication Settings |
Cumulative score and other options tab.
Add to score Combines the results of several methods of sender
authentication.
Select the score to be added.
Accept and Drop the data (Block) Accepts the connection, but blocks the message
from being delivered, returning a 250 SMTP code to the sending MTA.
Reject (Block) Blocks the message from being delivered, and returns the
appropriate code to the sending MTA.
Reject and close (Block) Blocks the message from being delivered, returns
appropriate code to the sending MTA and the closes the connection.
Reject, close and deny (Block) - Kernel Mode Blocking. This is an effective method
of combating spam, as it deals with the message itself (reject), the
connection (close) and adds the sending server to the deny list.

If the sender passes the


check

Provides actions to take. For example:


Allow through (Monitor) - lets the message move to the next stage.
Add to score - combines the results of several methods of sender authentication.

Enable DKIM verification

Select to enable DomainKeys Identified Mail (DKIM) verification of email


messages.

Enable FCrDNS

Select to enable Forward-Confirmed reverse DNS lookups to provide weak


verification of email messages.

Sender Authentication Settings Cumulative Score and Other Options


Use this page to specify various options, including scoring techniques for authenticating senders.
If no method is entirely effective against untrusted senders, or some methods work better than others
in your network, you can associate scores to each method to refine the overall detection. To ensure
scoring works correctly, select Add to score as the action for every method that is in use.
Table 4-83 Option definitions
Option

Definition

Check the total added score, Score


threshold, If this threshold is reached

Uses scores from several methods of sender authentication to


determine the action to take against an email message when its
sender cannot be authenticated.

Delay period when tarpitting

Specifies a delay when acknowledging the sending of an email. The


default value of 5 seconds is often effective in deterring a
denial-of-service attack.

Parse the email headers for sender


address if behind an MTA and Number
of hops to the MTA

If the appliance is preceded by Mail Transfer Agents (MTAs), specify


the number of hops from the appliance to the MTA. The appliance
can then parse the email headers to find the original sender and
check against that IP address.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

231

Overview of Email menu


Email Policies

Task Apply Sender Policy Framework checks to sub-policies


Configure McAfee Email Gateway to apply Sender Policy Framework (SPF) checks to sub-policies.
If you create sub-policies that include Sender/Recipient Address, Sender Policy Framework (SPF) is by
default, triggered by the default policy rather than by the sub-policy.
This is because SPF checks are performed during the Mail From phase of the SMTP conversation. To
change this default behavior, you need to force the SPF checks to be carried out after the DATA phase
of the SMTP conversion starts.
Task
1

Navigate to Email | Email Policies | Spam | Sender Authentication | Cumulative Score and Other Options.
Cumulative Score and Other Options is available from the drop-down list on the Default Sender Authentication
Settings (SMTP) window tab bar.

Select Parse the email headers for sender address if behind an MTA.

Click OK.

Apply changes.

SPF checks are now carried out after the DATA phase of the SMTP conversation starts.

Benefits of adding sender authentication results to spam scores


Adding sender authentication results to spam scores allows better control over possible actions.
You can add sender authentication scores to the spam scores for specific editable spam rules. Editable
rules begin with EDT_.

Adding sender authentication results to the spam score


These examples illustrate how you might configure sender authentication scores as part of the overall
spam scores.
Issue You have enabled McAfee Global Threat Intelligence message reputation, but would like to
exempt a set of recipients.
Solution Configure McAfee GTI message reputation to add to spam score and create a policy
exception in the anti-spam settings of the corresponding policy for the wanted recipients.
Issue You have enabled McAfee GTI message reputation and would like to send out a notification
whenever Email Gateway takes a block action.
Solution Configure McAfee GTI message reputation to add to spam score and choose the wanted
notification email option in the anti-spam settings of the corresponding policy.
Issue You have enabled Sender Policy Framework (SPF) and would like the soft fail condition to
contribute to the overall spam score, rather than just blocking or allowing the mail through.
Solution Configure SPF to add to spam score and choose a score-based action in the anti-spam
settings of the corresponding policy
See also
Benefits of configuring spam rules on page 218
Task - Add sender authentication results to a spam score on page 233
Task Exempt a recipient from a McAfee GTI reputation check on page 233
Task Send a notification when a McAfee GTI check blocks a message on page 234
Task Add to spam score when SPF results in a soft fail on page 234

232

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Task - Add sender authentication results to a spam score


Adding sender authentication scores to the spam score permits flexibility in detecting spam.
After you add sender authentication results to the spam score, the final action Email Gateway takes
depends on the overall spam score and the score-based actions configuration. Each individual sender
authentication result can contribute to a score, and action can be taken if this cumulative score
exceeds a threshold.
Task
1

Select Email | Email Policies | Sender Authentication.


The Default Sender Authentication Settings (SMTP) window opens.

Select Yes to enable sender authentication.

Select Message Reputation, then select the checkbox to Enable McAfee GTI Message Reputation at the higher
detection threshold.

For If the sender fails the check, select the action Add to score, a then type the value you want to add.

Click OK.
The Default Sender Authentication Settings (SMTP) window closes.

Select Email | Email Policies | Spam.


The Default Anti-Spam Settings (SMTP) window opens.

Select Yes to enable anti-spam scanning.

Select Spam Rules.


The list of currently configured spam rules populates.

Select a rule you want to configure, then type the score that triggers the rule.

10 Click OK.
The Default Anti-Spam Settings (SMTP) window closes.
11 Select Spam.
The Default Anti-Spam Settings (SMTP) window opens.
12 Configure any Additional score-based actions you want.
13 Click OK.
The Default Anti-Spam Settings (SMTP) window closes.
14 Click the green checkmark icon to apply your changes.
See also
Spam rules that support adding sender authorization scores on page 235

Task Exempt a recipient from a McAfee GTI reputation check


Create policy exceptions to refine the way McAfee Email Gateway applies your policies.
Before you begin
This task assumes that you have configured adding McAfee GTI reputation scores to the
spam score.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

233

Overview of Email menu


Email Policies

You must be familiar with policy exceptions in McAfee Email Gateway.


Task
1

Select Email | Email Policies (SMTP).

For the policy you want to configure, select Spam.


The Anti-Spam Settings window opens.

Configure an Anti-Spam policy exception for the required recipient. Disable Anti-Spam.

Click OK, then save your changes.

The messages for the specific recipient are exempt from McAfee GTI reputation checks, and do not
add authentication scores to the spam score.

Task Send a notification when a McAfee GTI check blocks a message


Configure notifications to alert individuals or groups when a reputation check blocks a message.
Before you begin
Before you can configure this option, you must configure Global Threat Intelligence
message reputation checks.
Task
1

Select Email | Email Policies (SMTP).

For the policy you want to configure, select Spam.


The Anti-Spam Settings window opens.

Configure the desired notifications in the anti-spam settings.

Select Spam Rules.


The list of configured rules populates.

Ensure that the score for the EDT rule you are applying exceeds the configured threshold.

Click OK, and save your changes.

Task Add to spam score when SPF results in a soft fail


You can add authentication results to the spam score when Sender Policy Framework detects a soft
failure.
Before you begin
To configure this action, you must first configure McAfee Email Gateway to add sender
authentication results to the spam score.
Task
1

Select Email | Email Policies (SMTP).

In the Spam column, select Sender Authentication.


The Sender Authentication window opens.

234

Select SPF, Sender ID, DKIM and FCrDNS.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Enable SPF, then select Allow through (Monitor) as the action for If the sender fails the check.

Click OK.
The Sender Authentication window closes.

Select Spam.
The Anti-Spam Settings window opens.

Select Spam Rules, then select the EDT_SA_SP_SOFT_FAIL rule.

Type the score that triggers the rule, then click OK.
The Anti-Spam Settings window closes.

Save your changes.

Spam rules that support adding sender authorization scores


Certain editable spam rules support adding sender authentication results to the total spam score.
Table 4-84

Spam rules that support sender authentication scores

Editable spam rule

Description

EDT_SA_AU_FAIL

Triggers when the overall sender authentication score exceeds the


configured sender authentication cumulative score threshold

EDT_SA_AU_PASS

Triggers when the overall sender authentication score does not exceed
the configured sender authentication cumulative score threshold

EDT_SA_BV_FAIL

Triggers when BATV check fails

EDT_SA_BV_PASS

Triggers when BATV check passes

EDT_SA_DK_FAIL

Triggers when DKIM check results in a fail action

EDT_SA_DK_NEUTRAL

Triggers when DKIM check results in a neutral action

EDT_SA_DK_NONE

Triggers when DKIM check results in a none action

EDT_SA_DK_PASS

Triggers when DKIM check results in a pass action

EDT_SA_DK_PERM_ERROR Triggers when DKIM check results in a perm error action


EDT_SA_DK_SOFT_FAIL

Triggers when DKIM check results in a soft fail action

EDT_SA_DK_TEMP_ERROR Triggers when DKIM check results in a temp error action


EDT_SA_DN_FAIL

Triggers when Deny List check results in a fail action

EDT_SA_DN_PASS

Triggers when Deny List check results in a pass action

EDT_SA_FD_FAIL

Triggers when FCrDNS check results in a fail action

EDT_SA_FD_PASS

Triggers when FCrDNS check results in a pass action

EDT_SA_PR_FAIL

Triggers when Permitted recipient check results in a fail action

EDT_SA_PR_PASS

Triggers when Permitted recipient check results in a pass action

EDT_SA_RB_FAIL

Triggers when Real-Time Black hole lists (RBL) check results in a fail
action

EDT_SA_RB_NONE

Triggers when Real-Time Black hole lists (RBL) check results in a none
action

EDT_SA_RB_PASS

Triggers when Real-Time Black hole lists (RBL) check results in a pass
action

EDT_SA_SI_HARD_FAIL

Triggers when Sender ID check results in a hard fail action

EDT_SA_SI_NEUTRAL

Triggers when Sender ID check results in a neutral action

McAfee Email Gateway 7.6.400 Appliances

Product Guide

235

Overview of Email menu


Email Policies

Table 4-84

Spam rules that support sender authentication scores (continued)

Editable spam rule

Description

EDT_SA_SI_NONE

Triggers when Sender ID check results in a none action

EDT_SA_SI_PASS

Triggers when Sender ID check results in a pass action

EDT_SA_SI_PERM_ERROR

Triggers when Sender ID check results in a perm error action

EDT_SA_SI_SOFT_FAIL

Triggers when Sender ID check results in a soft fail action

EDT_SA_SI_TEMP_ERROR

Triggers when Sender ID check results in a temp error action

EDT_SA_SP_HARD_FAIL

Triggers when SPF check results in a hard fail action

EDT_SA_SP_NEUTRAL

Triggers when SPF check results in a neutral action

EDT_SA_SP_NONE

Triggers when SPF check results in a none action

EDT_SA_SP_PASS

Triggers when SPF check results in a pass action

EDT_SA_SP_PERM_ERROR Triggers when SPF check results in a perm error action


EDT_SA_SP_SOFT_FAIL

Triggers when SPF check results in a soft fail action

EDT_SA_SP_TEMP_ERROR Triggers when SPF check results in a temp error action


EDT_SA_TS_FAIL

Triggers when McAfee GTI message reputation check results in a fail


action

EDT_SA_TS_NONE

Triggers when McAfee GTI message reputation check results in a none


action

EDT_SA_TS_PASS

Triggers when McAfee GTI message reputation check results in a pass


action

EDT_SA_TS_TEMP_ERROR Triggers when McAfee GTI message reputation check results in a temp
error action
EDT_SA_TS_TIMEOUT

Triggers when McAfee GTI message reputation check query times out

Compliance policy settings


Use the Compliance policies to manage file and mail size filtering, configure data loss prevention
settings, ensure message compliance through the use of compliance dictionaries, and detect possible
pornographic images using Image filtering or to specify settings for handling signed or encrypted
content.

File Filtering
Use this page to specify actions against different types of files. This is known as file filtering.

Email | Email Policies | Compliance | File filtering


The default policy values are normally suitable, but you might need another policy to allow the
occasional transfer of large, deeply nested files, or to investigate possible attacks.

236

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Benefits of file filtering


Use this topic to gain a better understanding of file filtering.
You can use filters to restrict the use of certain file types. For example:

File format If your organization's valuable information is in databases or other special files, it is
important to control the movement of these files. The appliance examines files based on their true
content.
Any file can be made to masquerade as another. A person with malicious intent might rename the
important database file customers.mdb to notes.txt, attempting to transfer that file undetected.
Fortunately, you can configure the appliance to examine each file based on its content or file
format, and not on its file name extension alone.
You can also define the types of file that are sent to your Advanced Threat Defense appliances (if
applicable) by selecting the categories and subcategories of files. Also, you can create rules to, for
example, prevent small graphics files being sent for further scanning by Advanced Threat Defense,
while still sending larger files of the same formats for advanced scanning.

File name Some graphic file formats such as bitmap (.bmp) use large amounts of computer
memory and can affect network speed when transferred. You might prefer that users work with
other more compact formats such as .gif, .png, or .jpeg.
If your organization produces computer software, you might see executable (.exe) files moving
around the network. Within another organization, those files might be games or illegal copies of
software. Similarly, unless your organization regularly handles movie files (MPEG or MPG), they are
probably for entertainment only. A file filtering rule that examines the file extension name can
restrict the movement of these files.
Financial information might have file names like Year2008.xls or 2008Results. A file filter that
matches the text 2008 can detect the movement of these files.

File protection status You can create a rule to take a configured action on all files that have a
protected status, such as files that are password-protected.

File size Although you might allow graphic files to be moved around your network, you can
restrict their size to prevent the service running too slowly for other users.

When you create settings to control the use of any file, remember that some departments within your
organization might need fewer constraints. For example, a marketing department might need large
graphic files for advertising.
This feature is not available to the POP3 protocol.

File filtering rules and Advanced Threat Defense


For the Advanced Threat Defense - Supported formats options within your file filtering rules to have effect, you
must have:

One or more Advanced Threat Defense appliances configured within your network

Configured Email Gateway to communicate with your Advanced Threat Defense appliances

Enabled Advanced Threat Defense scanning within your Email Gateway

Example file filtering rule


Issue Your company email templates include a small graphic of your corporate logo. However,
when you receive reply messages that include original email messages from within your company,
these graphics are getting sent to your Advanced Threat Defense appliances for further analysis, tying
up bandwidth and resources.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

237

Overview of Email menu


Email Policies

Solution Create a file filtering rule that excludes your corporate logo file from Advanced Threat
Defense scanning, as long as the file name matches and is below a certain size.
See also
Task Configure Email Gateway to communicate with your Advanced Threat Defense
appliances on page 476
Task Configure Advanced Threat Defense policies on page 190

Option definitions Default File Filtering Settings (SMTP)


Use this page to configure and manage SMTP file filters.
Table 4-85 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-86 Option definitions File Filtering Rules
Option

Definition

Order

Displays the order in which the filters are applied. To change the order,
click icons in the Move column.

Rule Name

Displays the rule name.

If Triggered

Displays the action to take. Click the link to change the primary and
secondary actions associated with the rule.

Add Rule

Opens a further window where you can specify the types of file you want
to detect.

If a file filtering action results in


an alert

Select to use the default alert message, or click Change the default alert text to
open a further window where you can change the alert message that is
issued after a detection.

Task Exclude logo files from ATD scans


To prevent multiple copies of your corporate logo graphics file being sent for advanced scanning,
create a file filtering rule to exclude it from being sent to Advanced Threat Defense.
Before you begin
You must have:

238

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

One or more Advanced Threat Defense appliances configured within your network

Configured Email Gateway to communicate with your Advanced Threat Defense


appliances

Enabled Advanced Threat Defense scanning within your Email Gateway

Configured Advanced Threat Defense to scan graphics files found within email messages

The Do not scan the attachment with Advanced Threat Defense option is only available when the primary action is set
to Allow through.

Task
1

Navigate to Email | Email Policies | Compliance | File filtering.


The Default File Filtering Settings (SMTP) dialog box is displayed.

Select Yes to enable file filtering.

Click Add Rule.


The New Rule dialog box is displayed.

