ScanMail 5.1—Your Name's on Everyone's Lips

The newest crop of Exchange antivirus products prevents users from receiving infected mail.

Ask any Exchange admin, security analyst, information systems auditor, or network admin worth their salt: whether or not they use it, they've heard of ScanMail. ScanMail 5.1 uses the Antivirus API 2.0 to add new features. This rainy Saturday I got to take it for a spin.

Installation
Installation's a snap. Version 5.1 requires Win2K SP1 or above (I used SP2) and Exchange 2000 SP1. A wizard steps you through the installation process. Want to install on multiple servers and place admin modules on your desktop? No problem. Just select the servers and the workstation and identify which modules to install. (You must, of course, have the appropriate permissions to do so.) The basic product comes with three modules: the ScanMail Core Module (the engine) and two management modules, the ScanMail Management Console (SMMC) and the ScanMail Web Console. ScanMail also advertises that it is cluster- and multiprocessor-aware.

Documentation
Documentation is straightforward, informative, and useful. On-line help provides the basics. The only thing missing is the 'why this is important' and 'how to use this to your advantage' stuff—but hey, you can connect the dots, right?

Provisions
All the basics are here. You can count on ScanMail to scan attachments, message body, and files sent or replicated to public folders. Scanning on demand and automated downloading of new patterns are both available. Identified malware can be cleaned, quarantined, ignored or deleted. Compressed attachments can be recursively scanned to 20 layers of compression. Detailed logs are provided. Much of this is configurable.

But here's the good stuff. The Antivirus API 2.0 added new capabilities, and ScanMail takes advantage of them:

Scanning can be done on messages (body and attachments) entering and leaving servers as well as on the Information Store. Infected attachments and blocked attachment types are deleted or quarantined; the message itself is left intact.

Alerts can be emailed to designated individuals (administrators, sender, recipient) when a virus is found.

More information can be gleaned from an infection, so when ScanMail ferrets out the bad guys it can email your designated chief virus officer the details she needs. She'll know which message was affected, where it came from, and whom it was going to. She'll also find the information in the logs.

Statistics are exposed in the Performance Monitor tool as described below.

Red Alert, a configurable file-blocking utility, can help you bridge the gap between the discovery of a new virus outbreak and the availability of a pattern to block it, or help you fulfill security policies that require blocking known problem attachment types. Simply enter the extensions of the file types you wish to block, and they'll be plucked from messages faster than Krispy Kreme doughnuts at a Microsoft conference.

Figure: ScanMail alert. When it finds a virus, ScanMail sends full details, including sender, recipient, and subject, to the administrator. It can move attachments to quarantine and then deliver the cleansed message.
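To make the Red Alert and alerting behaviour described above concrete, here is an added example (not Trend Micro's code and not drawn from the product): a message is parsed, any attachment whose final extension is on a block list is pulled out for quarantine, the rest of the message is kept intact for delivery, and an alert record carries the sender, recipient, and subject to the administrator. The block list, the sample message, and the `X-Blocked-Attachments` header are constructed for the example. It goes slightly beyond the text by treating double extensions (`Report.txt.EXE`) and mixed case correctly, since only the last suffix is compared, case-insensitively.

```python
"""Extension-based attachment blocking in the style of Red Alert.
Added example, not Trend Micro's code. Block list, sample message and the
X-Blocked-Attachments header are constructed for illustration."""
import email
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePosixPath
from typing import Optional

# Constructed block list; a real deployment takes this from its policy.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif", ".bat"}


def is_blocked(filename: Optional[str]) -> bool:
    """True when the attachment's final extension is on the block list.
    Only the last suffix counts, so 'Report.txt.EXE' is blocked, and the
    comparison is case-insensitive."""
    if not filename:
        return False
    return PurePosixPath(filename.strip()).suffix.lower() in BLOCKED_EXTENSIONS


def _prune(part: EmailMessage, quarantined: list) -> bool:
    """Recursively drop blocked leaf parts; return False if this part goes."""
    if part.is_multipart():
        kept = [p for p in part.get_payload() if _prune(p, quarantined)]
        part.set_payload(kept)
        return True
    name = part.get_filename()
    if is_blocked(name):
        quarantined.append((name, part.get_payload(decode=True)))
        return False
    return True


def strip_blocked_attachments(raw: bytes):
    """Return (cleansed message, quarantined [(name, bytes)], alert or None).
    The cleansed message keeps its body and unblocked attachments."""
    msg = email.message_from_bytes(raw, policy=default)
    quarantined: list = []
    _prune(msg, quarantined)
    alert = None
    if quarantined:
        names = [n for n, _ in quarantined]
        # Hypothetical header so downstream tooling can see what was removed.
        msg["X-Blocked-Attachments"] = ", ".join(names)
        alert = {
            "sender": str(msg["From"]),
            "recipient": str(msg["To"]),
            "subject": str(msg["Subject"]),
            "blocked": names,
        }
    return msg, quarantined, alert


def build_sample() -> bytes:
    """Constructed message: text body, a PDF, and a double-extension executable."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Quarterly report"
    m.set_content("Report attached.")
    m.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                     filename="report.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="Report.txt.EXE")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, held, alert = strip_blocked_attachments(build_sample())
    print("delivered with:", [p.get_filename() for p in cleaned.iter_attachments()])
    print("quarantined:", [n for n, _ in held])
    print("alert:", alert)
```

The quarantined bytes are returned to the caller rather than written anywhere, so the same routine can feed a quarantine store or a log. Matching on the declared filename alone is exactly the gap the text notes: it buys time until a pattern exists, not a substitute for content scanning.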

Kool tools
In addition to the SMMC, ScanMail includes several utilities: a server status pop-up that indicates the scanner is healthy, a Real-time Scan Monitor, and a Performance Monitor.

The Real-time Scan Monitor indicates how long the scanner's been up, its default action on identified viruses, and basic statistics on messages scanned, infected attachments, and viruses found. The bottom half is a real-time window into the logs; here you'll see a line for each message scanned. Watching this is like watching the clothes tumble in the large Laundromat dryers on Saturday afternoon—not much future in it, but it keeps the wee ones and the weird ones mesmerized.

Performance Monitor is a customized Win2K Performance Log and Alert console with the new Exchange 2K SP1 counters selected. These counters are meant to provide admins with useful information such as the number of messages the scanner has processed, cleaned, and quarantined, both cumulatively and per second. You'll also see how many separate files are processed. Tracking these counters over time provides evidence of normal and siege circumstances. Developing alerts based on them should help admins swing into defensive mode on the cusp of new virus plagues—not in their aftermath.
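As an added example of the kind of alert the paragraph above has in mind (not Trend Micro's or Microsoft's code, and not the console's own alert rules), the block below turns cumulative counter samples of the sort Performance Monitor exposes into per-second rates, establishes a baseline of the quarantined fraction over quiet intervals, and flags intervals that exceed it. The counter log is constructed; the counter names, the baseline length, and the thresholds are assumptions, not the product's. One detail a practitioner wants handled is a counter reset after a service restart, which would otherwise show up as a negative rate; the example skips that interval.

```python
"""Outbreak alerting from cumulative scanner counters.
Added example, not Trend Micro's or Microsoft's code. Samples, counter
names and thresholds are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since monitoring started
    processed: int    # cumulative messages processed by the scanner
    quarantined: int  # cumulative messages quarantined


# Constructed counter log: six quiet minutes, a service restart (counters
# reset at t=420), then a burst of quarantined mail.
SAMPLES = [
    Sample(0, 0, 0), Sample(60, 600, 2), Sample(120, 1200, 3),
    Sample(180, 1800, 5), Sample(240, 2400, 6), Sample(300, 3000, 8),
    Sample(360, 3600, 9), Sample(420, 200, 0), Sample(480, 800, 2),
    Sample(540, 1400, 122), Sample(600, 2000, 250),
]


def interval_rates(samples: List[Sample]) -> List[Tuple[int, float, float]]:
    """Per-interval (end time, messages/sec, quarantined/sec) from cumulative
    counters. A counter that goes backwards means the service restarted, so
    that interval is skipped rather than reported as a negative rate."""
    out = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0 or b.processed < a.processed or b.quarantined < a.quarantined:
            continue
        out.append((b.t, (b.processed - a.processed) / dt,
                    (b.quarantined - a.quarantined) / dt))
    return out


def outbreak_alerts(samples: List[Sample], baseline_intervals: int = 6,
                    k: float = 3.0, floor: float = 0.01) -> List[int]:
    """End times of intervals whose quarantined fraction exceeds the baseline
    mean plus k standard deviations. The threshold never drops below `floor`,
    so a perfectly quiet baseline does not alert on a single stray message."""
    fractions = [(t, q / m if m else 0.0) for t, m, q in interval_rates(samples)]
    if len(fractions) <= baseline_intervals:
        raise ValueError("not enough intervals to establish a baseline")
    base = [f for _, f in fractions[:baseline_intervals]]
    threshold = max(mean(base) + k * pstdev(base), floor)
    return [t for t, f in fractions[baseline_intervals:] if f > threshold]


if __name__ == "__main__":
    for t, m, q in interval_rates(SAMPLES):
        print(f"t={t:4d}s  {m:6.2f} msg/s  {q:6.3f} quarantined/s")
    print("alert at:", outbreak_alerts(SAMPLES))
```

Using the quarantined fraction rather than the raw quarantined-per-second rate keeps the alert from firing on a busy morning when mail volume simply doubles; what matters on the cusp of an outbreak is the share of mail that is infected.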

Results
Let's face it, this product gets tested mega times a day on huge networks, so I'm hardly going to add much to its score. So what can one day in operation tell me about ScanMail's effectiveness in the real world? Not much. But I was able to see it respond to infected attachments and block others.

Setting up a test was not all that easy. There are lots of viruses in the wild, and you might think attracting them is about as hard as offering bare flesh to mosquitoes during a summer evening at the swimming hole. It's not. So where does a responsible security evangelist go to get virus code? (Note to editors: don't print my email address on this one, ok?)

It turns out that it's easy to download files which will start those alarm bells ringing and yet not harm your system should things get out of control. I found some in about 5 seconds—and not at some shady site that stockpiles toxic code, either. For more information see the sidebar "Antiviral Scanner, This is Roberta, Are You Working?"

Summary
Have I got you salivating like two Dobermans who've trapped the mailman inside their fence? No? Well, not even a teensy bit? That's better. Maybe this product is not the answer to every potential new infectious concoction, but it should gobble up a large number of them and spit out the bones. I'd trust it to be a part of my preventative medicine program.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
