McAfee Security for Microsoft Exchange

Transcription

1 Best Practices Guide McAfee Security for Microsoft Exchange Software version 7.6

2 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, epolicy Orchestrator, McAfee epo, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Security for Microsoft Exchange Best Practices Guide

3 Contents Preface 5 About this guide... 5 Audience... 5 Conventions... 5 Finding product documentation... 6 Contact Information Introduction 9 How does it work... 9 Where does MSME fit in an organization How s are scanned On Exchange Server On Exchange Server 2007/ Product features What is new in this release Installation 17 Supported environments Pre-installation checklist Installation scenarios Manually install MSME or Anti-spam add-on Silent installation Install MSME on Exchange Server 2007 Single Copy Cluster (SCC) Install MSME on Exchange Server 2007 Data Availability Group (DAG) Deploy MSME using McAfee epolicy Orchestrator Upgrade scenarios Post-installation tasks Product configurations 21 Product Health Alerts Policy settings Create policies Scanner settings Background scanning Content scanning On-demand scanning Proactive scanning Mail size filtering McAfee Global Threat Intelligence (GTI) file reputation Exclusion settings Using Regular Expressions Default vs. Enhanced configuration settings McAfee Anti-Spam add-on component Quarantine management Manage using epolicy Orchestrator Troubleshooting 27 Resolve Active-sync issues McAfee Security for Microsoft Exchange Best Practices Guide 3

4 Workaround Workaround Determine latency issues Microsoft Exchange Performance Counters Standard MSME Performance Counters Advanced MSME Performance Counters Important registry keys Error codes Related KnowledgeBase articles A Appendix Frequently asked questions 40 4 McAfee Security for Microsoft Exchange Best Practices Guide

5 Preface This guide provides the information you need to know as a best practice when you install, configure, use, and maintain your McAfee Security for Microsoft Exchange (MSME) software, version 7.6. For more information on How to install, upgrade, or manage the product using McAfee epolicy Orchestrator How to configure, use, and maintain the product See McAfee Security for Microsoft Exchange Software Installation Guide McAfee Security for Microsoft Exchange Software Product Guide About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Users People who are responsible for configuring the product options on their systems, or for updating their systems. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Bold User input, Path, or Code Hypertext Title of a book, chapter, or topic; introduction of a new term; emphasis. Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program; a code sample. A live link to a topic or to a website. McAfee Security for Microsoft Exchange Best Practices Guide 5

6 Introduction Finding product documentation Note: Tip: Important/Caution: Warning/Danger: Additional information, like an alternate method of accessing an option. Suggestions and recommendations. Valuable advice to protect your computer system, software installation, network, business, or data. Critical advice to prevent bodily harm when using a hardware product. Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. 1 Go to the McAfee Technical Support ServicePortal at 2 Under Self Service, access the type of information you need: To access User documentation KnowledgeBase Do this 1 Click Product Documentation. 2 Select a Product, then select a Version. 3 Select a product document. Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. Contact Information SECURITY HEADQUARTERS: McAfee Labs (Anti-Virus & Vulnerability Emergency Response Team) Home Page Virus Information Library AVERT WebImmune & Submit a Virus Sample (Logon credentials required) AVERT DAT Notification Service 6 McAfee Security for Microsoft Exchange Best Practices Guide

7 Introduction Contact Information DOWNLOAD SITE Home Page Anti-Virus DAT File and Engine Updates ftp://ftp.mcafee.com/pub/antivirus/datfiles/4.x Anti-Spam Rules File and Engine Updates ftp://ftp.mcafee.com/spamdefs/1.x/ Product Upgrades Valid grant number required (contact Customer Service) HotFix and Patch Releases - For Security Vulnerabilities (Available to the public) - For Products (ServicePortal account and McAfee Technical Support grant number required) Product End-of-Life Support SOFTWARE AND HARDWARE TECHNICAL SUPPORT Home Page KnowledgeBase Search McAfee Technical Support ServicePortal (Logon credentials required) McAfee Security Alerting Service (MSAS) McAfee Security for Microsoft Exchange Best Practices Guide 7