Enter a name for this rule, for example, Exclude Logo from ATD.

Select Continue scanning if rule triggers so that other attachments may be scanned.

Click Clear selections to deselect all categories and subcategories.

Within Advanced Threat Defense - Supported formats, select Graphics/Presentation: Portable Network Graphics Format or
other appropriate file subcategory.
This ensures only .png files are impacted by this rule.

Select Naming Filtering and click Enable file name filtering.

Enter the name of the file to be excluded from Advanced Threat Defense scanning, for example,
companylogo.png. Click OK.
The new file filtering rule is created.

10 Click the If Triggered link for the new rule.


The Actions dialog box is displayed.
11 From And also | Other actions, select Do not scan the attachment with Advanced Threat Defense.
12 Click OK.
13 Click OK and apply your changes.
When a reply email is received that contains your corporate logo within the original message body, the
file is excluded from being sent to your Advanced Threat Defense appliances. For a further level of
protection, you can also configure the rule so that the filename must match, and the file must be
below a configured size. This prevents someone renaming another, larger file to match your corporate
logo file, and then bypassing your Advanced Threat Defense scans.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

239

Overview of Email menu


Email Policies

Data Loss Prevention settings


Use this page to create a policy that assigns data loss prevention actions against the registered
document categories.

Email | Email Policies | Compliance | Data Loss Prevention

Benefits of using Data Loss Prevention (DLP)


You can choose to restrict the flow of sensitive information sent in email messages by SMTP through
the appliance using the Data Loss Prevention feature. For example, by blocking the transmission of a
sensitive document such as a financial report that is to be sent outside of your organization. Detection
occurs whether the original document is sent as an email attachment, or even as just a section of text
taken from the original document.
Configuring DLP takes place in two phases:

Registering the documents that you want to protect

Setting the DLP policy to action, and control the detection (this topic)
If an uploaded registered document contains embedded documents, their content is also fingerprinted
so the combined content is used when calculating the percentage match at scan time. To have
embedded documents treated individually, they must be registered separately.

Option definitions Data Loss Prevention


Use this information to understand the controls available from within the Data Loss Prevention dialog
box.
Table 4-87 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

240

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition

Yes, No, or Use the


same settings as the
default policy

Select to activate the Data Loss Prevention policy settings

Document match
percentage

The percentage of the original registered document which must be seen in order
to trigger DLP. For example, if you register two documents; one with 100 pages
of content, and another with 10 pages, a setting of 30% would require 30 pages
to match the document with 100 pages, and just 3 pages to match the document
of 10 pages.
The algorithm involved in DLP is sophisticated and involves text normalization,
common word removal, and signature generation. These figures offer a guideline
only.

Number of consecutive Set the number of sequential signatures which will cause a trigger. For example,
signatures (advanced): if you register two documents; one with 100 pages of content, and another with
10 pages, use this feature to detect a small section of the original content,
irrespective of its original size.
The algorithm involved in DLP is sophisticated and involves text normalization,
common word removal, and signature generation. An approximate guide is that 1
signature represents 8 words of text after common words have been removed.

Rules

Select the box to show or hide the list of existing DLP rules.

Create new rule

This list is empty until you set up categories for registered documents. Click the
link to create a new data loss prevention rule based on the categories that you
set in Registered Documents.
This opens a dialog box to allow you to select one or more DLP categories.

Exclusions

Select the box to show or hide the list of existing document exclusions.

Create document
exclusion

This list is empty until you register documents. Click the link to specify registered
documents to exclude from this policy.
This opens a dialog box to allow you to select one or more documents to be
excluded from the rule.

If a Data Loss
Prevention action
results in an alert

When selected, issues the default alert upon detection. When deselected, allows
you to click the link, then change the text of the alert.

Task Prevent a sensitive document from being leaked


Use this task to block sensitive financial documents from being sent outside your organization.
Before you begin
This example assumes that you have already created a Finance category.
Task
1

Select Email | Email Policies | Compliance | Data Loss Prevention.

In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.

Click Create new rule, select the Finance category, and click OK to have the category appear in the Rules
list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

241

Overview of Email menu


Email Policies

Select the action associated with the category, change the primary action to Deny connection (Block),
and click OK.

Click OK again, and apply the changes.

Task Block a section of the document


Use this task to block just a small section of the document from being sent outside your organization.
Task
1

Select Email | Email Policies | Compliance | Data Loss Prevention.

In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.

Enable the consecutive signatures setting, and type the number of consecutive signatures against
which the DLP policy will trigger a detection. The level is set to 10 by default.

Click Create new rule, select the Finance category, and click OK to have the category appear in the
Rules list.

Select the action associated with the category, change the primary action to Deny connection (Block),
and click OK.

Click OK again, and apply the changes.

Task Exclude a specific document for a policy


Use this task to prevent a specific financial document from triggering the DLP policy settings.
Task
1

Select Email | Email Policies | Compliance | Data Loss Prevention.

In the Default Data Loss Prevention Settings dialog box, click Yes to enable the policy.

Click Create document exclusion, select the document you want to ignore for this policy, and click OK.

Click OK again, and apply the changes.

Mail Size Filtering Settings


Use the Mail Size Filtering Settings to specify maximum message size, attachment size, and number of
attachments that can be scanned in any one message.

Email | Email Policies | Compliance | Mail size filtering

Benefits of filtering messages based on their size or attachments


Scanning messages based on their size or attachments can help to alert you to potential
denial-of-service attacks entering your email gateway.
This policy contains the following options:

242

Message Size

Attachment Size

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Attachment Count

Options

The default policy values are normally suitable, but you might need another policy to allow the
occasional transfer of large numbers of large email messages, or the occasional transfer of large
attachments within email messages, or the number of attachments within email messages, or to
investigate possible attacks.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.

Option definitions Mail Size Filtering Settings | Message Size


Use this page to specify how to handle large email messages.
Table 4-88 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Option

Definition

If the message size


exceeds

Specifies the limit. The default values are:


Message size - 100000KB (100MB).
Use the message size only as a guide. When encoded, a message can become up to
33% larger. To use the actual size of the message, select Decode email parts for the
purposes of size calculation from the Options tab.

(Menu)

Provides a main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

243

Overview of Email menu


Email Policies

Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

244

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If attachments are
replaced with an
alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Option definitions Mail Size Filtering Settings | Attachment Size


Use this page to specify how to handle large attachments within email messages.
Table 4-89 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-90 Option definitions Specify a maximum attachment size
Option

Definition

If an attachment size
exceeds

Specifies the limit. The default values are:


Attachment size - 32000KB (32MB).
Use the attachment size only as a guide. When encoded as an attachment, a file
can become up to 33% larger. To use the actual size of the attachments, select
Decode email parts for the purposes of size calculation from the Options tab.

(Menu)

Provides a main action to take. The available options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

245

Overview of Email menu


Email Policies

Table 4-90 Option definitions Specify a maximum attachment size (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

246

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-90 Option definitions Specify a maximum attachment size (continued)


Option

Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If attachments are
replaced with an alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Table 4-91 Option definitions Specify the maximum size of all attachments
Option

Definition

If the size of all


attachments exceeds

Specifies the limit for the combined size of all attachments. The default values
are:
Size of all attachments - 64000KB (64MB).
Use the attachment size only as a guide. When encoded as an attachment, a file
can become up to 33% larger. To use the actual size of the attachments, select
Decode email parts for the purposes of size calculation from the Options tab.

(Menu)

Provides a main action to take. The available options are:


Deny connection (Block)
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Replace all attachments with a single alert (Modify)
Remove all attachments (Modify)
Allow Through (Monitor)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

247

Overview of Email menu


Email Policies

Table 4-91 Option definitions Specify the maximum size of all attachments (continued)
Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

248

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-91 Option definitions Specify the maximum size of all attachments (continued)
Option

Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If attachments are
replaced with an alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Option definitions Mail Size Filtering Settings | Attachment Count


Use this page to specify how to handle large numbers of attachments within email messages.
Table 4-92 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Option

Definition

If the attachment
count exceeds

Specifies the limit. The default values are:

(Menu)

Provides a main action to take. The available options are:

Attachment count - 500.

Deny connection (Block)


Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Replace all attachments with a single alert (Modify)
Remove all attachments (Modify)
Allow Through (Monitor)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

249

Overview of Email menu


Email Policies

Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

250

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If attachments are
replaced with an
alert

Select to use the default alert.


Click change the default alert text to view or change this alert message.

Option definitions Mail Size Filtering Settings | Options


Specify options relating to Mail Size Filtering.
Table 4-93 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-94 Option definitions Options
Option

Definition

Decode email parts for the purposes of size


calculation

When selected, McAfee Email Gateway decodes the


attachments and other parts within email messages so that
their actual size can be calculated.

Compliance Settings
Use this page to create and manage compliance rules.

Email | Email Policies | Compliance | Compliance

Benefits of the compliance settings


Use compliance scanning to assist with conformance to regulatory compliance and corporate operating
compliance. You can choose from a library of predefined compliance rules, or create your own rules
and dictionaries specific to your organization.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

251

Overview of Email menu


Email Policies

Compliance rules can vary in complexity from a straightforward trigger when an individual term within
a dictionary is detected, to building on and combining score-based dictionaries which will only trigger
when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can
be combined using logical operations of any of, all of, or except.

Option definitions Default Compliance Settings (SMTP)


This information describes the options available on this page.
Table 4-95 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Option

Definition

Enable compliance

Select to activate the Compliance policy settings.

Rules

Lists the configured compliance rules.

Create new rule

Click to open a wizard that creates a new compliance rule.

Create new rule from template

Click to open a wizard that lists the predefined compliance rules.

If a compliance action results in an alert When selected, issues the default alert upon detection. When
deselected, allows you to click the link, then change the text of the
alert.

Task Block messages that violate a policy


Use this to task to block messages that violate a threatening language policy.
Task

252

Select Email | Email Policies | Compliance.

In the Default Compliance Settings dialog box, click Yes to enable the policy.

Click Create new rule from template to open the Rule Creation Wizard.

Select the Acceptable Use - Threatening Language policy, and click Next.

Optionally change the name of the rule, and click Next.

Change the primary action to Deny connection (Block), and click Finish.

Click OK and apply the changes.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Task Create a simple custom rule


Use this task to create a simple custom rule that blocks messages that contain social security
numbers.
Task
1

Select Email | Email Policies | Compliance.

In the Default Compliance Settings dialog box, click Yes to enable the policy.

Click Create new rule to open the Rule Creation Wizard.

Type a name for the rule, and click Next.

In the Search field, type social.

Select the Social Security Number dictionary, and click Next twice.

Select the Deny connection (Block) action, and click Finish.

Task Create a complex custom rule


Use this task to create a complex rule that triggers when both Dictionary A and Dictionary B are
detected, except when Dictionary C is also detected.
Task
1

Select Email | Email Policies | Scanning Policies and select Compliance.

In the Default Compliance Settings dialog box, click Yes to enable the policy.

Click Create new rule to open the Rule Creation Wizard.

Type a name for the rule, and click Next.

Select two dictionaries to include in the rule, and click Next.

Select a dictionary that you want to exclude from the rule in the exclusion list.

Select the action that you want to take place if the rule triggers.

From the And conditionally drop-down list, select All, and click Finish.

Task Add a dictionary to a rule


Use this task to add a new dictionary to an existing rule.
Task
1

Select Email | Email Policies | Compliance.

Expand the rule that you want to edit.

Select Add dictionaries.

Select the new dictionary that you want to include, and click OK.

Task Create a rule to monitor or block at a threshold


For score-based dictionaries you might want to monitor triggers that reach a low threshold, and only
block the email when a high threshold is achieved.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

253

Overview of Email menu


Email Policies

Task
1

Select Email | Email Policies | Compliance.

Click Create new rule, type a name for it such as Discontent - Low, and click Next.

Select the Discontent dictionary, and in Threshold, type 20.

Click Next, and Next again.

In If the compliance rule is triggered, accept the default action.

Click Finish.

Repeat steps 2 through 4 to create another new rule but name it Discontent - High and assign it
a threshold of 40.

In If the compliance rule is triggered, select Deny connection (Block).

Click Finish.

10 Click OK and apply the changes.

Task Edit the threshold associated with an existing rule


Use this task to edit the threshold associated with an existing rule.
Before you begin
This task assumes that your rule includes a dictionary which triggers the action based on a
threshold, such as the Compensation and Benefits dictionary.
Task
1

Select Email | Email Policies | Compliance.

Expand the rule that you want to edit, then select the Edit icon next to the dictionary whose score
you want to change.

In dictionary threshold, type the score on which you want the rule to trigger, and click OK.

Task Restrict the score contribution of a dictionary term


Use this task to restrict the score contribution of a dictionary term.
Before you begin
This task assumes that your rule includes a dictionary which triggers the action based on a
threshold score, such as the Compensation and Benefits dictionary.
You can restrict how many times a term can contribute to the overall score.
For example, if testterm within a dictionary has a score of 10 and is seen five times within an email,
it will add 50 to the overall score. Alternatively you can restrict this, for example to contribute only
twice by setting Maximum term count to 2.

254

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Task
1

Select Email | Email Policies | Compliance.

Expand the rule that you want to edit, then click the Edit icon next to the dictionary whose score
you want to change.

In Maximum term count, type the maximum number of times that you want a term to contribute to the
score.

Image Filtering
The Image Filtering scanner analyzes images to determine attributes that indicate the image may be of a
pornographic nature.

Email | Email Policies | Compliance | Image filtering


The Image Filtering feature uses sophisticated, analytical processes that consist of thousands of
algorithms. These include eleven different detection methods to provide enough information to reliably
distinguish between pornographic and non-pornographic images.
The feature use the following techniques:

Converts Image to BGR format

Multi-layer detection algorithms

Advance surface luminosity curvature analysis

Negative Curvature Rejection reduces false positives

Face detection and body part composition analysis

Benefits of image filtering


This information describes the benefits associated with setting up image filtering on the appliance.
Detecting potential pornographic material enables you, as an administrator, to enforce acceptable use
policies around image content leaving and entering your company, and be able to monitor and block
any deliberate or inadvertent infractions of your policy.

Option definitions Image Filtering


This information describes the options available in the Image Filtering policy.
Table 4-96 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

McAfee Email Gateway 7.6.400 Appliances

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

Product Guide

255

Overview of Email menu


Email Policies

Table 4-96 Option definitions Policy exceptions (continued)


Option

Definition

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-97 Option definitions Higher Image Detection Threshold
Option

Definition

Detection threshold

Choose from Highly Suspect, Suspect, and Custom. Set to Highly Suspect by default.
Select Custom to set the Confidence level.

Confidence level

In %, the level of confidence that an image is pornographic against each detection.


Set to 75% by default.

Take the following


action

Provides a main action to take. The options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

256

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-97 Option definitions Higher Image Detection Threshold (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

257

Overview of Email menu


Email Policies

Table 4-97 Option definitions Higher Image Detection Threshold (continued)


Option

Definition
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.

Notification and
annotated email
options

When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.

Table 4-98 Option definitions Lower Image Detection Threshold


Option

Definition

Detection threshold

Choose from Highly Suspect, Suspect, and Custom. Set to Suspect by default.
Select Custom to set the Confidence level %.

Confidence level

In %, the level of confidence that an image is pornographic against each detection.


Set to 50% by default.

Take the following


action

Provides a main action to take. The options are:


Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

258

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-98 Option definitions Lower Image Detection Threshold (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

When clicked, opens another window where you can specify who the appliance will
notify when a threat is detected.

Table 4-99 Option definitions Alert Settings


Option

Definition

If an action results in an alert

Select to specify whether to use the default alert text or not.

Change the default alert text

Click to open the Alert Editor.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

259

Overview of Email menu


Email Policies

Task Block and quarantine highly suspicious images


Use this task to block and quarantine highly suspicious images.
Task
1

Go to Email | Email Policies.

In the Compliance policy section, select Image Filtering.

Click Yes to enable the Image Filtering policy.

In the Higher Image Detection Threshold section, select the Accept and then drop the data (Block) action.

In And also, select Quarantine.

