McAfee GSSCDE-AA-DA, GroupShield 7.0 User Manual

User Guide
revision 1.0
McAfee® GroupShield
version 7.0
For Microsoft® Exchange
COPYRIGHT
Copyright © 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language in any form or by any means
without the written permission of McAfee, Inc. or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD or A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
Attributions
This product includes or may include:
• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). • Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. • Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. • Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
• Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. • Software written by Douglas W. Sauder. • Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
• International Components for Unicode ("ICU") Copyright ©1995-2002 International Business Machines Corporation and others. • Software developed by CrystalClear Software, Inc., Copyright ©2000 CrystalClear Software, Inc. • FEAD® Optimizer® technology, Copyright Netopsystems AG, Berlin, Germany. • Outside In® Viewer Technology ©1992-2001 Stellent Chicago, Inc. and/or Outside In® HTML Export, © 2001 Stellent Chicago, Inc. • Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000. • Software copyrighted by Expat maintainers. • Software copyrighted by The Regents of the University of California, © 1996, 1989, 1998-2000. • Software copyrighted by Gunnar Ritter. • Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., © 2003. • Software copyrighted by Gisle Aas. © 1995-2003. • Software copyrighted by Michael A. Chase, © 1999-2000.
• Software copyrighted by Neil Winton, ©1995-1996. • Software copyrighted by RSA Data Security, Inc., © 1990-1992. • Software copyrighted by Sean M. Burke, © 1999, 2000. • Software copyrighted by Martijn Koster, © 1995. • Software copyrighted by Brad Appleton, © 1996-1999. • Software copyrighted by Michael G. Schwern, ©2001. • Software copyrighted by Graham Barr, © 1998. • Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000. • Software copyrighted by Frodo Looijaard, © 1997. • Software copyrighted by the Python Software Foundation, Copyright © 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. • Software copyrighted by Beman Dawes, © 1994-1999, 2002. • Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek © 1997-2000 University of Notre Dame. • Software copyrighted by Simone Bordet & Marco Cravero, © 2002. • Software copyrighted by Stephen Purcell, © 2001. • Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). • Software copyrighted by International Business Machines Corporation and others, © 1995-2003. • Software developed by the University of California, Berkeley and its contributors. • Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). • Software copyrighted by Kevlin Henney, © 2000-2002.
• Software copyrighted by Peter Dimov and Multi Media Ltd. © 2001, 2002. • Software copyrighted by David Abrahams, © 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. • Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, © 2000.
• Software copyrighted by Boost.org, © 1999-2002. • Software copyrighted by Nicolai M. Josuttis, © 1999. • Software copyrighted by Jeremy Siek, © 1999-2001.
• Software copyrighted by Daryle Walker, © 2001. • Software copyrighted by Chuck Allison and Jeremy Siek, © 2001, 2002. • Software copyrighted by Samuel Krempp, © 2001. See http://www.boost.org for updates, documentation, and revision history. • Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), © 2001,
2002. • Software copyrighted by Cadenza New Zealand Ltd., © 2000. • Software copyrighted by Jens Maurer, ©2000, 2001. • Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), ©1999, 2000. • Software copyrighted by Ronald Garcia, © 2002. • Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, ©1999-2001. • Software copyrighted by Stephen Cleary (shammah@voyager.net), ©2000. • Software copyrighted by Housemarque Oy <http://www.housemarque.com>, © 2001. • Software copyrighted by Paul Moore, © 1999. • Software copyrighted by Dr. John Maddock, © 1998-2002.
• Software copyrighted by Greg Colvin and Beman Dawes, © 1998, 1999. • Software copyrighted by Peter Dimov, © 2001, 2002. • Software copyrighted by Jeremy Siek and John R. Bandela, © 2001. • Software copyrighted by Joerg Walter and Mathias Koch, © 2000-2002. • Software copyrighted by Carnegie Mellon University © 1989, 1991, 1992. • Software copyrighted by Cambridge Broadband Ltd., © 2001-2003. • Software copyrighted by Sparta, Inc., © 2003-2004.
• Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. • Software copyrighted by Simon Josefsson, © 2003. • Software copyrighted by Thomas Jacob, © 2003-2004. • Software copyrighted by Advanced Software Engineering Limited, © 2004.
• Software copyrighted by Todd C. Miller, © 1998. • Software copyrighted by The Regents of the University of California, © 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Issued September 2007 / GroupShield™ software version 7.0
DBN-001-EN
Contents
1 Introduction
About GroupShield for Exchange
What is GroupShield?
How does GroupShield work?
How GroupShield protects Exchange?
How does scanning work?
Other areas to protect
GroupShield Features
What is New?
Features not supported
Using this Guide
Audience
Conventions
Getting product information
Standard documentation
Contact information
2 Pre-Installation
Pre-Installation scenarios
Types of installation
System requirements
3 Installing the Software
Accessing the software
What is included with the software?
Installing GroupShield for Microsoft® Exchange Server 2003/2007
Installing additional components
Buffer Overflow Protection
Installing McAfee Anti-Spam for GroupShield
Silent installation
Configuring GroupShield in a cluster environment
Upgrading GroupShield from v6.0.2 or higher
4 Post-Installation Tasks and Maintenance
Testing your GroupShield installation
Testing the anti-virus component
Testing the McAfee Anti-Spam component
Testing GroupShield installation using McAfee Virtual Technician
Quarantining using McAfee Quarantine Manager 4.1
Upgrading Blacklists and Whitelists
Maintaining your GroupShield application
Modifying the GroupShield installation
Repairing the GroupShield installation
Restoring original out-of-box configuration
Uninstalling GroupShield for Exchange
5 Integrating with ePolicy Orchestrator 3.6
Introduction
Pre-requisites for using ePolicy Orchestrator 3.6
Introducing ePolicy Orchestrator console
Before you begin
Installation
Upgrading from GroupShield for Exchange version 6.0.x NAP settings
Configuring GroupShield Policies
Managing Policies
Scheduling tasks
Reports
Configuring reports
Uninstallation
6 Integrating with ePolicy Orchestrator 4.0
Introduction
Pre-requisites for installing ePolicy Orchestrator 4.0
Before you begin
ePolicy Orchestrator agent
Installation
Checking-in the McAfee GroupShield for Microsoft Exchange Server 2003/2007 package to the ePolicy Orchestrator server
Installing GroupShield for Exchange on the client computer
Extensions
Introducing ePolicy Orchestrator 4.0 Dashboard
Reporting
Systems
Policies
Client tasks
Uninstallation
7 Integrating with ProtectionPilot 1.5
Introduction
Pre-requisites for using ProtectionPilot
Introducing ProtectionPilot
Before you begin
Installation
Configuring GroupShield policies
Setting and enforcing policies
Scheduling tasks
Creating a new on-demand scan task
Creating a new AutoUpdate task
Uninstallation
8 Getting Started with the User Interface
Dashboard
Statistics & information
On-demand scans
Status report
Graphical reports
9 Detected Items
Spam
Phish
Viruses
Potentially unwanted programs
Unwanted content
Banned file types/messages
All items
10 Policy Manager
Policy manager views
Inheritance view
Advanced view
Creating a subpolicy
Policy settings
List all scanners
View settings
Specify users
Scanners and filters
Core scanners
Filters
Miscellaneous
Shared resource
Scanners and alerts
Filter rules
Time slots
11 Settings & Diagnostics
On-access settings
Notifications
Anti spam
Detected items
McAfee Quarantine Manager
Local database
User interface preferences
Dashboard settings
Graph and chart settings
Diagnostics
Debug logging
Error reporting service
Event logging
Product log
Product log
DAT settings
Import and export configuration
Index
1 Introduction
About GroupShield for Exchange
This section introduces McAfee® GroupShield™ 7.0 and describes how it protects your Microsoft® Exchange Server 2003 and Microsoft® Exchange Server 2007 from potentially harmful, unwanted, and undesirable content.
Topics covered are:
What is GroupShield?
How does GroupShield work?
How GroupShield protects Exchange?
Where GroupShield sits on your network?
Other areas to protect
GroupShield Features
What is New?
Features not supported
What is GroupShield?
McAfee® GroupShield™ 7.0 software protects Microsoft® Exchange Server 2003 and Microsoft® Exchange Server 2007 from viruses, phish, spam, unwanted content, potentially unwanted programs, and banned file types/messages. It also supports content filtering within email messages.
How does GroupShield work?
The GroupShield software integrates with Microsoft® Exchange Server 2003/2007 to scan email messages for detections.
Each time an email message is sent to or received from a source, GroupShield scans it, comparing it with a list of known viruses and suspected virus-like behavior. GroupShield can also scan for content within the email message using rules and policies defined within the GroupShield software.
How GroupShield protects Exchange?
GroupShield uses McAfee® Transport Scanner and Microsoft® Virus Scanning API (VSAPI) to scan all email messages.
The anti-spam, anti-virus, and content management engines scan the messages and provide the result to GroupShield 7.0 before the messages are written to the file system or read by the Microsoft® Exchange 2003/2007 users.
The anti-virus scanning engine and the anti-spam scanning engine compare the email message with all the known signatures stored within the currently installed virus definition (DAT) files and anti-spam rules. The anti-virus engine also checks the message using the selected heuristic detection methods.
The content management engine searches the email message for banned content as specified in the content management policies running within the GroupShield software.
If there are no viruses or banned/unwanted content in the email message, GroupShield passes the information back to Microsoft® Exchange 2003/2007.
In case of a detection, GroupShield takes actions that are defined within its configuration settings.
Note
For Microsoft® Exchange Server 2003 (used as a Bridgehead Server) and Microsoft® Exchange Server 2007 (with Edge Transport or Hub Transport-only role), GroupShield uses McAfee® Transport Scanner (and not Microsoft® Transport Scanner) to protect the server. However, for Exchange Server 2003 Mailbox Server and Exchange 2007 MailBox Role, GroupShield provides an additional scanning option using Microsoft VSAPI.
Note
The default actions may differ, depending on the installed version of Microsoft® Exchange and, where applicable, the chosen scanning method.
Email server protection — McAfee GroupShield
McAfee GroupShield 7.0 integrates with Microsoft® Exchange Server 2003/2007 to protect against viruses that may be transmitted using your corporate email system.
Due to the close integration between your email server and the GroupShield anti-virus solution, GroupShield can do more than just protect your email server from viruses. It can:
• protect the email server from harmful scripts sent within the email system.
• block messages with specific attachments.
• block messages based on words that appear within either the subject line or the body of the message.
• block messages from specific addresses.
How does scanning work?
Central to your GroupShield software is the McAfee® Security scanning engine and the virus definition (DAT) files. The engine is a complex data analyzer. The DAT files contain a great deal of information including thousands of different drivers, each of which contains detailed instructions on how to identify a virus or a type of virus.
The McAfee® Security scanning engine works with the DAT files. It identifies the type of the item being scanned and decodes the contents of that object, so that it understands what the item is. It then uses the information in the DAT files to search and locate known viruses. Many viruses have a distinctive signature. There is a sequence of characters unique to a virus and the engine searches for that signature.
The engine uses a technique called heuristic analysis to search for unknown viruses. This involves analysis of the object’s program code and searching for distinctive features typically found in viruses.
Once the engine has confirmed the identity of a virus, it cleans the object as far as possible, for example by removing an infected macro from the attachment in which it is found or by deleting the virus code in an executable file. In some instances, if the virus has destroyed data, the file cannot be fixed and the engine must make the file safe so that it cannot be activated and infect other files.
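The decode-then-match order described in this section, together with the attachment, word and sender blocking listed under Email server protection, shown as an added example (not McAfee code and not part of the original guide). The signature is a harmless constructed marker, and the policy values, addresses and function names are assumptions made for the illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for one DAT entry: a harmless marker, not a real signature.
SIGNATURES = {"Constructed.Test.Marker": b"HARMLESS-TEST-MARKER-7F3A"}

# Hypothetical policy values for attachment, word and sender blocking.
POLICY = {
    "banned_extensions": {".scr", ".pif"},
    "banned_words": {"lottery"},
    "blocked_senders": {"bulk@blocked.example"},
}


def build_message(sender, subject, filename, attachment):
    """Build a constructed sample message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    # Binary attachments are base64-encoded on the wire by default.
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def raw_signature_hits(raw):
    """Naive check: search the undecoded wire bytes for each signature."""
    return [name for name, sig in SIGNATURES.items() if sig in raw]


def scan_message(raw):
    """Identify each part, decode it, then apply signatures and filters."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in POLICY["blocked_senders"]:
        findings.append(("sender", sender))

    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Undo the transfer encoding (base64, quoted-printable) before matching.
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        if name:
            if os.path.splitext(name)[1].lower() in POLICY["banned_extensions"]:
                findings.append(("file", name))
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            texts.append(data.decode(charset, "replace"))
        for sig_name, sig in SIGNATURES.items():
            if sig in data:
                findings.append(("signature", f"{sig_name} in {name or 'body'}"))

    for word in sorted(POLICY["banned_words"]):
        if any(word in text.lower() for text in texts):
            findings.append(("content", word))
    return findings


def demo():
    """Scan two constructed messages and return the results for comparison."""
    marker = SIGNATURES["Constructed.Test.Marker"]
    infected = build_message("Alice <alice@sender.example>", "Quarterly report",
                             "report.doc", b"header " + marker + b" trailer")
    unwanted = build_message("Bulk <bulk@blocked.example>", "You won the LOTTERY",
                             "prize.scr", b"benign bytes")
    return {
        "raw_hits": raw_signature_hits(infected),
        "infected": scan_message(infected),
        "unwanted": scan_message(unwanted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The search over the undecoded bytes finds nothing because the attachment travels base64-encoded; the marker only becomes visible once the part has been identified and decoded, which is why the engine decodes an object before consulting the DAT files.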
Other areas to protect
The following key areas of your network can be protected by McAfee® Security products as a part of your integrated virus defense solution:
Internet gateway protection — Secure Content Management Appliances
The major source of threats to your corporate network comes from Internet traffic, either through email or by connecting to websites that might contain potentially harmful code. Secure Content Management Appliances protect the gateway between your internal networks and the Internet. They prevent infected items from entering your network through the Internet by scanning all inbound and outbound traffic between your network and the Internet.
Document repository protection — McAfee PortalShield
Using computers within a corporate environment has made it easy to create documents that might contain mission-critical information. Several software vendors produce portal servers to store, index and control your critical documents in a way that enables them to be easily located when needed. Because these portal servers are set up to store your critical information, it is important that this information is also protected. McAfee® PortalShield™ integrates with the stores of these products to provide scanning of such documents each time they are accessed from, or saved to, the store.
Desktop and file server protection — McAfee VirusScan Enterprise
Not all viruses are transmitted via email. Many can be spread by reading from physical media, such as diskettes or CDs. Others can spread by using network shares to copy themselves from one computer to another across your network.
From the viewpoint of somebody trying to attack your corporate network, your file servers are a good target because many other computers connect to the file servers. Infecting the file server is more likely to have serious consequences than infecting a single desktop computer.
The McAfee® VirusScan products protect desktop computers and file servers within your network. As part of your integrated response to virus threats, VirusScan can be viewed as your last line of defense, protecting each desktop computer and file server from viruses that might spread using network shares or physical media.
VirusScan is available in versions to protect Microsoft® Windows, Unix, Apple Macintosh computers, as well as all the leading wireless devices that might connect to your PCs and network.
Management solution — McAfee® ePolicy Orchestrator
With ePolicy Orchestrator, you can manage and update all your McAfee anti-virus solutions across your network from a single point, ensuring that the engines and the virus definition (DAT) files are up-to-date and that the suitable policies are in place to deal with any attacks to your network.
GroupShield Features
GroupShield includes these major features on Exchange Server 2003 and 2007:
• Anti-virus scanning — GroupShield provides the ability to scan for viruses contained in email messages that are transmitted over Microsoft® Exchange SMTP or held within the Microsoft® Exchange Server store.
• Anti-spam scanning — Spam is increasingly becoming an issue within the workplace. Spam consumes system resources by taking up bandwidth and storage within your corporate systems and distracts staff from their key job functions because they have to deal with the unwanted email within their mailboxes. GroupShield helps you save bandwidth and the storage required by your Microsoft® Exchange servers by assigning a spam score to each email message while scanning it and by taking the configured action on those messages.
• Anti-phishing — GroupShield is capable of detecting email messages containing phish that fraudulently tries to obtain personal information. Typically, such email messages request the recipients to click on a link in the email to verify or update contact details, credit card details or other personal information.
• Content filtering — GroupShield provides the ability to scan for content/text in an:
  • email message subject line
  • email message body
  • email attachment
• File filtering — GroupShield scans an email attachment depending on the file name, file type, and the file size of that attachment.
• Enterprise rollout, administration, updating and reporting using McAfee® ePolicy Orchestrator and McAfee® ProtectionPilot — GroupShield integrates with McAfee® ePolicy Orchestrator and McAfee® ProtectionPilot to provide a centralized method for rolling out, administering and updating the GroupShield software across your Microsoft® Exchange system. The ability to centrally manage an organization-wide implementation of the GroupShield software reduces the time required to administer and update the system.
What is New?
New Web Based User Interface — GroupShield for Exchange provides a user-friendly web-based interface based on DHTML. To access this, click Start | Programs | McAfee | GroupShield for Exchange | GroupShield for Exchange (Web).
Policy Management — The Policy Manager menu option lists the different policies that you can set up and manage in GroupShield. You can specify various policies and actions that determine how different types of threats are treated when detected. For detailed information on policy management, refer to the chapter Policy Manager on page 105.
Anti-Phishing Capability — GroupShield for Exchange is capable of detecting phishing email messages that fraudulently try to obtain personal information.
Capability to detect Packers and Potentially Unwanted Programs — GroupShield for Exchange is capable of detecting packers, which compress and encrypt the original code of an executable file. It also detects Potentially Unwanted Programs, which are software programs written by legitimate companies that may alter the security state or the privacy posture of the computer on which they are installed.
Enhanced Anti-Spam Capability — GroupShield for Exchange is capable of detecting spam or unsolicited bulk email messages sent to multiple recipients who did not ask to receive them. It assigns a “spam score” to every email message. You can then choose to block those messages if they are above a certain score.
Enhanced Background Scanning options — For Exchange Server 2007, GroupShield provides enhanced background scanning options. During this type of scanning, not all the email messages are scanned when accessed. This reduces the workload of the scanner. For more information, refer to the sub topic For Exchange Server 2007 on page 165.
Centralized Scanner, Filter Rules and Enhanced Alert Settings — Using Scanners, you can configure the scanner-related settings that a policy can apply when scanning items. In File Filtering Rules, you can set up rules that apply to file name, file type, and file size. You can use the alert editor to customize the text of an alert message using the Style, Font, Size, and Token menus.
Time based scanning and actions — GroupShield for Exchange enables scanning emails at convenient times or at regular intervals. You can schedule regular scan operations when the server activities are comparatively low and when they do not interfere with your work.
Content Scanning and True Type File Filtering of Microsoft® Office 2007 file formats
Filter for Password Protected ZIP Files — For more information about this filter, refer to Password-protected files on page 140.
Filter for Protected Content (Password protected Microsoft® Office files) — For more information about this filter, refer to Protected content on page 137.
Support for N+1 cluster — For more information, refer to Single Copy Cluster (SCC, N+1 cluster configuration) on Exchange Server 2003 and 2007 on page 34.
Enhanced MIME Scanning — MIME (Multipurpose Internet Mail Extensions) is a communications standard that enables the transfer of non-ASCII formats over protocols (like SMTP) that support only 7-bit ASCII characters. GroupShield enables you to specify how such MIME messages are handled.
Buffer Overflow protection using VirusScan Enterprise version 8.5i — A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The extra data overwrites the adjacent memory locations. Enabling Buffer Overflow Protection prevents this condition. GroupShield has the provision of buffer overflow protection. For more information, refer to Buffer Overflow Protection on page 30.
Enhanced Quarantine Management
Local Quarantine Management — Detected items can be quarantined. You can specify the local database to be used as a repository for quarantining email messages. You can also configure maintenance settings for the local quarantine database.
Quarantining using McAfee Quarantine Manager version 4.1 or 4.1.1 — You can specify McAfee Quarantine Manager on a different server as a repository for quarantining infected email messages. This keeps your Exchange Server safe from viruses.
Integration with:
McAfee ePolicy Orchestrator version 3.6 and 4.0 to provide a single point of control for your McAfee anti-virus products, to manage anti-virus policies and view reports of anti-virus events and virus activity in an enterprise environment. For more information, refer to the chapters Integrating with ePolicy Orchestrator 3.6 on page 47 and Integrating with ePolicy Orchestrator 4.0 on page 63.
Note
Buffer overflow protection is available only on 32-bit platforms (and not on 64-bit platforms) with Exchange Server 2003.
McAfee ProtectionPilot version 1.5 and above to provide security management that simplifies anti-virus management tasks for network administrators who manage up to 500 computers. Management consists of deploying (sending and installing) anti-virus products, configuring product settings, and keeping those products up-to-date. For more information, refer to the chapter Integrating with ProtectionPilot 1.5 on page 77.
Anti-virus Engine 5200 to provide improved and latest detections like Packers and Potentially Unwanted Programs, improved emulator with agile methodology.
Co-existence with:
McAfee VirusScan Enterprise v 8.0 and above.
McAfee Host Intrusion Prevention Agent.
Auto-update of Virus Definitions (V2API DATs), ExtraDATs, Anti-Virus engine, Spam engine and Spam rules — McAfee Security regularly provides updated Virus Definition (DAT) files, virus-scanning engine, spam engine and rules to detect and clean the latest threats.
Product Update using SuperDAT v 2.2 executable — GroupShield helps you keep your server free from viruses, Trojans, spam, phish and PUPs by regularly updating the product using the SuperDAT executable.
In-product Reports — GroupShield generates status reports and graphical reports to view information about the detected items.
Anti-Virus Stamping mechanism on a Microsoft® Exchange Server 2007 with Edge or Hub server role — McAfee® Transport Scanner assigns a stamp to the header of an email message after scanning. This prevents the message from being re-scanned by VSAPI.
Direction Based Scanning — GroupShield supports direction-based scanning. It scans inbound, outbound, and internal email messages using McAfee® Transport Scanner.
User and Server level blacklist and whitelist using McAfee Quarantine Manager version 4.1 — For more information, refer to Upgrading Blacklists and Whitelists on page 42.
Integration with SuperDAT Manager version 2.2 — SuperDAT Manager 2.2 supports updating of the DAT and Engine for the GroupShield software.
Note
GroupShield uses a new version of anti-virus DATs and engine (V2API). This provides improved detections of the latest viruses and threats.
Integration with McAfee Common Management Agent (CMA) version 3.6 and above — You can use the CMA component to manage GroupShield and perform product updates, scheduled tasks, and events reporting as a part of the core installation.
Features not supported
Integration with black and whitelist server application installed along with GroupShield for Exchange version 6.x.
Integration with Outbreak Manager (OBM).
Integration with Alert Manager (AM).
Integration with ProtectionPilot 1.1.
Integration with ePolicy Orchestrator 3.5.x.
Integration with Exchange Server 2000.
Integration with Common Management Agent 3.5.x.
Integration with McAfee AutoUpdate Architect 1.x.
Using this Guide
This guide describes the sequential process of installing McAfee GroupShield™ 7.0 for Microsoft® Exchange 2003 and 2007. It also gives a detailed description of the software usage. Topics covered are:
Pre-Installation — Pre-installation scenarios and system requirements.
Installing the Software — Accessing and installing GroupShield.
Post-Installation Tasks and Maintenance — Testing the GroupShield installation, anti-virus component, anti-spam component and testing using the McAfee Virtual Technician. Quarantining using McAfee Quarantine Manager, modifying, repairing, restoring and uninstalling the software.
Integrating with ePolicy Orchestrator 3.6 — Testing the GroupShield integration with ePolicy Orchestrator version 3.6.
Integrating with ePolicy Orchestrator 4.0 — Testing the GroupShield integration with ePolicy Orchestrator version 4.0.
Integrating with ProtectionPilot 1.5 — Testing the GroupShield integration with ProtectionPilot.
Getting Started with the User Interface — Using GroupShield for Microsoft® Exchange Server 2003/2007, getting detailed information about the dashboard, detected items, policy manager and settings & diagnostics.
Audience
This information is intended for network administrators who are responsible for their company’s anti-virus and security program.
Conventions
This guide uses the following conventions:
Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Example: Type the User name and Password of the appropriate account.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Examples:
The default location for the program is: C:\Program Files\McAfee\EPO\3.6.0
Run this command on the client computer: scan --help
Italic: For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material.
Example: Refer to the VirusScan Enterprise Product Guide for more information.
Blue: A web address (URL) and/or a live link.
Example: Visit the McAfee web site at: http://www.mcafee.com
<TERM>: Angle brackets enclose a generic term.
Example: In the console tree, right-click <SERVER>.
Note: Supplemental information; for example, another method of executing the same command.
Tip: Suggestions for best practices and recommendations from McAfee for threat prevention, performance and efficiency.
Caution: Important advice to protect your computer system, enterprise, software installation or data.
Warning: Important advice to protect a user from bodily harm when using a hardware product.
Getting product information
Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files, available on the product CD or from the McAfee download site.
Standard documentation
User Guide — System requirements and instructions for installing and starting the software. Getting started with the product and its features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures.
Help — High-level and detailed information accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What’s This? help.
Release Notes — ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.
Contact information
Threat Center: McAfee Avert® Labs http://www.mcafee.com/us/threat_center/default.asp
Avert Labs Threat Library
http://vil.nai.com
Avert Labs WebImmune & Submit a Sample (Logon credentials required)
https://www.webimmune.net/default.asp
Avert Labs DAT Notification Service
http://vil.nai.com/vil/signup_DAT_notification.aspx
Download Site http://www.mcafee.com/us/downloads/
Product Upgrades (Valid grant number required)
Security Updates (DATs, engine)
HotFix and Patch Releases
For Security Vulnerabilities (Available to the public)
For Products (ServicePortal account and valid grant number required)
Product Evaluation
McAfee Beta Program
Technical Support http://www.mcafee.com/us/support/
KnowledgeBase Search
http://knowledge.mcafee.com/
McAfee Technical Support ServicePortal (Logon credentials required)
https://mysupport.mcafee.com/eservice_enu/start.swe
Customer Service
Web
http://www.mcafee.com/us/support/index.html
http://www.mcafee.com/us/about/contact/index.html
Phone
US, Canada, and Latin America toll-free:
+1-888-VIRUS NO or +1-888-847-8766
Monday – Friday, 8 a.m. – 8 p.m., Central Time
Professional Services
Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html
2 Pre-Installation
This chapter provides information that is important to consider before installing GroupShield for Exchange 7.0. Topics covered are:
Pre-Installation scenarios
System requirements
Pre-Installation scenarios
You MUST log on to Microsoft® Windows as a domain administrator. This gives you relevant rights and permissions to install GroupShield.
Before installing GroupShield:
Make sure Microsoft® Exchange Server 2003/2007 is installed on the installation server.
Manually uninstall GroupShield software older than version 6.0.2.
Uninstall SpamKiller for Exchange using the Windows Add/Remove Programs feature.
Note
GroupShield for Exchange 7.0 supports automatic upgrading of the software from version 6.0.2 and above.
Caution
GroupShield for Exchange 7.0 does not support upgrading of SpamKiller software.
Types of installation
GroupShield can be installed on Microsoft® Exchange Server 2003/2007 in these ways:
Standard installation
Silent installation
Cluster installation
Standard installation
You can install McAfee® GroupShield software on Microsoft® Exchange Server 2003/2007. Refer to Installing GroupShield for Microsoft® Exchange Server 2003/2007 on page 26 for step-by-step instructions.
Silent installation
You can install McAfee® GroupShield software on Microsoft® Exchange Server 2003/2007 without user interaction. This is also known as unattended installation. Refer to Silent installation on page 32 for step-by-step instructions.
Cluster installation
You can install McAfee® GroupShield software on Microsoft® Exchange Server 2003/2007 in a cluster environment. Refer to Configuring GroupShield in a cluster environment on page 33 for step-by-step instructions.
System requirements
Before you install GroupShield, ensure that your server meets these requirements:
Table 2-1 System Requirements
Processor:
Intel x64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
AMD x64 architecture-based processor with AMD 64-bit technology
Intel x86 architecture-based processor (only on Exchange Server 2003)
Memory:
Minimum: 512 MB
Recommended: 1 GB
Available hard disk space:
Minimum: 740 MB
Operating system:
Windows 2000 Advanced Server with Service Pack 4
Windows 2003 Standard/Enterprise Server (32-bit)
Windows 2003 Standard/Enterprise Server R2 (32-bit)
Windows 2003 Standard/Enterprise Server (64-bit)
Windows 2003 Small Business Server (32-bit)
Windows 2003 Datacenter Server (32-bit)
Windows 2003 Datacenter Server (64-bit)
Note: Refer to Windows service pack requirements in the Release Notes for Service Pack information.
Exchange Servers supported:
Microsoft® Exchange Server 2003 with Service Pack 2
Microsoft® Exchange Server 2007
Browsers supported:
Microsoft® Internet Explorer version 6 and above
Netscape Navigator version 9.0
Mozilla version 2.0
Screen resolution:
1024 x 768
For the best display, set the color resolution to 24-bit or higher
General:
A CD-ROM drive (if installing from a CD) or an Internet connection (if installing from the McAfee download site)
3 Installing the Software
Installing GroupShield software consists of these topics:
Accessing the software
What is included with the software?
Installing GroupShield for Microsoft® Exchange Server 2003/2007
Installing additional components
Silent installation
Configuring GroupShield in a cluster environment
Upgrading GroupShield from v6.0.2 or higher
Accessing the software
McAfee distributes GroupShield for Exchange in two ways:
As an archived file that you download from the McAfee website or from other electronic services.
On the Total Virus Defense (TVD), the Active Virus Defense (AVD) or the suite CDs.
Once you have downloaded the archive file or placed the TVD or AVD installation CD in your CD-ROM drive, the installation steps you follow are the same for each type of distribution.
Note
To install, manage, remove or upgrade GroupShield for Microsoft® Exchange Server 2003/2007, you must have a user account with administrative rights.
What is included with the software?
GroupShield for Exchange has these components in the installer that you can install separately.
McAfee GroupShield for Exchange 7.0
Buffer Overflow Protection
McAfee Anti-Spam for GroupShield
The McAfee GroupShield for Exchange 7.0 option is selected by default. If you want to install the additional software components, you must select them in the installer.
Installing GroupShield for Microsoft® Exchange Server 2003/2007
1 Using an administrative account, log on to the Microsoft® Exchange Server 2003/2007.
2 Create a temporary directory on the network or your local drive.
3 To install, do one of the following depending on how you obtained the software:
Insert the CD into the computer’s drive and copy the installation files to the temporary directory you created.
Download the .ZIP archive and extract the files to the temporary directory.
Caution
McAfee® GroupShield™ for Microsoft® Exchange Server 2003/2007 does not upgrade a McAfee® SpamKiller for Exchange installation. You should uninstall McAfee® SpamKiller for Exchange manually before installing GroupShield for Exchange 7.0.
4 Using Windows Explorer, navigate to the folder where you copied the installation files and double-click SETUP.EXE. The GroupShield for Exchange setup dialog box appears.
5 Click Next. The Component Selection dialog box displays the software components you can install.
McAfee GroupShield for Exchange 7.0 is selected by default.
Buffer Overflow Protection provides buffer overflow protection through host intrusion prevention using McAfee VirusScan Enterprise version 8.5i.
Figure 3-1 McAfee GroupShield for Exchange - Welcome
Figure 3-2 McAfee GroupShield for Exchange - Component selection
Note
Buffer overflow protection is not supported on 64-bit platforms.
McAfee Anti-Spam for GroupShield (Evaluation) provides filters to block spam and phish emails.
6 Select the software components to install and click Next.
7 When the End User License Agreement dialog box appears, select the License expiry type and Select country where purchased and used from the drop-down menus.
8 Click I accept the terms in the license agreement, then OK to display the Destination Folder dialog box.
9 Click Browse to select a different folder or Next to install the software in the default directory. The Select Installation type dialog box appears.
10 Select the desired installation type from these options:
Typical - installs the most common application features and is recommended for most users.
Complete - installs all the application features.
Custom - installs the application features you want and is recommended for advanced users.
11 Click Next. The Ready to Install the Application dialog box appears. Select Create Desktop Shortcut to create a shortcut icon on the desktop.
Note
The Anti-Spam and Anti-Phish feature is available only if you install the McAfee Anti-Spam for GroupShield component during installation. McAfee Anti-Spam for GroupShield requires activation to enable it to work in licensed mode.
Note
When preparing your computer for installation, if the wizard finds any programs running on your computer, an Installation Wizard dialog box appears recommending that you exit any running programs before continuing with the installation.
Figure 3-3 McAfee GroupShield for Exchange - Select Installation type
12 Click Next to display the Updating System dialog box. A progress bar indicates the features being copied and installed. Once the installation process completes, click Finish to complete the GroupShield for Exchange installation process.
13 Upon successful completion of the installation, these menus are available from the Start | Programs | McAfee | GroupShield for Exchange menu:
GroupShield for Exchange (Web)
SiteList Editor
GroupShield for Exchange
GroupShield for Exchange Access Control
SiteList editor
This is a new functionality in the software, where you can see the list of sites configured for update. The user interface is similar to that of McAfee VirusScan Enterprise.
This application modifies the sitelist.xml file of the current machine. EditSiteList.exe is the tool used for editing the sitelist.xml file.
GroupShield for Exchange Access Control
Access control is used to restrict user access to the GroupShield software. You can simplify the administration of access control by using one or more administrative user groups and then setting the appropriate permissions to each group. Then simply add individual users to the user group to grant them those permissions.
Note
The GroupShield for Exchange (Web) option appears in the menu only if you choose the Complete installation type.
Figure 3-4 SiteList Editor
Permissions can be applied to any object in the directory or on the local computer, but the majority of permissions should be applied to groups rather than individual users. This eases the task of managing permissions on the software.
Installing additional components
After the wizard completes the installation of GroupShield for Exchange, the installation process continues if you had selected any of these additional components:
Buffer Overflow Protection
McAfee Anti-Spam for GroupShield
Buffer Overflow Protection
Buffer overflow is an attack technique that exploits a software design defect in an application or process to force it to execute code on the computer. Applications have fixed-size buffers that hold data. If an attacker sends too much data or code into one of these buffers, the buffer overflows. The computer then executes the code that overflowed as a program. As the code execution occurs in the security context of the application (which is often at a highly privileged or administrative level), intruders gain access to execute commands not usually accessible to them. An attacker can use this vulnerability to execute custom hacking code on the computer and compromise its security and data integrity.
Figure 3-5 Access Control
Note
The McAfee GroupShield for Exchange 7.0 component is selected by default. If you want to install additional software components, you must select them in the installer. McAfee Anti-Spam for GroupShield component requires a license key for activation.
Buffer overflow protection prevents exploited buffer overflows from executing arbitrary code on your computer. It monitors user-mode API calls and recognizes when they are called as a result of a buffer overflow.
GroupShield for Exchange uses the buffer overflow protection of VirusScan Enterprise to protect these processes:
RPCServ.exe
PrfCtrs.exe
RunScheduled.exe
SAFeService.exe
SDEDIT.exe
StandaloneUI.exe
Enabling buffer overflow protection:
Using Windows Explorer, navigate to the folder where you copied the installation files and double-click BOPActivation.EXE.
Installing McAfee Anti-Spam for GroupShield
The Anti-Spam and Anti-Phish feature is available only if you install the McAfee Anti-Spam for GroupShield component during installation. McAfee Anti-Spam for GroupShield requires activation to enable it to work in licensed mode.
1 If you have selected McAfee Anti-Spam for GroupShield in the Component selection dialog box, the Add-on Package dialog box appears.
2 Click Next. When the End User License Agreement dialog box appears, choose Select the location where purchased and used from the drop-down menu.
3 Click Next to install the Anti-Spam feature, then click Finish to complete the installation.
Note
For more information on buffer overflow protection, refer to the VirusScan Enterprise v 8.5 User Guide.
Silent installation
The GroupShield for Exchange installation is performed by MSI. You can set the properties used by the MSI either by editing the SILENT.INI file or by passing the properties directly to the MSI via the command line.
Silent installation allows you to choose the most convenient time to install GroupShield for Exchange on Microsoft® Windows. Another advantage of silent installation is that it requires little involvement compared to a manual installation.
Before installation, please ensure that the Windows Net Logon Service is running on the Windows server using domain controllers.
Installing GroupShield for Exchange in silent mode
1 Using an administrative account, log on to the computer containing Microsoft® Exchange Server 2003/2007.
2 Create a temporary directory on the network or your local drive.
3 To install, do one of the following depending on how you obtained the software:
Insert the CD into the computer’s drive and copy the installation files into the temporary directory you created.
Download the .ZIP archive and extract the files to the temporary directory.
4 From the command prompt, change the directory to the temporary folder where you have extracted the installation files.
5 Ensure that the GROUPSHIELD.MSI file is located in the temporary folder.
6 Type MSIEXEC /I <Full Path of the MSI> /QN and press ENTER.
Note
Temporary directory = C:\GSE7
MSIEXEC /I C:\GSE7\GROUPSHIELD.MSI /QN
7 To install to a Custom folder and enable installation logs, type:
MSIEXEC /I <MSI path> INSTALLDIR=<Install Directory> and press ENTER.
Note
You cannot use silent installation to add or remove components or to do a repair.
Upon successful completion of the installation process, these menus appear under Start | Programs | McAfee | GroupShield for Exchange:
GroupShield for Exchange
GroupShield for Exchange Access Control
SiteList Editor
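The silent installation steps above can be wrapped in a script that checks the stated prerequisites first and reads the installer's exit code afterwards, since /QN shows nothing on screen. The following PowerShell is an added example, not part of the McAfee guide: it uses the guide's example paths and the msiexec /I, INSTALLDIR, /l* and /QN options, while the function name Install-GroupShieldSilently and the Authenticode signature check are assumptions of this example.

```powershell
# Added example: unattended GroupShield install with pre-checks and exit-code handling.
# Paths follow the guide's examples; adjust them for your server.
function Install-GroupShieldSilently {
    param(
        [string]$MsiPath    = 'C:\GSE7\GROUPSHIELD.MSI',
        [string]$InstallDir = 'C:\GSE7INSTALL',
        [string]$LogPath    = 'C:\GSE7\GSELOG.TXT'
    )

    # The guide requires an account with administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (administrator) session.'
    }

    # The guide requires the Windows Net Logon service to be running.
    $netlogon = Get-Service -Name 'Netlogon' -ErrorAction Stop
    if ($netlogon.Status -ne 'Running') {
        throw "Net Logon service is $($netlogon.Status); start it before installing."
    }

    # Step 5: the MSI must be present in the temporary folder.
    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "Installer not found: $MsiPath"
    }

    # Assumption of this example (not a step in the guide): refuse to run an
    # installer as administrator unless its Authenticode signature validates.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $MsiPath (status: $($sig.Status))."
    }
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

    # Step 7: custom install folder, installation log, no user interface.
    $msiArgs = @(
        '/I', "`"$MsiPath`"",
        "INSTALLDIR=`"$InstallDir`"",
        '/l*', "`"$LogPath`"",
        '/QN'
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # With /QN the exit code and the log file are the only evidence of the result.
    switch ($proc.ExitCode) {
        0       { Write-Host 'Installation completed.' }
        3010    { Write-Host 'Installation completed; a restart is required.' }
        1641    { Write-Host 'Installation completed; the installer initiated a restart.' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

Install-GroupShieldSilently
```

Any exit code other than 0, 3010 or 1641 stops the script with an error, so a scheduler or deployment tool records the failure instead of treating a silent run as a success.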
Configuring GroupShield in a cluster environment
This section describes the steps to configure GroupShield in a cluster environment.
GroupShield 7.0 is supported on a Microsoft® Cluster Service (MSCS) that is bundled with Microsoft® Windows 2003 in an Active-Passive configuration. You must install GroupShield 7.0 on the same drive and path on all the nodes of the cluster.
Note
Install folder = C:\GSE7INSTALL
MSIEXEC /I C:\GSE7\GROUPSHIELD.MSI INSTALLDIR=C:\GSE7INSTALL /QN
MSIEXEC /I <MSI path> INSTALLDIR=<Install Directory> /l* <log filename and path>
MSIEXEC /I C:\GSE7\GROUPSHIELD.MSI INSTALLDIR=C:\GSE7INSTALL /l* C:\GSE7\GSELOG.TXT /QN
Note
If silent installation is used, only the GroupShield software is installed on the server. To have additional components like Anti-Spam for GroupShield and buffer overflow protection, you should manually execute the respective setup files.
Note
GroupShield 7.0 does not support Active-Active cluster configuration. To implement GroupShield in an Active-Active configuration:
GroupShield 7.0 must be installed on both the nodes of the cluster.
From the Services MMC, change the Startup type of the GroupShield Exchange service to Automatic.
GroupShield should not be managed using the Cluster Administrator. A resource of type McAfee Cluster Framework should not be added in the cluster administrator to any of the cluster groups.
GroupShield 7.0 should be managed individually on each of the cluster nodes.
Local Continuous Replication (LCR) on Exchange Server 2007
Local Continuous Replication (LCR) is a single-server solution that uses built-in asynchronous log shipping technology to create and maintain a copy of a storage group on a second set of disks that are connected to the same server as the production storage group.
LCR is not a failover implementation. So GroupShield 7.0 can be installed and used in a similar way to that of a standalone mailbox server installation.
Clustered Continuous Replication (CCR) on Exchange Server 2007
Cluster Continuous Replication (CCR) is a high availability feature of Microsoft® Exchange Server 2007. It combines the asynchronous log shipping and replay technology built into Microsoft® Exchange Server 2007 with the failover and management features provided by the Microsoft® Cluster service.
Install GroupShield 7.0 on all the nodes of the cluster following the standard installation steps.
Single Copy Cluster (SCC, N+1 cluster configuration) on Exchange Server 2003 and 2007
A Single Copy Cluster (SCC) is a clustered mailbox server that uses shared storage in a failover cluster configuration to allow multiple servers to manage a single copy of the storage groups. This is built on the failover and management features provided by the Microsoft® Cluster service. The Exchange Virtual Server uses its own network identity and not the identity of any node in the cluster. This network identity is referred to as a clustered mailbox server.
Both Exchange 2007 Mailbox server and Exchange 2003 can be deployed in this type of cluster.
Install GroupShield 7.0 on all the nodes of the cluster following the steps of standard installation.
Note
On an Exchange 2007 CCR Cluster, GroupShield for Exchange 7.0 will not be a cluster-aware application. A resource type for GroupShield for Exchange 7.0 will not be available in the Cluster Administrator and cannot be added to the Exchange Virtual Server. GroupShield for Exchange 7.0 on all nodes of the cluster must be configured independently and will work as standalone instances.
Note
GroupShield for Exchange 7.0 should be added to the Cluster groups where the Exchange virtual server is present after the installation on the nodes of the cluster.
Adding GroupShield for Exchange as a resource to the Cluster group
In Cluster Administrator, select the Exchange cluster group to which the GroupShield for Exchange resource needs to be added.
1 From the File menu, select New | Resource. The New Resource wizard appears.
2 Type a suitable Name and Description for the Resource.
3 From the Resource type drop-down list, select McAfee Cluster Framework.
4 From the Group drop-down list, select the Cluster group to which the GroupShield for Exchange resource needs to be added.
5 Click Next. The Possible Owners screen appears. Ensure that the nodes of the cluster on which GroupShield for Exchange is installed are listed in the Possible Owners list.
6 Click Next. The Dependencies screen appears.
Make the current resource of type McAfee Cluster Framework dependent on a resource of type Physical Disk.
Figure 3-6 New Resource
Figure 3-7 Dependencies
7 Click Next. The Parameters screen appears. In the Shared Data Drive section, verify that the disk (selected from the Dependencies screen) is displayed.
8 Click Finish. A confirmation dialog box appears.
9 Click OK. The cluster resource is successfully created.
10 In Cluster Administrator, right-click the newly created resource and, from the context menu, select Bring Online to start the GroupShield for Exchange 7.0 resource.
Repeat the above mentioned steps for every Exchange group on which GroupShield for Exchange is to be added.
Note
For an existing resource of type McAfee Cluster Framework, the Physical Disk resource dependency added at the time of creation should NOT be modified under the Dependency tab from the <McAfee Cluster Framework resource> Properties dialog box.
If the dependency on the physical disk has to be changed, it is recommended to delete the existing resource of type McAfee Cluster Framework and then re-create the resource with the required Physical Disk dependency.
Figure 3-8 Cluster Dependencies
Note
Administration (deployment, configuration and pushing product updates) of GroupShield for Exchange 7.0 on a (n+1) cluster from ePolicy Orchestrator server is not supported.
Note
Product update is specific to a GroupShield for Exchange 7.0 instance in an Exchange Virtual Server. When a product update happens, the node on which the Exchange Virtual Server with GroupShield for Exchange 7.0 is active gets updated. At the time of a failover, the updates are copied to the other node automatically by GroupShield for Exchange 7.0.
Cluster Uninstallation
1 Open the Cluster Administrator.
2 Make all the resources of type McAfee Cluster Framework offline.
3 Delete all the resources of type McAfee Cluster Framework.
4 Close the Cluster Administrator.
Make the nodes of the cluster passive and uninstall GroupShield for Exchange version 7.0 as described in the topic Uninstalling GroupShield for Exchange on page 45 of this guide. Repeat this on all nodes of the cluster.
Upgrading GroupShield from v6.0.2 or higher
McAfee® GroupShield for Exchange version 7.0 supports upgrading your configuration settings from the previous version of the product. When upgrading to a new version of GroupShield for Exchange, you do not need to uninstall the existing version. The installation program successfully updates your installation to the new version.
The product upgrades supported are:
GroupShield for Exchange version 6.0.2
GroupShield for Exchange version 6.0.2 + Patch1
GroupShield for Exchange version 6.0.3
GroupShield for Exchange version 6.0.3 + Patch1
1 Run the setup wrapper of GroupShield for Exchange version 7.0 on GroupShield for Exchange version 6.0.2 / 6.0.2+Patch1 / 6.0.3 / 6.0.3+Patch1 to upgrade to GroupShield for Exchange version 7.0.
2 Select the Add-Ons which you want to install.
Note
Uninstalling the software from the cluster does not delete the McAfee folder on the shared drive. You may delete this folder manually after uninstalling the software.
Note
Upgrade from McAfee® SpamKiller version 2.1.x is not supported. Uninstall McAfee® SpamKiller using the Add/Remove Programs feature before running the GroupShield for Exchange 7.0 installation.
Note
Upgrading to GroupShield for Exchange version 7.0 works only on a licensed version of the products mentioned above.
3 When the installation is completed successfully, your system is upgraded to GroupShield for Exchange version 7.0.
Note
After the upgrade, policies, scheduled tasks, rules, and configuration settings are carried forward to GroupShield 7.0.
4
Post-Installation Tasks and Maintenance
This chapter includes information that is important to consider when performing post installation and maintenance tasks:
Testing your GroupShield installation
Quarantining using McAfee Quarantine Manager
Maintaining your GroupShield application
Uninstalling the GroupShield for Exchange software
Testing your GroupShield installation
When you have completed installation of GroupShield for Exchange, we recommend that you test the installation to ensure that the software is installed properly and can detect viruses and spam within the email messages.
Testing the anti-virus component
The recommended method to test an anti-virus product is to attach an EICAR anti-virus test file to an email message, and to send the message through the Microsoft® Exchange Server 2003/2007 where you have just installed GroupShield for Exchange.
The EICAR standard anti-virus test file was created jointly by several anti-virus vendors throughout the world to implement a standard by which customers can verify their anti-virus installations.
Note
This file is not a virus. Ensure that you delete the file when you have finished testing your installation to avoid alarming unsuspecting users.
1 Copy the following line into its own file, then save the file with the name EICAR.COM:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The file size will be 68 or 70 bytes.
2 Send an email message through the Exchange Server 2003/2007 with the EICAR test file as an attachment. When GroupShield for Exchange on Microsoft® Windows examines the email message, it reports finding the EICAR test file but is unable to clean or repair it because it is a test file.
3 GroupShield replaces the EICAR test file with an alert message.
Testing the McAfee Anti-Spam component
You can test the operation of the software by running the GTUBE (General Test mail for Unsolicited Bulk Email) test. The test email message must be sent from an external email account (a different domain).
1 Create a new Internet (external) email message.
2 In the body of the message, copy the following text:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Ensure that you enter this with no extra spaces or line breaks.
3 Send the new email message to a mailbox address on the server where you have installed Anti-Spam. Anti-Spam for Exchange scans the message, recognizes it as a junk email message, and deals with it accordingly (as specified in the configuration settings).
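The two test messages described above (EICAR as an attachment, GTUBE in the body) can be built and checked offline before they are sent. The following is an added example, not part of the McAfee guide; the addresses are constructed placeholders, the helper names are hypothetical, and the EICAR constant is the standard 68-byte test string.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Standard 68-byte EICAR test string (harmless; note the hyphen in TEST-FILE).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# GTUBE test string as printed in the guide (also 68 characters).
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def build_eicar_message(sender, recipient, trailing_crlf=False):
    """Anti-virus test: a message carrying EICAR.COM as an attachment."""
    payload = EICAR + (b"\r\n" if trailing_crlf else b"")
    if len(payload) not in (68, 70):  # the sizes the guide says to expect
        raise ValueError("EICAR payload is %d bytes, expected 68 or 70" % len(payload))
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "GroupShield anti-virus test (EICAR)"
    msg.set_content("EICAR test attachment; expect it to be replaced by an alert.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="EICAR.COM")
    return msg


def build_gtube_message(sender, recipient):
    """Anti-spam test: GTUBE alone on one body line, sent from an external domain."""
    if domain_of(sender) == domain_of(recipient):
        raise ValueError("GTUBE test must be sent from a different (external) domain")
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "GroupShield anti-spam test (GTUBE)"
    msg.set_content(GTUBE + "\n")
    return msg


def wire_check(msg):
    """Serialize as for SMTP, reparse, and report what the scanner will receive."""
    raw = msg.as_bytes(policy=policy.SMTP)
    parsed = message_from_bytes(raw, policy=policy.default)
    report = {"attachments": {}, "gtube_intact": False}
    for part in parsed.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            report["attachments"][name] = part.get_content()  # decoded bytes
        elif part.get_content_type() == "text/plain":
            # The string must survive as one unbroken line with no added spaces.
            report["gtube_intact"] |= GTUBE in part.get_content().splitlines()
    return report


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with real test mailboxes.
    av = wire_check(build_eicar_message("tester@example.net", "mailbox@example.com"))
    print("EICAR.COM bytes on the wire:", len(av["attachments"]["EICAR.COM"]))
    spam = wire_check(build_gtube_message("tester@example.net", "mailbox@example.com"))
    print("GTUBE line intact:", spam["gtube_intact"])
```

Either returned message can be delivered with `smtplib.SMTP.send_message`; delete any EICAR.COM file left on disk after testing, as the guide advises.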
Testing GroupShield installation using McAfee Virtual Technician
You can test if GroupShield for Exchange is installed correctly by running McAfee Virtual Technician. McAfee Virtual Technician automatically checks for common deviations that may have occurred since the time you installed the product.
To download McAfee® Virtual Technician, please visit http://mvt.mcafee.com/mvt/index.asp
Note
You must have McAfee Anti-Spam for GroupShield component installed to test this feature.
Note
The GTUBE test overrides blacklists and whitelists. For more information on the GTUBE test file, visit:
http://spamassassin.apache.org/
Quarantining using McAfee Quarantine Manager 4.1
McAfee® Quarantine Manager (MQM) can be used as a repository for quarantining infected email messages. McAfee products (like GroupShield for Exchange) use a pre-assigned port number to send the detection information to MQM. McAfee® Quarantine Manager in turn uses the same port number by default to release or send configuration information of the detected email messages to the McAfee product. The communication ports mentioned in GroupShield and in the McAfee® Quarantine Manager user interface should be the same.
You can use McAfee® Quarantine Manager to consolidate the quarantine and anti-spam management functionality. It gives you a central point from which you can analyze and act upon emails and files that have been quarantined. Items are quarantined because they are spam, phish, contain viruses, potentially unwanted software or other undesirable content. McAfee Quarantine Manager is particularly effective in managing unsolicited bulk email or spam.
1 Install GroupShield for Exchange on <Server 1>.
2 Install McAfee Quarantine Manager version 4.1 on <Server 2>.
3 Launch GroupShield for Exchange user interface from the <Server 1>.
4 Click Settings & Diagnostics | Detected Items page.
5 Under McAfee Quarantine Manager, select Enabled.
6 Type the IP address of the <Server 2> server, where you have installed McAfee Quarantine Manager.
7 Use the default values for Port and Callback port or modify them as configured on McAfee Quarantine Manager Server.
Note
This guide does not provide detailed information about installing or using McAfee® Quarantine Manager software. See McAfee Quarantine Manager v 4.1 Product Guide for more information.
8 Click Apply to save the changes.
Upgrading Blacklists and Whitelists
The blacklist and whitelist command line upgrade tool can be used to upgrade the user blacklists and whitelists existing in GroupShield version 6.0.x to 7.0. The command line parameters are not case sensitive and you can also use UNC paths when using the upgrade tool.
1 Using an administrative account, log on to the computer containing GroupShield for Exchange version 6.0.x user blacklists and whitelists.
2 Create a temporary directory on your local drive.
3 Download the UserBWListUpgrade.ZIP archive and extract the files to the temporary directory.
4 From the command prompt execute the command shown below:
bwl -m <SrcPath> <DestPath> [-d] [value]
Parameters:
-m: to upgrade the user blacklists and whitelists.
<SrcPath>: to specify the directory path to the existing GroupShield 6.x user blacklists and whitelists.
<DestPath>: to specify the directory path to where the generated BWLIST.XML file is to be stored. The output XML file generated can be imported into the McAfee Quarantine Manager’s database using its Import Export tool.
-d: to enable debugging. The debug log file DEBUG.TXT is generated in the current directory.
[value]: “1” enables debugging, any other value passed to this parameter disables debugging and is FALSE. The default value is set as FALSE.
Note
Once you have completed the above setup, GroupShield starts to quarantine detected items on McAfee Quarantine Manager Server; however it also logs them in the local database.
You must install McAfee Quarantine Manager version 4.1 Patch1 and HotFix 285970 on the McAfee Quarantine Manager Server. Installing this Patch and HotFix will enable you to release Quarantined items from the server.
You cannot release quarantined items that are detected as viruses.
To disable quarantining on McAfee Quarantine Manager, go to the Settings & Diagnostics | Detected Items page, deselect Enabled, then click Apply. GroupShield then continues quarantining on the local database.
-h: help
Syntax examples:
To upgrade GroupShield 6.x user blacklists and whitelists to version 7.0:
bwl -m "c:\GSE_60_BWL_Path\" "c:\GSE_70_BWL_Path"
To upgrade GroupShield 6.x user blacklists and whitelists to version 7.0 with debug logs:
bwl -m "c:\GSE_60_BWL_Path\" "c:\GSE_70_BWL_Path" -d 1
To upgrade GroupShield 6.x user blacklists and whitelists to version 7.0 with debug logs using a UNC path:
bwl -m "\\server-name\shared-resource-pathname\" "c:\GSE_70_BWL_Path" -d 1
Maintaining your GroupShield application
The GroupShield for Exchange software provides tools to help you maintain your installation. Refer to these topics for detailed instructions:
Modifying the GroupShield installation
Repairing the GroupShield installation
Restoring original out-of-box configuration
Modifying the GroupShield installation
To modify application features installed for GroupShield for Exchange, you can use the Windows Add/Remove Programs feature by running the McAfee GroupShield for Exchange setup program.
Modifying GroupShield
1 Using an administrative account, log on to the computer where Microsoft® Exchange Server 2003/2007 is installed.
Note
You can also substitute the parameters:
-m with /m
-d with /d
-h with /h
2 Ensure that the server and clients are shut down.
3 From the Start menu, click Settings, then Control Panel. The Control Panel window appears.
4 Double-click Add/Remove Programs. The Add/Remove Programs dialog box appears.
5 Select McAfee GroupShield for Exchange from the list.
6 Click Change. The Application Maintenance dialog is displayed.
7 Select Modify, then click Next.
8 When the McAfee GroupShield for Exchange features dialog box appears, modify the required features and click Next. Once the software is updated, a confirmation message is displayed.
9 Click Finish to close the dialog box.
Repairing the GroupShield installation
To repair GroupShield for Exchange, we recommend using the Windows Add/Remove Programs feature, although you can also modify GroupShield from the GroupShield for Exchange setup program.
Repairing GroupShield
1 Using an administrative account, log on to the computer where Microsoft® Exchange Server 2003/2007 is installed.
2 Ensure that the server and clients are shut down.
3 From the Start menu, click Settings, then Control Panel. The Control Panel window appears.
4 Double-click Add/Remove Programs. The Add/Remove Programs dialog box appears.
5 Select McAfee GroupShield for Exchange from the list.
6 Click Change. The Application Maintenance dialog is displayed.
7 Choose Repair, then click Next. The McAfee GroupShield for Exchange features dialog box appears. Once the software is updated, a confirmation message is displayed.
Note
If GroupShield related files are found to be corrupt or deleted, the repair process will replace them with proper files. However, no configuration settings are changed or modified.
8 Click Finish to close the dialog box.
Restoring original out-of-box configuration
To restore default settings and values from the user interface, click Settings & Diagnostics | Import and Export Configuration | Restore Default.
Uninstalling GroupShield for Exchange
To remove GroupShield for Exchange, we recommend using the Windows Add/Remove Programs feature, although you can also uninstall GroupShield from the GroupShield for Exchange setup program.
Removing GroupShield for Exchange
1 Using an administrative account, log on to the computer where Microsoft® Exchange Server 2003/2007 is installed.
2 Ensure that the GroupShield for Exchange services on the server and clients are shut down.
3 From the Start menu, click Settings, then Control Panel. The Control Panel window appears.
4 Double-click Add/Remove Programs. The Add/Remove Program Properties dialog box appears.
5 Select McAfee GroupShield for Exchange from the list.
6 Click Change. The Application Maintenance dialog is displayed.
7 Select Remove, then click Next.
8 The McAfee GroupShield for Exchange Uninstall dialog box appears. Click Next.
Note
Alternatively, you can follow the manual steps given below to restore the default settings and values:
1 Stop all Exchange Servers and GroupShield for Exchange services on the host.
2 Copy and replace the McAfeeConfig.XML from
<Install_path>\Config\Default\McAfeeConfig.XML
3 Copy and replace cs_rules_en.XML from
<Install_path>\Config\Default\<0409>\cs_rules_en.XML <for English language>
4 Start GroupShield for Exchange services on the host.
5 Start Exchange Servers on the host.
9 Once the software is removed, a message is displayed. Click Finish to close the dialog box.
5
Integrating with ePolicy Orchestrator 3.6
Introduction
This chapter describes how to configure GroupShield for Exchange using McAfee ePolicy Orchestrator management software version 3.6. To use this guide effectively, you need to be familiar with ePolicy Orchestrator. See the ePolicy Orchestrator v3.6 Product Guide for more information.
The ePolicy Orchestrator software provides a single point of control for your McAfee anti-virus products, to manage anti-virus policies, view reports of anti-virus events and virus activity in an enterprise environment. Using ePolicy Orchestrator, you can configure GroupShield for Exchange on the target computers across your network; you do not need to configure them individually.
This chapter includes how to:
Check-in the ePolicy Orchestrator agent to the ePolicy Orchestrator repository.
Check-in the package and NAP files of GroupShield for Exchange to the ePolicy Orchestrator repository.
Configure ePolicy Orchestrator agent features.
Set and enforce anti-virus policies on the target systems.
Pre-requisites for using ePolicy Orchestrator 3.6
Before you can use the ePolicy Orchestrator software to manage GroupShield for Exchange, install the ePolicy Orchestrator agent on the computer.
Note
This guide does not provide detailed information about installing or using ePolicy Orchestrator software. See ePolicy Orchestrator v3.6 Product Guide.
Introducing ePolicy Orchestrator console
The Microsoft® Management Console (MMC) is your interface to the ePolicy Orchestrator product and its features. Here you register and configure the GroupShield for Exchange products that are managed through ePolicy Orchestrator. The console uses standard MMC features.
The console is divided into two panes. When you first log on to the server, the console appears with the Console Root highlighted in the left pane.
The console tree is the navigation pane of the console. It shows the servers, workstations, and appliances that you can administer using ePolicy Orchestrator.
The details pane is to the right of the console. Depending on the item selected in the console tree, the details pane might have an upper details pane and lower details pane.
The console’s appearance changes to reflect the items you have selected in the console tree or in the details pane.
The Agent is a distributed component of ePolicy Orchestrator that must be installed on each computer on the network. The agent collects and sends information between the ePolicy Orchestrator server and repositories, and manages GroupShield for Exchange installations across the network. How you configure the agent and its policy settings determines how it facilitates communication and updating in your environment.
Figure 5-1 ePolicy Orchestrator Console
Assumptions:
Computer 1: ePolicy Orchestrator version 3.6 is installed and configured on a supported operating system.
Computer 2: Microsoft® Exchange Server 2003/2007 is installed and configured on the server.
Exchange Server is added into the ePolicy Orchestrator’s managed server list under the “Directory” branch.
McAfee Common Agent version installed on the ePolicy Orchestrator server should be upgraded from version 3.6.0.444 to 3.6.0.453 or above.
From ePolicy Orchestrator server console, ePolicy Orchestrator agent is installed or pushed on the Exchange Server.
Before you begin
1 Create a temporary directory on the network or your local drive.
2 To install, do one of the following depending on how you obtained the software:
Insert the CD into the computer’s drive and copy the installation files into the temporary directory you created.
Download the NAP and package .ZIP archive and extract the file to the temporary directory.
Installation
1 Using an administrative account, log on to the ePolicy Orchestrator server. The ePolicy Orchestrator console appears.
Creating a new site
2 Right-click Directory | New | Site. The Add Sites dialog box appears.
Note
Anti-Spam and Anti-Phish feature is only available if you install McAfee Anti-Spam for GroupShield component after installation. To install and deploy Anti-Spam and Anti-Phish, you need to check-in the required package into the repository and then deploy. If you have deployed the evaluation package, and want to upgrade to the licensed version, you must check-in the licensed package and then deploy.
3 Click Add. The New Site dialog box appears.
4 Type the Name for the new site. If the new site is a domain and you want to include all the computers under the domain, select Domain and Include computers as child nodes.
5 Click OK to add the new site. The Add Site dialog box appears.
6 Deselect Send agent package, then click OK to add the new site <Site name> to the left pane.
Adding a computer to the site
7 Right-click Directory | <Site name> | New | Computer. The Add Computers dialog box appears.
8 Click Browse to select the computer from the network, then click OK. The Add Computers dialog box appears.
9 Select Send agent package, enter the required Credentials for Agent Push Installation, and click OK to send the agent to the new computer added.
Sending an Agent Wakeup call
10 From the ePolicy Orchestrator console, right-click the Site or the Exchange Server on which you intend to install GroupShield for Exchange.
11 Click Agent Wakeup Call. The Agent Wakeup Call dialog box appears.
12 In the Agent Wakeup Call dialog box, change the Agent randomization to 0 (zero) minutes.
13 Select Get full product properties and click OK to complete the installation.
Note
You can create a new site to administer specific group of computers.
Note
If you deselect Suppress agent installation GUI, the agent installation user interface will not appear on the client computer during installation.
Tip
To enable ePolicy Orchestrator agent icon in the system tray of the client computer:
a Click ePO Agent link on the right pane.
b Click McAfee Default link for ePolicy Orchestrator agent. The ePolicy Orchestrator Agent page appears.
c Select Show Agent tray icon.
d Click Apply All.
Adding GroupShield Installation Package files to the ePolicy repository
14 Click Repository. The Repository page appears.
15 Click Check in Package. The Check in package wizard appears.
16 Click Next. The select package type wizard appears.
17 Select Products or updates, then click Next. The Check in package - Browse dialog box appears.
18 Click Browse and navigate to the temporary folder where you have extracted the installation package.
19 Select the PkgCatalog.z file, click Open and then click Next. The Check in package wizard displays Product Name, Version, Package type and Language.
20 Click Finish to check-in the package file.
21 Once the check-in process completes, click Close.
Adding GroupShield software NAP file to the repository
1 Click Repository. The Repository page appears.
2 Click Check-in NAP. The Software Repository Configuration Wizard appears.
3 Select Add new software to be managed and click Next. The Select a software package dialog box appears.
4 Select the product NAP file from the temporary folder and click Open.
The NAP file is extracted and copied to the ePolicy Orchestrator repository. A message dialog box appears upon successful completion.
5 Click OK.
Adding GroupShield Reports NAP to the repository
1 Click Repository. The Repository page appears.
2 Click Check in NAP. The Software Repository Configuration Wizard appears.
3 Select Add new reports and click Next. The Select a software package dialog box appears.
4 Select the report NAP file from the temporary folder and click Open.
The report NAP file is extracted and copied to the ePolicy Orchestrator repository. A message dialog box appears upon successful completion.
5 Click OK.
Installing GroupShield on the client computer
1 From the ePolicy Orchestrator console, select the Site or the Exchange Server on which you intend to install GroupShield, then click the Tasks tab. The deployment task page appears.
2 Double-click the Deployment task. The ePolicy Orchestrator Scheduler dialog box appears.
3 Deselect Inherit under the Tasks tab and select Enable (scheduled task runs at specified time).
4 Click Settings under the Tasks tab. The Task Settings page appears.
5 Deselect Inherit. From the listed products, select Install from the list item given against GroupShield for Exchange.
6 Deselect Run this task at every policy enforcement interval.
7 Click OK.
8 Click the Schedule tab. Deselect Inherit.
9 From the Schedule Task list item, select Run Immediately and click Apply.
10 Click OK to complete the deployment task scheduling.
11 Send an agent wakeup call.
Upgrading from GroupShield for Exchange version 6.0.x NAP settings
Assumptions:
ePolicy Orchestrator version 3.6 is installed on the server.
NAP files for GroupShield for Exchange version 6.0.2 or version 6.0.3 are checked in.
NAP file for GroupShield for Exchange version 7.0 is checked in.
You have not created any new policies in the GroupShield for Exchange version 7.0 NAP settings.
Note
For information on sending an agent wakeup call, refer to Sending an Agent Wakeup call on page 50.
Importing the GroupShield for Exchange version 6.x NAP settings
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 Create a temporary directory on the network or your local drive.
3 To install, do one of the following depending on how you obtained the software:
Insert the CD into the computer’s drive and copy the installation files into the temporary directory you created.
Download the ePOGSENPUpgrade.ZIP archive and extract the file to the temporary directory.
4 Using Windows Explorer, navigate to the folder where you copied the installation files and double-click EPOGSEUPGRADE.EXE.
5 Upon successful upgrade, the installer displays the message EPOUpgrade from GSE6.0 to GSE7.0 is completed Successfully…. If upgrading fails, follow the on-screen instructions.
Configuring GroupShield Policies
This section explains how you enforce policies from ePolicy Orchestrator. There are two main steps:
1 Within ePolicy Orchestrator, you select the names of the target computer or the site on the network and the policies that will apply to those selected computers.
2 You can enforce all the policies to the Exchange Server using the ePolicy Orchestrator agent. Each computer then observes your new policy, ignoring any policies that were previously configured at GroupShield for Exchange.
Note
This tool exports only the configurations saved under the GroupShield for Exchange version 6.0.2 or version 6.0.3 NAP file to GroupShield for Exchange 7.0 NAP. You can continue to manage all the versions of GroupShield (6.0.x and 7.0) from the ePolicy Orchestrator server.
Note
Errors or Exceptions during the upgrade are logged in the file EPODEBUGTRACE.TXT.
Managing Policies
The ePolicy Orchestrator console allows you to manage policies across groups of computers or on a single computer. These policies override configurations set on individual computers. For information regarding policies and how they are enforced, see the ePolicy Orchestrator Product Guide.
Before configuring any policies, select the group of computers for which you want to modify GroupShield policies. You can modify GroupShield policies from the pages and tabs that are available in the details pane of the ePolicy Orchestrator console. These pages are identical to those you can access directly from the GroupShield user interface.
After you have modified the appropriate policies and saved the changes for the intended computer or group of computers, you are ready to deploy the new settings via the ePolicy Orchestrator agent.
Modifying policies for GroupShield in ePolicy Orchestrator
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 In the console tree under ePolicy Orchestrator | <SERVER> | Directory, select the site, group, single computer or the entire directory to which these policies are to apply.
3 The Policies, Properties, and Tasks tabs appear in the details pane.
4 In the Policies tab, under GroupShield for Exchange, click McAfee Default for a Category to view the default policy settings. The Policy Settings dialog box appears.
5 Click Duplicate to create and save a copy of the policy settings. The Duplicate Policy dialog box appears.
6 Choose to Duplicate the current policy or Create a policy in which all tabs inherit as required.
7 Enter a New policy name.
8 Select or deselect Assign this new policy to the current node (breaks inheritance) as desired, then click OK.
Creating a New policy for a Category
1 Click Edit for a Category in the GroupShield for Exchange entry in the ePolicy Orchestrator details pane.
2 Click the Policy Name drop-down list and select New Policy. The Create a new policy dialog box appears.
3 Configure the required options from the original policy, then click OK to create the new policy.
4 Click Apply to save these settings.
Editing an existing policy (Non-default)
1 Click Edit for the selected Category in the GroupShield for Exchange entry in the ePolicy Orchestrator details pane.
2 Configure the required options, then click Apply to save the policy.
Scheduling tasks
When GroupShield scans for viruses, spam or phish, it uses information in the DAT and Rule files to find them. Many new threats are discovered daily and McAfee regularly creates new DAT files to provide protection from these viruses. To ensure the best protection, you can use ePolicy Orchestrator to inform where to access the latest update files and create schedules for replacing earlier DAT and Rule files and running on-demand scans.
Using ePolicy Orchestrator 3.6, you can create these types of scheduled tasks for the GroupShield for Exchange software:
AutoUpdate
Note
You cannot configure the McAfee Default policy settings for a selected Category. To configure a selected category, you must create a new policy or a duplicate copy of the policy for the selected Category.
Table 5-1 Policy Options
New Policy name: Type the new policy name for the Category you want to create.
Duplicate the following policy: Creates a duplicate policy for the selected Category. Select the policy from the drop-down list.
Create a policy in which all tabs inherit: Creates a new policy in which all the policy tab settings are inherited.
Note
To stop a policy enforcement, click Edit for Enforce Policies in the GroupShield for Exchange entry in ePolicy Orchestrator and select (No) from the Policy Name drop-down.
On-Demand scan
Scheduled tasks for a computer can be set to execute based on the local time or GMT (Greenwich Mean Time). However, ePolicy Orchestrator cannot monitor the progress of a scheduled task, so we recommend that you periodically view the log file on the server to check whether the scheduled task was executed successfully.
AutoUpdate task
GroupShield 7.0 software can only provide full protection if you keep it up-to-date with the latest anti-virus definitions (DATs), anti-spam rules, spam engine, and virus-scanning engine. We recommend that you update DAT files daily and regularly check the McAfee AVERT (Anti-Virus Emergency Response Team) website for new DAT files. If you have multiple servers in the current domain, you can use one server to download the latest DAT files, then configure the others to copy the files from that server. Your servers can download files for a number of operating systems, regardless of the operating systems that are in use.
Creating an AutoUpdate task
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 In the console tree under ePolicy Orchestrator, right-click Directory or the site, group or host, then select Schedule Task.
Alternatively, click the Tasks tab in the upper details pane, right-click in the pane, and select Schedule Tasks.
The Schedule Task dialog box appears.
3 Type in a New Task Name.
4 In the Task Type drop-down list, select GroupShield for Exchange 7.0 AutoUpdate Task.
5 Click OK. The created task is listed in the Tasks tab.
6 Send an agent wakeup call.
Note
For information on sending an agent wakeup call, refer to Sending an Agent Wakeup call on page 50.
Configuring an AutoUpdate task
After you have created a new AutoUpdate task, you can configure the task as required.
1 On the Tasks tab in the upper details pane, right-click the task, then select Edit Task. The ePolicy Orchestrator Scheduler dialog box appears.
2 Click Settings, then edit the required options in both the Task and Schedule tabs. The Update Task page appears with the message No additional settings are required for this task.
Note
AutoUpdate is configured to update the product with the latest DATs, spam rules, spam and anti-virus engines from the McAfee http/ftp website.
Note
You can also schedule the autoupdate task from the ePolicy Orchestrator Agent Update option in the Schedule Task dialog box.
On-Demand scan task
GroupShield for Exchange can perform on-demand scanning of your mails, so that all mails on your computer are checked for viruses, Trojan horses and other malicious code. You can create any number of on-demand scan schedules. The scan schedules can be configured to run at set intervals, and can be run at any time by the user. You can also disable schedules that you do not want to run automatically.
Creating a new task
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 In the console tree under ePolicy Orchestrator, right-click Directory or the site, group or host, then select Schedule Task.
Alternatively, click the Tasks tab in the upper details pane, right-click in the pane, and select Schedule Tasks.
The Schedule Task dialog box appears.
3 Type a New Task Name.
4 In the Task Type drop-down list, select GroupShield for Exchange 7.0 On-Demand Task.
5 Click OK. The created task is listed in the Tasks tab.
6 Send an agent wakeup call.
Note
For information on sending an agent wakeup call, refer to Sending an Agent Wakeup call on page 50.
Editing a task
1 Right-click the task and select the Edit Task option. The ePolicy Orchestrator Scheduler appears.
2 Click Settings. The On-Demand Scan Configuration page appears.
3 Deselect Inherit.
4 Select the desired on-demand policy from the list:
5 Click OK.
Scheduling settings
6 Click the Schedule tab.
Table 5-2 Schedule Options
Schedule Task: Select one of the available task types from the drop-down list: Daily, Weekly, Monthly, Once, At System Startup, At Logon, When Idle, Run Immediately, Run on Dialup.
Start Time (UTC Time, Local Time): Specify the start time for the scheduled task. Select the Local Time option to run the task using the scheduled interval at the client computer system time. This is useful for scheduling processor-intensive tasks (such as on-demand scans) to run during non-business hours. Selecting the UTC Time option uses the Universal Time Conversion (also known as Greenwich Mean Time or GMT) to run the task. This option causes the task to run at the same time for all your clients regardless of the local system time on the client computers.
Enable randomization: The task does not run at exactly the specified start time. Instead, it starts after a random specified time. Specify the hours and minutes to enable randomization.
Run missed task: Ensures that the task is started if the computer is shut down or otherwise not available at the scheduled start time. Selecting this option ensures that the task is run the next time the computer becomes available.
Delay missed task by: Click Advanced on the Advanced Schedule Options dialog box. When running missed tasks, selecting this option sets a delay after the computer becomes available before the missed task runs.
Start Date / End Date: Click Advanced on the Advanced Schedule Options dialog box. Type the start and end dates if you only want the task to run for a specified period (such as for a few days or weeks).
Repeat Task: Click Advanced on the Advanced Schedule Options dialog box. Use this option to run a task multiple times in the same day. To do this, select Repeat Task and then set the repeat interval appropriately. Typically, you might do this to run a client update task several times a day, especially if there are a lot of new viruses. You can also schedule the task to repeat during other intervals, such as weekly or monthly.
Schedule Task Daily: Specify the interval to execute the schedule task; this could be an interval of 1 or several days. If you select 1, the schedule task is executed every other day.
Reports
From the ePolicy Orchestrator console, you can view reports that show how GroupShield for Exchange installed on client computers is handling infections. You can check the configurations that have been set up on the hosts. You can save the selections you make in the Report Data Filter dialog box for future use.
ePolicy Orchestrator reports allow you to:
Set a directory filter to gather only the information that you want to view. When setting this filter, you can choose which part of the ePolicy Orchestrator console tree is included in the report.
Set a data filter by using logical operators, to define precise filters on the data returned by the report.
Generate graphical reports from the information in the database and filter the reports as desired. You can print the reports and export them for use in other software.
Running a report
1 Log on to the ePolicy Orchestrator database server under the Reporting section.
2 Select the desired GroupShield for Exchange 7.0 report under Reporting | ePO Databases | <database server> | Reports | <Product name> in the console tree. The Set Report Data filter dialog box appears.
If Yes is selected, the Report Data filter dialog box appears for that category. Select the report (Agent Versions) you want to generate, then set the data filter in the Report Data Filter dialog box. Click OK.
If No is selected, the complete report is shown.
Note
Tabs may vary based on which report is selected. See ePolicy Orchestrator Product Guide v 3.6 for more details on all the available settings tabs.
Configuring reports
There are several ways in which you can control what data appears on reports. You can define the version number of virus definition files, scanning engines, and supported products that need to be installed on the client computers for them to be considered compliant based on your company’s anti-virus and security program. You can also limit the results of reports by selected product criteria (for example, computer name, operating system, virus name or action taken on infected files). Once the results of a report appear, you can then perform a number of tasks on the data. You can view details on required report data (for example, to determine which client computers do not have a compliant version of GroupShield). Some reports even provide links to other reports, called sub-reports, that provide data related to the current report. You can also print reports or export report data into a variety of file formats (including HTML and Microsoft® Excel).
Note
See the ePolicy Orchestrator v 3.6 Product Guide for more details on configuring reports.
Uninstallation
Removing GroupShield for Exchange from Client Computer
Using the ePolicy Orchestrator server, you can uninstall the GroupShield software installed on a client computer.
Removing the GroupShield software from the client computer
1 From the ePolicy Orchestrator console, select the Site or the Exchange Server from which you intend to remove GroupShield and click the Tasks tab. The Deployment Task page appears.
2 Double-click the Deployment task. The ePolicy Orchestrator Scheduler dialog box appears.
3 Deselect Inherit under the Tasks tab and select Enable (scheduled task runs at specified time).
4 Click Settings under the Tasks tab. The Task Settings page appears.
5 Deselect Inherit. From the listed products, select Remove from the list item given against GroupShield for Exchange.
6 Deselect Run this task at every policy enforcement interval.
7 Click OK.
8 Click the Schedule tab. Deselect Inherit.
9 From the Schedule Task list item, select Run Immediately and click Apply.
10 Send an agent wakeup call.
Note
For information on sending an agent wakeup call, refer to Sending an Agent Wakeup call on page 50.
Removing GroupShield for Exchange from ePolicy Orchestrator
Removing the deployment package from ePolicy Orchestrator server
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 Select Repository | Software repositories | Master in the console tree.
3 Select GroupShield for Exchange and click Delete. A confirmation dialog box appears. Click OK to remove GroupShield for Exchange from the ePolicy Orchestrator server.
Removing the product NAP file
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 Select Repository | Managed Products | Windows | GroupShield for Exchange in the console tree.
3 Right-click 7.0 and select Remove to uninstall GroupShield NAP from the ePolicy Orchestrator server.
Removing the report NAP
1 Using an administrative account, log on to the computer containing ePolicy Orchestrator Server.
2 Select Reporting | Report Repository | groupshield7.0 in the console tree.
3 Right-click groupshield7.0 and select Remove to uninstall the report file from the ePolicy Orchestrator server.
Chapter 6: Integrating with ePolicy Orchestrator 4.0
Introduction
This chapter describes how to configure GroupShield for Exchange using McAfee ePolicy Orchestrator management software version 4.0. To use this chapter effectively, you need to be familiar with ePolicy Orchestrator 4.0.
ePolicy Orchestrator 4.0 provides a scalable platform for centralized policy management and enforcement on your security products and the systems on which they reside. It also provides comprehensive reporting and product deployment capabilities, all through a single point of control.
Note
This guide does not provide detailed information about installing or using ePolicy Orchestrator software. See ePolicy Orchestrator v4.0 Product Guide.
Pre-requisites for installing ePolicy Orchestrator 4.0
For Microsoft® Windows 2000 platform, install these files on your system:
dotnetfx.exe
msxml6-KB925673-enu-x86.exe
WindowsInstaller-KB893803-v2-x86.exe
For Microsoft® Windows 2003 platform, install these files on your system:
dotnetfx.exe
msxml6-KB925673-enu-x86.exe
Before you begin
1 Create a temporary directory on the network or your local drive.
2 To install, do one of the following depending on how you obtained the software:
Insert the CD into the computer’s drive and copy the installation .ZIP files into the temporary directory you created.
Download the ZIP files to the temporary directory.
ePolicy Orchestrator agent
ePolicy Orchestrator agent is a distributed component of ePolicy Orchestrator that must be installed on each computer on the network. The agent collects and sends information between the ePolicy Orchestrator server and repositories, and manages GroupShield for Exchange installations across the network.
Pre-requisites for using ePolicy Orchestrator 4.0
Before you can use the ePolicy Orchestrator software to manage GroupShield for Exchange, install the ePolicy Orchestrator agent on the computer.
Adding systems and deploying agents to the ePolicy Orchestrator server
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click New Systems. The New Systems page appears.
3 In How to add systems, choose Deploy agents and add systems to the current group (My Organization).
Note
To add systems without deploying agents, choose the Add systems to the current group (My Organization), but do not deploy agents option. To deploy the agent at a later time, perform the steps given under the topic Deploying an ePolicy Orchestrator agent on page 65.
4 In Systems to add, click Browse to locate the system(s) you wish to add. The Browse for Systems page appears.
5 Select a Domain from the drop-down, which has the system(s) you want to add.
6 Under Systems in Selected Domain, select the desired system(s).
Note
To select all the systems in the chosen domain, click Select all in this page.
7 Click OK to return to the New Systems page.
8 Choose an appropriate Agent version from the drop-down and specify the Installation options and Installation path as required.
9 Enter the credentials (Domain, User, and Password) for agent installation, then click OK.
Deploying an ePolicy Orchestrator agent
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems.
3 Choose a group in the System Tree.
4 Select the desired Computer Name(s) of that group.
5 Click Deploy Agents. The Deploy McAfee Security Agent page appears showing the Target systems.
6 Choose an Agent version to be installed on the selected systems.
Note
The agent versions available in the drop-down depend on which agent installation packages are checked in.
7 Choose the desired Installation options and an Installation path where you want to install the agent.
8 In Credentials for agent installation, specify the Domain, User and Password of the user account with which you want to install the agent on the selected systems and click OK.
Installation
Checking-in the McAfee GroupShield for Microsoft Exchange Server 2003/2007 package to the ePolicy Orchestrator server
You can check in the GroupShield for Exchange software package from the Master Repository page. Master Repository is the central location for all McAfee updates residing on the ePolicy Orchestrator server. It retrieves user-specified updates from the McAfee site or user-defined source sites.
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Software | Check In Package. The Package page appears.
3 Choose the Package type as Product or Update (.ZIP) and browse in File path to locate GroupShield7_ePO4.zip saved in a temporary folder.
4 Click Next. The Package Options page appears with the Package info.
5 Choose the Branch as Current.
6 Click Save.
Installing GroupShield for Exchange on the client computer
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems | System Tree and choose a desired group.
3 From the Client Tasks tab, click Create Task.
4 Type a Name and Notes for the task and choose the Type as Product Deployment (McAfee Agent 4.0.0).
5 Click Next. The Client Task Builder page appears.
6 Under Description, select the Target Platforms as Windows to install the package.
7 Choose an appropriate Language from the drop-down.
8 In Products to deploy, select GroupShield for Exchange 7.0.0 from the drop-down and choose the Action as Install.
9 In Options, select or deselect these options as required:
Run this task at every policy enforcement interval (Windows only)
Run update after successful product deployment (4.0 or above)
10 Click Next to schedule this task as desired.
11 Click Next to view a summary of the task, then click Save.
12 In the Systems tab, select a group and a computer where you want to install GroupShield 7.0.
Note
You can select all the computers in a group to install GroupShield 7.0 by clicking Select all in the page.
13 Send an agent wake-up call.
Note
For instructions on sending an agent wake-up call, please refer to Sending an Agent Wakeup Call on page 70.
Extensions
You can install, remove and manage the GroupShield for Exchange extension files. Extension files are in ZIP file format and must be installed before that product or component can be managed by ePolicy Orchestrator 4.0. The two extension files for GroupShield for Exchange are:
GROUPSHD7000.ZIP
GSE7REPORTS.ZIP
To install the GroupShield for Exchange policy extension files
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Configuration | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse, select the extension file GROUPSHD7000.ZIP and click OK.
To install the GroupShield for Exchange report extension files
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Configuration | Extensions | Install Extension. The Install Extension dialog box appears.
3 Click Browse, select the extension file GSE7REPORTS.ZIP and click OK.
Introducing ePolicy Orchestrator 4.0 Dashboard
Dashboards are a collection of pre-configured and/or user-selected monitors that provide current data about your detections.
The ePolicy Orchestrator dashboard consists of a collection of named dashboard monitors. Depending on the permissions assigned to your user account, you can create a new dashboard, manage existing dashboards, select active dashboards, and edit dashboard preferences.
Creating a new dashboard
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Dashboards | Options | New DashBoard. The New DashBoard page appears.
3 Enter a Dashboard Name and choose a desired Dashboard Size from the drop-down.
4 Click New Monitor.
5 Choose the Category as Queries and a desired GroupShield for Exchange related query from the Monitor drop-down menu.
6 Click OK.
7 Repeat steps 4 and 5 for the remaining monitors.
8 Click Save. The Make Active dialog box appears.
9 Click Yes to add this new dashboard to your active set.
Table 6-1 Dashboard Options
Option: Description
Dashboard Name: Specifies the name of the dashboard you select.
Dashboard Size: Specifies the dimensions (by number of dashboard monitors) of the selected dashboard.
Created by: Specifies the user name who created the selected dashboard.
Last modified by: Specifies the user name, date and time stamp of the last modification made to the selected dashboard.
Edit: Takes you to the Edit Dashboard page where you can make changes to the dashboard’s name and size.
Delete: Deletes the selected dashboard.
Duplicate: Creates and saves a copy of the selected dashboard. This allows you to create and edit similar dashboards without having to create one from scratch.
Make Public: Adds the selected private dashboard to the Public Dashboards list, making it available to all users with permissions to use public dashboards.
Make Active: Adds the selected dashboard to the Dashboards tab for easy access.
Reporting
Reports are pre-defined queries that query the ePolicy Orchestrator database and generate a graphical output.
ePolicy Orchestrator 4.0 has its own querying and reporting capabilities. McAfee includes a set of default queries on the left pane. However, you can create a new query, and edit and manage all the queries.
Running a query
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Reporting. A list of queries appears on the left pane.
3 Choose a GroupShield for Exchange related query from the list.
4 Click Run. The graphical output is displayed.
Creating a new query
If the pre-defined queries on the left side do not serve your purpose, ePolicy Orchestrator enables you to create your own queries.
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Reporting | New Query. The Result Type page appears.
3 On the left pane, choose a desired data type that the query should retrieve and click Next. The Chart page appears.
4 Choose and accordingly configure a display chart/table and click Next.
5 The Columns page appears allowing you to select columns for the chart/table.
6 Select columns from the Available Columns pane and click Next.
7 The Filter page appears. Specify criteria by selecting properties and operators to limit the data retrieved by the query.
8 Click Run, then Save. The Save Query page appears.
9 Enter a Name and Notes (if required) for the query, then click Save.
Table 6-2 Reporting Options
Option: Description
Delete: Deletes a selected query.
Edit: Launches the Query Builder page loaded with the details of the selected query, where you can edit any details of the selected query.
Make Public: Moves the selected query from the My Queries list to the Public Queries list, making it available to all users with permissions.
Duplicate: Creates and saves a copy of the selected query.
Export: Exports the selected query to an XML file that can be imported to any ePolicy Orchestrator server.
Run: Runs the selected query and displays its result.
More Actions | View Query SQL: Takes you to the View Query SQL page, where you can view and copy the SQL script of the selected query.
Import Query: Launches a dialog box that allows you to browse to an exported query file. When you import a query file, the server adds it to the My Queries list.
Systems
All the systems in the network are managed in the Systems tab. The System Tree contains all systems that are managed by ePolicy Orchestrator. It is the primary interface for managing policies and tasks on these systems. You can organize or sort these systems into logical groups in the System Tree.
My Organization is the root of the System Tree. It includes a Lost&Found group that stores systems whose locations cannot be determined by the server. Depending on the methods you use to create and maintain the System Tree segments (systems), the server uses different characteristics to place the systems in the System Tree.
Note
For information on adding a new system, refer to the ePolicy Orchestrator 4.0 Product Guide.
Sending an Agent Wakeup Call
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems.
3 Choose a group in the System Tree.
4 Select the desired Computer Name(s) of that group.
5 Click More Actions | Wake Up Agent. The Wake Up Agents page appears.
6 Choose a Wake-up call type and a Randomization period (0-60 minutes) during which the system(s) respond to the wakeup call sent by the ePolicy Orchestrator server.
7 Select Get full product properties for the agent(s) to send complete properties instead of sending only those that have changed since the last agent-to-server communication.
8 Click OK.
Note
Navigate to Server Task Log to see the status of the agent wakeup call.
Policies
You can create, edit, delete or assign a policy to a specific group/system in the System Tree.
Creating a new policy
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems | System Tree and choose a desired group.
3 From Policies, select the desired Product from the drop-down. A list of policies managed by the chosen point product appears in the lower pane.
4 Locate a desired policy category, then click Edit Assignment. The Policy assignment for: My Organization | Lost&Found | (chosen group) page appears.
5 Click Create new policy. The Create a new policy dialog box appears.
6 Choose McAfee Default or My Default as desired.
7 Enter a New policy name.
8 Click OK, then Save.
Note
The McAfee Default policies are read-only and cannot be edited, renamed, or deleted.
Enforcing Policies
You can enforce a policy on multiple managed systems within a group.
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems | System Tree and choose a desired group.
3 Select the desired system(s).
4 Click Assign Policy. The Assigning Policy for <n> system page appears.
5 Select the desired Product, Category, and Policy from the drop-down, then click Save.
6 Select the systems again.
7 Send an agent wakeup call.
Note
For instructions on sending an agent wake-up call, please refer to Sending an Agent Wakeup Call on page 70.
Note
You can create and enforce GroupShield policies and view reports only after adding the GroupShield extension files.
Client tasks
ePolicy Orchestrator allows you to create, schedule and maintain client tasks that run on the managed systems. You can define client tasks for the entire System Tree, a specific group, or an individual system.
Using ePolicy Orchestrator 4.0, you can create these types of scheduled tasks for the GroupShield for Exchange software:
AutoUpdate
On-Demand scan
Note
The client tasks available in the drop-down depend on the extension files installed.
AutoUpdate task
Your software can only provide full protection if you keep it up-to-date with the latest anti-virus definitions (DATs), anti-spam rules, spam engine and virus-scanning engine. We recommend that you update DAT files daily and regularly check the McAfee AVERT (Anti-Virus Emergency Response Team) website for new DAT files.
Creating a new autoupdate task
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems | System Tree and choose a desired group.
3 From the Client Tasks, select the desired group in the System Tree for which you want to create the autoupdate task.
4 Click Create Task. The Client Task Builder page appears.
5 Under Description, type a Name and Notes (if required) for the autoupdate task.
6 Choose AutoUpdate Task (GroupShield for Exchange 7.0.0) as the Type of the task and click Next.
7 Schedule the task as desired and click Next to view the Summary of the autoupdate task, which includes the Name, Notes, Product, Type of the task, and the Schedule information.
8 Click Save.
9 Send an agent wake-up call.
Note
For instructions on sending an agent wake-up call, please refer to Sending an Agent Wakeup Call on page 70.
Note
Click Edit to change the description/schedule of an autoupdate task or Delete to remove it.
On-Demand scan task
You can create any number of on-demand scan schedules. The scan schedules can be configured to run at set intervals or can be run at any time by the user.
Creating an on-demand scan task
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems | System Tree | Client Tasks.
3 Select the desired group in the System Tree for which you want to create the on-demand scan task.
4 Click Create Task. The Client Task Builder page appears.
5 Under Description, type a Name and Notes (if required) for the on-demand scan task.
6 Choose On Demand Scan (GroupShield for Exchange 7.0.0) as the Type of the task and click Next.
7 Under Configuration, choose a policy from the drop-down.
8 Click Next and schedule the task as desired.
9 Click Next to view the Summary of the on-demand scan task, which includes the Name, Notes, Product, Type of the task, and the Schedule information.
10 Click Save.
11 Send an agent wakeup call.
Note
For instructions on sending an agent wake-up call, please refer to Sending an Agent Wakeup Call on page 70.
Note
Click Edit to change the description/schedule of an on-demand scan task or Delete to remove it.
Uninstallation
Removing GroupShield for Exchange from the client computer
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Systems | System Tree and choose a desired group.
3 From the Client Tasks tab, click Create Task.
4 Type a Name and Notes for the task and choose the Type as Product Deployment (McAfee Agent 4.0.0).
5 Click Next. The Client Task Builder page appears.
6 Under Description, select the Target Platforms as Windows to uninstall the package.
7 Choose an appropriate Language from the drop-down.
8 In Products to deploy, select GroupShield for Exchange 7.0.0 from the drop-down and choose the Action as Remove.
9 In Options, select or deselect these options as required:
Run this task at every policy enforcement interval (Windows only)
Run update after successful product deployment (4.0 or above)
10 Click Next to schedule this task as desired.
11 Click Next to view a summary of the task, then click Save.
12 In the Systems tab, select a group and a computer where you want to install GroupShield 7.0.
Note
You can select all the computers in a group to install GroupShield 7.0 by clicking Select all in the page.
13 Send an agent wake-up call.
Note
For instructions on sending an agent wake-up call, please refer to Sending an Agent Wakeup Call on page 70.
Removing GroupShield for Exchange from the ePolicy Orchestrator server
Removing the deployment package from ePolicy Orchestrator
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Software | Master Repository.
3 Click the Delete link of the GroupShield for Exchange package.
Removing the product extension
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Configuration.
3 Choose the extension file GroupShield for Exchange and click Remove.
4 Select the option Force removal, bypassing any checks or errors.
5 Click OK.
Removing the report extension
1 Using an administrative account, log on to the ePolicy Orchestrator server.
2 Click Configuration.
3 Choose the extension file GroupShield for Exchange Reports and click Remove.
4 Select the option Force removal, bypassing any checks or errors.
5 Click
OK.
Chapter 7: Integrating with ProtectionPilot 1.5
Introduction
ProtectionPilot software is a security management system that simplifies anti-virus management tasks for network administrators who manage up to 500 computers. Management consists of deploying (sending and installing) anti-virus products, configuring product settings, and keeping those products up-to-date. Here you register and configure GroupShield for Exchange to be managed through ProtectionPilot. When you first log on to the server, the console displays the current level of protection. This guide describes how to configure GroupShield for Exchange using McAfee ProtectionPilot software version 1.5. To use this guide effectively, you need to be familiar with ProtectionPilot.
Pre-requisites for using ProtectionPilot
Before you can use the ProtectionPilot software to manage GroupShield for Exchange:
Check in the appropriate package and NAP file for GroupShield for Exchange to the ProtectionPilot repository.
Install the ProtectionPilot agent on your computer.
Introducing ProtectionPilot
The Microsoft® Management Console (MMC) is your interface to the ProtectionPilot product and its features. Here you register and configure your GroupShield for Exchange products that are managed through ProtectionPilot. The console uses the standard MMC features.
The console is divided into two panes. When you first log on to the server, the console appears with the Console Root highlighted in the left pane.
Note
This guide does not provide detailed information about installing or using ProtectionPilot software. See ProtectionPilot v1.5 Product Guide.
The console tree is the navigation pane of the console. It shows the servers, workstations, and appliances that you can administer using ProtectionPilot.
The details pane is to the right of the console. Depending on the item selected in the console tree, the details pane might have an upper details pane and lower details pane.
The console’s appearance changes to reflect the items you have selected in the console tree or in the details pane.
The McAfee Common Agent is the key to remotely managing products. Installed on each computer, it deploys products, updates virus definition (DAT) files and the virus-scanning engine, and upgrades existing products with service pack and patch releases. It also gathers data about installed anti-virus products, the computer, and infection and system activity. In addition, it ensures that requests from the server are executed and re-executed or enforced as needed. For example, if a user removes the anti-virus product you have defined for the computer, the agent will reinstall the product automatically.
Figure 7-1 ProtectionPilot console
Assumptions:
Computer 1: ProtectionPilot is installed and configured on a supported operating system.
Computer 2: Microsoft® Exchange Server 2003 or 2007 is installed and configured on the server.
Exchange Server is added into the ProtectionPilot’s managed server list under the “Directory” branch.
McAfee Common Agent is installed on the ProtectionPilot server.
From ProtectionPilot server console, ProtectionPilot agent is installed or pushed on the Exchange Server.
Before you begin
1 Create a temporary directory on the network or your local drive.
2 To install, do one of the following depending on how you obtained the software:
Insert the CD into the computer’s drive and copy the installation files into the temporary directory you created.
Download the NAP and pkgCatalog.z archive and extract the file to the temporary directory.
Installation
Adding McAfee GroupShield for Exchange pkgCatalog.z file to the ProtectionPilot server:
1 Locate the pkgCatalog.z file.
2 Log on to the ProtectionPilot server with administrative rights.
3 From the Server page, select the Repository tab. In Management Tasks, click Check In Package. The Check in Package Wizard appears.
4 Select Products and Updates and click Next. Browse and select the McAfee GroupShield for Exchange pkgCatalog.z file you saved to a temporary folder in Step 1.
5 Click Open to enable ProtectionPilot to load the package file.
6 Click Finish to enable ProtectionPilot to load the pkgCatalog.z file.
Note
The Anti-Spam and Anti-Phish feature is only available if you install the McAfee Anti-Spam for GroupShield component after installation. To install and deploy Anti-Spam and Anti-Phish, you need to check in the required package into the repository and then deploy it. If you have deployed the evaluation package and want to upgrade to the licensed version, you must check in the licensed package and then deploy it.
Adding McAfee GroupShield for Exchange NAP file to the ProtectionPilot server:
1 Locate the NAP file, on the product CD or in the installation .ZIP file downloaded from the McAfee website, and save it to a temporary folder accessible from the ProtectionPilot server.
2 Log on to the ProtectionPilot server with administrative rights.
3 From the Server page, select the Repository tab. In Management Tasks, click Check In Package. The Check in Package wizard appears.
4 Select Management NAP and click Next. Browse and select the McAfee GroupShield GSEWIN70.nap file you saved to a temporary folder in Step 1.
5 Click Finish to enable ProtectionPilot to load the NAP file.
Deploying McAfee GroupShield using ProtectionPilot server:
1 Select the required Site, Group or Computer in the ProtectionPilot directory and select the Tasks tab.
2 Modify the Deployment task to deploy and install McAfee GroupShield for Exchange.
Configuring GroupShield policies
This section explains how you enforce policies from ProtectionPilot. There are two main steps:
1 Within ProtectionPilot, you select the names of the target computers on the network and the policies that will apply to those selected computers. The ProtectionPilot Agent is installed on all those target computers, and you can set up a number of different policies that will apply to many individual computers or groups of computers.
2 You set ProtectionPilot to enforce those policies on computers. The agent communicates with the server to check for new policies. Each computer then observes your new policy, ignoring any policies that were previously configured at GroupShield for Exchange.
Setting and enforcing policies
The ProtectionPilot console allows you to enforce policies across groups of computers or on a single computer. These policies override configurations set on individual computers. For information regarding policies and how they are enforced, see the ProtectionPilot Product Guide.
Before configuring any policies, select the group of computers for which you want to modify GroupShield policies. You can modify GroupShield policies from the pages and tabs that are available in the details pane of the ProtectionPilot console. These pages are nearly identical to those you can access directly from the GroupShield user interface.
After you have modified the appropriate policies and saved the changes for the intended computer or group of computers, you are ready to deploy the new settings via the ProtectionPilot agent.
Modifying policies for GroupShield in ProtectionPilot
1 Log on to the ProtectionPilot server.
2 In the console tree under McAfee ProtectionPilot | <SERVER> | Directory, select the site, group, single computer, or the entire directory to which these policies are to apply.
3 The General, Policies, Scheduled Tasks, and Agent Log tabs appear in the details pane.
4 Click the Policies tab and then the GroupShield for Exchange link. The Policy Settings page appears with Scanner Settings as the default policy category.
5 Deselect Inherited and modify the policy settings as required.
Note
For more information on modifying the policy settings, refer to the chapter Policy Manager on page 105.
Setting debug logging
1 Log on to the ProtectionPilot server.
2 In the console tree under McAfee ProtectionPilot | <SERVER> | Directory, select the site, group, single computer, or the entire directory to which these policies are to apply.
3 The General, Policies, Scheduled Tasks, and Agent Log tabs appear in the details pane.
4 Click the Policies tab and then the GroupShield for Exchange link.
5 Select Diagnostics from the drop-down menu. The Diagnostics page appears.
6 Click the Debug Logging tab.
7 Select the debug logging Level. You can select:
High - to collect a large number of log entries.
Medium - to collect a medium number of log entries.
Low - to collect a low number of log entries.
None - to disable debug logging.
8 Select the Limit size of debug log files option to specify whether there should be a size limit for debug log files. You can specify how large (in megabytes or kilobytes) the debug log files can be.
9 Select the Specify location for debug log files option to use the default location for debug files, or use a different location. If you are specifying a new location, in the first field select the type of location, and in the second field enter the location details.
Setting error reporting service
1 Click Error Reporting Service tab.
2 Select Enable to enable or disable the error reporting service.
3 Select Catch exceptions to capture information about exceptional events, such as system crashes.
4 Select Report exceptions to user to specify whether exceptions should be reported to the administrator.
Setting event logging
1 Click the Event Logging tab. Here you can specify which events should be included in the Product Log and Event log.
2 Select Write Information events, Write warning events, or Write errors events for inclusion into the product log.
3 Select Write Information events, Write warning events, or Write errors events for inclusion into the event log.
Setting product log
1 Click the Product Log tab.
2 Select Specify location of database to specify whether you want to use the default location for the product log or specify a different location. If deselected, the default location is used.
3 Specify the Database location or specify a different location for the product log. Use the first field to tell the software about the type of location you are going to specify in the second field. For example, if you select Full Path in the first field, enter the full path name in the second field. If you select a location, specify the file name, or sub-directory path and file name.
4 Select the filename of database option to specify whether you want to use the default file name, or specify a different name. If deselected, the default file name is used. The default file name is productlog.bin. Type the Database filename to specify a different file name for the product log.
5 Select Limit database size to limit the size of the product log database.
6 Type the Maximum database size that the product log database can be. You can specify the size in either megabytes or kilobytes.
7 Select Limit age of entries, if you want the product log entries to be deleted after a set period of time.
8 Type the Maximum age of entry to specify how many days an entry should remain in the database before it is deleted.
9 Select Specify a query timeout to limit the amount of time allowed for answering a product log query.
10 Type the Query timeout (seconds) to specify the maximum number of seconds allowed when answering a product log query.
Scheduling tasks
This chapter explains how you enforce policies from ProtectionPilot. GroupShield can perform on-demand scanning for your Exchange Server.
Settings and actions can be specified in on-demand policies, which can be found under the Policy Manager. There are three sets of policies which can be used for an on-demand task. These are:
On-Demand (Remove Viruses) - Policies in this set contain anti-virus settings and filters. These policies provide an easy means to check against viral content in databases.
On-Demand (Remove Banned Content) - Policies in this set contain content scan settings. These policies are particularly useful if you want to see the effect of newly created/assigned content scan rules.
On-Demand (Full Scan) - Policies in this set contain settings for all scanners and filters. These policies will typically be used for scanning at regular intervals.
Creating a new on-demand scan task
1 Log on to the ProtectionPilot server.
2 In the console tree under McAfee ProtectionPilot | <SERVER> | Directory, select the site, group, single computer, or the entire directory to which these policies are to apply.
3 The General, Policies, Scheduled Tasks, and Agent Log tabs appear in the details pane.
4 Click the Scheduled Tasks tab. The Scheduled Tasks for Computer <computer name> page appears.
5 Click Create Task. The Tasks Types page appears.
6 Click GroupShield for Exchange with the Task type as OnDemand Scan Task.
7 Click Next. The Task Settings page appears.
8 Enter a Name for the task.
9 Under Schedule Settings, deselect Inherit.
10 Select the option Enable (Schedule task that run at specified time) to enable the on-demand scan task.
11 Select the next option if you want to stop the task after it has run for a certain time. Specify the hours and minutes to stop the scan.
12 Select an interval from the drop-down to schedule the scan Immediately, Once, Hourly, Daily, Weekly, or Monthly and specify their appropriate options as you require.
13 Click Apply Settings. The new task you have created appears in the Scheduled Tasks page showing the task type as OnDemand Scan Task.
Note
Select a desired task and click the Edit button to edit the settings of this task, or click Delete to delete the task when it is no longer required.
Creating a new AutoUpdate task
1 Log on to the ProtectionPilot server.
2 In the console tree under McAfee ProtectionPilot | <SERVER> | Directory, select the site, group, single computer, or the entire directory to which these policies are to apply.
3 The General, Policies, Scheduled Tasks, and Agent Log tabs appear in the details pane.
4 Click the Scheduled Tasks tab. The Scheduled Tasks for Computer <computer name> page appears.
5 Click Create Task. The Tasks Types page appears.
6 Click GroupShield 7.0 for Exchange with the Task type as AutoUpdate Task.
7 Click Next. The Task Settings page appears.
8 Enter a Name for the task.
9 Under Schedule Settings, deselect Inherit.
10 Select the option Enable (Schedule task that run at specified time) to enable the on-demand scan task.
11 Select the next option if you want to stop the task after it has run for a certain time. Specify the hours and minutes to stop the scan.
12 Select an interval from the drop-down to schedule the scan Immediately, Once, Hourly, Daily, Weekly, or Monthly and specify their appropriate options as you require.
13 Click Apply Settings. The new task you have created appears in the Scheduled Tasks page showing the task type as AutoUpdate Task.
Note
Select a desired task and click the Edit button to edit the settings of this task, or click Delete to delete the task when it is no longer required.
Uninstallation
Removing McAfee GroupShield for Exchange from the client computer using ProtectionPilot server
1 Select the required Site, Group or Computer in the ProtectionPilot directory.
2 From Management Tasks, click Uninstall Products, then Next. The Uninstall Products Wizard appears, with the option to delete the Product Name and Version from the ProtectionPilot console. You can also uninstall GroupShield for Exchange from the client system by selecting GroupShield for Exchange from the List.
3 Click Yes to remove the installation.
Removing the McAfee GroupShield for Exchange pkgCatalog.z package file from ProtectionPilot repository
1 Log on to the ProtectionPilot server with administrative rights.
2 Select the GroupShield for Exchange under Repository | View contents of Server Repository.
3 Select GroupShield for Exchange with the Type as Install from the View contents of server repository list.
4 Click Delete to uninstall GroupShield for Exchange package file from the server.
Removing the McAfee GroupShield for Exchange NAP file from ProtectionPilot server
1 Log on to the ProtectionPilot server with administrative rights.
2 Select GroupShield for Exchange under Repository | View contents of server repository.
3 Select GroupShield for Exchange with the Type as NAP from the View contents of server repository list.
4 Click Delete and then OK to uninstall GroupShield for Exchange NAP file from the server.
Chapter 8: Getting Started with the User Interface
The user interface provides critical functions for GroupShield administrators. It is important for the administrators to know how well their server is being protected from viruses and banned content. The Dashboard is your interface to GroupShield for Exchange.
The left pane of the console has links, namely Dashboard, Detected Items, Policy Manager, and Settings and Diagnostics, that you can administer. The right pane shows information depending on the item you select in the left pane.
To start GroupShield for Exchange user interface:
1 Start McAfee GroupShield for Exchange from the icon on the desktop.
2 You can also start GroupShield for Exchange by clicking on Start | Programs | McAfee | GroupShield for Exchange. Select either GroupShield for Exchange or GroupShield for Exchange (Web) as desired.
Dashboard
The dashboard provides an overview of the scanning details, latest detections, graphical view of these detections, product updates and versions, a list of recently scanned items, anti-virus news, and security news.
Dashboard has four pages:
Statistics & Information
On-Demand Scans
Status Report
Graphical Reports
Statistics & information
The Statistics & Information page is further divided into three sections:
Statistics
Versions & Updates
Reports
Figure 8-1 Dashboard
Statistics
This section shows you the percentage and the number of clean items, detected spam, phish, viruses, PUPs, banned file types/messages and unwanted content. It also shows you the average scan time (in milliseconds) and the total number of email messages scanned.
Click Reset to reset the statistics of detected items. From the Graph drop-down menu, select one of these:
<Select Detections> — Select the counters in the Detections section by clicking on the icon of an item. This enables you to view the statistics and graph of the selected counters.
Spam Summary — View spam statistics and graph.
Phish Summary — View phish statistics and graph.
Click the Display bar graph icon or Display pie chart icon as required, to view the graphical display of detections. You can choose Time Range from the drop-down menu to view these graphs. The options for the time range are:
Last 24 Hours
Last 7 Days
Last 30 Days
Versions & updates
This section has three tabs:
Update Information: This tab shows the most recent time when the anti-virus engine and DAT files were successfully updated. It shows how frequently this update was done. It also shows the version of anti-virus engine, DAT files, and anti-spam engine (if you have chosen to install the Anti-Spam for GroupShield). You can view the status of the last update (the Show Status link) and schedule a new updating frequency (the Edit Schedule link).
McAfee Security regularly provides updated Virus Definition (DAT) files to detect and clean the latest virus threats. Click Update Now to update to the most up-to-date virus protection available.
Product Information: This tab shows the product name and version, the Service Pack, HotFix information and the condition of the buffer overflow protection.
Note
A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. This results in extra data overwriting the adjacent memory locations. Enabling Buffer Overflow Protection prevents this condition.
Licenses: This tab gives the description of the installed product(s), the type of license, expiry date (if the license type is Beta), and the number of day(s) remaining for the license to expire.
Reports
This section has three tabs:
Recently Scanned Items: This tab shows a list of recently scanned items. It also shows the date and time of scan, sender’s and recipient’s details, the action taken after the scan, name of the document scanned, name of the detection, type of scan task, reason for the item being detected, and the policy name chosen.
Anti-Virus News: This tab shows a list of headlines containing the latest anti-virus news published by a company on a particular date. This is to bring awareness about the latest virus threats and vulnerabilities. Click on the link of a headline to read the news in a web page.
Security News: This tab shows a list of headlines published on a particular date containing the latest information about the IT security. Click on the link of a headline to view security information in a web page.
On-demand scans
On-demand scan is a method for scanning emails at convenient times or regular intervals. You can schedule regular scan operations when the server activities are comparatively low and when they do not interfere with your work.
GroupShield for Exchange enables you to create scheduled on-demand scans. You can create multiple schedules, each running automatically at predetermined intervals or times.
You may want to perform an on-demand scan for these reasons:
To check a specific file or files that have been uploaded or published.
To check if the documents within the Exchange Server are virus-free, possibly following DAT update, in case new viruses can be detected.
If you have detected and cleaned a virus/spam/phish and want to check if your computer is completely clean.
Scheduling a new on-demand scan
1 Click Dashboard | On-Demand Scans. The On-Demand Scans page appears.
2 Click New Scan. The Schedule an on-demand scan page appears.
3 In Choose when to scan, choose any of these options:
Not scheduled — Select the checkbox and specify the number of hours and minutes after which the scanning has to stop.
Once — From the respective drop-down lists, choose a date, month, year and the time when a scan has to start. You can select the checkbox and specify the number of hours and minutes after which the scanning has to stop.
Hours — Specify how frequently the scan task should take place (in hours), and at how many minutes past the hour. You can select the checkbox and specify the number of hours and minutes after which the scanning has to stop.
Days — Specify how frequently, in days, the task should take place and at what time of the day. You can select the checkbox and specify the number of hours and minutes after which the scanning has to stop.
Weeks — Specify how frequently, in weeks, the task takes place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the scanning has to stop.
Months — On either the first, second, third, fourth or a last day, select a checkbox by clicking on desired month(s) and specify a time at which a scan has to start. You can select the checkbox and specify the number of hours and minutes after which the scanning has to stop.
4 Click Next. In the Choose what to scan page, select the desired folder(s) and click to move the folder(s) from Available folders to Folders to scan.
Note
Click to select a folder and all its subfolders.
5 Choose any of these options:
Scan all folders — All folders in Folders to scan will be scanned.
Scan selected folders — Selected folders in Folders to scan will be scanned.
Scan all except selected folders — Folders except the selected ones in Folders to scan will be scanned.
6 Click Next. In the Configure scan settings page, choose a Policy to use from the drop-down list. The options are:
On Demand
Find Viruses
Remove Viruses
Find Banned Content
Remove Banned Content
Full Scan
7 Select Resumable Scanning to enable Restart from last item.
Note
Using this option, you can specify whether a scan can restart from the point where it was stopped.
8 Click Next.
9 Enter a name for the task.
10 Click Finish, then Apply.
Modifying an existing on-demand scan
1 Click Dashboard | On-Demand Scans. The On-Demand Scans page lists all the on-demand scans.
2 Click the Modify link of the scan task you wish to modify.
3 Make the required changes in Choose when to scan. Click Next.
4 Select the desired folders by moving them to Folder to scan. Click Next.
5 Choose a desired policy from the drop-down list and choose if you want to restart scan from the last item. Click Next.
6 Type a new name for the task.
7 Click Finish, then Apply.
Deleting an on-demand scan
1 Click Dashboard | On-Demand Scans. The On-Demand Scans page appears listing all the on-demand scans.
2 Click the Delete link of the scan task.
Note
The status of the task that you have deleted changes to Marked for deletion. Click Undo Delete if you do not want to delete the task.
3 Click Apply.
The ‘Run Now’ link
Once you have scheduled a new task, you can run a scan.
1 Click Dashboard | On-Demand Scans. The On-Demand Scans page lists all the on-demand scans.
2 Click the Run Now link of the task you wish to start. A confirmation dialog box appears.
Note
This option is available only if you click Apply after creating a new scan task.
3 Click OK to run the on-demand scan immediately.
Note
Click Refresh to update the schedule summary information.
Status report
A status report is a scheduled report sent to an administrator at a specific time. The report contains detection statistics within that specified time frame. You can choose a time, recipient email address/distribution list to send the report to, and a subject for the email. Reports are sent in HTML format.
Scheduling a new status report
1 Click Dashboard | Status Report. The Status Report page appears.
2 Click New Report. The Report page appears.
3 In the when to report page, choose any of these options:
Not scheduled — Select the checkbox to set up a reporting task that you can activate later. If you are modifying a report schedule, this option allows you to stop an existing report task.
Once — From the respective drop-down lists, choose a date, month, year and the time when a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
Hours — Specify how frequently the report task should take place (in hours), and at how many minutes past the hour. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
Days — Specify how frequently, in days, the report task should take place and at what time of the day. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
Weeks — Specify how frequently, in weeks, the report task should take place. You can also specify on which days and at what time of day the task should take place. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
Months — On either the first, second, third, fourth or a last day, select a checkbox by clicking on a desired month(s) and specify a time at which a report task has to start. You can select the checkbox and specify the number of hours and minutes after which the report task has to stop.
4 Click Next. The Who to report to page appears.
5 In Recipient Email, specify the recipient’s email address to whom the report is to be sent.
6 In Subject line for report, specify the subject line in the report that is sent to the recipient.
7 Click Next. The Please enter a task name page appears.
8 Type a meaningful name for the task.
9 Click Finish.
Note
Click the Modify link of a report task to modify its settings or click the Delete link of a report task to delete it.
The ‘Run Now’ link
Once you have scheduled a new task, you can run a report task.
1 Click Dashboard | Status Report. The Status Report page lists all the report tasks.
2 Click the Run Now link of the task you wish to start. A confirmation dialog box appears.
Note
This option is available only if you click Apply after creating a new report task.
3 Click OK.
Note
Click Refresh to update the schedule summary information.
Graphical reports
The Graphical Reports section gives an explicit view of a graph of detected items. You can also find each detection by setting filters to specify the type of detections that are of interest.
Graphical Reports has two tabs:
Simple
Advanced
Simple reports
Viewing simple graphical reports:
1 Click Dashboard | Graphical Reports. The Graphical Reports page appears with the Simple tab, by default.
2 From Time Span, choose Today or This week to view only today's detections or detections made in the last 7 calendar days (including today's date).
3 From Filter, choose any of these: Top 10 Viruses, Top 10 Spam Detections, Top 10 Spam Recipients, Top 10 Phish Detections, Top 10 Unwanted Programs, Top 10 Unwanted Content Detections, Top 10 Infected Files or Detections.
4 Click Search.
Advanced reports
In Advanced Reports, you can set filters to narrow your search criteria.
Viewing an advanced report using search filters:
1 Click Dashboard | Graphical Reports. The Graphical Reports page appears.
2 Click the Advanced tab.
3 Select at least one filter. You can select up to three of these filters:
Subject
Recipient
Reason
Ticket Number
Detection Name
Spam Score
4 Choose All Dates or a desired Date Range from the drop-down lists.
5 Choose Bar Graph or Pie Chart as required.
6 If you choose Pie Chart, choose to Query on, from the drop-down list.
Recipient
Sender
Filename
Detection Name
Subject
Reason
Rule Name
Policy Name
Spam Score
7 In Maximum Results, specify the maximum number of segments you want to appear in the pie chart. For example, if you are interested only in seeing the three most frequently assigned spam scores, type 3.
Note
Query on and Maximum Results are available only for pie chart.
8 Click Search.
Note
Click Clear Filter to return to the default filter values.
Chapter 9: Detected Items
Detected Items is used to view information about emails that contain spam, phish, viruses, potentially unwanted programs, unwanted content, banned file types or messages, and all items. You should select at least one search filter; however, you can use up to three search filters to narrow your search.
Topics covered are:
Spam
Phish
Viruses
Potentially Unwanted Programs
Unwanted Content
Banned File types/Messages
All Items
Figure 9-1 Detected Items
Spam
Spam is an unwanted email message, specifically an unsolicited bulk message.
1 Click Detected Items | Spam. The Spam page appears.
2 Select up to three of these search filters:
   Ticket Number
   Sender
   Spam Score
   Action Taken
3 Select All Dates to include all the entries. Otherwise, select the desired date and time range from the Date Range drop-down lists.
4 Click Search. A list of spam items matching your search criteria is displayed in the View Results section.
Phish
Phish is a method of fraudulently obtaining personal information (such as passwords, social security numbers, and credit card details) by sending spoofed email messages that look as though they have come from trusted sources such as legitimate companies or banks.
Typically, phishing email messages request that recipients click on a link in the email to verify or update the contact details or credit card information.
1 Click Detected Items | Phish. The Phish page appears.
2 Select up to three of these search filters:
   Ticket Number
   Sender
   Spam Score
   Action Taken
3 Select All Dates to include all the entries. Otherwise, select the desired date and time range from the Date Range drop-down lists.
4 Click Search. A list of phish items matching your search criteria is displayed in the View Results section.
Note: Click Clear Filter to return to the default search filter settings.
Viruses
A virus is a program or piece of code that replicates itself, multiplies, and infects another useful program, boot sector, partition sector or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses replicate; many do a large amount of damage to the system.
1 Click Detected Items | Viruses. The Virus Detections page appears.
2 Select up to three of these search filters:
   Ticket Number
   Filename
   Action Taken
   Submit to Avert
3 Select All Dates to include all the entries. Otherwise, select the desired date and time range from the Date Range drop-down lists.
4 Click Search. A list of viruses matching your search criteria is displayed in the View Results section.
Note: Click Clear Filter to return to the default search filter settings.
Potentially unwanted programs
Potentially Unwanted Programs (PUPs) are software programs written by legitimate companies that, if installed, may alter the security state or the privacy posture of a computer.
1 Click Detected Items | Potentially Unwanted Programs. The Potentially Unwanted Programs page appears.
2 Select up to three of these search filters:
   Ticket Number
   Filename
   Action Taken
   Submit to Avert
3 Select All Dates to include all the entries. Otherwise, select the desired date and time range from the Date Range drop-down lists.
4 Click Search. A list of PUPs matching your search criteria is displayed in the View Results section.
Note: Click Clear Filter to return to the default search filter settings.
Unwanted content
Any content that is filtered by the scanner is called unwanted content. You can use Unwanted Content to view emails or attachments that contain unwanted content.
1 Click Detected Items | Unwanted Content. The Unwanted Content page appears.
2 Select any of these search filters:
   Ticket Number
   Filename
   Action Taken
3 Select All Dates to include all the entries. Otherwise, select the desired date and time range from the Date Range drop-down lists.
4 Click Search. A list of files containing unwanted content is displayed in the View Results section.
Note: Click Clear Filter to return to the default search filter settings.