8 Introduction Contact Information CUSTOMER SERVICE US, Canada, and Latin America toll-free: Phone: VIRUS NO or Monday-Friday, 8am-8pm, Central Time Web: MCAFEE BETA PROGRAM Download Site: to Submit Beta Feedback: TRAINING: MCAFEE UNIVERSITY WORLDWIDE OFFICES For addresses and phone numbers of worldwide offices: 8 McAfee Security for Microsoft Exchange Best Practices Guide

9 1 Introduction McAfee Security for Microsoft Exchange (MSME) protects your Microsoft Exchange server from various threats that could adversely affect the computers, network, or employees. MSME uses advanced heuristics against viruses, unwanted content, potentially unwanted programs, and banned file types or messages. It also scans: Subject line and body of the messages attachments (based on file type, file name, and file size) Text within the attachments The software also includes the McAfee Anti-Spam add-on component that protects your Exchange server from spam and phishing s. Contents How does it work Where does MSME fit in an organization How s are scanned Product features How does it work McAfee Security for Microsoft Exchange (MSME) integrates with Microsoft Exchange Server 2003/2007/2010 to scan messages for detections. Each time, an message is sent to or received from a source, MSME scans it comparing it with a list of known viruses and suspected virus-like behavior. MSME can also scan for content within the message using rules and policies defined within the software. When MSME receives an , it scans in the following order: 1 Corrupt or Encrypted content 2 File filter 3 Content scanning 4 Anti-virus Even though s are scanned in this order, if an item is detected first by the file filtering scanner, it will still be scanned for Anti-virus before being quarantined. McAfee Security for Microsoft Exchange Best Practices Guide 9

10 Introduction Where does MSME fit in an organization Where does MSME fit in an organization The following illustration provides an overview of exactly where to deploy MSME in your organization and the types of roles that you can configure. How s are scanned MSME scans an differently based-on whether it is an inbound, outbound or internal , depending on the Exchange server version. On Exchange Server 2003 Learn how s are scanned using MSME on Microsoft Exchange Server Scanning Inbound s on Exchange Server 2003 This section provides you step-by-step information on what happens to an that reaches your organization and how MSME scans it, to determine if the is clean or infected. 1 The reaches the Exchange SMTP stack on port 25, which is hosted by inetinfo.exe (IIS). 2 The event OnInboundCommand is initiated. 3 MSME ProtocolEvenSink is called which scans the for spam, phish or mail size. 4 If there is detection, it is dropped, else returned to the SMTP stack. 10 McAfee Security for Microsoft Exchange Best Practices Guide

11 Introduction How s are scanned 5 If the is clean, it is processed by Postcat sink. 6 MSME receives the same stream and scans for file filter, content, and anti-virus. 7 If there is detection, an action is taken as per the product configuration, else the is sent to Exchange store. 8 Once Exchange store receives the and before saving it to its database, it calls Anti-Virus vendor using VSAPI and scans the . 9 If there is detection, it is either replaced with a notification or deleted as per the product configuration. Scanning Outbound s on Exchange Server 2003 This section provides you step-by-step information on what happens to an that goes out of the organization and how MSME scans it, to determine if the is clean or infected. 1 The end-user sends an to an external user, using the client. 2 Once Exchange store receives the , it scans the in Outbox folder using VSAPI. 3 If there is detection, it is replaced/deleted as per the product configuration and if replaced it is submitted to Transport queue. 4 SMTP stack hosted by Inetinfo.exe receives the (Outbound mails will not be scanned for spam). 5 MSME Transport sink (PostCat) is called and scans the mail for File filtering, Content scanning, then Anti-Virus scanning and also for disclaimer addition. 6 If there is detection, it is either dropped or replaced and appropriately returned back to the SMTP stack. 7 If the is clean, it is returned back to SMTP stack for further routing. Scanning Internal s on Exchange Server 2003 This section provides you step-by-step information on what happens to an that is sent within the organization and how MSME scans it, to determine if the is clean or infected. 1 The end-user sends an to an internal user, using the client. 2 Once Exchange store receives the , it scans the in Outbox folder using VSAPI. 3 If there is detection, it is replaced/deleted as per the product configuration and if replaced it is submitted to Transport queue. 4 SMTP stack hosted by Inetinfo.exe receives the . As the communication is internal and not over port, anti-spam component will not trigger. 5 MSME Transport sink (PostCat) is called and scans the mail for File filtering, Content scanning, then Anti-Virus scanning. 6 If there is detection, it is either dropped or replaced and appropriately returned back to the SMTP stack. 7 If the is clean, it is returned back to SMTP stack for further routing. McAfee Security for Microsoft Exchange Best Practices Guide 11