Quarantined messages can be viewed in the Message Search feature (Reports | Message Search), in the Image
Filtering category.

Task Monitor suspicious images and notify an administrator


Use this task to monitor suspicious images and notify an administrator.
Task
1

Go to Email | Email Policies.

In the Compliance policy section, select Image Filtering.

Click Yes to enable the Image Filtering policy.

In the Lower Image Detection threshold section, select the Allow Through (Monitor) action.

In And also, select the Forward modified to... notification email option.
The message is sent to any email lists you have created.
a

To change the email recipients who will receive the forwarded message, click Edit.
The Email Recipients dialog box opens.

b
6

Select the lists that you want to receive the message and click OK.

Click OK to activate the policy.

Signed or encrypted content


Specify how you want McAfee Email Gateway to handle content that is either signed or encrypted, or
signed and encrypted, or in plain text.

Email | Email Policies | Compliance | Signed or encrypted content

Benefits of the Encrypted Content Settings options


Find out more about the type of signed or encrypted content settings, and actions that you can take
when that type of content is detected.
The Encrypted Content Settings options are divided into the following categories:

260

Signed Content

Encrypted Content

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Signed and Encrypted Content

Plaintext Content

For each category, you can choose a primary action to take when that type of content is detected, and
optionally choose a secondary action. Additionally, you can set notification and alert actions too.

Option definitions Signed or encrypted content


Define how you want the encryption settings to work when signed or encrypted content is detected.
Table 4-100 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

261

Overview of Email menu


Email Policies

Table 4-101 Option definitions Signed Content


Option

Definition

When content that is Select the primary action that you want the appliance to take in this circumstance.
signed but not
The available options are:
encrypted is
Deny connection (Block)
detected
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Allow the changes to break the signed email (Monitor)
Do not allow the changes to break the signed email (Monitor)
Replace the content with an alert (Modify)
Reroute to an alternative relay (Reroute)
And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions

262

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-101 Option definitions Signed Content (continued)


Option

Definition
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

Alert Settings

Select to use the default alert, or follow the link to make changes to the alert text.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

263

Overview of Email menu


Email Policies

Table 4-102 Option definitions Encrypted Content link


Option

Definition

When content that is


encrypted but not
signed is detected

Select the primary action that you want the appliance to take in this circumstance.
The available options are:
Deny connection (Block)
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Replace the content with an alert (Modify)
Reroute to an alternative relay (Reroute)
Allow Through (Monitor)

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.

264

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-102 Option definitions Encrypted Content link (continued)


Option

Definition
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

Alert Settings

Select to use the default alert, or follow the link to make changes to the alert text.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

265

Overview of Email menu


Email Policies

Table 4-103 Option definitions Signed and Encrypted Content


Option

Definition

When content that is Select the primary action that you want the appliance to take in this circumstance.
both signed and
The available options are:
encrypted is detected
Deny connection (Block)
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Allow the changes to break the signed email (Monitor)
Do not allow the changes to break the signed email (Monitor)
Replace the content with an alert (Modify)
Reroute to an alternative relay (Reroute)
And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions

266

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-103 Option definitions Signed and Encrypted Content (continued)


Option

Definition
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

Alert Settings

Select to use the default alert, or follow the link to make changes to the alert text.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

267

Overview of Email menu


Email Policies

Table 4-104 Option definitions Plaintext Content


Option

Definition

When content that is


neither signed nor
encrypted is detected

Select the primary action that you want the appliance to take in this circumstance.
The available options are:

And also

Deny connection (Block)

Replace the content with an alert (Modify)

Refuse the data and return an error code


(Block)

Reroute to an alternative relay (Reroute)

Accept and then drop the data (Block)

Allow Through (Monitor)

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.

268

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-104 Option definitions Plaintext Content (continued)


Option

Definition
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

Alert Settings

Select to use the default alert, or follow the link to make changes to the alert text.

Classifying embedded URLs

McAfee Global Threat Intelligence (McAfee GTI)(McAfee GTI) performs lookups on URLs that are
embedded in email messages.

Email | Email Policies | Compliance | URL Reputation


McAfee GTI provides reputation scores to the URL reputation database. Use the reputation scores to
configure actions for suspected security risks. The URL blacklists and whitelists have an impact on the
URL reputation scans.
The URL reputation score has no appreciable effect on the overall score for the message.

Benefits of classifying embedded URLs


Classifying any embedded URLs within email messages sent into your organization helps prevent your
users visiting internet sites that may host malware or other undesirable content.
Email messages can contain links to embedded URLs. Some of these links may be to sites with low
reputation scores. By using your McAfee Email Gateway to classify these URLs, you help protect your
organization from the effects of people following these links.
You can enable URL reputation scanning when you run the Setup Wizard, or you can do it after initial
setup. The URL database is not available until you enable URL reputation scans.
URL scanning appears as a component of the Compliance features on the Email Policies page. The
database appears under System | Component Management | Update Status.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

269

Overview of Email menu


Email Policies

Option definitions - Default URL properties settings


Configure the properties settings to determine how McAfee Email Gateway processes URL reputation
scans.
Table 4-105

URL reputation options

Option

Definition

Enable URL reputation

Select the proper radio button to enable or disable URL scanning.

Table 4-106 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-107

URL reputation options

Option

Definition

Higher URL reputation threshold


Detection threshold

Select threshold level. Options are:


Highly suspect
Suspect
Custom

Confidence level

This field is pre-populated with the proper score to trigger the


higher threshold.

Take the following action

Select the preferred action from the drop down list.

And also

If necessary, select one or more secondary actions from the scrolling


menu.

Notification and annotated email options Click this link to configure default notifications and alerts.
Lower URL reputation threshold
Detection threshold

Select threshold level. Options are:


Highly suspect
Suspect
Custom

270

Confidence level

This field is pre-populated with the proper score to trigger the lower
threshold.

Take the following action

Select the preferred action from the drop down list.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-107

URL reputation options (continued)

Option

Definition

And also

If necessary, select one or more secondary actions from the scrolling


menu.

Notification and annotated email options Click this link to configure default notifications and alerts.
Alert settings
If an action results in an alert

Select the checkbox to generate the default alert.

(change the default alert text)

Click this link to change the text in the default alert.

Task - Configure URL reputation settings


Use this page to set up parameters for detecting embedded URLs and taking action on them.
Before you begin
To detect embedded URLs in messages, enable URL reputation scanning.
Task
1

Navigate to Email | Email Policies.


The Email Policies page opens, showing all currently configured policies and the evaluation order.

Select your protocol from the drop down list.

Under the Compliance column, select the URL reputations link.


The Default URL Reputation Settings page opens.

If URL reputation scanning is not already enabled, click the Yes radio button.

Select the URL Reputation tab.

Configure the Higher URL Threshold.

Select the threshold designation from the drop down list.

Verify the confidence level.

Select the primary action for URLs that trigger the higher threshold.

Select any secondary actions, if required.

Set notification and alert options associated with the higher threshold.

Configure the Lower URL Threshold.


a

Select the threshold designation from the drop down list.

Verify the confidence level.

Select the primary action for URLs that trigger the lower threshold.

Select any secondary actions, if required.

Set notification and alert options associated with the lower threshold.

[Optional] Enable Alert Settings.

Click OK.

The Default URL Reputation Settings page closes, and the URL reputations link shows the primary action.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

271

Overview of Email menu


Email Policies

URL reputation Blacklists and Whitelists


Configuring blacklists and whitelists for URL classification enables you to fine-tune how McAfee Email
Gateway handles different URLs.

Email | Email Policies | Compliance | URL Reputation | Blacklists and Whitelists

Benefits of using URL reputation blacklists and whitelists


The blacklists and whitelists feature provides a method for handling specific URLs. Whitelisting allows
through URLs that would otherwise be blocked by the URL reputation service. Blacklisting blocks URLs
regardless of their reputation scores.
If you know that a particular URL is not trustworthy, add it to the blacklist. When a URL reputation
scan detects this URL, it will take your specified action immediately. On the other hand, if you know
specific URLs that are always trusted, add them to the whitelist. The URL scan will not take action. In
both cases, URL scans execute more efficiently.
Blacklisting takes precedence over whitelisting.

Parts of the URL


A URL consists of a number of characteristic parts.
The following table reflects these sample URLs:

http://user:1234@www.mydomain.com:10443/index.php?id=5678#para1

ftp://user:1234@ftp.domain.com:2021/docs/data.rtf;type=a

Table 4-108 URL format


Part

Format

Example

Parsing string

Scheme

Protocol

http://

Ends at '*://'

ftp://
Credentials

User name and password

user:1234

Starts after '*://'


Ends at "@"

Host

Consists of one of the


following:

www.mydomain.com:
10443

Starts after '*://', '@' or


nothing

Domain name

ftp.domain.com:2021

Ends at '/', '?', '#' or


end of string

index.php

Starts after '*/'

docs/data,rtf

Ends at '?' or '#' or end


of string

type=a

Starts after path, begins


with ';'

IPv4 address
IPv6 address
Square brackets are
required.

Can also include TCP port


Path

Type (only for


FTP URLs)

Transfer type (added to


path)

Ends at end of string

272

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-108 URL format (continued)


Part

Format

Example

Parsing string

Query (not valid


for FTP URLs)

id=5678

Starts after '?'

Anchor (not valid Specifies a location within


for FTP URLs)
the document

para1

Ends at '#' or end of


string
Starts after '#'
Ends at end of string

Using expressions
Global Threat Intelligence tests URLs found in emails against regular expressions to determine if the
URL is allowed or forbidden to enter the system.
Email Gateway permits the user to specify patterns for the individual parts of the URL and then
compile these parts into a regular expression that will match a complete URL. If the user does not
enter a value for a part, the compiled expression matches anything or nothing for that part.
You must enter a value for the Host part. A recognizable URL must have, at a minimum, a host name.

You can specify parts as either simple DOS patterns or as regular expressions.

Simple patterns
Simple patterns allow you to enter much less information than regular expressions, but offer much
less flexibility. You can use simple wildcards:

'?' match single character

'*' match any characters

Certain matches are not possible with simple patterns. For example:

In the Host field, '*' does not match '.' by design. This prevents possible unwanted matches.

The pattern 'www.mcafee.*' matches www.mcafee.com and www.mcafee.fr, but not


www.mcafee.co.uk.

You cannot match alternates, such as port 8080 or 8443.

You cannot match just IPv4 addresses.

Matching patterns like these requires regular expressions.

Regular expressions
The ability to specify the URL parts of interest as regular expressions overcomes any restrictions of
simple patterns:

www\.mcafee\.(?:com|co\.uk)

8080|8443

(?:[12]?\d{1,2}\.){3}[12]?\d{1,2}

On the URL Expression Builder, each text field is a separate regular expression that follows Perl-compatible
regular expression (PCRE) syntax, and is validated as a regular expression. Regular expressions offer
greater flexibility, but they are more complex than simple patterns. You are allowed to enter nothing
for all fields, resulting in a generated regex that matches anything that sufficiently resembles a URL.

You must remember to escape characters that have significant meaning in a regular expression.
These characters are: \.-[]{}()^$|+?*

McAfee Email Gateway 7.6.400 Appliances

Product Guide

273

Overview of Email menu


Email Policies

You must not use positional matches, otherwise known as anchors, in regular repressions.
Examples of anchors are: '^', '$', '\A' and '\z'.
Anyone who wants to use regular expressions in this feature should already be comfortable with regular
expressions, due to their complexity.

If you want to specify a regular expression that matches any number or character, avoid using '.* and
'.+' as the expression. Either of these choices is likely to match more characters than you desire and
will result in less efficient pattern matching. Use one of these combinations to 'match any character'
based on the part you want to specify:

Credentials '[^@]' (match anything apart from '@' )

Host '[^:/\?#]' (match anything apart from ':', '/', '?' and '#')

Path '[^\?#]' (match anything apart from '?' and '#' )

Query string '[^#]' (match anything apart from '#' )

When you use these patterns, the matches stop at the next part of the URL.
The best approach when constructing regular expressions is to use the URL parser tool which is
regex-aware and will do the necessary escaping for you.

Option definitions URL reputation blacklists and whitelists


Blacklists and whitelists enable you to fine-tune the list of URLs that are blocked or allowed by McAfee
Email Gateway.
Table 4-109 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-110

274

Blacklist and whitelist options

Option

Definition

URLs that should always be


blocked

The upper table shows all URLs currently configured to be blacklisted.

Search

Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.

Type

Simple pattern or regular expression

Description

Any descriptive text that identifies the URL.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-110

Blacklist and whitelist options (continued)

Option

Definition

Pattern

The entire regular expression (all fields concatenated).


Simple patterns show '*' for any unspecified parts. Regular expressions show
the entire pattern.

Match Case

Indicates whether the regular expression should evaluate the URL on a


case-sensitive basis.

Edit

Clicking this link opens the URL Expression Builder where you can edit this URL .

Add Simple Pattern

Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.

Add Regular Expression

Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.

Delete Selected Patterns

Click this button to delete any patterns you have checked in this table.

URLs that should always be


allowed

The lower table shows all URLs currently configured to be whitelisted.

Search

Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.

Type

Simple pattern or regular expression

Description

Any descriptive text that identifies the URL.

Pattern

The entire regular expression (all fields concatenated).


Simple patterns show '*' for any unspecified parts. Regular expressions show
the entire pattern.

Match Case

Indicates whether the regular expression should evaluate the URL on a


case-sensitive basis.

Edit

Clicking this link opens the URL Expression Builder where you can edit this URL .

Add Simple Pattern

Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.

Add Regular Expression

Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.

Delete Selected Patterns

Click this button to delete any patterns you have checked in this table.

Task - Configure blacklists and whitelists


Follow this process to configure blacklists and whitelists for embedded URLs.
Before you begin
To use URL blacklisting and whitelisting, enable McAfee Global Threat Intelligence.
Task
1

Navigate to Email | Email Policies.


The Email Policies page opens, showing all currently configured policies and the evaluation order.

Select your protocol from the drop down list.

Under the Compliance column, select the URL reputations link.


The Default URL Reputation Settings page opens.

If URL reputation scanning is not already enabled, click the Yes radio button.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

275

Overview of Email menu


Email Policies

Select the Blacklists and Whitelists tab.


The page displays tables of URLs that should always be blocked, or always be allowed.

To add a URL to either list:


a

Click the Add Simple Pattern button or the Add Regular Expression button.
The URL Expression Builder page appears.

In the data fields, type the required information.

Repeat until you have added all desired URLs.

To delete a URL from either list, select the Delete check box associated with the URL.

[Optional] To parse a URL into its component parts:


a

Click the Parse a URL link on the URL Expression Builder page.
The URL Parser dialog box opens.

Type or paste the URL into the data field, then click OK.

The URL Parser closes, and the component parts of the URL populate the URL Expression Builder.
9

[Optional] To encode or decode a URL:


a

Click the URL encode/decode link on the URL Expression Builder page.
The URL Encode/Decode dialog box opens.

Type or paste a URL fragment into the data field.


Encode only individual path segments and individual terms. Do not encode the entire path or
multiple segments at the same time.

To encode the fragment to its canonical representation (%-encoded sequence), click the Encode
button.
The encoded fragment appears in the data field.

To decode a %-encoded fragment into readable form, click the Decode button.
The decoded fragment appears in the data field.

To convert an improperly or partially encoded sequence into its canonical representation, click
the Canonicalize button.
The canonical representation of the sequence appears in the data field.

Close the dialog box.


You return to the URL Expression Builder.

10 Click OK.
The URL Expression Builder closes, returning you to Default URL Reputation Settings page which shows the
results of your additions, edits, or deletions.
11 Save your changes before you log off.
12 Click OK.

276

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

ClickProtect
The ClickProtect feature in McAfee Email Gateway scans email messages for embedded links to protect
the enterprise and its users from malware and phishing attempts.

