In-Depth

Stop Viruses at the Gate

The newest crop of Exchange antivirus products prevents users from receiving infected mail.

• By Roberta Bragg and David Tschanz
• 12/01/2001

What’s the biggest problem with desktop virus scanners? Getting users to update the signatures. While we insist desktop virus checkers be part of the generic desktop configuration, we prefer them to be the second line of defense. A better first barrier is a strong, mail server-based scanning tool that can prevent viruses and Trojans from getting to the user in the first place. Unfortunately, how much these products can do is limited by their ability to interface directly with the mail server processes. Think of it like this: A complex product like Exchange naturally protects its inner workings from intruders and only exposes areas that can safely allow development work that complements the product. Providing hooks for antiviral scanners wasn’t big on anyone’s horizon when Exchange was in development close to a decade ago, but it is now. To make it easier for server-based products, Microsoft provided the Antivirus API for Exchange 5.5 in its Service Pack 3 and Antivirus API 2.0 in SP1 for Exchange 2000.

Antivirus API 2.0—It’s About Time
While version 1.0 of anything is never what we want, this API was criticized for not providing enough access. Antivirus API 2.0 appears to provide the capabilities vendors want. Here’s a rundown:

• A change in the threading processes allows multiple items to be submitted for scanning simultaneously.
• High-priority (items someone is accessing) and low-priority (items that no one has accessed yet) management focuses attention where it needs to be while providing more efficient handling of the load. High-priority items will always be scanned first.
• Attachment scanning is proactive; arriving attachments are queued for scanning when they arrive at the information store—not when a user attempts to access them. (API 1.0 attachments were only scanned when they were accessed.) If there’s an attempt to access the attachment before it’s scanned, it’s then scanned immediately (it becomes a high-priority item).
• Background scanning processes traverse user mailbox folders looking for unscanned items that are then submitted for scanning.
• Message details are now provided so Exchange admins can track viral activity.
• Antiviral program Performance Monitor counters and event log events have been added that can track the amount of info being scanned. This information may help determine appropriate server sizing as well as notification that the antiviral product is working.

In sum, Antivirus API 2.0 provides the tools your antiviral vendor can use to help you detect, clean and study viral attacks. But remember, if you want the advantages this new API provides, you must select a product that has been designed to use them; the API’s existence alone doesn’t mean diddley.

The Contenders
For this roundup, we looked at five products that run directly on your Exchange 2000 server to provide a first line of defense. This article summarizes our results. You can see more extensive reviews and notes on working with the individual products in the online edition of this article posted on www.mcpmag.com.

Sybari Software’s Antigen 6.2 (Figure 1) impressed us with its thoroughness and flexibility. Of particular note is its ability to use any or all of five virus-detection engines (Norman, Network Associates’ McAfee 4.x, Sophos, Computer Associates’ Inoculat IT and CA Vet), all of which can be updated automatically. Antigen can use either the new Antivirus API 2.0 or, if you’re leery of installing the Exchange 2000 service pack, the older ESE interface. Either way, it quarantines suspicious messages and notifies an administrator of the problem. You can configure the types of file to scan and also decompress zip files to scan their contents. We would have preferred the help to be better integrated with the product (rather than supplied via browser or PDF), and we had some difficulty configuring a proxy server to allow automatic updating (a problem that Sybari tech support was quick to solve). But those are minor issues that are far outweighed by Antigen’s excellent protection features.

Figure 1. Antigen provides an easy-to-read summary of its activities and findings. (Click image to view larger version.)

McAfee’s GroupShield 5.0 is exactly what you’d expect it to be: a solid, reliable product with enough robustness to assure that it won’t let you down as long as you remember to maintain it. GroupShield includes an innovative Outbreak Manager: a monitor that looks for suspicious activity and triggers a series of responses. The goal is to contain the outbreak before it gets out of hand. Outbreak Manager can be set to look for suspicious occurrences such as multiple viruses within a specified time period, multiple identical viruses during a specified time period, or multiple identical items within a specified time period. You can configure escalation rules for separate actions so the response becomes incrementally more robust if, and only if, the initial responses fail and the outbreak continues unabated. On the negative side, GroupShield took up to twice as long as either Mail essentials or securiQ to do its job. GroupShield 5 also lacks the other bells and whistles such as content checking and anti-spamming found in other products in this review, but that’s by design; this is an antivirus defense product and that’s all it claims to be.

