
Protect what you value.

McAfee GroupShield 7.0.1 for Microsoft Exchange Best Practices


www.mcafee.com

Table of Contents
Introduction
Scanning in GroupShield
McAfee Transport Scanning
Scanning with VSAPI v2.5 and v2.6
New Features
Exchange Server Versions and Roles supported by GSE 7.0.1
GroupShield Installation and options
Buffer Overflow Protection
Blocking Unsolicited Bulk Mails
Installation and Configuration (Best Practices) Based on Exchange Version and Role
Exchange 2003 Server in Bridge Head Server Role
Settings and Diagnostics
Exchange 2003 Mailbox Server Role
Settings and Diagnostics
Exchange 2007 Mailbox + Hub Role (Typical setup)
Settings and Diagnostics
Exchange 2007 Mailbox Only Role
Exchange 2007 Hub Transport Role
Exchange 2007 Edge Server Role
Clustering on Exchange 2003
Clustering on Exchange 2007
Scheduling Tasks in GSE 7.0.1
Policy Manager
On-Access Settings
Common Settings Applicable to All Exchange Versions and Roles
User Interface Preferences


McAfee GroupShield 7.0.1 Best Practices


McAfee GroupShield 7.0.1 (GSE 7.0.1) software provides protection against viruses, Trojans, malware, spyware, mass mailers, packers and potentially unwanted programs (PUPs). GSE 7.0.1 also contains filters for non-virus content such as spam, phishing, banned content, banned file types, signed content and invalid MIME types. GSE 7.0.1 protects the following versions of Microsoft Exchange:
- Microsoft Exchange 2003
- Microsoft Exchange 2007 (Mailbox only, Hub only, Mailbox + Hub and Edge roles)
Scanning in GroupShield
GSE 7.0.1 can scan at the transport level (gateway) as well as at the Exchange store level. By default, it uses McAfee Transport Scan to scan inbound, outbound and internal messages.

McAfee Transport Scanning

On Exchange 2003, McAfee Transport Scan scans SMTP messages at the submit and post-categorization (Post Cat) stages. On Exchange 2007 (Hub Transport or Edge Transport role), McAfee registers its own .NET agents with the Exchange transport service. GSE 7.0.1 registers two such agents with the Exchange 2007 transport service: McAfeeTxAgent handles the OnEndOfData event, and McAfeeTxRoutingAgent handles the OnRoutedMessage event.

Scanning with VSAPI v2.5 and v2.6

On Exchange 2003, GroupShield uses Microsoft's Virus Scanning Application Programming Interface (VSAPI) version 2.5 for store-level scanning; on the Exchange 2007 Mailbox role it uses VSAPI version 2.6. With VSAPI, every time a message is written to or read from the store, GroupShield scans it against the list of known viruses and for suspected virus-like behaviour. GroupShield can also scan the message content, using the rules and policies defined in the software.

New Features

- New DHTML-based (non-Java) web user interface
- Integration with V2 API scanning DATs and engine
- Detection of more recent threat classes such as PUPs and packers
- Support for micro-incremental AVVDAT updates, incremental AVVDAT updates and component-based AV engine updates
- Live streaming updates for more accurate spam detection
- Integration with SpamAssassin SDK 2.1 for phishing detection
- Improved local quarantine management using a PostgreSQL database
- New centralized quarantine management using McAfee Quarantine Manager v5.0
- Graphical reporting for detections
- Dashboard graphs and detection counters
- Segregation by detection type in the Detected Items database
- Option to submit samples to McAfee Avert Labs
- Centralized alert, rule and scanner settings
- Filter for detecting protected content (password-protected MS Office files)
- Filter for detecting password-protected archive files (ZIP, tar and RAR)
- Filter for removing unwanted scripts and ActiveX components from HTML files
- Filter for detecting and managing partial and broken MIME messages
- Handling of different encodings for MIME messages
- Separate filter for detecting encrypted and corrupted attachments
- Time-based scanning for all scanners and filters
- Sub-policy creation and editing of policy priorities
- Support for Exchange 2007 in the Mailbox, Mailbox + Hub, Hub Transport and Edge Transport roles
- Scanning with VSAPI version 2.6 for Exchange 2007 mailboxes
- Improved background scanning options for Exchange 2007
- Scheduling of background scanning
- Option to have both VSAPI and McAfee Transport Scanning enabled
- Direction-based Transport Scanning: option to scan inbound, outbound and/or internal mail
- Option to purge and optimize the detected items database
- Option to purge the DATs folder
- Option to personalize dashboard settings and graphical reports
- Option to reset the product configuration settings
- AV stamping between GSE instances on the Edge Transport, Hub Transport and Mailbox roles, so that mail already scanned with a given DAT version is not scanned again
- IPv6 integration
- Scheduled status and configuration reports

Exchange Server Versions and Roles supported by GSE 7.0.1

GroupShield 7.0.1 supports Exchange 2003 and Exchange 2007 servers. The behaviour, features and recommended settings and configuration of GroupShield vary with the Exchange version and role. Exchange 2003 can be installed as a mailbox server or as a bridgehead server (a routing server without mailboxes). Exchange 2007 can be installed in the following roles:
- Mailbox role
- Mailbox + Hub Transport role
- Hub Transport role
- Edge role

GroupShield Installation and options

GroupShield can be installed either as a single product from GroupShield.msi or through the wrapper installation package, setup.exe. Running GroupShield.msi directly (double-clicking it) installs only the GroupShield product, without the optional features. With setup.exe, the user can install GroupShield together with two optional add-on features:
- Buffer Overflow Protection using McAfee VirusScan 8.5i
- McAfee Anti-Spam for GroupShield (Evaluation)

Buffer Overflow Protection

A buffer overflow exploit is an attack technique that abuses a software defect in an application or process to force it to execute attacker-supplied code. Applications hold data in fixed-size buffers. If an attacker sends more data or code into one of these buffers than it can hold, the buffer overflows, and the computer ends up executing the overflowed data as a program.

McAfee VirusScan Enterprise prevents exploited buffer overflows from executing arbitrary code on the server. It monitors user-mode API calls and recognizes when they are made as the result of a buffer overflow. When a detection occurs, the event is logged in the activity log and, if you have configured those options, also displayed in the On-Access Scan message dialog box. VirusScan Enterprise protects approximately 20 applications out of the box.

To use this feature with GSE 7.0.1, McAfee VirusScan Enterprise (VSE) version 8.5i must be installed before running setup. When the buffer overflow option is selected during setup, the installer adds the important GSE 7.0.1 processes to VirusScan's AdditionalBOPProcesses registry value under HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\BehaviourBlocking. At present the following GSE 7.0.1 processes are protected against buffer overflow attacks:
- RPCServ.exe
- PrfCtrs.exe
- RunScheduled.exe
- SAFeService.exe
- SDEDIT.exe
- StandaloneUI.exe

For customers who have VirusScan installed on the Exchange server, we recommend selecting buffer overflow protection during installation. Note that buffer overflow protection is not available on 64-bit servers.
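The registration described above can be verified after installation. The following PowerShell script is an added example, not part of the McAfee document or product: it reads the AdditionalBOPProcesses value from the key named in the text and reports any GSE 7.0.1 process that is missing. The key, value name and process list are taken from the text; the on-disk format of the value is not stated there, so the script accepts both a delimited string and a multi-string value (an assumption).

```powershell
# Added example (not from the McAfee document): confirm that the GSE 7.0.1
# processes are covered by VirusScan Enterprise 8.5i buffer overflow protection.
# The key, value name and process list come from the text above; the stored
# format of AdditionalBOPProcesses is not stated there, so both a delimited
# string and a multi-string value are accepted (assumption).

$bopKey = 'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\BehaviourBlocking'
$gseProcesses = @('RPCServ.exe', 'PrfCtrs.exe', 'RunScheduled.exe',
                  'SAFeService.exe', 'SDEDIT.exe', 'StandaloneUI.exe')

# BOP is not available on 64-bit servers, so there is nothing to verify there.
if ($env:PROCESSOR_ARCHITEW6432 -or ($env:PROCESSOR_ARCHITECTURE -ne 'x86')) {
    Write-Warning 'Buffer overflow protection is not available on 64-bit servers.'
    return
}

if (-not (Test-Path $bopKey)) {
    Write-Warning "$bopKey not found: is VirusScan Enterprise 8.5i installed?"
    return
}

$raw = (Get-ItemProperty -Path $bopKey).AdditionalBOPProcesses
$registered = @()
foreach ($entry in @($raw)) {
    if ($entry -ne $null) {
        # Split a delimited string into names; a REG_MULTI_SZ arrives one per element.
        $registered += $entry.ToString().Split(',; '.ToCharArray(),
                           [StringSplitOptions]::RemoveEmptyEntries)
    }
}

# -notcontains compares strings case-insensitively, matching how file names behave.
$missing = @($gseProcesses | Where-Object { $registered -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ('GSE processes not listed in AdditionalBOPProcesses: ' +
                   ($missing -join ', ') +
                   '. Re-run setup.exe and select the buffer overflow option.')
} else {
    Write-Host 'All GSE 7.0.1 processes are listed in AdditionalBOPProcesses.'
}
```

The script only reports; it does not write to the value, because the supported way to register the processes is the GSE installer with the buffer overflow option selected. Run it as an administrator on the Exchange server after installation, and again after any VSE repair or upgrade, since a reinstall of VSE can reset the value.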

Blocking Unsolicited Bulk Mails

McAfee Anti-Spam for GroupShield is an optional feature with which GSE 7.0.1 can also block unsolicited bulk mail (spam, including phishing mail), in addition to viruses, Trojans, PUPs and packers.

Continuing the installation, the user selects one of the three installation types the GSE 7.0.1 installer supports:

Typical: installs all GSE 7.0.1 features with a single standalone user interface. This is an MMC-style interface that uses Mozilla components to pass information from the UI to XML.

Complete: installs all GSE 7.0.1 features with two user interfaces: the standalone UI and a web-based UI that opens in Internet Explorer by default. Note: to use the web-based user interface, an IIS server must be installed and running on the Exchange server.

Custom: for advanced, customized installations. The user can choose to install GSE 7.0.1 with the standalone UI and/or the web-based UI, and can also install only the UI part of GSE 7.0.1 without the scanning components. With only the UI installed, the interface can connect to another GSE 7.0.1 server installed and available on the network.

After GSE 7.0.1 installs successfully, the installer offers three options:
- Open the Readme/User Guide
- Run Product Update
- Launch the Product User Interface
Select all three, so that you read the user guide, update the product with the latest virus and spam definitions, and launch the user interface.

Installation and Configuration (Best Practices) Based on Exchange Version and Role

Exchange 2003 Server in Bridge Head Server Role

Bridgehead servers are typically mail routing servers that deliver inbound messages to the respective mailbox servers. If VirusScan 8.5i is installed on the server, we recommend choosing the buffer overflow protection option during installation. Select the Anti-Spam for GroupShield add-on: this lets GSE 7.0.1 block unsolicited mail and phishing attacks at the gateway, so that unwanted messages never reach the mailbox server. Because the bridgehead server is directly exposed to all inbound and outbound messages, administrators may prefer not to have the IIS web component installed on it. When installing GSE 7.0.1 on an Exchange server without IIS, select the Typical installation option, which installs only the standalone UI.

Settings and Diagnostics

Transport Scan Settings: Since only the McAfee Transport Scanner can be used on a bridgehead server, it is important that Transport Scan Settings remain enabled at all times.

VSAPI Scan Settings: VSAPI settings can be disabled on a bridgehead server, since it hosts no mailboxes.

Exchange 2003 Mailbox Server Role


The mailbox server role is the most widely used Exchange 2003 role. Small and medium businesses may not be able to afford the hardware for separate bridgehead and mailbox servers, and an Exchange 2003 mailbox server alone can be configured to send and receive mail to and from recipients in outside domains. The mailbox role hosts the user mailboxes, and the Information Store service runs on the server. During the GSE 7.0.1 wrapper installation, if VirusScan 8.5i is installed on the mailbox server, we recommend choosing the buffer overflow protection option. Select the Anti-Spam for GroupShield add-on if you do not have a bridgehead server configured, or have one with no anti-spam product installed on it; this lets GSE 7.0.1 block unsolicited mail and phishing attacks at the gateway, so that unwanted messages do not reach the mailboxes. Choose the Complete installation type for this role. This installs all GSE features along with both user interfaces, the standalone UI and the web UI.

Settings and Diagnostics

Transport Scan Settings: Both the McAfee Transport Scanner and the VSAPI scanner can be used on the mailbox server. If there is no bridgehead server with GroupShield in the network, administrators can disable the direction-based scanning feature of the McAfee Transport Scanner while leaving transport scanning enabled: this turns off anti-virus and filter scanning at the transport level but keeps the gateway policy settings in force. If you have a bridgehead server with transport scanning enabled, it is better to disable transport scanning on the mailbox server so that messages are not scanned twice.

Direction Based Scanning: A McAfee Transport Scanner feature introduced in GSE 7.0.1. It applies only to the scanners and filters under the On-Access scanner policy, not to the gateway scanners and filters. With this option, the user can choose to scan only inbound mail, outbound mail, internal mail, or any combination of them.

VSAPI Scan Settings: Exchange 2003 uses VSAPI (Virus Scanning API) version 2.5, an API provided by Microsoft so that third-party anti-virus vendors can write virus scanning applications for Microsoft Exchange. When a new message reaches the information store, VSAPI notifies GroupShield to scan it. The MIME message is decomposed into its parts (header, subject, body and attachments) and these are handed to GroupShield for scanning. Unlike the McAfee Transport Scanner, where GroupShield acts on the entire MIME message, VSAPI scanning is performed on each MIME part or item. VSAPI also provides a few additional scanning options, proactive scanning and background scanning, and can scan outbound messages in the Outbox and Sent Items folders.

Proactive Scanning: places unscanned and modified messages in scanning queues by priority. Message attachments go in the priority 1 queue and message bodies in the priority 2 queue.

Background Scanning: scans the messages in user mailboxes and public folders whenever a new version of the DATs (virus definitions) is applied on GroupShield, and whenever the Exchange information store is dismounted and mounted. We recommend that administrators enable background scanning. GroupShield 7.0.1 adds an option in the user interface to start and stop the background scan at a scheduled date and time (Enable At and Disable At). Schedule the background scan during non-peak hours of the day or at the weekend.

Note: GroupShield on Exchange 2003 has no scan stamping mechanism, so the VSAPI scanner always scans every message reaching the information store, even if the McAfee Transport Scanner has already scanned it.

Exchange 2007 Mailbox + Hub Role (Typical setup)


Exchange 2007 (E2K7) has a major change in architecture compared with Exchange 2003; it was developed with an emphasis on the security and performance of the Exchange server. E2K7 can be installed in several server roles. GroupShield 7.0.1 supports the following four role configurations: Mailbox + Hub, Mailbox, Hub only, and Edge.

Although VSAPI scanning is implemented the same way on Exchange 2007, the McAfee Transport Scanning implementation is entirely different. On Exchange 2003, GSE 7.0.1 uses the SMTP service that is integrated with Microsoft IIS and registers McAfee Transport within the IIS SMTP service. On Exchange 2007, the SMTP protocol is provided by the Exchange server installation itself and does not use the IIS SMTP service. So when GSE 7.0.1 is installed on Exchange 2007 in the Mailbox + Hub role, it registers McAfee's transport agents with the Exchange 2007 SMTP transport events.

In the Mailbox + Hub role, both VSAPI and the McAfee Transport Scanner are available, so administrators can disable the McAfee Transport Scanner if the organization has more than one hub server and/or an edge server with GSE 7.0.1 installed. In Exchange 2007, every message (inbound, outbound and internal) has to pass through a Hub Transport server; an organization needs at least one Hub Transport server and may have several, depending on the number of mailbox servers.

Note that even if VirusScan 8.5i is installed, buffer overflow protection is not available on 64-bit servers. Select the Anti-Spam for GroupShield add-on to let GSE 7.0.1 block unsolicited mail and phishing attacks at the gateway and keep unwanted messages out of user mailboxes; select it if you do not have another hub server or edge server with GSE 7.0.1 installed. Choose the Complete installation type for this role. This installs all GSE 7.0.1 features along with the two user interfaces, the standalone UI and the web UI.
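Whether the agents described above (and in McAfee Transport Scanning) are actually registered can be checked from the Exchange Management Shell. The following script is an added example, not part of the McAfee document or product: it uses the Exchange 2007 cmdlet Get-TransportAgent to look for the two agent names given in the text and reports whether each is present and enabled. It assumes that the agents appear under those same identities in the cmdlet's output.

```powershell
# Added example (not from the McAfee document). Run in the Exchange Management
# Shell on a Hub Transport or Edge Transport server to confirm that the two GSE
# transport agents named in the text are registered and enabled. The agent names
# come from the text; it is assumed that Get-TransportAgent reports them under
# those same identities.

$expected = @('McAfeeTxAgent', 'McAfeeTxRoutingAgent')
$agents   = @(Get-TransportAgent)

foreach ($name in $expected) {
    $agent = $agents | Where-Object { $_.Identity.ToString() -eq $name }
    if ($agent -eq $null) {
        Write-Warning "$name is not registered: GSE transport scanning is not active on this server."
    } elseif (-not $agent.Enabled) {
        Write-Warning "$name is registered but disabled (priority $($agent.Priority))."
    } else {
        Write-Host "$name is registered and enabled at priority $($agent.Priority)."
    }
}

# Agents fire in priority order for a given event, so list the full chain to see
# what runs before and after the McAfee agents.
$agents | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize
```

A server on which transport scanning is expected (a Hub Transport or Edge role, or a Mailbox + Hub role without another scanning hub) should show both agents enabled; a missing or disabled agent on such a server means mail is flowing through it without McAfee Transport Scanning and should be investigated before relying on the gateway policy.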

Settings and Diagnostics

Transport Scan Settings: On Exchange 2007, the McAfee Transport Scanner settings offer the same options as on Exchange 2003. Administrators can enable or disable the whole transport scanning feature with a check box on the Settings and Diagnostics page.

Direction Based Scanning: This McAfee Transport Scanner feature is the same as on Exchange 2003. Administrators can choose to scan inbound and/or outbound and/or internal messages.

VSAPI Scanner Settings: Exchange 2007 comes with VSAPI version 2.6 for scanning messages at the information store level. Compared with VSAPI version 2.5 in Exchange 2003, this version gives more granular control over background scanning and adds an option to scan or not scan the Outbox.

Proactive Scanning: the same as on Exchange 2003; it scans unread and modified messages in the user's mailbox using its own priority queue. This option is enabled by default.

Outbox Scanning: enables GSE to scan outbound messages in the Outbox folder. This option is disabled by default; to use it, enable Proactive Scanning together with Outbox Scanning. We recommend enabling it if you do not have GSE 7.0.1 installed on hub or edge servers.

Background Scanning: disabled by default on Exchange 2007. Administrators have to enable the background scan and schedule it to start and stop at specified times with the Enable At and Disable At options. Schedule it during non-peak hours so that mailbox server performance does not degrade. VSAPI version 2.6 offers the following background scanning options:
- scan only unscanned messages
- scan only messages with attachments
Administrators can also specify upper and lower age limits so that background scanning selects messages by their time stamp.

Exchange 2007 Mailbox Only Role


The Exchange 2007 Mailbox role has only VSAPI scanning capability, so any scanning on this role is done at the Exchange information store level. To send and receive messages, the mailbox server must have Send and Receive connectors to the Hub Transport server in the domain. When installing GSE 7.0.1 on this role, there is no need to select the Anti-Spam for GroupShield add-on. Administrators can use either the Typical or the Complete installation type, with buffer overflow protection selected where it is available.

Administrators should ensure that VSAPI scanning is always enabled under the Settings and Diagnostics page of GSE 7.0.1. The other VSAPI version 2.6 features (proactive scanning and background scanning) and their recommended settings are the same as described for the Mailbox + Hub role.

Exchange 2007 Hub Transport Role

In the Hub Transport role, Exchange has only SMTP transport agents registered and no Information Store service running. Administrators can therefore use only the McAfee Transport Scanner to scan messages at the hub transport level; none of the VSAPI scanner settings apply to this role. Administrators should ensure that the McAfee Transport Scanner is enabled, with its sub-options set to scan inbound, outbound and internal messages.

Exchange 2007 Edge Server Role

The edge server in an organization typically resides outside the Active Directory (AD) domain. It is a standalone server in a workgroup that is given a DNS suffix (a placeholder domain such as Domain Name.Com) so that it has a complete FQDN (for example myedge.mcafee.com). Because it sits outside the AD domain, it has no AD user information for the domain to and from which it routes messages. Administrators therefore have to configure a Send Connector to the Hub Transport server and a Receive Connector from the same Hub Transport server so that the edge server can transfer mail. If there is an Edge Subscription between the edge and hub servers, separate send/receive connectors do not have to be configured. Exchange 2007 in the Edge role contains only SMTP transport agents, so GSE installed on this role can perform only transport scanning with the McAfee Transport Scanner. The transport scanning option must therefore be kept enabled.

Clustering on Exchange 2003

Exchange 2003 supports single copy clusters (SCC).

With Exchange 2003 in an Active-Passive configuration, make sure:
- GSE 7.0.1 is installed on all nodes
- the startup type of the GSE service is set to Manual and the service is stopped by default
- GSE 7.0.1 is installed on the same drive and path on all nodes
- the GSE 7.0.1 service has been restarted manually at least once before the cluster resource is created

To install GSE 7.0.1 on Exchange 2003 in an Active-Active configuration, make sure:
- GSE 7.0.1 is installed on all nodes
- the startup type of the GSE service is changed to Automatic so that the service starts at boot
- GSE 7.0.1 is managed individually on every node of the cluster

Note: before installing GSE 7.0.1 on a cluster, make sure that failover of all resources completes without errors.

Clustering on Exchange 2007

Exchange 2007 supports:
- Single copy cluster (SCC)
- Local continuous replication (LCR)
- Cluster continuous replication (CCR)
Exchange 2007 SP1 additionally supports standby continuous replication (SCR). However, managing GSE 7.0.1 as a cluster resource is supported only in an SCC Active-Passive cluster configuration. To install GSE 7.0.1 on an Exchange 2007 Active-Passive or Active-Active-Active-Passive cluster, follow the same checklist given under Clustering on Exchange 2003.

To install GSE 7.0.1 with LCR, CCR or SCR:
- install GSE 7.0.1 on all nodes
- set the startup type of the GSE 7.0.1 service to Automatic so that the service starts at boot
- manage GSE 7.0.1 individually on every node of the cluster
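The service-related items in the Exchange 2003 and Exchange 2007 cluster checklists above (startup type, stopped state on Active-Passive, same install path on every node) can be verified from one machine over WMI. The following script is an added example, not part of the McAfee document or product. The text does not name the GSE service, so the script locates it by display name ('McAfee GroupShield*'); that pattern and the node names are assumptions to adjust for your environment.

```powershell
# Added example (not from the McAfee document): check the cluster checklist items
# on every node. The text does not give the GSE service's name, so it is looked
# up by display name ('McAfee GroupShield*'), which is an assumption, and the node
# names are placeholders. Run from a machine with WMI access to all nodes.

$nodes         = @('EXNODE1', 'EXNODE2')   # placeholder node names
$activePassive = $true   # $false for Exchange 2003 Active-Active or for LCR/CCR/SCR

$expectedMode = 'Auto'                     # WMI reports Automatic as 'Auto'
if ($activePassive) { $expectedMode = 'Manual' }

$rows = @()
foreach ($node in $nodes) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $node `
               -Filter "DisplayName LIKE 'McAfee GroupShield%'"
    if ($svc -eq $null) {
        Write-Warning "${node}: no McAfee GroupShield service found (GSE 7.0.1 not installed?)"
        continue
    }
    # One row per matching service: node, name, start mode, state and binary path.
    $rows += $svc | Select-Object @{n='Node'; e={$node}}, Name, StartMode, State, PathName
}

foreach ($r in $rows) {
    if ($r.StartMode -ne $expectedMode) {
        Write-Warning "$($r.Node): $($r.Name) start mode is $($r.StartMode), expected $expectedMode"
    }
    if ($activePassive -and $r.State -ne 'Stopped') {
        Write-Warning "$($r.Node): $($r.Name) is $($r.State); on Active-Passive it should be stopped before the cluster resource is created"
    }
}

# Same drive and path on all nodes: every node must report the same binary path.
# @() guards against Group-Object returning a single GroupInfo whose Count is the
# number of members rather than the number of groups.
if (@($rows | Group-Object PathName).Count -gt 1) {
    Write-Warning 'GSE 7.0.1 install path differs between nodes:'
    $rows | Format-Table Node, PathName -AutoSize
}

$rows | Format-Table Node, Name, StartMode, State -AutoSize
```

The script does not change anything; it only flags nodes that deviate from the checklist so they can be corrected before the GSE cluster resource is created. The "restarted manually at least once" and "failover without errors" items are not observable this way and still have to be done by hand.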

Scheduling Tasks in GSE 7.0.1

Administrators can schedule a few tasks in GSE 7.0.1 for different purposes. The following tasks can be scheduled:
- On-demand scanning
- Auto-update
- Status reporting
- Purge of old items frequency
- Optimization frequency

On-demand scanning lets administrators schedule a scan of user mailboxes. It is used to ensure that old and existing messages in public folders and user mailboxes are scanned by GSE with the latest virus definitions. By default GSE 7.0.1 has one on-demand scan in Not Scheduled status, configured to scan all mailboxes and public folders on the server using the On-Demand Default policy settings under Policy Manager. Administrators can create any number of on-demand scans and schedule several to run at the same time; however, we recommend running only one on-demand scan at a time per user mailbox. A running on-demand scan appears in Task Manager as the RunScheduled.exe process, which terminates once the scan completes. It is designed to use the maximum available resources on the server and finish the task as quickly as it can, so 60 to 80 percent CPU usage is normal when it runs over large mailboxes. We recommend running on-demand scans during non-peak hours of the day or at the weekend.

GSE 7.0.1 has six on-demand scan policies:
- On-Demand Default
- On-Demand Full Scan
- On-Demand Find Banned Content
- On-Demand Remove Banned Content
- On-Demand Find Viruses
- On-Demand Remove Viruses
Each policy contains pre-configured settings for the purpose its name states. Administrators can alter these settings as required or use the policy unchanged, and can choose any of them when scheduling an on-demand scan.

Auto-update fetches the latest DATs, AV engine, spam rules and spam engine from the master update repository. If GSE 7.0.1 is not managed by McAfee ePolicy Orchestrator (ePO), it gets product updates from www.mcafee.com by default. A fallback NAIFTP repository is also available if required. The repository information is held in SITELIST.XML under \Documents and Settings\All Users\Application Data\McAfee\Common Framework. By default auto-update is scheduled every midnight; administrators can change the frequency with the Edit Schedule option on the dashboard. We recommend configuring the auto-update task to run every eight hours.

Status Report lets administrators receive GSE 7.0.1 detection and scanning information by email at a scheduled interval. The task can run once, daily, weekly or monthly, sending to the administrator's SMTP email address. It is not scheduled by default and must be scheduled explicitly by the administrator as needed.

Purging of Old Items Frequency is not scheduled by default. Administrators have to schedule this task to delete old records from the detected items database, leaving only recent detections.

Optimization Frequency is not scheduled by default. This task can be scheduled to improve database performance by recovering the empty space left by deleted records.

Policy Manager
On-Access Settings
Anti-Virus Scanner
The anti-virus scanner settings are used by both VSAPI (at store level) and the McAfee Transport Scanner (at post-categorizer level). GSE 7.0.1 uses the new virus scanning engine version 5200 and can detect viruses, Trojans, malware, PUPs and packers. By default GSE 7.0.1 is configured to clean every infected message. If cleaning fails, the infected item is replaced with an alert text file, Warning.txt, and the original infected item is quarantined in the PostgreSQL database. We recommend keeping the default anti-virus scanner settings. If needed, administrators can select the secondary action Notify Administrator to have an email notification sent when an infection is detected.

Content Scanning
This filter blocks unwanted content before it reaches the user's inbox. By default, content scanning is disabled. We recommend enabling it by assigning default or custom (newly created) content rules to the content scanner. On the Content Scanning page, two options, Include documents and database formats and Extend scan to all attachments, make GSE 7.0.1 look for banned content in all attachment types, including documents, PDF files, databases and MS Excel files. When assigning a content rule to the scanner, the user can apply it to Everything or to selected file formats. We recommend assigning the content rule to scan only Documents, Messages and HTML Files.

File Filter
Using this filter, administrators can block unwanted files from user mailboxes. It is disabled by default: administrators need to create file filter rules and apply them to the filter. Rules can be based on file name or extension, true file type detection, and file size. There are no recommended settings for this filter; it is mostly used to block executables, packed files and archives by extension and by true file type. A rule that matches only on extension is defeated simply by renaming the file, so pair extension rules with true file type detection wherever executables are the concern. For the other filters under On-Access settings (Corrupted Content, Encrypted Content, Password Protected Files, Protected Content, Signed Content, HTML Files, MIME Settings and Scanner Control), administrators can configure specific actions based on the company's requirements or simply keep the GSE 7.0.1 defaults.

Gateway Policy
All the scanners and filters under the gateway policy are applied at the initial transport level (SMTP submit), so it is recommended to block unsolicited bulk and phishing messages at the gateway.

Anti-Spam Settings
The Anti-Spam add-on scanner blocks unsolicited bulk mail from entering the organization. It applies rules, each with its own score, to every MIME component of a message and takes action based on the total spam score. By default, GSE defines three spam levels: messages scoring between 5 and 10 are Low, between 11 and 15 Medium, and 16 or above High. By default GSE 7.0.1 deletes (Delete Message) High and Medium level spam and delivers Low level spam with ****SPAM**** prefixed to the subject line. We recommend keeping the default spam settings. This scanner applies only to inbound messages.

Anti-Phish Scanner
Administrators can block phishing messages at the gateway using the spam rules and engine. GSE 7.0.1 detects and acts on phishing messages; by default they are deleted and quarantined, which is the recommended configuration. This scanner applies only to inbound messages.

Mail Size Filter
This very useful filter blocks a message based on its size, the size of an attachment, or the number of attachments. Blocking at the gateway level is recommended and preferred by many organizations, and the filter can enforce whatever limits the organization's policy requires. It applies to both inbound and outbound messages.

Adding Disclaimers
This option attaches the company's disclaimer text to all outbound messages. It is not enabled by default. Administrators can add the disclaimer in one of three positions: before the message, after the message, or as an attachment.
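The File Filter under On-Access settings and the Mail Size Filter under the gateway policy both inspect attachments. The Python script below is an added example, not GroupShield code, showing why the two kinds of file rule differ on a renamed executable: it walks the MIME parts of a constructed message, compares the declared extension with the true file type read from the file's leading bytes, and applies size and count limits. The signature table, the limits and the sample attachments are assumptions chosen for illustration, not product values.

```python
"""Attachment filtering as described for the GroupShield File Filter and Mail Size
Filter. Added example, not product code: signatures, limits and the sample message
are assumptions chosen to illustrate the rules."""
import email.policy
from email import message_from_bytes
from email.message import EmailMessage
from typing import List, Tuple

# Leading-byte signatures for "true file type" detection (assumed subset).
MAGIC = [
    (b"MZ", "executable"),         # Windows PE/DOS header
    (b"\x7fELF", "executable"),    # ELF binary
    (b"PK\x03\x04", "archive"),    # ZIP container (docx/xlsx are ZIPs too)
    (b"Rar!\x1a\x07", "archive"),  # RAR
    (b"%PDF", "document"),
]
BLOCKED_TRUE_TYPES = {"executable", "archive"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip", ".rar"}

# Mail Size Filter limits (assumed values, not GroupShield defaults).
MAX_MESSAGE_BYTES = 20 * 1024 * 1024
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024
MAX_ATTACHMENT_COUNT = 10


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the declared name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def evaluate(raw: bytes) -> List[Tuple[str, str]]:
    """Apply the size, count, extension and true-type rules to one raw message.
    Returns (item, reason) pairs; an empty list means the message passes."""
    msg = message_from_bytes(raw, policy=email.policy.default)
    findings = []
    if len(raw) > MAX_MESSAGE_BYTES:
        findings.append(("message", f"size {len(raw)} exceeds limit"))
    # Only parts carrying a filename are treated as attachments.
    attachments = [part for part in msg.walk() if part.get_filename()]
    if len(attachments) > MAX_ATTACHMENT_COUNT:
        findings.append(("message", f"{len(attachments)} attachments exceed limit"))
    for part in attachments:
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""   # undo base64/QP transfer encoding
        if len(data) > MAX_ATTACHMENT_BYTES:
            findings.append((name, "attachment size exceeds limit"))
        if extension_of(name) in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension"))
        kind = true_type(data)
        if kind in BLOCKED_TRUE_TYPES:
            findings.append((name, f"true type {kind}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a genuine PDF and a PE executable renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder body\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    # MZ header with a harmless zero body: the extension rule never sees it.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 52,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for item, reason in evaluate(build_sample_message()):
        print(f"{item}: {reason}")
```

Run as-is, only the renamed executable is reported, and only by the true-type rule; the extension rule passes it because it is called invoice.txt. The signature table also shows the usual caveat of naive true-type rules: Office Open XML files are ZIP containers, so a rule that blocks every "PK" archive blocks .docx and .xlsx attachments as well, which is why the product's own true file type detection, rather than a bare signature match, should be used for archive rules.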

Common Settings Applicable to All Exchange Versions and Roles


Notifications
Under Notifications, enter the correct SMTP email address of the administrator and select the Enable Task Result Notifications check box. The administrator then receives notification emails about the status of the scheduled tasks (on-demand scan, auto-update and status report).

Anti-Spam Scanner
Enter the SMTP email address of the mailbox designated as the System Junk Folder. Administrators who want bulk and spam mail moved to a separate mailbox can then use the Route to System Junk Folder primary action of the anti-spam scanner. Select the Enable Routing to the User Junk Folders on this server check box to route spam messages to each user's own junk folder instead. These settings are only required on a GSE 7.0.1 server with the Anti-Spam add-on installed; they can be ignored on servers without the add-on and on Exchange 2003 and 2007 Mailbox-only roles.

Quarantining Detected Items
To use McAfee Quarantine Manager (MQM), select the Enabled check box under the MQM heading and enter the correct IP address of the MQM server. GSE 7.0.1 then sends detected and quarantined messages to the MQM server. To store quarantined messages locally, leave every option under the McAfee Quarantine Manager heading unselected.

Scheduled Reports
This feature lets GroupShield administrators receive status and configuration updates from GroupShield for Exchange by e-mail on a periodic basis. The frequency is configurable by the administrator.

Databases
To change a database location, select the path and folder name for the database under Local Databases; if no change is needed, keeping the database at the default location is fine. Maximum item size (MB) limits the size of the largest item that GSE will quarantine and log to the database. The default is 100 MB and can be changed as the organization's requirements or policy demand. Maximum query size (records) limits the number of records displayed on the Detected Items page. By default it is 1000 and it can be raised to at most 20,000, so regardless of the total number of detections in the database, GSE 7.0.1 displays at most 20,000 records.

Maximum Item Age (days) is the number of days GSE 7.0.1 retains detected items in the database. The default is 14, meaning detected items older than 14 days are deleted from the database; the maximum is 365 days. Purge of old items frequency schedules the purge of old items for a specified date and time: GSE 7.0.1 purges detected items older than the value set in Maximum Item Age (days). By default this task is in the Not Scheduled state, so schedule it if old detected items are to be removed automatically. Optimization Frequency is a task the administrator can schedule to optimize the PostgreSQL database at a specified date and time; it recovers disk space taken up by deleted database records. By default this task is also in the Not Scheduled state.

User Interface Preferences


Options on this page apply only to the dashboard and graph settings and can be changed as the user wishes.

Diagnostics
This page contains options that help the administrator take diagnostic action when an issue is found in the scanning behavior of GroupShield for Exchange. We recommend changing these settings only when diagnostic information is needed for analysis or when a technical support representative asks for it for troubleshooting. Debug logging can be enabled and set to High, Medium or Low as required; the default is None. Error Reporting Service is built-in functionality of McAfee's supportability tool. It runs a talk-back process that monitors the GSE 7.0.1 services, is installed by default with GSE 7.0.1, catches exceptions and crashes in the GSE 7.0.1 services, and reports them with dump files to McAfee's web site for further troubleshooting. We recommend leaving these settings unchanged; since the dump files are process memory images, organizations with strict data handling rules should confirm that uploading them is acceptable. Event Logging lets the administrator log information, warning and error events to the Event Log and the Product Log. All options are selected by default and we recommend leaving them so. Product Log is where administrators can change the location, file name, size limits and time-out value GSE 7.0.1 uses when writing events to the product log. These settings can be changed if required.

DAT Settings
This page specifies the number of DAT folders to be retained. The value can be set between a minimum of 3 and a maximum of 10 and can be changed if necessary.

Import and Export Configuration
Under the Configuration tab, the user can import the configuration XML (McAfeeConfig.xml) from another GSE 7.0.1 server so that a newly installed GSE server gets the same settings. The user can also export the present settings to keep as a backup or to apply on another GSE 7.0.1 server. Restore Default returns GSE 7.0.1 to its default settings at any time. Under the SiteList tab, the user can import or export the SiteList.xml file from the Common Framework folder to reuse the same update repository settings on another GSE 7.0.1 server. SiteList.xml holds the information about the product update repositories that GSE 7.0.1 contacts during product updates; because it can also carry the credentials for authenticated repositories, treat exported copies as sensitive.

McAfee, Inc. 3965 Freedom Circle Santa Clara, CA 95054, 888.847.8766 www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. 2009 McAfee, Inc. All rights reserved. 5032wp_tops_sec-msft_best-prac_1108
