GroupShield question

Old 08 March 2004, 10:44 AM
  #1  
ozzy
Scooby Regular
Thread Starter
GroupShield question

We have GroupShield running on our Exchange servers. So far, it has always discovered and removed infected e-mails.

The number of calls we get about suspect e-mails that have already been disinfected is ridiculous, and no amount of user training appears to be working.

What I want to do is have any e-mails deleted completely and only the administrator user told of the action.

I've already set this up for On-Demand and On-Access, but it still sends the original message (albeit disinfected) to the end-user.

Am I missing something in the config?

Stefan
Old 08 March 2004, 12:37 PM
  #2  
JackClark
Scooby Senior

Best place to ask http://groups.yahoo.com/group/tvdug/
Old 08 March 2004, 01:57 PM
  #3  
ozzy
Scooby Regular
Thread Starter

Thanks Jack
Old 18 March 2004, 12:01 PM
  #4  
ChrisB
Moderator

Did you find any solutions Ozzy?

Is GS 6.0 able to do this?
Old 18 March 2004, 02:48 PM
  #5  
ajm
Scooby Regular

I'm having the same issues...

Them: "I've got a virus!!!"
Me: "warning.htm?"
Them: "Yes!"
Me: "Delete it and read my email"

We are using Groupshield 6 and I can't see any way to configure it to delete the entire message. The choices are:

- Delete Item
- Replace Item with warning message
- Allow item through

By "Item" it means attachment; there doesn't appear to be an option to remove the entire email - that I can see, anyway.
Old 18 March 2004, 02:53 PM
  #6  
ChrisB
Moderator

http://www.noid.be/pictures/mcafee.gif would suggest 6.0 can do it

See here : http://forums.mcafeehelp.com/viewtop...18&highlight=r
Old 18 March 2004, 03:01 PM
  #7  
ajm
Scooby Regular

yeah, but in our case, like the author of that message, the Delete Message choice on the drop down doesn't exist! Very annoying!
Old 18 March 2004, 03:02 PM
  #8  
ChrisB
Moderator

That's consistent

Quality product Jack
Old 18 March 2004, 03:21 PM
  #9  
ajm
Scooby Regular

On the phone to McAfee as I type....
Old 18 March 2004, 03:45 PM
  #10  
ajm
Scooby Regular

The plot thickens....

From the manual:

Specifying the action to take when the rule is triggered


You can take several actions against any item that triggers a rule. The available range of actions include:
  • Replace the item with an alert message — The item is automatically replaced by an alert in the e-mail message body or attachments, explaining why the original was replaced.
  • Delete the item — The item is deleted when it is detected.
  • Allow the item through — The item is not changed, and is allowed through to the intended recipients.
In addition, one or more of the following secondary actions can be specified:
  • Log the item — Your primary action is carried out, but, in addition, GroupShield 6.0 logs the rule violation.
  • Quarantine the item — GroupShield places the item in a quarantine area — the Detected Items Database — where you can examine the item and decide how to handle it.
  • Notify Administrator — Your primary action is carried out, but, in addition, GroupShield 6.0 sends a notification message to the administrator.
  • Notify Sender — Your primary action is carried out, but, in addition, GroupShield 6.0 sends a notification message to the sender.
  • Notify Recipients — Your primary action is carried out, but, in addition, GroupShield 6.0 also attempts to send a notification message to the recipients of the message.
No mention of the elusive option....
Old 18 March 2004, 03:52 PM
  #11  
ChrisB
Moderator

On the thread I linked to, it mentions Transport and VSAPI modes?

Which are running?

Very though!
Old 18 March 2004, 04:03 PM
  #12  
JackClark
Scooby Senior

It's developed here in Aylesbury, if things get really tough I can have a word.
Old 18 March 2004, 04:18 PM
  #13  
ajm
Scooby Regular

I'm running VSAPI but have tried with both.

I'm wondering if it comes as part of the antispam part of the software, because we are not running that.....

Jack, thanks for that - I have logged a call via our re-seller so I'll let you know the outcome!
Old 19 March 2004, 02:29 AM
  #14  
ozzy
Scooby Regular
Thread Starter

God, I forgot all about this one. I really should subscribe to my own posts

No, the forums were of no use at all as it would appear from others having the same problem.

Have yet to install 6.0, but on 5.2 the option just isn't available with On-Access triggers. It is available for On-Demand triggers i.e. you run a scheduled mailbox scan.

From the looks of things, it's the same on the latest version: it lets you deal with the infected item, but not the whole message.

Like most administrators, I want infected e-mails to be logged but I want the original e-mail to get vaped rather than worrying the user with the original e-mail.

Stefan
Old 19 March 2004, 02:19 PM
  #15  
JackClark
Scooby Senior

Here's the answer from Rod the God here in Sunny Aylesbury.

This is GroupShield for Exchange 5.2 and 6.0, right?

These versions of GroupShield use Microsoft's VSAPI transport in order to scan items that get submitted to the Exchange Store. Unfortunately, VSAPI just doesn't support removal of entire mail messages, which is what you'd need to do to achieve what the customer wants.

VSAPI will allow us to remove the infected attachments, etc., so the original mail will get to the intended recipient - albeit cleaned and with a 'warning' message.

Don't think it's the answer you all want, but it's an answer anyhow.
Old 19 March 2004, 02:24 PM
  #16  
ozzy
Scooby Regular
Thread Starter

So, is this a limitation in the Groupshield design or something forced upon it by Exchange?

And no, it's not the answer I wanted

To be very honest, it's extremely frustrating and if I worked in a larger site, I would be seriously considering another solution.

Stefan
Old 19 March 2004, 02:28 PM
  #17  
JackClark
Scooby Senior

It's a limitation of VSAPI; I think you'll find most vendors use it as it has its benefits. Rather than look at other vendors, how about other solutions? The appliances have come on leaps and bounds over the years and are doing a great job with viruses and spam. It's what we use here. Or what about WebShield SMTP; you may already be licensed: http://www.nai.com/us/products/mcafe...y/category.htm
Old 19 March 2004, 03:12 PM
  #18  
ozzy
Scooby Regular
Thread Starter

Thanks for the info Jack.

WebShield looks interesting; I'll do some digging around.

Stefan
Old 19 March 2004, 03:20 PM
  #19  
ChrisB
Moderator

Rod the God. Thanks for taking the time to ask, Jack.

End result: it's a case of pre-scanning the traffic before it reaches the Exchange Server, i.e. WebShield SMTP, GFI Mail Essentials, etc. I wonder if WebShield will co-exist on the Exchange Server?

Actually, I wonder if VSAPI 2.5 on Exchange 2003 is better?

The next version of the VSAPI is enhanced with new capabilities allowing industry partners to develop antivirus solutions that scan e-mail messages at the entry point of customers' networks, to catch more malicious content before it reaches the Exchange mailbox server. VSAPI 2.5 also makes it possible to prevent infected e-mail from leaving an organization by scanning outgoing mail. These new features will give the antivirus products more options to delete infected messages and, with additional message properties in VSAPI 2.5, automatically send a warning message back to the sender that a virus was detected and the e-mail was deleted, thus helping prevent further spreading.
I'm wondering if the person on the forum link I found who has the delete option is running Ex 2003? Could be barking up the wrong tree completely though...
Old 19 March 2004, 03:26 PM
  #20  
ChrisB
Moderator

Sounds like I am indeed going up the wrong tree?

http://www.msexchange.org/tutorials/...echnology.html

Interesting read without being too heavy for a Friday afternoon.
Old 19 March 2004, 03:37 PM
  #21  
ozzy
Scooby Regular
Thread Starter

Thanks for the links Chris. I'll read those after the weekend I think

I'd much rather deal with the problem as close to the source as possible rather than waiting until it hits the server or client. The server and client I see as backups if something manages to get through the first line of defense.

The Web browsing scan function looks interesting too on the WebShield appliance.

Stefan
Old 19 March 2004, 04:04 PM
  #22  
ChrisB
Moderator

Certainly agree it's best to deal with these things away from the Exchange.

The bigger networks I look after have something like GFI Mail Essentials & Mail Security in front of the Exchange Server for AV and anti-spam (like the WebShield appliance).

Just on smaller sites it's not always possible to get them to sign up for a gateway device and hence you get scenarios like this.
Old 19 March 2004, 04:06 PM
  #23  
ajm
Scooby Regular

Jack, many thanks for the info.

It's still a mystery where that bloke found the option though.... surely he wouldn't do a Photoshop job on a screenshot!
Old 25 March 2004, 04:17 PM
  #24  
ajm
Scooby Regular

Update:

After reverting back to GPS 5.2 SP1 (see other thread) I thought I may as well try and solve the initial problem of deleting the entire mail. To this end I decided to try Webshield SMTP, since the server has been going up and down all day anyway! If you have an Active Virus Defence license you can download it with your grant number.

Anyway, I installed it on our exchange server (didn't have a spare server) so it receives SMTP mail on port 25 then sends it to exchange at localhost on port 2225 (you need to configure Exchange's SMTP server to receive mail on 2225 for this to work).

On Webshield SMTP you have an option to delete the mail entirely which is now happening, no more annoying cleaned Netsky emails! (and hopefully a stable server! )
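The layout in the post above (gateway scanner on port 25, Exchange's own SMTP service rebound to port 2225 on the same box) has one failure mode worth checking for: if the 2225 listener is reachable from the network rather than only via loopback, mail can be delivered straight to Exchange without ever passing the scanner. The following is an added example, not code from the thread or from McAfee; it parses a constructed `netstat -an` style listing, flags a backend SMTP port bound to anything other than loopback, and includes a small banner reader for a live check of which service answers on which port. The port numbers, the hostnames and the sample output are assumptions for illustration.

```python
"""Audit a scanner-in-front-of-Exchange SMTP relay chain.

Added example (not from the thread). Assumed layout: a gateway scanner
listens on GATEWAY_PORT and relays to Exchange SMTP on BACKEND_PORT, which
must only be reachable via loopback.
"""

import re
import socket
from dataclasses import dataclass

GATEWAY_PORT = 25    # assumed: where the scanner accepts inbound mail
BACKEND_PORT = 2225  # assumed: where Exchange SMTP was rebound to

# Constructed sample of `netstat -an` output from a Windows host (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2225         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:40512     ESTABLISHED
"""

# Matches only LISTENING TCP sockets; the host part may be IPv4 or [IPv6].
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int


def parse_listeners(netstat_text: str) -> list:
    """Extract TCP LISTENING sockets from netstat -an style output."""
    return [Listener(addr, int(port)) for addr, port in LISTEN_RE.findall(netstat_text)]


def audit_relay_chain(listeners, gateway_port=GATEWAY_PORT, backend_port=BACKEND_PORT):
    """Return a list of findings; an empty list means the chain looks sound.

    Findings: no gateway listener, no backend listener, or a backend listener
    bound to a non-loopback address (mail could skip the scanner).
    """
    findings = []
    gateway = [l for l in listeners if l.port == gateway_port]
    backend = [l for l in listeners if l.port == backend_port]
    if not gateway:
        findings.append(f"no listener on gateway port {gateway_port}")
    if not backend:
        findings.append(f"no listener on backend port {backend_port}")
    for l in backend:
        if l.address not in LOOPBACK:
            findings.append(
                f"backend port {backend_port} bound to {l.address}: "
                "reachable without passing the scanner")
    return findings


def read_banner(host, port, timeout=3.0):
    """Connect and return the SMTP greeting (the '220 ...' line), or None if
    the port does not answer. Used to confirm which product sits on which port;
    from another host, the backend port should return None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512).decode("ascii", "replace").strip()
    except OSError:
        return None


if __name__ == "__main__":
    # Offline run against the constructed sample.
    listeners = parse_listeners(SAMPLE_NETSTAT)
    for finding in audit_relay_chain(listeners) or ["relay chain looks sound"]:
        print(finding)
    # Live check (assumed hostname; run from a host other than the mail server).
    # print(read_banner("mail.example.invalid", GATEWAY_PORT))
```

Run it with the real `netstat -an` output piped into `parse_listeners`; a finding on the backend port means the rebound Exchange listener needs binding to 127.0.0.1 or blocking at the host firewall, otherwise the "delete the whole message" policy on the gateway can be sidestepped.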
Old 25 March 2004, 05:31 PM
  #25  
JackClark
Scooby Senior

Good to hear. I'm a Webshield fan, we use it here.
Old 25 March 2004, 05:51 PM
  #26  
ozzy
Scooby Regular
Thread Starter

Cool, thanks for that. I'll download it tomorrow and try it out on our server.

Stefan
Old 14 June 2004, 03:54 PM
  #27  
ajm
Scooby Regular
UPDATE

Since this saga earlier in the year I have migrated to Exchange 2003 on a new server, and just for laughs I thought I'd give Groupshield 6 another go (before moving over the users and going live).

Amazingly the elusive Delete Message option is now present!!! So maybe it is dependent on Exchange 2003?

I had a few problems initially with the dreaded CPU usage going up again, although it was nowhere near 100%. I guess this is because the new server is much more powerful than the one that was running Ex2000.

I have disabled a lot of the error logging in GS6 as it seems to want to report a lot of spurious and random messages by default but now it is live and all seems to be running rather nicely and is deleting all messages containing bulk email virii.
Old 14 June 2004, 10:47 PM
  #28  
ozzy
Scooby Regular
Thread Starter

Thanks for the PM; I did spot this earlier today

We did try GP6, but removed it after the high CPU utilisation. Have you tried GP6 SP1 on your new server?

Stefan
Old 14 June 2004, 10:59 PM
  #29  
ajm
Scooby Regular

Originally Posted by ozzy
Thanks for the PM; I did spot this earlier today

We did try GP6, but removed it after the high CPU utilisation. Have you tried GP6 SP1 on your new server?

Stefan
Not sure, it was whatever was the latest version when I downloaded it from NAI, although I don't remember it saying SP1.
Old 14 June 2004, 11:30 PM
  #30  
ChrisB
Moderator

There's some Hotfixes for GS v6 floating around - I saw something about them mentioned on the TVD Yahoo Group the other day.