12 Introduction How s are scanned 8 Exchange Mailbox server receives the . 9 Exchange store sends the to MSME scanning for VSAPI. 10 VSAPI scan the for Anti-Virus, File Filtering, and Content Scanning and takes appropriate action based on the detection. On Exchange Server 2007/2010 Learn how s are scanned using MSME on Microsoft Exchange Server 2007/2010. Scanning Inbound s on Exchange Server 2007/2010 This section provides you step-by-step information on what happens to an that reaches your organization and how MSME scans it, to determine if the is clean or infected. 1 SMTP stack hosted by EdgeTransport.exe on Edge role, receives the . 2 MSME Transport Agent (McAfeeTxAgent) scans the for spam, phish or mail size. 3 If there is detection, it is dropped, else it is returned to the SMTP stack. 4 If the is clean, McAfeeTxRoutingAgent processes it. 5 MSME receives the same stream and scans for File filtering, Content scanning and Anti-Virus scanning. 6 If there is a detection, action is taken as per product configuration. 7 MSME stamps the with AV stamp as per Microsoft specifications. 8 The is now sent to Exchange Hub server role. 9 SMTP stack hosted by EdgeTransport.exe on Hub server role, receives the MSME Transport Agent (McAfeeTxAgent) scans the for spam, phish or mail size. Only in case of EdgeSync (Edge and Hub server), the session will be authenticated where anti-spam scanning is skipped. In this case, Originator check is used for session authentication. 11 If there is detection, the is dropped else, it is returned back to SMTP stack. 12 If the is clean, McAfeeTxRoutingAgent processes it and checks for AV stamp (if any). 13 If AV stamp is present, it checks and compares with the stamp MSME forms with engine/dat on Hub server role. 14 If the stamp is different, MSME receives the same stream and scans for File filtering, Content scanning and Anti-Virus scanning. 15 (On Transport, MSME is the one that does look for AV stamp whereas on VSAPI, Exchange Store does this work and MSME will not receive a scan call if AV stamp matches.) 16 If there is a detection, action is taken as per product configuration. 17 MSME stamps the with AV stamp as per Microsoft specifications. 18 The is routed to Exchange Mailbox server role. 19 Exchange store receives the mail and before saving it to its database, checks for the AV stamp. 12 McAfee Security for Microsoft Exchange Best Practices Guide

13 Introduction How s are scanned 20 If AV stamp matches, it saves the item without scanning. 21 If AV stamp does not match, Exchange store calls Anti-Virus vendor using VSAPI and scans the If there is detection, the is replaced or deleted as per product configuration. Scanning Outbound s on Exchange Server 2007/2010 This section provides you step-by-step information on what happens to an that goes out of the organization and how MSME scans it, to determine if the is clean or infected. 1 The end-user sends an to an external user, using the client. 2 Exchange store receives the and scans it in the Outbox folder using VSAPI. 3 If there is detection, it is replaced/deleted as per the product configuration and if replaced it is submitted to Transport queue. 4 SMTP stack hosted by EdgeTransport.exe on Hub server role, receives the . 5 MSME Transport Agent (McAfeeTxRoutingAgent) scans the for File filtering, Content scanning, then Anti-Virus scanning and also disclaimer addition. 6 If there is detection, it is dropped or replaced and appropriately returned to the SMTP stack. 7 If the is clean, it is returned to SMTP stack for further routing. 8 If the is routed to Edge server role from this hub server, then: a b c d e f SMTP stack hosted by EdgeTransport.exe on Edge server role, receives the . MSME Transport Agent (McAfeeTxRoutingAgent) checks for AV stamp (if any). If AV stamp is present, it checks and compares with the stamp MSME forms with engine/dat on Edge server role. If the stamp is different then, MSME receives the same stream and scans for File filtering, Content scanning, then Anti-Virus scanning. If there is a detection, action is taken as per product configuration. MSME stamps the with AV stamp, as per Microsoft specifications on Edge server role. 9 Now the is returned to SMTP stack, hosted by EdgeTransport.exe on Edge server role for further routing. Scanning Internal s on Exchange Server 2007/2010 This section provides you step-by-step information on what happens to an that is sent within the organization and how MSME scans it, to determine if the is clean or infected. 1 The end-user sends an to an internal user, using the client. 2 Exchange store receives the and scans it in the Outbox folder using VSAPI. 3 If there is detection, it is replaced/deleted as per the product configuration and if replaced it is submitted to Transport queue. McAfee Security for Microsoft Exchange Best Practices Guide 13

