Product Reviews

McAfee GroupShield 5.0—The CDC for Exchange

The newest crop of Exchange antivirus products prevents users from receiving infected mail.

• By David W. Tschanz
• 12/01/2001

Network Associates provides a complete range of anti-virus software for desktops, servers, e-mail and Internet gateways. With the advent of SP1 for Exchange 2000, they released GroupShield 5.0 which can fully exploit Microsoft's Antivirus API 2.0. I received a copy less than a week after the upgrade and the code was still warm on the CD.

Installation
The program requires Windows 2000 Service Pack 1 and Exchange 2000 with Service Pack 1. It can be run as a new install or as an upgrade to 4.5. It can be set into a single server environment or a clustering server. Installation is straightforward and run by a wizard, though I found it to be a bit a slow (20 minutes to get through the whole installation process on a P3-800).

The installation doesn't require any user intervention except for agreeing to the EULA and determining the path. As soon as the installation is complete, the user is prompted to register the product and then led to the configuration manager. As can be expected, GroupShield includes the McAfee Active Virus Defense scanning engine. GroupShield can be configured and managed remotely from any machine equipped with the Exchange System Manager, not just the Exchange Server(s).

Documentation
The product was so new that I didn't receive a hardcopy manual, but I was able to access the 292 page Administrator's Guide from the McAfee website. The manual is comprehensive but didn't contain a troubleshooting section. Seems the folks at Network Associates are extremely confident. Then again this was the Administrator's Guide—there might be a 300 page troubleshooting manual I wasn't told about. (McAfee does however have a useful on line help section and a good support section at their website as well).

Provisions
I've been using McAfee products for a little over eight years. They are rugged, reliable and dependable. GroupShield does what you'd expect. The program is tightly integrated with Exchange 2000 and uses Antivirus API 2.0 to intercept and scan e-mail attachments and files sent or replicated to public folders and mailboxes. Scans can be set to On Demand, On Access or scheduled (part of "on demand") for periods of low server usage. A special console allows administrators to monitor the progress of an on demand scan. GroupShield also includes an incremental scanning option, designed to lessen server load, that scans only new or changed files in mailboxes and public folders.

The program happily scans whatever attachments the administrators opt for—from executables to compressed programs to files based on extensions. GroupShield can also be configured to hunt down all macros and delete them from the attachment or quarantine the whole message for review. It can also intercept encrypted messages being received or sent out, or let all through or just those to and from selected sources. GroupShield also allows for selective blocking by extension, filename and subject line and can send blocked files to a quarantine location. The quarantine location can be either a database or a directory.

On demand or automated downloading of updates for the virus database is available. When GroupShield finds "malware" the administrator has the option of having it cleaned, deleted or quarantined. Notifications can either not be sent or can be sent to one or more of the administrator, recipient or sender with an editable file that notifies the message recipient of what was done to the message and why (infected, blocked, encrypted).

The VSAPI tab on the Configuration Properties console makes available a number of VSAPI 2.0 related virus scanning options:

Proactive scanning, which is "on" by default, places incoming items in a queue for scanning when resources are available, thus reducing the load on the background and on-access scanning.

Background scanning, off by default, looks at each mail item for a version stamp. If the item has no stamp or the stamp is older than the current version, the item is scanned. Background scanning has several advantages: scanning occurs when the CPU is otherwise idle and the items, once scanned, don't need to be rescanned when they are accessed. Once it starts though, background scanning can't be switched off except by unmounting the information store or by unloading and disabling the GroupShield Exchange on-access scanner.

Version updating (auto-revving the *.DAT version after update) results in the version number being automatically updated after a successful *.DAT update. If background scanning is on, it will start to scan automatically because of the version change. Auto-revving *.DAT files after update ensures that items will be rescanned by the background or on-access scanner when, and only when, the version stamp indicates its necessary.

Scanning of plain text message bodies is available. This option is switched on and cannot be disabled. The scanning of *.RTF message bodies is an option that must be switched on (its default state) in order to block *.RTF messages (body and attachment) by subject-line content.

Outbreak Manager
Outbreak Manager is one of GroupShield's most impressive features. It's a continuous monitor that looks for suspicious activity and triggers a series of responses. The goal is to contain the outbreak before it gets out of hand. I have a master's in epidemiology and been working in disease control for several years—the methodology here is right out of the textbook.

Depending on the the anti-virus software being used, Outbreak Manager can be set to look for suspicious occurrences such as multiple viruses within a specified time period, multiple identical viruses during a specified time period and multiple identical items within a specified time period. In other words, stuff that shouldn't happen normally.

Administrators can set rules to govern what happens when Outbreak Manager detects any of the above. You can configure Outbreak Manager to send an alert and await user intervention as to what to do next. It can also be configured to automatically perform actions (such as sending alerts, deleting files, updating the anti-virus definition files or temporarily shutting down the mail server) based on rules you set. Escalation times can be configured for separate actions so that the response becomes incrementally more robust if, and only if, the initial responses fail and the outbreak continues unabated.

Logs and Monitoring
GroupShield comes complete with a full range of logging options covering every aspect of the product's operation from scanning logs to Outbreak Manager summaries. The McAfee Log Manager allows you to track every significant anti-virus event on the system from time scans were initiated to what viruses and suspicious activities were detected and where. Monitoring of e-mail traffic and virus detection rates are done using the GroupShield Exchange Object in the Windows 2000 Performance Monitor.

GroupShield provides instant notification when it detects a virus.

Testing
As you would expect, GroupShield was effective at nailing the domesticated virus code available from EICAR. It also identified all of the wild viruses that were fed into the system. This was probably a billionth of the actual testing that GroupShield gets subjected to everyday in the "real world."

The one thing that could be held against GroupShield was that the time it took to process an e-mail message was slower than the other products tested, up to twice as long when compared to both Mail essentials and SecuriQ.

Summary
McAfee's GroupShield is exactly what you would expect it to be: a solid, reliable product with enough robustness to assure that it will not let you down as long as you remember to maintain it. If it lacks in other bells and whistles such as content checking, anti-spamming and the like, that's by design. This is an anti-virus defense product and that's all it claims to be.