Email | Email Policies | Compliance | URL Reputation | ClickProtect


ClickProtect uses URL reputation to perform the initial McAfee Global Threat Intelligence (McAfee GTI)
scan of email messages. This initial scan checks the incoming messages for any URLs, and performs a
URL reputation lookup for each one, providing a numerical reputation score.
If your policies accept the email, the embedded URLs are rewritten to allow further scanning at click
time.
When the user clicks a URL contained within the email message, ClickProtect uses the information in
the rewritten URL to handle the request. The request is forwarded to the cloud-based McAfee Email
Protection service. This service performs the second, real-time malware scan of the remote content to
identify the risk level of the webpage.

The full ClickProtect features require your McAfee Email Gateway to be provisioned to use the
cloud-based McAfee Email Protection service. If hybrid scanning is not configured, ClickProtect can
remove or replace non-whitelisted URLs.
You can configure a preview of the webpage and a summary of its content to be presented to the user.
McAfee Email Gateway does not support the scanning of embedded URLs contained within email
attachments.

Benefits of using ClickProtect


ClickProtect protects against malicious content being added to linked websites between the time an
email is received, and when the user clicks links within it (click time).
This secondary assessment of the linked websites provides greater confidence that the website is safe.
Also, ClickProtect unmasks any obscured URLs, making it easier for your users to identify the actual
website they are about to visit.
ClickProtect allows you to determine the action to take at click-time, based on the categorized threat
level of the URL. By default:

URLs categorized as low-risk load the original website as it appears in the message.

URLs categorized as unverified or medium-risk trigger a warning page where the content of the
website is summarized.

URLs categorized as high-risk are denied with an alert.

You can configure whether users can access web hyperlinks or not.
ClickProtect uses the hybrid scanning feature. Hybrid scanning must be enabled for ClickProtect to
provide real-time malware scanning. However, you do not have to route your email flow to the
cloud-based McAfee Email Protection (Hybrid) service.
Whitelisted URLs bypass ClickProtect. ClickProtect does not protect whitelisted URLs. Whitelist any local
or intranet URLs (including IP address based URLs) to allow users to click them directly.
ClickProtect protects users who access their email accounts and click URLs inside or outside the
corporate network.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

277

Overview of Email menu


Email Policies

Using ClickProtect
This example illustrates a situation where you might use ClickProtect.
Issue On a Friday evening, spammers start a spam campaign, sending email messages containing
links to websites that have a good reputation, and contain no malware. Over the weekend, the
spammers then "infect" the website with malicious content. On their return to work, your users are
presented with links within their email messages pointing to websites now containing malicious
content.
Solution By enabling URL reputation scanning, Email Gateway ensures that when email messages
are received, only URLs that point to websites with a good reputation are allowed. Enabling
ClickProtect ensures that at the time that users click those links (click time), the content of the
website is still safe for your users to visit.

How ClickProtect works


The diagram illustrates the high-level work flow for ClickProtect.

Figure 4-4 ClickProtect flow

Step Description

278

A sender directs an email message that contains a web link toward an internal user.

MEG initiates a McAfee Global Threat Intelligence (McAfee GTI) scan to check the link for any
threats.

McAfee GTI returns the scan results.

If the message has an acceptable URL reputation score, ClickProtect rewrites the URL and
delivers the message.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Step Description
5

When the user clicks the link, ClickProtect initiates a cloud-based McAfee Email Protection
(Hybrid) service scan to ensure that no threats have been added.

McAfee Email Protection (Hybrid) service returns the scan results.


If a threat appears, ClickProtect notifies the user and, if so configured, presents a safe view of
the webpage. The user determines if the real webpage is the one expected.

Option definitions - ClickProtect


Use these options to determine how ClickProtect functions.

Option definitions ClickProtect options


If McAfee Email Protection (Hybrid) is not enabled from within Email | Hybrid Configuration, only the
ClickProtect URL Replacement Actions are available on this page.

.
Option

Definition

Enable ClickProtect

Selecting this option enables the ClickProtect service.


To enable the full ClickProtect service, the McAfee Email Protection (Hybrid)
service must be enabled and configured.

Take the following


actions when a user
clicks on

From the drop-down list for each URL risk level, select the appropriate action:
Risk levels:
A high risk URL Specifies a URL that exhibits detrimental behavior. For
example, the site is known to host malware. By default, ClickProtect denies
the message and sends an alert.
A medium risk URL Specifies a URL that exhibits questionable behavior that
might be detrimental to the user. By default, ClickProtect issues a warning.
An unverified URL Specifies a URL for which no reputation information has
been calculated. By default, ClickProtect issues a warning.
A low risk URL Specifies a URL that exhibits appropriate behavior or that is
verified as trusted. By default, ClickProtect re-writes the URL, and, at click
time, McAfee Email Protection (Hybrid) redirects the user to the original
website.
Actions:
Deny Denies the connection.
Warn Warns the user about risks.
Allow Allows the connection.

When the action is


Selecting the checkbox causes the system to send a preview of the potentially
"Warn", display a preview risky page to the user with the warning.
of the page the user is
attempting to visit

McAfee Email Gateway 7.6.400 Appliances

Product Guide

279

Overview of Email menu


Email Policies

Option definitions ClickProtect URL Replacement Actions


Option

Definition

HTML
message
actions

Select the actions to take when McAfee Email Gateway detects a URL within an
HTML-based message.
Clickable URLs URLs that include the information allowing users to click the link and be
taken to the linked website.
Visible URLs any text that is formatted to look like a URL, but that does not contain
hypertext information.
Actions:
Leave original URL do not make any changes to the way that clickable URLs are
displayed.
Use the ClickProtect URL replace the original URL with the URL that includes the click
protected information.
If McAfee Email Gateway is not provisioned to use the cloud-based McAfee Email
Protection (Hybrid) service, you cannot select this option.

Remove the URL remove the URL without substituting any text.
Replace with custom text remove the URL and substitute it with the text defined in the
text box to the right.
Plain text
message
actions

Select the action to take when McAfee Email Gateway detects a URL within a plain text
message.
Actions:
Leave original URL do not make any changes to the way that visible URLs are displayed.
Use the ClickProtect URL replace the original URL with the URL that includes the click
protected information.
If McAfee Email Gateway is not provisioned to use the cloud-based McAfee Email
Protection (Hybrid) service, you cannot select this option.

Remove the URL remove the URL without substituting any text.
Replace with custom text remove the URL and substitute it with the text defined in the
text box to the right.

Option definitions ClickProtect Actions


Option

Definition

If URL rewriting is not


possible

From the scrolling list, specify the primary action to take.


ClickProtect rewrites detected URLs to redirect them to ClickProtect when the
user clicks them. The system cannot rewrite URLs contained in TNEF-format
emails.
Transport Neutral Encapsulation Format (TNEF) is a proprietary Rich Text email
attachment format used by Microsoft Outlook and Microsoft Exchange. Most
email clients cannot decipher TNEF blocks.

And also

From the scrolling list, specify the secondary action to take.

If an action results in an
alert

Select the checkbox to enable the default alert.


Click the link to create or change the text for the default alert.

280

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Task - Configure ClickProtect


Set up ClickProtect by following this process.
Before you begin
Before you configure ClickProtect, enable Hybrid processing from within Email | Hybrid
Configuration.
Task
1

Select Email | Email Policies | Compliance | URL Reputation.


The Default URL Reputation Settings page opens.

Enable URL reputation.


The other tabs on the page become available.

Click the ClickProtect tab.

Enable ClickProtect.

Under ClickProtect Options, set options for each threat level.

Enable the preview page option, if wanted.

Under ClickProtect URL Replacement Actions, set options for replacement of URLs.
Some of these options can be configured without requiring McAfee Email Protection (Hybrid) to be
enabled.

Under ClickProtect Actions, select the action to take if URL rewriting is not possible.

Under And also, configure secondary actions.

10 Enable or disable Use the default alert, as required.


11 Click OK.

Option definitions URL Count


The URL Count page enables you to fine-tune the way email messages containing large numbers of
URLs are handled by McAfee Email Gateway.
Table 4-111 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

McAfee Email Gateway 7.6.400 Appliances

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

Product Guide

281

Overview of Email menu


Email Policies

Table 4-111 Option definitions Policy exceptions (continued)


Option

Definition

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-112 Option definitions URL Count
Option

Definition

Maximum number of URLs per email

Typing a number in the text field sets the maximum number of URLs
in one email. If the URLs exceed the number, the system takes the
configured action.

If this threshold is exceeded

The scrolling list allows selection of the proper primary action

And also

The list allows selection of secondary actions.

Notification and annotated email options This link opens the Default Notification and Routing Settings page.
If an action results in an alert

Selecting the check box enables use of the default text. Clicking the
associated link permits editing the default text.

Option definitions - URL Expression Builder


Use this page to add a URL by entering either a simple DOS pattern or a regular expression. Specify
only the parts you want to match.
Table 4-113

URL expression options

Option

Description

Description

Text that helps to define or identify the URL (optional)

Scheme

Protocol

Credentials

User name and password

Host

Consists of one of the following:


Domain name
IPv4 address
IPv6 address
Square brackets are required.

Port

TCP port

Path
Query string

Supplies parameters to the server. Not relevant for FTP URLs.

Named anchor

Specifies a location within the document. Not relevant for FTP URLs.

Match the credentials, path, query Selecting the check box causes McAfee GTI to match the URL
string and named anchor
case-sensitively.
case-sensitively.
If you leave this unchecked, whatever you type in the text fields is
converted to lower case when you click OK.

Compiled regular expression

282

This dynamic table shows the regular expression you create as you enter
one or more parts.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-113

URL expression options (continued)

Option

Description

Test a URL

Data field where you can type or paste a URL to test it against the
regular expression. Icons indicate whether the URL matches or not.

Tools: Parse a URL

Link opens an additional dialog box where you can paste or type a URL
and have it parsed into its component parts. If you click OK in this dialog,
the URL will populate the fields in the URL Expression Builder.
The URL is not validated.

Parsing URLs
The URL Expression Builder includes a link that allows you to parse a URL into its component parts.
The parsed URL populates the appropriate fields on the page.

URL normalization
Certain characters, such as /', ? and #, serve as delimiters in the URL. Other characters, such as
control codes, are not printable. These characters must be escaped by encoding them as % followed
by their hexadecimal ASCII value when they are used in the Credentials, Path, or Query string, or in the
named Anchor field. For example, = must be represented by %3B so it will not be misinterpreted as a
key-value separator in the Query string.
The ASCII characters A-Z, a-z, 0-9 and -._~ never need to be escaped. Characters outside the ASCII
range must be represented by the %-encoding of their UTF-8 byte values. For example, a character
is encoded as %E2%82%AC.
Attackers can manipulate the %-encoding rules to obfuscate the URL. Manipulations include:

Escaping characters that do not need to be escaped to make part of the URL unreadable to
humans. An example of this would be the sequence %2E%2E%2F/ in the path.

Not escaping characters that should be escaped. For example, the glyph for the Unicode character
U+2215, DIVISION SLASH, looks identical to an ASCII / character. If used in un-escaped form in
the path, it would look indistinguishable from a regular path separator. This is called a homograph
attack.

To overcome any issues from ambiguous representation, URLs found in emails are normalized by
decoding the individual parts and reapplying the %-encoding so that it is in strict compliance with the
encoding rules in RFC 3986, Uniform Resource Identifier (URI): Generic Syntax. The path is further
normalized so that . (current directory) and .. (directory above the current directory) sequences are
removed. For example /a/b/../c is normalized to the equivalent /a/c.

Address normalization
Instead of a domain name in the host field, a URL may contain an IP address.
An IPv4 address may be represented in many different ways, all of which offer an attacker
opportunities to obscure the host that a URL points to. As well as the familiar a.b.c.d format where a,
b, c and d represent base-10 numbers in the range 0-255, an IPv4 address may be represented by 1
to 4 numbers, each of which may be represented using base 10, octal (base 8) and hexadecimal (base
16). For example, it is not at all obvious that the following URLs point to the same resource:

McAfee Email Gateway 7.6.400 Appliances

Product Guide

283

Overview of Email menu


Email Policies

http://7763631671/

http://235396898359/

http://206.057717067/

When testing URLs found in emails, all variant representations of IPv4 addresses are normalized to the
a.b.c.d format.
IPv6 addresses have stricter rules for representation within a URL. However, the same address can
vary in its representation depending on how empty quads are displayed and how many leading zeroes
are used. Therefore, IPv6 addresses are normalized to their most compact form with hexadecimal
values in uppercase. For example, http://[2001:ea75:0000:0:00:000:0:0001]/ is normalized to
http://[2001:EA75::1]/.

International Domain Names (IDNs)


Some domain registrars allow Unicode characters in domain names that are registered with them.
These domain names are presented to humans in human-readable form but must be encoded into
ASCII form when, for example, they are resolved through DNS. The domain name normalization rules
and ASCII-encoding algorithm are specified in RFC 3490, Internationalizing Domain Names in
Applications (IDNA). An example of an IDN is mxico.icom.museum and its ASCII-encoding is xn-mxico-bsa.icom.museum. The xn-- ACE (ASCII Compatible Encoding) label denotes an encoded IDN.
When an IDN in its encoded form is encountered, it is decoded to its human-readable, Unicode form.
This decoding may fail if the encoded URL fails a TLD check. Top Level Domain (TLD) registrars who
accept IDNs limit the Unicode characters that they will allow. For example, the .no (Norway) TLD will
only allow Unicode characters that are part of the Norwegian alphabet. If the decoding fails, the
domain name is left in its encoded form with a warning message stating why the decoding failed.
If an IDN is encountered in its Unicode form, it is normalized. Without normalization, IDNs are subject
to homograph attacks. For example, if the URL http://www..gr were blacklisted, an attacker
might try to circumvent this by replacing (U+03BC, GREEK SMALL LETTER MU) with (U+00B5,
MICRO SIGN). According to IDN rules these domain names are identical and encode to the same
ASCII form: www.xn--hxakkrmio1b.gr. However, a simple string match would not detect that the URLs
were identical. Therefore, Unicode names are normalized by applying the RFC 3490 Nameprep
algorithm which disambiguates visually identical string values.

URL encoding and decoding


Because URLs are canonicalized before they are checked against the blacklists and whitelists, it may
be unclear what you should use to match a given value.
The URL encode/decode tool provides a text field that you can paste a string into and either encode it
to give its canonical representation or decode it so that you can see what a %-encoded sequence
actually matches. Clicking Canonicalize will turn an improperly or partially encoded sequence into its
canonical representation.
Keep the following information in mind when you use the encode/decode tool:

284

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

The encoded sequences %00 - %1F and %7F are control characters any may render unpredictably
when decoded. Two-byte sequences starting with %C2 followed by %80 - %A0 are also control
characters.

Do not use the URL encode tool to encode, for example, the entire path. This will result in a
non-canonical encoding. Encoding a/b will result in the string a%2Fb which will no longer match
a/b in the path. Only encode individual path segments and individual terms (the keys and values
in key-value pairs) in the Query string.

Option definitions Create new rule (DLP Categories)


This information describes the options available on this dialog box.
Option

Definition

Name

The name of the DLP category.

Documents

Any documents associated with that category.

Option definitions Create new rule


This information describes the options available on this dialog box.
Option

Definition

Name

The name of the DLP categories available

Documents

The number of documents contained in the category

Option definitions Create document exclusion


This information describes the options available on this dialog box.
Option

Definition

Search

Search by name for documents that you want to exclude from the policy.

Name

The name of the document.

Size

The size of the document.

Trained on

The date on which the document was trained.

Option definitions New Rule dialog box


Use these options to create a new rule.

Option definitions Category Filtering tab


Option

Definition

Rule name

Type the name of the rule.

Continue scanning if rule


triggers

With most Email Gateway rules, scanning stops and the configured actions are
taken if the rule triggers. Select this option to take the configured actions, but
to continue the scan when the rule triggers.
Select this option when using file filtering to define the files sent to Advanced
Threat Defense and when using file filtering for other purposes, such as Image
filtering.

