McAfee® GroupShield™
version 6.0
TRADEMARK ATTRIBUTIONS
Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network
Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System,
Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy
Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ,
HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design,
Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking,
NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance
Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey –
International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, SecurityShield, Service Level
Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total
Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan,
WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business
Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer®
brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Attributions
This product includes or may include:
• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
• Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
• Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
• Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
• Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved.
• International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved.
• Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc.
• Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000.
PATENT INFORMATION
Protected by US Patents 6,029,256; 6,230,288; 6,594,686; 6,151,643; 6,457,076; 6,035,423; 6,269,456; 6,542,943; 6,006,035; 6,266,811; 6,496,875; 6,611,925; 6,622,150
Preface .... 13
    Audience .... 13
    Conventions .... 14
    Getting information .... 15
    Contacting McAfee Security & Network Associates .... 16
Section 1
Understanding GroupShield
2 Where GroupShield Sits on Your Network .... 27
    E-mail server protection — McAfee GroupShield .... 29
    Other areas to protect .... 29
        Internet gateway protection — McAfee WebShield .... 29
        Document repository protection — McAfee PortalShield .... 30
        Desktop and file server protection — McAfee VirusScan Enterprise .... 30
        Management solution — McAfee ePolicy Orchestrator .... 31
4 Virus Scanning .... 35
    How does scanning work? .... 35
    What and when to scan .... 36
    Types of scanning .... 36
        On-access scanning .... 36
        On-demand scanning .... 38
        Background scanning .... 38
        Proactive scanning .... 39
    GroupShield and Microsoft® Exchange interactions .... 40
        Moving messages into public folders .... 40
        Searching within From: To: cc: and bcc: fields .... 40
Section 2
Using GroupShield
6 GroupShield Interface .... 71
    About the GroupShield interface .... 72
        GroupShield Web Interface .... 72
        GroupShield Stand-alone Interface .... 72
    Opening the GroupShield interface .... 73
        Administering GroupShield from a different computer .... 73
    Introducing the GroupShield interface .... 75
        Navigation pane .... 76
        Console .... 77
        Quick Help pane .... 78
        Links bar .... 78
    The GroupShield Home page .... 79
        Real-time scanning statistics .... 79
        Product versions .... 80
        Recently Scanned Items .... 80
Product Guide v
Contents
Section 3
Appendices
A Troubleshooting .... 193
    Reporting problems with GroupShield 6.0 .... 193
        MERTool and the Network Associates Error Reporting Service .... 193
            Introducing MERTool .... 194
            Using MERTool .... 195
            Introducing the Network Associates Error Reporting Service .... 195
            Using the Network Associates Error Reporting Service .... 196
    Frequently asked questions .... 198
        Questions about updating .... 198
        Questions about scanning .... 198
        Questions about Viruses .... 199
    Error messages and event log entries .... 200
        Events .... 202
Index .... 252
This guide introduces McAfee® GroupShield™ software version 6.0 for Microsoft®
Exchange, and provides the following information:
Audience
This information is designed for system and network administrators who are
responsible for their company’s anti-virus and security program.
Conventions
This guide uses the following conventions:
Bold
    All words from the user interface, including options, menus, buttons, and dialog box names.
    Example: Type the User name and Password of the desired account.
Courier
    The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt).
    Examples: The default location for the program is: C:\Program Files\Network Associates\VirusScan
    Example: Refer to the VirusScan Enterprise Product Guide for more information.
Getting information
Installation Guide *^
    System requirements and instructions for installing and starting the software.
    McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide
Product Guide *
    Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.
    McAfee GroupShield 6.0 for Microsoft Exchange Product Guide (this guide)
    Related Guides:
    McAfee Alert Manager 4.7 Product Guide
    McAfee ePolicy Orchestrator 2.5.1 Product Guide
    McAfee ePolicy Orchestrator 3.0 Product Guide
QuickHelp §
    Contained within the interface, the QuickHelp gives you overview information about each page, and provides links into the high-level Help.
Help §
    High-level and detailed information on configuring and using the software.
Configuration Guide *
    For use with ePolicy Orchestrator™. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.
Release Notes ‡
    ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.
Contacts ‡
    Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
^ A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.
‡ Text files included with the software application and on the product CD.
§ Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help.
About GroupShield 6.0
What is GroupShield?
McAfee GroupShield 6.0 software provides virus protection and content management for these versions of Microsoft® Exchange servers:
• Microsoft® Exchange 2000.
Each time a message is written to or read from the store, the GroupShield software
scans it, comparing it with a list of known viruses and suspected virus-like
behavior. GroupShield can also scan for content within the message, using rules
and policies defined within the GroupShield software.
The anti-spam add-on package provides additional protection for your Microsoft® Exchange server, filtering all incoming e-mail messages and assigning a “spam score” to each. You can then choose to block messages above a certain score, and to mark lower-scoring messages as possibly containing spam.
Please see the McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide for information about activating the evaluation versions of GroupShield 6.0 and the anti-spam add-on package.
GroupShield features
This release of the GroupShield software introduces the following major features:
Description
    In its basic configuration, GroupShield 6.0 enables you to define up to ten policies to help you protect your Microsoft® Exchange server. The eXtended Policy Support add-on package gives you a virtually limitless number of policies that you can define to protect your Microsoft® Exchange servers.
Benefits
    eXtended Policy Support gives you the ability to define policies for different teams, departments, offices or even countries within your corporate e-mail system.
For more information
    Information about installing the eXtended Policy Support add-on can be found in the following guide:
Understanding GroupShield
However, protecting your Internet gateway and your corporate e-mail systems
cannot protect against viruses that are transferred from computer to computer
within your network, or from an infected CD or disk, a handheld device or any
other device that can transfer files to a computer and download files to it. To
protect your network at this level, you need to add anti-virus protection to your
file servers and desktop computers.
Due to the close integration between your e-mail server and its GroupShield anti-virus solution, GroupShield can do more than just protect your e-mail server from viruses. Depending upon your choice of e-mail server, GroupShield can protect against harmful scripts sent within the e-mail system, block messages with specific attachments, block messages based on words that appear either within the subject line or the body of the message, and block messages from specific addresses.
By stopping viruses before they attack computers within your network, you
eliminate the damage and down-time that the attack can cause, saving your
organization the costs associated with down-time and lost or corrupted data.
To address this issue, several software vendors produce portal servers to store,
index and control your critical documents in a way that enables them to be easily
located when needed. Because these portal servers are set up to store your critical
information, it is important that this information is also protected.
McAfee PortalShield 1.0 is currently available to protect Microsoft SharePoint
Portal Server 2001, Microsoft SharePoint Portal Server 2003 and Microsoft
Windows SharePoint Services. PortalShield integrates with the stores of these
products to provide scanning of documents each time they are accessed or saved
to the store.
PortalShield also enables you to scan the entire store at times of low usage, to
verify that no infected documents are held within the store.
From the viewpoint of somebody trying to attack your corporate network, your file
servers are a good target; because many other computers connect to each of your
file servers, infecting the file server is more likely to have serious consequences
than infecting, for example, a single desktop computer.
The VirusScan products protect desktop computers and file servers within your
network. As part of your integrated response to virus threats, VirusScan can be
viewed as your last line of defense, protecting each desktop computer and file
server from viruses that might spread using network shares or physical media.
VirusScan is available in versions to protect Microsoft Windows and Unix
computers, as well as all the leading wireless devices that might connect to your
PCs and network.
With ePolicy Orchestrator, you can update all your McAfee anti-virus solutions
across your network from a single point, ensuring that your virus definition (DAT)
files and virus-scanning engines are up-to-date, and that suitable policies are in
place to deal with any attacks to your network.
ePolicy Orchestrator also provides enterprise reporting, giving you confidence
that all desktop computers, servers, groupware, and gateway computers are
up-to-date with the latest DAT file and engine.
How GroupShield Protects Exchange
This presents all message components to GroupShield 6.0 for scanning by the
virus-scanning engine and the content management engine, before being written
to the file system, or being read by users of Microsoft® Exchange.
Once presented to GroupShield, the virus-scanning engine compares the message
with all the known virus signatures stored within the currently installed virus
definition (DAT) file, as well as checking the message using your selected heuristic
detection methods.
The content management engine searches the message for banned content, as
specified in the content management policies that you have running within
GroupShield software.
If these checks do not find any virus or banned content within the message, GroupShield then passes the information back to the virus-scanning API, for completion of the original message request within Microsoft® Exchange.
NOTE: The GroupShield software can also be configured to use transport scanning when installed on Microsoft® Exchange 2000.
The engine uses a technique called heuristic analysis to help it search for unknown
viruses. This involves analysis of some of the object’s program code and searching
for distinctive features typically found in viruses.
Once the engine has confirmed the identity of a virus, it cleans the object as far as
possible, for example by removing an infected macro from the attachment in which
it is found or by deleting the virus code in an executable file. In some instances, for
example if the virus has destroyed data, the file cannot be fixed and the engine
must make the file safe so that it cannot be activated and infect other files.
Your GroupShield software provides a range of options that you can further
configure according to the demands of your system. These demands are
dependent upon when and how the component parts of your system operate, and
how they interact with each other and with the outside world, particularly through
e-mail and Internet access.
Types of scanning
The different types of scanning fall into two main groups, on-access scanning and
on-demand scanning. They detect the same viruses, but can scan at different entry
points on your server, can scan at different times, and can scan at different stages
in the handling of objects.
On-access scanning
On-access scanning (also known as real-time scanning) examines objects as they
are accessed by the user or the system. It may scan files when the user opens them
or when the user writes to them.
When you first install GroupShield software, on-access scanning defaults are set
but you can configure these to suit your system. You can set global options that
determine how scanning is carried out, including the way the scanner deals with
different types of object, specifying what is to be done with infected items, and
how quarantine and notification is handled.
Within Microsoft® Exchange 2000, GroupShield 6.0 provides two methods of
on-access scanning:
VSAPI scanning
The Microsoft Virus-Scanning Application Programming Interface (VSAPI) enables GroupShield 6.0 to access the component parts that make up e-mail messages directly from Microsoft® Exchange. GroupShield 6.0 can then scan each of these parts for viruses and banned content, and check the file type information. Once GroupShield 6.0 has scanned all the parts of the message, and carried out the relevant actions, the parts are returned to Microsoft® Exchange, again using VSAPI.
Using VSAPI also allows GroupShield 6.0 to use related scanning techniques, such as Background scanning and Proactive scanning. See Background scanning on page 38 and Proactive scanning on page 39 to learn more about these.
Transport scanning
The Scan email using option enables you to select either VSAPI or Transport Scanning as your on-access scanning method.
Transport scanning is best used when you have configured your Microsoft® Exchange 2000 server as a gateway server, because it allows scanning of routed mail (mail that is not destined for the local Microsoft® Exchange server). Transport scanning also allows you to stop the delivery of unwanted messages.
Transport scanning is useful when you are receiving messages in MIME format. Messages are likely to be in this format when:
• They are sent from a non-MAPI client from a mailbox on the local server (not from Microsoft Outlook or Microsoft Outlook Web Access).
• The messages are arriving from outside of your organization.
On-demand scanning
GroupShield enables you to create scheduled on-demand scans. You can create
multiple schedules, each running automatically at predetermined intervals or
times.
A scan can be defined to run at a predetermined time and date, or can be set to run
immediately, once it has been created.
You may want to perform an on-demand scan for a number of reasons, for
example:
• To check a specific file or files that have been uploaded or published.
• To check that the messages within your Microsoft® Exchange server are virus-free, possibly following a DAT update, in case new viruses can now be detected.
• If you have detected and cleaned a virus and want to check that your computer is completely clean.
Background scanning
Background scanning is a type of on-access scanning that is made possible within Microsoft® Exchange by using the Microsoft virus-scanning API (VSAPI). Performing scans in this way means that not all files need to be scanned when accessed, reducing the workload of the scanner when it is busy.
Background scanning scans the contents of all folders within your Exchange server, then sets a flag at folder level indicating that the scan has been completed. Once this is done, that folder is not checked again until the next background scan, which then only needs to scan new or unscanned folder content.
For further details of how to enable background scanning, see On-Access settings on page 167.
NOTES: Background scanning is configured to use the On-Access Scanner policy. See Managing items within a policy on page 117 for more information. Any configuration options that you specify for on-access scanning also apply to background scanning. Background scanning is off by default.
Proactive scanning
Proactive scanning is a type of on-access scanning that is made possible by
Microsoft VSAPI.
Items passing in and out of the store receive a priority rating and are placed in a scanning queue. The scanning queue allows prioritization and reprioritization of items in the queue; for example, if a user tries to open an item that has not been scanned, it is assigned a high priority, whereas items being saved or posted to public folders are assigned a low priority. This is known as priority-based queuing. When all the high-priority items have been scanned, scanning of lower-priority items begins. The latter are scanned on a first-in-first-out (FIFO) basis.
Any configuration options specified for on-access scanning also apply to proactive
scanning.
For further details of how to enable proactive scanning, see On-Access settings on
page 167.
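The priority-based queuing described above, modelled as an added example in Python (constructed for this guide, not GroupShield or Microsoft VSAPI code): items saved or posted to a public folder are queued at low priority, a user opening an unscanned item reprioritizes it to high, and items of equal priority are scanned first-in-first-out. The names ScanQueue, StoreItem and demo are assumptions made for the model.

```python
"""Constructed model of proactive scanning's priority-based queue.
This is illustrative code, not GroupShield or Microsoft VSAPI code; the
class and function names are assumptions made for the model."""
import heapq
import itertools
from dataclasses import dataclass

HIGH, LOW = 0, 1  # lower number is scanned sooner


@dataclass
class StoreItem:
    item_id: str
    folder: str
    scanned: bool = False


class ScanQueue:
    """Priority queue with FIFO ordering inside each priority level and
    support for reprioritizing an item that is already waiting."""

    def __init__(self):
        self._heap = []                  # entries: (priority, seq, item_id)
        self._seq = itertools.count()    # insertion counter breaks ties FIFO
        self._items = {}                 # item_id -> StoreItem
        self._waiting = {}               # item_id -> priority currently valid

    def submit(self, item, priority):
        """Queue an item; a more urgent request supersedes an earlier one.
        The older heap entry stays in place and is skipped as stale on pop."""
        self._items[item.item_id] = item
        current = self._waiting.get(item.item_id)
        if current is not None and current <= priority:
            return                       # already waiting at least this urgently
        self._waiting[item.item_id] = priority
        heapq.heappush(self._heap, (priority, next(self._seq), item.item_id))

    def item_saved_or_posted(self, item):
        """Items being saved or posted to public folders get low priority."""
        self.submit(item, LOW)

    def user_opens(self, item):
        """A user trying to open an unscanned item makes it high priority;
        an item that has already been scanned is not queued again."""
        if not item.scanned:
            self.submit(item, HIGH)

    def drain(self, scan):
        """Scan everything waiting, high priority first, FIFO within a level.
        Returns the item ids in the order they were actually scanned."""
        order = []
        while self._heap:
            priority, _, item_id = heapq.heappop(self._heap)
            if self._waiting.get(item_id) != priority:
                continue                 # stale entry superseded by a reprioritization
            del self._waiting[item_id]
            item = self._items[item_id]
            scan(item)
            item.scanned = True
            order.append(item_id)
        return order


def demo():
    """Three posts arrive in a public folder; a user then opens the third
    before the queue has been serviced. Returns the resulting scan order."""
    queue = ScanQueue()
    posts = [StoreItem(f"post-{n}", "Public Folders/Sales") for n in (1, 2, 3)]
    for post in posts:
        queue.item_saved_or_posted(post)
    queue.user_opens(posts[2])           # reprioritized from LOW to HIGH
    queue.user_opens(posts[2])           # repeated request is a no-op
    return queue.drain(lambda item: None)  # the scan engine itself is out of scope
```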
Due to the way that GroupShield 6.0 and Microsoft® Exchange interact, there are some occasions on which GroupShield 6.0 may behave slightly differently from what you expect. These interactions are described in the following section.
The concepts relating to content management are discussed and described in these topics:
• Introduction.
• Threats to your organization on page 42.
Introduction
In the electronic world of commerce, your organization is susceptible to many
threats that affect company image, employees, computers and networks:
• Various electronic distractions and unrestricted use of e-mail and Internet can affect employees’ productivity.
Damage to company image
    An unguarded or ill-informed remark by an employee might cause legal problems, unless it is covered by a disclaimer.
    See Adding disclaimers on page 63 (concept). See Adding disclaimers on page 146.
Spam (unsolicited e-mail)
    Unsolicited commercial e-mail messages are the electronic equivalent of junk mail. Often they contain advertising that was not expected by the recipients. Such mail is often sent out by the hundreds or thousands. Unless the recipient is already a customer, or has asked for the information, the e-mail message is usually unwelcome. Other types of unsolicited e-mail messages include political messages, virus hoaxes, poetry, jokes, and chain letters. Although it is more of a nuisance than a threat, spam can degrade the performance of your network.
    See Reducing unsolicited e-mail messages (spam) on page 158. See Scanning for spam on page 136.
Large e-mail messages
    E-mail messages with large or numerous attachments can slow the performance of mail servers. The overall message size, and the size and number of e-mail attachments that users can send and receive, need to be controlled.
    See Limiting the size of e-mail messages on page 144.
Mass-mailer viruses
    Although these can be cleaned like any other virus, their rapid spread can quickly degrade the performance of your network.
    See Blocking specific threats on page 52.
E-mail messages from undesired sources
    Disgruntled ex-employees and unscrupulous traders who know the e-mail addresses of your employees can cause distress and distraction.
    See Stopping nuisance e-mail messages on page 158.
Non-business use of e-mail
    If most employees are using e-mail only within the organization, any of their messages that leave the organization are likely to be for non-business use.
    See Considering legal implications on page 47.
Loss of company-confidential information
    This can happen if someone sends a message or document that contains details of unreleased products, a document that is marked as confidential, or a file such as a database of customer details.
    See Keeping information confidential on page 156.
Offensive language
    Offensive words and phrases can appear in e-mail messages sent, received, and in attachments. Besides causing offense, they can even provoke legal action.
    See Scanning for content on page 52. See Blocking offensive words on page 157.
Transfer of “entertainment” files
    File types such as video files like MPEG and audio files like MP3 are often intended for entertainment only, and not for business use. Their large sizes may also slow your network performance. Some executables (.EXE and .COM files) might be games or illegally copied software.
    See Blocking entertainment files (images, movies, audio) on page 152.
Inefficient file types
    Some types of file use large amounts of memory and can be slow to transfer, but alternatives are often available. For example, .GIF and JPEG files are much smaller than their equivalent .BMP files, and .PDF files are smaller than their equivalent PostScript files.
    See Filtering of files on page 62. See Reducing network load on page 157.
Transfer of large files
    The transfer of large files can slow the performance of your network. Such transfers ought to be limited to certain groups of people.
    See Filtering of files on page 62. See Reducing network load on page 157.
Denial-of-service attack
    A deliberate surge of large files could seriously affect the performance of your network, making it unusable to its legitimate users.
    See Blocking specific threats on page 52. See Reducing network load on page 157.
Pornographic text
    Numerous strange and offensive terms abound.
    See Blocking offensive words on page 157. See Scanning for spam on page 136.
Viruses and other potentially unwanted software
    Viruses and other potentially unwanted software can quickly make computers and data unusable.
    See Scanning for viruses on page 50 (concept). See Scanning for viruses on page 129.
Corrupt content
    This type of content cannot be scanned, so you need to decide how to handle it.
    See Handling corrupt content on page 150.
Encrypted content
    This type of content cannot be scanned, so you need to decide how to handle it.
    See Handling encrypted content on page 149.
Policies
GroupShield 6.0 helps you to control these electronic threats with special sets of
rules and settings — called policies — that you create to suit your organization. You
can apply a ready-made policy (known as a global policy) to your entire
organization, and you can also create other policies based on the global policy to
suit the specific needs of any part of your organization.
• Features on page 45.
Features
Much like an insurance policy, GroupShield protects you against a number of
threats.
When first installed, GroupShield 6.0 contains the following default policies:
• On-Access Scanner
• On-Demand (Default)
• On-Demand (Find Viruses)
• On-Demand (Remove Viruses)
• On-Demand (Find Banned Content)
• On-Demand (Remove Banned Content)
• On-Demand (Full Scan)
• Outbreak Manager
• Gateway
You can customize these policies to more precisely specify the threats to your
organization:
• Virus scanning — you specify how to handle various types of infected items. See Scanning for viruses on page 50.
• Content scanning — you specify words and phrases that must not appear in the subject line or body of e-mail messages. Each specification is known as a content rule. See Scanning for content on page 52.
• Scanning for spam — you specify how to handle various types of unwanted e-mail messages. See Scanning for spam on page 59.
• File filtering — you specify the names, types and sizes of files to block, using file-filtering rules. See Filtering of files on page 62.
• Disclaimers — you specify the wording and how to include them in e-mail messages. See Adding disclaimers on page 63.
• Encrypted content — you specify how to handle it. See Handling encrypted content on page 63.
• Limits to the size of e-mail messages — you specify the size and quantity of attachments that are allowed with each e-mail message, and any special handling for large messages. See Limiting the size and numbers of attachments on page 64.
• Corrupt content — you specify how to handle it. See Handling corrupt content on page 65.
• Signed e-mail messages — you specify how to handle digital signatures when infected files are cleaned. See Handling digital signatures on page 64.
Policy actions
A policy specifies how GroupShield must act when a threat becomes a reality.
Your policies prescribe the action that GroupShield must take against the many
threats described in Threats to your organization on page 42.
You prescribe the action that GroupShield must take when any part of the policy
is violated. For example, if a virus is detected, you can choose to clean, quarantine,
or delete the infected item. If GroupShield finds an undesirable phrase that you
specified in a content rule, you can choose to block the item or allow it through,
optionally inform other users, or record the event in a log. If a large file is detected,
you can choose to block it, or you can allow it through and issue an alert.
Quarantine
Whenever GroupShield detects an item that is infected with a virus or has some
undesirable content, GroupShield may quarantine the item, if you have configured
that action. GroupShield reserves a special area for quarantined items — the
Detected Items database — that you can inspect at a later date. All quarantined items
are tagged with a number for ease of reference.
Depending on how the configuration has been set up, GroupShield can alert the
sender, recipient and administrator.
Although the use of a quarantine area allows you to monitor the attacks on your
organization, consider carefully how much you will use it, especially if you
encounter a large number of viruses daily or you have many content rules. To
conserve your disk space, examine and empty the quarantine area regularly.
Alert messages
GroupShield integrates with McAfee Alert Manager 4.7 to provide you with a
seamless alerting system across the different McAfee anti-virus products used
within your network.
You can configure GroupShield to inform the sender, the recipient and an
administrator with an alert message whenever an event occurs — GroupShield
detects a virus, some undesirable content, or a file that is larger than allowed.
See Alert Messaging with Alert Manager 4.7 on page 219 to learn more about alert
messages.
Creating policies
GroupShield uses policies to enable you to define how it scans the messages within
your Microsoft® Exchange environment, and how it should react when it detects a
virus, banned content or other specified message.
You can create additional policies that are applied to specific policy groups. A policy
group might be a geographical area, a department, a domain, or some other
distinct part of the organization. For example, you can apply a policy to any group
of people. Within an organization, you might need to apply separate policies to
each department.
In the following example, the policy on the left is called the global policy. It is well
suited to most departments in the organization. However, it is not ideal for the
sales department because they often handle much larger files for customers.
Therefore the sales department needs a different policy. You can create their policy
by creating a new policy based on the global policy, then modifying some parts to
better suit that department.
Global policy:
  Apply medium-level scanning for viruses.
  Do not accept files that are larger than 10MB.
Sales department policy:
  Apply medium-level scanning for viruses.
  Do not accept files that are larger than 50MB.
The sales department has inherited one item from the global policy (for
medium-level scanning) and modified one item (for the size of files).
These global policies describe how items will be scanned for viruses, file-filtering
rules, and various other settings in different circumstances. These global policies
apply to the whole organization.
From these policies, you can create further policies as necessary to apply to groups
of users or domains.
As you create further policies, each one records whether any of its current settings
are inherited from the global policy. A change to the global policy — such as an
increased level of anti-virus protection or a new file-filtering rule — is propagated
instantly to the other policies. The global policy also indicates how many other
policies have inherited its settings.
• Action to take when a virus is found. See Setting the action against viruses on page 50.
• How to handle mass-mailer viruses. See Blocking specific threats on page 52.
• The level of anti-virus protection that you need. See Setting the level of scanning and type of protection on page 50 and Customizing anti-virus settings on page 51.
Be aware that a higher level of scanning provides good security but can affect
performance. In some cases, high levels of scanning are unnecessary if data is
being scanned for viruses elsewhere in your network.
In addition, you can customize the scanning by choosing exactly what to scan from
a range of options. See Customizing anti-virus settings on page 51.
Some operating systems such as Microsoft Windows use the extension name
of a file to identify its type. For example, files with the extension .EXE are
programs. However, if a virus-infected file is renamed with a harmless
extension such as .TXT, it can escape detection. The operating system cannot
run the file as a program, unless it is renamed later. This option ensures that
every file is scanned.
• Scan default file types.
Normally the scanner examines only the default file types — in other words, it concentrates its efforts on scanning those files that are susceptible to viruses. For example, many popular text and graphic formats are not affected by viruses. Currently the scanner examines over 100 types by default, which includes .EXE and .COM.
• Scan defined file types.
Some operating systems such as Microsoft Windows use file name extensions to identify the type of file. For example, files with the extension .EXE are programs, and files with the extension .TXT are simple text files. GroupShield allows you to specify the types of files you wish to scan according to their file name extension.
By default, the scanner scans inside file archives such as .ZIP or .LZH files.
• Find unknown file viruses and Find unknown macro viruses
Find unknown file viruses scans program files and identifies potential new file viruses.
Find unknown macro viruses scans for macros in attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses.
• Find all macros and treat as infected.
Macros inside documents are a popular target for virus writers. Therefore, for added security, you might consider scanning all attachments for macros.
• Remove all macros from documents.
You can choose to have all macros removed, regardless of whether they are infected or not.
These programs are not harmful. They play tricks on the user such as
displaying a hoax message.
• Find suspicious programs.
These programs might be dangerous but they are not viruses. They include programs such as remote-access utilities and password crackers.
You can have a large number of rules, and each rule can specify words in various
combinations. The rules can be simple such as detecting the use of a single word
or phrase. They can be more complex and include combinations of phrases that
appear closely together. A complex rule can allow the use of a word in one
situation, but prevent its use in others.
Typically, you will want a rule to scan for undesirable words in the content of each
message. However, you can also scan the following items:
• Content in attachments.
• Names of files attached to e-mail messages.
• Name of sender.
• Name of recipient.
• Name of domain.
3 Specifying the action to take when the rule is triggered on page 54.
4 Adding optional advanced features on page 56.
Remember that when the rule is violated, the name of the rule appears in the alert
message that users see. Therefore, if you are trying to prevent the use of an
insulting phrase, do not include that phrase in the name of the rule. Instead, name
your rule as something like “Ban Insult 23.”
Each rule can also have a description. You can provide more information here about
the purpose of the rule. The rule’s description does not appear in the alert message.
See also the anti-spam features, described in Scanning for spam on page 59.
• Allow the item through — The item is not changed, and is allowed through to the intended recipients.
• Log the item — Your primary action is carried out, but, in addition, GroupShield 6.0 logs the rule violation.
• Quarantine the item — GroupShield places the item in a quarantine area — the Detected Items Database — where you can examine the item and decide how to handle it.
• Notify Administrator — Your primary action is carried out, but, in addition, GroupShield 6.0 sends a notification message to the administrator.
• Notify Sender — Your primary action is carried out, but, in addition, GroupShield 6.0 sends a notification message to the sender.
You can match characters that appear only at the start of a word.
For example, “hat” matches hat, hate, hats, and hatter.
You can match characters that appear only at the end of a word.
For example, “hat” matches hat, that and what.
You can match characters at the start and at the end of a word.
For example, “hat” matches hat but does not match hate, that, or what.
Some types of file use special formatting characters to specify the layout of text.
For example, attachments can contain characters to denote word breaks, line
breaks, tabs, cells, end of lines, and other format information. See Table 5-2 on
page 57 for details.
For example, a rule is triggered when the name of a secret new product is used
in the same e-mail message as the date for the product’s launch.
• A rule may trigger if any of the additional words or phrases are present.
For example, a rule is triggered when any word appears that is on a list of offensive words, or a list of secret projects.
• A rule may trigger if none of the additional words or phrases are present.
For example, a rule is triggered when an offensive word, such as dog, is used except when it was used to specify a type of that animal, for example, a corgi or alsatian.
The latest version of the product looks ugly. We need to consider several problems
with here. I will discuss improvements with the manager of that department.
I attended the meeting about that new product today. The new manager is so ugly,
nobody will ever want to work with him.
This feature is useful in blocking some offensive phrases. They often contain
words that do not cause offence when used alone, but become offensive when
grouped together.
Note that nearness is best suited to plain text. It cannot accurately interpret
character counts in binary files or files that contain complex text formatting.
Definition of a word
A word is any number of characters bounded by a word delimiter, which is usually
some form of punctuation. GroupShield uses the word delimiters in the following
table, which are taken from the UNICODE character definitions in the
Punctuation, Separator, and Math Symbol sets.
To prevent the words “stupid” and “ugly” appearing together in a document, you
can create a rule with a complex phrase — the rule triggers when these words appear
together.
The same rule will work on the following simple e-mail message:
To: user1@example.com
From: user2@example.com
The complex rule you have already created will not trigger in this case. Most e-mail
messages are based on the MIME format, and they comprise several parts. You can
think of each part as a separate file — one for the “To” address, the “From”
address, the subject line, and the message body. In this example, no part contains
both words — “stupid” is in the subject line, while “ugly” is in the message body.
To trigger a content rule on the words “stupid” and “ugly” appearing together in
an e-mail message, you must create a rule that combines two simple conditions — the
rule triggers when the word “stupid” appears anywhere in an e-mail message and
when the word “ugly” appears anywhere in an e-mail message.
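The behaviour described above, as an added Python example that is not part of the product guide or of GroupShield itself: an e-mail is split into its MIME parts (address headers, subject, text body parts), a complex phrase rule requires all of its words inside one part, and two combined simple conditions match anywhere in the message; the same block implements the start-of-word, end-of-word and whole-word matching from the earlier "hat" examples. The sample message, the rule shapes and the delimiter set (Unicode Punctuation, Separator and Math Symbol categories plus whitespace controls) are my own constructions.

```python
"""Added example, not GroupShield code: content rules evaluated over the MIME
parts of an e-mail message, with the word-boundary matching modes the guide
describes. The sample message, the rule shapes and the delimiter set are my
own constructions chosen to illustrate the guide's text."""
import unicodedata
from email import message_from_string
from email.message import Message

# Constructed sample: "stupid" is in the subject line, "ugly" in the body.
SAMPLE_EMAIL = """\
To: user1@example.com
From: user2@example.com
Subject: The latest version of the product looks stupid
Content-Type: text/plain

The new manager is so ugly, nobody will ever want to work with him.
"""


def is_delimiter(ch: str) -> bool:
    """Word delimiter: Unicode Punctuation (P*), Separator (Z*) or Math Symbol
    (Sm) category, plus the ASCII whitespace controls tab, CR and LF."""
    cat = unicodedata.category(ch)
    return cat[0] in "PZ" or cat == "Sm" or ch in "\t\r\n"


def words(text: str) -> list[str]:
    """Split text into words bounded by delimiters; empty words are dropped."""
    out, cur = [], []
    for ch in text:
        if is_delimiter(ch):
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def word_matches(pattern: str, word: str, mode: str) -> bool:
    """mode 'start': pattern at the start of the word ("hat" matches hatter)
    mode 'end':   pattern at the end of the word   ("hat" matches what)
    mode 'whole': pattern bounded at both ends    ("hat" matches only hat)"""
    p, w = pattern.casefold(), word.casefold()
    if mode == "start":
        return w.startswith(p)
    if mode == "end":
        return w.endswith(p)
    return w == p


def part_contains(text: str, pattern: str, mode: str = "whole") -> bool:
    return any(word_matches(pattern, w, mode) for w in words(text))


def mime_parts(raw: str) -> dict[str, str]:
    """Treat each MIME part as a separate file, as the guide describes: one
    for each address header, one for the subject, one per text body part."""
    msg: Message = message_from_string(raw)
    parts = {h: msg[h] for h in ("To", "From", "Subject") if msg[h]}
    for i, p in enumerate(msg.walk()):
        if p.get_content_maintype() == "text":
            payload = p.get_payload(decode=True) or b""
            charset = p.get_content_charset() or "utf-8"
            parts[f"body{i}"] = payload.decode(charset, "replace")
    return parts


def complex_phrase_rule(parts: dict[str, str], terms: list[str],
                        mode: str = "whole") -> bool:
    """Complex phrase: every term must occur inside the SAME part."""
    return any(all(part_contains(text, t, mode) for t in terms)
               for text in parts.values())


def combined_simple_rule(parts: dict[str, str], terms: list[str],
                         mode: str = "whole") -> bool:
    """Two simple conditions ANDed: each term occurs somewhere in the message."""
    return all(any(part_contains(text, t, mode) for text in parts.values())
               for t in terms)


if __name__ == "__main__":
    parts = mime_parts(SAMPLE_EMAIL)
    print("complex phrase rule :", complex_phrase_rule(parts, ["stupid", "ugly"]))   # False
    print("combined simple rule:", combined_simple_rule(parts, ["stupid", "ugly"]))  # True
```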
For example, you may have a rule that triggers on finding the word “ugly” in
databases and in spreadsheets. When GroupShield encounters any database, it
searches for the word “ugly”. Similarly, when GroupShield encounters any
spreadsheet, it searches for the word.
You can make such a rule more complex. For example, you may make the rule
search for both “ugly” and “stupid” in databases and in spreadsheets. When
GroupShield encounters any database, it searches for the word “ugly” and the
word “stupid”. If both words are present, the rule triggers your defined action.
When GroupShield encounters any spreadsheet, the rule is also triggered.
It is possible to create combinations of rules that will not work. For example, you
can create a rule which detects “ugly” in databases, and “stupid” in spreadsheets.
If used separately, those rules will work. However a compressed file (such as a
WinZip file) could contain a database with “ugly” and a spreadsheet with
“stupid”. This combination of files will not be detected.
(The values shown here are for example only. The actual values might be different in the product. This example is deliberately simple, and does not attempt to demonstrate any complex matching.)
Consider the following two messages; the score that each one accumulates from the phrases that trigger rules is shown beneath it.
Dear John,
Our computer suppliers have some amazing offers on PCs this year. I’ll send you their catalogue and discuss my requirements with you on Tuesday. Looking forward to our best ever year on this project!
Regards, Peter
Score: 1.0 + 0.8 = 1.8
Dear Friend,
See our web site for amazing offers on PCs. You won’t believe your eyes! These incredibly low prices are our best ever!
Score: 1.5 + 1.0 + 1.2 + 0.8 + 0.8 = 5.3
The second message has a higher score, which indicates that it is possibly spam. It
is possible for a legitimate message to attain a high score. Therefore, the detection
of spam cannot be precise. You can determine how GroupShield will respond to
messages based on their spam scores:
• You can specify a level at which you regard a message as spam. Typically, a score of 5 indicates that a message is spam. You can inform the recipients that a message is likely to be spam by adding some text, such as ** SPAM **, to the subject line of the message. Recipients can then easily identify a spam e-mail message, and decide how to handle the message. For example, some e-mail products such as Microsoft Outlook and Lotus Notes can redirect mail to specific folders based on rules or filters.
• You can specify a level at which GroupShield will handle spam messages automatically. For example, GroupShield can automatically block or quarantine messages that have high spam scores. In addition, you can inform an administrator or log the event.
• You can specify that GroupShield adds a report to a message’s Internet headers that tells its recipients of any rules that triggered and the message’s spam score. You can choose whether to add the report, and whether such information is included in all messages or only those messages that GroupShield identifies as spam.
The report includes a spam score and optionally a spam score indicator. For example, a spam score of 5.6 can have an indicator of five asterisks, and a spam score of 6.2 can have an indicator of six asterisks. The indicator is rounded down to the integer and ignores any decimal fraction. The indicator provides a simple character string for filtering messages.
We recommend that you set this option for initial testing only, because it can impact your server’s performance. When you have the information that you need, turn the option off.
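The scoring scheme above, as an added Python example that is not GroupShield code: phrase rules each carry a weight, the weights of the rules that fire are summed, the subject is tagged at the spam level, messages at or above a second level are handled automatically, and an optional header report carries the score with its rounded-down asterisk indicator. The phrase weights are my own guesses chosen only to reproduce the guide's totals of 1.8 and 5.3, the automatic-handling level of 8.0 is an assumption, and X-Spam-Report is a placeholder header name.

```python
"""Added example, not GroupShield code: phrase-weighted spam scoring of the
kind the guide illustrates, with the subject tag, the automatic-handling level
and the header report with its rounded-down asterisk indicator. The phrase
weights are constructed guesses chosen only to reproduce the guide's totals
(1.8 and 5.3); the header name X-Spam-Report is a placeholder."""
import math

# Constructed rules: (phrase, weight). A real engine uses far more signals.
RULES = [
    ("dear friend", 1.5),
    ("amazing offers", 1.0),
    ("believe your eyes", 1.2),
    ("incredibly low prices", 0.8),
    ("best ever", 0.8),
]

# Constructed copies of the guide's two sample messages.
MSG_JOHN = ("Dear John,\nOur computer suppliers have some amazing offers on PCs "
            "this year. I'll send you their catalogue and discuss my requirements "
            "with you on Tuesday. Looking forward to our best ever year on this "
            "project!\nRegards, Peter")
MSG_FRIEND = ("Dear Friend,\nSee our web site for amazing offers on PCs. You won't "
              "believe your eyes! These incredibly low prices are our best ever!")


def score_message(body: str, rules=RULES) -> tuple[float, list[str]]:
    """Sum the weights of every rule whose phrase occurs (case-insensitively).
    Line breaks and runs of spaces are collapsed so phrases match across them."""
    text = " ".join(body.casefold().split())
    hits = [phrase for phrase, _ in rules if phrase in text]
    total = sum(weight for phrase, weight in rules if phrase in text)
    return round(total, 2), hits


def indicator(score: float) -> str:
    """Asterisk indicator: one '*' per whole point, the fraction is ignored,
    so 5.6 -> '*****' and 6.2 -> '******'. Negative scores (whitelist scoring)
    produce no asterisks."""
    return "*" * max(0, math.floor(score))


def handle(subject: str, body: str, spam_level: float = 5.0,
           auto_level: float = 8.0, report: bool = True) -> dict:
    """Apply the three policy choices the guide lists: tag the subject at or
    above spam_level, quarantine at or above auto_level (assumed value), and
    optionally add a header report. Returns the decision and resulting headers."""
    score, hits = score_message(body)
    headers = {"Subject": subject}
    if score >= spam_level:
        headers["Subject"] = "** SPAM ** " + subject
    if report:
        headers["X-Spam-Report"] = (  # placeholder header name
            f"score={score:.1f} indicator={indicator(score)} rules={','.join(hits)}")
    if score >= auto_level:
        action = "quarantine"
    elif score >= spam_level:
        action = "deliver-tagged"
    else:
        action = "deliver"
    return {"score": score, "action": action, "headers": headers}


if __name__ == "__main__":
    for name, body in (("John", MSG_JOHN), ("Friend", MSG_FRIEND)):
        result = handle("Amazing offers", body)
        print(name, result["score"], result["action"], result["headers"])
```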
• Don't post e-mail addresses online. Know whether your e-mail address will be displayed or used before posting an e-mail address online. Read the privacy policy on the web site before posting your address and opt out, if possible.
• Beware of purchasing products that are advertised by spam. When you respond to this type of e-mail message, you often make more personal information such as your name, address, telephone number or credit-card numbers available to spammers, which can lead to increased spam. Furthermore, in order to provide themselves with an income, spammers must issue large numbers of e-mail messages in order to get enough responses. By not responding at all, you can discourage this advertising technique by making it unprofitable.
Filtering of files
Any network contains many types and sizes of files, though not all are useful or
desirable to your organization:
• Some graphic file formats such as bitmap (suffixed “.BMP”) use large amounts of computer memory and can affect network speed when transferred. You might prefer that users work with other more compact formats such as GIF or JPEG.
For example, if your organization produces computer software, you might see
executable files (suffixed with the file name extension “.EXE”) moving around
the network. Within any other organization, those files might be games or
illegal copies of software. Similarly with movie files (suffixed “.MPEG”),
unless your organization handles files of this type, they are probably for
entertainment only.
The file-filtering rules provided by GroupShield enable you to examine any file in
several ways:
When you create settings to control the use of any file, remember that some
departments within your organization might need fewer constraints. For example,
a marketing department might use large high-quality graphic files for advertising
purposes.
• Blacklist — Allow through all files except those specifically forbidden within rules. In this case, you set file-filtering rules to block or quarantine. If no file-filtering rules apply to the scanned file, you allow it to pass.
• Whitelist — Block all files except those specifically allowed within rules. In this case, you set file-filtering rules to allow files to pass. If no file-filtering rules apply to the scanned file, you block the file.
NOTE
If a file has passed through as the result of a rule, you can
configure GroupShield to log and notify this event. After any
file has passed through the file-filtering rules, it is always
scanned for viruses and content, as determined by policy.
Adding disclaimers
A disclaimer is some text — an explanation, information, a legal statement, or
warning — that GroupShield can append to an e-mail message as it passes through
the mail server.
By adding a disclaimer to outbound messages, you can limit the liability posed by
statements that might be legally damaging, for example, those containing
offensive remarks. Disclaimers are also useful for renouncing the contents of a
message as the view of the author, not of the organization, to avoid any damaging
publicity. For example:
The information contained in this message is confidential and may be
legally privileged. Views or opinions expressed in this e-mail
message are those of the author only.
You must choose how to handle such content at this stage — this might mean that
you delete, quarantine, or allow it to pass. If you rarely receive such content, or you
cannot guarantee that such content will be scanned in its decrypted form at a later
stage within your network, we recommend that you delete and quarantine it.
For example, computer games are sometimes attached to e-mail messages. Each
game typically consumes a few megabytes. Large audio or graphics files —
whether for entertainment or business purposes — approach similar sizes. Popular
items, when copied and forwarded many times over, can add a heavy load to your
mail server. All users will suffer from the slower performance.
• Replace the item with an alert message — You can replace signed messages with an alert message. This choice is unsuitable if most of the messages are signed.
• Delete — You can avoid any risks with signed messages by deleting them. This choice is unsuitable if most of the messages are signed.
• Allow modifications to break the signature — Most e-mail software informs the recipient that the digital signature is broken, but still allows the recipient to read the remainder of the message. In this case, you can allow GroupShield to modify the content of the message.
• Allow the item through — Some e-mail software might not accept any changes to the signed message, and therefore you cannot allow GroupShield to alter the content. The danger here is that if you choose to allow all signed messages through, an undesirable item can escape detection if it is inside a signed message. If you allow all signed messages through, you need to be sure that the messages come from a trusted source, or that they will be scanned at a later stage.
In all cases, you can select one or more of the following secondary actions:
• Log the item — Your primary action is carried out, but, in addition, GroupShield 6.0 logs the rule violation.
• Quarantine the item — GroupShield places the item in a quarantine area, where you can examine the item and decide how to handle it.
You must choose how to handle such content at this stage — typically delete,
quarantine or allow through. If you rarely receive such content, we recommend
that you delete and quarantine it.
• A depth of 1 scans only the non-compressed files inside a compressed file (as shaded). The contents of any compressed files it contains are not scanned.
• A depth of 2 scans the non-compressed files inside a compressed file, plus only the non-compressed files inside any compressed file that it contains (as shaded).
If you intend to scan HTML files, you should scan to a depth of 2 at least.
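The depth rule above, together with the blacklist and whitelist file-filtering modes described under Filtering of files, as an added Python example that is not GroupShield code: a nested ZIP archive is walked to a configurable depth, the members the scan reaches are passed through glob-style filtering rules, and members left unopened by the depth limit are reported rather than silently ignored. The archive layout and the rules are constructed for illustration; only ZIP is handled here, unlike the product, which also covers formats such as .LZH.

```python
"""Added example, not GroupShield code: scanning nested archives to a maximum
depth, and applying file-filtering rules in blacklist or whitelist mode to the
files that the scan reaches. The archive layout and glob rules are constructed
for illustration; only ZIP archives are handled."""
import io
import zipfile
from fnmatch import fnmatch


def _make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_nested_zip() -> bytes:
    """Constructed sample:
    outer      -> notes.txt, tool.exe, inner.zip
    inner.zip  -> data.mdb, deeper.zip
    deeper.zip -> sheet.xls"""
    deeper = _make_zip({"sheet.xls": b"stupid"})
    inner = _make_zip({"data.mdb": b"ugly", "deeper.zip": deeper})
    return _make_zip({"notes.txt": b"hello", "tool.exe": b"MZ", "inner.zip": inner})


def scan_archive(data: bytes, max_depth: int, depth: int = 1,
                 prefix: str = "") -> tuple[list[str], list[str]]:
    """Return (scanned, unscanned) member paths.
    depth 1: only the non-compressed files directly inside the archive are
             scanned; nested archives are left unopened.
    depth 2: also the non-compressed files inside archives one level down,
             and so on for larger depths."""
    scanned, unscanned = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            path = prefix + info.filename
            content = z.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                if depth < max_depth:
                    s, u = scan_archive(content, max_depth, depth + 1, path + "/")
                    scanned += s
                    unscanned += u
                else:
                    unscanned.append(path)  # beyond the configured depth
            else:
                scanned.append(path)
    return scanned, unscanned


def file_filter(path: str, rules: list[str], mode: str) -> str:
    """Blacklist: allow everything except files matching a rule.
    Whitelist: block everything except files matching a rule."""
    name = path.rsplit("/", 1)[-1].casefold()
    matched = any(fnmatch(name, pattern) for pattern in rules)
    if mode == "blacklist":
        return "block" if matched else "allow"
    if mode == "whitelist":
        return "allow" if matched else "block"
    raise ValueError(f"unknown mode {mode!r}")


def filter_archive(data: bytes, max_depth: int, rules: list[str],
                   mode: str) -> dict[str, str]:
    """Decision per member the scan reaches; members left unopened by the depth
    limit are reported as 'unscanned' so the coverage gap stays visible."""
    scanned, unscanned = scan_archive(data, max_depth)
    decisions = {p: file_filter(p, rules, mode) for p in scanned}
    decisions.update({p: "unscanned" for p in unscanned})
    return decisions


if __name__ == "__main__":
    sample = build_nested_zip()
    for depth in (1, 2, 3):
        print(depth, filter_archive(sample, depth, ["*.exe"], "blacklist"))
```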
GroupShield will replace the offending message or attachment with text that you
prepare. Any users who later read the message will see the replacement text
instead. You can also request GroupShield to send a message to an administrator,
and record the event in a log.
Using GroupShield
GroupShield Interface
Options for Viewing
Options for Scheduling
Configuring Anti-Virus and Content
Configuring GroupShield
6 GroupShield Interface
Once McAfee GroupShield 6.0 for Microsoft® Exchange has been correctly
installed and configured on your computer, it protects your Microsoft® Exchange
stores by running a Windows service named McAfeeGroupShield.
Product Guide 71
GroupShield Interface
If you installed using the Typical settings, only the Administrative Client Interface
is installed on your Microsoft® Exchange server. Selecting Complete installs both
the Administrative Client Interface and the Administrative Web Interface.
http://localhost/groupshield/splash.htm
When using the Administrative Web Interface, you can use the IIS administration
tools to customize the way that GroupShield 6.0 is hosted by IIS. For example, you
can configure IIS to serve the GroupShield 6.0 interface over HTTPS. To do this,
you will have to create and install an SSL certificate.
• Console on page 77
Navigation pane
The navigation pane is located on the left side of the GroupShield interface. This
provides links to each page, with similar links grouped together.
• View
The View area provides a convenient location from which to view information about your GroupShield software installation. The available options are:
  – Detected Items on page 83
  – Scheduled tasks on page 91
  – Product Log on page 93
• Schedule
Options that enable you to set up schedules for running on-demand scans and for updating the virus definition (DAT) files used by GroupShield include:
  – Product update on page 100
  – On-demand scan on page 102
  – Status Report on page 104
• Configure
• Home
The GroupShield interface includes the Quick Help pane, which is usually
displayed to the right of the GroupShield interface.
Console
The central area, or console, of the GroupShield interface displays each selected
page.
You can show or hide Quick Help, using the Show Quick Help or Hide Quick Help
menu options from the navigation pane.
Links bar
The links bar is displayed at the top of the GroupShield interface. This contains
links to useful resources, such as the AVERT Virus Information Library and to the
GroupShield software Help Topics.
By default, the Home page is automatically refreshed, using the refresh time
specified in the Home area of Configure Personal Preferences, see Personal
Preferences on page 179.
To manually refresh the Home page at any time, click Refresh.
• Potential Spam — the number of items that have been detected as “spam” messages.
Product versions
The Product versions area of the Home page provides a convenient location to
check information about your GroupShield product versions.
• Anti-Spam add-on — License status for the anti-spam add-on package for GroupShield 6.0.
The following information is provided on each of the items in the Recently Scanned
Items list:
• Date/time — GroupShield notes the date and time that the message was scanned.
• Sender — The information contained within the e-mail message about the originator of the e-mail message.
• Result — If no virus or banned content is found in the file, the Result is listed as Clean. If a virus or banned content is discovered by GroupShield, this field reflects the action taken by GroupShield.
• Scanned by — GroupShield reports the name of the scanner or the scheduled task that scanned the item.
• Detected Items
• Scheduled tasks on page 91
Detected Items
The Detected Items page enables you to search the Detected Items, using a range of
search criteria.
You can check the information that has been logged against messages that have
viruses or banned content within them, and can also download the items that have
been added to the Detected Items database.
WARNING
Items held within the Detected Items database still contain
viruses or banned content. When downloading quarantined
files, make sure that you do not infect your computer or
network.
NOTES
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
uses these files to maintain information, such as the Detected
Items list. Removing these files will result in GroupShield
being unable to query the Detected Items.
Product Guide 83
Options for Viewing
• Search Results
NOTE
Only items that have been detected as containing a virus or
banned content are shown within the Detected Items.
You can query the Detected Items database by looking at entries made between,
before or after a specified date and time.
You can also query the Detected Items database by using logical filters. The query
option also allows you to use both the logical filters and the specified date and
time.
After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database since the specified date.
1 Select to.
2 Enter the date and time.
After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database before the specified date.
1 Select where.
After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database that match the selected search
criteria.
For information on the parameters and operators that you can use within your
searches, see Using the Filter on page 87.
Displayed information
The Results area of the Detected Items page consists of a number of columns, each
with a specific category of information about the detected item.
You can select the information that you want displayed for the items found as a
result of your query.
NOTE
The link Click here to change displayed columns, to the right of
the Results title bar takes you to the Personal Preferences
page, where you can select the information to be displayed
within the Results area. See Personal Preferences on page 179
for more information.
Clicking the Detected Item detail icon displays the Detected Item detail dialog box.
If the detected item is a known virus, this detailed information includes a link to additional information about the virus in the AVERT Virus Information Library.
Example
You might carry out a query on all items detected in the last 24 hours, using Stored
from and yesterday’s date and time attributes. This could produce a number of
items that have been detected within the specified time frame.
Upon further inspection, you notice that several of the detected items contain the
same virus. You want to refine the query so that you search just for this virus:
1 Deselect Stored from, to remove the date-sensitive element of the query.
2 Select where.
3 Move the cursor over the Virus found (vrs) column of the Results table.
The text Virus found is added to the where field, and text matching virus being
searched for, for example EICAR test file, is added to the is field.
Table 7-1. Searchable Filter properties for the Detected Items database
Property Identifier | Displayed Name | Description
qtn | Quarantined item | The quarantined item data. When rendered in the user interface this is a link to download the data.
act | Result | The result of the action taken on the item; one of: Clean (0), Cleaned (1), Replaced (2), Removed (3), Logged (4), Denied Access (5). This is the natural-language string representation; the numeric equivalent is available via (res) but is not supported.
rul | Rule | The content scanning rule that fired.
tn | Scanned by | The scan source that scanned the item.
sz | Size | The size of the item that was scanned.
tme | Date/time submitted | The date and time the item was submitted to the product for scanning.
fln | Filename | The file name of the item.
fdr | Folder | The name of the folder that contained the item, if applicable.
cc | CC | The list of carbon copy recipients of the e-mail.
tik | Ticket Number | A unique number generated by the product to identify the item.
efn | Detected File Name | The name(s) of the files that caused the detection(s) to occur. If there is more than one detection, the file names are ordered to match "Reason" above.
idy | Policy Group | The name of the policy group that was used to apply settings.
ssc | Spam Score | The spam score returned by the Anti-Spam engine, if installed; a positive or negative number (negative because of whitelist scoring).
srt | Spam Routing | The action taken as a result of spam scanning; one of: Allowed through, System junk folder, User junk folder, Rejected, Deleted.
Downloading the quarantined item enables you to save it to your local computer,
where you can check the content of the item.
WARNINGS
Please consider the legal implications of inspecting items from
e-mail messages sent to employees within your organization.
Before downloading and opening any item from within the
Detected Items database, ensure that any virus has been
cleaned or replaced.
When you are sure that items are not infected, you can forward them from the
Detected Items database to the intended recipients.
4 Choose Detected Items from the View area of the navigation pane.
5 In the new Quarantined item (qtn) column, there are two buttons: Download
and Forward.
- Choose Download to view a message and click OK to close the confirmation
dialog box that appears.
- Choose Forward to send the message to, for example, the intended
recipient.
To export the query results, first ensure that you run a query suitable for the
information that you require.
2 Click Save.
4 Click Save.
Scheduled tasks
McAfee GroupShield uses scheduled tasks to enable you to define either updates
to the GroupShield software or on-demand scans of your Exchange server. You
can choose for these tasks to run immediately, to run once at a future time or date,
or to run repeatedly, at a frequency specified by you.
Scheduled tasks, available from the View options, enables you to see all tasks that
are scheduled. In addition, you can see information about each scheduled task,
such as the Type of task, the Status of the scheduled task, when the task was Last
run, and when the task is due to be Next run.
Click Scheduled Tasks from the View area of the navigation pane.
From Scheduled Tasks, you can view the currently defined schedules.
2 Click Modify.
2 Click Delete.
A dialog box is displayed, requesting that you confirm that you want to
permanently delete the task.
3 Click OK.
If the progress pop-up is not displayed — perhaps because you had closed the
pop-up — when a scheduled task is being run, you can open the progress pop-up
by clicking Progress from the currently running task.
NOTE
When the scheduled task completes the scheduled action, the
Progress button is removed from the interface.
Product Log
GroupShield 6.0 includes the ability to write events to both the Application log
area within the Windows Event log and to the GroupShield 6.0 Product Log.
When checking the GroupShield 6.0 events within the Windows Event log, the
source is listed as McAfee GroupShield.
Refer to Error messages and event log entries on page 200 for information about the
events that may be logged.
1 Select to.
2 Enter the date and time.
After a short time, the Results area of the Product Log page is updated with all
items stored in the Product Log before the specified date.
After a short time, the Results area of the Product Log page is updated with all
items stored in the Product Log between the specified dates and times.
1 Select where.
For information on the parameters and operators that you can use within your
searches, see Using the Filter on page 87.
Displayed information
The Results area of the Product Log page consists of a number of columns, each
with a specific category of information about the detected item.
Clicking the Product Log detail icon displays the Product Log detail dialog box.
See Error messages and event log entries on page 200 for more information about the
Error Codes used within the Product Log.
Example
You might carry out a query on all items detected in the last 24 hours, using Logged
from and yesterday’s date and time attributes. This could produce a number of
items that have been detected within the specified time frame.
Upon further inspection, you notice that several of the Product Log entries contain
the same virus. You want to refine the query so that you search just for this virus:
2 Select where.
3 Move the cursor over the Level (lvl) column of the Results table.
The text Level is added to the where field, and text matching the error type
being searched for, for example Error, is added to the is field.
5 Click Find Records.
All records contained within the Product Log are searched, and all that match
the search criteria are displayed.
2 Click Save.
The Save As dialog is displayed.
3 Select the location and file name for the saved file.
4 Click Save.
You can also use the schedule options to create an immediate Product Update or
On-Demand Scan. These would be created in response to a suspected virus attack,
where you want to use the latest available DAT files to counter any new viruses.
Options for Scheduling
Product update
The GroupShield software depends on information in the virus definition (DAT)
files and the virus-scanning engine to identify viruses. Without regularly updated
information on the latest virus threats, anti-virus software cannot detect new virus
strains or respond to them effectively. Anti-virus software that is not using the
current DAT files and virus-scanning engine can compromise your virus-protection
program.
New viruses appear at the rate of more than 500 per month. To meet this challenge,
McAfee Security releases new DAT files every week, incorporating the results of its
ongoing research into the characteristics of new or mutated viruses. When
required, McAfee Security also releases emergency or extra DAT files to counter
specific virus threats. Also, periodically, the virus-scanning engine is upgraded, to
take advantage of new technology or to counter specific new types of threat to your
network. The update task that is provided with the GroupShield software makes
it easy to take advantage of these services.
NOTE
To update GroupShield, your server needs to have at least one
of the following:
- Access to http://www.networkassociates.com/us/downloads/.
- McAfee AutoUpdate Architect installed on the same network.
- A method for downloading update files from
http://www.networkassociates.com/us/downloads/ and transferring them
to your GroupShield server.
GroupShield 6.0 also is compatible with McAfee AutoUpdate Architect, with the
ability for you to import McAfee AutoUpdate Architect Site Lists into GroupShield
6.0, enabling GroupShield 6.0 to obtain updates from the McAfee AutoUpdate
Architect repositories within your network.
See Importing and exporting configurations on page 188 for more information about
importing sites lists into GroupShield 6.0.
b If you select any option other than Immediately, enter further details for the
date, day, month and time (as appropriate) for the update to run.
c Click Next.
This enables you to easily locate it at a later date from Scheduled Tasks,
within the View options.
b Click Finish.
GroupShield displays the Scheduled Tasks (see Scheduled tasks on page 91 for
further information) and the update runs at the times defined in the schedule.
On-demand scan
GroupShield scans all messages as they are written to or read from the store.
During these scans, GroupShield uses the installed virus definition (DAT) files to
check for viruses or potentially harmful content within the messages.
On-demand scanning provides a method for scanning all parts of your computer
for viruses, at convenient times or at regular intervals. Use it to supplement the
continuous protection that the on-access scanner offers, or to schedule regular scan
operations when they will not interfere with your work.
You can perform a one-time on-demand scan when you want to scan a file or
location that you believe is vulnerable or suspect of containing a virus infection, or
you can perform scheduled scanning activities at convenient times or at regular
intervals.
b If you select any option other than Immediately, enter further details for the
date, day, month and time (as appropriate) for the scan to run.
c Click Next.
2 Choose what to scan.
a Select either Scan all folders, Scan selected folders or Scan all except
selected folders.
b If you select Scan selected folders, select the folders to include in the scan.
Click >> to include just the selected folder, or click >>> to include the
selected folder and all its subfolders.
c If you select Scan all except selected folders, select the folders to exclude
from the scan. Click >> to exclude just the selected folder, or click >>> to
exclude the selected folder and all its subfolders.
d Click Next.
3 Resumable scanning.
b Click Finish.
NOTE
Once you have scheduled an on-demand scan, you need to
ensure that the On-Demand Scanner Policy is correctly set up.
See Managing items within a policy on page 117.
GroupShield displays the Scheduled Tasks (see Scheduled tasks on page 91 for
further information) and the on-demand scan runs at the times defined in the
schedule.
When a scheduled task is being run, a Progress button is displayed on the running
task. See Viewing the progress of a scheduled task on page 92.
Status Report
GroupShield 6.0 enables you to schedule status reports, and to e-mail those reports
to named people or distribution groups within your organization.
b If you select any option other than Immediately, enter further details for the
date, day, month and time (as appropriate) for the scan to run.
c Click Next.
c Click Next.
b Click Finish.
GroupShield displays the Scheduled Tasks (see Scheduled tasks on page 91 for
further information) and the status report is run at the times defined in the
schedule.
The interface
Tree pane
This pane shows icons that represent the policies and rule groups that you can
manage. For example:
Policy
Policy Groups
The icons are organized in a “tree” structure. You can click the “+” symbols to
expand each node and see all parts of the tree. Here you can manage the items —
create, modify, and delete them — by using the buttons in the toolbar above the
tree and details pane, or the menus that appear when you right-click any item in
this pane.
For more information, see Right-click menus in the tree pane and Toolbars and buttons
on page 113.
You can also run many of these same functions using the toolbar icons (described
under Combined icons on page 114) or from the navigation pane.
The following right-click menus are available:
Policies
Table 9-1. Right-click menu for policies
Create Policy Create a new policy. See Creating a policy on page 115.
Delete Policy Delete the selected policy. See Deleting policies on page 116.
(This option is not permitted at the global policy.)
Add Settings Add extra items, such as content rules to your policy. See
Adding rules to the policy on page 117.
Paste Paste rules that have been cut or copied from other policies.
Rule groups
Table 9-2. Right-click menu for rule groups
Details pane
When you select an item such as a rule group in the tree pane, this pane (to the
right) displays the details. See the following table. You can access more
information by clicking this icon:
Rule Group Rules within the rule group. See Rules on page 111.
Policy
The following table shows part of a typical policy.
Item Inherited
Scanner Settings
Anti-virus Settings
Content Settings
Corrupt Content
Encrypted Content
- Item — The checkbox on the left of an item indicates whether the item is
available. If the checkbox is greyed, the item is inherited from the global policy,
and therefore you cannot alter it here.
If the checkbox is not greyed, you can disable the content scanning if, for
example, you do not want to use it.
If the checkbox is greyed and selected, you cannot disable the feature. For
example, encrypted content must be handled in some way.
- Inherited — You do not see this column if you are viewing the global policy.
This column uses the following icons to indicate whether an item in the policy
is inherited from the global policy. In other words, it indicates whether this
item is the same as the item in the global policy.
Inherited
Not Inherited
- Inherited by — You see this column only if you are viewing the global policy.
The column uses the following icons, and states how many items are inherited
from the global policy.
To see a brief description of any item in the policy, move your cursor over the text
and wait for a pop-up message to appear.
To manage the items within a policy, right-click a row to display a menu. The
menu options are briefly described in the following table.
Add Settings Add settings such as new content rules and anti-virus, and
specify their actions and any time restrictions. (You cannot
add extra anti-virus settings to the global policy.)
Paste Add rules (previously cut or copied) to the selected policy.
Delete Delete an item. See Deleting items in the policy on page 119.
Edit Settings Change the details of settings.
For some items such as anti-virus settings, you can change
the action and time restrictions. (You cannot change the time
value for anti-virus settings in the global policy.)
Instead of using this menu option, you may double-click the
row.
Rules
When you select a rule group in the tree pane, the details pane displays a summary
of its rules. The summary shows each rule by name and description. It also
includes a checkbox so that you can disable any rule, if necessary. The following
table shows an example.
To manage the rules within a rule group, right-click a row to display a menu. The
menu options are briefly described in the following table:
Create Content Rule Create a new rule. See Creating a rule on page 123.
Edit Content Rule Modify the content rule. See Changing a rule on page 126.
Assign Rules Assign selected rules or an entire rule group to the policy
associated with a policy group. See Assigning rules to a
policy on page 126.
Cut, Copy, Paste These functions allow you to move rules to other rule groups.
Delete Delete a rule. See Deleting a rule on page 127.
Policy Groups
When you select a policy group in the tree pane, the details pane displays a list of
the policy groups.
To manage any policy group, right-click its row to display a menu. The menu
options are briefly described in the following table:
Create Policy Create a new policy. See Creating a policy on page 115.
Delete Policy Delete the selected policy. See Deleting policies on
page 116.
Add Settings Add settings to the policy group. See Adding rules to the
policy on page 117.
Icons
The tree pane includes numerous icons, as shown in the following table.
Icon Description
A policy group.
A rule group.
Some buttons in the toolbars have icons that are made from a combination of other
icons. They include a ‘verb’ to help to describe their function. The verbs are
described in the following table.
Add
Create
Rename
Edit
Reorder
Import
Export
Assign
Delete
(The label appears below the icon.)
Create a policy.
Managing policies
You can perform the following actions on policies:
Creating a policy
By default, GroupShield has nine global policies defined. These are:
If you require a policy that has different settings to the default policies listed
above, you can either modify one of the default policies, or you can create a new
policy based on one of the default policies.
NOTE
Before creating a new policy, ensure that you have already set
up the policy group to which you want the policy to apply.
2 Right-click the policy, and select Create Policy to open the Create Policy dialog
box.
3 Select the policy groups to which the new policy will apply. To select multiple
policy groups, hold down the <CTRL> key when selecting each policy.
4 Click OK to close the dialog box.
The new policy appears as an icon in the tree pane. Initially, the new policy is
identical to the policy from which it was created. To change any part of the new
policy, you modify the items in the policy. For information, see Setting up items in
the policy on page 128.
Deleting policies
Occasionally, you may want to delete a policy that you have previously created,
perhaps because you find you do not use it, or because the policy groups to which
it applies are no longer valid.
NOTE
You can only delete policies that you have created. You cannot
delete the default policies.
To delete a policy:
1 In the tree pane, select the policy to be deleted. The details pane displays the
information about the selected policy.
2 Right-click the icon to display the menu, and select Delete Policy.
NOTE
A deleted policy cannot be restored.
For more information, see Rules and settings within a policy on page 49.
See also Setting up items in the policy on page 128.
1 In the tree pane, select the policy to which you want to add rules. The details
pane displays the information about the selected policy.
2 In the tree pane, right-click the policy, and select Add Settings from the menu.
3 Make your changes in the dialog box. For information about using each dialog
box, refer to the item in the following table.
NOTE
Not all of these policy items appear in all policies. For
example, Anti-Spam Settings only appear in the Gateway
policy when the anti-spam add-on has been installed.
1 In the tree pane, select the policy icon. The details pane displays the
information about the selected policy.
2 In the policy, select the item to be removed. Right-click and select Delete from
the menu.
NOTE
If the Delete option is unavailable, the selected item is part of
the default configuration for the selected policy and cannot be
deleted.
1 In the tree pane, right-click the Rule Groups icon or any rule group, and select
Create Rule Group from the menu.
2 In the Create Rule Group dialog box, enter a suitable unique name.
The new rule group is added below the Rule Groups icon.
To create a rule group from a copy:
1 In the tree pane, right-click the original rule group, and select Copy from the
menu.
2 Right-click again, and select Paste. The copied rule group appears with a name
based on the original.
3 Right-click the new rule group and select Rename Rule Group from the menu.
4 Enter the new name in the dialog box, and click OK.
Note that your new rule group is not assigned to any policies, even if the original
rule group was assigned.
2 In the Select Items To Export dialog box, select the rule groups and rules.
4 Select the folder where you want to save the exported rule groups.
5 Enter a file name or select an existing file, then click OK to close the dialog box.
An XML file is created.
1 Right-click the Rules Groups icon, and select Import from the menu.
2 In the Choose Import File dialog box, select the XML file, and click Open.
3 If some rules in the XML file have similar names, choose which to accept in the
Replace Existing Rules dialog box.
The new rules are added below the Rules Groups icon.
2 Enter the new name in the dialog box, and click OK. The name must be unique.
The rule group is renamed. Any occurrences of the rule group within policies are
renamed automatically.
Creating a rule
Each rule must belong to a rule group. You can add your new rule to an existing
group, or you can create a new rule group for your new rule. See Creating a rule
group on page 121.
You can also create a new rule by copying an existing rule, then renaming it, and
changing its details.
To create a rule:
1 Under the Rule Groups icon, select the rule group. The details pane shows the
rules within the group.
2 In the details pane, right-click anywhere, and select Create Content Rule from
the menu to open the New Content Rule dialog box.
3 Enter the rule name and its description. For more information, see Giving a
name and description to the rule on page 54.
5 Enter the word or phrase, select the checkboxes as required, and click OK.
7 Choose an option under Select a condition .... See Words in context with other
words on page 56 for more information.
9 Enter an additional phrase, and click OK. The phrase is added below
Additionally look for ....
10 Use Add, Edit and Delete to build more complex rules. See Adding optional
advanced features on page 56 for more information.
If you set a value for Within a block of characters in some combinations of Starts
with and Ends with, GroupShield might prompt you to adjust the value.
11 Click OK. The File Formats dialog box opens, allowing you to decide where the
rule applies.
12 Select the general group in the left list, then select or deselect individual
formats in the right list. You may use Select All and Clear to select and deselect
formats quickly. As you make your selections in the right list, icons in the left
list change accordingly:
13 Click OK to return to the New Content Rule dialog box. The rule is displayed in
the pane.
Changing a rule
To change a rule:
1 Select the rule group under the Rule Groups icon. The details pane displays the
names of the rules.
2 In the details pane, right-click the rule name in the Rule Name column, and
select Edit Content Rule to open a dialog box.
3 Make changes to the rule. The dialog box is similar to that described in Creating
a rule on page 123.
NOTE
When applying a rule group to a policy, the dialog box is
slightly different to the one shown above. The Assign selected
rules only and Assign entire rule group options are not
displayed.
3 Choose to assign the selected rules, or an entire rule group.
4 Under To the following policies, select the policies to which the rule or rule
group is to be assigned.
NOTE
Any policies that are disabled cannot have rules assigned to them.
5 Under When banned content is found, take the following action: select the
required action.
6 Click OK to close the dialog box.
Deleting a rule
To delete a rule:
1 Select the rule group under the Rule Groups icon. The details pane displays the
names of the rules.
2 In the details pane, right-click the name in the Rule Name column, and select
Delete.
1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Scanner Control to open a dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
- How to handle malicious mail. See Protecting against specific threats on page 132.
- How to ensure that the anti-virus protection is up to date. See Ensuring your
anti-virus protection is current on page 133.
- What level of anti-virus protection you need. See Setting the level of protection on
page 132.
- An alert message to announce that a virus was detected.
1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Anti-Virus to open a dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box, and return to the policy.
5 If you do not want anti-virus scanning in this policy, deselect Enable ..., then
click OK to close this dialog box and return to the policy.
6 To change the action, select the blue text next to Action and use the dialog box.
See Setting the actions on page 131.
7 To change the handling of malicious mailers, select the blue text beside
Malicious mail action. See Protecting against specific threats on page 132.
8 Set the level of protection. See Setting the level of protection on page 132.
9 To protect against denial-of-service attacks, enter a value in Maximum scan time
per item. The minimum value is one minute. We recommend 15 minutes when
in use on a server.
NOTE
An item can be a message or an attachment. A message that
contains several attachments, or an attachment such as a .ZIP
file, is regarded as several items, not one item.
10 Under Alert, enter the text that will appear in the infected document/message.
To view the text in its finished form, click Preview.
The dialog box closes, and GroupShield displays the updated policy.
1 To clean any virus, select Attempt to clean, and optionally specify any further
actions.
1 Click the blue text next to Custom malware actions to open a dialog box.
The dialog box closes, and GroupShield displays the updated policy.
- Custom — You choose what types of file to scan and a range of scanning
options. For details, see Customizing the settings on page 133.
For highest security, choose Scan all files, but be aware that this might affect
performance.
Default types are the most susceptible types. To see a list of default file types,
click View.
To create your own list of file types, select Scan defined file types, and click Edit
to open the File extensions dialog box.
In this dialog box, use Add, Edit and Delete to create your own list.
To create a defined list based on the default list, click Add defaults, then use the
other buttons to build the list.
The dialog box closes, and GroupShield displays the updated policy.
1 In the tree pane, select the policy icon. The details pane displays the policy.
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
5 If you do not want content scanning in this policy, deselect Enable ..., then click
OK to close this dialog box and return to the policy.
6 To scan for text strings within all attachments, select Extend text scanning to all
attachments.
7 Write the text to replace the banned content. Use either plain text or HTML
format. You may use tokens so that GroupShield can insert extra details:
The dialog box closes, and GroupShield displays the updated policy.
1 In the tree pane, select the policy icon. The details pane displays the policy.
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
5 If you do not want to scan for spam in this policy, deselect Enable ..., then click
OK to close this dialog box and return to the policy.
6 To take action against spam, click each of the three “score” lines under
Properties Summary to open the Action dialog box.
NOTE
If you use these dialog boxes, be aware that you can block
legitimate messages. We recommend that you experiment
first with the use of quarantine and a prefix to subject lines.
7 Select When the spam score is, and specify the spam score. You can select from
low, medium, or high values which are 5, 10 and 15 respectively. Alternatively,
you can enter a custom value.
For example, you can choose to quarantine messages that have a low spam
score, and block messages that have a high spam score.
8 To make any changes to the blacklist and whitelist, click Blacklist and whitelists
to open a dialog box.
9 In the Whitelists and Blacklists dialog box, use Add, Edit, and Remove to build
your lists. You can create lists for e-mail messages sent to or from specific e-mail
addresses. To import these lists to use on other computers, click Export.
Entries in the list can contain the asterisk character ‘*’ as a wildcard in order to
match portions of an address such as an entire domain. For example:
10 To disable any anti-spam rules, click Disabled Rules to open a dialog box.
11 In the Disabled Rules dialog box, use Add and Remove to modify the list.
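The scoring and routing decisions of Steps 6 to 11, worked through in a Python model. This is an added example, not GroupShield code or anything from this guide: the thresholds 5, 10 and 15 and the Spam Routing values come from the guide, while the entry syntax '*@partner.example', the size of the whitelist and blacklist adjustments, the rule names and which routing each score line applies are assumptions.

```python
"""GroupShield-style anti-spam scoring and routing, modelled in Python.

Added example, not GroupShield code. Each message gets a spam score; the
three "score" lines compare it with the low, medium and high values (5, 10
and 15) and each line carries its own action; whitelist matches drive the
score negative; list entries may use '*' as a wildcard (for example for an
entire domain); and rules listed under Disabled Rules contribute nothing.
The entry syntax, the list adjustment sizes, the rule names and the
threshold-to-routing mapping are assumptions.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 5, 10, 15  # the guide's low, medium and high scores

# Example configuration (not a product default): which routing each score
# line applies. Routing names are the 'Spam Routing (srt)' values listed in
# Table 7-1. The lowest line only tags the subject and files the message to
# the user's junk folder, following the guide's advice to start with
# quarantine and a subject prefix.
SCORE_LINES = (
    (HIGH, "Rejected", ""),
    (MEDIUM, "System junk folder", ""),
    (LOW, "User junk folder", "[SPAM?] "),
)

# Assumed adjustments for list matches. The guide only says that whitelist
# scoring is why a score can be negative; the magnitude is invented here.
WHITELIST_ADJUSTMENT = -100
BLACKLIST_ADJUSTMENT = 100


def address_listed(address: str, entries: list[str]) -> bool:
    """Case-insensitive match of an address against entries with '*' wildcards."""
    addr = address.lower()
    return any(fnmatch.fnmatchcase(addr, entry.lower()) for entry in entries)


@dataclass
class AntiSpamPolicy:
    whitelist: list[str] = field(default_factory=list)
    blacklist: list[str] = field(default_factory=list)
    disabled_rules: set[str] = field(default_factory=set)

    def score(self, sender: str, fired_rules: dict[str, int]) -> int:
        """Sum the anti-spam rules that fired (skipping disabled ones), then apply the lists."""
        total = sum(points for rule, points in fired_rules.items()
                    if rule not in self.disabled_rules)
        if address_listed(sender, self.whitelist):
            total += WHITELIST_ADJUSTMENT
        if address_listed(sender, self.blacklist):
            total += BLACKLIST_ADJUSTMENT
        return total

    def route(self, sender: str, subject: str,
              fired_rules: dict[str, int]) -> tuple[str, str, int]:
        """Return (routing, subject after any prefix, score) for one message."""
        total = self.score(sender, fired_rules)
        for threshold, routing, prefix in SCORE_LINES:  # highest threshold first
            if total >= threshold:
                return routing, prefix + subject, total
        return "Allowed through", subject, total


# Constructed sample policy: a trusted partner domain, one blacklisted sender,
# and one noisy engine rule switched off in the Disabled Rules dialog box.
POLICY = AntiSpamPolicy(
    whitelist=["*@partner.example"],
    blacklist=["spammer@bad.example"],
    disabled_rules={"HTML_IMAGE_ONLY"},
)

# Constructed messages: (sender, subject, rules the engine reported with scores).
SAMPLE_MESSAGES = [
    ("alice@partner.example", "Q3 invoice", {"SUSPICIOUS_URL": 8, "HTML_IMAGE_ONLY": 4}),
    ("unknown@elsewhere.example", "Hello", {"SUSPICIOUS_URL": 8, "HTML_IMAGE_ONLY": 4}),
    ("unknown@elsewhere.example", "Prize", {"SUSPICIOUS_URL": 8, "MONEY_WORDS": 4}),
    ("spammer@bad.example", "Buy now", {}),
]

if __name__ == "__main__":
    for sender, subject, rules in SAMPLE_MESSAGES:
        routing, new_subject, total = POLICY.route(sender, subject, rules)
        print(f"{sender:28} score={total:5} -> {routing}: {new_subject}")
```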
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
5 If you do not want file filtering in this policy, deselect Enable ..., then click OK
to close this dialog box and return to the policy.
8 Under Replace banned files ..., specify the text (in plain text or HTML format)
that will replace any banned item. To view the text in its finished form, click
Preview.
The dialog box closes, and GroupShield displays the updated policy.
2 At Rule name, enter an accurate description for your new rule. Remember that
over time, your list of rules might become large, so accurate naming is
important.
3 Under When the rule applies ..., select an action such as blocking.
4 To act on a particular file, enter its full name. Note that case is not important.
For example, you may enter GOODGAME.EXE or goodgame.exe.
For example:
*.EXE refers to all files that have the file name extension “.EXE”, such as
GOODGAME.EXE and AB.EXE.
6 To act on files with a particular format, select When the file format is. In the table
below the checkbox, select a format in the left list and then select individual
formats in the right list.
Icons in the left list change as you select or deselect items in the right list:
You can use Select all and Clear to select and deselect formats quickly.
7 To act on files of a certain size, select When the file size is and set other details.
NOTE
Note that the selections in Step 4 to Step 7 act in combination.
For example, to create a rule that acts on large program files,
detect “*.EXE” files that are greater than 10MB.
8 Click OK to return to the main dialog box (Step 6 on page 142). The rule is
enabled.
9 To disable the rule, deselect the checkbox next to the rule name.
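The combined conditions of Step 4 to Step 7, worked through in a Python model of a file filtering rule. This is an added example, not GroupShield code: the case-insensitive name match, the '*' wildcard, the format and size conditions and the rule that all selected conditions act in combination follow the guide, while the action labels, the format labels and first-match ordering between rules are assumptions.

```python
"""GroupShield-style file filtering rule, modelled in Python.

Added example, not GroupShield code. A rule may name a file (case is not
important, so GOODGAME.EXE and goodgame.exe are the same), use '*' as a
wildcard (for example '*.EXE'), restrict by file format and by file size,
and every selected condition must hold for the rule to act. Action labels,
format labels and first-match ordering between rules are assumptions.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from typing import Optional

MB = 1024 * 1024


@dataclass
class Attachment:
    """An attachment as presented to the filter (constructed sample data)."""
    name: str
    size_bytes: int
    file_format: str  # format label as identified by the scanner (assumed labels)


@dataclass
class FileFilterRule:
    name: str                              # an accurate description, as the guide advises
    action: str = "Block"                  # assumed action label
    name_patterns: list[str] = field(default_factory=list)  # Step 4/5: names, may use '*'
    formats: Optional[set[str]] = None     # Step 6: None = condition not selected
    larger_than: Optional[int] = None      # Step 7: bytes; None = condition not selected
    enabled: bool = True                   # Step 9: checkbox next to the rule name

    def matches(self, att: Attachment) -> bool:
        """True only when every selected condition holds (they act in combination)."""
        if not self.enabled:
            return False
        if self.name_patterns:
            lowered = att.name.lower()  # case is not important
            if not any(fnmatch.fnmatchcase(lowered, pat.lower())
                       for pat in self.name_patterns):
                return False
        if self.formats is not None and att.file_format not in self.formats:
            return False
        if self.larger_than is not None and att.size_bytes <= self.larger_than:
            return False
        return True


def apply_rules(rules: list[FileFilterRule],
                attachments: list[Attachment]) -> dict[str, str]:
    """Return {attachment name: action} for every attachment some rule acts on.

    Rules are tried in list order and the first match decides (an assumption;
    the guide does not state how overlapping rules are resolved).
    """
    decisions: dict[str, str] = {}
    for att in attachments:
        for rule in rules:
            if rule.matches(att):
                decisions[att.name] = rule.action
                break
    return decisions


# The guide's own example: program files greater than 10MB.
LARGE_PROGRAM_RULE = FileFilterRule(
    name="Large program files", action="Block",
    name_patterns=["*.EXE"], larger_than=10 * MB)
# A single named file, matched regardless of case.
BANNED_GAME_RULE = FileFilterRule(
    name="Banned game", action="Block", name_patterns=["GOODGAME.EXE"])
# A format-only rule that has been disabled with its checkbox.
ARCHIVE_RULE = FileFilterRule(
    name="Archives of any size", action="Quarantine",
    formats={"Archive"}, enabled=False)

RULES = [LARGE_PROGRAM_RULE, BANNED_GAME_RULE, ARCHIVE_RULE]

# Constructed attachments covering each condition.
SAMPLE_ATTACHMENTS = [
    Attachment("goodgame.exe", 2 * MB, "Executable"),   # named file, lower case
    Attachment("Setup.EXE", 12 * MB, "Executable"),     # *.EXE and > 10MB
    Attachment("ab.exe", 1 * MB, "Executable"),         # *.EXE but too small
    Attachment("report.exe.pdf", 12 * MB, "Document"),  # '*.EXE' does not match
    Attachment("backup.zip", 50 * MB, "Archive"),       # its rule is disabled
]

if __name__ == "__main__":
    for name, action in apply_rules(RULES, SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {action}")
```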
Button Action
1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Mail Size Filtering to open the dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
Specify a limit to the overall size of any e-mail message and the action to take
against it, such as blocking. Click OK to close the dialog box.
7 If you do not want to limit the number of attachments, select Allow all
attachments. Otherwise, select Remove attachments if, then select from the
checkboxes.
Adding disclaimers
A disclaimer can be added to all incoming and outgoing e-mail messages. For
examples of disclaimers, see Adding disclaimers on page 63.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
5 If you do not want to use disclaimers in this policy, deselect Enable ..., then
click OK.
6 Select the position for the disclaimer text.
The dialog box closes, and GroupShield displays the updated policy.
1 In the tree pane, select the policy. The details pane displays the policy.
2 In the policy, double-click Signed Messages to open the dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
5 Select the action that GroupShield must take when a signed message is
detected. These options are described in Handling digital signatures on page 64.
6 Select any other actions.
The dialog box closes, and GroupShield displays the updated policy.
1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Encrypted Content to open the dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
The dialog box closes and GroupShield displays the updated policy.
1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Corrupt Content to open the dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)
3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....
5 Select the action that GroupShield must take when it detects corrupt content,
such as blocking.
6 Select any other actions.
The dialog box closes and GroupShield displays the updated policy.
See also Examples of content rules for e-mail messages on page 154 and Testing a new
content rule on page 162.
For more information, see Creating content rules on page 54 and Managing content
rules on page 121.
2 In the dialog box under Level of Protection, select Custom and click Settings.
3 In the next dialog box, select Find joke programs. (Find malicious programs is
automatically selected.)
4 Click OK to close the dialog box, and return to the Anti-Virus dialog box.
5 Click OK to close the dialog box, and return to the policy.
6 In the next dialog box, add the banned file name extensions.
7 Click OK to close the dialog box.
For full details, see Filtering file types on page 141.
For example, your company plans to release a new product called SuperThing. To
prevent anyone outside the project team knowing about the product, you need to
detect the word inside any published document. Create a rule called “Confidential
project information,” and specify SuperThing as the word on which to trigger the
rule.
Before that date, less harmful messages will discuss the product’s details and
preparations for its launch. Other products will also be launched, but their dates
are less relevant. You do not want to block this information:
The agenda for tomorrow’s meeting:
1 Progress towards the launch of SuperThing
2 How to reduce our stationery costs
3 Launch of MegaBox in January
You can create a rule that triggers only when the two words — SuperThing and
January — are close to each other, perhaps within 30 characters.
Each example described here can block an e-mail message, either by destroying it or
by moving it to a quarantine area where it can be examined later. You need to
be aware of local legislation that affects how e-mail may be treated. See Considering
legal implications on page 47.
You use similar stages when creating these rules:
1 Specify the combination of words and phrases, as described in the example.
For details, see Creating a rule on page 123.
Next, you choose where the rule applies.
2 In the File Formats dialog box, choose Applies to all selected file formats.
3 Deselect all the formats except E-mail messages, then select the required part
— such as sender, recipient, or subject line.
4 Click OK to close the dialog box.
5 Assign the rule to a policy that applies to the group of users, and choose a
blocking or quarantine action. For details, see Adding rules to the policy on
page 117.
To do this, you create a rule that triggers on the name of the recipient when it has
the @ symbol but does not have your organization’s domain name (such as
example.com). This is described briefly here.
4 Click Add, and enter your organization’s mail domain, for example,
example.com.
5 Click OK to close the dialog box, and open the File Formats dialog box.
9 Assign the rule to a policy that applies to the group of users, and choose a
blocking action. For details, see Assigning rules to a policy on page 126.
Blocking hoaxes
A hoax often appears as an e-mail message that fools readers into thinking that
their computers have been infected by a virus, or that warns them of some
fictitious virus that might arrive soon. Such hoaxes often have a predictable subject
line, such as “Read this Virus Warning immediately,” which you can configure
GroupShield to detect.
To protect against hoaxes, create a content rule that detects phrases such as “virus
warning” in the subject line of the e-mail message.
For more information, see Creating content rules on page 54 and Managing content
rules on page 121.
You create a rule called “Confidential product information” and apply this rule to
a plain-text attachment, the body of the message, and the subject line of the message.
You specify SuperThing as the word on which to trigger the rule.
Before that date, less harmful e-mail messages will discuss the product’s details
and preparations for its launch. Other products will also be launched, but their
dates are less relevant. You do not want to block this message:
The agenda for tomorrow’s meeting:
1 Progress towards the launch of SuperThing
2 How to reduce our stationery costs
3 Launch of MegaBox in January
You can create a rule which triggers only when the two words — SuperThing and
January — are close to each other, perhaps within 30 characters.
It is important to control the movement of these files. However, any file can
masquerade as another. For example, anyone with malicious intent can rename a
database file called CUSTOMERS.MDB to NOTES.TXT, then attempt to transfer that file,
believing that it cannot be detected.
You can use a combination of measures to control the flow of valuable information:
n Mail-size filtering to block the sending of large attachments. See Limiting the
size of e-mail messages on page 144.
n Content rules to detect the use of phrases. See Scanning for content on page 135
and Managing content rules on page 121.
n File filtering to detect files by name, file name extension, and file format. See
Filtering file types on page 141.
You can also block the sending of large e-mail messages. See Limiting the size of
e-mail messages on page 144.
For example, John Smith has been annoying employees by sending unwanted
e-mail messages. The content of his messages varies, but he always uses one of two
e-mail addresses. You create a rule called Annoying Person. As the trigger phrase,
enter John Smith’s two e-mail addresses, and apply the rule to the sender of the
e-mail message only.
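The rule patterns described in this section (a trigger word applied to the subject, body and plain-text attachments; two words within 30 characters of each other; a recipient outside the organization's domain; a rule on the sender address) can be checked with a few lines of code. The following is an added example, not code from the manual or from GroupShield; the rule names, the sample messages and the example.com domain are assumptions made for the illustration, and it uses Python's standard email parser rather than the product's scanner.

```python
"""Content-rule checks of the kind described above (constructed example; not
GroupShield's own code). The rule names, the sample messages and the
example.com domain are assumptions made for the illustration."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ORG_DOMAIN = "example.com"  # assumed organization mail domain, as in the manual's example
PROXIMITY_CHARS = 30        # "within 30 characters", as suggested above


def word_spans(text, word):
    """Start/end offsets of every whole-word, case-insensitive match of `word`."""
    pattern = r"\b" + re.escape(word) + r"\b"
    return [(m.start(), m.end()) for m in re.finditer(pattern, text, re.IGNORECASE)]


def proximity_rule(text, word_a, word_b, max_gap=PROXIMITY_CHARS):
    """True when some occurrence of word_a lies within max_gap characters of
    some occurrence of word_b, measured from the end of the earlier word to
    the start of the later one."""
    for sa, ea in word_spans(text, word_a):
        for sb, eb in word_spans(text, word_b):
            gap = sb - ea if sa <= sb else sa - eb
            if gap <= max_gap:
                return True
    return False


def external_recipient_rule(recipients, org_domain=ORG_DOMAIN):
    """True when any recipient address has an @ but is not in org_domain."""
    suffix = "@" + org_domain.lower()
    return any("@" in r and not r.lower().endswith(suffix) for r in recipients)


def sender_rule(sender, banned):
    """True when the sender is one of the banned addresses (case-insensitive)."""
    return sender.lower() in {b.lower() for b in banned}


def scannable_text(msg):
    """Subject, plain-text body and plain-text attachments: the parts the
    'Confidential product information' rule above is applied to."""
    parts = [msg["Subject"] or ""]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        parts.append(body.get_content())
    for att in msg.iter_attachments():
        if att.get_content_type() == "text/plain":
            parts.append(att.get_content())
    return "\n".join(parts)


def evaluate(raw):
    """Return the names of the rules that fire for one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text = scannable_text(msg)
    to_hdr = msg["To"]
    recipients = [a.addr_spec for a in to_hdr.addresses] if to_hdr else []
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    fired = []
    if word_spans(text, "SuperThing"):
        fired.append("Confidential product information")
    if proximity_rule(text, "SuperThing", "January"):
        fired.append("Launch date")
    if external_recipient_rule(recipients):
        fired.append("External recipient")
    # assumed addresses standing in for John Smith's two addresses
    if sender_rule(sender, ["john.smith@example.com", "jsmith@mail.example.net"]):
        fired.append("Annoying Person")
    return fired


def make_message(sender, to, subject, body):
    """Build a constructed sample message as bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content(body)
    return m.as_bytes()


# Constructed samples: the agenda from the text, a real leak, and a nuisance sender.
AGENDA = ("The agenda for tomorrow's meeting:\n"
          "1 Progress towards the launch of SuperThing\n"
          "2 How to reduce our stationery costs\n"
          "3 Launch of MegaBox in January\n")
LEAK = make_message("jane@example.com", "partner@external.test",
                    "Heads up", "SuperThing ships in January.")
MEETING = make_message("pat@example.com", "team@example.com", "Agenda", AGENDA)
NUISANCE = make_message("jsmith@mail.example.net", "staff@example.com", "hi", "again")

if __name__ == "__main__":
    for name, raw in (("leak", LEAK), ("meeting", MEETING), ("nuisance", NUISANCE)):
        print(name, evaluate(raw))
```

The agenda message still trips the plain "SuperThing" rule, which is why the manual pairs that rule with the quarantine-first approach described under testing a new rule; only the proximity rule separates the leak from routine meeting traffic.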
Blocking games
Many games are sent by e-mail as computer programs (.EXE files). To block these
games, create a content rule that detects *.EXE and *.COM in the name of any
attachment. This type of rule has an added advantage because games are a popular
hiding place for viruses.
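The three measures above (mail-size filtering, file filtering by name, and detection of a file's real format regardless of its name) can be shown together on one message. The following is an added example, not code from the manual or from GroupShield; the minimal magic-byte table, the limits and the sample message with a renamed database and a game executable are assumptions made for the illustration.

```python
"""File-filtering checks of the kind the manual combines: attachment name
patterns, file-format detection from content rather than extension, and
overall message size / attachment count limits. Constructed example, not
GroupShield code; the magic-byte table and the sample message are assumptions
made for the illustration."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from fnmatch import fnmatchcase

# Leading-byte signatures used to recognise a format (assumed, minimal table).
# The declared file name and extension are never trusted.
MAGIC = {
    "mdb": b"\x00\x01\x00\x00Standard Jet DB",
    "exe": b"MZ",
    "zip": b"PK\x03\x04",
}

BANNED_GLOBS = ("*.exe", "*.com")      # the "Blocking games" rule above


def detect_format(data):
    """Format name from leading bytes, or None when no signature matches."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def name_banned(filename, globs=BANNED_GLOBS):
    """Case-insensitive match of the attachment name against the banned patterns."""
    return any(fnmatchcase(filename.lower(), g.lower()) for g in globs)


def check_message(raw, max_bytes, max_attachments, globs=BANNED_GLOBS):
    """Return findings for one message as (check, detail) tuples, in the order found."""
    findings = []
    if len(raw) > max_bytes:
        findings.append(("mail-size", f"{len(raw)} bytes > {max_bytes}"))
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = list(msg.iter_attachments())
    if len(attachments) > max_attachments:
        findings.append(("attachment-count", str(len(attachments))))
    for att in attachments:
        name = att.get_filename() or ""
        data = att.get_payload(decode=True) or b""
        if name_banned(name, globs):
            findings.append(("banned-name", name))
        fmt = detect_format(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if fmt is not None and fmt != ext:
            # CUSTOMERS.MDB renamed to NOTES.TXT is caught here
            findings.append(("format-mismatch", f"{name} is {fmt}"))
    return findings


def sample_message():
    """Constructed message: a renamed Access database plus a game executable."""
    m = EmailMessage()
    m["From"] = "insider@example.com"
    m["To"] = "someone@external.test"
    m["Subject"] = "notes"
    m.set_content("see attached")
    jet = MAGIC["mdb"] + b"\x00" * 3000          # database content behind a .TXT name
    m.add_attachment(jet, maintype="text", subtype="plain", filename="NOTES.TXT")
    m.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                     subtype="octet-stream", filename="GAME.EXE")
    return m.as_bytes()


if __name__ == "__main__":
    for check, detail in check_message(sample_message(), max_bytes=2048, max_attachments=1):
        print(check, detail)
```

A real deployment would use a much larger signature table (and a container-aware scanner for archives), but the ordering of checks is the point: size and count limits are cheap and run first, name patterns next, and content inspection last.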
3 Under Additionally look for ..., use Add repeatedly to enter the phrases: TV,
national television, and so on. You can update your list of phrases over
time.
1 Open a standard text editor, then type the following character string as one line,
with no spaces or line breaks:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
NOTE
The line shown above should appear as one line in your text
editor window, so be sure to maximize your text editor
window and delete any line breaks. Also, be sure to type the
letter O, not the number 0, in the “X5O...” that begins the test
message.
If you are reading this manual on your computer, you can
copy the line directly from the Acrobat PDF file and paste it
into your text editor. If you copy the line, be sure to delete any
line breaks or spaces.
2 Save the file with the name EICAR.COM. The file size will be 68 or 70 bytes.
3 Start your anti-virus software and allow it to scan the folder that contains
EICAR.COM.
If the scanner appears not to be working correctly, check that you have read
permissions on the test file.
NOTE
This file is not a virus — it cannot spread or infect other files, or
otherwise harm your computer. Delete the file when you have
finished testing your scanner to avoid alarming other users.
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
GTUBE stands for Generic Test for Unsolicited Bulk E-mail.
3 Send the new e-mail message to a mailbox address on the Microsoft® Exchange
server where you have installed GroupShield.
GroupShield scans the message, recognizes it as a junk e-mail message and deals
with it accordingly. The GTUBE test overrides blacklists and whitelists.
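Both test items above are plain ASCII strings with a fixed, published form, which is what lets a scanner recognise them without any risk to the host. The following added example (not code from the manual or from GroupShield; the mailbox addresses are constructed) builds the EICAR file and a GTUBE message from the strings printed above and shows the whole-string check a scanner applies to the message body.

```python
"""Building the two standard scanner test items described above. Added
example, not GroupShield's own code; the mailbox addresses are constructed."""
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The EICAR string exactly as printed above (68 characters); a raw string
# keeps the backslash literal. Note the letter O, not the digit 0, in "X5O".
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# The GTUBE string exactly as printed above.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def eicar_bytes(crlf=False):
    """File content as an editor would save it: 68 bytes, or 70 with a CRLF line end."""
    return EICAR.encode("ascii") + (b"\r\n" if crlf else b"")


def write_eicar(directory, crlf=False):
    """Write EICAR.COM into `directory` and return its size on disk."""
    path = os.path.join(directory, "EICAR.COM")
    with open(path, "wb") as fh:
        fh.write(eicar_bytes(crlf))
    return os.path.getsize(path)


def gtube_message(sender="tester@example.com", recipient="mailbox@exchange.example.com"):
    """A test e-mail whose body is the GTUBE line (constructed addresses)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, "GTUBE test"
    m.set_content(GTUBE + "\n")
    return m.as_bytes()


def contains_gtube(raw):
    """What an anti-spam scanner checks: the complete GTUBE string in the body
    text. Matching the whole string means ordinary mail cannot hit it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and GTUBE in body.get_content()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # file is removed again afterwards
        print("EICAR.COM size:", write_eicar(d), "bytes")
    print("GTUBE recognised:", contains_gtube(gtube_message()))
```

The two sizes match the manual's "68 or 70 bytes": the difference is only whether the editor appended a CRLF line ending.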
If your content rule is intended to delete an unwanted item or to replace the item
with an alert message, you risk losing valid items if the rule was not correctly
defined. When you create any new rule, we recommend that you set the primary
action to Allow the item through, with a secondary action of Quarantine the item. You
can check the quarantine area to verify that the rule is working correctly. Then
later, you can change the action to delete or replace these types of items.
The following areas can also be configured within the GroupShield software:
Notifications
You can configure the notifications that GroupShield 6.0 sends when it detects a
virus or banned content within an e-mail message.
Configuring Notifications
To configure the notifications that GroupShield 6.0 sends, select Notifications from
the Configure tasks list on the left of the interface.
1 Enter the Administrator Email address. This can be a person or a distribution list
set up within your Microsoft® Exchange server.
2 Enter the Sender Email address. This can be a person or a distribution list set
up within your Microsoft® Exchange server.
3 Enter the Subject line for notification.
4 Click Edit to change the content of the notification text. See Using tokens in alert
notifications for further details.
5 If you want to be notified with task results, select Enable Task results
notification.
6 Click Apply.
On-Access settings
McAfee GroupShield integrates with Microsoft® Exchange by using Microsoft
Virus-Scanning APIs (VSAPI). The version of VSAPI used depends on the version
of Microsoft® Exchange that GroupShield is protecting:
n Microsoft® Exchange 2000 uses Microsoft Virus-Scanning API 2.0 (VSAPI 2).
n Microsoft® Exchange 2003 uses Microsoft Virus-Scanning API 2.5 (VSAPI 2.5).
In addition, when protecting Microsoft® Exchange 2000, you can specify that
GroupShield carries out Transport Scanning of all e-mail traffic.
w Items are scanned during times when the CPU would otherwise be
idle.
w Once scanned, items need not be scanned when they are accessed, so
performance is improved.
n Scan timeout defines how long an attempt to access the item being scanned
continues before timing out.
If scanning does not complete before the scan timeout period expires, the
opening or accessing of the item fails with an Access Denied error. The
scanning of the item continues to completion, and later attempts to access the
item will succeed.
Scan email using enables you to select either VSAPI or Transport Scanning as the
on-access scanning method.
Transport scanning is best used when you have configured your Microsoft®
Exchange 2000 server as a gateway server, as it allows scanning of routed mail
(mail that is not destined for the local Microsoft® Exchange server). Transport
scanning also allows you to stop the delivery of unwanted messages.
7 To change the Number of Scan Threads, deselect Default and enter the required
number of threads.
Anti-spam settings
When used with the anti-spam add-on package, Anti-Spam Settings, available from
the Configure options in the navigation pane, allows you to:
n Specify the e-mail address that you want to use as the System Junk Folder on
the Exchange server.
n Have the anti-spam add-on package route potential spam messages to the user
junk folders on that Exchange server.
NOTE
If you are using Microsoft® Exchange Server 2003 and
Microsoft Outlook Web Access as your e-mail client then the
anti-spam add-on package will automatically route potential
spam messages to the user junk folder. User junk folders are
physically created the first time that a user receives a potential
spam message.
For more information about setting up anti-spam, see Scanning for spam on
page 136.
n Limit the maximum age of entries within the Detected Items Database.
NOTE
By default, all the Detected Items Database options are
displayed unselected.
To prevent the database from becoming overly large, you can limit either the
maximum size of the database, or you can limit the time that a record is held within
the database before it may be overwritten.
NOTE
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
uses these files to maintain information, such as the Detected
Items list. Removing these files will result in GroupShield
being unable to display the Detected Items information.
This is the number of days that a Detected Items entry may be displayed within
the Results area of the Detected Items page. The entry may be held in the
Detected Items database after this date, but is liable to be overwritten if the
database is approaching its maximum size.
NOTE
If you have set a Maximum database size and the Detected
Items Database is approaching that size, then detected items
database entries younger than the Maximum age of entry (days)
may be overwritten, to prevent the database expanding
beyond the Maximum database size.
3 Click Apply when all options on the Detected Items Database pane have been
selected to your satisfaction.
NOTE
The default Product Log Database settings are:
To prevent the log from becoming overly large, you can limit either the maximum
size of the log, or you can limit the time that a record is held within the log before
it may be overwritten.
NOTE
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
uses these files to maintain information, such as the Product
Log Database. Removing these files will result in GroupShield
being unable to display the Product Log Database.
2 Enter the Maximum log size, selecting either Megabytes (MB) or Kilobytes (KB).
If the Product Log reaches the maximum size that you have specified, the
oldest records in the log will be overwritten, to prevent the log from
exceeding the specified size.
NOTE
If you have set a Maximum log size and the Product Log is
approaching that size, then logged items younger than the
Maximum age of entry (days) may be overwritten, to prevent
the log expanding beyond the Maximum log size.
If you select (Full Path), then enter an absolute UNC path, as follows:
\\<server name>\<shared folder or drive>\
If you select <Desktop>\, <Install Folder>\, <System Drive>, <Program Files>\ or
<Windows Folder>, you can specify a sub-folder in which to store the debug log
files.
3 Click Apply when all options on the Product Log pane have been selected to
your satisfaction.
Personal Preferences
The Personal Preferences page enables you to change options relating to the way
you view the Home page and the Detected Items page.
Home page
1 Deselect Automatic refresh to disable automatic refreshing of the information
displayed on the Home page.
When Automatic refresh is disabled, the Refresh rate field is also disabled.
3 Enter the number of items to be displayed on the Home page in the Recently
scanned items area.
2 Select the Columns that correspond to the information that you want displayed
on the Detected Items page.
3 Click Apply when all options on the Personal Preferences page have been
selected to your satisfaction.
Diagnostics
McAfee GroupShield includes Diagnostics within the interface. These are useful
tools in the event that the GroupShield software fails to operate in an expected
manner.
Debug Logging
By default, debug logging is set to None. In this state, no debug log files are
generated, and there is no performance impact on the normal operations carried
out by GroupShield.
NOTE
We recommend that you enable debug logging only on the
advice of McAfee Security technical support, as using debug
logging can have performance implications for your Exchange
server.
w None. No debug logging is carried out. This is the default level, and is used
when the GroupShield software is operating as expected.
w Low. When debug logging is set to Low, GroupShield writes information
relating to any error conditions that are issued by GroupShield processes.
This usually provides sufficient information for McAfee Security technical
support to diagnose any problems with your installation of GroupShield.
w Medium. When debug logging is set to Medium, the GroupShield software
writes information relating to any error conditions and any informational
messages that are issued by GroupShield processes. This is useful for
McAfee Security technical support if there is no obvious reason for the
error conditions occurring.
w High. When debug logging is set to High, GroupShield writes information
relating to all error conditions, all informational messages and comments
from each line of code executed within GroupShield to the debug log files.
This level of debug logging can generate large quantities of information,
creating large log files. It may be necessary to set the maximum log file
limit, using Limit size of debug log files and Maximum size of each log file
(KB).
3 Click Apply when all options on the Debug Logging page have been selected to
your satisfaction.
The Network Associates Error Reporting Service monitors the Network Associates
applications on your system and prompts the user when it detects a problem. It
collects data only from the computer on which it is installed, and its operation is
controlled from this computer. You can submit the data it collects to Network
Associates technical support to assist in the opening of a support case.
If the computer that experiences the failure is connected to a network that has Alert
Manager installed, Alert Manager can be configured to inform the network
administrator that a problem has been detected. The network administrator may
need to guide the user on what action to take.
By default, the Network Associates Error Reporting Service within GroupShield is
enabled. To disable Network Associates Error Reporting Service, deselect Enable.
The user is alerted and can choose to forward the data to the Network Associates
technical support web site, where it can be used to open a support case if
appropriate. Alternatively, the user can choose to ignore the log files, in which case
they are not submitted to the Network Associates web site.
The data that is collected is compressed for submission.
Errors that occur when the Network Associates Error Reporting Service is not
running, for example, when you have logged out, are processed the next time you
restart the service. The sort of errors that occur under these circumstances might
include those occurring in programs running as a service.
Policy Groups
Before you create anti-virus and content management policies in Anti-Virus and
Content, you must first create policy groups to which the policies will apply. Policy
groups are based on members of Active Directory Groups or SMTP e-mail addresses.
You can include as many items in the right-hand box as you want.
4 Use the Policy Group options to specify whether you want the rules to apply to
any, all, or none of the criteria that are in the box on the right.
5 Click Next or Enter a name and, if desired, type a unique name for the policy
group.
We recommend that you name the policy group yourself rather than using the
name that GroupShield 6.0 gives it so that you can recognize it easily when you
come to set up your anti-virus and content scanning policies.
6 Click Finish.
The policy group will be available for you to choose when you create policies
in Anti-Virus and Content.
1 Click Import.
2 Under Import the following types of Active Directory Group:, select the
required types from Universal, Global and Local.
4 Click Next.
Check that the required Policy Groups are highlighted.
5 Click Finish.
Once you have set up one GroupShield server to your satisfaction, you can export
the configuration file, and then import and apply this file to other GroupShield
installations.
You can also import a site list that GroupShield will use to download virus
definition (DAT) files and Virus-Scanning engine updates.
2 The Save As dialog box is displayed. Browse to the location for the
configuration file to be saved.
2 Click Load.
When the file has been successfully imported, a Microsoft Internet Explorer
File successfully uploaded dialog box is displayed.
3 Click OK.
Appendices
Troubleshooting
Default Settings
Alert Messaging with Alert Manager 4.7
Index
Appendix A Troubleshooting
This section provides answers to common situations that you might encounter
when installing or using GroupShield software. It includes information on what to
do if GroupShield 6.0 experiences problems.
It also lists the error codes that are used within the GroupShield 6.0 software.
Data collected by MERTool and the Error Reporting Service can be submitted to
Network Associates Technical Support to assist in the opening of a support case.
MERTool and the Error Reporting Service collect data only from the computer on
which they are installed, and their operation is controlled from this computer. If
the Error Reporting Service detects a problem it informs the user.
If this computer is connected to a network that has Alert Manager installed, then
Alert Manager notifies the network administrator that the Error Reporting Service
has detected a problem. The network administrator may then need to tell the user
what action to take and what to do with the data files created, in accordance with
departmental or company policy.
Under normal circumstances, both MERTool and the Error Reporting Service are
invisible to the user. However, when the Error Reporting Service detects a
problem, the user of that computer receives information from the Error Reporting
Service, as described later in this chapter, and must respond appropriately.
There are several ways in which MERTool and the Error Reporting Service can be
used, depending on how your organization operates and how you manage your
network:
n The Error Reporting Service detects a problem and alerts the user.
n The network administrator detects a problem and instructs a user to run
MERTool.
n A user independently contacts Network Associates Technical Support, who
instruct him or her to run MERTool.
After you run MERTool you must decide how the data file is going to be submitted
to your support representative, and whether you want to encrypt it. If you do, use
your standard encryption tools.
Introducing MERTool
MERTool is designed to be used when Network Associates products fail on a
computer. When launched, MERTool collects a variety of information from the
computer on which it is running, including event logs, registry information,
running process lists and Active Directory entries.
MERTool uses this information to create a TGZ file. A TGZ file is a type of
compressed file, so it is smaller and therefore easier to send electronically than an
uncompressed file.
Under some circumstances MERTool may not be able to collect all the information
that it needs. This may occur when:
n A computer is connected to a network and the user does not have full
administrator rights.
n The user of a standalone desktop computer has not been assigned
administrator rights. This only applies to operating systems where these
options are available, such as Microsoft Windows 2000 and Windows XP.
Using MERTool
There are several ways in which MERTool can be launched:
n When the Error Reporting Service submits data to Network Associates
Technical Support web site, more details are required and you are instructed
to run MERTool as described in Step 2 and Step 3 of the procedure To run
MERTool.
n You instruct a user to launch MERTool manually if you suspect that your
Network Associates software is not running optimally. To do this follow the
procedure To run MERTool. You should only do this if the user who is
currently logged on has administrator rights.
To run MERTool
1 At NAMEDLOCATION, click on the MERTool icon. The MERTool Save As
window is displayed.
2 Enter a name for the file that MERTool is going to create, and select the folder
in which to save it. Click Save.
MERTool displays a progress bar while collecting information.
NOTE
In some circumstances MERTool can only collect the data it needs if the
anti-spam software on the computer on which MERTool is running has
the DEBUG option switched on. Your Network Associates support
representative will tell you how to switch on Debug if it is necessary.
MERTool cannot automatically switch on the DEBUG option on your
McAfee anti-spam software.
3 When MERTool has finished collecting information, it displays a summary
message. Click OK.
4 You must now submit the results file to your Network Associates support
representative. Unless instructed otherwise, send the file by e-mail or copy it
to a CD and mail it to Network Associates. Information about contacting
Network Associates can be found in the front of this manual.
If the computer that experiences the failure is connected to a network that has Alert
Manager installed, Alert Manager informs the network administrator that a
problem has been detected. The network administrator may need to guide the user
on what action to take.
Errors that occur when the error reporting software is not running, for example,
when you have logged out, are processed the next time you log in. The sort of
errors that occur under these circumstances might include those occurring in
programs running as a service.
2 Virus scanning has been deselected in the Anti-Virus and Content settings. To
check this, select Anti-Virus and Content from within the Configure section of
the navigation pane. Select On Access Scanner from within the Policies area.
Ensure that Anti-Virus is selected.
GroupShield did not detect the virus that received all the publicity last
week. Why?
For any anti-virus software to identify the latest virus threat, the software must
have signature information available for that virus.
McAfee Security updates the virus definition (DAT) files for all McAfee Security
anti-virus software at least weekly, with additional updates being created to
counter specific new high-profile or particularly destructive virus threats.
Schedule a Product Update to run at least once a week. The DAT files are usually
updated each Wednesday or Thursday (depending on your geographical
location).
Also, regularly check for new virus scanning (DAT) file and virus-scanning engine
releases, by visiting:
http://www.mcafeesecurity.com/naicommon/download/dats/find.asp
Events
The following events can be generated when the anti-virus and content
management engines scan e-mail messages for viruses and banned content. The
events are used when generating reports, and can be logged and processed by the
e-mail, SNMP, ePolicy Orchestrator, and XML event handlers.
ID Level Description
2042 Information Scanner initialized.
2043 Information Scanner uninitialized.
2044 Error Scanner failed to initialize.
2045 Error Scanner failed to scan an item.
2046 Information The service has started.
2047 Information The service has stopped.
2048 Error The service failed to start.
2049 Error Failed to write an entry to the Detected Items database.
2050 Error Failed to load the XML configuration.
2051 Error Failed to save a change to the XML configuration.
2052 Information An Update completed successfully.
2053 Error An Update failed to complete successfully.
The GroupShield installation files include the DAT files that were current at the
time of posting. These DAT files, however, are likely to be out-of-date by the time
that you install GroupShield on your Exchange server.
We recommend that you schedule an immediate update as soon as you have
installed GroupShield, to ensure that you have the most up-to-date virus
protection available.
n Scheduled Tasks
n On-Access Settings
n Anti-Spam Settings
n Product Log
n Personal Preferences
n Diagnostics
n Policy Groups
Scheduled Tasks
GroupShield has no scheduled tasks defined by default.
Anti-Virus settings
The default settings for Anti-Virus are shown below:
With the Level of protection set to the default selection (Medium), GroupShield uses
the following scanning options:
Notifications
The default settings for Notifications are shown below:
On-Access Settings
When McAfee GroupShield is used to protect Microsoft® Exchange, the On-Access
Settings contain the following settings provided by the Microsoft Virus Scanning
API (VSAPI):
Anti-Spam Settings
The default settings for Anti-Spam Settings are shown below:
The default Database location is <Install Folder>\Bin and the default Database
filename is DetectedItems.bin.
Product Log
The default settings for Product Log are shown below:
Personal Preferences
The default settings for the Personal Preferences are shown below:
Diagnostics
The default settings for Diagnostics are shown below:
Policy Groups
The default settings for Policy Groups are shown below:
The file name used by default for the Import Site List file is SiteList.xml.
When starting Alert Manager 4.7 from the Windows Start menu, you have access
to two main components:
See Configure Alert Manager recipients and methods on page 220 for details.
n Alert Manager Messages Config. This component allows you to configure the
alert messages themselves. You can edit message text and set priority levels for
specific alerts. To start Alert Manager Messages Config, click the Start button
on the Windows desktop and select Programs | Network Associates | Alert
Manager Messages Config.
2 Configure the recipients that will receive alert notifications using that alert
method.
3 Click other tabs to configure recipients for any additional alert methods as
required.
4 When finished, click OK to save the configurations and close the Alert Manager
Properties dialog box.
n Sending a network message to a terminal server on page 241. This method is only
available if terminal services are running on the computer where Alert
Manager is installed.
n Using Centralized Alerting on page 243
2 In the Priority Level dialog box, drag the slider right or left to set the priority
level.
Drag to the right to send the recipient fewer, higher priority messages. Drag
the slider to the left to send the recipient more alert messages, including lower
priority messages.
3 Click OK to save the priority settings.
NOTE
On the Priority Level dialog box, you can specify the priority
level for specific recipients, such as a computer on a network
or an e-mail address. However, you cannot set the priority of
individual alert messages here. For information on setting the
priority levels of individual alert messages, see Customizing
alert messages on page 244.
Click next to each listed alert method to display the recipient computers,
printers, or e-mail addresses. To remove an alert notification recipient, select it,
then click Remove. To change the configuration options for a listed recipient, select
it, then click Properties to open the Properties dialog box for that alert method.
To do this, configure the local Alert Manager to forward relevant alerts to the
computer where the second Alert Manager is installed. You then need to configure
the second Alert Manager to distribute alert notifications as desired. See
Configuring alert forwarding options on page 227 for details on doing this.
1 From the Alert Manager Properties dialog box, click the Forward tab.
The Forward page appears with a list of all of the computers you have chosen
to receive forwarded messages. If you have not yet chosen a destination
computer, this list is blank.
- To add a computer, click Add to open the Forward Properties dialog box,
then enter the name of the computer that receives forwarded messages in
the text box. You can enter the computer name in Universal Naming
Convention (UNC) notation, or click Browse to locate the computer on the
network.
3 Click Priority Level to specify which types of alert messages the destination
computer receives. See Setting the alert priority level for recipients on page 222.
4 Click Test to send the destination computer a test message. See Sending a test
message on page 221.
5 Click OK to return to the Alert Manager Properties dialog box.
It is not necessary for the recipient computers to have Alert Manager installed.
However, the recipient must be running the messaging client for its operating
system: network messages are delivered by the Windows Messenger service, which
ships with Windows NT, Windows 2000, Windows XP and Windows Server 2003. Do not
assume it is running; on Windows XP Service Pack 2 and Windows Server 2003 the
service is disabled by default and must be started before the recipient can
receive alerts. Network messages are also not authenticated, so treat them as a
convenience notification and use the Logging method for a record you need to
rely on.
2 Click the Network Message tab. The Network Message page appears with a list
of the computers that you have configured to receive a network message. If
you have not yet chosen a recipient computer, this list is blank.
- To remove a listed computer, select one of the recipient names listed, then
click Remove.
4 Click Priority Level to specify which types of alert messages the recipient
receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient a test message. See Sending a test message on
page 221.
6 Click OK to return to the Alert Manager Properties dialog box.
4 Click Mail Settings to specify the network server you use to send Internet mail
via SMTP.
NOTE
You must click Mail Settings and specify an SMTP server to be
able to send e-mail alert notifications. Do not skip this step.
Also, after configuring your SMTP mail settings the first time,
you will not be required to configure them again unless your
SMTP mail server information changes.
a In the dialog box that appears, enter the mail Server. You can enter the
server as an Internet Protocol (IP) address, as a host name that your DNS
server can resolve, or in Universal Naming Convention (UNC) notation.
b If your SMTP server requires it, type a Login name to use for the mail
server.
NOTE
Only enter a login name in the Login field if your SMTP mail
server is configured to use a login. Check your SMTP
configuration to see if this is required. Entering a login name
here when your mail server is not configured to use it may
cause problems with e-mail alerting.
c Click OK to return to the E-Mail Properties dialog box.
5 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.
6 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
You have two options for managing long messages in e-mail alert notifications:
- Append an asterisk (*) to the e-mail address, for example
administrator_1@mail.com*. Alert Manager truncates alerts sent to e-mail
addresses that end in an asterisk according to the current system SMTP
message length setting. The default SMTP length is 240 characters.
This is particularly valuable if Alert Manager sends alerts to pagers via e-mail.
Some pager services have a short message length limit, for example 200
characters. If a message is intended to be delivered to a pager via an e-mail
address, appending an asterisk (*) to the address lets you, rather than the
pager company, control where the message is truncated.
- You can also edit the message text in the Alert Manager Messages dialog box to
make sure important message content is preserved as much as possible in
truncated messages. To do this, you could either abbreviate some parts of the
message or move critical information to the beginning of the message, perhaps
leaving long file names for the end of the message.
The Printer page appears with a list of all of the printer queues that you have
chosen to receive alert messages. If you have not yet chosen a printer queue,
this list is blank.
- To remove a listed print queue, select one of the printers listed, then click
Remove.
- To change configuration options, select one of the printers listed, then click
Properties. Alert Manager opens the Printer Properties dialog box. Change
the information in the Printer text box as necessary.
4 Click Priority Level to specify which types of alert notifications the recipient
printer receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient printer a test message. See Sending a test message
on page 221.
- To start the program only when your anti-virus software first finds a
particular virus, click First Time.
- To start the program each time the scanner finds a virus, click Every Time.
NOTE
If you select First Time, the program you designate starts as
soon as the scanner first encounters a particular virus, for
example VirusOne. If the scanner then finds further
occurrences of VirusOne in the same folder, it does not start the
program again. The suppression only applies to consecutive
detections of the same virus: if, after encountering VirusOne, the
scanner encounters a different virus (VirusTwo) and then
encounters VirusOne again, the program starts in response to
each of those encounters, in this example three times in a row.
Starting multiple instances of the same program might cause
your server to run out of memory.
6 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.
Remember that the Program method does not run a program unless the alert
pertains specifically to viruses. In other words, the alert text must contain
the %VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of
priority level, are ignored. Note that the values substituted into those
variables are taken from the detection itself, and the name of an infected file
is chosen by whoever sent it, so the program you designate must treat what it
receives as untrusted input.
7 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
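The following is an added example, not Alert Manager or GroupShield code: a small Python model of the Program method's rules as described above (the %VIRUSNAME%/%FILENAME% requirement, and the First Time versus Every Time trigger behaviour from the note). It assumes the alert is represented as a template string plus a dictionary of system-variable values, that "First Time" means "not the same virus as the immediately preceding virus alert" (the reading the VirusOne/VirusTwo/VirusOne example supports), and a hypothetical program path C:\Tools\notify.exe; none of these are specified on the page.

```python
r"""Added example (not Alert Manager code): models the Program alert method's
First Time / Every Time trigger rules and builds the command line for the
designated program.

Assumptions not stated on the page: an alert is a template string plus a dict
of system-variable values; 'First Time' suppresses only consecutive repeats of
the same virus name; the program path C:\Tools\notify.exe is hypothetical.
"""
import re
import subprocess

VAR_RE = re.compile(r"%([A-Z]+)%")


class ProgramMethod:
    def __init__(self, program, mode="First Time", dry_run=True):
        if mode not in ("First Time", "Every Time"):
            raise ValueError("mode must be 'First Time' or 'Every Time'")
        self.program = program
        self.mode = mode
        self.dry_run = dry_run
        self.last_virus = None   # virus name of the previous virus alert
        self.launched = []       # argv lists we ran (or would have run)

    def handle(self, template, values):
        """Return True if the alert started (or would start) the program."""
        # Rule from the manual: alerts whose text does not carry both
        # %VIRUSNAME% and %FILENAME% are ignored, whatever their priority.
        names = set(VAR_RE.findall(template))
        if not {"VIRUSNAME", "FILENAME"} <= names:
            return False
        virus = values.get("VIRUSNAME", "")
        filename = values.get("FILENAME", "")
        # First Time: a repeat of the virus seen in the previous virus alert is
        # suppressed; a different virus in between resets the suppression.
        if self.mode == "First Time" and virus == self.last_virus:
            return False
        self.last_virus = virus
        # Pass each value as its own argv entry. The infected file's name is
        # chosen by whoever sent the file, so it is never spliced into a shell
        # command string (no shell=True), and the launched program must still
        # treat it as untrusted.
        argv = [self.program, virus, filename]
        self.launched.append(argv)
        if not self.dry_run:
            subprocess.run(argv, check=False)
        return True


# Default text of alert 1025 as quoted in the manual, and a constructed
# non-virus alert that has no virus fields.
DETECTED = ("The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
            "The file was successfully cleaned with Scan engine version "
            "%ENGINEVERSION% and DAT version %DATVERSION%.")
TASK_STARTED = "Task %TASKNAME% started on %COMPUTERNAME%."


def replay(mode):
    """Replay the note's sequence (VirusOne, VirusOne, VirusTwo, VirusOne)
    plus one non-virus alert; return how many times the program started."""
    pm = ProgramMethod(r"C:\Tools\notify.exe", mode=mode, dry_run=True)
    sequence = [  # constructed sample alerts
        (DETECTED, {"VIRUSNAME": "VirusOne", "FILENAME": r"C:\share\a.doc"}),
        (DETECTED, {"VIRUSNAME": "VirusOne", "FILENAME": r"C:\share\b.doc"}),
        (DETECTED, {"VIRUSNAME": "VirusTwo", "FILENAME": r"C:\share\c.exe"}),
        (DETECTED, {"VIRUSNAME": "VirusOne", "FILENAME": r"C:\share\d.doc"}),
        (TASK_STARTED, {"TASKNAME": "On-Access Scan", "COMPUTERNAME": "MAIL01"}),
    ]
    for template, values in sequence:
        pm.handle(template, values)
    return len(pm.launched)


if __name__ == "__main__":
    print("First Time starts:", replay("First Time"))   # 3
    print("Every Time starts:", replay("Every Time"))   # 4
```

Set dry_run=False to actually run the program; the argv-list form is what keeps a file name such as `a.doc & del *.*` from being interpreted by a shell.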
The Logging page appears with a list of all of the computers you have chosen
to receive messages for logging. If you have not yet chosen a recipient
computer, this list is blank.
- To add a computer, click Add to open the Logging Properties dialog box,
then enter the name of the computer that receives messages for logging in
the text box. You can enter the computer name in Universal Naming
Convention (UNC) notation, or you can click Browse to locate the
computer on the network.
- To remove a listed computer, click the computer in the list and click the
Remove button.
4 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
6 Click OK to return to the Alert Manager Properties dialog box.
5 Select a user from the list and click OK to send that user a test message and
return to the Alert Manager Properties dialog box.
6 Click Priority Level to specify which types of alert messages the terminal server
users should receive. See Setting the alert priority level for recipients on page 222.
3 Configure Alert Manager to monitor the centralized alert folder for activity. To
do this:
a From the Alert Manager Properties dialog box, select the Centralized Alert
tab.
c Type the location of the alert folder or click Browse to locate a folder
elsewhere on your server or on the network. This must be the same folder
that the anti-virus software on your client computers uses for
centralized alerts (see Step 1). The default location of the alert folder is:
C:\Program Files\Network Associates\Alert Manager\Queue\.
Because Alert Manager acts on whatever appears in this folder, restrict the
share and NTFS permissions so that only the scanner accounts on the client
computers can write to it.
4 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
6 Click OK to save your centralized alerting settings and return to the Alert
Manager Properties dialog box.
Use the Alert Manager Messages dialog box to customize alert messages. See
Starting Alert Manager on page 219 for details on how to access the Alert Manager
Messages dialog box.
1 Select or deselect the corresponding checkbox for any alert messages you want
to enable or disable.
2 Click OK to save your changes and close the Alert Manager Messages dialog
box.
3 Choose a priority level from the Priority list. You can assign each alert message
a Critical, Major, Minor, Warning, or Informational priority.
The icons shown beside each message listed in the Alert Manager Messages
dialog box identify the priority level currently assigned to a message. Each icon
corresponds to a choice in the Priority drop-down list. The priority levels are:
Major. Indicates either that a virus was detected and cleaned successfully,
or that a serious error or problem has occurred that might cause your
anti-virus software to stop working. Examples include “Infected file
deleted,” “No licenses are installed for the specified product,” or “Out of
memory!”
As you reassign the priority for a message, the icon beside it changes to show
its new priority status.
4 Click OK.
See Setting the alert priority level for recipients on page 222 for information about
applying priority level filters for specific recipients.
NOTE
Although you can edit the alert message text to say what you
want, you should try to keep its essence intact, because Alert
Manager sends each message only when it encounters certain
conditions. Alert Manager sends the “task has started” alert
message, for example, only when it actually starts a task.
To edit the alert message text:
1 From the Alert Manager Messages dialog box, click the alert message in the list
to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.
3 Edit the message text as desired. Text enclosed in percentage signs, such as
%COMPUTERNAME%, represents a variable that Alert Manager replaces with text at
the time it generates the alert message. See Using Alert Manager system variables
on page 248.
4 Click OK to save your changes and return to the Alert Properties dialog box.
For example, the major alert Infected file successfully cleaned (1025) listed in the
Alert Manager Messages dialog box is by default set to the following:
The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file
was successfully cleaned with Scan engine version %ENGINEVERSION% and DAT
version %DATVERSION%.
When this alert is sent to Alert Manager from an anti-virus application, Alert
Manager dynamically populates the system variables with real values, for example
displaying MYDOCUMENT.DOC for the %FILENAME% variable.
%DATVERSION% The version of the current DAT files used by the anti-virus
software that generated the alert.
%ENGINEVERSION% The version of the current virus-scanning engine used by the
anti-virus software to detect an infection or other problem.
%FILENAME% The name of a file. This could include the name of an
infected file it found, or the name of a file it excluded from a
scan operation.
%TASKNAME% The name of an active task, such as an On-Access scan or
AutoUpdate task in VirusScan Enterprise 7.0. Alert Manager
might use this to report the name of the task that found a
virus, or the name of a task that reported an error during a
scan operation.
%VIRUSNAME% The name of an infecting virus.
%DATE% The system date of the Alert Manager computer.
%TIME% The system time of the Alert Manager computer.
%COMPUTERNAME% The name of a computer as it appears on the network. This
could include an infected computer, a computer that
reported a device driver error, or any other computer with
which the program interacted.
%SOFTWARENAME% The file name of an executable file. This could include the
application that detected a virus, an application that
reported an error, or any other application with which the
program interacted.
%SOFTWAREVERSION% The version number taken from an active software package.
This could include the application that detected a virus, an
application that reported an error, or any other application
with which the program interacted.
%USERNAME% The login name of the user currently logged on to the server.
This can, for instance, tell you if somebody cancelled a scan.
WARNING
Be careful when editing message text to include system
variables that might not actually be used by the event
generating that alert message. Using system variables in alerts
that do not actually use that system variable field could cause
unexpected results, including garbled message text or even a
system crash.
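The following is an added example, not Alert Manager code, that ties together three passages above: the recipient priority-level slider, the asterisk truncation rule for e-mail recipients, and the system-variable substitution shown for alert 1025. It assumes the priority order Critical > Major > Minor > Warning > Informational, that a recipient's slider position is expressed as the lowest priority it still receives, and that a variable the event did not supply is left as literal text (so the gap is visible rather than garbled); none of these details are stated on the page. The sample values, including the long share path, are constructed.

```python
"""Added example (not Alert Manager code): render an alert template, apply a
recipient's priority filter, and truncate for '*' e-mail recipients.

Assumptions not on the page: priority ordering below, slider expressed as a
minimum priority, unknown %VARIABLES% left untouched, sample values invented.
"""
import re

PRIORITY = {"Critical": 4, "Major": 3, "Minor": 2, "Warning": 1,
            "Informational": 0}
SMTP_MAX = 240   # default SMTP message length quoted in the manual
VAR_RE = re.compile(r"%([A-Z]+)%")


def render(template, values):
    """Replace %NAME% tokens with event values; unknown tokens stay as-is."""
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def deliver(message, priority, recipient, threshold):
    """Return the text this recipient receives, or None if filtered out.

    threshold is the lowest priority the recipient's slider still passes;
    an address ending in '*' is cut at the SMTP length, as the manual says.
    """
    if PRIORITY[priority] < PRIORITY[threshold]:
        return None
    if recipient.endswith("*"):
        return message[:SMTP_MAX]
    return message


# Default text of alert 1025 as quoted in the manual ...
DEFAULT_1025 = ("The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
                "The file was successfully cleaned with Scan engine version "
                "%ENGINEVERSION% and DAT version %DATVERSION%.")
# ... and the same content re-ordered as the manual advises: critical
# information first, the long file name last.
REORDERED_1025 = ("%VIRUSNAME% cleaned on %COMPUTERNAME% (engine %ENGINEVERSION%, "
                  "DAT %DATVERSION%). File: %FILENAME%")

SAMPLE = {  # constructed values; a 229-character path from a file share
    "FILENAME": "\\\\FILESRV01\\Shared\\Projects\\2004\\Q2\\Accounting\\Archive\\"
                + "x" * 170 + ".doc",
    "VIRUSNAME": "W32/Example.worm",
    "VIRUSTYPE": "virus",
    "ENGINEVERSION": "4.3.20",
    "DATVERSION": "4372",
    "COMPUTERNAME": "MAIL01",
}


def pager_text(template):
    """What a pager address with a trailing '*' and a 'Minor' slider gets
    for a Major alert rendered from the given template."""
    return deliver(render(template, SAMPLE), "Major",
                   "oncall-pager@mail.example*", "Minor")


if __name__ == "__main__":
    for name, tpl in (("default", DEFAULT_1025), ("reordered", REORDERED_1025)):
        text = pager_text(tpl)
        print(f"{name}: {len(text)} chars, virus name present: "
              f"{'W32/Example.worm' in text}")
```

With the default wording the 240-character cut falls inside the file name, so the pager never sees which virus was found; with the re-ordered wording the virus name, host and engine/DAT versions all survive and only the tail of the path is lost.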