McAfee GroupShield 7.0.1 for Microsoft Exchange Best Practices

Protect what you value.

Nov 28, 2014
Table of Contents

Introduction
Scanning in GroupShield
    McAfee Transport Scanning
    Scanning with VSAPI v2.5 and v2.6
New Features
Exchange Server Versions and Roles supported by GSE 7.0.1
GroupShield Installation and options
    Buffer Overflow Protection
    Blocking Unsolicited Bulk Mails
Installation and Configuration (Best Practices) Based on Exchange Version and Role
    Exchange 2003 Server in Bridge Head Server Role
        Settings and Diagnostics
    Exchange 2003 Mailbox Server Role
        Settings and Diagnostics
    Exchange 2007 Mailbox + Hub Role (Typical setup)
        Settings and Diagnostics
    Exchange 2007 Mailbox Only Role
    Exchange 2007 Hub Transport Role
    Exchange 2007 Edge Server Role
    Clustering on Exchange 2003
    Clustering on Exchange 2007
Scheduling Tasks in GSE 7.0.1
Policy Manager
    On-Access Settings
    Common Settings Applicable to All Exchange Versions and Roles
    User Interface Preferences


McAfee GroupShield 7.0.1 Best Practices

McAfee® GroupShield 7.0.1 (GSE 7.0.1) software provides protection against viruses, Trojans, malware, spyware, mass mailers, packers and potentially unwanted programs (PUPs). GSE 7.0.1 also contains filters for many kinds of non-virus content, such as spam, phishing, banned content, banned file types, signed content, and invalid MIME types. GSE 7.0.1 protects the following two versions of Microsoft Exchange server:

• Microsoft Exchange 2003

• Microsoft Exchange 2007 (Mailbox Only, Hub Only, Mailbox + Hub and Edge roles)

Scanning in GroupShield

GSE 7.0.1 has the capability to scan at the transport level (gateway) as well as at the Exchange store level. By default, it uses McAfee Transport Scan to scan inbound, outbound and internal messages.

McAfee Transport Scanning

On MS Exchange 2003, McAfee Transport Scan scans SMTP messages at the Submit and Post Cat levels. On Exchange 2007 (Hub or Edge role), McAfee instead registers its own .NET agents with the Exchange transport service used by Exchange 2007.

GSE 7.0.1 contains two agents that are registered with the Exchange Transport service on Exchange 2007: McAfeeTxAgent, registered to handle the OnEndOfData event, and McAfeeTxRoutingAgent, registered to handle the OnRoutedMessage event.
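The following PowerShell check is an added example and is not part of the McAfee document or of the GroupShield product. Run in the Exchange 2007 Management Shell on a Hub Transport or Edge Transport server, it uses the built-in Get-TransportAgent cmdlet to confirm that the two agents named above are registered and enabled; the function name Test-GroupShieldTransportAgents is made up for this example.

```powershell
# Added example, not McAfee's code. Run in the Exchange 2007 Management Shell on a
# Hub Transport or Edge Transport server. Get-TransportAgent is the built-in Exchange
# cmdlet; the two agent names are those given in the GroupShield document.
function Test-GroupShieldTransportAgents {
    param(
        [string[]]$ExpectedAgents = @('McAfeeTxAgent', 'McAfeeTxRoutingAgent')
    )

    $registered = Get-TransportAgent
    $allOk = $true
    foreach ($name in $ExpectedAgents) {
        # Identity displays as the agent name; compare it as a string
        $agent = $registered | Where-Object { $_.Identity.ToString() -eq $name }
        if ($agent -eq $null) {
            Write-Warning "$name is not registered with the Exchange transport service"
            $allOk = $false
        }
        elseif (-not $agent.Enabled) {
            Write-Warning "$name is registered but disabled (priority $($agent.Priority))"
            $allOk = $false
        }
        else {
            Write-Host "$name is registered and enabled (priority $($agent.Priority))"
        }
    }
    return $allOk
}

# A $false result means GroupShield transport scanning is not seeing all mail on this
# server; revisit the Transport Scan Settings under Settings and Diagnostics.
if (-not (Test-GroupShieldTransportAgents)) {
    Write-Warning 'GroupShield transport agents are missing or disabled on this server'
}
```

Because an agent that is registered but disabled still shows up in the agent list, the check tests the Enabled flag separately from mere presence; a missing agent usually means the product was installed with the transport components left out.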

Scanning with VSAPI v2.5 and v2.6

On Exchange 2003, McAfee makes use of Microsoft's Virus Scan Application Programming Interface (VSAPI) version 2.5 for store-level scanning, whereas on the Exchange 2007 Mailbox role we use VSAPI version 2.6.

Using VSAPI, every time a message is written to or read from the store, the GroupShield software scans it, comparing it with a list of known viruses and suspected virus-like behavior. GroupShield can also scan for content within the message, using rules and policies defined within the software.

New Features

• New DHTML-based (non-Java) web user interface

• Integration with V2 API scanning DATs and engine

• Capability of detecting more recent threats like PUPs and packers

• Supports micro-incremental AVV DAT update, incremental AVV DAT update and component-based AV engine update

• Live streaming update for more accurate spam detection

• Integration with SpamAssassin SDK 2.1 for phishing detection

• Improved local quarantine management using Postgres database

• New centralized quarantine management using McAfee Quarantine Manager v5.0

• Graphical reporting for detections

• Dashboard graphs and detection counters

• New detection-type-based segregation in Detected Items Database

• Option to submit samples to McAfee Avert® Labs

• Centralized alert, rules and scanner settings

• Filter for detecting protected content (password-protected MS Office files)


• Filter for detecting password-protected archive files (ZIP, tar and RAR files)

• Filter for removing unwanted scripts and ActiveX components in an HTML file

• Filter for detecting and managing partial and broken MIME messages; handling of different encodings for MIME messages

• Separate filter for detecting encrypted and corrupted attachments

• Time-based scanning for all scanners and filters

• Sub-policy creation and editing of policy priorities

• Support for Exchange 2007 server in Mailbox, Mailbox + Hub, Hub Transport, and Edge Transport roles

• Scanning using VSAPI version 2.6 for Exchange 2007 server mailboxes

• Improved background scanning options for Exchange 2007 server

• Scheduling of background scanning

• Option to have both VSAPI and McAfee Transport Scanning enabled

• Direction-based Transport Scanning: option to scan inbound, outbound and/or internal mails

• Option to purge and optimize the detected items database

• Option to purge the DATs folder

• Option to personalize dashboard settings and graphical reports

• Option to reset the product configuration settings

• Use of the AV stamping feature between GSE installed on Edge Transport, Hub Transport, and Mailbox roles to prevent re-scanning of mails already scanned with a specific DAT version

• IPv6 integration; scheduled status and configuration report

Exchange Server Versions and Roles supported by GSE 7.0.1

GroupShield 7.0.1 supports Exchange 2003 and Exchange 2007 servers. The behavior, available features, recommended settings and configuration of GroupShield vary with the Exchange version and role.

Exchange 2003 server can be installed as a mailbox server and as a bridge head server (routing server without mailbox).

Exchange 2007 server can be installed as:

• Mailbox role

• Mailbox + Hub Transport role

• Hub Transport role

• Edge role

GroupShield Installation and options

GroupShield can be installed as a single product using GroupShield.msi, or through the wrapper installation package using setup.exe. When the user runs GroupShield.msi directly (by double-clicking it), only the GroupShield product is installed, without the optional features. With setup.exe, the user can install GroupShield along with two optional add-on features:

• Buffer Overflow Protection using McAfee® VirusScan® 8.5i

• McAfee® Anti-Spam for GroupShield (Evaluation)

A buffer overflow exploit is an attack technique that exploits a software design defect in an application or process to force it to execute code on the computer. Applications have fixed-size buffers that hold data. If an attacker sends too much data or code into one of these buffers, the buffer overflows. The computer then executes the code that overflowed as a program.

Buffer Overflow Protection

McAfee VirusScan prevents exploited buffer overflows from executing arbitrary code on your computer. It monitors user-mode API calls and recognizes when they are called as a result of a buffer overflow. When a detection occurs, the information is logged in the activity log and is also displayed in the On-Access Scan message dialog box, if you have configured those options to do so. VirusScan Enterprise protects approximately 20 applications.


So, to use this feature from GSE 7.0.1, the user must have McAfee VirusScan Enterprise (VSE) version 8.5i installed before running the setup. If VSE is installed and the user selects the buffer overflow option during setup, the installer adds the important GSE 7.0.1 processes to VirusScan's registry value AdditionalBOPProcesses under HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\OnAccessScanner\BehaviourBlocking.

As of now, the following GSE 7.0.1 specific processes are protected from buffer overflow attack:

• RPCServ.exe

• PrfCtrs.exe

• RunScheduled.exe

• SAFeService.exe

• SDEDIT.exe

• StandaloneUI.exe

For a customer who has VirusScan installed on the Exchange server, we recommend selecting buffer overflow protection during the installation. Note that buffer overflow protection is not available on 64-bit servers.
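The PowerShell check below is an added example, not part of the McAfee document or of either product. It reads the AdditionalBOPProcesses value at the registry path given above and reports which of the six GSE 7.0.1 processes listed are not covered. The registry path, value name and process names come from the text; the value's data type (REG_MULTI_SZ, or a comma/semicolon-separated REG_SZ) and the function name Test-GroupShieldBopCoverage are assumptions made for this example.

```powershell
# Added example, not McAfee's code. Checks that VirusScan Enterprise 8.5i buffer overflow
# protection covers the GSE 7.0.1 processes listed in the document. Registry path and
# value name are from the document; whether the value is REG_MULTI_SZ or a comma/semicolon
# separated REG_SZ is an assumption, so both shapes are handled.
function Test-GroupShieldBopCoverage {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\McAfee\VSCore\OnAccessScanner\BehaviourBlocking',
        [string[]]$ExpectedProcesses = @('RPCServ.exe', 'PrfCtrs.exe', 'RunScheduled.exe',
                                         'SAFeService.exe', 'SDEDIT.exe', 'StandaloneUI.exe')
    )

    if (-not (Test-Path $KeyPath)) {
        # Also the expected outcome on 64-bit servers, where BOP is not available
        Write-Warning "Key $KeyPath not found: VSE buffer overflow protection is not present"
        return $false
    }

    $item = Get-ItemProperty -Path $KeyPath -Name 'AdditionalBOPProcesses' -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        Write-Warning 'AdditionalBOPProcesses is not set: the GSE installer did not register its processes (option not selected, or VSE installed after GSE)'
        return $false
    }

    # Normalise to a lower-case list whether the value is an array (REG_MULTI_SZ) or a delimited string
    $protected = @($item.AdditionalBOPProcesses) |
        ForEach-Object { $_.ToString().Split(',;'.ToCharArray()) } |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ -ne '' }

    $missing = @($ExpectedProcesses | Where-Object { $protected -notcontains $_.ToLower() })
    if ($missing.Count -gt 0) {
        Write-Warning ('GSE processes not covered by BOP: ' + [string]::Join(', ', $missing))
        return $false
    }
    Write-Host 'All GSE 7.0.1 processes are listed in AdditionalBOPProcesses'
    return $true
}

Test-GroupShieldBopCoverage
```

Run it after installation, and again after any VSE repair or reinstall, since the text makes clear that the GSE installer is what writes these entries: VSE installed later than GSE leaves the value empty and the GSE processes unprotected.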

Blocking Unsolicited Bulk Mails

McAfee Anti-Spam for GroupShield is an optional feature with which GSE 7.0.1 can also block unsolicited bulk mail (spam, including phishing mail, along with viruses, Trojans, PUPs and packers).

Going forward with the installation, a user has to select one of the three types of installation the GSE 7.0.1 installer supports:

Typical—This option installs all the features of GSE 7.0.1 with only one, standalone, user interface. This is an MMC-style interface that uses Mozilla components for parsing information from the UI to XML.

Complete—This option installs all the features of GSE 7.0.1 with two user interfaces: the standalone UI and a web-based UI that opens in Internet Explorer by default. Note: when you intend to use the web-based user interface, you need to have an IIS server installed and running on the Exchange server.

Custom—This option is for advanced and customized installation. The user can choose to install GSE 7.0.1 with the standalone UI and/or the web-based UI. You can also choose to install only the UI part of the GSE 7.0.1 product without installing the scanning components of GSE 7. With only the UI installed, the user can have the interface connect to another GSE 7.0.1 server installed and available in your network.

After installing GSE 7.0.1 successfully, the installer prompts the user with three options:

• Open the Readme/User Guide

• Run Product update

• Launch the Product User Interface

Select all three options to ensure you read the user guide, you update the product with the latest virus and spam definitions, and you can launch the user interface.

Installation and Configuration (Best Practices) Based on Exchange Version and Role

Exchange 2003 Server in Bridge Head Server Role

Bridge head servers are typically used as mail routing servers that deliver inbound messages to the respective mailbox servers.

If the server has VirusScan 8.5i installed in it, we recommend choosing the buffer overflow protection option during installation.

Select the Anti-Spam for GroupShield add-on. This enables GSE 7.0.1 to block unsolicited mail and phishing attacks at the gateway and so prevents unwanted messages from reaching the mailbox server.

The bridge head server is directly exposed to all types of inbound and outbound messages in the network. Hence, administrators may not prefer to have the web component of IIS installed on the bridge head servers. While installing GSE 7.0.1 on the exchange server without IIS installed, select the Typical installation option that installs only standalone UI.

Settings and Diagnostics

Transport Scan Settings

Since only the McAfee Transport Scanner can be used on the bridge head server, it is very important that Transport Scan Settings are enabled at all times.


VSAPI Scan Settings

VSAPI settings can be disabled on a bridge head server.

Exchange 2003 Mailbox Server Role

The mailbox server role is the most widely used Exchange 2003 role. Small and medium-sized businesses may not be able to afford the hardware to have a bridge head server and a mailbox server installed separately. The Exchange 2003 Mailbox role alone can be configured to receive and send mail to recipients in outside domains. The Mailbox role holds the user mailboxes, and the Information Store service runs on the server.

During the GSE 7.0.1 wrapper installation, if the mailbox server has VirusScan 8.5i installed, we recommend choosing the buffer overflow protection option.

Select Anti-Spam for GroupShield add-on. This allows GSE 7.0.1 to block unsolicited mails and phishing attacks at the gateway, thereby preventing unwanted messages from reaching the mailbox server. Select this option if you don’t have a bridge head server configured and there is no anti-spam installed on it.

Choose the Complete type of installation for this role. This will install all the GSE features, along with two user interfaces. They are standalone UI and web UI.

Settings and Diagnostics

Transport Scan Settings

Both the McAfee Transport Scanner and the VSAPI Scanner can be used for scanning on the mailbox server. If there is no bridge head server with GroupShield installed in the network, administrators can disable the direction-based scanning feature of the McAfee Transport Scanner while leaving transport scanning enabled. Doing this turns off anti-virus and filter scanning at the transport level but keeps the gateway policy settings active. If you have a bridge head server with transport scanning enabled, then it is better to disable the transport scanning option on the mailbox server to avoid double scanning.

Direction Based Scanning—A feature of McAfee Transport Scanner implemented for GSE version 7.0.1, direction based scanning is applicable only to scanners and filters under the On-Access scanner policy and not applicable to gateway scanners and filters. With this option, a user can select to scan only inbound mail, outbound mail, internal mail, or all of them.

VSAPI Scan Settings

Exchange 2003 uses VSAPI (Virus Scanning API) version 2.5. It is a virus scanning API provided by Microsoft to enable third-party anti-virus vendors to write virus scanning applications for Microsoft Exchange.

When a new message reaches the information store, VSAPI notifies GroupShield to scan this message. The email message (MIME) is decomposed into its MIME parts (header, subject, mail body and attachments) and handed over to GroupShield for scanning. Unlike the McAfee Transport Scanner, where GroupShield acts on the entire MIME message, with VSAPI the scanning is done on each MIME part or item.

VSAPI offers a few more useful scanning options, such as proactive scanning and background scanning. It can also scan the outbound messages in the Outbox and Sent Items folders.

Proactive Scanning—Puts unscanned and modified messages into the scanning queues based on a priority. The message attachment is put in the priority 1 queue and the message body in the priority 2 queue.

Background Scanning—Scans the messages in user mailboxes and public folders whenever a new version of the DATs (virus definitions) is updated on GroupShield and whenever the Exchange information store is dismounted and mounted. It is recommended that the administrator enables the background scanning option so that these messages are scanned.

For GroupShield version 7.0.1, there is an additional option given in the user interface to Start and Stop the background scan at a scheduled time and date using the option Enable At and Disable At. The background scan should be scheduled during a non-peak hour of the day or during the weekend.

Note: GroupShield installed on Exchange 2003 does not have a scan stamping mechanism, so the VSAPI scanner always scans every message reaching the information store, even if it has already been scanned by the McAfee Transport Scanner.

Exchange 2007 Mailbox + Hub Role (Typical setup)

Exchange 2007 (E2K7) has a major change in architecture compared to Exchange 2003. E2K7 was developed with emphasis on the security and performance of the Exchange server. E2K7 can be installed in six different roles. GroupShield version 7.0.1 supports the following four roles: Mailbox + Hub, Mailbox, Hub only, and Edge.


Though the implementation of VSAPI scanning is the same on the Exchange 2007 server, the implementation of McAfee Transport Scanning is entirely different.

With Exchange 2003, GSE 7.0.1 uses the SMTP protocol integrated with the Microsoft IIS server and registers the McAfee Transport within IIS service.

With Exchange 2007, SMTP protocol comes along with Exchange server installation and does not use the SMTP protocol from IIS server. So when GSE 7.0.1 is installed on Exchange 2007, the Mailbox + Hub role registers McAfee’s Transport agents with Exchange 2007 SMTP transport events.

In the Exchange 2007 Mailbox + Hub role, both VSAPI and the McAfee Transport Scanner are available. So, administrators can disable the McAfee Transport Scanner if the organization contains more than one hub server and/or an edge server with GSE 7.0.1 installed.

In Exchange 2007, all mail (inbound, outbound, and internal) has to pass through a hub transport server. An organization should have at least one hub transport server and can have multiple hub transport servers based on the number of mailbox servers.

Note that even if VirusScan 8.5i is installed, buffer overflow protection will not be available on 64-bit servers.

Select the Anti-Spam for GroupShield add-on. This enables GSE 7.0.1 to block unsolicited mail and phishing attacks at the gateway and prevent unwanted messages from reaching the user's mailbox. Select this option if you don't have another hub or edge server configured and there is no GSE 7.0.1 installed on it.

Choose the Complete type of installation for this role. This installs all GSE 7.0.1 features along with two user interfaces: the standalone UI and the web UI.

Settings and Diagnostics

Transport Scan Settings

In Exchange 2007, the McAfee Transport Scanner settings have the same options as on Exchange 2003. Administrators can enable or disable the whole transport scanning feature by de-selecting a check-box on the Settings and Diagnostics page.

Direction Based Scanning—This is a McAfee Transport Scanner feature and is the same as on Exchange 2003. Administrators can choose to scan inbound and/or outbound and/or internal messages.

VSAPI Scanner Settings

Exchange 2007 comes with VSAPI version 2.6 to scan messages at the information store level. Compared to VSAPI version 2.5 in Exchange 2003, this version has more granular control and options in the background scanning feature. It also gives an option to scan or not to scan the "Outbox."

Proactive Scanning—This feature remains the same as in the Exchange 2003 version and is used to scan the unread and modified messages in the user inbox with its own priority queue. This option is enabled by default.

Outbox Scanning—This option enables GSE to scan the outbound messages in the outbox folder. By default, this option is disabled. To use this feature, administrators have to enable Proactive Scanning along with enabling Outbox Scanning option. It is recommended to have this option enabled if you don’t have GSE 7.0.1 installed on hub or edge servers.

Background Scanning—By default, background scanning is disabled in Exchange 2007. Administrators have to enable the background scan and schedule it to Start and Stop at specified times, using Enable At and Disable At options. It is recommended that a background scan is scheduled to run during non-peak hours, ensuring performance of the mailbox server does not degrade.

VSAPI version 2.6 gives the following options for background scanning:

• To scan only un-scanned messages

• To scan messages only with attachments

• To scan

Administrators can also specify upper and lower age limits for background scanning, so that messages are selected for scanning based on their time stamp.

Exchange 2007 Mailbox Only Role

The Exchange 2007 Mailbox role contains only VSAPI scanning abilities, so any scanning done on this server role is at the Exchange information store level. To send and receive messages, the mailbox server has to have a Send and Receive connector to the Hub Transport server in the domain.

While installing GSE 7.0.1 on this role, there is no need to select the Anti-Spam for GroupShield add-on component. Administrators can use the Typical or Complete type of installation with buffer overflow protection selected.


Administrators should ensure that VSAPI scanning is always enabled under the Settings and Diagnostics page of GSE 7.0.1.

Other VSAPI version 2.6 features (such as proactive scanning and background scanning) and their recommended settings remain the same as given for the Mailbox + Hub server role.

Exchange 2007 Hub Transport Role

In the Hub Transport role, Exchange only has SMTP transport agents registered, and there is no Information Store service running. So administrators can use only the McAfee Transport Scanner to scan messages at the hub transport level. None of the VSAPI scanner settings are used on this role.

So, administrators should ensure that the McAfee Transport Scanner and its sub-options to scan inbound, outbound and internal messages are enabled.

Exchange 2007 Edge Server Role

The edge server in an organization typically resides outside the Active Directory (AD) domain. It is a standalone server in a workgroup with a dummy DNS suffix name (DomainName.Com) to have a complete FQDN naming convention (myedge.mcafee.com).

Since it resides outside the AD domain, it does not have any AD user information for the domain to which it is going to route (send) and receive messages. So the administrators have to configure a Send Connector to the hub transport server and a Receive Connector from the same hub transport server to enable the edge server to perform the required mail transfer. If there is an edge subscription between the edge and hub servers, then the user does not have to configure separate send/receive connectors.

Exchange 2007 installed in the edge role contains only SMTP transport agents. GSE installed on this role can perform only transport scanning using the McAfee Transport Scanner, so it is essential that the administrator keeps the transport scanning option enabled.

Clustering on Exchange 2003

Exchange 2003 supports single copy cluster (SCC).

With Exchange 2003 in an Active-Passive configuration, make sure:

• GSE 7.0.1 is installed on all the nodes

• The startup type of the GSE service is set to Manual and the service is stopped by default

• GSE 7.0.1 is installed on the same drive and path on all the nodes

• The GSE 7.0.1 service is restarted manually at least once before creating the resource

To install GSE 7.0.1 on Exchange 2003 in an Active-Active configuration, make sure:

• GSE 7.0.1 is installed on all the nodes

• The startup type of the GSE service is changed to Automatic so that the service starts at boot

• GSE 7.0.1 is managed individually on all the nodes of the cluster

Note: Before installing GSE 7.0.1 on a cluster, make sure that the fail over of all resources happens without errors.

Clustering on Exchange 2007

Exchange 2007 supports:

• Single copy cluster (SCC)

• Local continuous replication (LCR)

• Cluster continuous replication (CCR)

Exchange 2007 SP1 supports standby continuous replication (SCR) in addition to the above mentioned cluster types.

However, managing GSE 7.0.1 as a cluster resource is supported only by a SCC Active-Passive cluster configuration.

To install GSE 7.0.1 on an Exchange 2007 Active-Passive or Active-Active-Active-Passive cluster, the same checklist needs to be followed as listed in Clustering on Exchange 2003 (see above).


To install GSE 7.0.1 on LCR, CCR or SCR:

• GSE 7.0.1 is installed on all the nodes

• The startup type of the GSE 7.0.1 service should be Automatic so that the service starts at boot

• GSE 7.0.1 should be managed individually on all the nodes of the cluster
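The PowerShell check below is an added example that is not part of the McAfee document; it turns the clustering checklists for Exchange 2003 and Exchange 2007 above into a verification run against every node. The document refers to the "GSE service" without naming it, so $ServiceName is a placeholder to be replaced with the real service name; the function name Test-GroupShieldClusterNodes and the use of WMI Win32_Service for remote inspection are choices made for this example. Pass 'Manual' as the expected start mode for an SCC Active-Passive cluster where GSE is a cluster resource, and 'Auto' for Active-Active, LCR, CCR and SCR.

```powershell
# Added example, not McAfee's code. Checks each node of an Exchange cluster against the
# GroupShield clustering checklist. $ServiceName is a PLACEHOLDER: the document refers to
# the "GSE service" without naming it, so supply the real service name from services.msc.
# $ExpectedStartMode is 'Manual' for an SCC Active-Passive cluster (GSE as a cluster
# resource) and 'Auto' for Active-Active, LCR, CCR and SCR. Uses WMI Win32_Service.
function Test-GroupShieldClusterNodes {
    param(
        [string[]]$Nodes,
        [string]$ServiceName,                  # PLACEHOLDER: actual GSE 7.0.1 service name
        [string]$ExpectedStartMode = 'Manual'  # 'Manual' (SCC Active-Passive) or 'Auto'
    )

    $ok = $true
    $paths = @()
    foreach ($node in $Nodes) {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $node -Filter "Name='$ServiceName'"
        if ($svc -eq $null) {
            Write-Warning "${node}: service $ServiceName not found (GSE 7.0.1 not installed on this node?)"
            $ok = $false
            continue
        }
        $paths += $svc.PathName.ToLower()
        if ($svc.StartMode -ne $ExpectedStartMode) {
            Write-Warning "${node}: start mode is $($svc.StartMode), expected $ExpectedStartMode"
            $ok = $false
        }
        # On SCC Active-Passive the service must be left stopped; the cluster resource starts it
        if ($ExpectedStartMode -eq 'Manual' -and $svc.State -ne 'Stopped') {
            Write-Warning "${node}: service is $($svc.State) but should be stopped until the cluster resource brings it online"
            $ok = $false
        }
    }
    # Same drive and path on every node: the service binary path must be identical
    $distinct = @($paths | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ('Install path differs between nodes: ' + [string]::Join(' | ', $distinct))
        $ok = $false
    }
    return $ok
}

# Usage (node names and service name are placeholders):
# Test-GroupShieldClusterNodes -Nodes 'NODE1','NODE2' -ServiceName '<GSE service name>' -ExpectedStartMode 'Manual'
```

The one checklist item this cannot verify is that the service was restarted manually at least once before the cluster resource was created; that remains a manual step. The path comparison uses the service's registered binary path because it is the same value on every node when the product was installed to the same drive and folder.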

Scheduling Tasks in GSE 7.0.1

Administrators can schedule a few tasks in GSE 7.0.1 for different purposes. The following GSE 7.0.1 tasks can be scheduled by the administrator:

• On-demand scanning

• Auto-update

• Status reporting

• Purge of old items frequency

• Optimization frequency

On-demand scanning is a feature that administrators can use to schedule a scan on the user mailboxes. This scan is used to ensure that old and existing messages in the public folders and user mailboxes are scanned by GSE using the latest virus definitions.

By default GSE 7.0.1 will have one on-demand scan that is in Not Scheduled status. This is configured to scan all mailboxes and public folders of the server and uses On-Demand Default policy settings given under Policy Manager.

Administrators can schedule any number of on-demand scans and can schedule multiple scans to run at the same time. However, it is recommended to run only one on-demand scan at a given time per user mailbox. Running an on-demand scan starts the RunScheduled.exe process, visible in Task Manager. This process terminates once the on-demand scan is completed. It is designed to use the maximum available resources on the server and complete the task as quickly as it can. An on-demand scan taking up 60 to 80 percent of the CPU is considered normal behavior when it is running on huge mailboxes.

We recommend running an on-demand scan during non-peak hours of the day or during the weekend.

GSE 7.0.1 has six different on-demand scan policies:

• On-Demand Default

• On-Demand Full Scan

• On-Demand Find Banned Content

• On-Demand Remove Banned Content

• On-Demand Find Viruses

• On-Demand Remove Viruses

Each of these policies contains pre-configured settings and is used for a different purpose, as stated in the policy name. Administrators can alter these settings as per their requirements or use the policy without any change. While scheduling on-demand scans, administrators can choose any of these policies to scan the messages.

• Auto-update is used to get the latest DATs, AV engine, spam rules and spam engine updates from the master update repository. If GSE 7.0.1 is not managed by McAfee ePolicy Orchestrator® (ePO™), then by default GSE 7.0.1 gets product updates from www.mcafee.com. There is a fallback NAIFTP repository as well that a user can access, if required. This repository information is present in SITELIST.XML, found under the \docsettings\allusers\appdata\McAfee\CommonFramework folder.

• By default, auto-update is scheduled every midnight. Administrators can change the update frequency through the Edit Schedule option given in the dashboard. We recommend configuring the auto-update task to run every eight hours.

• Status Report is an option for administrators to obtain GSE 7.0.1 detection and scanning information by email at a scheduled interval. Administrators can schedule this task to run once, daily, weekly, or monthly by specifying the SMTP email address of the administrator. This task is not scheduled by default and should be scheduled explicitly by the administrator as needed.

• Purging of Old Items Frequency is not scheduled by default. Administrators have to schedule this task to delete the records from the detected items database, leaving only the recent detections.

• Optimization Frequency is not scheduled by default. This task can be scheduled to improve database performance by recovering the empty space created by deletion of records.


Policy Manager

On-Access Settings

Anti-Virus Scanner—The anti-virus scanner settings are used by both VSAPI (at the store level) and the McAfee Transport Scanner (at the post cat level). GSE 7.0.1 uses the new virus scanning engine version 5200 and has the capability to detect viruses, Trojans, malware, PUPs and packers.

By default GSE 7.0.1 is configured to clean every infected message. If cleaning fails, the infected item is replaced with an alert text file, Warning.txt, and the original infected item is quarantined in the Postgres database.

We recommend using the default settings provided by GSE 7.0.1 for the anti-virus scanner. If needed, administrators can select the secondary action Notify Administrator to have an email notification about the infection detection sent.

Content Scanning—This filter is used to block unwanted or bad content from reaching the user inbox. By default, content scanning is disabled. We recommend enabling content scanning by assigning default or custom (newly created) content rules to the content scanner.

On the Content Scanning page, users can select two options, Include documents and database formats or Extend scan to all attachments, to make GSE 7.0.1 scan for banned content in all types of attachments, including documents, PDF files, database and MS Excel files.

While assigning a content rule to the scanner, the user has the option to apply the content rule to Everything or to selected file formats. We recommend assigning the content rule to scan only Documents, Messages, and HTML Files.

File Filter—Using this filter, administrators can block the unwanted files from user mailboxes. This filter is disabled by default. Administrators need to create new file filter rules and apply them to the filter. File filter rules can be created based on filename or extensions, True filetype detection,andfilesize.Therearenorecommendedsettings for this filter. However, it is used mostly to block executables, packed files and archives based on extensions and true type file filtering.
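The following is an added example, not GroupShield code, showing how the three kinds of File Filter rule described above (extension, true file type, size) combine on a message's attachments. The magic-byte signatures, block lists, the 10 MB size limit and the sample message are all constructed for illustration; the point it makes is that the renamed executable (invoice.txt) is only caught by the true file type rule.

```python
"""Added example (not GroupShield code): evaluate a message's attachments
the way a File Filter rule set would, by extension, true file type and
size. Signatures, block lists, the size limit and the sample message are
constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Magic-byte signatures for true file type detection (constructed subset).
SIGNATURES = {
    b"MZ": "executable",         # PE (EXE/DLL/SCR)
    b"\x7fELF": "executable",    # ELF
    b"PK\x03\x04": "archive",    # ZIP (also Office OOXML containers)
    b"Rar!\x1a\x07": "archive",  # RAR
    b"%PDF": "document",
}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
BLOCKED_TRUE_TYPES = {"executable", "archive"}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # hypothetical 10 MB size rule


def true_file_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate_attachment(filename: str, data: bytes):
    """Return (blocked, reason) for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return True, f"extension {ext} is blocked"
    kind = true_file_type(data)
    if kind in BLOCKED_TRUE_TYPES:
        return True, f"true file type is {kind} despite the name {filename!r}"
    if len(data) > MAX_ATTACHMENT_BYTES:
        return True, f"size {len(data)} bytes exceeds the limit"
    return False, "allowed"


def filter_message(raw: bytes):
    """Return [(name, blocked, reason)] for every attachment of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        results.append((name, *evaluate_attachment(name, payload)))
    return results


def build_sample_message() -> bytes:
    """Constructed message: a renamed executable, a real-looking PDF and a plain .exe."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Documents"
    m.set_content("See attached.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename="invoice.txt")
    m.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="tool.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for name, blocked, reason in filter_message(build_sample_message()):
        print(f"{name}: {'BLOCK' if blocked else 'allow'} ({reason})")
```

The extension rule fires first because it is cheapest; the content check then catches anything the name hides. In a real deployment the signature table would be far larger, and a mismatch between extension and detected type is itself worth logging.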

For the other filters under On-Access settings (Corrupted Content, Encrypted Content, Password Protected Files, Protected Content, Signed Content, HTML Files, MIME Settings and Scanner Control), administrators can configure specific actions based on the company's requirements or simply use the defaults provided by GSE 7.0.1.

Gateway Policy—All the scanners and filters under the gateway policy are applied at the initial transport level (SMTP submit). It is therefore recommended to block unwanted bulk messages and phishing messages at the gateway level.

Anti-Spam Settings—The Anti-Spam GroupShield add-on scanner blocks unsolicited bulk mail from entering the organization. It applies rules, each with its own score, to every MIME component of a message and takes action based on the total spam score. By default, GSE has three spam score levels: messages scoring between 5 and 10 are Low, between 11 and 15 Medium, and 16 and above High.

By default GSE 7.0.1 blocks (Delete Message) High and Medium level spam and delivers Low level spam with ****SPAM**** prefixed to the subject line. It is recommended to keep the default settings for spam messages. This scanner applies only to inbound messages.
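To make the scoring model concrete, here is an added example (not GroupShield code) that walks every MIME component of a message, applies a small rule set with per-rule scores, sums them and applies the default actions. The rules, their weights and the three sample messages are constructed; only the score bands (Low 5 to 10, Medium 11 to 15, High 16 and above) and the default actions (delete High and Medium, tag Low with ****SPAM****) come from the text.

```python
"""Added example (not GroupShield code): a model of the anti-spam flow
described above. Rules, weights and sample messages are constructed; only
the score bands and the default actions follow the text."""
import email
import re
from email import policy
from email.message import EmailMessage

SPAM_WORDS = re.compile(r"\b(free|winner|prize)\b", re.I)


def _text(part) -> str:
    """Decoded body of a text part; empty for multipart containers and binaries."""
    if part.is_multipart() or part.get_content_maintype() != "text":
        return ""
    return part.get_content()


# Hypothetical rules: (name, predicate over one MIME component, score).
# Header rules only fire on the top-level component, which carries the headers.
RULES = [
    ("subject_all_caps", lambda p: bool(p.get("Subject")) and p["Subject"].isupper(), 4),
    ("subject_spam_words", lambda p: bool(p.get("Subject")) and bool(SPAM_WORDS.search(p["Subject"])), 5),
    ("body_spam_words", lambda p: bool(SPAM_WORDS.search(_text(p))), 5),
    ("html_link_heavy", lambda p: p.get_content_type() == "text/html" and _text(p).lower().count("<a ") >= 3, 4),
    ("exe_attachment", lambda p: (p.get_filename() or "").lower().endswith(".exe"), 8),
]


def classify(score: int) -> str:
    """Map a total score to the bands given in the text."""
    if score >= 16:
        return "High"
    if score >= 11:
        return "Medium"
    if score >= 5:
        return "Low"
    return "None"


def scan(raw: bytes) -> dict:
    """Score every MIME component, sum the scores, and apply the default action."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, total = [], 0
    for part in msg.walk():
        for name, predicate, points in RULES:
            if predicate(part):
                hits.append((part.get_content_type(), name, points))
                total += points
    level = classify(total)
    if level in ("High", "Medium"):
        action, delivered = "Delete Message", None
    elif level == "Low":
        msg.replace_header("Subject", "****SPAM**** " + msg["Subject"])
        action, delivered = "Tag subject and deliver", msg
    else:
        action, delivered = "Deliver", msg
    return {"score": total, "level": level, "action": action, "hits": hits, "message": delivered}


def build_samples() -> dict:
    """Constructed inbound messages: one High, one Low, one clean."""
    spam = EmailMessage()
    spam["Subject"] = "YOU ARE A WINNER"
    spam["From"] = "promo@example.test"
    spam["To"] = "user@example.test"
    spam.set_content("Claim your free prize now")
    spam.add_alternative('<p>Click: <a href="http://a.test">1</a> '
                         '<a href="http://b.test">2</a> <a href="http://c.test">3</a></p>',
                         subtype="html")
    spam.add_attachment(b"MZ\x90\x00", maintype="application",
                        subtype="octet-stream", filename="claim.exe")

    low = EmailMessage()
    low["Subject"] = "Newsletter"
    low["From"] = "news@example.test"
    low["To"] = "user@example.test"
    low.set_content("Get a free sample this week")

    clean = EmailMessage()
    clean["Subject"] = "Meeting notes"
    clean["From"] = "colleague@example.test"
    clean["To"] = "user@example.test"
    clean.set_content("Attached are the notes from today.")
    return {"spam": spam.as_bytes(), "low": low.as_bytes(), "clean": clean.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        r = scan(raw)
        print(f"{label}: score={r['score']} level={r['level']} action={r['action']}")
```

The spam sample collects points from four different components (the headers, the text body, the HTML body and the attachment), which is why per-component scoring reaches High even though no single rule is decisive on its own.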

Anti-Phish Scanner—Administrators can block phishing messages at the gateway using the spam rules and engine. GSE 7.0.1 detects phishing messages and takes action on them; by default they are deleted and quarantined, which is the recommended configuration. This applies only to inbound messages.

Mail Size Filter—This very useful filter lets administrators block a message based on its size, an attachment's size, or the number of attachments. Blocking such messages at the gateway level is recommended and preferred by many organizations. Based on organization policy, this filter can block any unwanted messages. It applies to both inbound and outbound messages.

Adding Disclaimers—This option attaches the company's disclaimer text to all outbound messages. It is not enabled by default. Administrators can attach a disclaimer to all messages in one of three ways: before the message, after the message, or as an attachment.

Common Settings Applicable to All Exchange Versions and Roles

Notifications—Under Notifications, enter the correct SMTP email address of the administrator and select the Enable Task Result Notifications check box. This lets the administrator receive notification emails about the status of scheduled tasks (on-demand scan, auto-update and status report).

Page 11: Group Shield 7 Best Practices


Anti-Spam Scanner—Enter the SMTP email address of the mailbox that serves as the System Junk Folder. Administrators who want to move bulk and spam mail to a separate mailbox can then do so with the Route to System Junk Folder primary action of the anti-spam scanner.

Select the check box Enable Routing to the User Junk Folders on this server to route spam messages to the users' own junk folders.

These settings are only required on a GSE 7.0.1 server with the Anti-Spam add-on installed. They can be ignored on servers without the Anti-Spam add-on and on Exchange 2003 and 2007 Mailbox-only roles.

Quarantining Detected Items—If you want to use McAfee Quarantine Manager (MQM), select the Enabled check box under the MQM heading and enter the correct IP address of the MQM server. GSE 7.0.1 will then quarantine detected messages on the MQM server.

If you intend to store quarantined messages locally, do not select any option under the McAfee Quarantine Manager heading.

Scheduled Reports—This feature enables GroupShield administrators to receive status and configuration updates from GroupShield for Exchange by email on a periodic basis. The frequency is configurable by the administrator.

Databases—If you intend to change the database location, select the path and folder name for the database under Local Databases. If no change is needed, it is best to leave the database at the default location.

• Maximum item size (MB) lets the administrator limit the size of the largest item that GSE will quarantine and log in the database. The default is 100 MB. It can be changed as the organization's requirements or policy demand.

• Maximum query size (records) lets the administrator limit the number of records displayed on the Detected Items page. The default is 1000 and it can be raised to at most 20,000, so no matter how many detections are in the database, GSE 7.0.1 displays at most 20,000 records.

• Maximum Item Age (days) is the number of days GSE 7.0.1 retains detected items in the database. The default is 14, meaning detected items older than 14 days are deleted from the database. The maximum for this field is 365 days.

• Purge of old items frequency schedules the purging of old items at a specified date and time. GSE 7.0.1 purges detected items older than the number of days set in Maximum Item Age (days). By default this task is in the Not Scheduled state, and Maximum Item Age only takes effect when the task runs, so schedule it if you expect old detections to be removed.

• Optimization Frequency is a task the administrator can schedule to optimize the postgres database at a specified time and date. It recovers disk space taken up by deleted database records. By default this task is in the Not Scheduled state.

User Interface Preferences

The options on this page apply only to the dashboard and graph settings and can be changed if the user wishes.

Diagnostics—This page contains options that help the administrator take the required diagnostic action when there is an issue with GroupShield for Exchange's scanning behavior. We recommend changing these settings only if you need diagnostic information for analysis or if asked to by a technical support representative for troubleshooting.

• Debug logging can be enabled and set to High, Medium or Low, based on requirements. The default is None.

• Error Reporting Service is a built-in function of McAfee's supportability tool. It runs a talk-back process that monitors the GSE 7.0.1 specific services. The tool is installed by default with GSE 7.0.1; it catches exceptions and crashes in GSE 7.0.1 services and reports them, with dump files, to McAfee's web site for further troubleshooting. It is recommended not to change any settings here. Organizations that restrict what leaves their servers should be aware that these dump files are sent off-site.

• Event Logging lets the administrator log information, warning and error events to the Event Log and the Product Log. By default all options are selected and it is recommended not to change them.

• Product Log is the page where administrators can change the location, file name, size limits, and timeout value GSE 7.0.1 uses when logging events to the product log. These settings can be changed if required.

Page 12: Group Shield 7 Best Practices


DAT Settings—This page specifies the number of DAT folders to be retained. The value ranges from a minimum of 3 to a maximum of 10 and can be changed if necessary.

Import and Export Configuration—Under the Configuration tab, the user can import the configuration XML (McAfeeConfig.xml) from a different GSE 7.0.1 server to apply the same settings to a newly installed GSE server. The user can also export the current settings and keep them as a backup or use the exported XML on another GSE 7.0.1 server. Restore Default lets administrators return to the default GSE 7.0.1 settings at any time.

Under the SiteList tab, the user can import or export the SiteList.xml file from the Common Framework folder and use the same update repository settings on another GSE 7.0.1 server. SiteList.xml holds the information about the product update repositories that GSE 7.0.1 contacts during product updates. Before importing it elsewhere, check which repositories it names and whether the importing server can reach them.
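The following added example (not McAfee code) inventories the repositories in an exported SiteList.xml so an administrator can see what will be imported. The element and attribute names it reads (HttpSite/UNCSite/FTPSite elements with Name, Server, Order and Enabled attributes and RelativePath, UserName and Password children) are assumptions about the file's layout, and the sample document is constructed; compare against a real export before relying on it.

```python
"""Added example (not McAfee code): inventory the repositories in an exported
SiteList.xml before importing it on another GSE server. The element and
attribute names are assumptions about the file layout and the sample
document is constructed; compare against a real export before relying on it."""
import xml.etree.ElementTree as ET

# Constructed sample resembling an exported site list; not a real file.
SAMPLE_SITELIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
  <SiteList Default="1" Name="ExampleList">
    <HttpSite Type="fallback" Name="McAfeeHttp" Order="2" Server="update.nai.com:80" Enabled="1">
      <RelativePath>CommonUpdater</RelativePath>
      <UseAuth>0</UseAuth>
      <UserName></UserName>
      <Password Encrypted="1"></Password>
    </HttpSite>
    <UNCSite Type="repository" Name="Corp-Share" Order="1" Server="fs01\\updates" Enabled="1">
      <RelativePath>Current</RelativePath>
      <DomainName>CORP</DomainName>
      <UserName>svc_update</UserName>
      <Password Encrypted="1">constructed-opaque-value</Password>
    </UNCSite>
    <FTPSite Type="repository" Name="Old-FTP" Order="3" Server="ftp.example.test:21" Enabled="0">
      <RelativePath>updates</RelativePath>
      <UserName>anonymous</UserName>
      <Password Encrypted="1"></Password>
    </FTPSite>
  </SiteList>
</ns:SiteLists>"""


def _local(tag: str) -> str:
    """Strip any namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sitelist(xml_bytes: bytes) -> list:
    """Return one dict per repository entry, sorted by the Order attribute."""
    root = ET.fromstring(xml_bytes)
    sites = []
    for el in root.iter():
        kind = _local(el.tag)
        if not kind.endswith("Site"):
            continue

        def child_text(name, el=el):
            c = el.find(name)
            return (c.text or "").strip() if c is not None else ""

        sites.append({
            "kind": kind,
            "name": el.get("Name", ""),
            "server": el.get("Server", ""),
            "path": child_text("RelativePath"),
            "enabled": el.get("Enabled") == "1",
            "order": int(el.get("Order") or 0),
            "user": child_text("UserName"),
            # A non-empty Password element means a credential travels with the file.
            "has_credential": bool(child_text("Password")),
        })
    return sorted(sites, key=lambda s: s["order"])


def review(sites: list) -> list:
    """Points to check before importing the list on another server."""
    findings = []
    for s in sites:
        if not s["enabled"]:
            findings.append(f"{s['name']}: disabled entry, will not be used")
            continue
        if s["has_credential"]:
            findings.append(f"{s['name']}: stored credential for {s['user'] or '?'} travels with the file")
        if s["kind"] in ("UNCSite", "FTPSite"):
            findings.append(f"{s['name']}: {s['server']} must be reachable from the importing server")
    return findings


if __name__ == "__main__":
    for site in parse_sitelist(SAMPLE_SITELIST):
        print(f"{site['order']}. {site['kind']} {site['name']} -> {site['server']}/{site['path']}")
    for line in review(parse_sitelist(SAMPLE_SITELIST)):
        print("check:", line)
```

Run it against the real export (replace SAMPLE_SITELIST with the file's bytes) on the source server; the two things worth confirming are that every enabled repository is reachable from the destination and that any stored repository credential is one you intend to copy there.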

McAfee, Inc. 3965 Freedom Circle Santa Clara, CA 95054, 888.847.8766 www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2009 McAfee, Inc. All rights reserved. 5032wp_tops_sec-msft_best-prac_1108