Enable file category


filtering

Select to open the list of file categories and subcategories.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

285

Overview of Email menu


Email Policies

Option

Definition

Take action when the file


category is

File categories Select the file categories to which you want the rule to apply.
Categories include:
Advanced Threat Defense - Supported
formats

Archive/Compressed files

Common document formats

E-Mail messages

Documents

HTML content

Databases

UUE and BASE64 encoded files

Spreadsheets

McAfee virus definition file

Multimedia

Other specific formats

Graphics/Presentation

General text formats

Subcategories By default, selecting a file category selects all subcategories


within it.
The Clear selections link resets the list of selected subcategories to none.
Extend this rule to
unrecognized file
categories

Select this option to enable this rule to be used for file categories that are
unrecognized.

Table 4-114 Files within some of the file type subcategories


Category Subcategory Types of file in the subcategory
Multimedia

MP3

MPEG Layer3 ID3 v1.x


MPEG Layer3 ID3 v2.x
MPEG-1 audio - Layer 3

MPEG

MPEG-1 audio - Layer 1

MPEG-1 video

MPEG-1 audio - Layer 2

MPEG-2 video

MPEG-2 audio - Layer 1

MPEG-4 file

MPEG-2 audio - Layer 2

MPEG-7 file

MPEG-2 audio - Layer 3


Windows Sound

Windows Sound (WAV file)


Windows Media Audio (WMA file)

Windows Video

Windows Video (AVI file)


Windows Media Video (WMV file)
Microsoft Digital Video Recording (DVR file)

Option definitions Name Filtering tab

286

Option

Definition

Enable file name filtering

Enable filtering based on the name of the file.

Take action when the file name matches

Add the file name to match against when filtering.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option definitions Protected File Filtering tab


Option

Definition

Enable protected file filtering

Enable filtering based on the protected status of the file.

Take action when the file is:

Select either:
Protected
Unprotected

Option definitions Size Filtering tab


Option

Definition

Enable file size filtering

Enable filtering based on the size of the file.

Take action when the file size is Select to take the configured actions when a file is either less than or
greater than the configured file size.

Option definitions Actions


This information describes the options available on this dialog box.
Option

Definition

If the file filtering rule is


triggered

Select the primary action to take when the rule triggers. Choose from:
Deny connection (Block)
Refuse the data and return an error code (Block)
Replace the content with an alert (Modify)
Allow Through (Monitor)

And also

Select the secondary actions to take when the rule triggers on the original
message, and set notification and ecryption options as necessary.

Notification and annotated


email options

When clicked, takes you to the Default Notification and Routing Settings
(SMTP) set of options.

Rule Creation Wizard


Use this wizard to set the dictionaries that you want the rule to use, and the actions that you want the
appliance to take when the rule triggers.

Option definitions Customize the name for this rule


This information describes the options available on this page of the wizard.
Option

Definition

Rule name

Type the name of the rule that you want to create.

Option definitions Dictionaries to include


This information describes the options available on this page of the wizard.
Option

Definition

Search

Search the list of dictionaries for the ones that you want to include in the rule.

Name

Displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and
Dictionaries | Compliance Dictionaries).

McAfee Email Gateway 7.6.400 Appliances

Product Guide

287

Overview of Email menu


Email Policies

Option

Definition

Threshold

Displays the threshold that will trigger a score-based dictionary. To enable score-based
detection for a dictionary, go to Email | DLP and Dictionaries | Compliance Dictionaries.

Max Term Count Displays the maximum number of times that terms in that dictionary can contribute
towards a threshold score.

Option definitions Dictionaries to be excluded


This information describes the options available on this page of the wizard.
Option

Definition

Search

Search the list of dictionaries for the ones that you want to exclude from the rule

Name

Displays the dictionary name as it appears in the Compliance Dictionaries list (Email | DLP and
Dictionaries | Compliance Dictionaries).

Threshold

Displays the threshold that will trigger a score-based dictionary. To enable score-based
detection for a dictionary, go to Email | DLP and Dictionaries | Compliance Dictionaries.

Max Term Count Displays the maximum number of times that terms in that dictionary can contribute
towards a threshold score.

Option definitions If the compliance rule is triggered


This information describes the options available on this page of the wizard.
Option

Definition

If the compliance rule is


triggered

Select the primary type of action from the drop-down list that you want the
appliance to take when it triggers a compliance detection.

And also

Optionally, select secondary actions that can be applied to the detection, such
as quarantining the original or modified message, notifying the sender, and
sending the message to other people. The options displayed differ according to
the primary action that you select.

Notification and annotated


email options

Opens the Default Notification and Routing Settings pages. See Email | Email Policies |
Policy Options | Notifications and routing.

And conditionally

Specify whether you want the actions to take place when Any or All of the
dictionaries in the rule trigger a match.

Rule Creation Wizard


Use the wizard to create a new compliance rule based on settings from an existing rule, and the
actions that you want the appliance to take when the rule triggers.

Option definitions Select a predefined rule to configure


This information describes the options available on this page of the wizard.
Option

Definition

Select a predefined rule to


configure

Expand the rule that contains the settings on which to base the new rule.

Search

Search the list of dictionaries for the rule on which you want to base your
new rule.

Option definitions Customize the name for this rule


This information describes the options available on this page of the wizard.

288

Option

Definition

Rule name

Edit the name of the rule.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option definitions If the compliance rule is triggered


This information describes the options available on this page of the wizard.
Option

Definition

If the compliance rule is


triggered

Select the primary type of action from the drop-down list that you want the
appliance to take when it triggers a compliance detection.

And also

Optionally, select secondary actions that can be applied to the detection, such
as quarantining the original or modified message, notifying the sender, and
sending the message to other people. The options displayed differ according to
the primary action that you select.

Notification and annotated Opens the Default Notification and Routing Settings pages. See Email | Email Policies |
email options
Policy Options | Notifications and routing | Routing.
Specify whether you want the actions to take place when Any or All of the
dictionaries in the rule trigger a match.

And conditionally

Policy Options settings


Use the Policy Options settings to configure scanning limits and how to handle corrupt or unreadable
content, and specify alert settings.

Email | Email Policies | Policy Options

Scanner Limits
Use this page to set limits on scanning to prevent attacks and other performance issues.

Email | Email Policies | Policy Options | Scanning limits


The default policy values are normally suitable, but you might need another policy to allow the
occasional transfer of large, deeply nested files, or to investigate possible attacks.
Table 4-115 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

289

Overview of Email menu


Email Policies

Table 4-116 Option definitions Maximum file size


Option

Definition

If expanded file size


exceeds

Specifies the limit. The default value is: File size 500MB

(menu)

Provides a main action to take. The available options are:


Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

290

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-116 Option definitions Maximum file size (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

291

Overview of Email menu


Email Policies

Table 4-116 Option definitions Maximum file size (continued)


Option

Definition

When triggered, adds a header without removing any pre-existing


headers.
When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If a denial of service
action results in an
alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Table 4-117 Option definitions Maximum nesting depth


Option

Definition

If nesting depth
exceeds

Specifies the limit. The default value is:

(menu)

Provides a main action to take. The available options are:

Nesting depth 100

Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

292

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-117 Option definitions Maximum nesting depth (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

293

Overview of Email menu


Email Policies

Table 4-117 Option definitions Maximum nesting depth (continued)


Option

Definition

When triggered, adds a header without removing any pre-existing


headers.
When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If a denial of service
action results in an
alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Table 4-118 Option definitions Maximum scan time


Option

Definition

If the scan time


exceeds

Specifies the limit. The default value is:

(menu)

Provides a main action to take. The available options are:

Scanning time 8 minutes

Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

294

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-118 Option definitions Maximum scan time (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to the
intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

295

Overview of Email menu


Email Policies

Table 4-118 Option definitions Maximum scan time (continued)


Option

Definition

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If a denial of service
action results in an
alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Alert settings
Use this page to control the format and appearance of the alert message that users receive when the
appliance detects a threat.

Email | Email Policies | Scanning Policies [Scanner Options] -- Alert settings

Benefits of configuring Alert Settings


Understand the benefits of configuring the alert settings.
The Alert Settings page enables you to configure extra text (a header and footer), which appears around
the alert text. For example, you can include your companys name or logo, a legal statement, or
contact information. You might need several alert settings for different groups in your network.

Option definitions Alert Settings


Understand the options presented on the Alert Settings page.
Table 4-119 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

296

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition

Alert format

Provides a choice of formats.

Header text

Specifies the text for the top of each alert message.

Show

Shows the header text as HTML source (showing tags such as <p>) or as users see
the text (WYSIWYG). This option is not applicable for text alerts.

Footer text

Specifies the text for the bottom of each alert message.

Show

Shows the footer text as HTML source (showing tags such as <p>) or as users see
the text (WYSIWYG). This option is not applicable for text alerts.

Restore Defaults

When clicked, displays the original text of the alert.

Character encoding Offers a choice of encoding for the alert text.


Numeric character references enables the use of special characters for alerts in HTML
format.
Big 5 to UTF-8 provides character encoding for plain texts.
Default value is Numeric character references.
Alert filename

Specifies the name of the file that contains the alert. Default value is warning.htm or
warning.txt.

Option definitions Alert Editor


This information describes the options available in each policy's Alert Editor to create and view the
policy's alert notification message.
Option

Definition

Style / Font / Size Select the paragraph style, size, and font that you want to apply to the text.
Tokens

Select the token variables that you want to appear in the message, such as the name
of the attachment and the policy that it infringed.

Show

Choose how you want to view the notification text in the Alert Editor.

Use Default

Select to have the notification appear in the default format.

Content Handling Settings Email Options Basic Options


Use this page to specify some basic settings when handling email.

Email | Email Policies | Policy Options | Content handling | Email Options | Basic Options
To cater for the needs of various departments, you might need several policies, each with its own
disclaimer. Alternatively, you can configure policy exceptions, to reduce the total number of policies
you need to maintain.
Table 4-120 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

297

Overview of Email menu


Email Policies

Table 4-120 Option definitions Policy exceptions (continued)


Option

Definition
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-121 Option definitions Content Handling Settings Email Options Basic
Options
Option

Definition

Add a prefix to the subject of


modified emails

Specifies a prefix that the appliance adds to the subject line after a major
modification to the message, for example when an alert message replaces
an infected item.
If this prefix is added to the subject line, it precedes other prefixes such as
those that indicate spam or phish detections. If you add a disclaimer to a
message, its subject line is not affected.

Enable the use of disclaimers

When selected, adds extra text to each email message.


The appliance cannot add a disclaimer to an email message that contains
unsupported character sets, such as the Hebrew character set,
ISO-8859-8-I.

Disclaimer text

Specifies the text, which can be a legal disclaimer, or an advertisement, or


general information such as addresses and telephone numbers.
For the HTML disclaimer to appear in an email, the email must be received
in HTML format.
If you refer to an image (using <img>), the recipient will see the image
only if it is publicly available. In other words, the image must be accessible
via the Internet, with a full path such as http://www.example.com/abc.gif.

Placement

Offers a choice of location for the attachment text.

When re-encoding
attachments

Offers a choice of re-encoding if the message was cleaned.

When re-encoding modified


subject lines

Offers a choice of re-encoding.

If there's an error re-encoding Offers a choice of re-encoding.


a modified subject line

Content Handling Settings Email Options Advanced Options


Use this page to specify advanced settings for handling email.

Email | Email Policies | Policy Options | Content handling | Email Options | Advanced Options
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.

298

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-122 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-123 Option definitions Content Handling Settings Email Options Advanced
Options
Option

Definition

Preferred transfer encoding for text

Offers a choice of encoding:


8-bit - for SMTP servers that support the transport SMTP extension,
8BITMIME.
Base64 for non-text data and for messages that do not have
much ASCII text.
Quoted-printable for messages that contain mainly ASCII
characters and also some byte values outside that range.

But do not encode if the text is already When selected, prevents encoding of 7-bit data.
7-bit
Default decode character set

Offers a set to use if one is not specified in the MIME headers. To


specify further sets, see the Character Sets tab.

Maximum number of MIME parts

Specifies a maximum, which can help prevent denial-of-service


attacks.
Default value is 10000.

Treat corrupt message headers the


same as corrupt content

If selected, the email message is handled according to the action that


the policy applies to any corrupt content.

Treat NULL characters in message


headers the same as corrupt content

When selected, acts on NULL characters.

Remove any Received-From headers


to obscure..

Select this to obscure any network information displayed in the


Received headers. The Last Received header, added by your
appliance, is not removed.
Enabling Header Stripping prevents emails being blocked due to the
Maximum number of hops, as the Received headers are used to find the
number of hops the email message has taken.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

299

Overview of Email menu


Email Policies

Content Handling Settings Email Options Missing/Empty Headers


Use this page to specify how the appliance handles an email message that has empty or missing
headers.

Email | Email Policies | Policy Options | Content handling | Email Options | Missing / Empty Headers
In spam and spoofed email, headers are sometimes altered to hide the identity of the sender.
Table 4-124 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-125 Option definitions Content Handling Settings Email Options Missing/
Empty Headers
Option

Definition

Take action under the


following circumstances

Never Select this option if you do not need the feature.


When one or more email headers have no value Select this option to detect any
suspicious headers.
When one or more of the following headers are missing or empty Select this option to
specify the headers, such as From, Sender, and Reply-to. For a full list of
headers, see RFC 2822.

Action

Provides a main action to take. The available options are:


Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

300

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-125 Option definitions Content Handling Settings Email Options Missing/
Empty Headers (continued)
Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to
all addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to
all the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender
of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

McAfee Email Gateway 7.6.400 Appliances

Product Guide

301

Overview of Email menu


Email Policies

Table 4-125 Option definitions Content Handling Settings Email Options Missing/
Empty Headers (continued)
Option

Definition
the intended recipients. Click Manage templates to change the way the subject is
re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email options

Follow the link to configure the options for notification messages and annotated
email messages.

If either of the above


actions results in an alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Content Handling Settings Email Options Text and binary MIME types
Use this page to specify special MIME types as text or binary to improve the efficiency of the scanning.

Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types
The appliance handles common MIME types. You need only specify any new or unusual MIME types
here.
Table 4-126 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

302

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-127 Option definitions Content Handling Settings Email Options Text and
binary MIME types
Option

Definition

Treat the following MIME types as text attachments

Allows you to build a list of text MIME types.

Treat the following MIME types as binary attachments

Allows you to build a list of binary MIME types.

About MIME formats


Multipurpose Internet Mail Extensions (MIME) is a communications standard that enables the transfer
of non-ASCII formats over protocols, like SMTP, that support only 7-bit ASCII characters.

Email | Email Policies | Policy Options | Content handling | Email Options | Text and binary MIME types
Examples of non-ASCII formats, include:

8-bit audio

Video files

Character sets of many non-English languages

MIME defines different ways of encoding the non-ASCII formats so that they can be represented using
characters in the 7-bit ASCII character set.
MIME also defines extra email headers that contain further information:

Version of MIME used.

Type of content in the MIME message.

Type of encoding method used.

Content part identifier for multi-part MIME messages.

The resulting MIME message can be "decoded" or "re-encoded" after transmission. We say
"re-encoded", because the MIME messages can be converted into a different character set from the
original message.

Content Handling Settings Email Options Character sets


Use this page to specify one or more alternative character sets to try if you have problems decoding
email messages in the given character set.

Email | Email Policies | Policy Options | Content handling | Email Options | Character sets
You can select a fixed mapping (always use the alternative character set) or a list of alternatives to be
used only if decoding fails.
Table 4-128 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

303

Overview of Email menu


Email Policies

Table 4-128 Option definitions Policy exceptions (continued)


Option

Definition

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-129 Option definitions Email Options Character sets
Option

Definition

Character sets

Specifies the original character set in the email message.

Fixed

If selected, you can choose one alternative character set.


If deselected, provides any number of choices.
To select several items, use Ctrl-click, or click and Shift-click.
Specifies the alternative character encodings.

Alternatives

Content Handling Settings HTML Options


Use this page to specify how the appliance handles certain elements and components embedded in
HTML data.

Email | Email Policies | Policy Options | Content handling | HTML Options


Table 4-130 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

304

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-131 Option definitions HTML Options


Option

Definition

Script elements to ActiveX components When selected, the item is removed.


Flash objects are ActiveX objects, so you can choose to keep them.
Comments to Raw HTML

When selected, the items are scanned for inappropriate content.