GFI’s Mail essentials 2000 features completeness and ease of operation. Key features include anti-spam protection, e-mail encryption, e-mail archiving, disclaimers, personalized auto responders and POP3 downloading. All of this is transparent to the user and has the benefit of requiring no training for users and little, if any, additional administration beyond the initial set-up. The antivirus engine scans all inbound and outbound mail both internally and inter-company and can quarantine or remove suspicious attachments. It can also be configured to remove scripting code in the body of a message. This can present a problem for forms included in newsletters, for example, but that’s a small price to pay for security. The nice thing about this feature is that it’s not dependent on keeping a virus list up to date; it detects and removes scripts regardless. Mail essentials’ failings are relatively minor; it lacks some of the nifty administrative tools and monitoring options you can find in other products, and the manual is poorly indexed. But it does perfectly what it was designed to do: identify, hunt and kill anything that looks like a threat to e-mail security with the quiet relentlessness and thoroughness of white blood cells gobbling an intruder in your bloodstream.

Trend Micro’s ScanMail 5.1 includes solid scanning options and useful tools. ScanMail is, of course, an established offering that makes good use of the new AVAPI features. You can scan the information store in the background, as well as conduct high-priority scans of messages entering and leaving the server. When it finds a virus, ScanMail sends full details to the administrator, as shown in Figure 2. Other goodies shipped as part of ScanMail include Red Alert (a configurable file blocker designed to deal with sudden new problems), a real-time monitor to give you extensive information on the program’s operation, and a customized Performance Monitor console set up to keep an eye on Exchange activity. ScanMail is a tried-and-true alternative that gets used every day on huge networks. We’d trust it to be a part of our preventive medicine program.

Figure 2. When it finds a virus, ScanMail sends full details including sender, recipient, and subject, to the administrator. It can move attachments to quarantine and then deliver the cleansed message. (Click image to view larger version.)

GROUP Software’s securiQ Suite is a rules-based product that requires a lot of extra administrative effort. Reaching beyond virus scanning, it includes components to block spam, add automatic attachments (such as company disclaimers) to outgoing mail, encrypt archived mail and control access to it, and manage anti-virus scanning. Everything in the suite is rules-based, and there’s a steep curve involved in learning to write the rules. We also had trouble installing the suite on two different networks, though tech support did come to our rescue. SecuriQ Suite is a powerful tool, but difficult to learn, and it won’t block viruses out of the box.

Picking Your Product
The best way to pick an e-mail security package is to ask yourself what you need from the product. If antivirus protection is all you’re after, then GroupShield 5 is a good choice. The Active Virus Defense component combined with the features of AVAPI 2.0 and the elegantly tailored Outbreak Manager make this an excellent package. For a product with more features, GFI’s Mail essentials 2000 was David's personal favorite. It includes a powerful antivirus engine along with a number of e-mail management tools, such as spam protection and disclaimer management, making it ideal for the corporate environment.

Of the other products we looked at, we’re especially impressed by the installation and configuration flexibility offered by Antigen. And, of course, ScanMail has proved itself multiple times in very large installations, making it a safe choice for anyone hunting enterprise-level protection. We were less thrilled with securiQ suite, which offers promise hidden behind a difficult learning process.

Obviously any e-mail scanning system has to be part of a total package and continuously maintained in order to be reasonably successful. That system has to include an educated user (see "The Human Factor" for more). Some may think that the virus writers are winning in their contest with antivirus scanners at this point. After all, the writers have the simpler job; all they need to do is find a chink in the armor and exploit it. With a little misdirection and camouflage and by playing on a false sense of security, they can use these vulnerabilities to devastating effect. But by equipping your mail server with an industrial-strength antivirus scanner such as one of the products we reviewed here, you can up your chance of beating them on your own network.