14 Introduction Product features 4 SMTP stack hosted by EdgeTransport.exe on Hub server role, receives the . 5 MSME Transport Agent (McAfeeTxRoutingAgent) scans the for File filtering, Content scanning, then Anti-Virus scanning. 6 If there is detection, it is dropped or replaced and appropriately returned to the SMTP stack. 7 MSME stamps the with AV stamp, as per Microsoft specifications on Hub server role. 8 If the is clean, it is returned to SMTP stack for further routing. 9 Exchange Mailbox server receives the Exchange store checks for AV stamp and if it matches, the will not be sent to MSME scanning for VSAPI, else the is scanned for Anti-Virus, File filtering and Content Scanning by VSAPI. Product features What is new in this release Role-based installation: Intelligent built-in installer to identify the Exchange server roles on Exchange 2007/2010 and deploy the product components. Similarly, on Exchange 2003, the user is prompted with the kind of MSME installation required that is either Frontend server or backend server. McAfee Global Threat Intelligence (GTI) for message and file reputation, reducing latency time to get around with new malicious contents, by connecting to our McAfee servers. Product Health Alerts to monitor the anomalies in the product and notify either epo or Exchange administrator. Improvised content scanning using regex based searching in the data. Improvised signed mail scanning with the option to remove malicious attachments from signed mails. Mailbox exclusions Support for adding Proxy server credentials for anti-spam rule updates from the product s user interface. HTML support for disclaimers Performance improvement in areas of Mailbox, Transport and On-demand scanners Quarantined items repository is updated with: Improvised search to have more comfortable search based on regex New options to View and Forward quarantined items Building Blacklist/Whitelist sender and recipients Showing the actual phrase that triggered the content scanning rule 14 McAfee Security for Microsoft Exchange Best Practices Guide

15 Introduction Product features Features and benefits Feature McAfee Global Threat Intelligence file reputation McAfee Global Threat Intelligence message reputation McAfee Stack Upgrade Product Health Alerts Rich Notifications Role based Modification Performance Usability Additional Features Description For cloud-based real-time malware detection. McAfee antivirus technology with McAfee GTI technology blocks viruses and malicious code threats and offers real-time security using a combination of signature and behavior analysis with community threat intelligence. It drills down to find threats using advanced heuristics and generic detection. It even finds and blocks new viruses before they are detected with the latest.dat signatures. For significantly increased spam detection through our Global Threat Intelligence based cloud offering. The additional knowledge provided by McAfee Global Threat Intelligence message reputation data enables appliances and services to more accurately filter communications and protect electronic communications and transactions between people, companies and countries. Latest McAfee Agent/Engine for the best protection. Product alerts around error scenarios such as DAT/Engine download failure, Anti-Spam Rules Update failure, disk space, Safe and RpcServ down, Refer Notification section for more. Enhanced notification options such as notifying internal/external recipients and senders, HTML format support for disclaimers. McAfee Security for Microsoft Exchange will detect the modified exchange server role and required components will be added. Significant improvements in On-demand and Transport scan. Search improvements in detected items report along with regular expression support. Graphical user interface for Anti-Spam proxy settings. Restore default built-in configuration profiles from the user interface. Forward quarantined items to administrator or any address. View quarantined items from the Detected Items page. Regular expression support for Content scanning. Import or export blacklists and whitelists. Actual banned word or phrase in the detected items report. Allow/block the sender from detected items. Exclusion of Mailbox scanning. McAfee Security for Microsoft Exchange Best Practices Guide 15

