Product Guide

McAfee® GroupShield™
version 6.0

for Microsoft® Exchange


COPYRIGHT
Copyright © 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a
retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its
suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano,
Texas 75024, or call +1-972-963-8000.

TRADEMARK ATTRIBUTIONS
Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, Appera, AVERT, Bomb Shelter, Certified Network
Expert, Clean-Up, CleanUp Wizard, ClickNet, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System,
Distributed Sniffer System (in Katakana), Dr Solomon’s, Dr Solomon’s label, E and Design, Entercept, Enterprise SecureCast, Enterprise SecureCast (in Katakana), ePolicy
Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HelpDesk IQ,
HomeGuard, Hunter, Impermia, InfiniStream, Intrusion Prevention Through Innovation, IntruShield, IntruVert Networks, LANGuru, LANGuru (in Katakana), M and design,
Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking,
NA Network Associates, Net Tools, Net Tools (in Katakana), NetAsyst, NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Performance
Orchestrator, NetXray, NotesGuard, nPO, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey –
International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, SecureSelect, SecurityShield, Service Level
Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total
Network Visibility, Total Network Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, VIDS, Virex, Virus Forum, ViruScan, VirusScan,
WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, What's The State Of Your IDS?, Who’s Watching Your Network, WinGauge, Your E-Business
Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer®
brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH
THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,
PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING
OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE
FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
This product includes or may include:
• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
• Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
• Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
• Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
• Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. All rights reserved.
• Software written by Douglas W. Sauder.
• Software developed by the Apache Software Foundation (http://www.apache.org/).
• International Components for Unicode (“ICU”) Copyright © 1995-2002 International Business Machines Corporation and others. All rights reserved.
• Software developed by CrystalClear Software, Inc., Copyright © 2000 CrystalClear Software, Inc.
• FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany.
• Outside In® Viewer Technology © 1992-2001 Stellent Chicago, Inc. and/or Outside In® HTML Export, © 2001 Stellent Chicago, Inc.
• Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000.
• Software copyrighted by Expat maintainers.
• Software copyrighted by The Regents of the University of California, © 1989.
• Software copyrighted by Gunnar Ritter.
• Software copyrighted by Sun Microsystems®, Inc.
• Software copyrighted by Gisle Aas. All rights reserved, © 1995-2003.
• Software copyrighted by Michael A. Chase, © 1999-2000.
• Software copyrighted by Neil Winton, © 1995-1996.
• Software copyrighted by RSA Data Security, Inc., © 1990-1992.
• Software copyrighted by Sean M. Burke, © 1999, 2000.
• Software copyrighted by Martijn Koster, © 1995.
• Software copyrighted by Brad Appleton, © 1996-1999.
• Software copyrighted by Michael G. Schwern, © 2001.
• Software copyrighted by Graham Barr, © 1998.
• Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000.
• Software copyrighted by Frodo Looijaard, © 1997.

PATENT INFORMATION
Protected by US Patents 6,029,256; 6,230,288; 6,594,686; 6,151,643; 6,457,076; 6,035,423; 6,269,456; 6,542,943; 6,006,035; 6,266,811; 6,496,875; 6,611,925; 6,622,150

Issued December 2003 / GroupShield™ software version 6.0


DBN 009-EN
Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Getting information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Contacting McAfee Security & Network Associates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1 About GroupShield 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17


What is GroupShield? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
How does GroupShield work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
About GroupShield add-on packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
GroupShield policies management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Anti-spam add-on package for GroupShield 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Evaluation and licensed versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
GroupShield features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Anti-virus scanning within Microsoft® Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Content filtering within Microsoft® Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
File filtering within Microsoft® Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
eXtended Policy Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Anti-spam scanning within Microsoft® Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Enterprise rollout, administration, updating and reporting using McAfee ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . 23

Section 1
Understanding GroupShield
2 Where GroupShield Sits on Your Network . . . . . . . . . . . . . . . . . 27
E-mail server protection — McAfee GroupShield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Other areas to protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Internet gateway protection — McAfee WebShield . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Document repository protection — McAfee PortalShield . . . . . . . . . . . . . . . . . . . . . . 30
Desktop and file server protection — McAfee VirusScan Enterprise . . . . . . . . . . . . . 30
Management solution — McAfee ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . . . 31

Product Guide iii
3 How GroupShield Protects Exchange . . . . . . . . . . . . . . . . . . . . . 33


Protecting Microsoft® Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
When a virus or banned content is detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

4 Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
How does scanning work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
What and when to scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Types of scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
On-access scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
On-demand scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Background scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Proactive scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
GroupShield and Microsoft® Exchange interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Moving messages into public folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Searching within From: To: cc: and bcc: fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

5 Content Management Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . 41


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Threats to your organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Policy actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Creating policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Considering legal implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
What is a global policy? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Where does a policy apply? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Rules and settings within a policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Scanning for viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Setting the action against viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Setting the level of scanning and type of protection . . . . . . . . . . . . . . . . . . . . . 50
Customizing anti-virus settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Blocking specific threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Scanning for content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Creating rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Importing and exporting content rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Creating content rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54


Giving a name and description to the rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Specifying where the rule applies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Specifying the action to take when the rule is triggered . . . . . . . . . . . . . . . . . . 54
Specifying the word or phrase you want to detect . . . . . . . . . . . . . . . . . . . . . . . 55
Adding optional advanced features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Understanding complex content rules for e-mail messages . . . . . . . . . . . . . . . 58
Understanding limitations in content scanning . . . . . . . . . . . . . . . . . . . . . . . . . 59
Scanning for spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Understanding spam scores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Tips for avoiding spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Filtering of files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Adding disclaimers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Handling encrypted content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Limiting the size and numbers of attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Handling digital signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Handling corrupt content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Preventing denial-of-service attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Issuing alerts and notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Section 2
Using GroupShield
6 GroupShield Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
About the GroupShield interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
GroupShield Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
GroupShield Stand-alone Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Opening the GroupShield interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Administering GroupShield from a different computer . . . . . . . . . . . . . . . . . . . . . . . . 73
Introducing the GroupShield interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Navigation pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Quick Help pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Links bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
The GroupShield Home page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Real-time scanning statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Product versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Recently Scanned Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7 Options for Viewing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83


Detected Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Querying the Detected Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Viewing the results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Displayed information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Getting more information about viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Using displayed information to refine your query . . . . . . . . . . . . . . . . . . . . . . . 87
Using the Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Handling quarantined items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Releasing items from the Detected Items database . . . . . . . . . . . . . . . . . . . . . 89
Exporting the query results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Scheduled tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Viewing your scheduled tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Modify an existing scheduled task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Delete an existing scheduled task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Running an existing scheduled task now . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Viewing the progress of a scheduled task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Stopping a running task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Viewing the results of a scheduled task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Product Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Querying the Product Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Viewing the Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Displayed information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Getting more information about entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Using displayed information to refine your query . . . . . . . . . . . . . . . . . . . . . . . 95
Using the Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Exporting the query results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

8 Options for Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99


Product update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
About McAfee Common Updater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
About McAfee AutoUpdate Architect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Creating a schedule to update GroupShield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
On-demand scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Creating a schedule to run an On-demand scan . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Viewing the Results of an On-Demand Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Creating a schedule to generate a status report . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
9 Configuring Anti-Virus and Content . . . . . . . . . . . . . . . . . . . . . . 105


The interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Tree pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Right-click menus in the tree pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Details pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Toolbars and buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Drag and drop feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Managing policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Creating a policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Deleting policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Managing items within a policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Adding rules to the policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Modifying items in the policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Deleting items in the policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Managing content rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Creating a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Exporting rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Importing rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Renaming a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Deleting a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Creating a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Changing a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Assigning rules to a policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Deleting a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Setting up items in the policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Preventing denial-of-service attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Scanning for viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Setting the actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Protecting against specific threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Setting the level of protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Ensuring your anti-virus protection is current . . . . . . . . . . . . . . . . . . . . . . . . . 133
Customizing the settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Scanning for content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Scanning for spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Filtering file types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141


Adding a new file-filtering rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Managing the file-filtering rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Limiting the size of e-mail messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Adding disclaimers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Handling signed e-mail messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Handling encrypted content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Handling corrupt content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Examples of content rules for messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Blocking simple file name traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Blocking joke programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Blocking entertainment files (images, movies, audio) . . . . . . . . . . . . . . . . . . . . . . . 152
Keeping information confidential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Examples of content rules for e-mail messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Preventing e-mail leaving your organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Blocking hoaxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Keeping information confidential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Controlling the flow of important information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Reducing network load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Blocking offensive words . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Stopping nuisance e-mail messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Reducing distracting advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Blocking games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Reducing unsolicited e-mail messages (spam) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Testing anti-virus settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Testing the anti-spam settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Testing a new content rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

10 Configuring GroupShield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163


Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Using tokens in alert notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
On-Access settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting on-access scanning time-outs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
About Microsoft Virus Scanning API (VSAPI) options . . . . . . . . . . . . . . . . . . . . . . . 169
Defining on-access settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
General on-access settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Setting Microsoft Virus Scanning API (VSAPI) options . . . . . . . . . . . . . . . . . . 171
Anti-spam settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171


Specifying junk folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Detected Items Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring the Detected Items database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Product Log Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring the Product Log Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Personal Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Configuring your personal preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Configuring Debug Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Denial Of Service Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Network Associates Error Reporting Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Using Network Associates Error Reporting Service . . . . . . . . . . . . . . . . . . . . 184
Configuring Network Associates Error Reporting Service . . . . . . . . . . . . . . . . 185
Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Adding Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Importing Policy Groups from Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Import and Export Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Importing and exporting configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Section 3
Appendices
A Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Reporting problems with GroupShield 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
MERTool and the Network Associates Error Reporting Service . . . . . . . . . . . . . . . 193
Introducing MERTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Using MERTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Introducing the Network Associates Error Reporting Service . . . . . . . . . . . . . . . . . 195
Using the Network Associates Error Reporting Service . . . . . . . . . . . . . . . . . . . . . . 196
Frequently asked questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Questions about updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Questions about scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Questions about Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Error messages and event log entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202


B Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203


Virus Definition (DAT) files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
GroupShield default settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Anti-Virus and Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
On-Access Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Anti-Spam Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Detected Items Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Product Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Personal Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Import and Export Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

C Alert Messaging with Alert Manager 4.7 . . . . . . . . . . . . . . . . . . 219


Starting Alert Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Configure Alert Manager recipients and methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Overview of adding alert methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Sending a test message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Setting the alert priority level for recipients . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Viewing the Summary page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Forwarding alert messages to another computer . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Sending an alert as a network message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Sending alert messages to e-mail addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Sending alert messages to a printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Sending alert messages via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Launching a program as an alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Logging alert notifications in a computer’s event log . . . . . . . . . . . . . . . . . . . . . . . . 239
Sending a network message to a terminal server . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Using Centralized Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Customizing alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Enabling and disabling alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Editing alert messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Changing alert priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Editing alert message text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Using Alert Manager system variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248


Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252



Preface

This guide introduces McAfee® GroupShield™ software version 6.0 for Microsoft®
Exchange, and provides the following information:

• Overview of the product.
• Descriptions of product features.
• Detailed instructions for configuring and deploying the software.
• Procedures for performing tasks.
• Troubleshooting information.

Audience
This information is designed for system and network administrators who are
responsible for their company’s anti-virus and security program.


Conventions
This guide uses the following conventions:

Bold
    All words from the user interface, including options, menus, buttons, and dialog box names.
    Example: Type the User name and Password of the desired account.

Courier
    The path of a folder or program; a web address (URL); text that represents something the user types exactly (for example, a command at the system prompt).
    Examples:
    The default location for the program is: C:\Program Files\Network Associates\VirusScan
    Visit the Network Associates web site at: http://www.networkassociates.com
    Run this command on the client computer: C:\SETUP.EXE

Italic
    For emphasis or when introducing a new term; for names of product manuals and topics (headings) within the manuals.
    Example: Refer to the VirusScan Enterprise Product Guide for more information.

<TERM>
    Angle brackets enclose a generic term.
    Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.

NOTE
    Supplemental information; for example, an alternate method of executing the same command.

WARNING
    Important advice to protect a user, computer system, enterprise, software installation, or data.

Getting information
Installation Guide *^
    System requirements and instructions for installing and starting the software.
    McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide

Product Guide *
    Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.
    McAfee GroupShield 6.0 for Microsoft Exchange Product Guide (this guide)
    Related Guides:
    McAfee Alert Manager 4.7 Product Guide
    McAfee ePolicy Orchestrator 2.5.1 Product Guide
    McAfee ePolicy Orchestrator 3.0 Product Guide

QuickHelp §
    Contained within the interface, the QuickHelp gives you overview information about each page, and provides links into the high-level Help.

Help §
    High-level and detailed information on configuring and using the software.

Configuration Guide *
    For use with ePolicy Orchestrator™. Procedures for configuring, deploying, and managing your McAfee Security product through ePolicy Orchestrator management software.

Release Notes ‡
    ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.

Contacts ‡
    Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
^ A printed manual that accompanies the product CD. Note: Some language manuals may be available only as a .PDF file.
‡ Text files included with the software application and on the product CD.
§ Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help.


Contacting McAfee Security & Network Associates

Technical Support
    Home Page                          http://www.networkassociates.com/us/support/
    KnowledgeBase Search               https://knowledgemap.nai.com/phpclient/homepage.aspx
    PrimeSupport Service Portal *      https://mysupport.nai.com
    McAfee Security Beta Program       http://www.networkassociates.com/us/downloads/beta/

Security Headquarters — AVERT (Anti-Virus Emergency Response Team)
    Home Page                          http://www.networkassociates.com/us/security/home.asp
    Virus Information Library          http://vil.nai.com
    Submit a Sample — AVERT WebImmune  https://www.webimmune.net/default.asp
    AVERT DAT Notification Service     http://vil.nai.com/vil/join-DAT-list.asp

Download Site
    Home Page                          http://www.networkassociates.com/us/downloads/
    DAT File and Engine Updates        http://www.networkassociates.com/us/downloads/updates/
                                       ftp://ftp.nai.com/pub/antivirus/datfiles/4.x
    Product Upgrades *                 https://secure.nai.com/us/forms/downloads/upgrades/login.asp

Training
    McAfee Security University         http://www.networkassociates.com/us/services/education/mcafee/university.htm

Network Associates Customer Service
    E-mail                             services_corporate_division@nai.com
    Web                                http://www.networkassociates.com/us/index.asp
    US, Canada, and Latin America toll-free:
    Phone                              +1-888-VIRUS NO or +1-888-847-8766
                                       Monday – Friday, 8 a.m. – 8 p.m., Central Time

For additional information on contacting Network Associates and McAfee Security — including toll-free numbers for other geographic areas — see the Contact file that accompanies this product release.
* Logon credentials required.



1  About GroupShield 6.0
This section introduces McAfee GroupShield 6.0 and describes how it protects
your Microsoft® Exchange software from viruses and other potentially harmful or
undesirable content.

The following topics are included:

• What is GroupShield? on page 18
• How does GroupShield work? on page 18
• About GroupShield add-on packages on page 19
• GroupShield features on page 21


What is GroupShield?
McAfee GroupShield 6.0 software provides virus protection and content
management for these versions of Microsoft® Exchange servers:
• Microsoft® Exchange 2000.
• Microsoft® Exchange 2003 (previously known as “Titanium”).

How does GroupShield work?


The GroupShield software integrates with Microsoft® Exchange to scan messages
for viruses and banned content.

Each time a message is written to or read from the store, the GroupShield software
scans it, comparing it with a list of known viruses and suspected virus-like
behavior. GroupShield can also scan for content within the message, using rules
and policies defined within the GroupShield software.

When installed on Microsoft® Exchange 2000, GroupShield 6.0 can also be
configured to use transport scanning of messages as they pass through your
Microsoft® Exchange server. Transport scanning can scan routed mail (e-mail
messages that are not destined for the local server), and can stop the delivery
of messages.

Before configuring GroupShield 6.0 to use transport scanning, consider that
transport scanning supports quarantining, item replacement and cleaning for
MIME messages only. Messages are presented in MIME format in the following cases:
• The message is sent from a non-MAPI client application, from a mailbox on the
  local server. (This means that messages from Microsoft Outlook or Microsoft
  Outlook Web Access on your local server would not be scanned.)
• The message is sent from outside of, or is about to leave, your Microsoft®
  Exchange organization.

Because of the above points, configuring GroupShield 6.0 to use transport
scanning is best reserved for use on gateway servers.

About GroupShield add-on packages


When you install GroupShield 6.0 for Microsoft® Exchange, the software enables
you to protect your Microsoft® Exchange server and your client e-mail computers
from viruses, Trojan horses, potentially harmful software and other types of e-mail
based attacks on your organization.
NOTE
The basic GroupShield 6.0 installation does not include
anti-spam protection.

GroupShield policy management

With either the evaluation or the licensed basic installations of GroupShield 6.0,
you can define up to ten policies to protect against e-mail threats. You can apply
these policies to groups of users, by defining policy groups and assigning different
policies to each policy group.

Adding eXtended Policy Support to GroupShield


If you find that you require more than ten policies, you can purchase eXtended
Policy Support for GroupShield 6.0. This add-on package for the licensed version
of GroupShield 6.0 enables you to define an effectively unlimited number of policies
and rules to protect your Microsoft® Exchange servers.
NOTE
The exact number of policies that can be defined with the
eXtended Policy Support add-on package is limited by the
resources available within your Microsoft® Exchange server.
However, this is a theoretical limit, and is unlikely to be
exceeded in a “real-life” installation scenario.
Please see the McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide for
information about adding eXtended Policy Support to your licensed GroupShield
6.0 installation.
NOTE
You cannot add eXtended Policy Support to evaluation
versions of GroupShield 6.0 for Microsoft® Exchange.


Anti-spam add-on package for GroupShield 6.0


If “spam” or unsolicited and unwanted e-mail is causing problems for your
organization, you can install the anti-spam add-on package for GroupShield 6.0.

This provides additional protection for your Microsoft® Exchange server, filtering
all incoming e-mail messages and assigning “spam scores” to each. You can then
choose to block messages above a certain score, and to mark lower-scoring
messages as possibly containing spam.

Installing the anti-spam add-on package


You can install either the evaluation version or the licensed version of the
anti-spam add-on package to your GroupShield 6.0 installation.

The anti-spam add-on package evaluation version is fully functioning, but is
limited to 90 days’ use. After this time, the anti-spam add-on package will stop
scanning for spam messages.
Please see the McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide for
information about installing the anti-spam add-on package to your GroupShield
6.0 installation.

Evaluation and licensed versions


McAfee GroupShield 6.0 for Microsoft® Exchange and the anti-spam add-on
package are available in both evaluation and licensed versions.
The evaluation versions have the same functionality as the basic licensed versions,
but are only functional for 90 days. After this 90-day period, the software will stop
scanning your Microsoft® Exchange server, and you will not be able to update the
virus definition (DAT) files or the anti-virus engine (on GroupShield 6.0) or the
spam update rules (for the anti-spam add-on package).
You can install the evaluation version of the anti-spam add-on package on either
the evaluation or the licensed version of GroupShield 6.0.

Activation of evaluation versions


If you have installed the evaluation version of either McAfee GroupShield 6.0 for
Microsoft® Exchange or the anti-spam add-on package, you can convert the
software from the evaluation version to the licensed version by purchasing the
relevant activation package.

Please see the McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide for
information about activating the evaluation versions of GroupShield 6.0 and the
anti-spam add-on package.

GroupShield features
This release of the GroupShield software introduces the following major features:

• Anti-virus scanning within Microsoft® Exchange
• Content filtering within Microsoft® Exchange on page 21
• File filtering within Microsoft® Exchange on page 22
• eXtended Policy Support on page 22
• Anti-spam scanning within Microsoft® Exchange on page 23
• Enterprise rollout, administration, updating and reporting using McAfee ePolicy
  Orchestrator on page 23

Anti-virus scanning within Microsoft® Exchange

Description
    The GroupShield software provides the ability to scan for viruses contained in
    messages that are held within the Microsoft® Exchange store.
Where to find
    The following chapters provide specific information on setting up GroupShield
    to scan your Microsoft® Exchange server:
    • Configuring Anti-Virus and Content on page 105
    • On-Access settings on page 167
For more information
    Further details on scanning for viruses can be found in:
    • Virus Scanning on page 35

Content filtering within Microsoft® Exchange

Description
    The GroupShield software provides the ability to scan for content contained in
    messages that are held within the Microsoft® Exchange store.
Where to find
    The following chapters provide specific information on setting up GroupShield
    to scan your Microsoft® Exchange server:
    • Configuring Anti-Virus and Content on page 105


File filtering within Microsoft® Exchange

Description
    The GroupShield software provides the ability to filter files by file name, by
    extension or by the actual — rather than the displayed extension — file type.
Where to find
    The following chapters provide specific information on setting up GroupShield
    to scan your Microsoft® Exchange server:
    • Filtering file types on page 141
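The three filtering criteria described above (file name, displayed extension, and the actual file type found by inspecting content) are illustrated by the following added example. It is not GroupShield code: the signature table, the policy values and the sample attachments are all constructed for the demonstration.

```python
"""Attachment filtering by name, extension and true file type (added example)."""
from __future__ import annotations

import fnmatch
import os

# Leading-byte signatures ("magic numbers") for a few common attachment types.
# Longer signatures come first so a short prefix cannot shadow a longer one.
SIGNATURES: list[tuple[bytes, str]] = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy Office (.doc/.xls/.ppt)
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx/.jar containers
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"GIF8", "gif"),
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"MZ", "pe"),                                   # Windows executables (.exe/.dll/.scr)
]

# True types that a displayed extension is allowed to carry.
EXPECTED_TYPES: dict[str, set[str]] = {
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".ppt": {"ole2"},
    ".pdf": {"pdf"}, ".rtf": {"rtf"},
    ".png": {"png"}, ".gif": {"gif"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
}


def detect_type(data: bytes) -> str | None:
    """Return the true file type from the leading bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def filter_attachment(name: str, data: bytes, *, banned_names=(),
                      banned_extensions=(), banned_types=()) -> tuple[str, str]:
    """Apply the three criteria in order and return (action, reason)."""
    ext = os.path.splitext(name)[1].lower()
    true_type = detect_type(data)

    # 1. File name: case-insensitive glob patterns (catches double extensions).
    for pattern in banned_names:
        if fnmatch.fnmatch(name.lower(), pattern.lower()):
            return "block", f"file name matches banned pattern {pattern!r}"

    # 2. Displayed extension.
    if ext in {e.lower() for e in banned_extensions}:
        return "block", f"extension {ext!r} is banned"

    # 3. Actual file type, regardless of the extension shown to the user.
    if true_type in banned_types:
        return "block", f"content is {true_type!r} despite extension {ext!r}"

    # A known extension whose content is a different known type is also blocked.
    expected = EXPECTED_TYPES.get(ext)
    if expected and true_type is not None and true_type not in expected:
        return "block", f"extension {ext!r} does not match detected type {true_type!r}"

    return "allow", "no rule matched"


# Constructed sample attachments; the bodies are fabricated, not real files.
SAMPLES: dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4\n% fabricated body",
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to .pdf
    "budget.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,
    "photo.jpg.exe": b"MZ" + b"\x00" * 30,
    "notes.txt": b"plain text with no recognisable signature",
}

# Constructed policy values for the demonstration.
POLICY = dict(
    banned_names=["*.jpg.exe", "*.scr"],
    banned_extensions=[".exe", ".dll"],
    banned_types=["pe"],
)


def scan_samples() -> dict[str, tuple[str, str]]:
    """Run every sample attachment through the policy."""
    return {name: filter_attachment(name, data, **POLICY)
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reason) in scan_samples().items():
        print(f"{action:5} {name:15} {reason}")
```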

eXtended Policy Support

Description
    In its basic configuration, GroupShield 6.0 enables you to define up to ten
    policies to help you protect your Microsoft® Exchange server.
    The eXtended Policy Support add-on package gives you a virtually limitless
    number of policies that you can define to protect your Microsoft® Exchange
    servers.
Benefits
    eXtended Policy Support gives you the ability to define policies for different
    teams, departments, offices or even counties within your corporate e-mail
    system.
For more information
    Information about installing the eXtended Policy Support add-on can be found
    in the following guide:
    • McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide

Anti-spam scanning within Microsoft® Exchange

Description
    Increasingly, “spam” or unsolicited and unwanted e-mail messages are
    becoming an issue within the workplace. Spam consumes system resources by
    taking up bandwidth and storage within your corporate systems, and distracts
    staff from their key job functions as they have to deal with the unwanted e-mail
    within their mailboxes.
    GroupShield 6.0 can be extended with the optional anti-spam add-on package,
    which adds anti-spam scanning to your Microsoft® Exchange server.
Benefits
    By scanning and deleting the obvious spam, and marking the potential spam so
    that it can be easily checked, GroupShield 6.0 can help you save on bandwidth
    and the storage required by your Microsoft® Exchange servers.
For more information
    Information about installing the anti-spam add-on package can be found in the
    following guide:
    • McAfee GroupShield 6.0 for Microsoft Exchange Installation Guide

Enterprise rollout, administration, updating and reporting using McAfee ePolicy Orchestrator

Description
    McAfee GroupShield 6.0 integrates with McAfee ePolicy Orchestrator to provide
    a centralized method for rolling out, administering and updating the
    GroupShield software across your Microsoft® Exchange system. ePolicy
    Orchestrator also enables centralized reporting of GroupShield activity.
Benefits
    The ability to centrally manage an organization-wide implementation of the
    GroupShield software reduces the time required to administer and update the
    system.
Where to find
    Additional information relating to using ePolicy Orchestrator to roll out,
    configure and administer your GroupShield installations is available in the
    following guide:
    • McAfee GroupShield 6.0 for Microsoft Exchange Configuration Guide



SECTION 1
Understanding GroupShield

Where GroupShield Sits on Your Network
How GroupShield Protects Exchange
Virus Scanning
Content Management Concepts

2  Where GroupShield Sits on Your Network
The creators of viruses are always looking for new ways of getting past your
anti-virus solution, so we provide a multi-tiered approach to the detection of
viruses. By holding information on more than 80,000 known viruses, your McAfee
Security anti-virus solution detects and neutralizes most viruses as soon as they
enter your network. If a new virus attacks, your anti-virus system can use other
methods to identify virus-like behavior, providing another barrier to the virus
attempting to infect your systems.
Because any computer network can be vulnerable to virus attack from many
sources, it is important that you deploy a multi-layered security solution.
A correctly configured Internet gateway protects your network from the majority
of viruses from the Internet.
Anti-virus protection of your corporate e-mail system is the next layer in your
corporate defense.

However, protecting your Internet gateway and your corporate e-mail systems
cannot protect against viruses that are transferred from computer to computer
within your network, or from an infected CD or disk, a handheld device or any
other device that can transfer files to a computer and download files to it. To
protect your network at this level, you need to add anti-virus protection to your
file servers and desktop computers.


The following is an example network configuration:

Figure 2-1. An example Network configuration

McAfee Security produces a range of products, each aimed at protecting a specific


area within your network. The next section discusses the McAfee GroupShield
software for Microsoft® Exchange.

E-mail server protection — McAfee GroupShield


McAfee GroupShield 6.0 integrates with Microsoft® Exchange, to protect against
viruses that may be transmitted using your corporate e-mail system.

Due to the close integration between your e-mail server and its GroupShield
anti-virus solution, GroupShield can do more than just protect your e-mail server
from viruses. Depending upon your choice of e-mail server, GroupShield can
protect from harmful script sent within the e-mail system, block messages with
specific attachments, block messages based on words that appear either within the
subject line or the body of the message, and block messages from specific
addresses.

Other areas to protect


The following key areas of your network can be protected by McAfee Security
products as part of your integrated virus defense solution:
• Internet gateway protection — McAfee WebShield
• Document repository protection — McAfee PortalShield
• Desktop and file server protection — McAfee VirusScan Enterprise
• Management solution — McAfee ePolicy Orchestrator

Internet gateway protection — McAfee WebShield


The major source of virus threat to your corporate network comes from Internet
traffic, either through e-mail or by connecting to web sites that might contain
potentially harmful code.
The McAfee® WebShield™ product range protects the gateway between your
internal networks and the Internet. By scanning all inbound and outbound traffic
between your network and the Internet, WebShield stops viruses from entering
your network from the Internet.

By stopping viruses before they attack computers within your network, you
eliminate the damage and down-time that the attack can cause, saving your
organization the costs associated with down-time and lost or corrupted data.


Document repository protection — McAfee PortalShield


Using computers within the corporate environment has made it easy to create
documents that might contain mission-critical information. However, because of
the ease with which documents can be created, and the multiple storage places on
the network, it is often more difficult to locate the required information when
needed.

To address this issue, several software vendors produce portal servers to store,
index and control your critical documents in a way that enables them to be easily
located when needed. Because these portal servers are set up to store your critical
information, it is important that this information is also protected.
McAfee PortalShield 1.0 is currently available to protect Microsoft SharePoint
Portal Server 2001, Microsoft SharePoint Portal Server 2003 and Microsoft
Windows SharePoint Services. PortalShield integrates with the stores of these
products to provide scanning of documents each time they are accessed or saved
to the store.
PortalShield also enables you to scan the entire store at times of low usage, to
verify that no infected documents are held within the store.

Desktop and file server protection — McAfee VirusScan Enterprise

Not all viruses are transmitted via e-mail. Many can be spread by reading from
physical media, such as diskettes or CDs. Others spread by using network shares
to copy themselves from one computer to another across your network.

From the viewpoint of somebody trying to attack your corporate network, your file
servers are a good target; because many other computers connect to each of your
file servers, infecting the file server is more likely to have serious consequences
than infecting, for example, a single desktop computer.
The VirusScan products protect desktop computers and file servers within your
network. As part of your integrated response to virus threats, VirusScan can be
viewed as your last line of defense, protecting each desktop computer and file
server from viruses that might spread using network shares or physical media.
VirusScan is available in versions to protect Microsoft Windows and Unix
computers, as well as all the leading wireless devices that might connect to your
PCs and network.

McAfee Virex provides protection for Apple Macintosh computers.


Management solution — McAfee ePolicy Orchestrator


It is imperative that companies manage their anti-virus solution with tools that
deliver an effective means of keeping anti-virus software up-to-date, the ability to
manage and enforce anti-virus configuration comprehensively, flexibility to scale
the solution according to ever-changing business needs, and up-to-date visibility
into the solution's stability.

With ePolicy Orchestrator, you can update all your McAfee anti-virus solutions
across your network from a single point, ensuring that your virus definition (DAT)
files and virus-scanning engines are up-to-date, and that suitable policies are in
place to deal with any attacks to your network.
ePolicy Orchestrator also provides enterprise reporting, giving you confidence
that all desktop computers, servers, groupware, and gateway computers are
up-to-date with the latest DAT file and engine.



3  How GroupShield Protects Exchange
McAfee GroupShield 6.0 protects the following products within the Microsoft®
Exchange product line:

• Microsoft® Exchange 2000
• Microsoft® Exchange 2003

Microsoft® Exchange provides your organization with the ability to communicate


electronically, and to organize and manage information and messages, to arrange
meetings and enable collaboration between team members and colleagues.
However, any system that is designed to create, transmit, store and open messages
can be vulnerable to virus attack. This is especially true if the e-mail message
originates from outside the organization’s network.

GroupShield software protects your Microsoft® Exchange server, detecting and


cleaning or removing viruses, as well as searching for banned content within the
messages that are stored within your Microsoft® Exchange mailboxes.


Protecting Microsoft® Exchange


GroupShield uses the virus scanning interface provided with your version of
Microsoft® Exchange to gain full access to all messages that are being read from,
or written to the store by Microsoft® Exchange.

This presents all message components to GroupShield 6.0 for scanning by the virus-scanning engine and the content management engine, before they are written to the file system or read by users of Microsoft® Exchange.

Once presented to GroupShield, the virus-scanning engine compares the message with all the known virus signatures stored within the currently installed virus definition (DAT) file, and also checks the message using your selected heuristic detection methods.

The content management engine searches the message for banned content, as specified in the content management policies that you have running within GroupShield software.

If these checks do not find any virus or banned content within the message, GroupShield then passes the information back to the virus-scanning API, for completion of the original message request within Microsoft® Exchange.
NOTE
The GroupShield software can also be configured to use
transport scanning when installed on Microsoft® Exchange
2000.

When a virus or banned content is detected

If a virus is detected within the message components, or the content management engine detects that a content rule has been violated, GroupShield takes the actions that have been defined within its configuration settings.

The default actions may be different, depending upon the installed version of Microsoft® Exchange and, where applicable, the chosen scanning method.

4  Virus Scanning
There are several types of virus scanning that your GroupShield software can perform on your Microsoft® Exchange servers to provide as much anti-virus protection as possible. You can configure a number of these scanning features, including selecting the type of scan to be carried out, deciding which objects (for example, archive files) you want the software to scan, and when you want the scan to run.

This chapter provides an overview of how virus scanning works and describes the different types of scanning that are available.

How does scanning work?

Central to your GroupShield software is the McAfee Security virus-scanning engine and the virus definition (DAT) files. The engine is a complex data analyzer, and the DAT files contain a great deal of information, including thousands of different drivers, each of which contains detailed instructions on how to identify a virus or type of virus.

The McAfee Security virus-scanning engine works with the DAT files. It identifies the type of object being scanned (often a file) and decodes the contents of that object, so that it “understands” what the object is. It then uses the information in the DAT files to search for and locate known viruses. Many viruses have a distinctive signature, a sequence of characters unique to that virus, and the engine searches for that signature.

The engine uses a technique called heuristic analysis to help it search for unknown
viruses. This involves analysis of some of the object’s program code and searching
for distinctive features typically found in viruses.

Once the engine has confirmed the identity of a virus, it cleans the object as far as
possible, for example by removing an infected macro from the attachment in which
it is found or by deleting the virus code in an executable file. In some instances, for
example if the virus has destroyed data, the file cannot be fixed and the engine
must make the file safe so that it cannot be activated and infect other files.


What and when to scan

The threat from viruses can come from many directions, including infected
macros, shared program files, files shared across a network, e-mail messages and
attachments, floppy disks, and files downloaded from the Internet. Individual
McAfee Security anti-virus software products target specific areas of vulnerability.
We recommend a multi-tiered approach to provide the full range of virus
detection, security and cleaning capability that you require.

Your GroupShield software provides a range of options that you can further
configure according to the demands of your system. These demands are
dependent upon when and how the component parts of your system operate, and
how they interact with each other and with the outside world, particularly through
e-mail and Internet access.

A variety of options can be configured or enabled which allow you to determine how your anti-virus scanning software should deal with different types of file and what it should do with infected or suspicious items.
For further information about configuring your GroupShield software, see
Configuring Anti-Virus and Content on page 105.

Types of scanning
The different types of scanning fall into two main groups, on-access scanning and
on-demand scanning. They detect the same viruses, but can scan at different entry
points on your server, can scan at different times, and can scan at different stages
in the handling of objects.

On-access scanning
On-access scanning (also known as real-time scanning) examines objects as they
are accessed by the user or the system. It may scan files when the user opens them
or when the user writes to them.
When you first install GroupShield software, on-access scanning defaults are set
but you can configure these to suit your system. You can set global options that
determine how scanning is carried out, including the way the scanner deals with
different types of object, specifying what is to be done with infected items, and
how quarantine and notification is handled.
Within Microsoft® Exchange 2000, GroupShield 6.0 provides two methods of
on-access scanning:

n On-access scanning using the Microsoft Virus-Scanning Application Programming Interface (VSAPI).
n On-access scanning using Transport Scanning.


VSAPI scanning
The Microsoft Virus-Scanning Application Programming Interface (VSAPI) enables GroupShield 6.0 to access the component parts that make up e-mail messages directly from Microsoft® Exchange. GroupShield 6.0 can then scan each of these parts for viruses and banned content, and check the file type information.

Once GroupShield 6.0 has scanned all the parts of the message and carried out the relevant actions, the parts are returned to Microsoft® Exchange, again using VSAPI.

Using VSAPI also allows GroupShield 6.0 to use related scanning techniques, such as Background scanning and Proactive scanning. See Background scanning on page 38 and Proactive scanning on page 39 to learn more about these.

Transport scanning
The Scan email using option enables you to select either VSAPI or Transport Scanning as your on-access scanning method.

Transport scanning is best used when you have configured your Microsoft® Exchange 2000 server as a gateway server, because it allows scanning of routed mail (mail that is not destined for the local Microsoft® Exchange server). Transport scanning also allows you to stop the delivery of unwanted messages.

Transport scanning is useful when you are receiving messages in MIME format. Messages are likely to be in this format when:
n They are sent from a non-MAPI client from a mailbox on the local server (not from Microsoft Outlook or Microsoft Outlook Web Access).
n The messages are arriving from outside of your organization.
n The messages are leaving your organization.


On-demand scanning
GroupShield enables you to create scheduled on-demand scans. You can create
multiple schedules, each running automatically at predetermined intervals or
times.

A scan can be defined to run at a predetermined time and date, or can be set to run
immediately, once it has been created.

You may want to perform an on-demand scan for a number of reasons, for example:
n To check a specific file or files that have been uploaded or published.
n To check that the messages within your Microsoft® Exchange server are virus-free, possibly following a DAT update, in case viruses that the new DAT file can detect are present.
n If you have detected and cleaned a virus and want to check that your computer is completely clean.

For further details of how to configure a scheduled on-demand scan, see On-demand scan on page 102.

Background scanning
Background scanning is a type of on-access scanning that is made possible within Microsoft® Exchange by using the Microsoft virus-scanning API (VSAPI). Performing scans in this way means that not all files need to be scanned when accessed, reducing the workload of the scanner when it is busy.

Background scanning scans the contents of all folders within your Exchange server, then sets a flag at folder level indicating that the scan has been completed. Once this is done, that folder is not checked again until the next background scan, which then only needs to scan new or unscanned folder content.

When enabled in the GroupShield 6.0 interface, background scanning is initiated when the McAfee GroupShield service is started or as soon as a DAT or engine update is complete.

For further details of how to enable background scanning, see On-Access settings on page 167.
NOTES
Background scanning is configured to use the On-Access Scanner policy. See Managing items within a policy on page 117 for more information. Any configuration options that you specify for on-access scanning also apply to background scanning. Background scanning is off by default.


Proactive scanning
Proactive scanning is a type of on-access scanning that is made possible by Microsoft VSAPI. It enables objects from the store to be scanned in order of priority.

Items passing in and out of the store receive a priority rating and are placed in a scanning queue. The scanning queue allows prioritization and reprioritization of items in the queue; for example, if a user tries to open an item that has not been scanned, it is assigned a high priority, whereas items being saved or posted to public folders are assigned a low priority. This is known as priority-based queuing. When all the high priority items have been scanned, scanning of lower priority items begins; the lower priority items are scanned on a first-in-first-out (FIFO) basis.

Any configuration options specified for on-access scanning also apply to proactive scanning. For further details of how to enable proactive scanning, see On-Access settings on page 167.
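As an added illustration (not code from the product or from this guide), the priority-based queue described above can be modelled in a few lines of Python: items posted to public folders enter at low priority, a user's request to open an unscanned item promotes it to high priority, and items of equal priority are scanned first-in-first-out. The class and item names are assumptions made for the example.

```python
import heapq
import itertools
from dataclasses import dataclass, field

# Priority levels named for the example; the lower value is scanned first.
HIGH = 0   # a user is waiting to open an unscanned item
LOW = 1    # items being saved or posted to public folders


@dataclass(order=True)
class QueuedItem:
    priority: int
    seq: int                          # arrival order: FIFO within one level
    item_id: str = field(compare=False)


class ProactiveScanQueue:
    """Priority-based scan queue with reprioritisation (constructed model)."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()
        self._live = {}     # item_id -> current QueuedItem, for reprioritisation

    def enqueue(self, item_id, priority=LOW):
        """Items entering or leaving the store receive a priority rating."""
        entry = QueuedItem(priority, next(self._seq), item_id)
        self._live[item_id] = entry
        heapq.heappush(self._heap, entry)

    def user_opens(self, item_id):
        """A user tries to open an unscanned item: raise it to high priority.

        Returns True if the item was promoted, False if it was not queued or
        was already at high priority.
        """
        current = self._live.get(item_id)
        if current is None or current.priority == HIGH:
            return False
        current.item_id = None          # tombstone the stale low-priority entry
        self.enqueue(item_id, HIGH)
        return True

    def scan_order(self):
        """Drain the queue, returning item ids in the order they are scanned."""
        order = []
        while self._heap:
            entry = heapq.heappop(self._heap)
            if entry.item_id is None:   # skip tombstones left behind by promotion
                continue
            del self._live[entry.item_id]
            order.append(entry.item_id)
        return order


def demo():
    """Constructed scenario: three public-folder posts, one requested by a user."""
    queue = ProactiveScanQueue()
    queue.enqueue("public-post-1")
    queue.enqueue("public-post-2")
    queue.enqueue("public-post-3")
    queue.user_opens("public-post-3")   # a waiting user: it jumps the FIFO order
    return queue.scan_order()


if __name__ == "__main__":
    print(demo())   # ['public-post-3', 'public-post-1', 'public-post-2']
```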


GroupShield and Microsoft® Exchange interactions

McAfee GroupShield 6.0 protects your Microsoft® Exchange server from viruses, Trojan horses and other potentially harmful content within e-mail messages sent to and from your organization.

Because of the way that GroupShield 6.0 and Microsoft® Exchange interact, on some occasions GroupShield 6.0 may behave slightly differently from what you expect. These interactions are described in the following section.

Moving messages into public folders

If you, as the Exchange Administrator, move e-mail messages from mailboxes into
public folders, any policy decisions taken by GroupShield 6.0 are based on the
original sender of the messages, rather than being based on your sender
credentials.
For example, one user is included within a policy group that is configured to have
scanning disabled when sending messages within your organization and another
user is included within a policy group that requires all messages to be scanned. If
you move messages from both these users, the messages from the first user will not
be scanned when you move them, because GroupShield 6.0 makes its policy
decisions based on the original sender.

Searching within From: To: cc: and bcc: fields

When searching for content within the addressee fields — the To:, From:, cc: and
bcc: fields — the only appropriate actions that can be taken are Replace the item
with an alert message or Delete the item. This is because the actions available when
searching for content in the Subject:, body or attachments of the message are not
appropriate in these fields.

5  Content Management Concepts
GroupShield 6.0 uses the McAfee security content management engine within its
architecture.

The concepts relating to content management are discussed and described in these
topics:

n Introduction.
n Threats to your organization on page 42.

n Policies on page 44.

n Rules and settings within a policy on page 49.

Introduction
In the electronic world of commerce, your organization is susceptible to many
threats that affect company image, employees, computers and networks:

n Company image can be damaged by loss of confidential information or abuse that leads to legal action.
n Various electronic distractions and unrestricted use of e-mail and Internet can affect employees’ productivity.
n Viruses and other potentially unwanted software can render computers unusable.
n Uncontrolled use of various types of file on your networks can cause performance problems for your entire organization.

For more information, see Threats to your organization.


Threats to your organization

Damage to company image
  An unguarded or ill-informed remark by an employee might cause legal problems, unless it is covered by a disclaimer.
  See Adding disclaimers on page 63 (concept).
  See Adding disclaimers on page 146.

Spam (unsolicited e-mail)
  Unsolicited commercial e-mail messages are the electronic equivalent of junk mail. Often they contain advertising that was not expected by the recipients. Such mail is often sent out by the hundreds or thousands. Unless the recipient is already a customer, or has asked for the information, the e-mail message is usually unwelcome. Other types of unsolicited e-mail messages include political messages, virus hoaxes, poetry, jokes, and chain letters. Although it is more of a nuisance than a threat, spam can degrade the performance of your network.
  See Reducing unsolicited e-mail messages (spam) on page 158.
  See Scanning for spam on page 136.

Large e-mail messages
  E-mail messages with large or numerous attachments can slow the performance of mail servers. The overall message size, and the size and number of e-mail attachments that users can send and receive, need to be controlled.
  See Limiting the size of e-mail messages on page 144.

Mass-mailer viruses
  Although these can be cleaned like any other virus, their rapid spread can quickly degrade the performance of your network.
  See Blocking specific threats on page 52.

E-mail messages from undesired sources
  Disgruntled ex-employees and unscrupulous traders who know the e-mail addresses of your employees can cause distress and distraction.
  See Stopping nuisance e-mail messages on page 158.

Non-business use of e-mail
  If most employees are using e-mail only within the organization, any of their messages that leave the organization are likely to be for non-business use.
  See Considering legal implications on page 47.

Loss of company-confidential information
  This can happen if someone sends a message or document that contains details of unreleased products, a document that is marked as confidential, or a file such as a database of customer details.
  See Keeping information confidential on page 156.

Offensive language
  Offensive words and phrases can appear in e-mail messages sent and received, and in attachments. Besides causing offense, they can even provoke legal action.
  See Scanning for content on page 52.
  See Blocking offensive words on page 157.

Transfer of “entertainment” files
  File types such as video files like MPEG and audio files like MP3 are often intended for entertainment only, and not for business use. Their large sizes may also slow your network performance. Some executables (.EXE and .COM files) might be games or illegally copied software.
  See Blocking entertainment files (images, movies, audio) on page 152.

Inefficient file types
  Some types of file use large amounts of memory and can be slow to transfer, but alternatives are often available. For example, .GIF and JPEG files are much smaller than their equivalent .BMP files, and .PDF files are smaller than their equivalent PostScript files.
  See Filtering of files on page 62.
  See Reducing network load on page 157.

Transfer of large files
  The transfer of large files can slow the performance of your network. Such transfers ought to be limited to certain groups of people.
  See Filtering of files on page 62.
  See Reducing network load on page 157.

Denial-of-service attack
  A deliberate surge of large files could seriously affect the performance of your network, making it unusable to its legitimate users.
  See Blocking specific threats on page 52.
  See Reducing network load on page 157.

Pornographic text
  Numerous strange and offensive terms abound.
  See Blocking offensive words on page 157.
  See Scanning for spam on page 136.

Viruses and other potentially unwanted software
  Viruses and other potentially unwanted software can quickly make computers and data unusable.
  See Scanning for viruses on page 50 (concept).
  See Scanning for viruses on page 129.

Corrupt content
  This type of content cannot be scanned, so you need to decide how to handle it.
  See Handling corrupt content on page 150.

Encrypted content
  This type of content cannot be scanned, so you need to decide how to handle it.
  See Handling encrypted content on page 149.


Policies
GroupShield 6.0 helps you to control these electronic threats with special sets of
rules and settings — called policies — that you create to suit your organization. You
can apply a ready-made policy (known as a global policy) to your entire
organization, and you can also create other policies based on the global policy to
suit the specific needs of any part of your organization.
n Features on page 45.
n Policy actions on page 46.
n Creating policies on page 46.
n Considering legal implications on page 47.
n What is a global policy? on page 47.
n Where does a policy apply? on page 48.


Features
Much like an insurance policy, GroupShield protects you against a number of
threats.

When first installed, GroupShield 6.0 contains the following default policies:
n On-Access Scanner
n On-Demand (Default)
n On-Demand (Find Viruses)
n On-Demand (Remove Viruses)
n On-Demand (Find Banned Content)
n On-Demand (Remove Banned Content)
n On-Demand (Full Scan)
n Outbreak Manager
n Gateway

You can customize these policies to more precisely specify the threats to your
organization:

n Virus scanning — you specify how to handle various types of infected items.
See Scanning for viruses on page 50.

n Content scanning — you specify words and phrases that must not appear in
the subject line or body of e-mail messages. Each specification is known as a
content rule. See Scanning for content on page 52.
n Scanning for spam — you specify how to handle various types of unwanted
e-mail messages. See Scanning for spam on page 59.
n File filtering — you specify the names, types and sizes of files to block, using
file-filtering rules. See Filtering of files on page 62.
n Disclaimers — you specify the wording and how to include them in e-mail
messages. See Adding disclaimers on page 63.
n Encrypted content — you specify how to handle it. See Handling encrypted
content on page 63.
n Limits to the size of e-mail messages — you specify the size and quantity of
attachments that are allowed with each e-mail message, and any special
handling for large messages. See Limiting the size and numbers of attachments on
page 64.

n Corrupt content — you specify how to handle it. See Handling corrupt content
on page 65.

n Signed e-mail messages — you specify how to handle digital signatures when
infected files are cleaned. See Handling digital signatures on page 64.


Policy actions
A policy specifies how GroupShield must act when a threat becomes a reality.
Your policies prescribe the action that GroupShield must take against the many
threats described in Threats to your organization on page 42.

You prescribe the action that GroupShield must take when any part of the policy
is violated. For example, if a virus is detected, you can choose to clean, quarantine,
or delete the infected item. If GroupShield finds an undesirable phrase that you
specified in a content rule, you can choose to block the item or allow it through,
optionally inform other users, or record the event in a log. If a large file is detected,
you can choose to block it, or you can allow it through and issue an alert.

Quarantine
Whenever GroupShield detects an item that is infected with a virus or has some
undesirable content, GroupShield may quarantine the item, if you have configured
that action. GroupShield reserves a special area for quarantined items — the
Detected Items database — that you can inspect at a later date. All quarantined items
are tagged with a number for ease of reference.

Depending on how the configuration has been set up, GroupShield can alert the
sender, recipient and administrator.
Although the use of a quarantine area allows you to monitor the attacks on your
organization, consider carefully how much you will use it, especially if you
encounter a large number of viruses daily or you have many content rules. To
conserve your disk space, examine and empty the quarantine area regularly.

Alert messages
GroupShield integrates with McAfee Alert Manager 4.7 to provide you with a
seamless alerting system across the different McAfee anti-virus products used
within your network.
You can configure GroupShield to inform the sender, the recipient and an
administrator with an alert message whenever an event occurs — GroupShield
detects a virus, some undesirable content, or a file that is larger than allowed.

See Alert Messaging with Alert Manager 4.7 on page 219 to learn more about alert
messages.

Creating policies
GroupShield uses policies to enable you to define how it scans the messages within your Microsoft® Exchange environment, and how it should react when it detects a virus, banned content or other content that you have specified.

GroupShield includes a number of global policies, such as the On-Access Scanner policy, which are used to define the actions for global scanning.


You can create additional policies that are applied to specific policy groups. A policy
group might be a geographical area, a department, a domain, or some other
distinct part of the organization. For example, you can apply a policy to any group
of people. Within an organization, you might need to apply separate policies to
each department.

In the following example, the policy on the left is called the global policy. It is well
suited to most departments in the organization. However, it is not ideal for the
sales department because they often handle much larger files for customers.
Therefore the sales department needs a different policy. You can create their policy
by creating a new policy based on the global policy, then modifying some parts to
better suit that department.

Table 5-1. Creating policies

Global policy:
  Apply medium-level scanning for viruses.
  Do not accept files that are larger than 10MB.

Policy for Sales Department:
  Apply medium-level scanning for viruses.
  Do not accept files that are larger than 50MB.

The sales department has inherited one item from the global policy (for
medium-level scanning) and modified one item (for the size of files).

Considering legal implications

Before applying any restrictions on employees’ e-mail and Internet access, check
any requirements in your local laws. In some instances, such restrictions might be
illegal. You should at least consider informing employees that restrictions are in
force. It might be useful to display a statement when they start up their computers.
We advise you to discuss the implications with your legal department.

What is a global policy?

When it is first installed, GroupShield has nine global policies defined. These are:

n On-Access Scanner
n On-Demand (Default)
n On-Demand (Find Viruses)
n On-Demand (Remove Viruses)
n On-Demand (Find Banned Content)
n On-Demand (Remove Banned Content)
n On-Demand (Full Scan)
n Outbreak Manager
n Gateway


These global policies describe how items will be scanned for viruses, file-filtering
rules, and various other settings in different circumstances. These global policies
apply to the whole organization.

From these policies, you can create further policies as necessary to apply to groups
of users or domains.

As you create further policies, each one records whether any of its current settings
are inherited from the global policy. A change to the global policy — such as an
increased level of anti-virus protection or a new file-filtering rule — is propagated
instantly to the other policies. The global policy also indicates how many other
policies have inherited its settings.
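The inheritance behaviour described here, and the Sales example in Table 5-1, can be modelled in Python (an added example, not the product's own implementation): a derived policy records only the settings it overrides, so a change to the global policy propagates to every derived policy that has not overridden that setting, and the global policy can count how many policies still inherit each setting. The policy names and setting keys are assumptions.

```python
class Policy:
    """A policy that records only its own settings and inherits the rest.

    Constructed model for the example; names and keys are assumptions.
    """

    def __init__(self, name, parent=None, **own_settings):
        self.name = name
        self.parent = parent
        self._own = dict(own_settings)    # settings set explicitly on this policy
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def get(self, key):
        """Effective value: own setting if present, otherwise the parent's."""
        if key in self._own:
            return self._own[key]
        if self.parent is None:
            raise KeyError(f"{self.name}: no setting {key!r}")
        return self.parent.get(key)

    def set(self, key, value):
        """Changing a setting here reaches every policy that inherits it."""
        self._own[key] = value

    def is_inherited(self, key):
        """True if this policy takes the setting from its parent chain."""
        return self.parent is not None and key not in self._own

    def inheritors(self, key):
        """How many descendant policies currently inherit this setting."""
        count = 0
        for child in self.children:
            if child.is_inherited(key):
                count += 1 + child.inheritors(key)
        return count


def build_example():
    """Table 5-1 as objects: the global policy and a Sales policy based on it."""
    global_policy = Policy("Global", scan_level="medium", max_file_size_mb=10)
    sales = Policy("Sales", parent=global_policy, max_file_size_mb=50)
    marketing = Policy("Marketing", parent=global_policy)   # inherits everything
    return global_policy, sales, marketing


def demo():
    global_policy, sales, _marketing = build_example()
    before = (sales.get("scan_level"), sales.get("max_file_size_mb"))
    global_policy.set("scan_level", "high")    # raise protection globally
    after = (sales.get("scan_level"), sales.get("max_file_size_mb"))
    return {
        "sales_before": before,                 # ("medium", 50)
        "sales_after": after,                   # ("high", 50): level propagated
        "sales_inherits_level": sales.is_inherited("scan_level"),            # True
        "inherit_scan_level": global_policy.inheritors("scan_level"),        # 2
        "inherit_file_size": global_policy.inheritors("max_file_size_mb"),   # 1
    }


if __name__ == "__main__":
    print(demo())
```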

Where does a policy apply?

The global policy applies to all users within the organization. However, you can
create further policies in case you need exceptions to the global policy to suit more
precisely any geographical areas, functions, mailboxes, domains or departments
within your organization. In GroupShield, the general term for any such part is a
policy group.


Rules and settings within a policy

This section describes in further detail the rules and settings that a policy contains, and how to alert users that the policy has been violated.
WARNING
The content rules supplied with GroupShield 6.0 are provided as sample rules, from which you can generate your own rules to meet the requirements of your organization. McAfee does not guarantee that these rules will detect all inappropriate content, or that the rules will not be triggered by content that you consider appropriate to your business needs.

We recommend that you test all default or new rules using the Allow the item through and Log the item actions, to monitor the effects of the rules on the type of messages you normally receive. When you are confident that the rules will not cause unexpected loss of information that you consider benign and valuable, you can then assign actions that can modify your data, such as Replace the item with an alert message or Delete the item.

n Scanning for viruses.

n Scanning for content on page 52.

n Scanning for spam on page 59.

n Preventing denial-of-service attacks on page 65.

n Filtering of files on page 62.

n Adding disclaimers on page 63.

n Handling encrypted content on page 63.


n Limiting the size and numbers of attachments on page 64.

n Handling corrupt content on page 65.


n Handling digital signatures on page 64.

n Issuing alerts and notifications on page 66.

n Setting up items in the policy.


Scanning for viruses

When you prepare settings for scanning viruses and other potentially unwanted
software, you need to consider the following:

n Action to take when a virus is found. See Setting the action against viruses on
page 50.

n How to handle mass-mailer viruses. See Blocking specific threats on page 52.
n The level of anti-virus protection that you need. See Setting the level of scanning
and type of protection on page 50 and Customizing anti-virus settings on page 51.

Setting the action against viruses

You can choose to clean each virus that is detected. If this is not possible (for example, because a file is read-only), you can delete the infected file or move it to a safe area (or “quarantine”). Additionally, you can inform an administrator of the detection, or record the event in a log.
See Setting the actions on page 131 to learn how to do this.

Setting the level of scanning and type of protection

Not all files are prone to virus infection. For example, simple text and graphic files are only data; they do not run as executable computer code, and therefore cannot propagate viruses. Compressed files are also unlikely to propagate viruses until they are first decompressed and then executed. If your site employs other virus-scanning techniques, such as on-access scanning, which detects viruses inside messages as they are viewed and executed, you might not need some of the higher and more time-consuming levels of scanning. Therefore GroupShield provides several levels of anti-virus protection, allowing you to choose high, medium, and low levels of scanning:
n High — Most secure. Scans all files, including compressed files.

n Medium — Scans executables, Microsoft Office files and compressed files.

n Low — Least secure. Scans executables and Microsoft Office files.

Be aware that a higher level of scanning provides good security but can affect
performance. In some cases, high levels of scanning are unnecessary if data is
being scanned for viruses elsewhere in your network.

In addition, you can customize the scanning by choosing exactly what to scan from
a range of options. See Customizing anti-virus settings on page 51.


Customizing anti-virus settings

Besides giving you the preset levels of scanning described in Setting the level of
scanning and type of protection on page 50, GroupShield also allows you to specify
various options when scanning for viruses. Be aware that although more options
can provide greater security, the scanning will take longer. The scanning options
are described next.
n Scan all files.

Some operating systems such as Microsoft Windows use the extension name
of a file to identify its type. For example, files with the extension .EXE are
programs. However, if a virus-infected file is renamed with a harmless
extension such as .TXT, it can escape detection. The operating system cannot
run the file as a program, unless it is renamed later. This option ensures that
every file is scanned.
n Scan default file types.

Normally the scanner examines only the default file types — in other words, it
concentrates its efforts on scanning those files that are susceptible to viruses.
For example, many popular text and graphic formats are not affected by
viruses. Currently the scanner examines over 100 types by default, which
includes .EXE and .COM.
n Scan defined file types.

Some operating systems such as Microsoft Windows use file name extensions
to identify the type of file. For example, files with the extension .EXE are
programs, files with the extension .TXT are simple text files. GroupShield
allows you to specify the types of files you wish to scan according to their file
name extension.

n Scan archive files (such as WinZip, Arj, RAR).

By default, the scanner scans inside file archives such as .ZIP or .LZH files.

n Find unknown file viruses and Find unknown macro viruses.

An anti-virus scanner typically detects viruses by looking for a virus signature, which is a binary pattern found in a virus-infected file. However, this approach cannot detect a new virus because its signature is not yet known, so GroupShield uses another technique: heuristic analysis. Programs, documents or e-mail messages that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or use other means to replicate themselves. The scanner analyzes the program code to detect these kinds of computer instructions.

Find unknown file viruses scans program files and identifies potential new file viruses.

Find unknown macro viruses scans for macros in attachments (such as those used by Microsoft Word, Microsoft Excel, and other Microsoft Office applications) and identifies potential new macro viruses.

n Find all macros and treat as infected.

Macros inside documents are a popular target for virus writers. Therefore, for added security, you might consider scanning all files for macros within attachments.

n Remove all macros from documents.

You can choose to have all macros removed, whether they are infected or not.

n Find joke programs.

These programs are not harmful. They play tricks on the user such as
displaying a hoax message.
n Find suspicious programs.

These programs might be dangerous but they are not viruses. They include
programs such as remote-access utilities and password crackers.
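The point made under Scan all files, that a file selected by extension can escape scanning when it is renamed, can be shown in Python (an added example, not the engine's own logic): the three selection options decide whether a constructed attachment is scanned, and a content-based check flags the mismatch between its leading bytes and its .txt name. The magic numbers are well-known public file signatures; the extension sets are constructed subsets, not the product's real default list.

```python
import os

# Well-known leading bytes used to identify content by what it is rather than
# what it is called. Real, public file signatures; a small subset for the demo.
MAGIC_BYTES = [
    (b"MZ", "executable"),                              # DOS/Windows PE header
    (b"PK\x03\x04", "archive"),                         # ZIP container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office"),   # OLE2 compound document
]

# Constructed subset of "default file types"; the real list covers over 100
# types and is not reproduced here.
DEFAULT_EXTENSIONS = {".exe", ".com", ".doc", ".xls", ".zip"}

# Extensions that normally carry each content type (constructed mapping).
EXPECTED_EXTENSIONS = {
    "executable": {".exe", ".com", ".dll", ".scr"},
    "archive": {".zip"},
    "office": {".doc", ".xls", ".ppt"},
}


def sniff_content_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    for magic, kind in MAGIC_BYTES:
        if data.startswith(magic):
            return kind
    return "data"


def should_scan(filename: str, option: str, defined=()) -> bool:
    """Apply one of the three selection options: "all", "default" or "defined".

    Only "all" ignores the file name; the other two trust the extension.
    """
    if option == "all":
        return True
    ext = os.path.splitext(filename)[1].lower()
    if option == "default":
        return ext in DEFAULT_EXTENSIONS
    if option == "defined":
        return ext in {e.lower() for e in defined}
    raise ValueError(f"unknown option {option!r}")


def extension_mismatch(filename: str, data: bytes) -> bool:
    """Defender's check: the content type contradicts the extension."""
    kind = sniff_content_type(data)
    if kind == "data":
        return False            # plain data: no expectation to contradict
    ext = os.path.splitext(filename)[1].lower()
    return ext not in EXPECTED_EXTENSIONS[kind]


def demo():
    # Constructed attachment: an executable header hiding behind a .txt name.
    name, data = "notes.txt", b"MZ\x90\x00" + b"\x00" * 60
    return {
        "scanned_under_default": should_scan(name, "default"),            # False
        "scanned_under_defined": should_scan(name, "defined", [".exe"]),  # False
        "scanned_under_all": should_scan(name, "all"),                    # True
        "content_type": sniff_content_type(data),                         # executable
        "mismatch_flagged": extension_mismatch(name, data),               # True
    }


if __name__ == "__main__":
    print(demo())
```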

Blocking specific threats


Normally, GroupShield handles all potentially harmful software in the same way,
however you can specify that certain types are handled differently.
For example, you can configure GroupShield to inform the sender, the recipient
and an administrator with an alert message whenever a virus is detected in an
e-mail message. This feature is useful in that it shows that the anti-virus scanner is
working correctly, but it can become a nuisance when a mass-mailer virus is
encountered. Mass-mailer viruses such as Melissa and Bubbleboy propagate
themselves rapidly using e-mail services. As a result, numerous alerts are
generated, and these can be as irritating as the surge of infected e-mail messages
that have been blocked.

A feature in GroupShield allows you to handle any mass-mailer virus separately
from other types of virus. For example, you can choose to discard the infected
document immediately, and thereby suppress any alert messages that would
otherwise be generated.

Scanning for content


GroupShield can scan e-mail messages and their attachments for undesirable
content. You can create the rules stating what words or phrases are not permitted
in any message or attachment, and GroupShield uses the rules to prevent such
messages and attachments reaching the intended destination.

Rules and settings within a policy

You can have a large number of rules, and each rule can specify words in various
combinations. The rules can be simple such as detecting the use of a single word
or phrase. They can be more complex and include combinations of phrases that
appear closely together. A complex rule can allow the use of a word in one
situation, but prevent its use in others.

Typically, you will want a rule to scan for undesirable words in the content of each
message. However, you can also scan the following items:

n Content in attachments.
n Names of files attached to e-mail messages.

n Name of sender.

n Name of recipient.

n Name of domain.

Creating rule groups


Many rules exist in groups. For example, rules about vehicles restrict their parking,
speed, and weight. Similarly, you also organize your content rules into groups.
For example, you can create a rule group, called Offensive descriptions, then within
the group you can create one rule that detects cruel, another rule that detects
unkind, and another rule that detects uncaring, and so on.
Your content rules are likely to grow in number and complexity over time,
therefore it is important to consider carefully how you group your rules and how
you name the rule groups and each rule. In GroupShield, rules are held separately
from policies. You develop your rules, then assign each rule group to a policy, and
finally specify the actions to suit the policy.

Importing and exporting content rules


Having created a content rule, you can share its rules and settings with other
computers and with our other products, because rules can be imported and
exported as text files in XML format.

For information about how to do this, see:


n Exporting rule groups on page 122.

n Importing rule groups on page 122.


Creating content rules


To use content scanning, you create rules using the following steps:
1 Giving a name and description to the rule on page 54.

2 Specifying where the rule applies on page 54.

3 Specifying the action to take when the rule is triggered on page 54.
4 Adding optional advanced features on page 56.

These steps are next described in more detail.

Giving a name and description to the rule


Over time, you can create many rules, so each needs an accurate name and
description.

Remember that when the rule is violated, the name of the rule appears in the alert
message that users see. Therefore, if you are trying to prevent the use of an
insulting phrase, do not include that phrase in the name of the rule. Instead, name
your rule as something like “Ban Insult 23.”
Each rule can also have a description. You can provide more information here about
the purpose of the rule. The rule’s description does not appear in the alert message.

Specifying where the rule applies


A banned phrase might appear in the body of the message, its subject line or even
inside a plain-text attachment. GroupShield can scan the file name of any
attachments too, so you can block attachments by exact name, such as
goodgame.exe, or by file types, such as *.JPG files. A scan on each message sender
will block known senders, especially those sending nuisance mail.

See also the anti-spam features, described in Scanning for spam on page 59.

Specifying the action to take when the rule is triggered


You can take several actions against any item that triggers a rule. The available
range of actions include:
n Replace the item with an alert message — The item is automatically replaced by
an alert in the e-mail message body or attachments, explaining why the
original was replaced.
n Delete the item — The item is deleted when it is detected.

n Allow the item through — The item is not changed, and is allowed through to
the intended recipients.

In addition, one or more of the following secondary actions can be specified:


n Log the item — Your primary action is carried out, but, in addition,
GroupShield 6.0 logs the rule violation.

n Quarantine the item — GroupShield places the item in a quarantine area — the
Detected Items Database — where you can examine the item and decide how to
handle it.
n Notify Administrator — Your primary action is carried out, but, in addition,
GroupShield 6.0 sends a notification message to the administrator.
n Notify Sender — Your primary action is carried out, but, in addition,
GroupShield 6.0 sends a notification message to the sender.

Specifying the word or phrase you want to detect


You can specify precisely how a word or phrase appears by specifying its case,
using wild cards, and specifying its position:
n Ignoring case.

Normally GroupShield scans for the word or phrase exactly as it is written. If
you specify that case is to be ignored, GroupShield matches the word or phrase
regardless of its case. So, “abc” will match abc, Abc, ABC and aBc, or any
combination of uppercase and lowercase letters contained in the phrase.
n Using wildcards.
With this feature, you can use the characters * and ? to represent missing
characters:
w ? represents any single character.
For example, “??g” will match dig, dog and tug.
w * represents any number of characters including none at all.
For example, “s*ing” will match sing, singing and sting.
n Specifying characters at the start or end of words.

You can match characters that appear only at the start of a word.
For example, “hat” matches hat, hate, hats, and hatter.

You can match characters that appear only at the end of a word.
For example, “hat” matches hat, that and what.

You can match characters at the start and at the end of a word.
For example, “hat” matches hat but does not match hate, that, or what.

You can match characters anywhere in the word.


For example, “hat” matches hat, hate, that and what.


Some types of file use special formatting characters to specify the layout of text.
For example, attachments can contain characters to denote word breaks, line
breaks, tabs, cells, end of lines, and other format information. See Table 5-2 on
page 57 for details.

Some characters such as currency symbols and accented characters might be
difficult to match because of variations in character sets. You might need to
experiment to ensure that your rules can detect such characters.

Adding optional advanced features


You can further refine the conditions that trigger a rule by specifying how other
words or phrases may appear in combination with the first word or phrase — their
context and their nearness.
n Words in context with other words on page 56.

n Words that are near other words on page 57.

Words in context with other words


n A rule may trigger if all of the additional words or phrases are present.

For example, a rule is triggered when the name of a secret new product is used
in the same e-mail message as the date for the product’s launch.

n A rule may trigger if any of the additional words or phrases are present.
For example, a rule is triggered when any word appears that is on a list of
offensive words, or a list of secret projects.
n A rule may trigger if none of the additional words or phrases are present.
For example, a rule is triggered when an offensive word, such as dog, is used
except when it was used to specify a type of that animal, for example, a corgi
or alsatian.


Words that are near other words


Normally, when you are searching content in any small document, the banned
words are near each other. However in a longer document, the words might
appear anywhere, and falsely trigger the rule. To avoid this, your rule can
consider the nearness of the words.
As a simple example, a rule might trigger if two words such as ugly and
manager appear together within a block of 50 characters. In this case, the
second paragraph will be detected and can be blocked to prevent the insult.

The latest version of the product looks ugly. We need to consider several problems
here. I will discuss improvements with the manager of that department.

I attended the meeting about that new product today. The new manager is so ugly,
nobody will ever want to work with him.

This feature is useful in blocking some offensive phrases. They often contain
words that do not cause offence when used alone, but become offensive when
grouped together.
Note that nearness is best suited to plain text. It cannot accurately interpret
character counts in binary files or files that contain complex text formatting.

Definition of a word
A word is any number of characters bounded by a word delimiter, which is usually
some form of punctuation. GroupShield uses the word delimiters in the following
table, which are taken from the UNICODE character definitions in the
Punctuation, Separator, and Math Symbol sets.

Table 5-2. Word delimiters

horizontal tab            line feed                  line break
space                     exclamation mark (!)       quotation mark (")
number sign (#)           percent sign (%)           ampersand (&)
apostrophe (')            left parenthesis (()       right parenthesis ())
asterisk (*)              plus sign (+)              comma (,)
hyphen-minus (-)          full stop (.)              solidus (/)
colon (:)                 semicolon (;)              less-than sign (<)
equals sign (=)           greater-than sign (>)      question mark (?)
commercial at (@)         left square bracket ([)    reverse solidus (\)
right square bracket (])  low line (_)               left curly bracket ({)
vertical line (|)         right curly bracket (})    tilde (~)
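The matching options described above (case, the * and ? wildcards, start/end/whole-word position) and the nearness rule, with words split on the Table 5-2 delimiters, as an added Python example; this is illustrative code, not GroupShield's own matcher. The two paragraphs are the nearness example from this section, embedded as constructed test input; the curly quotation mark from the table is represented by the straight one.

```python
import re

# Word delimiters from Table 5-2, in their ASCII forms. "line break" is taken
# here to be the carriage return (an assumption; the table does not say).
WORD_DELIMITERS = set('\t\n\r !"#%&\'()*+,-./:;<=>?@[\\]_{|}~')


def tokenize(text):
    """Split text into (word, offset) pairs; a word is any run of non-delimiters."""
    words, start = [], None
    for i, ch in enumerate(text):
        if ch in WORD_DELIMITERS:
            if start is not None:
                words.append((text[start:i], start))
                start = None
        elif start is None:
            start = i
    if start is not None:
        words.append((text[start:], start))
    return words


def compile_pattern(pattern, ignore_case=False, use_wildcards=False, position="anywhere"):
    """Turn a rule pattern into a regex that is applied to one word at a time.

    position is "start", "end", "whole" or "anywhere", the four choices the
    section gives for characters at the start or end of words.
    """
    if use_wildcards:
        # ? is any single character, * any number of characters including none.
        body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    else:
        body = re.escape(pattern)
    if position in ("start", "whole"):
        body = "^" + body
    if position in ("end", "whole"):
        body = body + "$"
    return re.compile(body, re.IGNORECASE if ignore_case else 0)


def find_words(text, pattern, **options):
    """Return the (word, offset) pairs in text whose word matches the pattern."""
    regex = compile_pattern(pattern, **options)
    return [(word, offset) for word, offset in tokenize(text) if regex.search(word)]


def near(text, pattern_a, pattern_b, window, **options):
    """Nearness rule: true when a word matching each pattern starts within
    `window` characters of the other."""
    offsets_a = [offset for _, offset in find_words(text, pattern_a, **options)]
    offsets_b = [offset for _, offset in find_words(text, pattern_b, **options)]
    return any(abs(a - b) <= window for a in offsets_a for b in offsets_b)


# The two paragraphs from the nearness example (constructed test input).
PARAGRAPH_1 = ("The latest version of the product looks ugly. We need to consider "
               "several problems here. I will discuss improvements with the manager "
               "of that department.")
PARAGRAPH_2 = ("I attended the meeting about that new product today. The new manager "
               "is so ugly, nobody will ever want to work with him.")

if __name__ == "__main__":
    print(find_words("hat hate hats hatter that what", "hat", position="start"))
    print(near(PARAGRAPH_1, "ugly", "manager", 50), near(PARAGRAPH_2, "ugly", "manager", 50))
```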


Understanding complex content rules for e-mail messages


E-mail messages typically have a different structure to documents, and this can
affect the way that content rules apply.

For example, consider the following text in a document:


I think our manager is stupid and ugly.

To prevent the words “stupid” and “ugly” appearing together in a document, you
can create a rule with a complex phrase — the rule triggers when these words appear
together.
The same rule will work on the following simple e-mail message:
To: user1@example.com

From: user2@example.com

Subject: Our manager


I think he is stupid and ugly. What do you think?

Now consider a second example:


To: user1@example.com

From: user2@example.com

Subject: Our stupid manager


I think he is ugly too. What do you think?

The complex rule you have already created will not trigger in this case. Most e-mail
messages are based on the MIME format, and they comprise several parts. You can
think of each part as a separate file — one for the “To” address, the “From”
address, the subject line, and the message body. In this example, no part contains
both words — “stupid” is in the subject line, while “ugly” is in the message body.

To trigger a content rule on the words “stupid” and “ugly” appearing together in
an e-mail message, you must create a rule that combines two simple conditions — the
rule triggers when the word “stupid” appears anywhere in an e-mail message and
when the word “ugly” appears anywhere in an e-mail message.
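The two kinds of rule contrasted above, applied to the two example messages, as an added Python example (not GroupShield code): each header field and each MIME body part is scanned as a separate part, so a complex phrase rule needs both words in one part, while the combined rule accepts them in any part. The messages are constructed to match the page's examples.

```python
import re
from email import message_from_string

# Constructed messages following the page's two examples.
MESSAGE_1 = """To: user1@example.com
From: user2@example.com
Subject: Our manager

I think he is stupid and ugly. What do you think?
"""

MESSAGE_2 = """To: user1@example.com
From: user2@example.com
Subject: Our stupid manager

I think he is ugly too. What do you think?
"""


def message_parts(raw):
    """Split a message into the parts that are scanned separately: the To, From
    and Subject fields, plus every body part of the MIME structure (multipart
    containers themselves carry no text and are skipped)."""
    msg = message_from_string(raw)
    parts = {"to": msg["To"] or "", "from": msg["From"] or "", "subject": msg["Subject"] or ""}
    for index, part in enumerate(msg.walk()):
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        parts[f"body{index}"] = payload.decode(part.get_content_charset() or "utf-8", "replace")
    return parts


def contains_word(text, word):
    """Whole-word, case-insensitive match of one word inside one part."""
    return re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE) is not None


def complex_phrase_rule(raw, words):
    """A single rule with a complex phrase: triggers only when ONE part contains all the words."""
    return any(all(contains_word(part, w) for w in words) for part in message_parts(raw).values())


def combined_conditions_rule(raw, words):
    """Two simple conditions combined: each word may appear anywhere in the message."""
    parts = list(message_parts(raw).values())
    return all(any(contains_word(part, w) for part in parts) for w in words)


if __name__ == "__main__":
    for name, raw in (("message 1", MESSAGE_1), ("message 2", MESSAGE_2)):
        print(name, complex_phrase_rule(raw, ["stupid", "ugly"]),
              combined_conditions_rule(raw, ["stupid", "ugly"]))
```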


Understanding limitations in content scanning


A rule can only apply to a single file, document or attachment at any time.

For example, you may have a rule that triggers on finding the word “ugly” in
databases and in spreadsheets. When GroupShield encounters any database, it
searches for the word “ugly”. Similarly, when GroupShield encounters any
spreadsheet, it searches for the word.

You can make such a rule more complex. For example, you may make the rule
search for both “ugly” and “stupid” in databases and in spreadsheets. When
GroupShield encounters any database, it searches for the word “ugly” and the
word “stupid”. If both words are present, the rule triggers your defined action.
When GroupShield encounters any spreadsheet, the rule is also triggered.

It is possible to create combinations of rules that will not work. For example, you
can create a rule which detects “ugly” in databases, and “stupid” in spreadsheets.
If used separately, those rules will work. However a compressed file (such as a
WinZip file) could contain a database with “ugly” and a spreadsheet with
“stupid”. This combination of files will not be detected.

Scanning for spam


You can install the anti-spam add-on package for GroupShield 6.0 to provide you
with anti-spam protection of your Microsoft® Exchange servers.
Once installed, the anti-spam add-on package enables you to control the amount
of spam that your organization receives by blocking all e-mail messages from
known senders, marking the subject line of any suspicious e-mail messages,
deleting messages, or moving messages to users' junk folders. Additionally, you
can inform an administrator of the detection, or record the event in a log.
GroupShield provides several techniques to guard against the nuisance of spam
e-mail messages:
n Blacklists
GroupShield matches every e-mail message against a blacklist. A blacklist is the
list of e-mail addresses from which your company does not want to receive
messages because those messages are always spam messages. Besides
blacklisting “From” addresses, you can also blacklist “To” addresses. For
example, if an e-mail address in your organization receives a large amount of
spam, you can prevent that address forwarding any e-mail.
n Whitelists

GroupShield matches every e-mail message against a whitelist. A whitelist is
the list of e-mail addresses that you trust not to send unwanted messages. The
list can contain addresses of business partners or organizations that sell
essential products. Such messages are allowed through without scanning for
spam phrases.


n Rules and scores

GroupShield matches an extensive set of rules against every e-mail message.
Each rule is associated with a score — positive or negative. Rules that match
for spam-like characteristics give a positive score. Rules that match attributes
of legitimate messages give a negative score. When added together, the scores
give each message an overall spam score. Some rules are simple, and match
only on popular phrases. Other rules are more complex and match on the
header information and structure of e-mail messages.

Understanding spam scores


Spam often contains well-known phrases. For example, these phrases are good
indicators:

Phrase              Spam score per phrase
Dear Friend         1.5
amazing offers      1.0
believe your eyes   1.2
incredibly low      0.8
best ever           0.8

(The values shown here are for example only. The actual values might be different
in the product. This example is deliberately simple, and does not attempt to
demonstrate any complex matching.)

Consider the following two messages. The phrases from the table that each
message contains are listed with its total spam score.

Message 1 (amazing offers, best ever): total spam score 1.0 + 0.8 = 1.8

Dear John,
Our computer suppliers have some amazing offers on PCs this year. I’ll send you
their catalogue and discuss my requirements with you on Tuesday. Looking forward
to our best ever year on this project!
Regards, Peter

Message 2 (Dear Friend, amazing offers, believe your eyes, incredibly low, best
ever): total spam score 1.5 + 1.0 + 1.2 + 0.8 + 0.8 = 5.3

Dear Friend,
See our web site for amazing offers on PCs. You won’t believe your eyes! These
incredibly low prices are our best ever!


The second message has a higher score, which indicates that it is possibly spam. It
is possible for a legitimate message to attain a high score. Therefore, the detection
of spam cannot be precise. You can determine how GroupShield will respond to
messages based on their spam scores:
n You can specify a level at which you regard a message as spam. Typically, a
score of 5 indicates that a message is spam. You can inform the recipients that
a message is likely to be spam by adding some text, such as ** SPAM **, to the
subject line of the message. Recipients can then easily identify a spam e-mail
message, and decide how to handle the message. For example, some e-mail
products such as Microsoft Outlook and Lotus Notes can redirect mail to
specific folders based on rules or filters.
n You can specify a level at which GroupShield will handle spam messages
automatically. For example, GroupShield can automatically block or
quarantine messages that have high spam scores. In addition, you can inform
an administrator or log the event.

n You can specify that GroupShield adds a report to a message’s Internet headers
that tells its recipients of any rules that triggered and the message’s spam
score. You can choose whether to add the report, and whether such
information is included in all messages or only those messages that
GroupShield identifies as spam.

The report includes a spam score and optionally a spam score indicator. For
example, a spam score of 5.6 can have an indicator of five asterisks, and a spam
score of 6.2 can have an indicator of six asterisks. The indicator is rounded to
the integer and ignores any decimal fraction. The indicator provides a simple
character string for filtering messages.

We recommend that you set this option for initial testing only, because it can
impact your server’s performance. When you have the information that you
need, turn the option off.
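The whitelist, blacklist and scoring steps described above, carried through on the two example messages, as an added Python example (not the product's scoring engine): phrases are summed into a score, the score is compared with a marking level and a higher automatic-handling level, the subject is tagged, and an asterisk indicator is built from the whole-number part of the score. The phrase values are the page's illustrative ones; the addresses, both thresholds and the header name are constructed for the example.

```python
import math

# Phrase table from the page (illustrative values, not the product's).
PHRASE_SCORES = {
    "dear friend": 1.5,
    "amazing offers": 1.0,
    "believe your eyes": 1.2,
    "incredibly low": 0.8,
    "best ever": 0.8,
}
# Hypothetical lists and levels for this example.
WHITELIST = {"partner@example.org"}
BLACKLIST = {"bulk@example.net"}
MARK_THRESHOLD = 5.0   # at or above: tag the subject line so recipients can filter it
AUTO_THRESHOLD = 8.0   # at or above: handle automatically (quarantine here)
REPORT_HEADER = "X-Example-Spam-Report"   # placeholder name; the page gives none


def spam_score(body):
    """Return (score, matched phrases). The body is lower-cased and its
    whitespace collapsed so a phrase split across a line break still matches."""
    text = " ".join(body.split()).lower()
    matched = [phrase for phrase in PHRASE_SCORES if phrase in text]
    return round(sum(PHRASE_SCORES[p] for p in matched), 2), matched


def indicator(score):
    """Spam score indicator: one asterisk per whole point; the fraction is ignored."""
    return "*" * int(math.floor(score))


def classify(sender, body, mark_at=MARK_THRESHOLD, auto_at=AUTO_THRESHOLD):
    """Whitelist first (no phrase scan), then blacklist, then the scoring rules.

    Returns (verdict, score, report) where verdict is "allow", "block", "mark"
    or "quarantine" and report is the header text that would be added.
    """
    addr = sender.strip().lower()
    if addr in WHITELIST:
        return "allow", 0.0, f"{REPORT_HEADER}: whitelisted sender, not scored"
    if addr in BLACKLIST:
        return "block", 0.0, f"{REPORT_HEADER}: blacklisted sender"
    score, matched = spam_score(body)
    report = f"{REPORT_HEADER}: score={score:.1f} indicator={indicator(score)} rules={','.join(matched)}"
    if score >= auto_at:
        return "quarantine", score, report
    if score >= mark_at:
        return "mark", score, report
    return "allow", score, report


def tag_subject(subject, verdict, tag="** SPAM **"):
    """Prepend the tag for messages judged to be spam."""
    return f"{tag} {subject}" if verdict in ("mark", "quarantine") else subject


# The two messages from the table above (constructed test input).
MESSAGE_1 = """Dear John,
Our computer suppliers have some amazing offers on PCs this year. I'll send you
their catalogue and discuss my requirements with you on Tuesday. Looking forward
to our best ever year on this project!
Regards, Peter"""

MESSAGE_2 = """Dear Friend,
See our web site for amazing offers on PCs. You won't believe your eyes! These
incredibly low prices are our best
ever!"""

if __name__ == "__main__":
    for sender, body in (("peter@example.com", MESSAGE_1), ("sales@example.com", MESSAGE_2)):
        verdict, score, report = classify(sender, body)
        print(verdict, score, report)
```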

Tips for avoiding spam


We recommend the following tips to reduce unwanted e-mail messages. Make
these tips available to users to help them reduce the amount of spam they receive:
n Use a different e-mail address or “public” e-mail address when participating
in news groups, joining contests, or responding to any third-party requests
online.
n Avoid using a Reply or Remove option. Some senders remove the address, but
others record the e-mail address and later send more spam, or sell the address
to other spammers.
n Limit Internet usage at work. When at work, do not access sites that are not
business-related such as message boards, e-trade sites, Internet auctions, and
e-commerce sites.


n Don't post e-mail addresses online. Know whether your e-mail address will be
displayed or used before posting an e-mail address online. Read the privacy
policy on the web site before posting your address and opt out, if possible.
n Beware of purchasing products that are advertised by spam. When you
respond to this type of e-mail message, you often make more personal
information such as your name, address, telephone number or credit-card
numbers available to spammers, which can lead to increased spam.
Furthermore, in order to provide themselves with an income, spammers must
issue large numbers of e-mail messages in order to get enough responses. By
not responding at all, you can discourage this advertising technique by making
it unprofitable.

Filtering of files
Any network contains many types and sizes of files, though not all are useful or
desirable to your organization:

n Some graphic file formats such as bitmap (suffixed “.BMP”) use large amounts
of computer memory and can affect network speed when transferred. You
might prefer that users work with other more compact formats such as GIF or
JPEG.
For example, if your organization produces computer software, you might see
executable files (suffixed with the file name extension “.EXE”) moving around
the network. Within any other organization, those files might be games or
illegal copies of software. Similarly with movie files (suffixed “.MPEG”),
unless your organization handles files of this type, they are probably for
entertainment only.

n Much of your organization’s most valuable information — such as designs and
lists of customers — is in databases or other special files, so it is important to
control the movement of these files. However, it is possible to make any file
masquerade as another. An employee with malicious intent might rename an
important database file called CUSTOMERS.MDB to NOTES.TXT and attempt
to transfer that file, believing that it cannot be detected. Fortunately, you can
configure GroupShield to examine each file based on its content or file format,
and not on its file name extension alone.

The file-filtering rules provided by GroupShield enable you to examine any file in
several ways:

n Name of the file, such as GOODGAME.EXE.

n Type of the file as indicated by its extension, such as *.EXE and *.JPG.

n Format of the file as indicated by its content such as a spreadsheet data or
graphic data.

n Size of the file, whether above or below a specified size.
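The four checks listed above, with the renamed-database case from the previous section, as an added Python example (not GroupShield's file-format detection): the file's format is read from its leading bytes and compared with what its extension claims, so CUSTOMERS.MDB renamed to NOTES.TXT is still recognised as a database. The signature table, the extension map, the blocked lists and the sample attachments are constructed for the example.

```python
import os

# Constructed signature table: (format, offset, leading bytes). These are the
# standard identifying bytes of the listed formats, chosen for the example.
SIGNATURES = [
    ("mdb", 4, b"Standard Jet DB"),  # Microsoft Access database
    ("exe", 0, b"MZ"),               # Windows executable
    ("zip", 0, b"PK\x03\x04"),       # ZIP archive
    ("jpg", 0, b"\xff\xd8\xff"),     # JPEG image
    ("gif", 0, b"GIF8"),             # GIF image
    ("bmp", 0, b"BM"),               # Windows bitmap
]
EXTENSION_FORMATS = {".mdb": "mdb", ".exe": "exe", ".zip": "zip", ".jpg": "jpg",
                     ".jpeg": "jpg", ".gif": "gif", ".bmp": "bmp", ".txt": "text"}


def detect_format(data):
    """Identify a file by its content rather than its name."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    printable = all(b in (9, 10, 13) or 32 <= b < 127 for b in data[:512])
    return "text" if data and printable else "unknown"


def extension_format(filename):
    """The format the file name claims, from its extension alone."""
    return EXTENSION_FORMATS.get(os.path.splitext(filename)[1].lower(), "unknown")


def evaluate(filename, data, blocked_names, blocked_formats, max_size):
    """Apply the file-filtering checks: name, extension, content format and size.

    Returns (verdict, detected_format, reasons); any reason blocks the file,
    which is the blacklist style of filtering (allow unless a rule forbids).
    """
    reasons = []
    actual = detect_format(data)
    claimed = extension_format(filename)
    if filename.upper() in blocked_names:
        reasons.append("blocked file name")
    if claimed in blocked_formats:
        reasons.append(f"extension claims blocked format {claimed}")
    if actual in blocked_formats:
        reasons.append(f"content is blocked format {actual}")
    if actual != "unknown" and actual != claimed:
        reasons.append(f"extension {claimed} does not match content {actual}")
    if len(data) > max_size:
        reasons.append(f"size {len(data)} exceeds {max_size}")
    return ("block" if reasons else "allow"), actual, reasons


# Constructed sample attachments.
RENAMED_DATABASE = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64  # sent as NOTES.TXT
PLAIN_NOTES = b"Meeting notes for Tuesday.\r\n"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(evaluate("NOTES.TXT", RENAMED_DATABASE, set(), {"mdb"}, 1_000_000))
    print(evaluate("NOTES.TXT", PLAIN_NOTES, set(), {"mdb"}, 1_000_000))
```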


When you create settings to control the use of any file, remember that some
departments within your organization might need fewer constraints. For example,
a marketing department might use large high-quality graphic files for advertising
purposes.

Two types of filtering


GroupShield allows you to control files in two ways:

n Blacklist — Allow through all files except those specifically forbidden within
rules. In this case, you set file-filtering rules to block or quarantine. If no
file-filtering rules apply to the scanned file, you allow it to pass.
n Whitelist — Block all files except those specifically allowed within rules. In this
case, you set file-filtering rules to allow files to pass. If no file-filtering rules
apply to the scanned file, you block the file.
NOTE
If a file has passed through as the result of a rule, you can
configure GroupShield to log and notify this event. After any
file has passed through the file-filtering rules, it is always
scanned for viruses and content, as determined by policy.

Adding disclaimers
A disclaimer is some text — an explanation, information, a legal statement, or
warning — that GroupShield can append to an e-mail message as it passes through
the mail server.

By adding a disclaimer to outbound messages, you can limit the liability posed by
statements that might be legally damaging, for example, those containing
offensive remarks. Disclaimers are also useful for renouncing the contents of a
message as the view of the author, not of the organization, to avoid any damaging
publicity. For example:
The information contained in this message is confidential and may be
legally privileged. Views or opinions expressed in this e-mail
message are those of the author only.

Handling encrypted content


If content is encrypted, it cannot be scanned for viruses or undesirable content.
Such content must be scanned after it is decrypted, and this typically occurs at the
client computer.

You must choose how to handle such content at this stage — this might mean that
you delete, quarantine, or allow it to pass. If you rarely receive such content, or you
cannot guarantee that such content will be scanned in its decrypted form at a later
stage within your network, we recommend that you delete and quarantine it.


Limiting the size and numbers of attachments


An attachment, typically a graphic, a document, or a spreadsheet can greatly
increase the size of a complete message — a typical memo of a few kilobytes can
grow to many megabytes. Normally this flow of information is necessary for your
organization to function, but problems arise when attachments are used
excessively or when their use is abused.

For example, computer games are sometimes attached to e-mail messages. Each
game typically consumes a few megabytes. Large audio or graphics files —
whether for entertainment or business purposes — approach similar sizes. Popular
items, when copied and forwarded many times over, can add a heavy load to your
mail server. All users will suffer from the slower performance.

GroupShield allows you to remove attachments from e-mail messages if they
exceed a specified size or quantity. Discarded attachments are replaced by a small
text file, which informs the recipient that attachments were removed. You can also
specify special actions against any e-mail message that exceeds a specified size
overall.

Handling digital signatures


Whenever information is sent electronically, it runs the risk of being accidentally
or wilfully altered. To overcome this, some e-mail software uses a digital signature
— the electronic form of a handwritten signature. A digital signature is extra
information added to a sender’s message, which identifies and authenticates the
sender and the information in the message. It acts like a unique summary of the
data. Typically, a long string of letters and numbers appears at the end of a
received e-mail message. The e-mail software then re-examines the information in
the sender’s message, and creates a digital signature. If that signature is identical
to the original, you can be sure that the data has not been altered.
While this method is useful most of the time, it can cause problems if the message
violates your policy. For example, if the message contains a virus, bad content, too
many attachments, or attachments that are too large, GroupShield might clean or
remove some part of the message. The original digital signature is now ‘broken’.
In other words, although the message is still valid (and usually readable), its
signature is invalidated. Now the recipient cannot rely on the contents of the
message at all because the contents might also have been tampered with in other
ways.

You need to consider carefully how you handle signed messages:

n Replace the item with an alert message — You can replace signed messages with
an alert message. This choice is unsuitable if most of the messages are signed.

n Delete — You can avoid any risks with signed messages, by deleting them. This
choice is unsuitable if most of the messages are signed.


n Allow modifications to break the signature — Most e-mail software informs the
recipient that the digital signature is broken, but still allows the recipient to
read the remainder of message. In this case, you can allow GroupShield to
modify the content of the message.
n Allow the item through — Some e-mail software might not accept any changes
to the signed message, and therefore you cannot allow GroupShield to alter the
content. The danger here is that if you choose to allow all signed messages
through, an undesirable item can escape detection if it is inside a signed
message. If you allow all signed messages through, you need to be sure that the
messages come from a trusted source, or that they will be scanned at a later
stage.
In all cases, you can select one or more of the following secondary actions:

n Log the item — Your primary action is carried out, but, in addition,
GroupShield 6.0 logs the rule violation.

n Quarantine the item — GroupShield places the item in a quarantine area, where
you can examine the item and decide how to handle it.

n Notify Administrator — Your primary action is carried out, but, in addition,
GroupShield 6.0 sends a notification message to the administrator.

n Notify Sender — Your primary action is carried out, but, in addition,
GroupShield 6.0 sends a notification message to the sender.

n Notify Recipients — Your primary action is carried out, but, in addition,
GroupShield 6.0 also attempts to send a notification message to the recipients
of the message.

Handling corrupt content


If content is corrupt, GroupShield might not be able to scan the file for viruses or
banned content.

You must choose how to handle such content at this stage — typically delete,
quarantine or allow through. If you rarely receive such content, we recommend
that you delete and quarantine it.

Preventing denial-of-service attacks


Large or complex files such as compressed files or .ZIP files can take some time to
scan. Such files can be used to attack your network, deliberately slowing its
performance. For these reasons, you can limit the size to which any file may be
expanded and the depth of nesting.
You can also specify the amount of time that GroupShield may spend scanning any
file.


Depth of nesting in compressed files


To understand the effect of scanning to a depth of nesting, consider the next
diagram. This shows a compressed file, which contains documents and a
compressed file. That compressed file contains documents and another
compressed file, and so on.

n A depth of 1 scans only the non-compressed files inside a compressed file (as
shaded). The contents of any compressed files are not scanned.

n A depth of 2 scans the non-compressed files inside a compressed file, plus only
the non-compressed files inside any compressed file that it contains (as
shaded).
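The depth-of-nesting rule from this list, together with the expansion limit from Preventing denial-of-service attacks, as an added Python example (not GroupShield code): a three-level nested ZIP is built in memory, scanned to a chosen depth, and the scan stops when the declared or actual expanded size would pass the limit. The archive contents, the depths and the limits are constructed for the example; a scan-time limit is noted but not implemented here.

```python
import io
import zipfile


class ScanLimitExceeded(Exception):
    """Raised when expanding an archive would pass the configured limit."""


def build_nested_archive(depth, document=b"quarterly figures"):
    """Construct the archive from the diagram: each level holds one document
    and the next level's archive (constructed test data for this example)."""
    inner = None
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"doc{level}.txt", document)
            if inner is not None:
                zf.writestr(f"level{level + 1}.zip", inner)
        inner = buf.getvalue()
    return inner


def scan_archive(data, max_depth, max_expanded_bytes, _depth=1, _budget=None):
    """Return the names of the non-compressed files that a scan to max_depth covers.

    A nested archive at the depth limit is left unscanned, as the page describes.
    Expansion is metered against max_expanded_bytes across the whole tree, so a
    small archive cannot inflate without bound. (A time limit per file, which
    the page also mentions, would wrap this call in a timeout.)
    """
    budget = _budget if _budget is not None else {"expanded": 0}
    scanned = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The declared size is checked before anything is read, so an
            # oversized member is never expanded.
            if budget["expanded"] + info.file_size > max_expanded_bytes:
                raise ScanLimitExceeded(f"{info.filename} would exceed {max_expanded_bytes} bytes")
            member = zf.read(info)
            budget["expanded"] += len(member)   # actual size, in case the header lied
            if budget["expanded"] > max_expanded_bytes:
                raise ScanLimitExceeded(f"{info.filename} exceeded {max_expanded_bytes} bytes")
            if zipfile.is_zipfile(io.BytesIO(member)):
                if _depth < max_depth:
                    scanned.extend(scan_archive(member, max_depth, max_expanded_bytes,
                                                _depth + 1, budget))
            else:
                scanned.append(info.filename)
    return scanned


def scan_result(data, max_depth, max_expanded_bytes):
    """Scan and report: ("scanned", names) or ("limit-exceeded", message)."""
    try:
        return "scanned", scan_archive(data, max_depth, max_expanded_bytes)
    except ScanLimitExceeded as exc:
        return "limit-exceeded", str(exc)


if __name__ == "__main__":
    archive = build_nested_archive(3)
    for depth in (1, 2, 3):
        print(depth, scan_result(archive, depth, 10_000))
    print(scan_result(build_nested_archive(1, b"A" * 50_000), 3, 1_000))
```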

Depth of nesting in HTML files


An HTML file can contain several parts:
n Normal HTML content is considered to be at a depth of 1.

n The contents of HTML tags and META data is considered to be at a depth of 2.

If you intend to scan HTML files, you should scan to a depth of 2 at least.

Issuing alerts and notifications


Each item in the policy has an action associated with it. When a rule or setting is
violated, both the user and an administrator can be informed.


GroupShield will replace the offending message or attachment with text that you
prepare. Any users who later read the message will see the replacement text
instead. You can also request GroupShield to send a message to an administrator,
and record the event in a log.



SECTION 2

Using GroupShield

GroupShield Interface
Options for Viewing
Options for Scheduling
Configuring Anti-Virus and Content
Configuring GroupShield

6 GroupShield Interface

Once McAfee GroupShield 6.0 for Microsoft® Exchange has been correctly
installed and configured on your computer, it protects your Microsoft® Exchange
stores by running a Windows service named McAfeeGroupShield.

To make changes to your GroupShield software configuration, or to view
information about your software, you need to start the GroupShield interface.
n Introducing the GroupShield interface on page 75

n The GroupShield Home page on page 79


About the GroupShield interface


Depending on the installation options that you choose, there are two methods of
accessing the GroupShield 6.0 interface. These are:
n Administrative Web Interface

n Administrative Client Interface (stand-alone interface)

If you installed using the Typical settings, only the Administrative Client Interface
is installed on your Microsoft® Exchange server. Selecting Complete installs both
the Administrative Client Interface and the Administrative Web Interface.

GroupShield Web Interface


When installed, the GroupShield Web Interface enables you to manage and
configure GroupShield 6.0 using HTTP connecting to the Microsoft Internet
Information Services (IIS) running on the Microsoft® Exchange server.
When using this method, the default URL for the GroupShield 6.0 interface is:

http://localhost/groupshield/splash.htm

When using the Administrative Web Interface, you can use the IIS administration
tools to customize the way that GroupShield 6.0 is hosted by IIS. For example, you
can configure IIS to serve the GroupShield 6.0 interface over HTTPS. To do this,
you will have to create and install an SSL certificate.

GroupShield Stand-alone Interface


When installed, the GroupShield Stand-alone Interface enables you to manage and
configure GroupShield 6.0 without using Microsoft Internet Information Services
(IIS).
The GroupShield Stand-alone Interface is a separate executable program that uses
the standard Microsoft Internet Explorer control, but, rather than using HTTP to
communicate between the interface and the GroupShield back-end, it uses named
pipes. The GroupShield Stand-alone Interface can be installed either on the
Microsoft® Exchange server, or on a remote workstation.


Opening the GroupShield interface


To start either GroupShield Web Interface or the GroupShield Stand-alone
Interface — when installed — click Start | Programs | Network Associates.
Two entries are listed that start the GroupShield 6.0 interface (assuming that both
interfaces have been installed). These are:

GroupShield Stand-alone Interface

GroupShield Web Interface

Select the required GroupShield 6.0 interface.


A new window opens, displaying the GroupShield 6.0 splash screen. After a
short time, the GroupShield 6.0 home page is displayed.

Administering GroupShield from a different computer


You can install the GroupShield Stand-alone interface on Microsoft Windows 2000
(or above) computers other than your Microsoft® Exchange server.
Once installed, you can remotely administer GroupShield 6.0. You need to know
the name of the server that has Microsoft® Exchange and GroupShield 6.0
installed.
You must also have login credentials for the Microsoft® Exchange Server.
From the remote computer:

1 Click Start | Programs | Network Associates | McAfee GroupShield.


The GroupShield window opens.
2 Click Change Server.

3 Click New connection to specify the Microsoft® Exchange server and
GroupShield 6.0 interface to view.


4 Enter the details of the server you want to connect to.

Microsoft Internet Explorer attempts to connect to the Exchange server.


Depending upon your current login credentials and the way your network
security is set up, you may be prompted to log on to the Microsoft® Exchange
Server. Use the login information for that server.

The GroupShield 6.0 interface is displayed.


NOTE
When administering GroupShield 6.0 from a remote
computer, it may take a few minutes for any changes to be
updated.


Introducing the GroupShield interface


The GroupShield interface uses a simple and intuitive layout.

Figure 6-1. GroupShield 6.0 interface — Home page

The interface consists of the following main areas:


n Navigation pane

n Console on page 77

n Quick Help pane on page 78


n Links bar on page 78


Navigation pane
The navigation pane is located on the left side of the GroupShield interface. This
provides links to each page, with similar links grouped together.

Figure 6-2. GroupShield 6.0 Navigation pane

The groups used are:

n View

The View area provides a convenient location from which to view information
about your GroupShield software installation. The available options are:
w Detected Items on page 83
w Scheduled tasks on page 91
w Product Log on page 93


n Schedule

Options that enable you to set up schedules for running on-demand scans and
for updating the virus definition (DAT) files used by GroupShield include:
w Product update on page 100
w On-demand scan on page 102
w Status Report on page 104
n Configure

Options to enable you to configure GroupShield include:

w Configuring Anti-Virus and Content on page 105


w Notifications on page 164
w On-Access settings on page 167
w Anti-spam settings on page 171
w Detected Items Database on page 173
w Product Log Database on page 176
w Personal Preferences on page 179
w Diagnostics on page 181
w Policy Groups on page 186
w Import and Export Configuration on page 188
The navigation pane also includes following links:

n Home

The GroupShield Home page provides a convenient location to find
information about Scanning Statistics since the server was last rebooted or the
GroupShield service was last restarted, about Product Versions and about
Recently Scanned Items.

n Show/Hide Quick Help

The GroupShield interface includes the Quick Help pane, which is usually
displayed to the right of the GroupShield interface.

Console
The central area, or console, of the GroupShield interface displays each selected
page.


Quick Help pane


The Quick Help pane provides an area to display basic information about each page
displayed within the console area of the GroupShield interface. The Quick Help
includes links to the GroupShield online Help system, to the Network Associates
web site and to other sources of product information.

You can show or hide Quick Help, using the Show Quick Help or Hide Quick Help
menu options from the navigation pane.

Links bar
The links bar is displayed at the top of the GroupShield interface. This contains
links to useful resources, such as the AVERT Virus Information Library and to the
GroupShield software Help Topics.


The GroupShield Home page


The Home page is displayed by default when you first start the GroupShield
software. Click Home from the navigation pane to return to this page.

The page consists of the following areas:


n Real-time scanning statistics on page 79

n Product versions on page 80


n Recently Scanned Items on page 80

You can show or hide each of these areas by clicking the hide icon or the show
icon for that area.

By default, the Home page is automatically refreshed, using the refresh time
specified in the Home area of Configure Personal Preferences, see Personal
Preferences on page 179.
To manually refresh the Home page at any time, click Refresh.

Real-time scanning statistics


The Real-time scanning statistics area of the Home page provides information on
the actions that GroupShield has recently taken.
Within this area of the Home page, the following information is recorded:
n Scanned — the number of items that have been scanned by the GroupShield
software since the server was last rebooted.
n Clean — the number of clean items — items that have not been detected as
either infected or banned — that have been scanned by the GroupShield
software since the server was last rebooted.
n Average scan time (ms) — the average time, in milliseconds, taken to scan each
item.
n Infected — the number of infected items that have been detected by
GroupShield since the server was last rebooted.
n Banned Content — the number of items containing banned words or phrases
that GroupShield has detected since the server was last rebooted.
n Banned File Type — the number of items containing banned file types that
GroupShield has detected since the server was last rebooted.


n Potential Spam — the number of items that have been detected as “spam”
messages.

n Encrypted Or Corrupted — the number of items containing either encrypted or
corrupted files that cannot be scanned.

Product versions
The Product versions area of the Home page provides a convenient location to
check information about your GroupShield product versions.

The following version information is displayed:


n DAT Version — the version of the currently installed virus definition (DAT) files
being used by your GroupShield software.
n DAT Date — the date that McAfee Security released the currently installed
virus definition (DAT) files.
n Engine version — the version of the currently installed anti-virus engine being
used by your GroupShield software.
n Product version — the version and build number of your GroupShield
software.
n Product Description — the full name of the product.

n GroupShield Exchange — License status for the GroupShield software.

n Anti-Spam add-on — License status for the anti-spam add-on package for
GroupShield 6.0.

Recently Scanned Items


The Recently Scanned Items area of the Home page provides information about
items that have recently been scanned by your GroupShield software.
NOTE
The number of items displayed in Recently Scanned Items can
be configured from Personal Preferences on page 179. Click
Settings to display the Configure Personal Preferences page.

The following information is provided on each of the items in the Recently Scanned
Items list:

n Date/time — GroupShield notes the date and time that the message was
scanned.

n Sender — The information contained within the e-mail message about the
originator of the e-mail message.

n Recipients — The recipients to which the message was sent.


n Result — if no virus or banned content is found in the file, the Result is listed
as Clean. If a virus, or banned content is discovered by GroupShield, this field
reflects the action taken by GroupShield.
n Scanned by — GroupShield reports the name of the scanner or the scheduled
task that scanned the item.



7 Options for Viewing
From the View area of the navigation pane, you can view information relating to
the following:

n Detected Items
n Scheduled tasks on page 91

n Product Log on page 93

Detected Items
The Detected Items page enables you to search the Detected Items, using a range of
search criteria.
You can check the information that has been logged against messages that have
viruses or banned content within them, and can also download the items that have
been added to the Detected Items database.
WARNING
Items held within the Detected Items database still contain
viruses or banned content. When downloading quarantined
files, make sure that you do not infect your computer or
network.
NOTES
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
uses these files to maintain information, such as the Detected
Items list. Removing these files will result in GroupShield
being unable to query the Detected Items.

Due to the interaction between GroupShield 6.0 and the
Microsoft® Exchange Virus-Scanning API (VSAPI),
GroupShield 6.0 scans e-mail messages and attachments as a
number of separate components. Therefore, only the
components that contain viruses or other banned content are
added to the Detected Items database, not the entire message.


The Detected Items page consists of two parts:


n Query area

n Search Results
NOTE
Only items that have been detected as containing a virus or
banned content are shown within the Detected Items.

Querying the Detected Items


The Detected Items page, available from the navigation pane within the
GroupShield software includes a query filter, enabling you to query the detected
items.

Figure 7-1. View Detected Items — Query

You can query the Detected Items database by looking at entries made between,
before or after a specified date and time.
You can also query the Detected Items database by using logical filters. The query
option also allows you to use both the logical filters and the specified date and
time.

Searching for files stored after a specified date


From the Detected Items page:

1 Select Stored from.

2 Enter the date and time.


3 Click Find records.

After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database since the specified date.


Searching for files stored before a specified date


From the Detected Items page:

1 Select to.
2 Enter the date and time.

3 Click Find records.

After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database before the specified date.

Searching for files stored between the specified dates


From the Detected Items page:

1 Select both the Stored from and to fields.

2 Enter the dates and times into both fields.

3 Click Find records.


After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database between the specified dates and
times.

Searching for files with known properties


From the Detected Items page:

1 Select where.

2 Select the message property to match.


The drop-down list contains all the column headings that are available within
the Results area of View Detected Items.
NOTE
To use the Date/time stored value as the search string, the date
and time must be entered in the ISO date and time format:
yyyy mm dd hh:mm:ss, for example, 2003 08 15 09:45:30.
3 Enter the text to match.
NOTE
If you already have a detected item of the type you are searching for
displayed in the Results area, you can select both the message property to
match and the matching information by clicking the information within
Results.


4 Click Find records.

After a short time, the Results area of the Detected Items page is updated with
all items stored in the Detected Items database that match the selected search
criteria.

Filtering files in the Detected Items database


From the Detected Items page:

1 Select matching filter.

2 Enter your logical search string.

For information on the parameters and operators that you can use within your
searches, see Using the Filter on page 87.

Viewing the results


Beneath the Query area of the Detected Items page is the Results area. Information
about the files found by your query are displayed in this area.

Displayed information
The Results area of the Detected Items page consists of a number of columns, each
with a specific category of information about the detected item.
You can select the information that you want displayed for the items found as a
result of your query.
NOTE
The link Click here to change displayed columns, to the right of
the Results title bar takes you to the Personal Preferences
page, where you can select the information to be displayed
within the Results area. See Personal Preferences on page 179
for more information.

Getting more information about viruses


In the left column of the Results table, GroupShield displays the following icon:

Detected Item detail icon.

Clicking the Detected Item detail icon displays the Detected Item detail dialog box.

If the detected item is a known virus, this detailed information includes a link
to additional information about the virus in the AVERT Virus Information
Library.


Using displayed information to refine your query


You can further define your query, using the displayed results fields.

Example
You might carry out a query on all items detected in the last 24 hours, using Stored
from and yesterday’s date and time attributes. This could produce a number of
items that have been detected within the specified time frame.

Upon further inspection, you notice that several of the detected items contain the
same virus. You want to refine the query so that you search just for this virus:
1 Deselect Stored from, to remove the date-sensitive element of the query.

2 Select where.
3 Move the cursor over the Virus found (vrs) column of the Results table.

4 Click the virus name.

The text Virus found is added to the where field, and the name of the virus being
searched for, for example EICAR test file, is added to the is field.

5 Click Find Records.


All records contained within the Detected Items database are searched, and all
that match the virus name are displayed.

Using the Filter


The filter within GroupShield 6.0 enables you to create complex searches of files
contained within the Detected Items database.
Table 7-1. Searchable Filter properties for the Detected Items database

Property    Displayed Name       Description
Identifier
dts         Date/time stored     The date and time the item was written to the
                                 database.
sbj         Subject              The subject field of the E-mail.
sdr         Sender               The sender of the E-mail.
rpt         Recipients           The recipients list of the E-mail.
ftr         Reason               The reason the entry was made in the database.
                                 This is the natural language string
                                 representation; the numeric equivalent is
                                 available via (rsn) but is not supported.
vrs         Virus found          The name of the virus found, if applicable.
qtn         Quarantined item     The quarantined item data. When rendered in
                                 the user interface this is a link to perform a
                                 download of the data.
act         Result               The result of the action taken on the item.
                                 This can be one of:
                                 w Clean (0)
                                 w Cleaned (1)
                                 w Replaced (2)
                                 w Removed (3)
                                 w Logged (4)
                                 w Denied Access (5)
                                 This is the natural language string
                                 representation; the numeric equivalent is
                                 available via (res) but is not supported.
rul         Rule                 The content scanning rule that fired.
tn          Scanned by           The scan source that scanned the item.
sz          Size                 The size of the item that was scanned.
tme         Date/time submitted  The date and time the item was submitted to
                                 the product for scanning.
fln         Filename             The file name of the item.
fdr         Folder               The name of the containing folder the item was
                                 in, if applicable.
cc          CC                   The list of carbon copy recipients of the E-mail.
tik         Ticket Number        A unique number for the item, generated by the
                                 product to identify it.
efn         Detected File Name   The name(s) of the files which caused the
                                 detection(s) to occur. If there is more than one
                                 detection, the file names are ordered to match
                                 "Reason" above.
idy         Policy Group         The name of the policy group that was used to
                                 apply settings.
ssc         Spam Score           The spam score returned by the Anti-Spam
                                 engine, if installed. This is a positive or
                                 negative number (negative because of whitelist
                                 scoring).
srt         Spam Routing         The action taken as a result of the spam
                                 scanning. This can be any of:
                                 w Allowed through
                                 w System junk folder
                                 w User junk folder
                                 w Rejected
                                 w Deleted

Handling quarantined items


GroupShield 6.0 provides you with the option to move items containing viruses
that cannot be cleaned or banned content to the Detected Items database.
WARNING
Messages that are quarantined within the Detected Items
database may still contain harmful viruses. Take care not to
infect your system when checking files that have been sent to
the Detected Items database.

Releasing items from the Detected Items database


After GroupShield 6.0 has quarantined an item that contains a virus or banned
content into the Detected Items database, you can:
n Download the quarantined item.

n Forward the quarantined item.

Downloading the quarantined item enables you to save it to your local computer,
where you can check the content of the item.
WARNINGS
Please consider the legal implications of inspecting items from
e-mail messages sent to employees within your organization.
Before downloading and opening any item from within the
Detected Items database, ensure that any virus has been
cleaned or replaced.

When you are sure that items are not infected, you can forward them from the
Detected Items database to the intended recipients.


Downloading or forwarding quarantined messages


From the Detected Items page:

1 Select Click here to change displayed columns.


2 On the Personal Preferences page, select the Quarantined item (qtn) checkbox.

3 Click Apply to register the change.

4 Choose Detected Items from the View area of the navigation pane.
5 In the new Quarantined item (qtn) column, there are two buttons: Download
and Forward.
w Choose Download to view a message and click OK to close the confirmation
dialog box that appears.
w Choose Forward to send the message to, for example, the intended
recipient.

Exporting the query results


To enable you to further analyze the results of queries that you run on the Detected
Items database, you can export the results in comma-separated values (.CSV)
format. This results file can then be imported into third-party software, such as
Microsoft® Excel® for further analysis.

To export the query results, first ensure that you run a query suitable for the
information that you require.

1 Click Export to CSV File.


The Microsoft Internet Explorer File Download dialog is displayed.

2 Click Save.

The Save As dialog is displayed.


3 Select the location and file name for the saved file.

4 Click Save.
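The guide leaves the analysis of an exported results file to Microsoft Excel. As an added example (it is not code from the product guide or from McAfee), the following Python script does the kind of triage an administrator would otherwise do by hand in a spreadsheet: it loads a Detected Items export and counts detections by Reason, Result, virus name and Policy Group, lists senders that repeatedly trigger virus detections, and picks out items whose recorded Result is Logged, meaning no clean, replace or remove action is recorded against them. The guide does not show the layout of the exported file, so the script assumes one header row made of the Displayed Name values from Table 7-1 and one row per item; the sample rows, the addresses, the rule names and the function names (load_detected_items, summarize, repeat_virus_senders, logged_only, triage_report) are all constructed for this example.

```python
"""Summarize a GroupShield Detected Items CSV export (constructed sample)."""
import csv
import io
from collections import Counter

# Constructed sample in the shape of an "Export to CSV File" result.
# ASSUMPTION: one header row using the Displayed Name values of Table 7-1,
# then one row per detected item. Every value below is made up.
SAMPLE_CSV = """\
Date/time stored,Sender,Recipients,Reason,Virus found,Result,Rule,Policy Group
2003 08 15 09:45:30,alice@example.com,team@example.com,Virus found,EICAR test file,Removed,,Default
2003 08 15 10:02:11,bob@example.com,team@example.com,Banned file type,,Replaced,Block executables,Default
2003 08 15 10:15:42,alice@example.com,ceo@example.com,Virus found,EICAR test file,Cleaned,,Executives
2003 08 15 11:30:05,mallory@example.net,sales@example.com,Banned content,,Logged,Offensive words,Default
2003 08 16 08:12:59,alice@example.com,team@example.com,Virus found,EICAR test file,Removed,,Default
"""


def load_detected_items(csv_text):
    """Parse the export into a list of dicts keyed by column heading."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(rows):
    """Counts per Reason, Result, virus name and Policy Group."""
    return {
        "by_reason": Counter(row["Reason"] for row in rows),
        "by_result": Counter(row["Result"] for row in rows),
        "by_virus": Counter(row["Virus found"] for row in rows if row["Virus found"]),
        "by_policy_group": Counter(row["Policy Group"] for row in rows),
    }


def repeat_virus_senders(rows, threshold=2):
    """Senders with at least `threshold` virus detections (sorted by address).

    A sender that keeps producing infected mail usually points at a machine
    that is still infected rather than at a one-off message.
    """
    counts = Counter(row["Sender"] for row in rows if row["Reason"] == "Virus found")
    return sorted(sender for sender, count in counts.items() if count >= threshold)


def logged_only(rows):
    """Items whose recorded Result is Logged: nothing was cleaned, replaced or removed."""
    return [row for row in rows if row["Result"] == "Logged"]


def triage_report(csv_text):
    """Load the export and return the figures an administrator would check first."""
    rows = load_detected_items(csv_text)
    summary = summarize(rows)
    most_common = summary["by_virus"].most_common(1)
    return {
        "items": len(rows),
        "virus_items": summary["by_reason"]["Virus found"],
        "removed": summary["by_result"]["Removed"],
        "default_policy_items": summary["by_policy_group"]["Default"],
        "top_virus": most_common[0] if most_common else None,
        "repeat_senders": repeat_virus_senders(rows),
        "logged_only_senders": [row["Sender"] for row in logged_only(rows)],
    }


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_CSV).items():
        print("%-22s %s" % (key, value))
```

To run this against a real export, read the saved file into csv_text instead of using SAMPLE_CSV and check that its header row carries the same column names; if you exported a different set of columns from Personal Preferences, adjust the column names in the functions accordingly.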


Scheduled tasks
McAfee GroupShield uses scheduled tasks to enable you to define either updates
to the GroupShield software or on-demand scans of your Exchange server. You
can choose for these tasks to run immediately, to run once at a future time or date,
or to run repeatedly, at a frequency specified by you.

Scheduled tasks, available from the View options, enable you to see all tasks that
are scheduled. In addition, you can see information about each scheduled task,
such as the Type of task, the Status of the scheduled task, when the task was Last
run and when the task is due to be Next run.

Viewing your scheduled tasks


The Scheduled Tasks page, available from the navigation pane within GroupShield
enables you to view the details of all currently scheduled tasks:

Click Scheduled Tasks from the View area of the navigation pane.
From Scheduled Tasks, you can view the currently defined schedules.

Modify an existing scheduled task


If you have an existing task that you no longer require, but want to set up a similar
task, you can modify the existing task.
1 Select the scheduled task that you want to modify.

2 Click Modify.

3 Follow the procedures given in either:

w Creating a schedule to update GroupShield on page 101


w Creating a schedule to run an On-demand scan on page 102.

Delete an existing scheduled task


If you no longer require a scheduled task to be stored, you can delete the task.

To delete a scheduled task, either a scheduled on-demand scan or a scheduled
update:
1 Select the scheduled task that you want to delete.

2 Click Delete.

A dialog box is displayed, requesting that you confirm that you want to
permanently delete the task.
3 Click OK.


Running an existing scheduled task now


To run an existing scheduled task now, click Run Now. The task will be started
immediately, using the settings defined within the task.

Viewing the progress of a scheduled task


When a scheduled task is being run, GroupShield displays a progress pop-up.

If the progress pop-up is not displayed — perhaps because you had closed the
pop-up — when a scheduled task is being run, you can open the progress pop-up
by clicking Progress from the currently running task.
NOTE
When the scheduled task completes the scheduled action, the
Progress button is removed from the interface.

Stopping a running task


To end a scheduled On-Demand Scan or Update task that is currently running, click
Stop.

Viewing the results of a scheduled task


When either a scheduled update or a scheduled on-demand scan has completed, a
Results button is displayed on the appropriate scheduled task.

Click this to display a summary of the completed scheduled task.


Product Log
GroupShield 6.0 includes the ability to write events to both the Application log
area within the Windows Event log and to the GroupShield 6.0 Product Log.

When checking the GroupShield 6.0 events within the Windows Event log, the
source is listed as McAfee GroupShield.
Refer to Error messages and event log entries on page 200 for information about the
events that may be logged.

Querying the Product Log


The Product Log page, available from the navigation pane within the GroupShield
software includes a query filter, enabling you to query the product log.
You can query the Product Log by looking at entries made between, before or after
a specified date and time.
You can also query the Product Log by using logical filters. The query option also
allows you to use both the logical filters and the specified date and time.

Searching for files stored after a specified date


From the Product Log page:

1 Select Logged from.

2 Enter the date and time.

3 Click Find records.


After a short time, the Results area of the Product Log page is updated with all
items stored in the Product Log since the specified date.

Searching for files stored before a specified date


From the Product Log page:

1 Select to.
2 Enter the date and time.

3 Click Find records.

After a short time, the Results area of the Product Log page is updated with all
items stored in the Product Log before the specified date.


Searching for files stored between the specified dates


From the Product Log page:

1 Select both the Logged from and to fields.


2 Enter the dates and times into both fields.

3 Click Find records.

After a short time, the Results area of the Product Log page is updated with all
items stored in the Product Log between the specified dates and times.

Searching for files with known properties


From the Product Log page:

1 Select where.

2 Select the message property to match.


The drop-down list contains all the column headings that are available within
the Results area of View Product Log.
NOTE
To use the Date/time stored value as the search string, the date
and time must be entered in the ISO date and time format:
yyyy mm dd hh:mm:ss, for example, 2003 08 15 09:45:30.
3 Enter the text to match.
NOTE
If you already have an entry of the type you are searching for displayed
in the Results area, you can select both the message property to match
and the matching information by clicking the information within Results.
4 Click Find records.
After a short time, the Results area of the Product Log page is updated with all
items stored in the Product Log that match the selected search criteria.

Filtering files in the Product Log


From the Product Log page:
1 Select matching filter.

2 Enter your logical search string.

For information on the parameters and operators that you can use within your
searches, see Using the Filter on page 87.


Viewing the Results


Beneath the Query area of the Product Log page is the Results area. Information
about the files found by your query are displayed in this area.

Displayed information
The Results area of the Product Log page consists of a number of columns, each
with a specific category of information about the detected item.

Getting more information about entries


In the left column of the Results table, GroupShield displays the following icon:

Product Log detail icon.

Clicking the Product Log detail icon displays the Product Log detail dialog box.

See Error messages and event log entries on page 200 for more information about the
Error Codes used within the Product Log.

Using displayed information to refine your query


You can further define your query, using the displayed results fields.

Example
You might carry out a query on all items detected in the last 24 hours, using Logged
from and yesterday’s date and time attributes. This could produce a number of
items that have been detected within the specified time frame.

Upon further inspection, you notice that several of the Product Log entries have
the same level, for example Error. You want to refine the query so that you search
just for entries of this level:

1 Deselect Logged from to remove the date-sensitive element of the query.

2 Select where.
3 Move the cursor over the Level (lvl) column of the Results table.

4 Click the error type - Information, Error or Warning.

The text Level is added to the where field, and text matching the error type
being searched for, for example Error, is added to the is field.
5 Click Find Records.

All records contained within the Product Log are searched, and all that match
the search criteria are displayed.


Using the Filter


The filter within GroupShield 6.0 enables you to create complex searches of files
contained within the Product Log.

Table 7-2. Searchable Filter properties for the Product Log

Property     Description
Identifier
dts          Date/time stored.
id           The identity of the log entry.
dsc          Description of the logged item.
lvl          The severity of the logged item - either Informational, Warning or Error.

Table 7-3. Available Filter operators

Operator     Description
==           Case-sensitive equals without wildcards
~==          Case-insensitive equals without wildcards
=            Case-sensitive equals with wildcards
~=           Case-insensitive equals with wildcards
>            Case-sensitive greater than with wildcards
~>           Case-insensitive greater than with wildcards
<            Case-sensitive less than with wildcards
~<           Case-insensitive less than with wildcards
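The operator table above says what each operator does but gives no worked case, and the earlier Using the Filter section for the Detected Items database (Table 7-1) lists the property identifiers those operators apply to. As an added example (not code from the product guide or from McAfee), the following Python script evaluates one filter term of the form identifier operator value, using the identifiers from Table 7-1 and the eight operators from Table 7-3, against a constructed set of detected-item records, so you can see the difference between case-sensitive and case-insensitive matching and between the literal and wildcard forms before typing a term into the matching filter field. Three points are not stated in the guide and are assumptions of this example: how several terms combine (so only a single term is handled), whether Size is compared numerically (the script compares as integers when both sides are integers, otherwise as strings), and how wildcards interact with the greater-than and less-than operators (the script drops the wildcard characters before an ordering comparison). The record values and the names parse_term, matches, filter_items and ticket_numbers are all made up for this example.

```python
"""Evaluate a single GroupShield-style filter term against detected-item records."""
import re

# Operators from Table 7-3, longest first so "~==" is tried before "~=" and "==".
OPERATOR_PATTERN = r"~==|==|~=|=|~>|>|~<|<"
TERM_RE = re.compile(r"^\s*([a-z]+)\s*(" + OPERATOR_PATTERN + r")\s*(.*?)\s*$")

# Constructed sample records keyed by the property identifiers of Table 7-1.
# Every value is made up for this example; these are not real detections.
SAMPLE_ITEMS = [
    {"tik": "1001", "sdr": "alice@example.com",   "vrs": "EICAR test file", "act": "Removed",  "sz": "68",     "ftr": "Virus found"},
    {"tik": "1002", "sdr": "bob@example.com",     "vrs": "",                "act": "Replaced", "sz": "204800", "ftr": "Banned file type"},
    {"tik": "1003", "sdr": "Carol@Example.com",   "vrs": "eicar test file", "act": "Cleaned",  "sz": "68",     "ftr": "Virus found"},
    {"tik": "1004", "sdr": "mallory@example.net", "vrs": "",                "act": "Logged",   "sz": "1024",   "ftr": "Banned content"},
]


def parse_term(term):
    """Split "identifier operator value" into its three parts (single term only)."""
    match = TERM_RE.match(term)
    if not match:
        raise ValueError("filter term must look like 'vrs ~= eicar*', got %r" % term)
    return match.group(1), match.group(2), match.group(3)


def wildcard_to_regex(pattern):
    """Turn a value containing * and ? wildcards into an anchored regular expression."""
    escaped = re.escape(pattern)
    return re.compile("^" + escaped.replace(r"\*", ".*").replace(r"\?", ".") + "$", re.DOTALL)


def _comparable(actual, literal):
    """ASSUMPTION: compare as integers when both sides are integers, else as strings."""
    try:
        return int(actual), int(literal)
    except ValueError:
        return actual, literal


def matches(record, prop, op, value):
    """Apply one Table 7-3 operator to one record; a missing property reads as ''."""
    actual = record.get(prop, "")
    if op.startswith("~"):                       # "~" prefix: case-insensitive
        actual, value = actual.lower(), value.lower()
        op = op[1:]
    if op == "==":                               # literal equality, no wildcards
        return actual == value
    if op == "=":                                # equality with * and ? wildcards
        return wildcard_to_regex(value).match(actual) is not None
    # ASSUMPTION for > and <: wildcard characters are dropped before comparing.
    left, right = _comparable(actual, value.replace("*", "").replace("?", ""))
    return left > right if op == ">" else left < right


def filter_items(items, term):
    """Return the records that satisfy the filter term."""
    prop, op, value = parse_term(term)
    return [item for item in items if matches(item, prop, op, value)]


def ticket_numbers(items, term):
    """Ticket Numbers (tik) of the matching records, in their original order."""
    return [item["tik"] for item in filter_items(items, term)]


if __name__ == "__main__":
    for term in ("vrs ~= eicar*", "vrs = eicar*", "act == Removed",
                 "sdr ~== carol@example.com", "sz > 100", "tik = 100?"):
        print("%-26s -> %s" % (term, ticket_numbers(SAMPLE_ITEMS, term)))
```

The contrast worth noticing is between "vrs ~= eicar*" and "vrs = eicar*": the first finds both EICAR records regardless of how the scanner capitalized the name, the second finds only the lower-case one. When a query on the real database returns fewer items than you expect, that is usually the operator to check first.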


Exporting the query results


To enable you to further analyze the results of queries that you run on the Product
Log, you can export the results in Comma Separated variable (.CSV) format. This
results file can then be imported into third-party software, such as Microsoft®
Excel® for further analysis.
To export the query results, first ensure that you run a query suitable for the
information that you require.
1 Click Export to CSV File.

The Microsoft Internet Explorer File Download dialog is displayed.

2 Click Save.
The Save As dialog is displayed.

3 Select the location and file name for the saved file.

4 Click Save.



8 Options for Scheduling
Within the navigation pane, options are available that enable you to create
schedules for the following tasks:

n Product update on page 100


n On-demand scan on page 102

n Status Report on page 104

Product updating and on-demand scans are likely to be required on a regular
basis. GroupShield enables you to create multiple schedules, for running Product
Updates and On-Demand Scans at predetermined intervals.

You can also use the schedule options to create an immediate Product Update or
On-Demand Scan. These would be created in response to a suspected virus attack,
where you want to use the latest available DAT files to counter any new viruses.


Product update
The GroupShield software depends on information in the virus definition (DAT)
files and the virus-scanning engine to identify viruses. Without regularly updated
information on the latest virus threats, anti-virus software cannot detect new virus
strains or respond to them effectively. Anti-virus software that is not using the
current DAT files and virus-scanning engine can compromise your virus-protection
program.

New viruses appear at the rate of more than 500 per month. To meet this challenge,
McAfee Security releases new DAT files every week, incorporating the results of its
ongoing research into the characteristics of new or mutated viruses. When
required, McAfee Security also releases emergency or extra DAT files to counter
specific virus threats. Periodically, the virus-scanning engine is also upgraded, to
take advantage of new technology or to counter specific new types of threat to your
network. The update task that is provided with the GroupShield software makes
it easy to take advantage of these services.
NOTE
To update GroupShield, your server needs to have at least one
of the following:
• Access to http://www.networkassociates.com/us/downloads/.
• McAfee AutoUpdate Architect installed on the same network.
• A method for downloading update files from
http://www.networkassociates.com/us/downloads/ and transferring them
to your GroupShield server.

About McAfee Common Updater


Included within GroupShield 6.0 is the McAfee Common Updater technology, to
provide easier, more flexible updating. Common Updater allows you to download
the latest DAT and virus-scanning engine update files, using an immediate update
or a scheduled update.

About McAfee AutoUpdate Architect


McAfee AutoUpdate Architect software allows you to manage updates to your
entire company’s anti-virus software. McAfee AutoUpdate Architect creates and
maintains internal software repositories where you define exactly which McAfee
anti-virus software updates to deploy to the computers on your network.
When using McAfee AutoUpdate Architect software to keep GroupShield
up-to-date, the Site List provides GroupShield 6.0 with the locations of your
internal anti-virus update repositories.


GroupShield 6.0 is also compatible with McAfee AutoUpdate Architect: you can
import McAfee AutoUpdate Architect Site Lists into GroupShield 6.0, enabling
GroupShield 6.0 to obtain updates from the McAfee AutoUpdate Architect
repositories within your network.

See Importing and exporting configurations on page 188 for more information about
importing site lists into GroupShield 6.0.

Creating a schedule to update GroupShield


Create a schedule to update your GroupShield software.

1 Click on Product Update.


2 Choose when to update.

a Select how frequently you want the update to occur.

b If you select any option other than Immediately, enter further details for the
date, day, month and time (as appropriate) for the update to run.

c Click Next.

3 Enter a task name.

a Enter a unique name for the update.

This enables you to easily locate it at a later date from Scheduled Tasks,
within the View options.

b Click Finish.
GroupShield displays the Scheduled Tasks (see Scheduled tasks on page 91 for
further information) and the update runs at the times defined in the schedule.


On-demand scan
GroupShield scans all messages as they are written to or read from the store.
During these scans, GroupShield uses the installed virus definition (DAT) files to
check for viruses or potentially harmful content within the messages.

On-demand scanning provides a method for scanning all parts of your computer
for viruses, at convenient times or at regular intervals. Use it to supplement the
continuous protection that the on-access scanner offers, or to schedule regular scan
operations when they will not interfere with your work.

You can perform a one-time on-demand scan when you want to scan a file or
location that you believe is vulnerable or suspect of containing a virus infection, or
you can perform scheduled scanning activities at convenient times or at regular
intervals.

Creating a schedule to run an On-demand scan


Create a schedule to run an on-demand scan.

1 Choose when to scan.

a Select how frequently you want the scan to run.

b If you select any option other than Immediately, enter further details for the
date, day, month and time (as appropriate) for the scan to run.

c Click Next.
2 Choose what to scan.

a Select either Scan all folders, Scan selected folders or Scan all except
selected folders.

b If you select Scan selected folders, select the folders to include in the scan.
Click >> to include just the selected folder, or click >>> to include the
selected folder and all its subfolders.
c If you select Scan all except selected folders, select the folders to exclude
from the scan. Click >> to exclude just the selected folder, or click >>> to
exclude the selected folder and all its subfolders.
d Click Next.


3 Resumable scanning.

a Select Enabled to make the scheduled on-demand scan resumable.

b Enter the number of minutes between GroupShield starting the
on-demand scan and the scan pausing.

c Enable Restart from last item to continue the scan from the last item
scanned.
4 Select the on-demand policy to be used by the scheduled scan.

5 Enter a task name.

a Enter a unique name for the on-demand scan.


This enables you to easily locate this scheduled scan at a later date from
Scheduled Tasks, within the View options.

b Click Finish.
NOTE
Once you have scheduled an on-demand scan, you need to
ensure that the On-Demand Scanner Policy is correctly set up.
See Managing items within a policy on page 117.

GroupShield displays the Scheduled Tasks (see Scheduled tasks on page 91 for
further information) and the on-demand scan runs at the times defined in the
schedule.
When a scheduled task is being run, a Progress button is displayed on the running
task. See Viewing the progress of a scheduled task on page 92.

Viewing the Results of an On-Demand Scan


When a scheduled on-demand scan has been run, click the Results button. This
displays the View Detected Items screen, with a query entered that displays the
results from the completed on-demand scan. See Viewing the results of a scheduled
task on page 92.


Status Report
GroupShield 6.0 enables you to schedule status reports, and to e-mail those reports
to named people or distribution groups within your organization.

Creating a schedule to generate a status report


Create a schedule to generate a status report.

1 Choose when to report.

a Select the date, time and repeating frequency for the status report.

b If you select any option other than Immediately, enter further details for the
date, day, month and time (as appropriate) for the report to run.

c Click Next.

2 Choose who to report to.

a Enter the Recipient Email address. This can be either a person or a
distribution list set up within your Microsoft® Exchange system.

b Enter a Subject line for the report.

c Click Next.

3 Enter a task name.

a Enter a unique name for the status report.


This enables you to easily locate this report at a later date from Scheduled
Tasks, within the View options.

b Click Finish.

GroupShield displays the Scheduled Tasks (see Scheduled tasks on page 91 for
further information) and the status report is run at the times defined in the
schedule.

9 Configuring Anti-Virus and Content
To manage the policies that protect your Microsoft® Exchange servers, click
Anti-Virus and Content in the navigation pane. The center of the window displays
the policies and content rules. The workings of the panes of this window are
described next.

• The interface on page 106.
• Managing policies on page 115.
• Managing items within a policy on page 117.
• Managing content rules on page 121.
• Setting up items in the policy on page 128.
• Examples of content rules for messages on page 151.
• Examples of content rules for e-mail messages on page 154.


The interface

Figure 9-1. Interface

The interface has several areas:


Left — see Tree pane on page 106.
Right — see Details pane on page 108.
Top — see Toolbars and buttons on page 113.
Icons used throughout the interface are also described in Icons on page 113.

Tree pane
This pane shows icons that represent the policies and rule groups that you can
manage, for example the Policy icon and the Policy Groups icon.


The icons are organized in a “tree” structure. You can click the “+” symbols to
expand each node and see all parts of the tree. Here you can manage the items —
create, modify, and delete them — by using the buttons in the toolbar above the
tree and details pane, or the menus that appear when you right-click any item in
this pane.

For more information, see Right-click menus in the tree pane and Toolbars and buttons
on page 113.

Right-click menus in the tree pane


To manage items in the tree pane — policies and rule groups — you can select
options from a menu by right-clicking the icon. For example:

Figure 9-2. Typical right-click menu

You can also run many of these same functions using the toolbar icons (described
under Combined icons on page 114) or from the navigation pane.
The following right-click menus are available:

• Policies on page 107.
• Rule groups on page 108.

Policies
Table 9-1. Right-click menu for policies

Menu option     Description
Create Policy   Create a new policy. See Creating a policy on page 115.
Delete Policy   Delete the selected policy. See Deleting policies on page 116.
                (This option is not permitted at the global policy.)
Add Settings    Add extra items, such as content rules, to your policy. See
                Adding rules to the policy on page 117.
Paste           Paste rules that have been cut or copied from other policies.


Rule groups
Table 9-2. Right-click menu for rule groups

Menu option          Description
Create Rule Group    Create a new rule group. See Creating a rule group on page 121.
Export               Export the selected rule group as an XML file. See Exporting
                     rule groups on page 122.
Import               Import a rule group from an XML file. See Importing rule groups
                     on page 122.
Delete Rule Group    Delete the selected rule group. You cannot delete a rule group
                     if it is in use by any policy. See Deleting a rule group on
                     page 123.
Rename Rule Group    Change the name of a rule group. See Renaming a rule group on
                     page 122.
Create Content Rule  Create a new rule. See Creating a rule on page 123.
Assign Rules         Assign a rule or group of rules to a policy. See Assigning rules
                     to a policy on page 126.
Cut, Copy, Paste     Make a copy of the selected rule to create new rules based on it,
                     or to add the rules to a policy. See Creating a rule on page 123.

Details pane
When you select an item such as a rule group in the tree pane, this pane (to the
right) displays the details. See the following table. You can access more
information by clicking the icons listed in the following table.

Table 9-3. Relationship between tree pane and details pane

Icon description   Content of details pane        Description of details pane
Policy             Items within the policy.       See Policy on page 109.
Rule Group         Rules within the rule group.   See Rules on page 111.


Policy
The following table shows part of a typical policy.

Table 9-4. Content of details pane for policies

Item                  Inherited
Scanner Settings
Anti-virus Settings
Content Settings
Corrupt Content
Encrypted Content

• Item — The checkbox on the left of an item indicates whether the item is
available. If the checkbox is greyed, the item is inherited from the global policy,
and therefore you cannot alter it here.

If the checkbox is not greyed, you can disable the content scanning if, for
example, you do not want to use it.

If the checkbox is greyed and selected, you cannot disable the feature. For
example, encrypted content must be handled in some way.

• Inherited — You do not see this column if you are viewing the global policy.
This column uses the following icons to indicate whether an item in the policy
is inherited from the global policy. In other words, it indicates whether this
item is the same as the item in the global policy.

(icon) Inherited
(icon) Not Inherited


• Inherited by — You see this column only if you are viewing the global policy.
The column uses the following icons, and states how many items are inherited
from the global policy.

(icon) This item in the global policy is inherited by other policies.
(icon) This item in the global policy is not inherited by other policies.

To see a brief description of any item in the policy, move your cursor over the text
and wait for a pop-up message to appear.

To sort the items into a different order, click the headings.

To manage the items within a policy, right-click a row to display a menu. The
menu options are briefly described in the following table.

Table 9-5. Right-click menu for items in a policy

Menu option    Description
Add Settings   Add settings such as new content rules and anti-virus settings, and
               specify their actions and any time restrictions. (You cannot add
               extra anti-virus settings to the global policy.)
Paste          Add rules (previously cut or copied) to the selected policy.
Delete         Delete an item. See Deleting items in the policy on page 119.
Edit Settings  Change the details of settings. For some items such as anti-virus
               settings, you can change the action and time restrictions. (You
               cannot change the time value for anti-virus settings in the global
               policy.) Instead of using this menu option, you may double-click
               the row.

The items in the policy are listed in the following table.

Table 9-6. Policy items and procedures

Policy item          Procedure
Anti-Spam            See Scanning for spam on page 136.
Anti-Virus           See Scanning for viruses on page 129.
Content Scanner      See Scanning for content on page 135.
Corrupt Content      See Handling corrupt content on page 150.
Disclaimer Text      See Adding disclaimers on page 146.
Encrypted Content    See Handling encrypted content on page 149.
File Filtering       See Filtering file types on page 141.
Mail Size Filtering  See Limiting the size of e-mail messages on page 144.
Scanner Control      See Preventing denial-of-service attacks on page 129.
Signed Messages      See Handling signed e-mail messages on page 148.

Rules
When you select a rule group in the tree pane, the details pane displays a summary
of its rules. The summary shows each rule by name and description. It also
includes a checkbox so that you can disable any rule, if necessary. The following
table shows an example.

Table 9-7. Example details pane for rule groups

Rule name   Description
Insult 1    One insult
Insult 2    Another insult


To manage the rules within a rule group, right-click a row to display a menu. The
menu options are briefly described in the following table:

Table 9-8. Right-click menu for rules

Menu option          Description
Create Content Rule  Create a new rule. See Creating a rule on page 123.
Edit Content Rule    Modify the content rule. See Changing a rule on page 126.
Assign Rules         Assign selected rules or an entire rule group to the policy
                     associated with a policy group. See Assigning rules to a policy
                     on page 126.
Cut, Copy, Paste     These functions allow you to move rules to other rule groups.
Delete               Delete a rule. See Deleting a rule on page 127.

Policy Groups
When you select a policy group in the tree pane, the details pane displays a list of
the policy groups.
To manage any policy group, right-click its row to display a menu. The menu
options are briefly described in the following table:

Table 9-9. Right-click menu for policy groups

Menu option    Description
Create Policy  Create a new policy. See Creating a policy on page 115.
Delete Policy  Delete the selected policy. See Deleting policies on page 116.
Add Settings   Add settings to the policy group. See Adding rules to the policy on
               page 117.


Icons
The tree pane includes numerous icons, as shown in the following table.

Table 9-10. Icons in the tree pane

• Policies: the container for all the policies.
• Global Policy icon: the container for all global policies.
• A policy group.
• Rule Groups: the container for all the rule groups.
• A rule group.

Toolbars and buttons


The toolbars at the top of the panes contain numerous buttons that help you
perform common tasks quickly. The icons in the toolbars change as you select
items in the panes. The purpose of buttons on this toolbar is described next.

The common buttons in the following table are always available.

Table 9-11. Common buttons

• Copy the selected item.
• Cut the selected item.
• Paste the selected item.
• Display help information.

Some buttons in the toolbars have icons that are made from a combination of other
icons. They include a ‘verb’ to help to describe their function. The verbs are
described in the following table.


Table 9-12. Verbs

Add, Create, Rename, Edit, Reorder, Import, Export, Assign, Delete
(The label appears below the icon.)

The following table shows examples of combined icons:

Table 9-13. Combined icons

• Create a rule group.
• Delete a rule group.
• Import a rule group.
• Export a rule group.
• Create a content rule.
• Assign a content rule.
• Edit a content rule.
• Delete a content rule.
• Create a policy.

Drag and drop feature


In the tree pane, you can drag and drop some icons onto others. Generally, this
feature applies wherever you can perform cut, copy and paste operations.


Managing policies
You can perform the following actions on policies:

• Creating a policy on page 115.
• Deleting policies on page 116.

For more information, see Policies on page 44.

Creating a policy
By default, GroupShield has nine global policies defined. These are:

• On-Access Scanner
• On-Demand (Default)
• On-Demand (Find Viruses)
• On-Demand (Remove Viruses)
• On-Demand (Find Banned Content)
• On-Demand (Remove Banned Content)
• On-Demand (Full Scan)
• Outbreak Manager
• Gateway

If you require a policy that has different settings from the default policies listed
above, you can either modify one of the default policies, or you can create a new
policy based on one of the default policies.
NOTE
Before creating a new policy, ensure that you have already set
up the policy group to which you want the policy to apply.

To create a new policy:


1 In the tree pane, select the policy on which to base your new policy.


2 Right-click the policy, and select Create Policy to open the Create Policy dialog
box.

Figure 9-3. Create Policy dialog box

3 Select the policy groups to which the new policy will apply. To select multiple
policy groups, hold down the <CTRL> key when selecting each policy group.
4 Click OK to close the dialog box.

The new policy appears as an icon in the tree pane. Initially, the new policy is
identical to the policy from which it was created. To change any part of the new
policy, you modify the items in the policy. For information, see Setting up items in
the policy on page 128.

Deleting policies
Occasionally, you may want to delete a policy that you have previously created,
perhaps because you find you do not use it, or because the policy groups to which
it applies are no longer valid.
NOTE
You can only delete policies that you have created. You cannot
delete the default policies.
To delete a policy:

1 In the tree pane, select the policy to be deleted. The details pane displays the
information about the selected policy.

2 Right-click the icon to display the menu, and select Delete Policy.

3 Confirm that you want to delete the selected policy.


NOTE
A deleted policy cannot be restored.

The policy icon is removed.

Managing items within a policy


You can perform the following actions on the items within a policy:

• Adding rules to the policy on page 117.
• Modifying items in the policy on page 118.
• Deleting items in the policy on page 119.

For more information, see Rules and settings within a policy on page 49.
See also Setting up items in the policy on page 128.

Adding rules to the policy


You can add content rules to policies that include content scanning.
NOTE
You cannot add rules to the following policies:
• On-Demand (Find Viruses)
• On-Demand (Remove Viruses)
• Gateway

For more information, see Creating content rules on page 54.

1 In the tree pane, select the policy to which you want to add rules. The details
pane displays the information about the selected policy.


2 In the tree pane, right-click the policy, and select Add Settings from the menu.

Figure 9-4. Add Settings dialog box

3 Under Available Settings, select the required rule groups or rules.


4 Under Properties, specify how GroupShield will respond to viruses and
banned content. For more information, see Setting the actions on page 131.
5 To close the dialog box, click OK.
The rules and any time restrictions on the anti-virus settings appear in the policy.

Modifying items in the policy


1 In the tree pane, select the policy icon. The details pane displays the
information about the selected policy.
2 In the policy, right-click any item under the Setting column, and select Edit
Settings from the menu to open a dialog box.

3 Make your changes in the dialog box. For information about using each dialog
box, refer to the item in the following table.


Table 9-14. Policy items and procedures

Policy item               Procedure                                           For more information, see:
Anti-virus Settings       Scanning for viruses on page 129.                   Scanning for viruses on page 50.
Content Settings          Scanning for content on page 135.                   Scanning for content on page 52.
Corrupt Content           Handling corrupt content on page 150.               Handling corrupt content on page 65.
Disclaimer Text Settings  Adding disclaimers on page 146.                     Adding disclaimers on page 63.
Encrypted Content         Handling encrypted content on page 149.             Handling encrypted content on page 63.
File Filtering            Filtering file types on page 141.                   Filtering of files on page 62.
Mail Size Filtering       Limiting the size of e-mail messages on page 144.   Limiting the size and numbers of attachments on page 64.
Scanner Settings          Preventing denial-of-service attacks on page 129.   Preventing denial-of-service attacks on page 65.
Signed Messages           Handling signed e-mail messages on page 148.        Handling digital signatures on page 64.
Anti-spam Settings        Scanning for spam on page 136.                      Scanning for spam on page 59.

NOTE
Not all of these policy items appear in all policies. For
example, Anti-Spam Settings only appear in the Gateway
policy when the anti-spam add-on has been installed.

Deleting items in the policy


You can delete any item that you have added to a policy, whether it is a default
policy or one that you have created.
NOTE
You cannot delete any of the items that appear in policies by
default.

To delete policy items:

1 In the tree pane, select the policy icon. The details pane displays the
information about the selected policy.


2 In the policy, select the item to be removed. Right-click and select Delete from
the menu.
NOTE
If the Delete option is unavailable, the selected item is part of
the default configuration for the selected policy and cannot be
deleted.

3 Confirm that you want to delete the selected policy item.


NOTE
A deleted policy item cannot be restored.

The item is removed from the policy.


Managing content rules


You can perform the following actions on content rules. For more information, see
Creating content rules on page 54.

• Creating a rule group on page 121.
• Exporting rule groups on page 122.
• Importing rule groups on page 122.
• Renaming a rule group on page 122.
• Deleting a rule group on page 123.
• Creating a rule on page 123.
• Changing a rule on page 126.
• Deleting a rule on page 127.
• Assigning rules to a policy on page 126.


When it is first installed, GroupShield contains some example rules that you can
enable and modify.

Creating a rule group


You can create a completely new rule group, or copy and modify another. For
more information, see Creating content rules on page 54.
To create a new rule group:

1 In the tree pane, right-click the Rule Groups icon or any rule group, and select
Create Rule Group from the menu.

2 In the Create Rule Group dialog box, enter a suitable unique name.
The new rule group is added below the Rule Groups icon.
To create a rule group from a copy:

1 In the tree pane, right-click the original rule group, and select Copy from the
menu.

2 Right-click again, and select Paste. The copied rule group appears with a name
based on the original.

3 Right-click the new rule group and select Rename Rule Group from the menu.
4 Enter the new name in the dialog box, and click OK.

Note that your new rule group is not assigned to any policies, even if the original
rule group was assigned.


Exporting rule groups


For more information, see Importing and exporting content rules on page 53.

To export a rule group:


1 Right-click the Rule Groups icon, and select Export from the menu.

2 In the Select Items To Export dialog box, select the rule groups and rules.

Note that a rule is always exported as part of its rule group.


3 Click OK to open the Choose Export File dialog box.

4 Select the folder where you want to save the exported rule groups.
5 Enter a file name or select an existing file, then click OK to close the dialog box.
An XML file is created.

Importing rule groups


For more information, see Importing and exporting content rules on page 53.
To import a rule group:

1 Right-click the Rule Groups icon, and select Import from the menu.

2 In the Choose Import File dialog box, select the XML file, and click Open.

3 If some rules in the XML file have similar names, choose which to accept in the
Replace Existing Rules dialog box.

The new rules are added below the Rule Groups icon.

Renaming a rule group


You normally rename a rule group if you have copied it from an existing rule
group. If you have a large number of rule groups, renaming can help you
recognize each rule group more easily.

To rename a rule group:


1 Right-click the rule group, and select Rename Rule Group from the menu.

2 Enter the new name in the dialog box, and click OK. The name must be unique.

The rule group is renamed. Any occurrences of the rule group within policies are
renamed automatically.


Deleting a rule group


If a rule group is no longer in use, you may delete it. You cannot delete a rule group
that is currently assigned to a policy.

To delete a rule group:


1 In the tree pane, right-click the rule group, and select Delete Rule Group from
the menu.
2 Confirm that you want to delete the selected rule group.
NOTE
A deleted rule group cannot be restored.

The rule group is removed.

Creating a rule
Each rule must belong to a rule group. You can add your new rule to an existing
group, or you can create a new rule group for your new rule. See Creating a rule
group on page 121.
You can also create a new rule by copying an existing rule, then renaming it, and
changing its details.
To create a rule:

1 Under the Rule Groups icon, select the rule group. The details pane shows the
rules within the group.

2 In the details pane, right-click anywhere, and select Create Content Rule from
the menu to open the New Content Rule dialog box.

Figure 9-5. New Content Rule dialog box

3 Enter the rule name and its description. For more information, see Giving a
name and description to the rule on page 54.


4 Click Add Condition to open a dialog box.

Figure 9-6. Add Condition dialog box

5 Enter the word or phrase, select the checkboxes as required, and click OK.

6 If you are only trying to stop a simple phrase, go to Step 11.


To create a more complex rule, click Advanced to expand the dialog box.

7 Choose an option under Select a condition .... See Words in context with other
words on page 56 for more information.

8 Click Add to open the Add Banned Phrase dialog box.

Figure 9-7. Add Banned Phrase dialog box

9 Enter an additional phrase, and click OK. The phrase is added below
Additionally look for ....

10 Use Add, Edit and Delete to build more complex rules. See Adding optional
advanced features on page 56 for more information.
If you set a value for Within a block of characters in some combinations of Starts
with and Ends with, GroupShield might prompt you to adjust the value.


11 Click OK. The File Formats dialog box opens, allowing you to decide where the
rule applies.

Figure 9-8. File Formats dialog box

12 Select the general group in the left list, then select or deselect individual
formats in the right list. You may use Select All and Clear to select and deselect
formats quickly. As you make your selections in the right list, icons in the left
list change accordingly:

All formats are selected in this group.

Some formats are selected in this group.

No formats are selected in this group.

13 Click OK to return to the New Content Rule dialog box. The rule is displayed in
the pane.

14 You can modify the rule in several ways:

• Add a further condition to trigger the rule by clicking Add Condition.


• Edit an existing rule condition by double-clicking the blue text.
• Add an alternative term to a selected condition by clicking Insert Phrase.
• Delete a selected condition by clicking Delete.

Changing a rule
To change a rule:

1 Select the rule group under the Rule Groups icon. The details pane displays the
names of the rules.
2 In the details pane, right-click the rule name in the Rule Name column, and
select Edit Content Rule to open a dialog box.
3 Make changes to the rule. The dialog box is similar to that described in Creating
a rule on page 123.

Assigning rules to a policy


Although you build a rule in isolation, it becomes effective only when you assign
the rule to a policy. You can assign either a single rule to a policy — or a number
of policies — or you can assign a rule group and all the rules that are contained
within it.
1 Select the rule group under the Rule Groups icon. The details pane displays the
names of the rules.
2 In the details pane, select the rules in the Rule Name column, then right-click,
and select Assign Rules to open a dialog box.


Figure 9-9. Assign Rule dialog box

NOTE
When applying a rule group to a policy, the dialog box is
slightly different from the one shown above. The Assign selected
rules only and Assign entire rule group options are not
displayed.
3 Choose to assign the selected rules, or an entire rule group.
4 Under To the following policies, select the policies to which the rule or rule
group is to be assigned.
NOTE
Any policies that are disabled cannot have rules assigned to them.
5 Under When banned content is found, take the following action: select the
required action.
6 Click OK to close the dialog box.

Deleting a rule
To delete a rule:
1 Select the rule group under the Rule Groups icon. The details pane displays the
names of the rules.
2 In the details pane, right-click the name in the Rule Name column, and select
Delete.


3 Confirm the deletion. Note that a deleted rule cannot be restored.

The rule is removed from the details pane.

Setting up items in the policy


For more information, see Policies on page 44.

• Preventing denial-of-service attacks on page 129.
• Scanning for viruses on page 129.
• Scanning for content on page 135.
• Scanning for spam on page 136.
• Filtering file types on page 141.
• Limiting the size of e-mail messages on page 144.
• Adding disclaimers on page 146.
• Handling signed e-mail messages on page 148.
• Handling encrypted content on page 149.
• Handling corrupt content on page 150.

See also Managing items within a policy on page 117.


Preventing denial-of-service attacks


You can set the anti-virus and content scanners to limit the scanning in order to
overcome performance problems caused by a complex file or a denial-of-service
attack. For more information, see Preventing denial-of-service attacks on page 65.

To protect against a denial-of-service attack:

1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Scanner Control to open a dialog box.

(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

Figure 9-10. Scanner Control dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 Under Denial of Service Protection, enter some suitable values.


For Scan into maximum depth ..., we recommend 100.

If you intend to scan HTML files, this value must be 2 or more.

For Do not expand ..., we recommend a maximum value of 500.


6 Click OK to return to the policy.

Scanning for viruses


When you create a policy item for scanning viruses (and other potentially
unwanted software), you need to consider the following:
n What action to take when a virus is found. See Setting the actions on page 131.


n How to handle malicious mail. See Protecting against specific threats on page 132.
n How to ensure that the anti-virus protection is up to date. See Ensuring your
anti-virus protection is current on page 133.
n What level of anti-virus protection you need. See Setting the level of protection on
page 132.
n What alert message to display when a virus is detected.

To specify how GroupShield applies virus scanning:

1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Anti-Virus to open a dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

Figure 9-11. Anti-Virus dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box, and return to the policy.


4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 If you do not want anti-virus scanning in this policy, deselect Enable ..., then
click OK to close this dialog box and return to the policy.

6 To change the action, select the blue text next to Action and use the dialog box.
See Setting the actions on page 131.

7 To change the handling of malicious mailers, select the blue text beside
Malicious mail action. See Protecting against specific threats on page 132.

8 Set the level of protection. See Setting the level of protection on page 132.
9 To protect against denial-of-service attacks, enter a value in Maximum scan time
per item. The minimum value is one minute. We recommend 15 minutes when
in use on a server.
NOTE
An item can be a message or an attachment. A message that
contains several attachments, or an attachment such as a .ZIP
file, is regarded as several items, not one item.

10 Under Alert, enter the text that will appear in the infected document/message.
To view the text in its finished form, click Preview.

11 Click OK to return to the policy.

The dialog box closes, and GroupShield displays the updated policy.

Setting the actions


At this dialog box, you specify how GroupShield will handle any viruses that it
detects.

Figure 9-12. Anti-virus — Actions dialog box


1 To clean any virus, select Attempt to clean, and optionally specify any further
actions.

2 Specify how GroupShield will handle a virus if cleaning fails.


3 Click OK to return to the main dialog box (Step 6 on page 131).

Protecting against specific threats


To learn more about this type of protection, see Blocking specific threats on page 52.

1 Click the blue text next to Custom malware actions to open a dialog box.

Figure 9-13. Anti-Virus — Custom Malware Actions dialog box

2 Select the threats and the action to take.

3 Click OK to return to the main dialog box (Step 7 on page 131).

The dialog box closes, and GroupShield displays the updated policy.

Setting the level of protection


For more information, see Setting the level of scanning and type of protection on
page 50.


Under Level of protection, choose from the following levels:


n High — Most secure. Scans all files, including compressed files.

n Medium — Scans executables, Microsoft Office and compressed files.

n Low — Least secure. Scans executables and Microsoft Office files.

n Custom — You choose what types of file to scan and a range of scanning
options. For details, see Customizing the settings on page 133.

Continue from Step 8 on page 131.

Ensuring your anti-virus protection is current


To ensure your anti-virus protection is current, examine the details in the
Anti-Virus dialog box under Scanner information. You can confirm the numbers for
the latest engine and virus definition (DAT) file by referring to our web site. The
date is also useful. The DAT files are normally updated weekly but sometimes
more often.
To update engine and virus definition (DAT) file, see Product update on page 100.

Customizing the settings


For more information about this feature, see Customizing anti-virus settings on
page 51.

To customize your virus scanning:


1 In the Anti-Virus dialog box under Level of Protection, select Custom, and click
Settings to open the Custom Settings dialog box.


Figure 9-14. Anti-virus settings — Custom Settings dialog box

2 Select the types of file to scan.

For highest security, choose Scan all files, but be aware that this might affect
performance.

Default types are the most susceptible types. To see a list of default file types,
click View.

To create your own list of file types, select Scan defined file types, and click Edit
to open the File extensions dialog box.

Figure 9-15. File extension dialog boxes

In this dialog box, use Add, Edit and Delete to create your own list.


To create a defined list based on the default list, click Add defaults, then use the
other buttons to build the list.

3 Click OK to return to the Custom Settings dialog box.


4 Click OK to return to the main dialog box (Step 8 on page 131).

The dialog box closes, and GroupShield displays the updated policy.

Scanning for content


(To create the content rules, see Managing content rules on page 121.)

To specify how GroupShield applies content scanning:

1 In the tree pane, select the policy icon. The details pane displays the policy.

2 In the policy, double-click Content Scanner to open the dialog box.


(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

Figure 9-16. Content Scanner dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 If you do not want content scanning in this policy, deselect Enable ..., then click
OK to close this dialog box and return to the policy.


6 To scan for text strings within all attachments, select Extend text scanning to all
attachments.

7 Write the text to replace the banned content. Use either plain text or HTML
format. You may use tokens so that GroupShield can insert extra details:

w %FILTERNAME% — substitutes the names of the rule groups that were
triggered, for example: Profanity.
w %FILTERCONTEXT% — substitutes a list of the rules that were triggered,
each with its rule group name, for example: “Profanity > Rule1, Profanity >
Rule2”. (Rule1 and Rule2 were both triggered in the Profanity group.)
w %ATTACHMENTNAME% — substitutes the name of the attachment that
triggered the rule, for example: test1.eml.
w %ATTACHMENTCONTEXT% — substitutes more detail about the
attachment that triggered the rule.
8 Click OK to return to the policy.

The dialog box closes, and GroupShield displays the updated policy.

Scanning for spam


To specify how GroupShield scans for spam:

1 In the tree pane, select the policy icon. The details pane displays the policy.

2 In the policy, double-click Anti-Spam to open a dialog box.


Figure 9-17. Anti-Spam dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 If you do not want to scan for spam in this policy, deselect Enable ..., then click
OK to close this dialog box and return to the policy.

6 To take action against spam, click each of the three “score” lines under
Properties Summary to open the Action dialog box.

NOTE
If you use these dialog boxes, be aware that you can block
legitimate messages. We recommend that you experiment
first with the use of quarantine and a prefix to subject lines.


Figure 9-18. Anti-spam Action dialog box

7 Select When the spam score is, and specify the spam score. You can select from
low, medium, or high values which are 5, 10 and 15 respectively. Alternatively,
you can enter a custom value.
For example, you can choose to quarantine messages that have a low spam
score, and block messages that have a high spam score.
8 To make any changes to the blacklist and whitelist, click Blacklist and whitelists
to open a dialog box.


Figure 9-19. Black and white list dialog box

9 In the Whitelists and Blacklists dialog box, use Add, Edit, and Remove to build
your lists. You can create lists for e-mail messages sent to or from specific e-mail
addresses. To transfer these lists for use on other computers, click Export.
Entries in the list can contain the asterisk character ‘*’ as a wildcard in order to
match portions of an address, such as an entire domain. For example:

*@example.com Refers to all users at example.com.
user1@example.* Refers to user1 at example.net, example.com,
example.org and so on.


10 To disable any anti-spam rules, click Disabled Rules to open a dialog box.

Figure 9-20. Disabled rules dialog box

11 In the Disabled Rules dialog box, use Add and Remove to modify the list.


Filtering file types


For more information, see Filtering of files on page 62.

To restrict the use of files:


1 In the tree pane, select the policy icon. The details pane displays the policy.

2 In the policy, double-click File filtering to open the dialog box.

Figure 9-21. File Filtering dialog box

(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.

4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 If you do not want file filtering in this policy, deselect Enable ..., then click OK
to close this dialog box and return to the policy.


6 Add the rules. See Adding a new file-filtering rule.


7 Select an action to take when no file filtering applies.

8 Under Replace banned files ..., specify the text (in plain text or HTML format)
that will replace any banned item. To view the text in its finished form, click
Preview.

9 Click OK to return to the policy.

The dialog box closes, and GroupShield displays the updated policy.

Adding a new file-filtering rule


To add a new file-filtering rule:
1 Click Create in the File Filtering dialog box to open the Create Rule dialog box.
Here you can specify the file names, file types and file formats.

Figure 9-22. File Filtering — Create Rule dialog box


2 At Rule name, enter an accurate description for your new rule. Remember that
over time, your list of rules might become large, so accurate naming is
important.
3 Under When the rule applies ..., select an action such as blocking.

4 To act on a particular file, enter its full name. Note that case is not important.
For example, you may enter GOODGAME.EXE or goodgame.exe.

5 To act on a family of files, use the wildcard asterisk symbol (*).

For example:
*.EXE refers to all files that have the file name extension “.EXE”, such as
GOODGAME.EXE and AB.EXE.

FILE.* refers to files such as FILE.EXE, FILE.AB, FILE.TXT.HTM, FILE.
(which has a final dot), and FILE.1 but not FILE alone.

6 To act on files with a particular format, select When the file format is. In the table
below the checkbox, select a format in the left list and then select individual
formats in the right list.
Icons in the left list change as you select or deselect items in the right list:

All formats are selected in this group.

Some formats are selected in this group.

No formats are selected in this group.

You can use Select all and Clear to select and deselect formats quickly.
7 To act on files of a certain size, select When the file size is and set other details.
NOTE
The selections in Step 4 to Step 7 act in combination.
For example, to create a rule that acts on large program files,
detect “*.EXE” files that are greater than 10MB.

8 Click OK to return to the main dialog box (Step 6 on page 142). The rule is
enabled.

9 To disable the rule, deselect the checkbox next to the rule name.


Managing the file-filtering rules


Buttons on the File Filtering dialog box enable you to manage the rules.

Table 9-15. Buttons on the File Filtering dialog box

Button               Action
Create               Create a new file-filtering rule.
Edit                 Edit the selected rule.
Delete               Delete the selected rule.
Move up, Move down   Change the priority of the selected rule. Rules at the top of
                     the list are applied first.

Limiting the size of e-mail messages


Large e-mail messages, and especially those with large attachments or a large
number of attachments, can seriously affect the performance of a network. When
you apply settings to control these, we recommend that you consider carefully
whether individual policies need to differ from the global policy. The constraints
might seriously disrupt the workings of some departments within your
organization.
To restrict the size of e-mail messages:

1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Mail Size Filtering to open the dialog box.
(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)


Figure 9-23. Mail Size Filtering dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 Select Mail Size Filtering to enable this feature.


6 Optionally, specify how to handle any large e-mail message. Double-click on
the blue text to open the Action dialog box.

Figure 9-24. Action dialog box

Specify a limit to the overall size of any e-mail message and the action to take
against it, such as blocking. Click OK to close the dialog box.
7 If you do not want to limit the number of attachments, select Allow all
attachments. Otherwise, select Remove attachments if, then select from the
checkboxes.

GroupShield replaces unwanted multiple attachments with a single warning
message. It does not issue a warning when removing big attachments.

8 Click OK to return to the policy.


The dialog box closes, and GroupShield displays the updated policy.

Adding disclaimers
A disclaimer can be added to all incoming and outgoing e-mail messages. For
examples of disclaimers, see Adding disclaimers on page 63.

To specify how to use disclaimers:


1 In the tree pane, select the policy icon. The details pane displays the policy.

2 In the policy, double-click Disclaimer Text to open the dialog box.

(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)


Figure 9-25. Disclaimer Text dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 If you do not want to use disclaimers in this policy, deselect Enable ..., then
click OK.
6 Select the position for the disclaimer text.

7 Choose how to handle signed messages.


8 Enter the disclaimer text as plain text or in HTML format.
9 Click OK to return to the policy.

The dialog box closes, and GroupShield displays the updated policy.


Handling signed e-mail messages


The digital signature in a message might no longer be valid if GroupShield has
cleaned a virus or removed an attachment. For more information, see Handling
digital signatures on page 64.

To specify how to handle signed messages:

1 In the tree pane, select the policy. The details pane displays the policy.
2 In the policy, double-click Signed Messages to open the dialog box.

(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

Figure 9-26. Signed Messages dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 Select the action that GroupShield must take when a signed message is
detected. These options are described in Handling digital signatures on page 64.
6 Select any other actions.

7 Click OK to return to the policy.

The dialog box closes, and GroupShield displays the updated policy.


Handling encrypted content


Scanners cannot read encrypted content, so you must specify how GroupShield
will handle this. For more information, see Handling encrypted content on page 63.

1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Encrypted Content to open the dialog box.

(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

Figure 9-27. Encrypted Content dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 Select an action, such as blocking.


6 Click OK to return to the policy.

The dialog box closes and GroupShield displays the updated policy.


Handling corrupt content


Scanners and other applications can have difficulty reading corrupt content, so
you must specify how GroupShield will handle this type of content. For more
information, see Handling corrupt content on page 65.

To specify how to handle corrupt content:

1 In the tree pane, select the policy icon. The details pane displays the policy.
2 In the policy, double-click Corrupt Content to open the dialog box.

(If you are making changes within the global policy, you do not see the Inherit
settings from ... checkbox.)

Figure 9-28. Corrupt Content dialog box

3 To inherit settings from the global policy, select Inherit settings from ..., then
click OK to close this dialog box and return to the policy.
4 To modify settings here to create an individual policy, deselect Inherit settings
from ....

5 Select the action that GroupShield must take when it detects corrupt content,
such as blocking.
6 Select any other actions.

7 Click OK to return to the policy.

The dialog box closes and GroupShield displays the updated policy.


Examples of content rules for messages


This section describes how you can use content rules in your policies.

n Blocking simple file name traps on page 151.

n Blocking joke programs on page 152.


n Blocking entertainment files (images, movies, audio) on page 152.

n Keeping information confidential on page 153.

See also Examples of content rules for e-mail messages on page 154 and Testing a new
content rule on page 162.

Blocking simple file name traps


One common trick employed by writers of potentially unwanted software is to use
an unusual extension to mislead the user about the contents of a file or document.
File names such as readme.txt are common, and therefore a readme.exe might
be mistaken for a text file when it is really an executable program that probably
contains a virus. Similarly, a tempting file name like YouMustReadThis.vbs might
be unwanted software; it carries the extension “.vbs” which denotes a Visual Basic
script.
Furthermore, in Microsoft Windows Explorer, you may hide file extensions. In that
case, a file called readme.txt or readme.exe appears as readme. Similarly, a file
called readme.txt.exe appears as readme.txt. This technique of using a double
extension (in this case .txt.exe) presents a simple trap for any user who
double-clicks the file to open it and inadvertently activates a virus.
To protect against simple file name traps, create a content rule that detects files
with double-extension names, by using wildcard characters such as *.*.* or
*.???.???.

For more information, see Creating content rules on page 54 and Managing content
rules on page 121.


Blocking joke programs


A joke program is any program that plays a trick on the user, such as opening the
CD disk drive or displaying an annoying message. It is not necessarily a virus.

To protect against joke programs:


1 In the policy, select Anti-Virus.

2 In the dialog box under Level of Protection, select Custom and click Settings.

3 In the next dialog box, select Find joke programs. (Find malicious programs is
automatically selected.)

4 Click OK to close the dialog box, and return to the Anti-Virus dialog box.
5 Click OK to close the dialog box, and return to the policy.

Blocking entertainment files (images, movies, audio)


Entertainment files have extensions such as .JPG, .MPEG, and .AVI, and you can
block them by filtering those files.

To block entertainment files:


1 Select File Filtering in the policy.

2 At the dialog box, ensure that file filtering is enabled.

3 Create a new rule and give it a name.

4 Specify the actions.

5 Select When the file name is, and click Add.

6 In the next dialog box, add the banned file name extensions.
7 Click OK to close the dialog box.
For full details, see Filtering file types on page 141.
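The wildcard convention used by the black and white list entries on page 139, the file-filtering rules on page 143, the double-extension trap rule on page 151 and the entertainment-file rule above is the same in each case. The following Python is an added example, not GroupShield code, that implements that convention together with a first-match rule list; the rule fields, the priority order and the assumption that a rule's conditions all combine are taken from the guide's wording, not from the product.

```python
"""Added example (not GroupShield code): the wildcard convention shared by the
black/white list entries, the file-filtering rules and the double-extension trap
rule, plus a first-match rule list. Rule fields, priority order and the
"all conditions combine" behaviour are assumptions drawn from the guide's wording."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern into an anchored, case-insensitive regex.

    '*' matches any run of characters, including none (so FILE.* matches 'FILE.'
    but not 'FILE', because the dot is literal); '?' matches exactly one
    character (so *.???.??? wants two three-character extensions).
    """
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile(rf"\A{body}\Z", re.IGNORECASE)


def wildcard_match(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).match(value) is not None


@dataclass
class FileFilterRule:
    """One row of the File Filtering dialog box (hypothetical field names)."""
    name: str
    action: str                          # e.g. "block" or "quarantine"
    name_patterns: Sequence[str] = ()    # "When the file name is": any pattern may match
    min_size: Optional[int] = None       # "When the file size is": greater than, in bytes

    def applies(self, filename: str, size: int) -> bool:
        # Step 4 to Step 7 act in combination: every condition that is set must hold.
        if self.name_patterns and not any(wildcard_match(p, filename) for p in self.name_patterns):
            return False
        if self.min_size is not None and size <= self.min_size:
            return False
        return True


def evaluate(rules: Sequence[FileFilterRule], filename: str, size: int,
             default_action: str = "allow") -> Tuple[Optional[str], str]:
    """Rules at the top of the list are applied first; the first match decides."""
    for rule in rules:
        if rule.applies(filename, size):
            return rule.name, rule.action
    return None, default_action   # "action to take when no file filtering applies"


MB = 1024 * 1024

# Constructed sample rule list, in priority order.
RULES = [
    FileFilterRule("Large program files", "block", ["*.EXE"], min_size=10 * MB),
    # Double-extension traps such as readme.txt.exe. *.*.* is the broader net: it also
    # catches legitimate names such as archive.tar.gz, so quarantine rather than delete.
    FileFilterRule("Double-extension traps", "quarantine", ["*.*.*", "*.???.???"]),
    FileFilterRule("Entertainment files", "block", ["*.JPG", "*.MPEG", "*.AVI"]),
]

# Constructed sample white list entries using the page 139 wildcard forms.
SENDER_WHITELIST = ["*@example.com", "user1@example.*"]


def sender_whitelisted(address: str) -> bool:
    return any(wildcard_match(p, address) for p in SENDER_WHITELIST)


if __name__ == "__main__":
    for name, size in [("GOODGAME.EXE", 12 * MB), ("goodgame.exe", 400_000),
                       ("readme.txt.exe", 2_000), ("holiday.jpg", 90_000)]:
        print(f"{name:16} {size:>10} -> {evaluate(RULES, name, size)}")
    for addr in ["user1@example.net", "user2@example.com", "user99@AnotherCompany.com"]:
        print(f"{addr:28} whitelisted={sender_whitelisted(addr)}")
```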


Keeping information confidential


If your organization prefers that details of a new event, product or project are
discussed only inside the immediate team, you can prevent the name being
discussed in e-mail messages.

For example, your company plans to release a new product called SuperThing. To
prevent anyone outside the project team knowing about the product, you need to
detect the word inside any published document. Create a rule called “Confidential
project information,” and specify SuperThing as the word on which to trigger the
rule.

As a second example, your organization plans to launch the new product in
January. The date must be kept secret. Announcements like this must not be made
available to the whole organization:
We are ready to launch SuperThing in January.

Before that date, less harmful messages will discuss the product’s details and
preparations for its launch. Other products will also be launched, but their dates
are less relevant. You do not want to block this information:
The agenda for tomorrow’s meeting:
1 Progress towards the launch of SuperThing
2 How to reduce our stationery costs
3 Launch of MegaBox in January

You can create a rule that triggers only when the two words — SuperThing and
January — are close to each other, perhaps within 30 characters.

As a final example, your organization is planning to promote Mr. Jones to the
position of CEO, but this information must not be announced yet. Your rule must
trigger on the combination of two words — CEO and Jones.


Examples of content rules for e-mail messages


If your organization relies heavily on e-mail messages to conduct its business, it is
important to be able to block any e-mail messages that are distracting or offensive.
Content scanning enables you to create rules that detect the appearance of words
and phrases in many situations and combinations, as in the following examples:
n Preventing e-mail leaving your organization on page 155.

n Blocking hoaxes on page 155.


n Keeping information confidential on page 156.

n Controlling the flow of important information on page 157.

n Reducing network load on page 157.

n Blocking offensive words on page 157.

n Stopping nuisance e-mail messages on page 158.

n Reducing distracting advertisements on page 158.

n Blocking games on page 158.

n Reducing unsolicited e-mail messages (spam) on page 158.

Each example described here can block an e-mail message — by destroying it, or
by moving it to a quarantine area where it can be examined later. You need to
be aware of local legislation that affects how e-mail may be treated. See Considering
legal implications on page 47.
You use similar stages when creating these rules:
1 Specify the combination of words and phrases, as described in the example.
For details, see Creating a rule on page 123.
Next, you choose where the rule applies.

2 In the File Formats dialog box, choose Applies to all selected file formats.
3 Deselect all the formats except E-mail messages, then select the required part
— such as sender, recipient, or subject line.
4 Click OK to close the dialog box.

5 Assign the rule to a policy that applies to the group of users, and choose a
blocking or quarantine action. For details, see Adding rules to the policy on
page 117.


Preventing e-mail leaving your organization


If a group of employees use e-mail within the organization only, you can prevent
them sending e-mail messages outside the organization. All such employees must
come under the same policy group in order to apply this rule to them all.

For example, if your organization has e-mail addresses such as user1@example.com,
your rule must allow through messages for a recipient such as user2@example.com
but must block an e-mail address such as user99@AnotherCompany.com.

To do this, you create a rule that triggers on the name of the recipient when it has
the @ symbol but does not have your organization’s domain name (such as
example.com). This is described briefly here.

To prevent e-mail leaving your organization:


1 Create a rule. For details, see Creating a rule on page 123.

2 Add a condition, with the trigger word such as @.

3 Click Advanced, and select the condition Trigger if NONE ....

4 Click Add, and enter your organization’s mail domain, for example,
example.com.

5 Click OK to close the dialog box, and open the File Formats dialog box.

6 Choose Apply to selected.

7 Deselect all the formats except Recipient in E-mail messages.

8 Click OK to close the dialog box.

9 Assign the rule to a policy that applies to the group of users, and choose a
blocking action. For details, see Assigning rules to a policy on page 126.

Blocking hoaxes
A hoax often appears as an e-mail message that fools readers into thinking that
their computers have been infected by a virus, or that warns them of some
fictitious virus that might arrive soon. Such hoaxes often have a predictable subject
line, such as “Read this Virus Warning immediately,” which you can configure
GroupShield to detect.

To protect against hoaxes, create a content rule that detects phrases such as “virus
warning” in the subject line of the e-mail message.

For more information, see Creating content rules on page 54 and Managing content
rules on page 121.


Keeping information confidential


If your organization prefers that details of a new event, product or project are not
discussed outside the company, you can prevent the name being discussed in
outbound e-mail messages. Sometimes information can be inadvertently passed
onto unintended recipients. This can happen when a long e-mail discussion (or
thread) takes place about a confidential matter. Later, the discussion changes to
something less confidential, then the whole message is sent in an outbound e-mail
message.
For example, your company plans to release a new product called SuperThing. To
prevent anyone outside the organization knowing about the product, you need to
detect the word inside each e-mail message.

You create a rule called “Confidential product information” and apply this rule to
a plain-text attachment, the body of the message, and the subject line of message.
You specify SuperThing as the word on which to trigger the rule.

As a second example, your organization plans to launch the new product,
SuperThing, in January. The date must be kept secret. Messages like this must not
leave the organization:
We are ready to launch SuperThing in January.

Before that date, less harmful e-mail messages will discuss the product’s details
and preparations for its launch. Other products will also be launched, but their
dates are less relevant. You do not want to block this message:
The agenda for tomorrow’s meeting:
1 Progress towards the launch of SuperThing
2 How to reduce our stationery costs
3 Launch of MegaBox in January

You can create a rule which triggers only when the two words — SuperThing and
January — are close to each other, perhaps within 30 characters.

As a final example, your organization is planning to promote Mr. Jones to the
position of CEO, but this information must not be announced yet. Your rule must
trigger on the combination of two words — CEO and Jones.
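The content rules described on pages 153 to 156 (a single trigger word, two words within 30 characters of each other, a combination of two words anywhere, and the recipient rule that triggers on @ unless the organization's own domain is present) can be modelled in a few dozen lines. The following Python is an added example, not GroupShield code; its field names, its distance measure and its rendering of the %FILTERNAME% and %FILTERCONTEXT% tokens from page 136 are assumptions, and the rule set and sample messages are constructed from the guide's examples.

```python
"""Added example (not GroupShield code): a minimal evaluator for the content
rules described on this page, covering a single trigger word, two words in
proximity, the 'Trigger if NONE' exception, the message parts a rule applies to,
and the %FILTERNAME% / %FILTERCONTEXT% tokens of the replacement text.
Field names, matching order and the distance measure are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class ContentRule:
    group: str
    name: str
    trigger: str                      # word or phrase that must appear (case-insensitive)
    applies_to: Sequence[str]         # message parts: "subject", "body", "recipient", "attachment"
    near: Optional[str] = None        # optional second word that must also appear ...
    within: Optional[int] = None      # ... within this many characters (None = anywhere in the part)
    none_of: Sequence[str] = ()       # Advanced: trigger only if NONE of these strings appear

    def matches(self, text: str) -> bool:
        low = text.lower()
        starts = _positions(self.trigger, low)
        if not starts:
            return False
        if any(x.lower() in low for x in self.none_of):
            return False                               # the exception wins
        if self.near is None:
            return True
        near_starts = _positions(self.near, low)
        if not near_starts:
            return False
        if self.within is None:
            return True                                # plain combination: both words present
        # Proximity: the distance between the end of one word and the start of the
        # other must not exceed `within` for at least one pair of occurrences.
        return any(
            _gap(a, len(self.trigger), b, len(self.near)) <= self.within
            for a in starts for b in near_starts
        )


def _positions(needle: str, haystack_lower: str) -> List[int]:
    return [m.start() for m in re.finditer(re.escape(needle.lower()), haystack_lower)]


def _gap(a_start: int, a_len: int, b_start: int, b_len: int) -> int:
    if a_start <= b_start:
        return b_start - (a_start + a_len)
    return a_start - (b_start + b_len)


def scan(message: Dict[str, str], rules: Sequence[ContentRule]) -> List[Tuple[ContentRule, str]]:
    """Return every (rule, message part) pair that fires for this message."""
    hits: List[Tuple[ContentRule, str]] = []
    for rule in rules:
        for part in rule.applies_to:
            if part in message and rule.matches(message[part]):
                hits.append((rule, part))
    return hits


def render_notice(template: str, hits: Sequence[Tuple[ContentRule, str]]) -> str:
    """Fill %FILTERNAME% (rule groups) and %FILTERCONTEXT% (group > rule) as on page 136."""
    groups = list(dict.fromkeys(rule.group for rule, _ in hits))
    context = list(dict.fromkeys(f"{rule.group} > {rule.name}" for rule, _ in hits))
    return (template.replace("%FILTERNAME%", ", ".join(groups))
                    .replace("%FILTERCONTEXT%", ", ".join(context)))


# Constructed rule set mirroring the guide's examples.
RULES = [
    ContentRule("Confidential", "SuperThing launch date", "SuperThing",
                ["subject", "body"], near="January", within=30),
    ContentRule("Confidential", "CEO appointment", "CEO", ["subject", "body"], near="Jones"),
    ContentRule("Outbound", "External recipient", "@", ["recipient"], none_of=["example.com"]),
    ContentRule("Hoax", "Virus warning subject", "virus warning", ["subject"]),
]

# Constructed agenda from the guide: SuperThing and January are 62 characters apart.
AGENDA = ("The agenda for tomorrow's meeting:\n"
          "1 Progress towards the launch of SuperThing\n"
          "2 How to reduce our stationery costs\n"
          "3 Launch of MegaBox in January")

NOTICE = "Blocked by %FILTERNAME%: %FILTERCONTEXT%"


def fired(message: Dict[str, str]) -> List[str]:
    return [rule.name for rule, _ in scan(message, RULES)]


if __name__ == "__main__":
    for msg in [{"body": "We are ready to launch SuperThing in January."},
                {"body": AGENDA},
                {"recipient": "user99@AnotherCompany.com",
                 "subject": "Read this Virus Warning immediately"}]:
        hits = scan(msg, RULES)
        print(fired(msg), "->", render_notice(NOTICE, hits) if hits else "delivered")
```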


Controlling the flow of important information


Much of your organization’s most valuable information, such as designs and lists
of customers, is probably in databases or other large files. Even small documents
(those typically marked as “confidential” inside) can contain valuable information.

It is important to control the movement of these files. However, any file can
masquerade as another. For example, anyone with malicious intent can rename a
database file called CUSTOMERS.MDB to NOTES.TXT, then attempt to transfer that file,
believing that it cannot be detected.

You can use a combination of measures to control the flow of valuable information:
• Mail-size filtering to block the sending of large attachments. See Limiting the
  size of e-mail messages on page 144.
• Content rules to detect the use of phrases. See Scanning for content on page 135
  and Managing content rules on page 121.
• File filtering to detect files by name, file name extension, and file format. See
  Filtering file types on page 141.

Reducing network load


The transfer of some file types, such as movie files (MPEGs) and bitmap graphics,
places a heavy load on networks. By creating a list of unacceptable file extensions,
you can discourage their use. Your trigger words might be “.BMP” or “.MPG”, and you
set them to apply to the names of attachments only. See Scanning for content on
page 135 and Managing content rules on page 121.

You can also block the sending of large e-mail messages. See Limiting the size of
e-mail messages on page 144.

Blocking offensive words


Insulting messages from your own staff or customers might damage the
company's reputation. By creating a list of unacceptable words, you can prevent
their use. GroupShield includes some rules to block pornographic words. These
rules are supplied in an XML file.
For example, imagine that it is very offensive to say “You are a dog” to another
person. However, when used in other contexts, such as discussing types of dog like
corgi or alsatian, the word is not offensive. To prevent the word entering or leaving
the company in its offensive context, create a new rule called “Offensive word —
dog.” You set the rule to apply inside the body of the message, and you set an
action to discard such messages. After entering the word “dog,” you can further
refine its context. For example, this rule is to be triggered only if none of these
words — alsatian, corgi, spaniel, and so on — appears in the message.

Product Guide 157


Configuring Anti-Virus and Content

Stopping nuisance e-mail messages


Nuisance e-mail messages can come from disgruntled ex-employees, virus
hoaxers, and unscrupulous retailers, who know some of the e-mail addresses used
within your organization.

For example, John Smith has been annoying employees by sending unwanted
e-mail messages. The content of his messages varies, but he always uses one of two
e-mail addresses. You create a rule called Annoying Person. As the trigger phrase,
enter John Smith’s two e-mail addresses, and apply the rule to the sender of the
e-mail message only.

Reducing distracting advertisements


When frequent inappropriate messages are distracting your staff, GroupShield
can block these messages and deter their senders. For example, advertisements
broadcast via e-mail might have “Car for sale” or “House for sale” as their subject
line. The messages waste your e-mail resources and distract your staff. To block
such an e-mail message, you create a rule called “Distracting Advertisements.”
Specify the trigger phrase as “for sale” and apply the rule to the subject line of a
message only.

Blocking games
Many games are sent by e-mail as computer programs (.EXE files). To block these
games, create a content rule that detects *.EXE and *.COM in the name of any
attachment. This type of rule has an added advantage because games are a popular
hiding place for viruses.

Reducing unsolicited e-mail messages (spam)


If you do not have specific software for detecting ‘spam’, you can use content rules
to block some spam by detecting some common phrases. For example, some
advertisements include phrases like “as seen on TV” or “as seen on national
television.”
To create a rule that detects these phrases:

1 In the Add condition dialog box, enter as seen on in Trigger if ....


2 Click Advanced, and under Select a condition ..., select Trigger if ANY ....

3 Under Additionally look for ..., use Add repeatedly to enter the phrases: TV,
national television, and so on. You can update your list of phrases over
time.
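The rule behaviours this section walks through (a single trigger word, two words within 30 characters of each other, a required second word, an exclusion list, and the Trigger if ANY list) can be modelled in a few dozen lines. This is an added example, not GroupShield's rule engine: the Message and Rule classes and their field names are mine, the sample messages are constructed, and matching is a plain case-insensitive substring test, which is simpler than the product's own matching.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a message. The part names mirror the places a content
# rule can be applied to: sender, subject, body, attachment name and the
# content of plain-text attachments.
@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> text content

def message_parts(msg):
    """Yield (part name, text) pairs that a rule can be applied to."""
    yield "sender", msg.sender
    yield "subject", msg.subject
    yield "body", msg.body
    for name, content in msg.attachments.items():
        yield "attachment_name", name
        if name.lower().endswith(".txt"):  # only plain-text attachments are searched
            yield "attachment_text", content

def _gap(text, a, b):
    """Smallest number of characters between an occurrence of a and one of b
    (case-insensitive). None if either phrase is absent."""
    hits_a = list(re.finditer(re.escape(a), text, re.IGNORECASE))
    hits_b = list(re.finditer(re.escape(b), text, re.IGNORECASE))
    gaps = []
    for x in hits_a:
        for y in hits_b:
            if x.end() <= y.start():
                gaps.append(y.start() - x.end())
            elif y.end() <= x.start():
                gaps.append(x.start() - y.end())
            else:
                gaps.append(0)  # the two occurrences overlap
    return min(gaps) if gaps else None

@dataclass
class Rule:
    """One content rule (hypothetical model; field names are mine)."""
    name: str
    trigger: str                  # the word or phrase entered in "Trigger if ..."
    parts: tuple                  # message parts the rule applies to
    all_of: tuple = ()            # additional phrases that must ALL appear as well
    any_of: tuple = ()            # "Trigger if ANY": at least one must appear as well
    none_of: tuple = ()           # the rule does not trigger if any of these appear
    within: Optional[int] = None  # max characters between trigger and each all_of phrase

    def matches(self, text):
        low = text.lower()
        if self.trigger.lower() not in low:
            return False
        if any(w.lower() in low for w in self.none_of):
            return False
        if self.any_of and not any(w.lower() in low for w in self.any_of):
            return False
        for w in self.all_of:
            gap = _gap(text, self.trigger, w)
            if gap is None or (self.within is not None and gap > self.within):
                return False
        return True

def evaluate(msg, rules):
    """Return the names of the rules that trigger on msg, in rule order."""
    return [rule.name for rule in rules
            if any(part in rule.parts and rule.matches(text)
                   for part, text in message_parts(msg))]

# The example rules from this section, expressed in the model above.
RULES = [
    Rule("Confidential product information", "SuperThing",
         ("subject", "body", "attachment_text")),
    Rule("Launch date", "SuperThing", ("body",), all_of=("January",), within=30),
    Rule("Promotion", "CEO", ("body",), all_of=("Jones",)),
    Rule("Offensive word - dog", "dog", ("body",),
         none_of=("alsatian", "corgi", "spaniel")),
    Rule("Distracting Advertisements", "for sale", ("subject",)),
    Rule("Unsolicited advertisement", "as seen on", ("subject", "body"),
         any_of=("TV", "national television")),
]

if __name__ == "__main__":
    # Constructed messages: the two from the SuperThing example.
    launch = Message("alice@example.com", "Launch",
                     "We are ready to launch SuperThing in January.")
    agenda = Message("alice@example.com", "Agenda",
                     "The agenda for tomorrow's meeting:\n"
                     "1 Progress towards the launch of SuperThing\n"
                     "2 How to reduce our stationery costs\n"
                     "3 Launch of MegaBox in January")
    print(evaluate(launch, RULES))  # ['Confidential product information', 'Launch date']
    print(evaluate(agenda, RULES))  # ['Confidential product information']
```

In the agenda message SuperThing and January are 61 characters apart, so the proximity rule stays quiet while the plain SuperThing rule still fires; that is why the manual treats the two as separate scenarios.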


Phrases often seen in unsolicited advertisements


The following words and phrases often appear in unsolicited advertisements. By
creating content rules to block messages that contain these phrases, you can reduce
some spam. Be aware that your organization might use some of the phrases in
normal business. We recommend that you use a quarantine action (rather than
blocking) initially when applying any content rule.

Figure 9-29. Typical words and phrases seen in advertisements

Subject   Typical phrases and words
Debt      % APR; debt repayment; credit card repayment; re-mortgage;
          pay off all your debts; low interest
Health    improve your health; better health
Money     work from home; millionaire; financial worries; cash;
          your earning power; be your own boss
Sexual    girls, girls; virility; enlargement; Viagra
General   no obligation; amazing deal; money back if you are not satisfied;
          full refund; get 100%; amazing results; best yet


Testing anti-virus settings


You can verify that GroupShield scans properly for viruses with a test. This was
developed by the European Institute of Computer Anti-virus Research (EICAR), a
coalition of anti-virus vendors, as a method for their customers to test any
anti-virus software.

To test virus scanning:

1 Open a standard text editor, then type the following character string as one line,
with no spaces or line breaks:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

NOTE
The line shown above should appear as one line in your text
editor window, so be sure to maximize your text editor
window and delete any line breaks. Also, be sure to type the
letter O, not the number 0, in the “X5O...” that begins the test
message.
If you are reading this manual on your computer, you can
copy the line directly from the Acrobat PDF file and paste it
into your text editor. If you copy the line, be sure to delete any
line breaks or spaces.
2 Save the file with the name EICAR.COM. The file size will be 68 or 70 bytes.

3 Start your anti-virus software and allow it to scan the folder that contains
EICAR.COM.

If the scanner appears not to be working correctly, check that you have read
permissions on the test file.
NOTE
This file is not a virus — it cannot spread or infect other files, or
otherwise harm your computer. Delete the file when you have
finished testing your scanner to avoid alarming other users.


Testing the anti-spam settings


The GTUBE (General Test mail for Unsolicited Bulk E-mail) provides a test by
which you can verify that GroupShield has installed correctly and is detecting
incoming spam. The test e-mail message must be sent from an outside account.

1 On an SMTP client that delivers to your Exchange server, create a new e-mail message.


2 In the body of the message copy the text below. In your message, the first line
displayed below must be entered with no line breaks. The remainder of the text
must be entered exactly as it is written and spelled here.

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Generic

Test for

Unsolicited

Bulk

Email

3 Send the new e-mail message to a mailbox address on the Microsoft® Exchange
server where you have installed GroupShield.

GroupShield scans the message, recognizes it as a junk e-mail message and deals
with it accordingly. The GTUBE test overrides blacklists and whitelists.
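Both tests can be scripted so that the test file and the test message are built exactly as the two procedures above require (one unbroken line, letter O not digit 0, 68 bytes). This is an added example written with Python's standard library, not GroupShield code; the sender, recipient and SMTP host name passed to the functions are placeholders you supply.

```python
import os
import smtplib
from email.message import EmailMessage

# The two public test patterns quoted in the manual; each is exactly 68 characters.
EICAR_TEST_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE_TEST_STRING = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
# The remainder of the GTUBE body, entered exactly as the manual prints it.
GTUBE_TRAILER = "Generic\nTest for\nUnsolicited\nBulk\nEmail\n"

def write_eicar(path):
    """Write EICAR.COM as one line with no trailing newline and return its size in
    bytes (68; an editor that appends CR LF produces 70, which is also accepted)."""
    with open(path, "wb") as fh:
        fh.write(EICAR_TEST_STRING.encode("ascii"))
    return os.path.getsize(path)

def eicar_file_ok(path):
    """Check a hand-typed test file: no spaces or line breaks inside the string,
    letter O not digit 0, and a size of 68 or 70 bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (data.rstrip(b"\r\n") == EICAR_TEST_STRING.encode("ascii")
            and len(data) in (68, 70))

def build_gtube_message(sender, recipient):
    """Build the GTUBE test message: the 68-character line first and unbroken,
    a blank line, then the trailer."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "GTUBE anti-spam test"
    msg.set_content(GTUBE_TEST_STRING + "\n\n" + GTUBE_TRAILER)
    return msg

def gtube_line_intact(msg):
    """True if the first body line is exactly the GTUBE string (no wrapping)."""
    return msg.get_content().splitlines()[0] == GTUBE_TEST_STRING

def send_gtube(msg, smtp_host):
    """Deliver the message from an outside SMTP client to the Exchange server
    (smtp_host is a placeholder for your own server name)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)

if __name__ == "__main__":
    test_msg = build_gtube_message("tester@example.com", "mailbox@example.com")
    print(gtube_line_intact(test_msg))  # True
```

Delete the EICAR file once the scanner has reported it, as the note above says, so it does not keep alarming other users.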


Testing a new content rule


After you have created a content rule, you need to test it thoroughly to prevent the
accidental destruction of important e-mail messages and attachments.

If your content rule is intended to delete an unwanted item or to replace the item
with an alert message, you risk losing valid items if the rule was not correctly
defined. When you create any new rule, we recommend that you set the primary
action to Allow the item through, with a secondary action of Quarantine the item. You
can check the quarantine area to verify that the rule is working correctly. Then
later, you can change the action to delete or replace these types of items.


10 Configuring GroupShield
In addition to the information on:

• Configuring Anti-Virus and Content on page 105

the following areas can also be configured within the GroupShield software:

• Notifications on page 164
• On-Access settings on page 167
• Anti-spam settings on page 171
• Detected Items Database on page 173
• Product Log Database on page 176
• Personal Preferences on page 179
• Diagnostics on page 181
• Policy Groups on page 186
• Import and Export Configuration on page 188


Notifications
You can configure the notifications that GroupShield 6.0 sends when it detects a
virus or banned content within an e-mail message.

Configuring Notifications
To configure the notifications that GroupShield 6.0 sends, select Notifications from
the Configure tasks list on the left of the interface.
1 Enter the Administrator Email address. This can be a person or a distribution list
set up within your Microsoft® Exchange server.
2 Enter the Sender Email address. This can be a person or a distribution list set
up within your Microsoft® Exchange server.
3 Enter the Subject line for notification.

4 Click Edit to change the content of the notification text. See Using tokens in alert
notifications for further details.

5 If you want to be notified with task results, select Enable Task results
notification.

6 Click Apply.

Using tokens in alert notifications


You can use the following tokens to define the information contained within the
alert notifications:

Table 10-1. Alert Notification tokens

Displayed text        Token   Description
Date/Time sent:       %dts%   The date and time the item was sent.
Subject line:         %sbj%   The information contained in the subject field of the
                              scanned e-mail message.
From:                 %sdr%   The sender of the scanned e-mail message, as identified
                              from the message header information.
To:                   %rpt%   The recipients of the scanned e-mail message, as
                              identified from the message header information.
Action taken:         %res%   The action taken by GroupShield.
Reason:               %rsn%   The reason the entry was made in the database. This is
                              the natural language string representation; the numeric
                              equivalent is available via (rsn) but is not supported.
Virus found           %vrs%   The name of the virus found within the scanned e-mail
                              message, if applicable.
Quarantined item      %qtn%   The quarantined item data. When displayed within the
                              GroupShield 6.0 interface, this is formatted as a link,
                              enabling you to download the quarantined information
                              from the Detected Items database.
Result                %act%   The result of the action taken on the item; one of:
                              Clean, Cleaned, Replaced, Removed, Logged, Denied Access.
Rule                  %rul%   The content scanning rule that was used to detect the
                              message.
Scanned by            %tn%    The scanner used to scan the item.
Size                  %sz%    The size of the scanned item.
Date/time submitted   %tme%   The date and time the item was submitted to
                              GroupShield 6.0 for scanning.
Filename              %fln%   The file name of the scanned item.
Folder                %fln%   The name of the folder that contained the item, if
                              applicable.
CC                    %cc%    The list of carbon copy recipients of the scanned e-mail
                              message, as identified from the message header
                              information.
Ticket Number         %tik%   The unique number, generated by GroupShield 6.0, to
                              identify the item placed into quarantine within the
                              Detected Items database.
Detected File Name    %efn%   The name(s) of the files which caused the detection(s)
                              to occur. If there is more than one detection, the file
                              names are ordered to match the Reason: above.
Policy Group          %idy%   The name of the policy group that was used to apply
                              settings.
Spam Score            %ssc%   The spam score returned by the Anti-Spam engine, if
                              installed. This can be a positive or negative number
                              (negative because of whitelist scoring).
Spam Routing          %srt%   The action taken as a result of the spam scanning; one
                              of: Allowed through, System junk folder, User junk
                              folder, Rejected, Deleted.


On-Access settings
McAfee GroupShield integrates with Microsoft® Exchange by using Microsoft
Virus-Scanning APIs (VSAPI). The version of VSAPI used depends on the version
of Microsoft® Exchange that GroupShield is protecting:

• Microsoft® Exchange 2000 uses Microsoft Virus-Scanning API 2.0 (VSAPI 2).
• Microsoft® Exchange 2003 uses Microsoft Virus-Scanning API 2.5 (VSAPI 2.5).

In addition, when protecting Microsoft® Exchange 2000, you can specify that
GroupShield carries out Transport Scanning of all e-mail traffic.

To link to the On-Access scanning settings for your version of Microsoft®
Exchange, click the On-Access scanning: Enabled/Disabled status message and link
on the GroupShield Home page.

Figure 10-1. On-Access scanning status and link

Setting on-access scanning time-outs


When you install GroupShield, it integrates with your Microsoft® Exchange
system, using the appropriate virus-scanning application programming interface
(VSAPI). VSAPI controls the manner in which messages are sent to and read from
the Microsoft® Exchange store.
If your GroupShield software is unable to finish scanning a message, because the
message contains an unknown virus or because the message is badly formed, the
on-access time-out sets a limit on the time that Microsoft® Exchange will wait for
a response from GroupShield 6.0 before continuing with other tasks.
On-Access Settings, available from the Configure option within the navigation
pane, allows you to select the options provided by the Microsoft Virus Scanning
API (VSAPI).


Figure 10-2. Configure on-access settings page


About Microsoft Virus Scanning API (VSAPI) options


The areas of Microsoft Virus Scanning API available from within the GroupShield
software are:

• Proactive scanning implements intelligent load-balancing, queuing incoming
  items for scanning when resources are available. Proactive scanning is on by
  default.
• Background scanning looks at each message item in turn for a version stamp,
  comparing it with the current version stamp. The version stamp identifies the
  version of the DAT files used to scan the message. If the item has no stamp, or
  the stamp is different, the item is scanned. Once all unscanned items have been
  scanned, background scanning waits until a new virus scan .DLL is loaded or
  until the database is remounted.
  NOTE
  Once in progress, background scanning cannot be switched off, except by
  unmounting the information store or by restarting the GroupShield on-access
  scanner. Background scanning is off by default.
  Background scanning operates at low priority, and only presents unscanned or
  out-of-date items for scanning. This has various benefits:
  - Items are scanned during times when the CPU would otherwise be idle.
  - Once scanned, items need not be scanned when they are accessed, so
    performance is improved.
• Scan timeout defines how long an attempt to access the item being scanned
  continues before timing out. If scanning does not complete before the scan
  timeout period expires, the opening or accessing of the item fails with an
  Access Denied error. The scanning of the item continues to completion, and
  later attempts to access the item will succeed. The default period is 180
  seconds.
• Number of scan threads affects the overall performance of on-access scanning.
  Changing the number of scan threads can improve the performance of
  GroupShield, but may reduce the overall performance of the server. The default
  is (2 * <no-of-processors> + 1).


For more details about types of scanning, see Virus Scanning on page 35.


Defining on-access settings


The following subsections describe how to configure the available on-access
settings.

General on-access settings


1 Select Enabled.
NOTE
We recommend that in normal use, you keep the GroupShield
6.0 on-access scanner enabled.
2 Select the required action for On Scan Failure.
NOTE
Be aware that setting the On Scan Failure to Allow Through
could result in viruses bypassing GroupShield 6.0.
When GroupShield 6.0 is installed on Microsoft® Exchange 2000, an additional
area within the On-Access Settings page is displayed:
3 On Microsoft® Exchange 2000 servers, you can also select the required Scan
email using... option.

Figure 10-3. Scan email using...

The options for this are:

- VSAPI
- Transport Scanning

Scan email using enables you to select either VSAPI or Transport Scanning as the
on-access scanning method.


Transport scanning is best used when you have configured your Microsoft®
Exchange 2000 server as a gateway server, as it allows scanning of routed mail
(mail that is not destined for the local Microsoft® Exchange server). Transport
scanning also allows you to stop the delivery of unwanted messages.

Setting Microsoft Virus Scanning API (VSAPI) options


4 Select Proactive Scanning.

Proactive Scanning enables queuing of messages to be scanned.

5 Select Background Scanning.


Background Scanning removes the load from the on-access scanning queue.
The messages then do not require rescanning unless the DAT files used are
updated or the anti-virus services are restarted.

6 Enter the Scan Timeout duration, in seconds, before GroupShield issues a
timeout warning.

7 To change the Number of Scan Threads, deselect Default and enter the required
number of threads.

By default, 2 scan threads are available.

Anti-spam settings
When used with the anti-spam add-on package, Anti-Spam Settings, available from
the Configure options in the navigation pane, allows you to:

• Specify the e-mail address that you want to use as the System Junk Folder on
  the Exchange server.
• Have the anti-spam add-on package route potential spam messages to the user
  junk folders on that Exchange server.
NOTE
If you are using Microsoft® Exchange Server 2003 and
Microsoft Outlook Web Access as your e-mail client then the
anti-spam add-on package will automatically route potential
spam messages to the user junk folder. User junk folders are
physically created the first time that a user receives a potential
spam message.

For more information about setting up anti-spam, see Scanning for spam on
page 136.


Figure 10-4. Configure Anti-Spam Settings

Specifying junk folders


1 In the System Junk Folder Address box, type the e-mail address to which you
want the anti-spam add-on package to forward spam messages.
Use the standard e-mail address format, for example user@example.com.
2 If desired, select the Enable routing to the user junk folders on this server
checkbox.


Detected Items Database


Detected Items Database, available from the Configure option within the navigation
pane, allows you to:
• Limit the Detected Items Database to a maximum size.
• Limit the maximum age of entries within the Detected Items Database.
• Limit the maximum size of a message that can be placed in quarantine.
• Specify the location of the Detected Items Database.
• Specify the file name for the Detected Items Database.

Figure 10-5. Detected Items Database — Database Settings


NOTE
By default, all the Detected Items Database options are
displayed unselected.

The default settings are:

- Maximum database size: 2000GB
- Maximum age of entry: No limit
- Largest item to quarantine: No limit, up to the available storage within the
  Detected Items Database (Max. 2000GB)
- Database location: <drive>://program files/network associates/mcafee groupshield/bin
- Database file name: DetectedItems.bin

Configuring the Detected Items database


When using McAfee GroupShield software to protect your Microsoft® Exchange
server, especially when protecting large numbers of messages, the Detected Items
Database can become large.

To prevent the database from becoming overly large, you can limit either the
maximum size of the database, or you can limit the time that a record is held within
the database before it may be overwritten.
NOTE
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
uses these files to maintain information, such as the Detected
Items list. Removing these files will result in GroupShield
being unable to display the Detected Items information.

Limiting the size of the Detected Items database


1 Select Limit database size.
2 Enter the Maximum database size, selecting either Megabytes (MB) or
Kilobytes (KB).
If the Detected Items database reaches the maximum size that you have
specified, the oldest records in the database will be overwritten, to prevent the
database from exceeding the specified size.

Specifying a maximum age for files


1 Select Limit age of entries.

2 Enter the Maximum age of entry (days).


This is the number of days that a Detected Items entry may be displayed within
the Results area of the Detected Items page. The entry may be held in the
Detected Items database after this date, but is liable to be overwritten if the
database is approaching its maximum size.
NOTE
If you have set a Maximum database size and the Detected
Items Database is approaching that size, then detected items
database entries younger than the Maximum age of entry (days)
may be overwritten, to prevent the database expanding
beyond the Maximum database size.

Limiting the size of quarantined items


1 Select Limit size of quarantined items.
2 Enter the Largest item to quarantine, selecting either Megabytes (MB) or
Kilobytes (KB).
Setting this value prevents large items, which could use excessive amounts of
hard disk space, from being quarantined.
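The interaction between the three limits above (database size, age of entries, and largest quarantined item) is easier to see in a small model, added here as an example rather than GroupShield's own storage code. Class and field names are mine; sizes are plain byte counts and dates are day numbers so that the model needs no clock.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Entry:
    ticket: int   # plays the role of the %tik% ticket number
    size: int     # size of the quarantined item, in bytes
    day: int      # day number on which the item was quarantined

class DetectedItemsStore:
    """Hypothetical model of the Detected Items Database limits."""

    def __init__(self, max_db_size: Optional[int] = None,
                 max_age_days: Optional[int] = None,
                 largest_item: Optional[int] = None):
        self.max_db_size = max_db_size     # "Limit database size"
        self.max_age_days = max_age_days   # "Limit age of entries"
        self.largest_item = largest_item   # "Limit size of quarantined items"
        self.entries: List[Entry] = []     # oldest first
        self.next_ticket = 1

    def used(self) -> int:
        """Bytes currently held in the database."""
        return sum(e.size for e in self.entries)

    def quarantine(self, size: int, day: int) -> Optional[int]:
        """Store an item and return its ticket number, or None if the item is
        larger than the quarantine limit (or could never fit in the database)."""
        if self.largest_item is not None and size > self.largest_item:
            return None
        if self.max_db_size is not None and size > self.max_db_size:
            return None
        # When the database would exceed its maximum size, the oldest records are
        # overwritten first, regardless of whether they are younger than the
        # maximum age of entry (the manual's note on the two limits interacting).
        while self.max_db_size is not None and self.used() + size > self.max_db_size:
            self.entries.pop(0)
        entry = Entry(self.next_ticket, size, day)
        self.next_ticket += 1
        self.entries.append(entry)
        return entry.ticket

    def displayed(self, today: int) -> List[int]:
        """Tickets shown in the Results area: entries no older than max_age_days.
        Older entries stay in the database until they are overwritten."""
        return [e.ticket for e in self.entries
                if self.max_age_days is None or today - e.day <= self.max_age_days]

if __name__ == "__main__":
    # Constructed values: a 1000-byte database, 7-day display window, 600-byte item cap.
    store = DetectedItemsStore(max_db_size=1000, max_age_days=7, largest_item=600)
    for size, day in ((400, 1), (400, 2), (700, 3), (400, 3)):
        print(size, day, store.quarantine(size, day))  # 700-byte item -> None
    print(store.displayed(today=10))  # [3]: ticket 2 is 8 days old, ticket 1 was overwritten
```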

Specifying the location of the Detected Items Database


1 Select Specify location of database.

2 Select the required location from Database location.


If you select (Full Path), then enter an absolute UNC path, as follows:
\\<server name>\<shared folder or drive>\
If you select <Desktop>\, <Install Folder>\,< System Drive>, <Program Files>\ or
<Windows Folder>, you can specify a sub-folder in which to store the log files.

3 Click Apply, when all options on the Detected Items Database pane have been
selected to your satisfaction.

Specifying the file name for the Detected Items Database


1 Select Specify filename for database.

2 Enter the required file name in Database filename.

3 Click Apply when all options on the Detected Items Database pane have been
selected to your satisfaction.


Product Log Database


Product Log Database, available from the Configure option within the navigation
pane, allows you to:
• Define the information to be written to the Product Log and the Event Log.
• Define the settings for the Product Log.

Figure 10-6. Product Log Settings


NOTE
The default Product Log Database settings are:

- Maximum database size: 2000GB
- Maximum age of entry: No limit
- Product Log location: <drive>://program files/network associates/mcafee groupshield/bin
- Product Log file name: productlog.bin
- Query Timeout (seconds): No timeout

Configuring the Product Log Database


When using McAfee GroupShield 6.0 software to protect your Microsoft®
Exchange server, the Product Log Database can become large.

To prevent the log from becoming overly large, you can limit either the maximum
size of the log, or you can limit the time that a record is held within the log before
it may be overwritten.
NOTE
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
uses these files to maintain information, such as the Product
Log Database. Removing these files will result in GroupShield
being unable to display the Product Log Database.

Limiting the size of the Product Log


1 Select Limit log size.

2 Enter the Maximum log size, selecting either Megabytes (MB) or Kilobytes (KB).

If the Detected Items database reaches the maximum size that you have
specified, the oldest records in the log will be overwritten, to prevent the log
from exceeding the specified size.

Specifying a maximum age for entries


1 Select Limit age of entries.

2 Enter the Maximum age of entry (days).


This is the number of days that a Product Log entry may be displayed within
the Results area of the Product Log page. The entry may be held in the Product
Log after this date, but is liable to be overwritten if the log is approaching its
maximum size.


NOTE
If you have set a Maximum log size and the Product Log is
approaching that size, then logged items younger than the
Maximum age of entry (days) may be overwritten, to prevent
the log expanding beyond the Maximum log size.

Specifying the location of the Product Log


1 Select Specify location of log.
2 Select the required location from log location.

If you select (Full Path), then enter an absolute UNC path, as follows:
\\<server name>\<shared folder or drive>\
If you select <Desktop>\, <Install Folder>\,< System Drive>, <Program Files>\ or
<Windows Folder>, you can specify a sub-folder in which to store the debug log
files.

3 Click Apply, when all options on the Product Log pane have been selected to
your satisfaction.

Specifying the file name for the Product Log


By default, this is set as productlog.bin. To specify a different log file:

1 Select Specify filename for log.

2 Enter the required file name in Log filename.

3 Click Apply when all options on the Product Log pane have been selected to
your satisfaction.

Specifying the query timeout


1 Select Specify a query timeout.

2 Enter the required timeout value, in Query Timeout (seconds).


Personal Preferences
The Personal Preferences page enables you to change options relating to the way
you view the Home page and the Detected Items page.

Figure 10-7. Personal Preferences page


Configuring your personal preferences


Depending on factors such as the number of e-mail messages being scanned by
GroupShield 6.0, you may want to change the amount of information displayed
within GroupShield.
NOTE
Do not delete temporary internet files, offline content or
cookies whilst using the GroupShield interface. GroupShield
6.0 uses these files to maintain information, such as personal
preferences. Removing these files will result in GroupShield
6.0 no longer using your personal preference settings.

Home page
1 Deselect Automatic refresh to disable automatic refreshing of the information
displayed on the Home page.
When Automatic refresh is disabled, the Refresh rate field is also disabled.

2 To change the automatic Refresh rate:

a Ensure that Automatic refresh is selected.

b Enter the required Refresh rate, in seconds.

3 Enter the number of items to be displayed on the Home page in the Recently
scanned items area.

Detected items page


1 Enter the number of Records per page to be displayed in Detected Items.

2 Select the Columns that correspond to the information that you want displayed
on the Detected Items page.
3 Click Apply when all options on the Personal Preferences page have been
selected to your satisfaction.


Diagnostics
McAfee GroupShield includes Diagnostics within the interface. These are useful
tools in the event that the GroupShield software fails to operate in an expected
manner.

Figure 10-8. Diagnostics page

This page includes the following sections:

• Debug Logging
• Denial Of Service Protection
• Network Associates Error Reporting Service


Debug Logging
By default, debug logging is set to None. In this state, no debug log files are
generated, and there is no performance impact on the normal operations carried
out by GroupShield.
NOTE
We recommend that you enable debug logging only on the
advice of McAfee Security technical support, as using debug
logging can have performance implications for your Exchange
server.

Configuring Debug Logging


To assist with fault-finding, GroupShield includes Debug Logging, which you can
configure from within the interface.
By default, Debug Logging is set to None.

Levels of debug logging


The different levels of Debug Logging enable differing types of information to be
collected by GroupShield, and stored within the debug log files.

1 Select the required level for debug logging:

- None. No debug logging is carried out. This is the default level, and is used
  when the GroupShield software is operating as expected.
- Low. When debug logging is set to Low, GroupShield writes information
  relating to any error conditions that are issued by GroupShield processes.
  This usually provides sufficient information for McAfee Security technical
  support to diagnose any problems with your installation of GroupShield.
- Medium. When debug logging is set to Medium, the GroupShield software
  writes information relating to any error conditions and any informational
  messages that are issued by GroupShield processes. This is useful for
  McAfee Security technical support if there is no obvious reason for the
  error conditions occurring.
- High. When debug logging is set to High, GroupShield writes information
  relating to all error conditions, all informational messages and comments
  from each line of code executed within GroupShield to the debug log files.
  This level of debug logging can generate large quantities of information,
  creating large log files. It may be necessary to set the maximum log file
  limit, using Limit size of debug log files and Maximum size of each log file
  (KB).

Limiting the size of debug log files


To prevent the debug log files from becoming overly large, you can limit their
maximum size.


1 Select Limit size of debug log files.


2 Enter the Maximum size of each log file, selecting either Megabytes (MB) or
Kilobytes (KB).
If a debug log file reaches the maximum size that you have specified, the
oldest records in that file are overwritten, to prevent the log file from
exceeding the specified size.

Specifying the location of debug log files


By default, the debug log files are created and stored in the /BIN folder within
the default GroupShield installation folder. If you want the debug log files in
another location:

1 Select Specify location for debug files.

2 Select the required location from Debug file location.


If you select (Full Path), enter an absolute UNC path, as follows:
\\<server name>\<shared folder or drive>\
If you select <Desktop>\, <Install Folder>\,< System Drive>, <Program Files>\ or
<Windows Folder>, you can specify a subfolder in which to store the debug log
files.

3 Click Apply when all options on the Debug Logging page have been selected to
your satisfaction.

Denial Of Service Protection

To ensure the robustness of your Exchange server and of GroupShield,
GroupShield employs Denial of Service Protection.
If a virus causes the scanning process to fail, the denial of service features protect
Exchange from the effects of a failed scanning process on a message.

Configuring Denial Of Service Protection

Denial of Service Protection uses a scan timeout to specify the maximum time that
each scanning process can take to scan a message. If this scan timeout is exceeded,
the individual scan process is stopped.

By default, a scan timeout of 1800 seconds is set.

Network Associates Error Reporting Service


GroupShield includes an error reporting utility that is specifically designed to
track and log issues with the Network Associates software on your system. The
information obtained can be used to help analyze and correct any problems.


The Network Associates Error Reporting Service monitors the Network Associates
applications on your system and prompts the user when it detects a problem. It
collects data only from the computer on which it is installed, and its operation is
controlled from this computer. You can submit the data it collects to Network
Associates technical support to assist in the opening of a support case.

If the computer that experiences the failure is connected to a network that has Alert
Manager installed, Alert Manager can be configured to inform the network
administrator that a problem has been detected. The network administrator may
need to guide the user on what action to take.
By default, the Network Associates Error Reporting Service within GroupShield is
enabled. To disable Network Associates Error Reporting Service, deselect Enable.

Using Network Associates Error Reporting Service

Under normal circumstances this utility provides silent background monitoring of
Network Associates applications on each computer on which it is installed.
If a failure occurs, there are several ways in which the error detection software can
be used, depending on your organization's requirements and how you have set up
your network.

The user is alerted and can choose to forward the data to the Network Associates
technical support web site, where it can be used to open a support case if
appropriate. Alternatively, the user can choose to ignore the log files, in which case
they are not submitted to the Network Associates web site.
The data that is collected is compressed for submission.

Errors that occur when the Network Associates Error Reporting Service is not
running, for example, when you have logged out, are processed the next time you
restart the service. The sort of errors that occur under these circumstances might
include those occurring in programs running as a service.


Configuring Network Associates Error Reporting Service

The Network Associates Error Reporting Service section within Configure
Diagnostics contains the following options:

• Enable — deselect the checkbox to disable Network Associates Error Reporting
Service.
• Catch Exceptions — any programming events that could lead to unpredictable
behavior within GroupShield can be trapped by the error reporting service.
• Report Exceptions to Alert Manager — on trapping a suspect programming
event, the error reporting service notifies Alert Manager of the issue.
• Report Exceptions to User — on trapping a suspect programming event, the
error reporting service notifies the user.

To use Network Associates Error Reporting Service

1 When a failure of the Network Associates software on a user’s computer is
detected, a dialog box appears. Choose the required option:
  • Submit Data — this creates a connection to the Network Associates
  technical support web site and submits the data. If you select this option,
  continue with Step 2 of this procedure.
  • Ignore Error — no connection is created to the Network Associates
  technical support web site. No further action is required.
2 The Network Associates Technical Support web site opens, and may prompt
you for additional information; follow any instructions that you are given.
The data you provide may be used to assist in the opening of a support case if
appropriate.
3 If the problem has a known cause, you may be given the option to open a web
page that provides information about the problem and how you can deal with
it.


Policy Groups
Before you create anti-virus and content management policies in Anti-Virus and
Content, you must first create policy groups to which the policies will apply. Policy
groups are based on members of Active Directory Groups or SMTP e-mail addresses.

Figure 10-9. Policy Groups

Adding Policy Groups

1 To define the members of the group, choose Policy Groups from the navigation
pane and click Add.
2 Highlight the criteria that you want to define your policy group and click the
> arrow to indicate that you want to move it to the box on the right.
3 Depending on whether you chose to specify an Active Directory Group or an
SMTP e-mail address, the specification method differs:
  • If you chose to add an Active Directory Group, select it from the box that
  appears. Click OK to close the box.
  You can use the Import option to bring in multiple security groups.
  • If you chose to add an SMTP e-mail address, type the address in the box
  that appears. Click OK to close the box.
  Use the standard SMTP e-mail address format, for example user1@example.com.
You can include as many items in the right-hand box as you want.
4 Use the Policy Group options to specify whether you want the rules to apply to
any, all, or none of the criteria that are in the box on the right.


5 Click Next or Enter a name and, if desired, type a unique name for the policy
group.

We recommend that you name the policy group yourself rather than using the
name that GroupShield 6.0 gives it so that you can recognize it easily when you
come to set up your anti-virus and content scanning policies.
6 Click Finish.

The policy group will be available for you to choose when you create policies
in Anti-Virus and Content.

Importing Policy Groups from Active Directory


You can import the policy groups from Active Directory.

1 Click Import.

2 Under Import the following types of Active Directory Group:, select the required
types from Universal, Global and Local.

3 Select the required Require the following to be members: options.

4 Click Next.
Check that the required Policy Groups are highlighted.

5 Click Finish.


Import and Export Configuration


To make the setting up of multiple GroupShield servers as simple as possible, the
GroupShield software provides the ability to export and import configuration
files.

Figure 10-10. Import and Export Configurations

Once you have set up one GroupShield server to your satisfaction, you can export
the configuration file, and then import and apply this file to other GroupShield
installations.

You can also import a site list that GroupShield will use to download virus
definition (DAT) files and Virus-Scanning engine updates.

Importing and exporting configurations


Exporting and Importing configuration files and importing site lists enable you to
change the configuration on a number of servers easily.

Exporting the configuration file

Before exporting the configuration, ensure that you have configured the
GroupShield software as you require.
1 Click Save.
Depending upon your current security settings within Microsoft Internet
Explorer, you may see the File Download dialog box displayed. If this happens,
click Save to continue.


2 The Save As dialog box is displayed. Browse to the location for the
configuration file to be saved.
By default, the file name for the configuration file is:
McAfeeConfigXML.cfg
3 Click Save.

The configuration file is downloaded to the selected location.

Importing a configuration file


To import and apply a configuration that has previously been exported from a
GroupShield server:
1 Browse to the required configuration file.

2 Click Load.
When the file has been successfully imported, a Microsoft Internet Explorer
File successfully uploaded dialog box is displayed.

3 Click OK.

Importing a site list


Once the site list file, SiteList.xml, has been updated by McAfee AutoUpdate
Architect to define the required update sites:

1 Browse to the required Site List configuration file.

2 Click Load.
When the file has been successfully imported, a Microsoft Internet Explorer
File successfully uploaded dialog box is displayed.

3 Click OK.



SECTION 2

Appendices

Troubleshooting
Default Settings
Alert Messaging with Alert Manager 4.7
Index
Appendix A. Troubleshooting
This section provides answers to common situations that you might encounter
when installing or using GroupShield software. It includes information on what to
do if GroupShield 6.0 experiences problems.

It also lists the error codes that are used within the GroupShield 6.0 software.

Reporting problems with GroupShield 6.0


GroupShield 6.0 includes two features that will help you if things go wrong with
your GroupShield 6.0 software: the McAfee Minimum Escalation Requirements
Tool (MERTool) and the Network Associates Error Reporting Service.
Both utilities are automatically installed as part of the GroupShield installation and
are present on each computer on which GroupShield runs.

MERTool and the Network Associates Error Reporting Service

MERTool and the Error Reporting Service collect different kinds of information
under different circumstances. The Error Reporting Service provides constant
background monitoring of Network Associates applications and prompts the user
when it detects a problem. MERTool, however, only collects information following
user input, and must be launched manually.

Data collected by MERTool and the Error Reporting Service can be submitted to
Network Associates Technical Support to assist in the opening of a support case.
MERTool and the Error Reporting Service collect data only from the computer on
which they are installed, and their operation is controlled from this computer. If
the Error Reporting Service detects a problem it informs the user.

If this computer is connected to a network that has Alert Manager installed, then
Alert Manager notifies the network administrator that the Error Reporting Service
has detected a problem. The network administrator may then need to tell the user
what action to take and what to do with the data files created, in accordance with
departmental or company policy.

MERTool is a utility that is integrated into GroupShield, and which is specifically
designed to track and log failures in the Network Associates software on your
system. The information obtained can be used to help analyze problems.


Under normal circumstances, both MERTool and the Error Reporting Service are
invisible to the user. However, when the Error Reporting Service detects a
problem, the user of that computer receives information from the Error Reporting
Service, as described later in this chapter, and must respond appropriately.

There are several ways in which MERTool and the Error Reporting Service can be
used, depending on how your organization operates and how you manage your
network:

• The Error Reporting Service detects a problem and alerts the user.
• The network administrator detects a problem and instructs a user to run
MERTool.
• A user independently contacts Network Associates Technical Support, who
instruct him or her to run MERTool.
After you run MERTool you must decide how the data file is going to be submitted
to your support representative, and whether you want to encrypt it. If you do, use
your standard encryption tools.

Introducing MERTool
MERTool is designed to be used when Network Associates products fail on a
computer. When launched, MERTool collects a variety of information from the
computer on which it is running, including event logs, registry information,
running process lists and Active Directory entries.
MERTool uses this information to create a TGZ file. A TGZ file is a type of
compressed file, so it is smaller and therefore easier to send electronically than an
uncompressed file.
Under some circumstances MERTool may not be able to collect all the information
that it needs. This may occur when:
• A computer is connected to a network and the user does not have full
administrator rights.
• The user of a standalone desktop computer has not been assigned
administrator rights. This only applies to operating systems where these
options are available, such as Microsoft Windows 2000 and Windows XP.

If this happens then do the following:
• On a networked computer, an administrator must log on to that computer as
ADMINISTRATOR and run MERTool again in order to get a complete set of
results.
• On a standalone desktop computer, the user must be assigned administrator
rights; they must then log off and log on again as this administrator, and then
relaunch MERTool.


Using MERTool
There are several ways in which MERTool can be launched:
• When the Error Reporting Service submits data to the Network Associates
Technical Support web site, more details are required and you are instructed
to run MERTool as described in Step 2 and Step 3 of the procedure To run
MERTool.
• You instruct a user to launch MERTool manually if you suspect that your
Network Associates software is not running optimally. To do this follow the
procedure To run MERTool. You should only do this if the user who is
currently logged on has administrator rights.
• A user who has a problem contacts Network Associates Technical Support,
who instruct him or her to run MERTool.

To run MERTool
1 At NAMEDLOCATION, click on the MERTool icon. The MERTool Save As
window is displayed.

2 Enter a name for the file that MERTool is going to create, and select the folder
in which to save it. Click Save.
MERTool displays a progress bar while collecting information.

NOTE
In some circumstances MERTool can only collect the data it needs if the
anti-spam software on the computer on which MERTool is running has
the DEBUG option switched on. Your Network Associates support
representative will tell you how to switch on DEBUG if it is necessary.
MERTool cannot automatically switch on the DEBUG option in your
McAfee anti-spam software.
3 When MERTool has finished collecting information, it displays a summary
message. Click OK.
4 You must now submit the results file to your Network Associates support
representative. Unless instructed otherwise, send the file by e-mail or copy it
to a CD and mail it to Network Associates. Information about contacting
Network Associates can be found in the front of this manual.

Introducing the Network Associates Error Reporting Service


GroupShield includes the Network Associates Error Reporting Service that is
specifically designed to track and log failures in the Network Associates software
on your system. The information obtained can be used to analyze problems.

This Error Reporting Service monitors the Network Associates applications on
your system and prompts the user when it detects a problem. It collects data only
from the computer on which it is installed, and its operation is controlled from this
computer. You can submit the data it collects to Network Associates technical
support to assist in the opening of a support case.

If the computer that experiences the failure is connected to a network that has Alert
Manager installed, Alert Manager informs the network administrator that a
problem has been detected. The network administrator may need to guide the user
on what action to take.

Using the Network Associates Error Reporting Service

Under normal circumstances this utility provides silent background monitoring of
Network Associates applications on each computer on which it is installed.
If a failure occurs, there are several ways in which the error detection software can
be used, depending on your organization's requirements and how you have set up
your network.
The user is alerted and can choose to forward the data to the Network Associates
technical support web site, where it can be used to open a support case if
appropriate. Alternatively, the user can choose to ignore the log files, in which case
they are not submitted to the Network Associates web site.
The data that is collected is compressed for submission.

Errors that occur when the error reporting software is not running, for example,
when you have logged out, are processed the next time you log in. The sort of
errors that occur under these circumstances might include those occurring in
programs running as a service.

To use the Error Reporting Service

1 When the Error Reporting Service detects a failure of the Network Associates
software on a user’s computer, it displays a dialog box.
2 In the Network Associates Error Reporting Service dialog box, select one of the
following options:
  • Submit Data tells the Error Reporting Service to connect to the Network
  Associates Technical Support web site and submit its data. If you select
  this option, continue with Step 3 of this procedure.
  • Ignore Error tells the Error Reporting Service not to open a connection to
  the Network Associates Technical Support web site. Instead it saves the
  error data to the hard disk so that it is available for future use if
  required. No further activity occurs.

3 The Error Reporting Service opens a URL on the Network Associates
Technical Support web site and prompts you for any additional information
that it needs. This data may be used to assist in the opening of a support case
if appropriate.
4 Follow any instructions that you are now given if it is necessary to launch
MERTool to obtain additional data.


Frequently asked questions

This topic contains troubleshooting information in the form of frequently asked
questions, which are divided into these categories:
• Questions about updating
• Questions about scanning
• Questions about Viruses

Questions about updating

How do I keep GroupShield up-to-date?
GroupShield enables you to schedule updates to ensure your GroupShield
software has the latest DAT and virus-scanning engine files installed.
To learn more about Scheduled Product Updates, see Creating a schedule to update
GroupShield on page 101.

I currently have GroupShield installed on a test network without internet
access. Can I still update it?
If GroupShield is installed on a network that does not have internet access, you can
still update your DAT and virus-scanning engine files.
You can use McAfee AutoUpdate Architect to update all McAfee anti-virus
software within your network, or you can manually update your DAT and
virus-scanning engine files. Refer to the Readme file that is included within the
DAT, the XDAT or the SDAT package for more information.

Questions about scanning

What is the difference between Real-time scanning and On-demand
scanning?
When configured to do so, GroupShield 6.0 scans each message being written to
or read from your Microsoft® Exchange stores. This ensures that each message is
scanned before use, using the currently installed virus definition files.
You can schedule an On-Demand Scan to run at times convenient to you. An
on-demand scan scans all files in the selected folders. You should schedule an
on-demand scan to run after you have updated the virus definition (DAT) files, or
when you suspect that you have a virus within your Microsoft® Exchange
system.


Questions about Viruses


Why did GroupShield not detect the eicar test file?
There are two probable reasons that GroupShield did not detect the eicar virus test
file:
1 The eicar test file is not correctly formed. This could be because a character was
incorrectly copied, or because the word editing software used to create the
eicar test file added header information to the file.
The required eicar test string is:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This should be copied into a basic plain text editor, such as Notepad, and saved
with the file name eicar.com.

2 Virus scanning has been deselected in the Anti-Virus and Content settings. To
check this, select Anti-Virus and Content from within the Configure section of
the navigation pane. Select On Access Scanner, from within the Policies area.
Ensure that Anti-Virus is selected.
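The first cause above (a mis-copied character, or an editor that prepends header bytes) can be confirmed before the file is ever presented to the scanner. The following Python check is an added example and is not part of the GroupShield guide; its rules for trailing whitespace and the 128-byte maximum come from the EICAR specification, not from this guide, and the list of editor headers it recognises is a constructed one.

```python
"""Validate that an eicar.com test file is well formed before using it to test a scanner.

Added example, not GroupShield code. Rules follow the EICAR specification: the 68-byte
test string comes first, only whitespace may follow it, and the file is at most 128 bytes.
"""

# The test string quoted in the FAQ, as raw bytes (the backslash is a literal byte).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace the EICAR specification permits after the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TAIL = b" \t\n\r\x1a"
MAX_LENGTH = 128

# Leading bytes that text editors and word processors commonly prepend (constructed list).
KNOWN_HEADERS = {
    b"\xef\xbb\xbf": "UTF-8 byte-order mark (file saved as UTF-8 text with BOM)",
    b"\xff\xfe": "UTF-16 LE byte-order mark (file saved as 'Unicode' text)",
    b"\xfe\xff": "UTF-16 BE byte-order mark",
    b"{\\rtf": "RTF header (file saved as Rich Text, not plain text)",
    b"\xd0\xcf\x11\xe0": "OLE compound document header (file saved as .doc)",
}


def check_eicar_bytes(data):
    """Return a list of problems found in data; an empty list means a valid eicar.com."""
    problems = []
    for magic, meaning in KNOWN_HEADERS.items():
        if data.startswith(magic):
            problems.append(f"unexpected header: {meaning}")
            break
    if not data.startswith(EICAR):
        # Report the first byte that differs so a mis-copied character is easy to locate.
        limit = min(len(data), len(EICAR))
        offset = next((i for i in range(limit) if data[i] != EICAR[i]), limit)
        problems.append(f"test string does not match the standard at byte offset {offset}")
    else:
        tail = data[len(EICAR):]
        if tail.strip(ALLOWED_TAIL):
            problems.append("non-whitespace bytes follow the test string")
    if len(data) > MAX_LENGTH:
        problems.append(f"file is {len(data)} bytes; the maximum is {MAX_LENGTH}")
    return problems


def check_eicar_file(path):
    """Read a file as raw bytes and validate it; the file is only read, never executed."""
    with open(path, "rb") as handle:
        return check_eicar_bytes(handle.read())


if __name__ == "__main__":
    import sys

    for name in sys.argv[1:]:
        issues = check_eicar_file(name)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```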

GroupShield did not detect the virus that received all the publicity last
week. Why?
For any anti-virus software to identify the latest virus threat, the software must
have signature information available for that virus.
McAfee Security updates the virus definition (DAT) files for all McAfee Security
anti-virus software at least weekly, with additional updates being created to
counter specific new high-profile or particularly destructive virus threats.
Schedule a Product Update to run at least once a week. The DAT files are usually
updated each Wednesday or Thursday (depending on your geographical
location).

Also, regularly check for new virus definition (DAT) file and virus-scanning engine
releases, by visiting:

http://www.mcafeesecurity.com/naicommon/download/dats/find.asp


Error messages and event log entries

This section lists some of the messages that can be displayed as error messages
(values are hexadecimal):

Name                                Value     Description
McEFAIL                             80004005  General, non-specific failure
McEOUTOFMEMORY                      80040200  General, memory specific failure
McEINVALIDTYPE                      80040201  Internal; quoted AtomicValue is of the wrong type
McENOENUMINPROGRESS                 80040202  Internal; Enumeration token invalid
McESECTIONNOTFOUND                  80040203  Not used
McECOMPONENTNOTFOUND                80040204  Internal; SubSystem name invalid
McEFACTORYFUNCTIONNOTFOUND          80040205  Internal; SubSystem does not support standard entry points
McESTREAMNOTOPEN                    80040206  Internal; Stream not open - access not allowed
McESTREAMSEEK                       80040208  Internal; Stream Seek failed
McEINVALIDPARAM                     80040209  General; Passed Parameter was invalid/inappropriate
McESTREAMREAD                       8004020a  Internal; Failure during stream read
McESTREAMWRITE                      8004020b  Internal; Failure during stream write
McESETSTREAMSIZE                    8004020c  Internal; Failure during stream SetSize
McEFILEALREADYEXISTS                8004020d  Internal; File already exists
McEINCONSISTENTPERSISTENCEMETHOD    8004020e  Internal; Unsupported persistence method - file only
McESUBSYSTEMNOTSUPPORTED            8004020f  cf McECOMPONENTNOTFOUND
McEINVALIDSTATE                     80040210  General; Internal inconsistency problem
McEOBJECTNOTFOUND                   80040211  General; Could not find item/object requested
McEFAILEDTOCREATESYSTEMOBJECT       80040212  Internal; Could not create FileChange monitor
McEXMLPARSERROR                     80040213  General; Error during parsing of XML - corrupt, malformed?
McEPOSTFIXEVALERROR                 80040214  Internal; Error in PostFix Evaluate
McEINCOMPATIBLETYPES                80040215  Internal; c.f. McEINVALIDTYPE
McENOTSUPPORTED                     80040216  General; Unsupported/NYI call
McESUBSYSTEMDOESNOTEXIST            80040217  Internal; Specified SubSystem is not valid
McEPROPNOTFOUND                     80040218  Internal; Quoted property does not exist
McERECORDSETNOTOPEN                 80040219  Not used
McECONNECTFAILED                    8004021a  Not used
McESTORENOTSTARTED                  8004021b  MSE MessageStore not started
McESTORELOCATIONNOTFOUND            8004021c  MSE MessageStore not found
McEFAILEDAUTHENTICATION             8004021d  MSE Authentication failed
McESTRINGNOTFOUND                   8004021e  General; requested String not found - strings.dll missing/corrupt/wrong
McEXMLPARSEERROR                    8004021f  c.f. McEXMLPARSERROR
McEXSDPARSEERROR                    80040220  c.f. McEXMLPARSERROR
McEFAILEDTOPENFILE                  80040221  Not used
McEUNRECOGNISEDFILETYPE             80040222  Internal; Invalid Repository file
McECORRUPTFILE                      80040223  General; Problem reading file
McECOUNTERNAMENOTFOUND              80040224  Internal; Performance Counter not found
McERECORDEXCEEDSMAXFILESIZE         80040225  Internal; Repository record too big
McENOMORERECORDS                    80040226  Internal; No more records in query
McEINVALIDQUERY                     80040227  Internal; Query malformed
McENOSUCHQUERYRECORD                80040228  Internal; No such record in Query
McECOMNOTINITIALISED                80040229  Internal; COM not started
McECANNOTCONNECTTOWEBSERVER         8004022a  Internal; esoteric
McEINVALIDQUERYSYNTAX               8004022b  Internal; Query invalid
McESCANNERFAILEDTOLOADFACTORY       8004022c  Internal; failed to load Eservices
McESCANNERFAILEDTOINITLOADER        8004022d  Internal; failed to initialise Eservices
McESCANNERFAILEDTOLOADPOLICY        8004022e  Internal; Failed to load Eservices policy
McESCANNERFAILEDTOSCAN              8004022f  Internal; Eservices failed to scan
McEFILEIOERROR                      80040230  Internal; Generic IO file error
McEFILENOTFOUND                     80040231  Internal; File not found
McETOOMANYOPENFILES                 80040232  Internal; Too many file handles open
McEDISKFULL                         80040233  Internal; Disk is full
McEACCESSDENIED                     80040234  Internal; File access denied
McEPERFCOUNTERSNOTSTARTED           80040235  Internal; Problem with Performance Counter
McENORPCSERVER                      80040236  Internal; Could not create the RPC server
McESERVERFAILED                     80040237  Internal; Could not create OOP Server
McESQLQUERYFAILED                   80040238  Not used
McETIMEOUT                          80040239  Internal; Wait took too long and timed out
McEFAILEDTOLOADPOLICYXML            8004023a  c.f. McEXMLPARSERROR
McETASKNOTFOUND                     8004023b  Internal; Quoted Task does not exist
McENORECORDS                        8004023c  Internal; No records in Repository
McENOPOLICYID                       8004023d  Internal; Eservices policy not found


Events
The following events can be generated when the anti-virus and content
management engines scan e-mail messages for viruses and banned content. The
events are used when generating reports, and can be logged and processed by the
e-mail, SNMP, ePolicy Orchestrator, and XML event handlers.

ID    Level        Description
2042  Information  Scanner initialized.
2043  Information  Scanner uninitialized.
2044  Error        Scanner failed to initialize.
2045  Error        Scanner failed to scan an item.
2046  Information  The service has started.
2047  Information  The service has stopped.
2048  Error        The service failed to start.
2049  Error        Failed to write an entry to the Detected Items database.
2050  Error        Failed to load the XML configuration.
2051  Error        Failed to save a change to the XML configuration.
2052  Information  An Update completed successfully.
2053  Error        An Update failed to complete successfully.
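As an added example (not the guide's or the product's own code), the following Python triage reads a constructed stream of the event IDs listed above and reports what an Exchange administrator would want alerted on: every Error-level event, a stale DAT set (no successful update, ID 2052, within the weekly interval the FAQ recommends), and a burst of scan failures (ID 2045), which is the pattern to expect when scans are repeatedly failing or hitting the Denial of Service scan timeout. The one-line log format and the burst thresholds are assumptions made for this example.

```python
"""Triage GroupShield 6.0 scanner/service events (IDs 2042-2053).

Added example, not GroupShield code. Input lines are "<ISO-8601 timestamp> <event id>",
a constructed format; a real deployment would read the XML or e-mail event handler output.
"""
from datetime import datetime, timedelta

# Event IDs, levels and descriptions as listed in the Product Guide.
EVENTS = {
    2042: ("Information", "Scanner initialized."),
    2043: ("Information", "Scanner uninitialized."),
    2044: ("Error", "Scanner failed to initialize."),
    2045: ("Error", "Scanner failed to scan an item."),
    2046: ("Information", "The service has started."),
    2047: ("Information", "The service has stopped."),
    2048: ("Error", "The service failed to start."),
    2049: ("Error", "Failed to write an entry to the Detected Items database."),
    2050: ("Error", "Failed to load the XML configuration."),
    2051: ("Error", "Failed to save a change to the XML configuration."),
    2052: ("Information", "An Update completed successfully."),
    2053: ("Error", "An Update failed to complete successfully."),
}

# Constructed sample log (not real GroupShield output): one malformed line, two failed
# updates after the last good one, and six scan failures within a few seconds.
SAMPLE_LOG = """\
2003-09-20T03:00:00 2052
2003-09-21T09:12:01 2046
2003-09-21T09:12:02 2042
2003-09-24T03:00:00 2053
2003-09-27T03:00:00 2053
2003-09-28T11:05:10 2045
2003-09-28T11:05:11 2045
2003-09-28T11:05:12 2045
2003-09-28T11:05:13 2045
2003-09-28T11:05:14 2045
2003-09-28T11:05:15 2045
this line is not an event
2003-09-28T11:40:00 2049
"""


def parse_events(text):
    """Return a time-sorted list of (datetime, event_id); malformed or unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit() or int(parts[1]) not in EVENTS:
            continue  # skip rather than abort: one bad line must not hide the rest
        try:
            events.append((datetime.fromisoformat(parts[0]), int(parts[1])))
        except ValueError:
            continue
    events.sort()
    return events


def triage(events, now, max_dat_age=timedelta(days=7),
           burst_count=5, burst_window=timedelta(minutes=1)):
    """Summarise error events, DAT freshness and scan-failure bursts (thresholds are assumptions)."""
    report = {"error_counts": {}, "last_good_update": None,
              "stale_dat": True, "scan_failure_burst": False}
    for when, event_id in events:
        level, _ = EVENTS[event_id]
        if level == "Error":
            report["error_counts"][event_id] = report["error_counts"].get(event_id, 0) + 1
        if event_id == 2052:
            report["last_good_update"] = when  # events are sorted, so the latest one wins
    if report["last_good_update"] is not None:
        report["stale_dat"] = now - report["last_good_update"] > max_dat_age
    # Sliding window over 2045 events: many failures in a short time suggests the scanner
    # is repeatedly failing or timing out (see Denial of Service Protection), not one bad item.
    failures = [when for when, event_id in events if event_id == 2045]
    for start in range(len(failures)):
        end = start
        while end < len(failures) and failures[end] - failures[start] <= burst_window:
            end += 1
        if end - start >= burst_count:
            report["scan_failure_burst"] = True
            break
    return report


def run_sample(now_iso="2003-09-29T00:00:00"):
    """Triage the constructed sample as of a fixed time, so the result is reproducible."""
    return triage(parse_events(SAMPLE_LOG), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    result = run_sample()
    for event_id, count in sorted(result["error_counts"].items()):
        print(f"{event_id} x{count}: {EVENTS[event_id][1]}")
    print("DAT files stale:", result["stale_dat"], "last good update:", result["last_good_update"])
    print("Scan failure burst:", result["scan_failure_burst"])
```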

Appendix B. Default Settings
When first installed, GroupShield uses default settings to provide your Microsoft®
Exchange server with immediate protection against virus attack.

The following sections provide information on these default settings:


n Virus Definition (DAT) files

n GroupShield default settings

Virus Definition (DAT) files


McAfee Security regularly provides updated Virus Definition (DAT) files to detect
and clean the latest virus threats. Usually, we post a new DAT file each week.
However, if a particularly dangerous virus attack occurs, then we post emergency
DAT files to cope with the particular threat to your organization.

The GroupShield installation files include the DAT files that were current at the
time of posting. These DAT files, however, are likely to be out-of-date by the time
that you install GroupShield on your Exchange server.
We recommend that you schedule an immediate update as soon as you have
installed GroupShield, to ensure that you have the most up-to-date virus
protection available.

GroupShield default settings

The default settings found within the different areas within the GroupShield
interface are detailed in the following sub-sections:

• Scheduled Tasks
• Anti-Virus and Content
• Notifications
• On-Access Settings
• Anti-Spam Settings
• Detected Items Database
• Product Log
• Personal Preferences
• Diagnostics
• Policy Groups
• Import and Export Configuration

Scheduled Tasks
GroupShield has no scheduled tasks defined by default.

Anti-Virus and Content

When first installed, GroupShield includes one on-access scanner policy and
several on-demand scanner policies.

The on-access policy contains the settings shown below:

Figure B-1. Default settings for the On Access Scanner Policy


Anti-Virus settings
The default settings for Anti-Virus are shown below:

Figure B-2. Default settings for Anti-Virus

With the Level of protection set to the default selection (Medium), GroupShield uses
the following scanning options:

File types to scan   Scan all files
Scanning Options     Scan archive files (such as WinZip, ARJ, RAR)
                     Scan compressed executables (such as wwpack, pklite)
                     Scan all files for macros
                     Find joke programs
                     Find suspicious programs


Content Scanner settings


The default settings for Content Scanner are shown below:

Figure B-3. Default settings for Content Scanner

Corrupted Files settings


The default settings for Corrupted Files are shown below:

Figure B-4. Default settings for Corrupted Files


Encrypted Files settings


The default settings for Encrypted Files are shown below:

Figure B-5. Default settings for Encrypted Files

File Filtering settings


The default settings for File Filtering are shown below:

Figure B-6. Default settings for File Filtering


Scanner Control settings


The default settings for Scanner Control are shown below:

Figure B-7. Default settings for Scanner Control


Notifications
The default settings for Notifications are shown below:

Figure B-8. Default Notifications settings


On-Access Settings
When McAfee GroupShield is used to protect Microsoft® Exchange, the On-Access
Settings contain the following settings provided by the Microsoft Virus Scanning
API (VSAPI):

Figure B-9. Default Configure On-Access Settings

The default Number of Scan Threads is calculated as follows:

2 × Number of Processors + 1


Anti-Spam Settings
The default settings for Anti-Spam Settings are shown below:

Figure B-10. Default Anti-Spam settings


Detected Items Database


The default settings for the Detected Items Database are shown below:

Figure B-11. Default Detected Items Database settings

The default Database location is <Install Folder>\Bin and the default Database
filename is DetectedItems.bin.


Product Log
The default settings for Product Log are shown below:

Figure B-12. Default Product Log settings


Personal Preferences
The default settings for the Personal Preferences are shown below:

Figure B-13. Default Personal Preferences settings


Diagnostics
The default settings for Diagnostics are shown below:

Figure B-14. Default Diagnostics settings


Policy Groups
The default settings for Policy Groups are shown below:

Figure B-15. Default Policy Groups settings

Import and Export Configuration

The file name used by default for the Export Configuration file is
McAfeeConfigXML.cfg.

The file name used by default for the Import Site List file is SiteList.xml.



Appendix C: Alert Messaging with Alert Manager 4.7
Alerting is incorporated into McAfee Security anti-virus client software, such as
GroupShield for Microsoft® Exchange. You can use McAfee® Alert Manager™ 4.7
to manage how alert messages generated by the GroupShield software are
handled. Most importantly, Alert Manager 4.7 can send out alert notifications
immediately when viruses are detected on computers in your network. These
alerts can be sent using a variety of messaging media, such as e-mail, print, and
SNMP traps.

Starting Alert Manager


You start and configure McAfee Alert Manager 4.7 directly from the Windows
desktop.

When starting Alert Manager 4.7 from the Windows Start menu, you have access
to two main components:

• Alert Manager Configuration. This component allows you to configure the
recipients, such as e-mail addresses, to which alert notifications are sent when
Alert Manager receives alerts from anti-virus software. To start Alert Manager
Configuration, click the Start button on the Windows desktop and select
Programs | Network Associates | Alert Manager Configuration.

See Configure Alert Manager recipients and methods on page 220 for details.

• Alert Manager Messages Config. This component allows you to configure the
alert messages themselves. You can edit message text and set priority levels for
specific alerts. To start Alert Manager Messages Config, click the Start button
on the Windows desktop and select Programs | Network Associates | Alert
Manager Messages Config.

See Customizing alert messages on page 244 for details.

Configure Alert Manager recipients and methods


When you start Alert Manager Configuration (see Starting Alert Manager on
page 219), the Alert Manager Properties dialog box opens. The Alert Manager
Properties dialog box allows you to configure the recipients of alert messages sent
out by Alert Manager, and also the method by which those recipients receive the
alert messages. Recipients can be e-mail addresses or computers on your network.
The methods by which recipients receive alert notifications can include e-mail
messages or network pop-up messages.

Figure A-1. Alert Manager Properties

To configure the recipients for a particular alert method:


1 Click the appropriate tab for a given alert method, such as Logging.

2 Configure the recipients that will receive alert notifications using that alert
method.

3 Click other tabs to configure recipients for any additional alert methods as
required.

4 When finished, click OK to save the configurations and close the Alert Manager
Properties dialog box.


For details on configuring specific alert methods and the recipients to which Alert
Manager sends alert messages via those methods, refer to the following sections:

• Viewing the Summary page on page 223

• Forwarding alert messages to another computer on page 225

• Sending an alert as a network message on page 228

• Sending alert messages to e-mail addresses on page 230

• Sending alert messages to a printer on page 234

• Sending alert messages via SNMP on page 236

• Launching a program as an alert on page 238

• Logging alert notifications in a computer’s event log on page 239

• Sending a network message to a terminal server on page 241. This method is only
available if terminal services are running on the computer where Alert
Manager is installed.

• Using Centralized Alerting on page 243

Overview of adding alert methods


The various tabs of the Alert Manager Properties dialog box allow you to configure
alerting methods. As you add each new method to your configuration, you have
two options:
• Sending a test message.

• Setting the alert priority level for recipients.

Sending a test message


When using the tabs of the Alert Manager Properties dialog box to add new alert
notification recipients, such as a network computer or an e-mail address, you can
test whether the destination is able to receive the message. To send the selected
destination a test message when configuring that method, click the Test button.
The message should appear at the configured destination if all is configured
correctly.
NOTE
An e-mail alert may take some time to reach its destination,
depending on both your SMTP server and the receiving e-mail
server.


Test messages that do not reach the target


If the target does not receive the message, review the list below and confirm, as
applicable, that:
• Any communication service required to implement the selected alerting
method, such as e-mail or SNMP, is enabled.

• Any device required to transmit or receive the message, such as a modem or
pager, exists and is operational.

• Any program that is to be executed in response to virus detection is located at
the path specified and is installed properly.

• Any destination printer or computer that you have targeted exists on your
network.

• Your network is functioning properly.

• The configuration information you have provided is accurate and complete.
Some property pages include secondary pages. For example, the E-Mail
Properties page links to a Mail Settings page. Be certain to review the
information on these secondary pages as well.

• If you installed Alert Manager using an account and password, make sure that
the specified account has sufficient rights for the action you are trying to
perform.

Setting the alert priority level for recipients


You can specify a priority level for each recipient that you add to your Alert
Manager configuration. Alert Manager only sends alert notifications of that
priority level or higher to the specified recipient, such as an e-mail address.
This is useful for filtering alert notifications. For example, you may want to record
alert messages of all priority levels to a computer’s event log using the Logging tab
of the Alert Manager Properties dialog box (see Logging alert notifications in a
computer’s event log on page 239). However, you may want Alert Manager to send
only serious alert notifications to a network administrator’s pager via e-mail. To do
this, set separate priority thresholds for your logging and e-mail recipients.
To set the alert priority level for a specific recipient:
1 On the Properties dialog box for an alert method, click the Priority Level button.


Figure A-2. Priority Level

2 In the Priority Level dialog box, drag the slider right or left to set the priority
level.

Drag to the right to send the recipient fewer, higher priority messages. Drag
the slider to the left to send the recipient more alert messages, including lower
priority messages.
3 Click OK to save the priority settings.
NOTE
On the Priority Level dialog box, you can specify the priority
level for specific recipients, such as a computer on a network
or an e-mail address. However, you cannot set the priority of
individual alert messages here. For information on setting the
priority levels of individual alert messages, see Customizing
alert messages on page 244.

Viewing the Summary page


The Summary tab of the Alert Manager Properties dialog box lists the recipients to
which Alert Manager will send any alert notifications it receives. Recipients are
grouped by alert method.


Figure A-3. Alert Manager Properties — Summary tab

Click the expand icon next to each listed alert method to display the recipient
computers, printers, or e-mail addresses. To remove an alert notification
recipient, select it, then click Remove. To change the configuration options for a
listed recipient, select it, then click Properties to open the Properties dialog box
for that alert method.

When you install Alert Manager, it is by default configured to send a pop-up
network message to the computer on which it is installed and to log alert
notifications in that computer’s event log. If you have not yet configured Alert
Manager to send alert notifications to any recipients, the Summary tab displays
only these two methods. Alert Manager sets priority levels for these two default
methods to send alert notifications of all priorities except for the lowest,
Informational. See Setting the alert priority level for recipients on page 222 for details
on priority.


Forwarding alert messages to another computer
Alert Manager can forward the alert messages received from McAfee Security
anti-virus client or server products to another computer on your network that has
Alert Manager installed. Typically, you would do this when you wish to forward
messages to another Alert Manager server for further distribution.
NOTE
Alert Manager 4.7 can only forward alert notifications to, and
receive alerts forwarded from, servers running the same
version of Alert Manager. Forwarding alert notifications
between servers running older versions of Alert Manager is
not supported.

Forwarding alerts in a large organization


In a large organization you can use the forwarding feature to send alert
notifications to a central notification system or to an MIS (Management
Information System) department for tracking virus statistics and problem areas.
Also, large organizations tend to be spread out geographically, often with offices
in several different countries. In this case, you may wish to use a single Alert
Manager installed on a local server to handle alerting for that local subnet. You can
then configure that local Alert Manager server to forward high priority alert
notifications to another server in another part of your network for further
distribution.


Figure A-4. Forward alerts to another Alert Manager

To do this, configure the local Alert Manager to forward relevant alerts to the
computer where the second Alert Manager is installed. You then need to configure
the second Alert Manager to distribute alert notifications as desired. See
Configuring alert forwarding options on page 227 for details on doing this.

Forwarding alerts in a small organization


In a small organization, forwarding can also be useful. Suppose, for example, you
want to send all high priority alert notifications to a particular pager via e-mail, but
only one server on your network has direct Internet access.

To satisfy this requirement:


1 Configure Alert Manager on each Alert Manager server to forward high
priority alert messages to the modem-equipped computer.


2 Configure Alert Manager on the modem-equipped computer to send high
priority messages to the target pager’s e-mail address.

Configuring alert forwarding options


To configure forwarding options:

1 From the Alert Manager Properties dialog box, click the Forward tab.

The Forward page appears with a list of all of the computers you have chosen
to receive forwarded messages. If you have not yet chosen a destination
computer, this list is blank.

Figure A-5. Alert Manager Properties — Forward tab

2 To update this list, you can do any of the following:

- To add a computer, click Add to open the Forward Properties dialog box,
then enter the name of the computer that receives forwarded messages in
the text box. You can enter the computer name in Universal Naming
Convention (UNC) notation, or click Browse to locate the computer on the
network.

- To remove a listed computer, select one of the destination computers
listed, then click Remove.


- To change configuration options, select one of the destination computers
listed, then click Properties. Alert Manager opens the Forward Properties
dialog box. Enter the name of the computer to which you want Alert
Manager to forward messages, or click Browse to locate the computer on
the network.

Figure A-6. Forward Properties

3 Click Priority Level to specify which types of alert messages the destination
computer receives. See Setting the alert priority level for recipients on page 222.
4 Click Test to send the destination computer a test message. See Sending a test
message on page 221.
5 Click OK to return to the Alert Manager Properties dialog box.

Sending an alert as a network message


Alert Manager can send alert messages to other computers. A standard message
appears as a pop-up box on the recipient computer’s screen and requires the
recipient to acknowledge it.

It is not necessary for the recipient computers to have Alert Manager installed.
However, you might need to have the appropriate messaging client software for
your operating system running on the recipient computer. This messaging
software is always pre-installed on newer versions of the Windows operating
system, such as Windows NT, Windows 2000, Windows XP and Windows Server
2003. This service is usually running by default.


To configure Alert Manager to send alert notifications as network messages:
1 Open the Alert Manager Properties dialog box.

2 Click the Network Message tab. The Network Message page appears with a list
of the computers that you have configured to receive a network message. If
you have not yet chosen a recipient computer, this list is blank.

Figure A-7. Alert Manager Properties — Network Message tab

3 To update this list, you can do any of the following:

- To add a computer, click Add to open the Network Message Properties
dialog box. You can specify a recipient computer in one of two ways. You
can type the name of the computer directly into the Computer: text box in
UNC format, or you can select Browse to locate the computer on the
network.

- To remove a listed computer, select one of the recipient names listed, then
click Remove.

- To change configuration options, select one of the recipient names listed,
then click Properties. Alert Manager opens the Network Message Properties
dialog box. Change the information in the Computer: text box as necessary.


Figure A-8. Network Message Properties

4 Click Priority Level to specify which types of alert messages the recipient
receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient a test message. See Sending a test message on
page 221.
6 Click OK to return to the Alert Manager Properties dialog box.

Sending alert messages to e-mail addresses


Alert Manager can send alert messages to a recipient’s e-mail address via Simple
Mail Transfer Protocol (SMTP). Alert messages appear in the recipient’s mail box.
If your message is particularly urgent, you can supplement an e-mail message with
other methods, such as pop-up network messages, to ensure that your recipient
sees the alert in time to take appropriate action.
NOTE
An e-mail alert may take some time to reach its destination,
depending on both your SMTP server and the receiving e-mail
server.

To configure Alert Manager to send e-mail alert notifications to recipients:


1 Open the Alert Manager Properties dialog box.
2 Click the E-Mail tab.


The E-Mail page appears with a list of the e-mail addresses that you have
chosen to receive alert messages. If you have not yet chosen an e-mail address,
this list is blank.

Figure A-9. Alert Manager Properties — E-Mail tab

3 To update this list, you can do any of the following:


- To add an e-mail address to the list, click Add to open the E-Mail Properties
dialog box. Enter the e-mail address for your alert notification recipient in
the Address text box, enter a subject in the Subject text box, then enter your
e-mail address in the From text box. Use the standard Internet address
format <username>@<domain>, such as administrator_1@mail.com.
To control the truncation of longer messages, for example, a message
containing a very long file and path name, append the address with a “*”,
like this: administrator_1@mail.com*. For more information, see Forcing
truncation of messages sent to specific e-mail addresses on page 234.

- To remove a listed address, select one of the e-mail addresses listed, then
click Remove.

- To change configuration options, select one of the e-mail addresses listed,
then click Properties. Alert Manager opens the E-Mail Properties dialog box.
Change the information in the text boxes as necessary.


Figure A-10. E-Mail Properties

4 Click Mail Settings to specify the network server you use to send Internet mail
via SMTP.
NOTE
You must click Mail Settings and specify an SMTP server to be
able to send e-mail alert notifications. Do not skip this step.
Also, after configuring your SMTP mail settings the first time,
you will not be required to configure them again unless your
SMTP mail server information changes.


Figure A-11. SMTP Mail Settings

a In the dialog box that appears, enter the mail Server. You can enter the
server name as an Internet Protocol (IP) address, as a name your local
domain name server can recognize, or in Universal Naming Convention
(UNC) notation.
b If your SMTP server requires it, type a Login name to use for the mail
server.
NOTE
Only enter a login name in the Login field if your SMTP mail
server is configured to use a login. Check your SMTP
configuration to see if this is required. Entering a login name
here when your mail server is not configured to use it may
cause problems with e-mail alerting.
c Click OK to return to the E-Mail Properties dialog box.

5 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.

6 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.

7 If the test message is successful, click OK to return to the Alert Manager
Properties dialog box.


Forcing truncation of messages sent to specific e-mail addresses


Sometimes alert notification messages can become very long, particularly when
they contain %FILENAME% system variables populated with file names that carry
very long path information. Very long messages containing long file and path
names can be confusing and inconvenient. For example, when e-mail messages are
sent to a pager, some pager services truncate long messages abruptly, potentially
removing important information from the message. On the other hand, if a very
long message does get through to a pager, the recipient might be forced to scroll
through lines of path information in a file name to get to the critical information
contained in the alert.

You have two options for managing long messages in e-mail alert notifications:

• Append e-mail addresses with an asterisk (*), such as
administrator_1@mail.com*. Alert Manager truncates alerts sent to e-mail
addresses that are appended with an asterisk according to the current system
SMTP message length settings. The default SMTP length is 240 characters.

This is particularly valuable if Alert Manager sends alerts to pagers via e-mail.
Some pager services have a short message length limit, for example 200
characters. If a message is intended to be delivered to a pager via an e-mail
address, appending the address with an asterisk (*) lets you, rather than a
pager company, control where the message is truncated.

• You can also edit the message text in the Alert Manager Messages dialog box to
make sure important message content is preserved as much as possible in
truncated messages. To do this, you could either abbreviate some parts of the
message or move critical information to the beginning of the message, perhaps
leaving long file names for the end of the message.
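The two rules at work here, the per-recipient priority threshold from Setting the alert priority level for recipients on page 222 and the asterisk-suffix truncation described above, are modelled in the following Python script. It is an added example, not code from this guide or from Alert Manager itself; the five-level priority scale (the guide names only Informational, the lowest), the recipient addresses, the message templates and the deep folder path are assumptions constructed for the demonstration.

```python
"""Added example (not code from the McAfee guide or Alert Manager): a model
of the per-recipient priority threshold and of the asterisk suffix that
truncates e-mail alerts to the SMTP message length. The priority names other
than Informational, the addresses and the alert texts are assumptions."""
from dataclasses import dataclass

# Assumed five-level scale; the guide names only Informational (the lowest).
PRIORITY = {"Informational": 1, "Warning": 2, "Minor": 3, "Major": 4, "Critical": 5}
SMTP_MAX_LEN = 240          # default SMTP message length stated in the guide


@dataclass
class Recipient:
    address: str            # a trailing "*" asks Alert Manager to truncate
    min_priority: str       # threshold set with the Priority Level slider


@dataclass
class Alert:
    priority: str
    template: str           # message text with %VARIABLE% placeholders
    variables: dict


def render(alert):
    """Expand the %VARIABLE% system variables in the message text."""
    text = alert.template
    for name, value in alert.variables.items():
        text = text.replace(name, value)
    return text


def deliver(alert, recipient):
    """Return the text the recipient would receive, or None when the alert
    falls below the recipient's priority threshold."""
    if PRIORITY[alert.priority] < PRIORITY[recipient.min_priority]:
        return None
    text = render(alert)
    if recipient.address.endswith("*"):
        text = text[:SMTP_MAX_LEN]   # keep only the leading SMTP_MAX_LEN chars
    return text


def route(alerts, recipients):
    """Map each recipient address to the list of messages it would get."""
    out = {r.address: [] for r in recipients}
    for alert in alerts:
        for r in recipients:
            text = deliver(alert, r)
            if text is not None:
                out[r.address].append(text)
    return out


# Constructed sample input: a deep path makes the expanded %FILENAME% long.
LONG_PATH = "C:\\" + "\\".join(["verylongfoldername"] * 20) + "\\report.doc"
SAMPLE_ALERTS = [
    Alert("Critical", "Virus %VIRUSNAME% found in %FILENAME%",
          {"%VIRUSNAME%": "VirusOne", "%FILENAME%": LONG_PATH}),
    Alert("Informational", "DAT files updated to %DATVERSION%",
          {"%DATVERSION%": "4300"}),
]
RECIPIENTS = [
    Recipient("eventlog-admin@mail.example", "Informational"),  # gets everything
    Recipient("pager-admin@mail.example*", "Major"),            # serious only, truncated
]

if __name__ == "__main__":
    for address, msgs in route(SAMPLE_ALERTS, RECIPIENTS).items():
        print(address, [len(m) for m in msgs])
```

Run as a script it prints how long each recipient's copy of each alert is: the pager address receives only the Critical alert and only its first 240 characters, which is why the guide suggests moving the critical information to the front of the message text rather than relying on the file name surviving truncation.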

Sending alert messages to a printer


Alert Manager can send alert notifications to a printer to print hardcopy messages.
To configure Alert Manager to send alert notifications to a print queue:
1 Open the Alert Manager Properties dialog box.

2 Click the Printer tab.

The Printer page appears with a list of all of the printer queues that you have
chosen to receive alert messages. If you have not yet chosen a printer queue,
this list is blank.


Figure A-12. Alert Manager Properties — Printer tab

3 To update this list, you can do any of the following:


- To add a print queue to the list, click Add to open the Printer Properties
dialog box, then enter the name of the print queue to which you want to
send messages. You can enter the print queue name or you can click
Browse to locate the printer on the network.

- To remove a listed print queue, select one of the printers listed, then click
Remove.

- To change configuration options, select one of the printers listed, then click
Properties. Alert Manager opens the Printer Properties dialog box. Change
the information in the Printer text box as necessary.


Figure A-13. Printer Properties

4 Click Priority Level to specify which types of alert notifications the recipient
printer receives. See Setting the alert priority level for recipients on page 222.

5 Click Test to send the recipient printer a test message. See Sending a test message
on page 221.

6 Click OK to return to the Alert Manager Properties dialog box.

Sending alert messages via SNMP


Alert Manager can send alert messages to other computers via the Simple Network
Management Protocol (SNMP). To use this option, you must install and activate
the Microsoft SNMP service on your computer; see your operating system
documentation for details. To view the alert messages that the client anti-virus
software sends, you must also have an SNMP management system configured
properly with an SNMP viewer. To learn how to set up and configure your SNMP
management system, see the documentation for your SNMP management
product.


Figure A-14. Enable SNMP alerting

To configure Alert Manager to send alert messages via SNMP:

1 Open the Alert Manager Properties dialog box.

2 Click the SNMP tab.

3 Select Enable SNMP traps.

4 If Alert Manager is installed on a computer running the Windows NT 4
operating system, you can click Configure SNMP to display your Windows
Network dialog box and configure the Microsoft SNMP service. See your
operating system documentation for details.

5 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.

6 Click Test to send the recipient computer a test message via SNMP. See Sending
a test message on page 221.

7 Click OK to save your changes and return to the Alert Manager Properties dialog
box.


Launching a program as an alert


Whenever Alert Manager receives an alert that a virus has been detected, it can
automatically start any executable program on your computer or anywhere on
your network. By default, Alert Manager runs VIRNOTFY.EXE, which is installed in
your Alert Manager installation directory. VIRNOTFY.EXE displays names of infected
files in a scrolling dialog box on the screen of the computer where Alert Manager
is installed.
NOTE
Alert Manager only launches a program when it receives
alerts specifically pertaining to viruses. The %VIRUSNAME% and
%FILENAME% system variables must be present in the alert
message. See Using Alert Manager system variables on page 248.
Alert Manager does not start a program unless these fields are
present in the alert, regardless of the priority level set for the
Program method. See Setting the alert priority level for recipients
on page 222 for more information about priority levels.

To configure Alert Manager to execute a program when it finds a virus:


1 Open the Alert Manager Properties dialog box.

2 Click the Program tab to open the Program page.

Figure A-15. Alert Manager Properties — Program tab

3 Select Execute Program.


4 Enter the path and file name of the executable program that you want to run
when your anti-virus software finds a virus, or click Browse to locate the
program file on your computer or network.
5 Select one of the following:

- To start the program only when your anti-virus software first finds a
particular virus, click First Time.

- To start the program each time the scanner finds a virus, click Every Time.
NOTE
If you select First Time, the program you designate starts as
soon as the scanner initially encounters a particular virus, for
example VirusOne. If the scanner finds more than one
occurrence of VirusOne in the same folder, it does not start the
program again. However, if, after encountering VirusOne, the
scanner then encounters a different virus (VirusTwo), then
encounters VirusOne again, the program starts in response to
each encounter, in this example, three times in a row. Starting
multiple instances of the same program might cause your
server to run out of memory.

6 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.

Remember that the Program method does not run a program unless the alert
pertains specifically to viruses. In other words, the alert must contain the
%VIRUSNAME% and %FILENAME% system variables. All other alerts, regardless of
priority level, are ignored.
7 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
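The trigger rules of the Program method, as this section states them, are modelled in the Python script below. It is an added example rather than code from this guide or from Alert Manager: only alerts carrying both %VIRUSNAME% and %FILENAME% launch the program, whatever their priority, and in First Time mode a further occurrence of the virus just reported, in the same folder, does not launch it again. The reading that First Time compares each virus alert with the immediately preceding one, the program path, and the sample alert sequence are assumptions; no process is actually started, launches are only recorded.

```python
"""Added example (not code from the McAfee guide or Alert Manager): a model of
the Program alerting method's trigger rules. Assumptions: First Time compares
each virus alert with the immediately preceding one, and the program path is
a placeholder. Nothing is executed; launches are only recorded."""
import ntpath

# Both system variables must be present, or the alert is not a virus alert.
REQUIRED_FIELDS = ("%VIRUSNAME%", "%FILENAME%")

# Assumed placeholder path for the default notifier program.
PROGRAM = r"C:\Program Files\Network Associates\Alert Manager\VIRNOTFY.EXE"


class ProgramAlertMethod:
    def __init__(self, program=PROGRAM, every_time=False):
        self.program = program
        self.every_time = every_time   # False models First Time, True models Every Time
        self.last_seen = None          # (virus name, folder) of the previous virus alert
        self.launches = []             # recorded (program, virus, file) tuples

    def handle(self, alert):
        """Return True if the program would be launched for this alert."""
        # Non-virus alerts are ignored regardless of their priority level.
        if not all(field in alert for field in REQUIRED_FIELDS):
            return False
        virus = alert["%VIRUSNAME%"]
        folder = ntpath.dirname(alert["%FILENAME%"])   # Windows-style path
        key = (virus, folder)
        # First Time: another occurrence of the virus just reported, in the
        # same folder, does not start the program again.
        if not self.every_time and key == self.last_seen:
            return False
        self.last_seen = key
        self.launches.append((self.program, virus, alert["%FILENAME%"]))
        return True


# Constructed alert sequence following the guide's VirusOne/VirusTwo scenario;
# the last entry is a non-virus alert and must never launch the program.
SAMPLE_ALERTS = [
    {"%VIRUSNAME%": "VirusOne", "%FILENAME%": r"C:\Share\a.exe", "priority": "Critical"},
    {"%VIRUSNAME%": "VirusOne", "%FILENAME%": r"C:\Share\b.exe", "priority": "Critical"},
    {"%VIRUSNAME%": "VirusTwo", "%FILENAME%": r"C:\Share\c.exe", "priority": "Critical"},
    {"%VIRUSNAME%": "VirusOne", "%FILENAME%": r"C:\Share\d.exe", "priority": "Critical"},
    {"message": "DAT update failed", "priority": "Critical"},
]


def replay(every_time):
    """Run the sample sequence through one setting; return the launch decisions."""
    method = ProgramAlertMethod(every_time=every_time)
    return [method.handle(alert) for alert in SAMPLE_ALERTS]


if __name__ == "__main__":
    print("First Time:", replay(False))   # repeat of VirusOne in C:\Share is skipped
    print("Every Time:", replay(True))
```

The First Time replay launches three times for the four virus alerts, matching the guide's example; Every Time launches four times. In both modes the Critical non-virus alert is dropped, which is the point of the reminder in step 6.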

Logging alert notifications in a computer’s event log


Alert Manager can log alert messages to the local event log on your computer or
the event log of another computer on your network.

To configure logging options:

1 Open the Alert Manager Properties dialog box.


2 Click the Logging tab.

The Logging page appears with a list of all of the computers you have chosen
to receive messages for logging. If you have not yet chosen a recipient
computer, this list is blank.


Figure A-16. Alert Manager Properties — Logging tab

3 To update this list, you can do any of the following:

- To add a computer, click Add to open the Logging Properties dialog box,
then enter the name of the computer that receives forwarded messages in
the text box. You can enter the computer name in Universal Naming
Convention (UNC) notation, or you can click Browse to locate the
computer on the network.

- To remove a listed computer, click the computer in the list and click the
Remove button.

- To change configuration options, select one of the recipient computers
listed, then click Properties. Alert Manager opens the Logging Properties
dialog box. Enter the name of the computer to which you want Alert
Manager to forward messages for logging. Click Browse to locate the
destination computer.


Figure A-17. Logging Properties

4 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
6 Click OK to return to the Alert Manager Properties dialog box.

Sending a network message to a terminal server


Alert Manager can send alert messages to a terminal server. Pop-up network
messages display to the user whose session originated the alert.
The Alert Manager Properties dialog box only displays the Terminal Server tab if the
computer on which Alert Manager is installed is a terminal server.

To configure Alert Manager to send a message to a terminal server:


1 Open the Alert Manager Properties dialog box.

2 Click the Terminal Server tab.


Figure A-18. Alert Manager Properties — Terminal Server tab

3 To enable terminal server alerting, select Enable alerting to client.


4 Click Test to send the recipient computer a test message. The Select client for
test message dialog box appears, listing the current terminal server user
sessions for that computer.

Figure A-19. Send a terminal server user a test message

5 Select a user from the list and click OK to send that user a test message and
return to the Alert Manager Properties dialog box.

6 Click Priority Level to specify which types of alert messages the terminal server
users should receive. See Setting the alert priority level for recipients on page 222.


7 Click OK to save the terminal server settings and return to the Alert Manager
Properties dialog box.

Using Centralized Alerting


Centralized Alerting provides an alternative to using regular Alert Manager
messaging. With centralized alerting, alert messages generated by anti-virus
software, such as VirusScan Enterprise 7.0, are saved to a shared folder on a server.
Then, Alert Manager is configured to read alert notifications from that same folder.
When the contents of the shared folder change, Alert Manager sends new alert
notifications using whatever alerting methods Alert Manager is already
configured to use, such as sending e-mail messages to a pager.
WARNING
Due to security issues with shared folders, we recommend
that you do not use centralized alerting. Instead, you should
configure your client anti-virus software to use the regular
Alert Manager alert notification methods.
If you decide to use centralized alerting, configure it as follows:
1 Configure the anti-virus software on client computers to send alert messages
to the appropriate alert folder. See your anti-virus software documentation for
instructions on how to do this.
NOTE
To allow other workstations on your network to send
messages to this folder, you must give file scan, write, create
and modify permissions for this folder to all users and
computers. See your operating system documentation for
details.
2 Make sure that all your users and computers are able to read and write to this
shared alert folder. If the folder is located on a computer running Windows
NT, you must properly configure a null session share. See your operating
system documentation for details.

3 Configure Alert Manager to monitor the centralized alert folder for activity. To
do this:

a From the Alert Manager Properties dialog box, select the Centralized Alert
tab.


Figure A-20. Centralized Alerting Properties

b Select Enable centralized alerts.

c Type the location of the alert folder or click Browse to locate a folder
elsewhere on your server or on the network. This must be the same folder
that the anti-virus software on your client computers uses for centralized
alerts (see Step 1). The default location of the alert folder is:
C:\Program Files\Network Associates\Alert Manager\Queue\.
4 Click Priority Level to specify which types of alert messages the recipient
computer receives. See Setting the alert priority level for recipients on page 222.
5 Click Test to send the recipient computer a test message. See Sending a test
message on page 221.
6 Click OK to save your centralized alerting settings and return to the Alert
Manager Properties dialog box.

Customizing alert messages


Alert Manager comes with a wide range of alert messages suited to nearly all of the
situations you may encounter when a virus is detected on a computer in your
network. The alert messages include a preset priority level and incorporate system
variables that identify the infected file and system, the infecting virus, and other
information that you can use to get a quick but thorough overview of the situation.



To suit your own circumstances, you can enable or disable individual alert
messages or change the contents and priority level for any message. Because Alert
Manager still activates the alert message in response to specific trigger events, you
should try to retain the overall sense of any alert messages you choose to edit.

Use the Alert Manager Messages dialog box to customize alert messages. See
Starting Alert Manager on page 219 for details on how to access the Alert Manager
Messages dialog box.

Figure A-21. Alert Manager Messages

From here, you can do either of the following:

• Enabling and disabling alert messages.

• Editing alert messages.

Enabling and disabling alert messages


Although GroupShield can alert you whenever your anti-virus software finds a
virus or whenever nearly any aspect of its normal operation changes significantly,
you might not want to receive alert messages in each of these circumstances. Use
the Alert Manager Messages dialog box to disable specific alert messages that you
do not want to receive.
Next to each alert listed in the Alert Manager Messages dialog box is a checkbox. If
this is selected, the alert is enabled. If it is not selected, it is disabled. By default, all
of the available alert messages are enabled.

To enable or disable alert messages:


1 Select or deselect the corresponding checkbox for any alert messages you want
to enable or disable.

2 Click OK to save your changes and close the Alert Manager Messages dialog
box.

Editing alert messages


You can edit alert messages in the following two ways:

• Changing alert priority.

• Editing alert message text.

Changing alert priority


Some of the alerts that Alert Manager receives from your client anti-virus software
require more immediate attention than others. A default priority level is set for
each alert message, corresponding to the urgency most system administrators
would assign them. You can reassign these priority levels to suit your own needs.
Use them to filter the messages that Alert Manager will send to your recipients so
your recipients can concentrate on the most important ones first.

To change the priority level assigned to an alert message:


1 On the Alert Manager Messages dialog box (see Customizing alert messages on
page 244), click a message in the list once to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.

Figure A-22. Edit the priority and text of an alert message

3 Choose a priority level from the Priority list. You can assign each alert message
a Critical, Major, Minor, Warning, or Informational priority.
The icons shown beside each message listed in the Alert Manager Messages
dialog box identify the priority level currently assigned to a message. Each icon
corresponds to a choice in the Priority drop-down list. The priority levels are:



Critical. Indicates your anti-virus software detected viruses in files that
could not be cleaned, quarantined or deleted.

Major. Indicates either that successful virus detection and cleaning has
occurred, or that serious errors or problems have occurred that might cause
your anti-virus software to stop working. Examples include “Infected file
deleted,” “No licenses are installed for the specified product,” or “Out of
memory!”

Minor. Indicates lesser detection or status messages.

Warning. Indicates status messages that are more serious than
informational messages. These often relate to non-critical problems
encountered during the anti-virus scan.

Informational. Indicates standard status and informational messages,
such as “On-Access scan started” or “Scan completed. No viruses found.”

As you reassign the priority for a message, the icon beside it changes to show
its new priority status.

4 Click OK.

Filtering messages by priority level


To filter your messages, configure each alert method you have set up in Alert
Manager to accept only messages of a certain priority. For example, suppose you
want to have Alert Manager page you whenever your client anti-virus software
finds a virus on your network, but do not want it to send routine operational
messages. To do this, you would assign a Critical or Major priority to virus alerts,
and a Minor, Warning, or Informational priority to the routine informational
messages. Then, configure Alert Manager to send only high priority messages to
the e-mail address that goes to your pager.

See Setting the alert priority level for recipients on page 222 for information about
applying priority level filters for specific recipients.

Editing alert message text


To help you respond to a situation that requires your attention, Alert Manager
includes enough information in its messages to identify the source of whatever
problem it has found and some information about the circumstances in which it
found the problem. You can edit the message text as desired. For example, you can
add comments to the alert message that describe more about the problem or list
support contact information.


NOTE
Although you can edit the alert message text to say what you
want, you should try to keep its essence intact, because Alert
Manager sends each message only when it encounters certain
conditions. Alert Manager sends the “task has started” alert
message, for example, only when it actually starts a task.
To edit the alert message text:
1 From the Alert Manager Messages dialog box, click the alert message in the list
to select it.
2 Click Edit to open the Edit Alert Manager Message dialog box.

3 Edit the message text as desired. Text enclosed in percentage signs, such as
%COMPUTERNAME%, represents a variable that Alert Manager replaces with text at
the time it generates the alert message. See Using Alert Manager system variables
on page 248.
4 Click OK to save your changes and return to the Alert Properties dialog box.

Using Alert Manager system variables


Alert Manager 4.7 includes system variables that you can use in alert message text.
These variables refer to system features like system date and time, file names, or
computer names. When sending alert notifications, Alert Manager dynamically
replaces the variable with a specific value.

For example, the major alert Infected file successfully cleaned (1025) listed in the
Alert Manager Messages dialog box is by default set to the following:

The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file
was successfully cleaned with Scan engine version %ENGINEVERSION% and DAT
version %DATVERSION%.
When this alert is sent to Alert Manager from an anti-virus application, Alert
Manager dynamically populates the system variables with real values, for example
displaying MYDOCUMENT.DOC for the %FILENAME% variable.



Some of the most commonly-used system variables are:

%DATVERSION%
    The version of the current DAT files used by the anti-virus software
    that generated the alert.

%ENGINEVERSION%
    The version of the current virus-scanning engine used by the anti-virus
    software to detect an infection or other problem.

%FILENAME%
    The name of a file. This could include the name of an infected file it
    found, or the name of a file it excluded from a scan operation.

%TASKNAME%
    The name of an active task, such as an On-Access scan or AutoUpdate
    task in VirusScan Enterprise 7.0. Alert Manager might use this to report
    the name of the task that found a virus, or the name of a task that
    reported an error during a scan operation.

%VIRUSNAME%
    The name of an infecting virus.

%DATE%
    The system date of the Alert Manager computer.

%TIME%
    The system time of the Alert Manager computer.

%COMPUTERNAME%
    The name of a computer as it appears on the network. This could include
    an infected computer, a computer that reported a device driver error, or
    any other computer with which the program interacted.

%SOFTWARENAME%
    The file name of an executable file. This could include the application
    that detected a virus, an application that reported an error, or any
    other application with which the program interacted.

%SOFTWAREVERSION%
    The version number taken from an active software package. This could
    include the application that detected a virus, an application that
    reported an error, or any other application with which the program
    interacted.

%USERNAME%
    The login name of the user currently logged on to the server. This can,
    for instance, tell you if somebody cancelled a scan.

WARNING
Be careful when editing message text to include system
variables that might not actually be used by the event
generating that alert message. Using system variables in alerts
that do not actually use that system variable field could cause
unexpected results, including garbled message text or even a
system crash.
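As an added example (it is not part of this guide and not McAfee's code), the following Python script models the substitution Alert Manager performs on %VARIABLE% tokens and adds the check the WARNING above calls for: before saving edited message text, list any variables that the triggering event does not supply. The message text is the default quoted above for alert 1025; the event field values and the edited text are constructed for illustration.

```python
import re

# Alert Manager writes its variables as %NAME%; this matches one token.
TOKEN = re.compile(r"%([A-Z]+)%")

# Default text of the major alert "Infected file successfully cleaned (1025)"
# as quoted in this guide.
CLEANED_TEMPLATE = (
    "The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
    "The file was successfully cleaned with Scan engine version "
    "%ENGINEVERSION% and DAT version %DATVERSION%."
)

# Constructed example of the fields such an event might carry; the values
# are illustrative, not captured from a real product.
CLEANED_EVENT = {
    "FILENAME": "MYDOCUMENT.DOC",
    "VIRUSNAME": "EICAR-Test-File",
    "VIRUSTYPE": "(test file)",
    "ENGINEVERSION": "4.3.20",
    "DATVERSION": "4300",
    "COMPUTERNAME": "MAILSRV01",
}

# Constructed edited text: an administrator appended a computer name, a
# user name and contact details. %USERNAME% is not supplied by this event.
EDITED_TEMPLATE = (
    CLEANED_TEMPLATE
    + " Detected on %COMPUTERNAME% by %USERNAME%."
    + " Contact the helpdesk on extension 0000 (placeholder)."
)


def variables_in(template):
    """Return the set of variable names referenced by the message text."""
    return set(TOKEN.findall(template))


def unsupported_variables(template, event):
    """Variables the text uses that the event does not populate.

    Run this before saving edited message text: a non-empty result is the
    situation the guide warns produces garbled output."""
    return sorted(variables_in(template) - set(event))


def expand(template, event, strict=False):
    """Replace each %VAR% token with the event's value.

    Tokens the event does not supply are left in place so the gap is
    visible in the delivered message; with strict=True they are rejected
    instead."""
    missing = unsupported_variables(template, event)
    if strict and missing:
        raise ValueError("message text uses variables this event does not "
                         "supply: " + ", ".join(missing))
    return TOKEN.sub(lambda m: event.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    print(expand(CLEANED_TEMPLATE, CLEANED_EVENT))
    print("unsupported:", unsupported_variables(EDITED_TEMPLATE, CLEANED_EVENT))
```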


Below is a complete list of the Alert Manager system variables that can be used in
Alert Manager messages:

%ACCESSPROCESSNAME%
%CLIENTCOMPUTER%
%COMPUTERNAME%
%DATVERSION%
%DOMAIN%
%ENGINESTATUS%
%ENGINEVERSION%
%EVENTNAME%
%FILENAME%
%GMTDAY%
%GMTHOUR%
%GMTMIN%
%GMTMONTH%
%GMTSEC%
%GMTTIME%
%GMTYEAR%
%INFO%
%MAILIDENTIFIERINFO%
%MAILSUBJECTLINE%
%MAILTONAME%
%PROCESSORSERIA%
%NOTEID%
%NOTESDBNAME%
%NOTESSERVERNAME%
%LANGUAGECODE%
%LOCALDAY%
%LOCALHOUR%
%LOCALMIN%
%LOCALMONTH%
%LOCALSEC%
%LOCALTIME%
%LOCALYEAR%
%LONGDESCRIPT%
%MAILCCNAME%
%MAILFROMNAME%
%NUMCLEANED%
%NUMDELETED%
%NUMQUARANTINED%
%NUMVIRS%
%OBRULENAME%
%OS%
%RESOLUTION%
%SCANRETURNCODE%
%SEVERITY%
%SHORTDESCRIPT%
%SOFTWARENAME%
%SOFTWAREVERSION%
%SOURCEIP%
%SOURCEMAC%
%SOURCESEG%
%TARGETCOMPUTERNAME%
%TARGETIP%
%TARGETMAC%
%TASKID%
%TASKNAME%
%TRAPID%
%TSCLIENTID%
%URL%
%USERNAME%
%VIRUSNAME%
%VIRUSTYPE%

Index

Symbols
  .DAT files, 100

A
  Alert folder
    function, 243
  Alert Manager
    configuration, 219
    e-mail alert, 230
    forwarding an alert, 225
    launching a program, 238
    network broadcasting, 228
    printed messages, 234
    SNMP, 236
    Summary page, 223
    system variables, 248
  Alert Manager Properties, 220
    Summary, 223
  alert messages
    broadcasting a network alert, 228
    Centralized Alerting, 243
    customizing, 244
    disabling, 245
    editing, 247
    e-mail, 230
    enabling, 245
    forwarding, 225
    launching a program in response to, 238
    sending to a printer, 234
    sending via SNMP traps, 236
    truncating, 234
    variables in, 249
  alert method
    configuring recipients, 220
  alert priority
    changing, 246
    types, 247
  anti-spam
    events, 202
  assign (a rule to a policy), defined, 53
  audience for this manual, 13
  AutoUpdate Architect
    McAfee, 100
  AVERT (Anti-Virus Emergency Response Team), contacting, 16

B
  background scanning, 38
  banned content detection, 34
  beta program, contacting, 16
  bitmap, see BMP, 157
  blacklist, file filtering, 63
  BMP, 157
  broadcasting network messages, 228
  Bubbleboy, 52

C
  Centralized Alerting, 243
  characters
    not detected, 56
    used as delimiters, 57
  Common Updater
    McAfee, 100
  confidential information, 153, 156
  configuration
    Alert Manager recipients and methods, 220
  Configuration file
    exporting, 188
    importing, 189
  Configure, 167
    Detected Items Database, 173
    Product Log, 176
  configure diagnostics, 181
  Configure Import and Export Configuration, 188
  configure Personal Preferences, 179
  contacting McAfee Security, 16
  content management engine, 34
  content rules
    see also rules and rule groups, 121
    defined, 45
    do not work in e-mail messages!, 58
    warning about names of, 54
  conventions used in this manual, 14
  corrupt content, 150
  CSV
    exporting as, 90, 97
  currency symbols, 56
  customer service, contacting, 16

D
  DAT file updates, web site, 16
  DAT files, 100
    Emergency, 100
    Extra, 100
  DAT Updates, 100
  Debug Logging
    levels of logging, 182
    limiting size of debug logs, 182
    specify location for log files, 183
  default settings, 203
    anti-virus and content, 204
    DAT files, 203
    debug logging, 210, 212, 214, 216 to 217
    detected items database, 213
    import and export configuration, 217
    on-access settings, 211
    personal preferences, 215
    scheduled tasks, 204
  delimiter characters, 57
  denial-of-service attacks, 43, 65, 129
  depth of nesting, 65
    in compressed files, 66
    in HTML files, 66
  desktop and file server protection, 30
  Detected Items
    querying, 84, 93
    searching for files, 84 to 85, 93 to 94
    viewing, 83
  Detected Items Database
    configure, 173
  Detected Items database, 174 to 175, 177 to 178
  Detected Items results
    viewing, 86, 95
  Detected viruses, getting more information, 86, 95
  detection
    banned content, 34
    virus, 34
  diagnostics
    configure, 181
  disclaimers, 63
  distractions, 158
  documentation for the product, 15
  download web site, 16
  downloading
    quarantined messages, 90

E
  EICAR, 160
  e-mail
    sending virus alert via, 230
  e-mail messages
    content rules do not work!, 58
    nuisance e-mail, 158
  e-mail protection, 29
  Emergency DAT files, 100
  encrypted content, 149
  engine
    content management, 34
    virus-scanning, 34
  ePolicy Orchestrator management solution, 31
  ePolicy Orchestrator support
    features, 23
  error messages, 200
  error reporting, 183
    using, 184
  error reporting utility, 183
  events, 202
  Extra.DAT files, 100

F
  faqs
    virus questions
      frequently asked virus questions, 199
  features, 21 to 23
    ePolicy Orchestrator support, 23
    file filtering in Exchange, 22
    virus scanning in Exchange, 21
  field delimiters, 57
  file filtering, 62
    blacklist and whitelist, 63
    features, 22
    file format, 62
  filter
    using, 87, 96
  forwarding
    quarantined messages, 90
  forwarding alerts
    large organization, 225
    small organization, 226
  frequently asked questions
    faqs, 198
  frequently asked questions, troubleshooting, 198

G
  gateway protection, 29
  getting information, 15
  global policy, 44
    defined, 47
    icon, 113
  groups
    rules, 121
  GroupShield
    e-mail protection, 29
    interface
      console, 77
      Home page, 79
      Links bar, 78
      overview, 75
      Quick Help pane, 78
    on your network, 27
    updating, 100
    user interface
      Navigation pane, 76
      opening, 73
      opening on a different computer, 73
  GroupShield console, 71
  GroupShield interface, 71
  GroupShield user interface, 71
  GTUBE spam detection test, 161

H
  handling quarantined items, 89
  heuristic analysis, 51
    in programs and macros, 51

I
  icons
    global policy, 113
    policy groups, 106
    rule groups, 113
  Import and Export Configuration
    configure, 188
  importing a repository list, 189
  importing site list, 189
  inheritance
    policies, 47
    policies inherited by global policy, 110
    policies inherited from global policy, 109
  installation
    troubleshooting, 198
  Insult 23, 54
  insulting phrase, name of rule for an, 54
  Internet gateway protection, 29

K
  KnowledgeBase search, 16

L
  legal implications, use of e-mail and Internet, 47
  liability, limiting, 63
  limiting size of database, 174, 177
  limiting size of quarantined files, 175, 178

M
  mail server, configuring for e-mail alerting, 232
  management and reporting via ePolicy Orchestrator
    features, 23
  management solution, ePolicy Orchestrator, 31
  manuals, 15
  McAfee AutoUpdate Architect, 100
  McAfee Common Updater, 100
  McAfee Security University, contacting, 16
  Melissa, W97M/Melissa@MM virus, 52
  Microsoft Exchange
    protecting
      protecting Microsoft Exchange, 34
  modifying the subject line, 61
  MPEGs, 157

N
  nesting, see depth of nesting, 65
  network configuration, 28
  network load, 157

O
  offensive words, 157
  on-access scanning, 36
  on-access settings, 167
    defining, 170
    options, 167
    setting Virus scanning API options, 167, 171
  on-demand scan, 102
  on-demand scanning, 38
  options
    scheduling, 99
    Virus Scanning API, 169
  overview
    GroupShield, 17

P
  Personal Preferences
    configure, 179
    configure Detected Items page options, 180
    configure Home page options, 180
  policies
    defined, 46
    deleting items from, 119
    inheritance, 47
    managing items in, 128
    modifying items in, 118
    right-click menu, 107
  policy groups
    defined, 48
    icon, 106
    right-click menu, 112
  PortalShield
    portal server protection, 30
  PrimeSupport, 16
  prioritizing
    messages sent
      across the network, 228, 230, 233, 236 to 237, 239, 241 to 242
      to another computer, 222
  priority level, setting for alerts, 222
  proactive scanning, 39
  product documentation, 15
  Product Log
    configure, 176
  product overview, 18
  product training, contacting, 16
  product update, 100
  Product versions, 80
    DAT date, 80
    DAT version, 80
    engine version, 80
    GroupShield version, 80

Q
  quarantine, 154
    conserving disk space, 46
    numbering, 46
    specifying action, 55, 65
  quarantined items
    handling, 89
  quarantined messages
    downloading, 90
    forwarding, 90

R
  Real-time scanning statistics, 79
    average scan time, 79
    banned items, 79 to 80
    clean items, 79
    infected items, 79
    Potential Spam, 80
    scanned items, 79
  Recently Scanned Items, 80
  repository list
    importing, 189
  right-click menus
    appearance, 107
    items in a policy, 110
    policies, 107
    policy groups, 112
    rule, 112
    rule groups, 108
  rule groups
    creating, 121
    creating from a copy, 121
    defined, 53
    deleting, 123
    exporting, 122
    icon, 113
    importing, 122
    renaming, 122
    right-click menu, 108
  rules, 154
    description, 54
    examples of, 151
    name, 54
    problems with complex rules, 59
    right-click menu, 112
    rule does not work with extra condition!, 59
    testing new, 162

S
  scanning
    affect on performance, 50
    background, 38
    on-access, 36
    on-demand, 38
    proactive, 39
    transport, 18
    troubleshooting, 198
    what and when, 36
  scanning options
    expand archive files, 51
    Find joke programs, 52
    Find suspicious programs, 52
    Find unknown file viruses, 51
    Find unknown macro viruses, 52
    scan all files, 51
  Schedule options, 99 to 102
  Scheduled Tasks, 91
    delete an existing, 91
    modify an existing, 91
    viewing, 91
  score, spam, typical value, 61
  security headquarters, contacting AVERT, 16
  separators, for words, 57
  service portal, PrimeSupport, 16
  SMTP mail server, configuring for e-mail alerting, 232
  SNMP
    sending alerts via, 236
  ** SPAM ** prefix, 61
  spam, 61
    blocking some with content rules, 158
    example phrases seen in, 159
    types of unsolicited commercial e-mail messages, 42
  spam score indicator, 61
  spam score, typically 5, 61
  specify location of database, 175, 178
  specify name for database, 175, 178
  specifying maximum age of entries, 174, 177
  submitting a sample virus, 16
  system variables
    alerting, 248

T
  technical support, 16
  test alerting configuration, 221
  testing
    anti-spam settings, 161
    content rules, 161
  testing a new rule, 162
  thread, keeping information confidential, 156
  training web site, 16
  Transport scanning, 18
  Troubleshooting, 193
  troubleshooting, 200
    error messages, 200
    FAQs, 198
  truncating alert message, forced, 234

U
  update GroupShield, 101
  updating, 100
    DATs, 100
  updating GroupShield, 100
  upgrade web site, 16
  using the filter, 87, 96

V
  VBS/Bubbleboy@MM virus, 52
  Viagra, example of spam, 159
  viewing Detected Items results, 86, 95
  virus definition files (See DAT files)
  virus detection, 34
  Virus Information Library, 16
  virus scanning, 35 to 39
    features, 21
    levels of protection, 50
    testing, 160
  Virus Scanning API options, 169
  virus, submitting a sample, 16
  VirusScan desktop and file server protection, 30
  virus-scanning engine, 34

W
  warnings
    complex rules, 59
    deleted policy cannot be restored, 117
    deleted rule cannot be restored, 128
    disclaimer, 63
    virus hoax, 155
  WebShield
    Internet gateway protection, 29
  whitelist, file filtering, 63
  wildcards, 55
  word delimiters, 57
  word, defined, 57
