Well it is good to see that not everyone is a McAfee basher ! ;-)
Sometimes I do wonder why there are Symantec AV related News Groups but not McAfee [sigh].
Dave
|
| > Could someone explain to me the difference between NAI VirusScan and NAI
| > NetShield? Because both programs are for fileservers and I don't know which I
| > should use because I don't know the differences.
|
| The new 7.x versions of VirusScan are also for servers... so yes you can use
| this as opposed to the previous 4.5.x versions.
|
| That applies to Windows OS... I believe there is no Netware 7.x, so 4.5.x is
| still the latest.
|
| This will provide you with file system protection on the server, but will
| not provide you with a view into the message store (which is where GSE comes
| in).
|
| > And 2nd question, if NAI GroupShield for Exchange is installed, do I need
| > NAI WebShield too?
|
| As you are asking specifically about McAfee, I will answer McAfee specific
| and try not to sound like an advert
|
| For anyone else... if you are not interested in McAfee / specific product
| "stuff"...stop reading
|
| My answer would be that yes, you do need both.
|
| OK, why? And no, I don't work for McAfee... well, not any more... so I am
| reasonably unbiased.
|
| Although GSE 6.0 on Exchange 2000 includes SMTP transport scanning (which
| works really nicely BTW...) and would cover bridgehead scenarios, the
| Exchange server is not the only device in the network which is capable of
| generating SMTP data to be sent out of the organisation;
|
| There is no real way to force all SMTP connections via the Exchange MTA,
| especially with the new viruses with their own SMTP engines, so you should
| also be looking at how you can check the SMTP traffic leaving the other
| nodes in the company, besides the Exchange server.
|
| Besides automated business processes which may generate SMTP mails both to
| internal and external addresses, we have all seen far too many viruses to
| know that in fact having something checking the SMTP traffic flying around
| and potentially out of the network regardless of source is not a bad way to
| work. If an unprotected machine is sending out @MM malware, then having
| something to block that before it even leaves the company is beneficial to
| you as a business because the harvested addresses from your client machines
| will never receive the (known) virus because it was blocked during
| distribution before it left your LAN.
|
| The WebShield (Appliance) is a good way of doing this... It has a
| transparent bridge mode, so it is simple to place it into parts of the
| network and any SMTP traffic will be picked up, scanned / content scanned
| (spam checked) and logged/cleaned. The most common deployment model would
| be:
|
| Internet
| |
| FW
| |
| WS-Appliance
| |
| LAN Hub
| |-------------------------------------+
| MailServer (and everything else)
|
| In this way the WS box is physically in line and everything going
| into and out of the company is being scanned.
|
| (These boxes can also do HTTP, FTP and POP3 (all still in transparent bridge
| mode), though this possibly requires more than one appliance depending on
| your throughput requirements and the appliance model you are looking at.)
|
| In this way, you have a better control over the SMTP traffic.
|
| Unless it's changed in the last few weeks, the software WebShield package
| does not support transparent bridging, so relies on having mail forwarded to
| it as a relay... that will not be checking mail from clients... you need to
| have it inserted into the physical flow of SMTP traffic over the network to do
| this, i.e. the Appliance with transparent bridging.
|
| Now, if you can guarantee that the Exchange box is the only one that
| *should* be generating and receiving SMTP traffic, and you don't want to scan
| HTTP, FTP or POP3 from clients then you can block all others from being able
| to send SMTP at the firewall / router and stick with the Exchange server AV
| only for SMTP.
|
| It's surprising just how many people *don't* run firewalls, or don't wish to
| block SMTP from the clients.
|
| As a side note, the other nice thing about GSE6 is with the (optional)
| Anti-spam module, spam gets nuked well away from the users.
|
| I have set it up with the following limits:
|
| Spam Score 10 or higher - Reject the SMTP connection
| Spam Score 7 or higher - Public Spam Folder (aged to nuke after 2 weeks -
| restricted to Admin viewing only)
| Spam Score 4 or higher - User Spam Folder (user gets to determine if they
| want the mail).
|
| Here is a recent spam analysis that ended up in the Public Spam Folder -
| (Yes! It's the Nigerian Spam....)
|
| (The Spam engine is based on SpamAssassin so the rules / scoring may look
| familiar.)
|
| X-OriginalArrivalTime: 13 Mar 2004 18:53:02.0990 (UTC)
| FILETIME=[69B50AE0:01C4092C]
| X-NAI-Spam-Flag: YES
| X-NAI-Spam-Level: ********
| X-NAI-Spam-Score: 8.3
| X-NAI-Spam-Threshold: 4
| X-NAI-Spam-Report: 7 Rules triggered
| * 3.7 -- NIGERIAN_2 -- Contains two or more phrases common in 419 scam
| mails
| * 1.4 -- SUBJ_ALL_CAPS -- Subject is all capitals
| * 1.1 -- MSG_ID_ADDED_BY_MTA_2 -- 'Message-Id' was added by a relay (2)
| * 0.9 -- DEAR_FRIEND -- Contains 'dear friend'
| * 0.9 -- MILLION_USD -- Talks about millions of dollars
| * 0.4 -- LINES_OF_YELLING -- A WHOLE LINE OF YELLING DETECTED
| * -0.2 -- NIGERIAN_1 -- Contains one or more phrases common in 419 scam
| mails
|
|
| Here is a recent spam that has ended up in my User Folder:
|
| X-NAI-Spam-Flag: YES
| X-NAI-Spam-Level: ****
| X-NAI-Spam-Score: 4.8
| X-NAI-Spam-Threshold: 4
| X-NAI-Spam-Report: 3 Rules triggered
| * 3 -- HTML_IMAGE_ONLY_04 -- HTML: images with 200-400 bytes of words
| * 1.8 -- HTML_MESSAGE -- HTML included in message
| * -0.1 -- USER_AGENT_MOZILLA_UA -- User-Agent header indicates a non-spam
| MUA (Mozilla)
| X-NAI-Spam-Checker-Version: NAI SpamAssassin 1.1 (core version 2.44 date
| 20031024 serial 1112)
| X-NAI-Spam-Route: User-Junk-Folder
|
| I have also setup blacklists of addresses I have used as spam bait so
| whenever bulk mail comes in with any of those addresses in the header, the
| spam score rockets regardless of any other rules which may trigger or if
| there are also legitimate addresses in the (bulk spam mail) header and
| causes Exchange to reject the SMTP connection... You do have the choice of
| logging / quarantine. In my case, I just dump it.
|
| Basically, if it contains spam bait (false email addresses as mailto: on my
| website actually) its not a business mail I want.
|
| This has dramatically decreased (we are talking rejecting 8 out of 10 mails)
| the amount of spam I am seeing as the Exchange server now rejects the mail
| altogether... No logging, no quarantine etc. This has also had a positive
| effect on my Exchange Store size.
|
| Hope that helps / gives some background.
|
| .\/.artin
|
|
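The score-threshold routing and the spam-bait blacklist Martin describes above, as an added Python example that is not part of this thread and not GroupShield's own code. The sample messages are constructed from the X-NAI-Spam-* headers he quoted; the bait addresses, the penalty they add, and all function names are assumptions.

```python
import email
import email.utils
import re

# Routing from the post, highest threshold first; the first one reached wins.
ROUTES = [
    (10.0, "reject"),             # refuse the SMTP connection
    (7.0, "public-spam-folder"),  # admin-only folder, aged out after 2 weeks
    (4.0, "user-spam-folder"),    # user decides whether they want it
]

# Assumed spam-bait addresses: fake mailto: links on a web page, so any mail
# addressed to them was harvested by a bot, never typed by a real correspondent.
BAIT_ADDRESSES = {"bait-1@example.com", "trap@example.com"}
BAIT_PENALTY = 100.0  # assumed value: large enough to reach the reject route

# One "<score> -- <RULE> -- <description>" entry of an X-NAI-Spam-Report header.
RULE_RE = re.compile(r"(-?\d+(?:\.\d+)?)\s+--\s+(\S+)\s+--\s+(.*)", re.S)


def load(raw):
    """Parse a raw message; the compat32 parser keeps folded header lines intact."""
    return email.message_from_string(raw)


def parse_spam_report(msg):
    """Return [(score, rule_name, description), ...] from X-NAI-Spam-Report.

    The header is folded across lines, so entries are split on the '*'
    bullets rather than on line breaks, then folding whitespace is collapsed.
    """
    report = msg.get("X-NAI-Spam-Report", "") or ""
    rules = []
    for chunk in re.split(r"\s*\*\s+(?=-?\d)", report):
        m = RULE_RE.match(chunk)
        if m:
            rules.append((float(m.group(1)), m.group(2), " ".join(m.group(3).split())))
    return rules


def rule_total(msg):
    """Sum of per-rule scores; agrees with X-NAI-Spam-Score up to rounding."""
    return round(sum(score for score, _, _ in parse_spam_report(msg)), 1)


def recipients(msg):
    """All To:/Cc: addresses, lower-cased, so bait hits are found among real ones."""
    found = set()
    for hdr in ("To", "Cc"):
        for _, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.add(addr.lower())
    return found


def route(msg):
    """Decide (action, effective_score, reasons) for one scored message."""
    score = float(msg.get("X-NAI-Spam-Score", "0"))
    reasons = [name for _, name, _ in parse_spam_report(msg)]
    bait_hits = recipients(msg) & BAIT_ADDRESSES
    if bait_hits:
        # Bait present: push past every threshold regardless of other rules or
        # of legitimate addresses that share the header with the bait one.
        score += BAIT_PENALTY
        reasons.append("SPAM_BAIT_ADDRESS:" + ",".join(sorted(bait_hits)))
    for threshold, action in ROUTES:
        if score >= threshold:
            return action, score, reasons
    return "deliver", score, reasons


# Constructed samples built from the headers quoted in the post.
NIGERIAN_419 = """\
To: someone@example.com
Subject: URGENT BUSINESS PROPOSAL
X-NAI-Spam-Flag: YES
X-NAI-Spam-Score: 8.3
X-NAI-Spam-Threshold: 4
X-NAI-Spam-Report: 7 Rules triggered
 * 3.7 -- NIGERIAN_2 -- Contains two or more phrases common in 419 scam
 mails
 * 1.4 -- SUBJ_ALL_CAPS -- Subject is all capitals
 * 1.1 -- MSG_ID_ADDED_BY_MTA_2 -- 'Message-Id' was added by a relay (2)
 * 0.9 -- DEAR_FRIEND -- Contains 'dear friend'
 * 0.9 -- MILLION_USD -- Talks about millions of dollars
 * 0.4 -- LINES_OF_YELLING -- A WHOLE LINE OF YELLING DETECTED
 * -0.2 -- NIGERIAN_1 -- Contains one or more phrases common in 419 scam
 mails

(body omitted)
"""

IMAGE_SPAM = """\
To: someone@example.com
X-NAI-Spam-Score: 4.8
X-NAI-Spam-Threshold: 4
X-NAI-Spam-Report: 3 Rules triggered
 * 3 -- HTML_IMAGE_ONLY_04 -- HTML: images with 200-400 bytes of words
 * 1.8 -- HTML_MESSAGE -- HTML included in message
 * -0.1 -- USER_AGENT_MOZILLA_UA -- User-Agent header indicates a non-spam
 MUA (Mozilla)

(body omitted)
"""

BAIT_HIT = """\
To: Real Person <real@example.com>, bait-1@example.com
X-NAI-Spam-Score: 1.2
X-NAI-Spam-Report: 1 Rules triggered
 * 1.2 -- HTML_MESSAGE -- HTML included in message

(body omitted)
"""

if __name__ == "__main__":
    for name, raw in (("419", NIGERIAN_419), ("image", IMAGE_SPAM), ("bait", BAIT_HIT)):
        action, score, reasons = route(load(raw))
        print(f"{name:6} -> {action:18} score={score:.1f} rules={reasons}")
```

The 419 sample lands in the public spam folder and the image-only mail in the user folder, matching the post; the low-scoring bait sample is rejected even though a legitimate address is also in its To: header, which is the behaviour Martin describes for his blacklist.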