16

17 2 Installation Things you must know as a best practice before you install, upgrade or deploy McAfee Security for Microsoft Exchange. Contents Supported environments Pre-installation checklist Installation scenarios Upgrade scenarios Post-installation tasks Supported environments For a complete list of McAfee Security for Microsoft Exchange 7.6 Supported environments, see KnowledgeBase article KB Pre-installation checklist Before installing McAfee Security for Microsoft Exchange v7.6 software, ensure that: [ ] Your system meets the minimum hardware and software. Refer to Hardware and Software Requirements section in the User Guide. [ ] You have the Windows administrator credentials to install the product. This account must be a Domain administrator and these credentials are required to launch the product installer. [ ] Your quarantine database is configured locally or externally (using McAfee Quarantine Manager). [ ] You uninstall any previous version of the product prior to the GroupShield xx/groupshield xxx. Note For future reference, please make a note of the Domain administrator user name and domain name:. You can directly upgrade from GroupShield xx/groupshield xxx to this release. McAfee Security for Microsoft Exchange Best Practices Guide 17

18 Installation Installation scenarios Installation scenarios Make sure that you follow these instructions as a best practice, when you install the product in any of the following scenarios. Manually install MSME or Anti-spam add-on When you install MSME or Anti-spam add-on manually on an Exchange server, make sure that you use the correct executable based on the processor architecture. Processor architecture MSME executable to use Anti-spam add-on executable to use 32-bit (x86) setup_x86.exe ASAddOn_x86.exe 64-bit (x64) setup_x64.exe ASAddOn_x64.exe Silent installation To install the product silently on an Exchange server with default settings, double-click the Silent.bat file available in the download package. To customize the installation, modify these parameters in the batch file: Silent installation Necessary parameters Parameter Value Description SET ADMIN_ _ID <admin>@<msme>.com Specify the administrator s address for notifications SET AUTO_UPDATE 1 To enable automatic updates SET INSTALL_DIR %SystemDrive%\MSME Specify the installation path SET E2003_ROLE 0 = Mailbox role 1 = Hub role 2 = Both Hub + Mailbox Specify the Exchange server role SET DB_PATH_CHANGED 1 To change the Postgres database path DATABASEDIR C:\ProgramData\McAfee\MSME\MSMEData Specify the new Postgres database location 18 McAfee Security for Microsoft Exchange Best Practices Guide

19 Installation Upgrade scenarios Install MSME on Exchange Server 2007 Single Copy Cluster (SCC) If you are installing MSME for the first time on a cluster, install it on the Active node, then install it on the Passive node. (Don t failover) In case of an upgrade, make sure that you install MSME on the Active node first, then on the Passive node. Create MSME Cluster in the same cluster group, where you have Microsoft Exchange resources configured. Install MSME on Exchange Server 2007 Data Availability Group (DAG) Make sure that you install MSME on a Mailbox role. Use the McAfee Security for Microsoft Exchange Cluster Replication Setup utility to replicate the quarantine database, policy configurations and product updates. The service used is McAfee Security for Microsoft Exchange Replication Service. Deploy MSME using McAfee epolicy Orchestrator When you perform a deployment task from McAfee epo, make sure that you select the product based on the Exchange server architecture under Product and components field. For example, select McAfee Security for Microsoft Exchange (x86)- Licensed 7.6.<build>.<package>, if you are going to deploy MSME on a 32-bit client computer. In case of a 64-bit computer, you must select McAfee Security for Microsoft Exchange (x64)- Licensed 7.6.<build>.<package> under Products and components. Upgrade scenarios You can upgrade to McAfee Security for Microsoft Exchange, version 7.6 software from: McAfee GroupShield for Microsoft Exchange McAfee GroupShield for Microsoft Exchange Before you upgrade to this release: Check Event Viewer and Product Log for any GroupShield specific errors Make sure that the quarantine database is working fine Make sure that you have taken backup of any important data, such as: Quarantine database McAfeeConfig.xml GroupShield for Exchange Registry hive Post-installation tasks After installing McAfee Security for Microsoft Exchange using any of the scenarios mentioned earlier, you must verify: McAfee Security for Microsoft Exchange Best Practices Guide 19