Content Handling Settings Corrupt or Unreadable Content Corrupt


content
Use this page to specify how to handle corrupt content.

Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Corrupt content
Scanners and other applications can have difficulty reading corrupt content. You can specify the action
to take when the appliance detects corrupt content in:

Email messages

Archives

Documents

Table 4-132 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

305

Overview of Email menu


Email Policies

Option

Definition

If corrupt content is
detected

Provides a main action to take. The available options are:


Deny connection (Block)

Replace all attachments with an alert (Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

306

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option

Definition

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If either of the above


actions results in an
alert

Select to use the default alert, or follow the link to make changes to the alert text.

Content Handling Settings Corrupt or Unreadable Content Protected


files
Use this page to specify what action to take against files that are protected in some way.

Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Protected files
You can specify the action to take when the appliance is unable to scan into an email attachment
(either archive or document) or a file that is being requested from a website, because it has been
password protected. If the content is protected by password, the appliance cannot examine the
contents because they are encrypted.
If you choose to allow such files into your network, you must ensure that their contents can be
scanned later for any threats by an on-access scanner.
Table 4-133 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

307

Overview of Email menu


Email Policies

Table 4-134 Option definitions


Option

Definition

If a read protected document Provides a main action to take. The available options are:
is detected
Deny connection (Block)
Replace all attachments with an alert
(Modify)
Refuse the data and return an error code
(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


The action associated with read protected documents will only trigger when
compliance scanning is enabled, and the contents of the document can not be
extracted.

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to
the sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to
all addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to
all the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the
sender of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the
auditing email list.
Deliver the modified email to the sender Deliver the email message to the
sender, with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

308

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-134 Option definitions (continued)


Option

Definition
the intended recipients. Click Manage templates to change the way the subject
is re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Notification and annotated


email options

Follow the link to configure the options for notification messages and
annotated email messages.

If an action results in an
alert

Select to use the default alert, or follow the link to make changes to the alert
text.

If a password-protected
archive file is detected

Provides a main action to take. The available options are:


Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

Reroute to an alternative relay (Reroute)

McAfee Email Gateway 7.6.400 Appliances

Product Guide

309

Overview of Email menu


Email Policies

Table 4-134 Option definitions (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the
Quarantine database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue
into which the email message is placed. This selection can include custom
quarantine queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to
the sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to
all addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to
all the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the
sender of the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the
auditing email list.
Deliver the modified email to the sender Deliver the email message to the
sender, with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also
include any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email
message using user-definable templates, and then delivers the message to

310

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-134 Option definitions (continued)


Option

Definition
the intended recipients. Click Manage templates to change the way the subject
is re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the
intended recipients. You can select multiple header modification templates.
Click Manage templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of


the same name.

When triggered, adds a header without removing any pre-existing


headers.

When triggered, removes any pre-existing headers of the same name.

Notification and annotated


email options

Follow the link to configure the options for notification messages and
annotated email messages.

If an action results in an
alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Content Handling Settings Corrupt or Unreadable Content Partial/


external messages
Use this page to specify the action to take against two types of message that can be difficult to scan.

Email | Email Policies | Scanning Policies | Scanner Options | Content Handling | Corrupt or Unreadable Content

A partial message. If a message has been divided into smaller parts for sending as several separate
email messages, each part is called a partial message.

An external-body message. The message contains a reference to an external resource and the
scheme (usually FTP) that retrieves that resource.

Table 4-135 Option definitions Policy exceptions


Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

McAfee Email Gateway 7.6.400 Appliances

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

Product Guide

311

Overview of Email menu


Email Policies

Table 4-135 Option definitions Policy exceptions (continued)


Option
Edit exception properties

Definition
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

312

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-136 Option definitions


Option

Definition

If a message/partial
type is encountered

Provides a main action to take. The available options are:


Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

313

Overview of Email menu


Email Policies

Table 4-136 Option definitions (continued)


Option

Definition
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If a message/
external-body type is
encountered

Provides a main action to take. The available options are:


Deny connection (Block)

Replace all attachments with an alert


(Modify)

Refuse the data and return an error code


(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)

314

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-136 Option definitions (continued)


Option

Definition

And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

315

Overview of Email menu


Email Policies

Table 4-136 Option definitions (continued)


Option

Definition

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If either of the above


actions results in an
alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Content handling Corrupt or Unreadable Content Unscannable Content


Use this page to specify what action to take against files that cannot be scanned.

Email | Email Policies | Policy Options | Content handling | Corrupt or Unreadable Content | Unscannable Content
You can specify the action to take when the appliance finds a file that is unscannable.
Table 4-137 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

Move

Edit exception properties

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

316

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-138 Option definitions


Option

Definition

If unscannable content Provides a main action to take. The available options are:
is detected
Deny connection (Block)
Replace the content with an alert (Modify)
Refuse the data and return an error code
(Block)

Allow Through (Monitor)

Accept and then drop the data (Block)


And also

Specify the secondary actions to take.


Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the
Quarantine database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all
the recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing
email list.
Deliver the modified email to the sender Deliver the email message to the sender,
with modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include
any custom notification templates that you create.

Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers
using user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

317

Overview of Email menu


Email Policies

Table 4-138 Option definitions (continued)


Option

Definition
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Notification and
annotated email
options

Follow the link to configure the options for notification messages and annotated
email messages.

If the action results in


an alert

Select to use the default alert, or follow the link to make changes to the alert
text.

Policy-based actions
Policy-based actions execute when an email message matches a configured policy, without needing a
scan to trigger the selected action.
Contents
Benefits of fine-tuning scanning with policy-based actions
Option definitions Policy based actions
Scenario - Configure Policy based actions
Applying policy exceptions to Policy based actions
Task - Add an exception to a policy based action

Benefits of fine-tuning scanning with policy-based actions


A policy is a group of settings that tell the appliance how to scan or process an email. Policy-based
actions provide increased flexibility for administrators when applying policies. You can use
policy-based actions for such things as applying policies to messages that would not trigger an action,
or turning off all scanners for specific messages.
Policy-based actions enable you, for example, to apply policies to messages that would not trigger a
scanner action. For example, you could rewrite the subjects of all messages to a particular recipient or
group. The messages might not require any other action.

Option definitions Policy based actions


Use these options to configure the default actions triggered by specific policies.
Table 4-139 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

318

Move

When you have two or more policy exceptions, you can change the
priority in which they are used by using the
and
buttons. The
exception at the top of the list is given the highest priority.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-139 Option definitions Policy exceptions (continued)


Option
Edit exception properties

Definition
Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception

McAfee Email Gateway 7.6.400 Appliances

Product Guide

319

Overview of Email menu


Email Policies

Table 4-140 Option definitions Policy based actions


Option

Definition

If an email matches Drop-down list displays possible primary actions.


this policy
Select one of the following:
Deny connection (Block)
Refuse the data and return an error code (Block)
Accept and then drop the data (Block)
Route to an alternative relay (Reroute)
Allow through (Monitor)
Skip scanning This action turns off all scanners for specific messages.
Using this setting can allow viruses and other undesirable content to pass through.

And also

Specify the secondary actions to take.


The available secondary actions depend on the selected primary action.

Quarantine options
Quarantine original Select to have the original message added to the Quarantine
database.
Quarantine modified Select to have the modified message added to the Quarantine
database.
If you are using off-box quarantine, you can also select the quarantine queue into
which the email message is placed. This selection can include custom quarantine
queues that you have created.

Notification email options


Send one or more notification emails Use notification templates to customize the
notifications send. Click Manage templates to make changes to the notification
options.
Annotate and deliver original to sender Deliver the original email message to the
sender, with annotations added.
Deliver a notification email to 'Notification Email List' Deliver a notification email to all
addresses defined within the notification email list.
Deliver a notification email to the original recipient(s) Deliver a notification email to all the
recipients on the original email message.
Deliver a notification email to the sender Deliver a notification email to the sender of
the email message.
Deliver an audit copy to 'Auditing Email List' Deliver a copy of the original email
message for auditing purposes to all addresses defined within the auditing email
list.
Deliver the modified email to the sender Deliver the email message to the sender, with
modifications made by McAfee Email Gateway included.
Show selected/Show all To help manage the options shown, you can hide
unselected notification templates.
In addition to the pre-defined templates shown above, this list will also include any
custom notification templates that you create.

320

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-140 Option definitions Policy based actions (continued)


Option

Definition
Other actions
Modify subject McAfee Email Gateway rewrites the subject of the email message
using user-definable templates, and then delivers the message to the intended
recipients. Click Manage templates to change the way the subject is re-written.
Modify headers McAfee Email Gateway modifies the email message headers using
user-definable templates, and then delivers the message to the intended
recipients. You can select multiple header modification templates. Click Manage
templates to change the way the headers are re-written.
The following icons indicate the template settings:

When triggered, adds a header, and removes pre-existing headers of the


same name.

When triggered, adds a header without removing any pre-existing headers.

When triggered, removes any pre-existing headers of the same name.

Deliver message using encryption Attempt delivery of the message using your
configured encryption settings.
In the options, n represents the number of lists you select for each related action.

Notification and
annotated email
options

Opens the Default Notification and Routing Settings page.

Exceptions

Click the Exceptions tab at the left side of the Policy Based Action Settings window to show
or hide the policy exceptions options.
With Exceptions showing, you can configure or edit exceptions and set the actions for
them.

Scenario - Configure Policy based actions


You can configure Policy based actions for inbound or outbound messages. The messages can still proceed
through configured scanners, if you want them to.
Policy based actions apply to all messages that do not match any other policies. Policy based actions also apply
to matching policies that do not override the settings for Policy based actions.

Scenario Encrypt all messages sent by the Legal Department


Since messages from the Legal Department usually contain confidential information, using encryption
ensures the security of sensitive content.
Before you begin
If necessary, create a group that includes proper members of the Legal Department with a
rule type of Sender email address. The following exercise then applies policy based actions to
the Legal Department user group.
You can configure McAfee Email Gateway to scan the messages with any settings you prefer. For this
example, no scanning is needed.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

321

Overview of Email menu


Email Policies

Task
1

Log on to McAfee Email Gateway and select Email | Email Polices.

Click Add Policy.


The Scanning Policies New Policy window appears.

Create the new policy.


a

Type a policy name, such as Legal Outbound.

[Optional] Type a policy description.


A description is useful for explaining the purpose for the policy.

From the drop-down list, select the policy from which the new policy inherits settings. In this
case, select Default policy.

To set the email direction, select the Outbound option.

To set the Match logic, select Match one or more of the following rules.

Click Add Rule.


The Add Rule window appears.

For Rule type, select User Group.

For Match, select is.

For Value, select Legal Department.

Click OK.
The Add Rule window closes and the new rule appears on the Scanning Policies New Policy window.

Click OK.
The Scanning Policies New Policy window closes, and the new policy appears at the top of the list on
the Email Policies page.

Within the new policy, select the Policy Options | Policy based action link.
Be sure you select options within the new policy, rather than the default or any other configured
policies!

The Policy Based Action Settings window appears.


6

Configure the desired policy-based actions.


a

Ensure that Use the same settings as the default policy is not selected.

For the primary action, select Skip scanning from the drop-down list.

For the secondary action, select Other Actions | Deliver message using encryption.

Click OK.
The Policy Based Action Settings window closes, and the policy-based actions appear under Policy
Options.

Confirm your settings are correct, then apply the changes.

Outbound messages from the Legal Department are encrypted, and are not scanned.

322

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Scenario Review all messages received from a specific sender


Review all messages from a particular competitor, XYZ Corp.
Email Gateway performs configured scans on all messages.
Task
1

Log on to McAfee Email Gateway and select Email | Email Polices.

Click Add Policy.


The Scanning Policies New Policy window appears.

Create the new policy.


a

Type a policy name, such as Competitor inquiries.

[Optional] Type a policy description.


A description is useful for explaining the purpose for the policy.

From the drop-down list, select the policy from which the new policy inherits settings. In this
case, select Default policy.

To set the email direction, select the Inbound option.

To set the Match logic, select Match one or more of the following rules.

Click Add Rule.


The Add Rule window appears.

For Rule type, select Sender email address.

For Match, select is like.

For Value, type *@xyzcorp.com.

Click OK.
The Add Rule window closes and the new rule appears on the Scanning Policies New Policy window.

Click OK.
The Scanning Policies New Policy window closes, and the new policy appears at the top of the list on
the Email Policies page.

Within the new policy, select the Policy Options | Policy based action link.
Be sure you select options within the new policy, rather than the default or any other configured
policies!

The Policy Based Action Settings window appears.


6

Configure the desired policy-based actions.


a

Ensure that Use the same settings as the default policy is not checked.

For the primary action, select Allow through (Monitor) from the drop-down list.

For the secondary action, check Original email options | Forward original to n lists.

Click the Edit link associated with the secondary action.


The Email Recipients window appears.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

323

Overview of Email menu


Email Policies

Select one or more recipient lists.


The Email Recipients window closes.

Click OK.
The Policy Based Action Settings window closes, and the policy-based actions appear under Policy
Options.

Confirm your settings are correct, then apply the changes.

A designated reviewer receives original email messages from XYZ Corp. and can take further action.

Applying policy exceptions to Policy based actions


You can apply exceptions to Policy based actions just as you can to most other features and feature
settings.
Policy exceptions allow you to configure processing for special circumstances without adding new
policies.

Examples using policy exceptions


The following examples illustrate how you might use policy exceptions with Policy based actions, based on
your configured default policy and another policy for outbound mail. You would like to use exceptions
to resolve specific situations.
Issue Your default policy includes a policy-based action to send a notification to the original sender
for email messages addressed to customer support. Your outbound policy includes a policy-based
action to encrypt all outbound messages from customer support. You have a customer who reports
some unusual issues. First, due to the nature of the issues, you want the research group to follow the
case, while customer support helps the customer. Second, you want an administrator to monitor
outbound messages to the customer.
Solution 1 Create a policy exception to send audit copies of any messages from the specific
customer to the research group.
Solution 2 Create another policy exception, for your outbound mail, to send audit copies of
messages addressed to the customer to the administrator.
To configure this exception, you might need to create a custom notification template for sending audit
copies.

Issue You have to send audit copies of email messages to specific auditors, based on either the
sender or the recipient of the message. You want to do this using your default policy, rather than
creating policies to meet the requirement. For example, you might want to send the legal group audit
copies of messages addressed to tax accounting. You might also want to send sales management
copies of messages from field representatives.
Solution Without changing your default policy, add a policy exception to send audit copies of
messages destined for anyone in tax accounting to the legal team. Then create another exception to
send copies of messages from field representatives to sales management.
Creating user groups for members of tax accounting, field representatives, and sales managers might
be helpful.

324

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Task - Add an exception to a policy based action


Policy exceptions allow you to configure processing for special circumstances without adding new
policies.
You can configure only one policy based action for any feature setting, but you can configure multiple
exceptions.
Task
1

Log on to Email Gateway and select Email | Email Polices.

In policies table, for the policy where you want to add an exception, select Policy based actions.
The Policy Based Action Settings window opens.

Select the Exceptions tab to display an Exceptions list.


The list displays the name of the policy for which you want to add an exception, plus any previously
configured exceptions.

Click the Add exception icon at the bottom of the list.


The Scanning Policies - New Policy Exception window opens.

Configure the exception.


a

Type an exception name for the new exception.

[Optional] Add a description.

Select the proper match logic for this exception.

Select Add Rule.


The Add Rule window opens.

Configure the parameters for the new rule.

Click OK, then click OK again.


The new exception appears in the Exceptions list.

Click OK in the Policy Based Action Settings window.

The new exception applies to the selected policy.

Notification and Routing Settings Notification Emails


Specify the email addresses for messages from the appliance to users and to administrators.
For example, the appliance can send a notification email if it detects a threat in an email message or it
cannot deliver a message.
Changing these settings can affect scanning performance. If you are not sure about the impact of
making any changes, ask your network expert.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

325

Overview of Email menu


Email Policies

Table 4-141 Option definitions Notification emails


Option

Definition

Sender

Specifies the From address that the appliance uses when sending a
response to the sender of email that contained a threat.