20 Installation Post-installation tasks If the McAfee Security for Microsoft Exchange service is running in the Services console. If instances of MSME processes such as Postgress.exe*32, RPCServ.exe*32 and SAFeService.exe*32 appear in the Task Manager Processes tab. If old GroupShield for Exchange 7.0.x policies have been migrated using the MSMEePOUpgrade.exe file (from epolicy Orchestrator). 20 McAfee Security for Microsoft Exchange Best Practices Guide

21 3 Product configurations Configure the policies and settings in your McAfee Security for Microsoft Exchange software for optimum performance. Contents Product Health Alerts Policy settings Scanner settings Exclusion settings Using Regular Expressions Default vs. Enhanced configuration settings McAfee Anti-Spam add-on component Quarantine management Manage using epolicy Orchestrator Product Health Alerts This new feature checks the health of its components, which is a continuous sub-system, running under SAFe service. It continuously monitors processes like RPC Server (Main and Scanner), Postgres and other Exchange plugins like VSAPI and Transport. Based on the product configuration, this will send notifications to the epo or domain administrator, when any of the process it monitors fails to launch or exits erroneously. It also monitors activities such as: Downloading DATs/Anti-virus Engine Downloading Anti-Spam Rules Loading Anti-virus Engine Postgres failing to quarantine or log detections Postgres database initialization failure Postgres failing to store a record On-demand scan failure Database disk space going below the threshold McAfee Global Threat Intelligence file reputation scanning failure McAfee Security for Microsoft Exchange Best Practices Guide 21

22 Product configurations Policy settings Policy settings Create policies Always create policies on Gateway servers using the SMTP addresses and on Mailbox servers using Active Directory (AD) groups. On Mailbox server, designing policies based on SMTP addresses will be very costly, as the product does not get the SMTP addresses. In order to resolve this, AD queries are made, which will slow down the performance on Mailbox servers. Scanner settings Background scanning Schedule this during non-peak hours of the day or during weekends. This should be OFF by default. If you want to enable this option, modify the values for BackgroundScanningLowerAgeLimit and BackGroundScanningAttachmentMessagesOnly settings, to get the best output. As the messages having attachments are more vulnerable and have malicious content, any viruses or executables will be replaced in this task. Content scanning This is CPU intensive and will take time to scan the contents of each attachment, hence use this feature wisely. If you want to remove all the URL s or any content based data then you should do this on Gateway servers which will not cause internal traffic to have latency. Ideally, it is better to have this on Edge server role, as this will not put Store and Hub server on load, as most of the content will get filtered out on Edge and scanning gets avoided due to AV stamp, which is used in on-access policy and in turn has content scanning filter. On-demand scanning Schedule it as a single task to scan all the mailboxes. Do not have multiple on-demand scan tasks running, as this may cause internal heap fragmentation in the Store process. MSME pulls all s for all the users mailboxes in one go, which will cause the memory to blot. On-demand user creation on Exchange Server 2010 When MSME is installed on an Exchange 2010 Mailbox Server, a user and a mailbox are created, to allow the product the ability to perform On-demand scans. This user is called GSOD_<hostname>. There will be one user or mailbox created in the organization for each Mailbox server, which has MSME installed. On-demand user access rights and permissions on Exchange Server 2010 For each database in the mailbox, On-demand user has Active Directory permissions with Send-As and Receive-as extended rights. These rights are required to open 22 McAfee Security for Microsoft Exchange Best Practices Guide