Subject

Define the subject line to be used in notification emails

Display (including Edit the


alert text and Name:)

Decide how the notification will be displayed:


As an attachment
Inline (default)
Click Edit the alert text to make changes to the alert text to be used.
When you select As an attachment, you can also specify the Name: of the
attachment.

Table 4-142 Option definitions Annotated emails


Option

Definition

Sender

Specifies the From address that the appliance uses when sending a response to
the sender of email that contained a threat.

Subject

Define the subject line to be used in annotated emails.

Content

Decide the content of the notification to be displayed:


Notification alert text
Scanner-specific alert
Click Show example to see examples of the currently selected notification.

Display (including
Name:)

Decide how the notification will be displayed:


As an attachment
Inline (default)
Click Edit the alert text to make changes to the alert text to be used.
When you select As an attachment, you can also specify the Name: of the
attachment.

Table 4-143 Option definitions Bounce messages


Option Definition
Sender

Specifies the From address that the appliance uses when sending a response to the sender
bounce email messages.

Subject

Define the subject line to be used in bounced messages.

Table 4-144 Option definitions Modified messages returned to the sender


Option Definition

326

Sender

Specifies the From address that the appliance uses when sending a response to the modified
email messages being returned to the sender.

Subject

Define the subject line to be used in modified email messages being returned to the sender.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Table 4-145 Option definitions Forwarded emails


Option Definition
Sender

Select the sender from whom forwarded emails appear to come from. The options are:
Original sender (default)
Notification email sender

Table 4-146 Option definitions Audit copies


Option

Definition

Sender address Add a sender address for audit copies of messages.


To use the sender information from the original email message, leave this field empty.

Notification and Routing Settings Routing


Select a device to which the appliance can redirect email.

Email | Email Policies | Policy Options | Notifications and routing | Routing


Table 4-147 Option definitions
Option

Definition

Route the email to an alternative SMTP relay Selects the relay from the list on the SMTP Relays page.
Manage the list of relays

When clicked, opens a window where you can make a list of SMTP
relays.

Notification and Routing Settings SMTP Relays


Make a list of alternative relays for redirected email.

Email | Email Policies | Policy Options | Notifications and routing | SMTP Relays
Table 4-148 Option definitions
Option

Definition

Relay List

Specifies the relays. To edit the list, click the blue link to open the Edit List window.

Notification and Routing Settings Encryption Servers


Make a list of encryption servers to use.

Email | Email Policies | Policy Options | Notifications and routing | Encryption Servers
Table 4-149 Option definitions
Option

Definition

Server Group Specifies the name of the list of encryption servers. To edit the list, click the blue link to
open the Edit List window.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

327

Overview of Email menu


Email Policies

Notification and Routing Settings Email Recipients


Build a list of recipients for email that the appliance generates automatically.

Email | Email Policies | Policy Options | Notifications and routing | Email Recipients
For example, you can make lists of email addresses for administration and auditing. The lists are used
by several pages in the interface, for example: Email | Email Policies | Scanning Policies [Scanner Options] |
Notification and routing | Audit Copies
Table 4-150 Option definitions
Option Definition
Email List Specifies the name of the list. To edit the list, click the blue link to open the Edit List window.

McAfee Global Threat Intelligence (GTI) feedback settings


Use this page to submit threat detection feedback, and usage statistics from your product to McAfee.

Email | Email Policies | Scanning Policies | Scanner Options | McAfee GTI feedback

System | Setup Wizard

Dashboard | Services

Encryption settings
Define the encryption settings for this policy.

Benefits of configuring email encryption


This information describes the benefits associated with configuring email encryption.
These options allow you to configure, for this policy, whether a message should be encrypted, and the
encryption method that you want to use.

Option definitions Encryption Settings (SMTP)


This information describes the options available on this page.

Encryption Settings
Option

Definition

Encryption server / server group

Selects where encryption occurs, either on the appliance, or externally.


Click Manage the server groups to add other encryption servers.

328

Manage the server groups

Click to open the Encryption Servers dialog box where you add lists of
encryption servers.

Prioritize encryption over reroute


actions

If a message triggers a reroute action, you can choose to override the


reroute with the encryption action.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

On-box Encryption Options


Option

Definition

Encrypt the message


using one of

Choose from:
S/MIME
PGP
Secure Web Mail
If more than one encryption option is chosen, the encryption methods are
attempted in the order that you see here until one is successful.

Prioritize TLS over


content encryption

If selected, Email Gateway attempts to use TLS to secure the link. If TLS is
established, the content of the email message is not encrypted.
However, if TLS cannot be established, then the email message content is
encrypted using your chosen encryption methods.

If none of the selected If the selected encryption method(s) fail, specify the action that you want to
encryption methods are take:
possible
Attempt delivery using TLS and send an NDR if that is not possible TLS is enforced for
delivery subject to your TLS settings
Send an NDR without attempting delivery using TLS the email is not delivered, and a
report is sent to the sender.

On-box Decryption Options


Option

Definition

Attempt to decrypt S/MIME-encrypted Enable this to configure your appliance to attempt the decryption of
emails
email messages encrypted using S/MIME.
By default, this option is disabled.
Attempt to decrypt PGP-encrypted
emails

Enable this to configure your appliance to attempt the decryption of


email messages encrypted using PGP.
By default, this option is disabled.

The decryption settings are based on the highest-order policy that applies to all recipients. Decryption
cannot be configured for policies that only apply to a sub-set of users.

If these options are left disabled, or the appliance is unable to decrypt the message, the
Encrypted Content settings are used.

Task Enabling Secure Web Mail


Enable Secure Web Mail on your McAfee Email Gateway.
Before you begin
If you are using port 443 for management traffic to your McAfee Email Gateway, you
cannot enable Secure Web Mail. If you have the management port set to 443, the user
interface provides a link to System | Appliance Management | Remote Access, where you can change
this.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

329

Overview of Email menu


Email Policies

Task
1

Navigate to Email | Email Policies | Policy Options | Encryption.

In On-box Encryption Options, select Secure Web Mail.

If required, select Send an NDR if message encryption is not possible.

Click OK.

Apply the changes.

Once you have enabled Secure Web Mail, you will need to configure your Email Policies to use this feature.

Option definitions Email Recipients


Use this dialog box to create lists of recipients who will receive notification messages.
Option Definition
Email List Displays the lists of email recipients. three lists come with the appliance by default:
Administration Email List, Notification Email List, and Auditing Email List. The default lists cannot be
removed from the list, even if they are empty.
Add

Click to open the Edit List dialog box where you can create a new notification list.

Reset

Click reset to remove the information within all fields in the dialog box .

Option definitions Edit List


Use this dialog box to edit a list of recipients who will receive notification of a detection.
Option

Definition

List name

Displays the name of the list - either Administration Email List, Notification Email List, or
Auditing Email List, or a list that you created yourself.

Email address A list of email addresses that belong to the list. Use the trashcan icon to remove a
selected address from the list. The trashcan icon becomes active only when more than
one address exists in the list.
Add

Click to open the Edit Email Address dialog box where you can either type or use a template
to add a new email address to the list.

Delete

Deletes the selected user-created notification lists.


You cannot delete the built-in lists provided with the appliance.

Option definitions Edit Email Address


Use this dialog box to create an email address that will receive notification of a detection.

330

Option

Definition

Standard

Type in the email address that you want to use.

Template

Use the template fields to create the email address.

Reset

Click to remove all information from the fields in this dialog box.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


Email Policies

Option definitions URL reputation blacklists and whitelists


Blacklists and whitelists enable you to fine-tune the list of URLs that are blocked or allowed by McAfee
Email Gateway.
Table 4-151 Option definitions Policy exceptions
Option

Definition

Number of exceptions

Displays the number of exceptions configured for the specific policy. If no


exceptions exist, the box displays No exceptions.

Policy name

Displays the name of the policy you select.

Exception name

Displays the name of the exception. If more than one exception is


configured, each exception has its own tab. To view or edit the exception,
click the relevant exception tab.
Opens the Scanning Policies New Policy Exception window, enabling you to
create a policy exception.

Add exception
Move up and
down

When you have two or more policy exceptions, you can change the

Move

priority in which they are used by using the


and
buttons. The
exception at the top of the list is given the highest priority.

Edit exception properties

Click to open the Scanning Policies Edit Policy Exception Details window to edit
the properties of the selected policy exception.
Click to delete the selected policy exception.

Delete exception
Table 4-152

Blacklist and whitelist options

Option

Definition

URLs that should always be


blocked

The upper table shows all URLs currently configured to be blacklisted.

Search

Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.

Type

Simple pattern or regular expression

Description

Any descriptive text that identifies the URL.

Pattern

The entire regular expression (all fields concatenated).


Simple patterns show '*' for any unspecified parts. Regular expressions show
the entire pattern.

Match Case

Indicates whether the regular expression should evaluate the URL on a


case-sensitive basis.

Edit

Clicking this link opens the URL Expression Builder where you can edit this URL .

Add Simple Pattern

Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.

Add Regular Expression

Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.

Delete Selected Patterns

Click this button to delete any patterns you have checked in this table.

URLs that should always be


allowed

The lower table shows all URLs currently configured to be whitelisted.

Search

Type any portions of the URL as search parameters. Applies to the Description
and Pattern columns.

Type

Simple pattern or regular expression

Description

Any descriptive text that identifies the URL.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

331

Overview of Email menu


DLP and Dictionaries overview

Table 4-152

Blacklist and whitelist options (continued)

Option

Definition

Pattern

The entire regular expression (all fields concatenated).


Simple patterns show '*' for any unspecified parts. Regular expressions show
the entire pattern.

Match Case

Indicates whether the regular expression should evaluate the URL on a


case-sensitive basis.

Edit

Clicking this link opens the URL Expression Builder where you can edit this URL .

Add Simple Pattern

Click this button to open the URL Expression Builder to add a URL by entering a
simple DOS pattern.

Add Regular Expression

Click this button to open the URL Expression Builder to add a URL by entering a
regular expression.

Delete Selected Patterns

Click this button to delete any patterns you have checked in this table.

DLP and Dictionaries overview


The DLP and Dictionaries pages enable you to register documents that you want to prevent from data loss,
create content categories, and set up the compliance dictionaries that you want to adhere to.

Email | DLP and Dictionaries


Contents
Registered Documents
Compliance Dictionaries
Option definitions Add Dictionary Details
Option definitions Applicable File Formats
Option definitions OR Condition
Option definitions AND Condition
Option definitions Edit Regular Expression

Registered Documents
Use this page to register documents for inclusion in the Data Loss Prevention policies.

Email | DLP and Dictionaries | Registered Documents

Benefits of Data Loss Prevention (DLP)


Use this information to understand the benefits of using Data Loss Prevention with your Email
Gateway.
You can restrict the flow of sensitive information sent by email through the appliance. For example,
block the transmission of a sensitive document such as a financial report that is to be sent outside of
your organization. Detection occurs whether the original document is sent as an email attachment, or
even as just a section of text taken from the original document.
Configuring DLP takes place in two phases:

332

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

Registering the documents that you want to protect (this topic)

Setting the DLP policy to action, and control the detection

Sensitive documents can be uploaded where the content is then transformed into a set of signatures
representing the original content. Note that only the signatures are permanently stored on the
appliance, not the original contents. Once the policy is set, these signatures are compared against all
content sent by email through the appliance to prevent data leakage occurring.
If a document is used by a data loss prevention policy, you cannot delete either the document, or any
categories that the document belongs to. To delete either the category, or the document, the document
must first be removed from any associated policies. Hover the cursor over the Used by column to see
the policies that use either the category, or the document.

Option definitions DLP Registered Documents


Use this information to understand the options available on the DLP Registered Documents pages of
the user interface.
Option

Definition

Categories

Groups of registered documents. Contains the Excluded Content category by default.


Excluded Content is a system category for uploaded standard corporate text (boilerplate
text), and corporate templates that you want the appliance to ignore in its data loss
prevention checks.
Documents in the Excluded Content category have a higher number of signatures than
those in other categories. A document in the Excluded Content category can be copied to
other categories, but retains its higher number of signatures.

Status

shows that there are two possible states, with appropriate tool tips:
The category has been modified (renamed)
Documents have been added or removed from the category

indicates that the category is new and does not exist in the Data Loss Prevention
database. This status disappears as soon as the configuration is applied.
indicates that everything is normal

Used by

Displays the number of data loss policies that use this category.

Documents

Displays the number of documents to which this content category applies.

Add

Create a content category.

Clear Selection Click to not have any category selected.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

333

Overview of Email menu


DLP and Dictionaries overview

Option definitions Documents


Use this information to understand the options available on the Documents pages of the user
interface.
Option

Definition
Copy selected documents to another category. When you select this option, it opens the
Search feature which will look for categories without that document.
Documents from other categories cannot be copied into the Excluded Content category.
However, you can upload documents from other categories to the Excluded Content
category.
When you upload a document from another category to the Excluded Content category, the
document's signatures increase. The version of the document in the other category has
the same higher number of signatures as the version in the Excluded Content category.

Look for documents by name in all categories, or just a selected category.


Click on Clear Selection first, to select a document in all the categories, or select a category
to search for a document only in that category.

Delete multiple documents by name. When you select this option, it opens the Search
feature which looks for documents by name in all categories or just a selected category.
To delete documents from all the categories click on Clear Selection first. If no category is
selected, the selected documents are deleted in every category so that the document is
removed entirely from the registered documents database.

File Name

Lists all the documents associated with the selected document category.

Status

indicates that there is an error in the document. See the tooltip to see the reason,
either:
an error in the database
an error occurred while uploading the document
an error occurred during document training

indicates that there are modifications that have not yet been applied.
indicates that the document is new. Documents are trained when they are
uploaded.
indicates that the document is normal, either:
the document is unchanged.
the uploaded document was trained successfully.

Digest

A unique identifier for a file.

Size

The size of a file.

Excluded by

The number of policies that have this file in the exclusion list.

Referenced by The number of categories that contain this document.

334

Signatures

The number of signatures representing this document.

Trained on

The date the document was registered.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

Option

Definition

Upload

Click to register documents against this category, either individually or within an archive.
Supported archive formats are:
Zip (*.zip)

Tar (*.tar)

Gzip (*.gz)

gzipped tar (*.tar.gz, *.tgz)

Bzip2 (*.bz2, *.bz)

bzipped tar (*.tar.bz2, *.tar.bz,


*.tbz2, *.tbz)

The Character Encoding drop-down list allows you to specify the character set used for
filenames.
To upload files in .TXT format, McAfee recommends that you save them using Unicode or
UTF-8 formats.

Copy existing Click to copy an existing document from other categories into the selected category.
When you select this option, it opens the Search feature which will look for documents
that are not currently linked to the selected category, but that exist in other categories.

Documents and Categories behavior


Use this information to understand the behavior of documents and categories used by your Email
Gateway.
You might sometimes find that you are unable to edit or remove a content category, or remove a
document within that category, and the icon appears unavailable. This is because the category or
document is in use by a policy, or the category contains a document that is excluded by a policy. Hold
your cursor over the icon to see why it is unavailable. See the following table to find out what you can
do to edit or remove the category or document.
Tooltip text/reason

Solution

Cannot delete Document because it's


excluded by policy

Identify the policy by hovering over the value in the Excluded by


column, and remove the document from the policies listed in the
tooltip.

Cannot edit/delete Category because it's


non-editable default

This is the default exclusion list.

Cannot edit/delete Category because it's


in use by a policy

Identify the policy by hovering over the value in the Used by column,
and remove the category from the policies listed in the tooltip.

Cannot edit/delete Category because it


contains a document that is excluded by
a policy

1 Select the category to load the documents.


2 Sort the documents in descending order by clicking the column
name.
3 For each document excluded by one or more policies, hover over
the value in the Excluded by column, and remove the document
from the policies listed in the tooltip.

Task Register a document for the Finance group


Understand how to register a document for the Finance group.
Task
1

Go to Email | DLP and Dictionaries | Registered Documents.

Click Add, and type Finance.