23 Product configurations Exclusion settings the mailbox, so that Exchangestoreiterator.dll can iterate through all the items in the mailbox. On-demand user has the Application Impersonation role assignment. This enables the On-demand User account to impersonate the specified user accounts and perform mailbox operations by using their rights. On-demand user can access the public folder database. On-demand user has PublishingEditor access rights. This enables on-demand user to create, read, modify, delete all items and files, and create subfolders. Proactive scanning Proactive scanning can be set as OFF, which is similar to our prescribed maximum performance configuration. Ideally, proactive scanning works before the message is saved in the Exchange database. Mail size filtering Enable or configure this option, if you want granular level filtering of s based on file size or attachment size. If Mail Size Filtering is enabled from Policy Manager On-Access (Master Policy), the filter will be triggered only when the is inbound from an external source. This filter will not work for internal and outbound s. Mail size filtering will work only on inbound s that are scanned by the Transport scanner and only when the anti-spam add-on component is installed. If you are using VSAPI scanner or do not have the anti-spam add-on, use File Filtering File Size option. For an overview on how scanning works, refer the How s are scanned section. McAfee Global Threat Intelligence (GTI) file reputation McAfee Global Threat Intelligence file reputation technology should be set as Low on Mailbox servers and High on the Gateway servers, as malicious contents enter from the internet to any organization. This will make sure that all the malicious attachments are cleaned on the Gateway and once it is AV stamped, it will reduce the load on Hub and Mailbox server. Exclusion settings Exclude all the MSME folders including quarantine database, replication folders in DAG on Exchange server 2010, MSME binary folders, Exchange binary and database. On SCC clusters, exclude the shared drive as well. For more information on exclusions, refer to the McAfee KnowledgeBase article KB McAfee Security for Microsoft Exchange Best Practices Guide 23

24 Product configurations Using Regular Expressions Using Regular Expressions Use regular expressions for performing search actions related to Content Scanning and quarantined items. For more information on how regex could be used with MSME, refer to the Regular Expressions (regex) section. Default vs. Enhanced configuration settings For maximum protection, use Enhanced settings and for maximum performance, use Default settings. Differences in Default and Enhanced configurations Feature Default Enhanced Message Reputation Not enabled Enabled Maximum nesting level Scanner TimeOut 1 minute 2 minutes GTI File Reputation Not enabled Enabled Sensitivity level = Medium Password Protected File Allow through Replace and Quarantine Protected File Allow through Replace and Quarantine File Filter Not enabled Enabled with default rule (*.exe, *.com, *.bat, *.scr) Encrypted File Allow through Replace and Quarantine Corrupted File Allow through Replace and Quarantine McAfee Anti-Spam add-on component McAfee Anti-spam works on all the exchange server versions hosting SMTP stack. For example, on Exchange server 2003 it will be on Front-end servers and on Exchange server 2007/2010 servers having Edge and Hub server roles. All s that have the spam score more than the threshold set in product user interface will be treated as spam and action is taken as per configuration settings. In larger enterprises, if you have any appliance performing the Anti-Spam operation, then DO NOT install this Anti-Spam component on Hub server. This is to avoid load on the server. If you have both Edge server and Hub server, then deploy anti-spam only on the Edge server and not on the Hub server. Doing this will improve the product s performance. 24 McAfee Security for Microsoft Exchange Best Practices Guide

25 Product configurations Quarantine management Quarantine management Configure this according to the hardware availability, which refers to the disk space where the quarantine database is located. Schedule the Purge and Optimization task monthly on servers with High spam-detection rate to keep the database growth under control. Note that, all spam s are not unwanted s. Manage using epolicy Orchestrator Make sure that the entire configuration required for all managed nodes are properly configured and enforced. If you want to enforce a different policy on a different client computer, group this computer and then enforce the policy. For example, group all Transport servers under the group Transport and Mailbox servers under the group Mailbox. McAfee Security for Microsoft Exchange Best Practices Guide 25