Select the Finance category, and click Upload.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

335

Overview of Email menu


DLP and Dictionaries overview

Browse to the file that you want to register in the Finance category, and click OK.

Apply the changes.

Task Register multiple documents at the same time


Understand how to register many documents at a time.
Before you begin
Create a zip file that contains several files that you want to register.
Task
1

Go to Email | Email Policies | Registered Documents.

Either select a pre-defined category from the list, or create a new one.

Select the category, and click Upload.

Browse to the zip file that you created, and click OK.

Apply the changes.

Task Ignore corporate template text in registered documents


Configure your Email Gateway to ignore corporate template text when scanning registered documents.
Task
1

Go to Email | Email Policies | Registered Documents.

Select the Excluded Content category, and click Upload.

Browse to the template file that you want to ignore, and click OK.

Apply the changes.

Task Put a single document in multiple categories


Register a single document within multiple categories.
Task
1

Go to Email | Email Policies | Registered Documents.

In the Documents section, select the document, and click the Copy icon.

Select the categories to which you want the document to be associated, and click OK.

Apply the changes.

Task Remove a document that is excluded by a policy


Remove a document that has been excluded by a policy.
Task

336

Go to Email | Email Policies | Registered Documents.

In the document list, locate the file that you want to remove as registered document, and try to
click the Delete icon.

Hover the mouse cursor over the Excluded by entry for that document to find out which policy
excludes that document.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

Go to Policy Catalog | McAfee Email Gateway 7.6.4 | Email Policies and click Edit Settings.

In the Compliance area, select the Data Loss Prevention policy.

Expand the policy that contains the excluded document.

Click the Delete icon next to the appropriate document in the Exclusions list.

Compliance Dictionaries
Use this page to view and edit compliance dictionaries.

Email | DLP and Dictionaries | Compliance Dictionaries


The compliance dictionaries contain words and phrases that might offend some readers.

Benefits of using compliance dictionaries


Use this information to understand the benefits of using compliance dictionaries.
Use Compliance scanning to assist with conformance to regulatory compliance and corporate operating
compliance. You can choose from a library of predefined compliance rules, or create your own rules
and dictionaries specific to your organization.
Compliance rules can vary in complexity from a straightforward trigger when an individual term within
a dictionary is detected, to building on and combining score-based dictionaries which will only trigger
when a certain threshold is reached. Using the advanced features of compliance rules, dictionaries can
be combined using logical operations of "any of", "all of", or "except".
To get information about using dictionaries, see Compliance Settings.

Option definitions Dictionary list


Use this information to understand the options available from within the user interface for the
Dictionaries.
Option

Definition

Language

Filters the dictionaries by locale.


Selecting a language selects all dictionaries available in that language, and any
language-neutral dictionaries.

Dictionary

Displays the name of the dictionary and a symbol to indicate its type:
Red book: Non score-based
Blue book: Score-based
Green book: User-defined
Open book: Currently selected item

Category

Dictionaries are grouped into related categories. For example, Profanity and Sex are
in the Acceptable Use category.

Used by

Displays the number of policies that use the dictionary.

Edit

When the icon is clicked, a window opens where you can change the dictionary name
and description.

Delete

When the icon is clicked, the dictionary on that row is removed.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

337

Overview of Email menu


DLP and Dictionaries overview

Option

Definition

Add dictionary

When clicked, adds a new dictionary. Type a name and description for your
dictionary, and select whether the dictionary will match on regular expressions, or
simple strings.
A new row for your dictionary appears at the bottom of the list of dictionaries. You
can add words to the new dictionary later.

Import dictionaries When clicked, imports a file to replace your existing dictionaries.
Export dictionaries When clicked, exports the dictionaries as an XML file. You can send the file to other
appliances, ensuring that content scanning is consistent.

Option definitions New Condition


Use this dialog box to enter new terms into a dictionary.

Email | DLP and Compliance | Compliance Dictionaries | Dictionary | Add Condition


Option

Definition

Match type

Select how the appliance matches terms within this dictionary.

Applies to

Select what the term applies to.


Click the link and select from the available options.

Term

Enter the term that you want the appliance to search for.

List of terms for selected dictionary


Use this information to understand the supporting information given when you select a dictionary.
Click a row within the dictionary list to display the contents of that dictionary.
Table 4-153 Option definitions
Option

Definition
Opens a Locate a term window, where you can type text to locate in the terms of the
currently selected dictionary.
You can type a regular expression here using Boost Perl Regular Expression Syntax.
Regular expressions are case sensitive; to make a pattern case insensitive, start it with
(?I).
Copy the listed terms within the selected dictionary
Paste the copied terms into the selected dictionary.
Open a window where you can change the description for the currently selected
dictionary. You cannot change the name of dictionaries supplied by McAfee.
Deletes the selected term.

Conditions
(OR)

For dictionaries that are not score-based, you can view lists of terms that are combined
using the logical OR operator. The dictionary will trigger when 'any of' the term lists
trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.

338

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

Table 4-153 Option definitions (continued)


Option

Definition

Term lists

For dictionaries that are score-based, you can view the individual lists of terms in the
selected dictionary.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.

Applies to

Click the link to specify the category and subcategory against which the terms will be
searched for, such as looking for terms within an email message subject line.

Term

Displays the trigger word or phrase. The icon before the term indicates whether it is a
regular expression, simple string or complex term.
Hover your mouse cursor over the icon to see the term type.

Score

Displays the score attributed to the term. To make the dictionary score-based, click Add.
To find out more about using thresholds and scores, see the tasks in Compliance
Settings.

Case sensitive

If selected, the appliance responds only to text that matches the term exactly in letter
case.
Example: If the term is Abc, the appliance responds to the word Abc. However, the
appliance ignores abc or ABC.

Wildcard

When selected, allows the use of ? and * in the term to represent unknown single or
multiple characters.
Example: If the term is ab?, the appliance responds to the word abc or abd. If the term
is ab*f, the appliance responds to the word abcdef or abcf.

Starts with

When selected, matches the term when it appears at the start of a word.
Example: If the term is bc, the appliance responds to the words bc, bcd or bcdef.
However, the appliance ignores abc or abcd.

Ends with

When selected, matches the term when it appears at the end of a word.
Example: If the term is bc, the appliance responds to the words bc or abc. However, the
appliance ignores bcd or abcd.
When used together, Starts with and Ends with match the term when it appears as a whole
word.
Example: If the term is bc, the appliance responds to the words bc. However, the
appliance ignores bcd or abc.

Edit

When clicked, opens a window that allows you to change the basic term properties, or
create a complex term.
Term details Edit the basic term properties including the actual text that you are
looking for, as well as case sensitive, wildcard, and starts with and ends with as
defined above.
Contextual matching (advanced) Set triggers for terms based on proximity to other terms.
To set these details, click Add Word or Phrase:
Display string Sets the display name for the term in the list of dictionary terms.
Enable near matching Enable or disable triggers based on proximity.
Condition Specify the conditions under which you want the term to trigger.
Within a block Set the proximity within which the terms must be found.
Word or phrase The list of terms.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

339

Overview of Email menu


DLP and Dictionaries overview

Table 4-153 Option definitions (continued)


Option
Delete
Add OR
condition

Definition
Removes the term from the dictionary.
For dictionaries that are not score-based, click to add new lists that are combined using
the logical OR operator using the following settings:
Name The name that you want to apply to the list of terms.
Description A unique description for the list.
Match type Specify whether the list contains regular expressions, or simple strings.
Applies to Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
Term Provide the first term in the list.
The dictionary will trigger when 'any of' the term lists trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.

Add AND
condition

For dictionaries that are not score-based, click to add new lists that are combined using
the logical AND operator using the following settings:
Match type Specify whether the list contains regular expressions, or simple strings.
Applies to Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
Term Provide the first term in the list.
The dictionary will trigger when 'all of' the conditions trigger.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.

340

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

Table 4-153 Option definitions (continued)


Option

Definition

Add Term List

For dictionaries that are score-based, click to add a list of terms in the selected
dictionary, using the following settings:
Name The name that you want to apply to the list of terms.
Description A unique description for the list.
Match type Specify whether the list contains regular expressions, or simple strings.
Applies to Click the link to specify the category and subcategory against which the
terms will be applied, such as looking for terms within an email message subject line.
Term Provide the first term in the list.
Individual term lists can apply to different contexts. For example, one term list might
look for terms within message bodies whilst another might look for terms within the
subject line.

Insert term

When clicked, opens a window where you can add a new term using the following
settings:
Term details Specify the basic term properties including the actual text that you are
looking for, as well as case sensitive, wildcard, and starts with and ends with as
defined above.
Contextual matching (advanced) Set triggers for terms based on proximity to other terms.
To set these details, click Add Word or Phrase:
Display string Set the display name for the term in the list of dictionary terms.
Enable near matching Enable or disable triggers based on proximity.
Condition Specify the conditions under which you want the term to trigger.
Within a block Set the proximity within which the terms must be found.
Word or phrase The list of terms.
This feature assumes that you have selected a dictionary and one of its terms. When
you click OK in the Term Details window, the appliance adds the term to the dictionary and
next to the selected term. Both terms have the same condition.

Introduction to regular expressions


Use this information to understand how your McAfee Email Gateway responds to regular expressions
used when defining rules and dictionary entries.
A regular expression (abbreviated regex or regexp) is a sequence of characters that forms a
search pattern, mainly for use in pattern matching with strings, or string matching. In McAfee Email
Gateway, a regex can be used to specify a set of strings required for a particular purpose, such as
detecting specific strings within an email header, or defining terms for a compliance dictionary.
Construct regular expressions only if you have a firm understanding of how they work. Use the
information in this section as a reminder or quick reference.
For more information, browse the web pages or books that explain regular expressions in detail.

Each character in a regular expression is either a metacharacter with its special meaning, or a
regular character with its literal meaning. Together, they can identify textual material of a given
pattern, or process a number of instances of it that can vary from a precise equality to a very general
similarity of the pattern. All regular expressions follow the same basic structure: expression plus flag.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

341

Overview of Email menu


DLP and Dictionaries overview

Characters
A regular expression that contains no special characters ($()*+.?[^|) will match exactly what is
contained within the expression. Literal characters match themselves, so a simple regular expression
will produce results. However, special characters allow for more specific searches.
Metacharacters provide additional control to the matches a regex produces. The characters .[{()*?|^$
are metacharacters. For example,

. matches any character except for new line

\. matches a literal "." character

\\ matches a literal "\" character

(string1|string2) matches either string1 or string2

Anchors require that an expression is found in a particular place within a string, but do not match any
characters (zero width assertions):

\b matches a word boundary (start or end of a word)

^ matches the start of a line

$ matches the end of a line

Character classes match a particular type of character:

\s matches any whitespace character

\w matches any word character (a-z, A-Z, 0-9 and "_")

\d matches any digit

[abc] matches any one character a, b or c

You can also use the complements of these classes:

\S any non-whitespace character

\W any non-word character

\D any non-numeric character

[^abc] any character that isn't a, b or c

Quantifiers apply to the previous term:

* matches 0 or more of the previous term

+ matches 1 or more of the previous term

For example:

342

^aa matches lines that start with aa

bb$ matches lines that end with bb

cc matches ccd, acc, and accd

ab*c matches ac, abc and abbc

a\d+b matches a2b and a23456b, but not ab

a.c matches abc, but not ac or abbc

a.*c matches ac, abc and adefghb

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

a[bcd]e matches abe, ace and ade, but not abcde

It is (lunch|dinner) time matches "It is lunch time" or "It is dinner time"

Benefits of using validation algorithms


Validation algorithms enhance the effectiveness of regular expressions applied to specific kinds of
email content.
In McAfee Email Gateway, a regex can be used to specify a set of strings required for a particular
purpose. For instance, a regex can detect specific strings within an email header, or define terms for a
compliance dictionary. Validation algorithms refine the detection.
Example A bank uses a rule to detect credit card numbers in outgoing email messages. If the rule
triggers, Email Gateway quarantines the message.

Using a validation algorithm


This use case illustrates how you can use validation algorithms to improve the accuracy of detection
rules.
Issue You have configured a compliance rule to detect credit card numbers in email messages. You
get many false positive detections where series of numbers are mistaken for credit card numbers.
Solution Add the Luhn10 (Credit Card, IMEI etc.) validation algorithm to your rule. The algorithm ensures
that a detected series of 16 numbers is a valid credit card number.
This algorithm determines whether a group of digits that are the same length as a credit card number is
actually a valid card number. Otherwise, it is an unrelated group of digits that happen to be the same
length. If you create content rules to look for credit card, this algorithm can help avoid false positives.

Task Validate formats for credit card numbers


Use the Luhn10 (Credit Card, IMEI etc.) validation algorithm to verify the validity of credit card
numbers that appear in email messages.
Using the Luhn10 (Credit Card, IMEI etc.) algorithm with any regular expression identifies potential
credit card numbers. This action verifies that they are real credit card numbers, not a sequence of 16
numbers that looks like a credit card number.
Task
1

Select Email | DLP and Dictionaries | Compliance Dictionaries..

In the Dictionary List section of the page, scroll down and select Credit Card Number as the dictionary to
use.
The Dictionary section of the page populates with any configured conditions and regular expressions.

In the Dictionary section, select the regular expression to validate the credit card number.

Select the Edit icon for that regular expression.


The Edit Regular Expression dialog box opens.

In the Validation Algorithm drop-down list, select Luhn10 (Credit Card, IMEI etc.) as the validation
algorithm.
For any regular expression dictionary, users can choose a type of validation algorithm that best suits
their purpose. None is the default.

McAfee Email Gateway 7.6.400 Appliances

Product Guide

343

Overview of Email menu


DLP and Dictionaries overview

(Optional) Select Test to validate your selection.


The Regular Expression Test Interface dialog opens, showing the test results.

Click OK to close the test box.

On the Edit Regular Expression dialog, click OK to complete your selection.

Click the green checkmark icon to save your changes.

Introduction to Graymail
Graymail is bulk email that does not meet the definition of spam.
Graymail messages could be considered either spam or legitimate email, depending upon the opinion
of the recipient.

Characteristics of Graymail
Graymail is email sent to a large number of recipients, but it differs from spam in several ways:

The user, at one time or another, requested to receive the messages, by such things as supplying
an email address.

Graymail messages come from reputable sources who want a relationship with the recipient, such
as a customer or client relationship.

Graymail messages usually offer an unsubscribe option.

Graymail typically contains content that might be of value to the recipients, and that might appeal
to their interests.

Graymail often includes an element of timeliness, such as an expiration date for an offer of goods
or services.

Requested or solicited email messages become graymail when the recipient becomes less interested in
receiving them.

The Graymail dictionary


In the spam policy settings of the Default policy, McAfee Email Gateway includes the Graymail
dictionary.
The dictionary contains a static list of terms, and is read-only. It cannot be edited. You can copy terms
from the Graymail dictionary to be used in a new dictionary if necessary. You can find it in the list at
Email | DLP and Dictionaries | Compliance Dictionaries.

Using the Graymail dictionary


When you enable Spam (Email | Email Policies | Spam), the Graymail dictionary is available to be included
in your policies. Treat it as you would any other dictionary. You can enable it in the Default policy, or
create a new policy to apply it.
You can also enable or disable the Graymail feature through the Setup Wizard.

Graymail detections show in reports as Spam detections triggered against the Graymail rule group,
along with the term that triggered the detection.

Task - Configure Graymail in the Setup Wizard


You can enable or disable Graymail protection as part of setting up your appliance.
You can enable Graymail protection in your original setup, or return to the Setup Wizard to enable or
disable it.

344

McAfee Email Gateway 7.6.400 Appliances

Product Guide

Overview of Email menu


DLP and Dictionaries overview

Task
1

Navigate to the Setup Wizard (System | Setup Wizard).


The Setup Wizard opens to the first page.

Complete the steps, or click Next for each step to leave them unchanged, to step 6, Email Configuration.

Click the Enable Graymail Protection check box.

If you check the box, Graymail is enabled.

If you do not check the box, Graymail is disabled.

If you leave the check box unchanged from the way you found it, the Graymail configuration is
not u