26

27 4 Troubleshooting Determine and troubleshoot issues while using McAfee Security for Microsoft Exchange. Learn about the available performance counters, important registry keys, and error codes associated with this product. Contents Resolve Active-sync issues Determine latency issues Important registry keys Error codes Resolve Active-sync issues To resolve active-sync issues, you must enable Proactive scanning. Use either of the following workarounds resolve the issue. Workaround 1 1 Click Start Programs McAfee GroupShield for Exchange. 2 From the Configure section in the left pane, click Settings & Diagnostics. 3 In the Microsoft Virus Scanning API (VSAPI) section, ensure that Proactive Scanning is enabled. 4 Click Apply. 5 Close the MSME console. Workaround 2 Follow this procedure only if the previous workaround fails to address the issue. 1 Open Registry Editor. [Click Start Run, type regedit and click OK] 2 Go to the following location: 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\GroupShield for Exchange 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\GroupShield for Exchange 3 Create a new DWORD DisableAutoRev from Edit New DWORD Value. 4 Double-click DisableAutoRev and set the Value data to 1. 5 Click OK. 6 Close the registry editor. McAfee Security for Microsoft Exchange Best Practices Guide 27

28 Troubleshooting Determine latency issues 7 Click Start Settings Control Panel Administrative Tools Services. 8 Right-click the service GroupShield for Exchange and select Restart. 9 Close the Services console. Determine latency issues Determine performance or latency issues using Windows Reliability and Performance Monitor, in Microsoft Windows 2003/2008 Server. To access this utility: 1 Click Start Run. 2 Type perfmon and click OK. The following tables detail the Product specific counters and their description. Microsoft Exchange Performance Counters Counter Name Messages Processed Messages Processed/sec Messages Cleaned Messages Cleaned/sec Messages Quarantined Messages Quarantined/sec Messages Deleted Messages Deleted/sec Files Scanned Files Scanned/sec Files Cleaned Files Cleaned/sec Files Quarantined Files Quarantined/sec Bytes Scanned Comments The total number of top-level messages processed The rate at which top-level messages are processed The total number of top-level messages cleaned The rate at which top-level messages are cleaned The total number of top-level messages quarantined The rate at which top-level messages are quarantined The total number of top-level messages deleted at the request of the virus scanner The rate at which top-level messages are being deleted at the request of the virus scanner The total number of separate files processed The rate at which separate files are processed The total number of separate files cleaned The rate at which separate files are cleaned The total number of separate files quarantined The rate at which separate files are quarantined The total number of bytes in all files processed 28 McAfee Security for Microsoft Exchange Best Practices Guide

29 Troubleshooting Determine latency issues Counter Name Queue Length Folders Scanned in Background Messages Scanned in Background Comments The current number of outstanding requests queued for On-access or Proactive scanning The total number of folders processed by background scanning The total number of messages processed by background scanning Standard MSME Performance Counters Counter Name Background scanning threads Background messages scanned Background messages skipped Background messages up to date External Results: Accepted External Results: Not Accepted External Results: Not present Comments Number of threads currently running background scanning Total number of messages scanned during background scanning Total number of messages skipped during background scanning Total number of messages with up-to-date virus stamps during background scanning Number of messages delivered with AV stamps that can be preserved Number of messages delivered with AV stamps that cannot be preserved Number of messages delivered without AV stamps Advanced MSME Performance Counters Counter Name Messages Scanned as MIME Messages Scanned as MIME/sec Messages Scanned as MAPI Messages Scanned as MAPI/sec Bytes Read Bytes Written Queue Length (Low Priority) Comments The total number of top-level messages processed as MIME The rate at which top-level messages are processed as MIME The total number of top-level messages processed as MAPI The rate at which top-level messages are processed as MAPI The total number of bytes read The total number of bytes written The current number of outstanding low-priority McAfee Security for Microsoft Exchange Best Practices Guide 29

30 Troubleshooting Important registry keys Counter Name Comments requests that are queued Threads Checks Satisfied by MFT Stamp Checks Satisfied by MFT Stamp/sec Checks Satisfied by Instance Stamp Checks Satisfied by Instance Stamp/sec Checks Satisfied by Master Instance Stamp Checks Satisfied by Master Instance Stamp/sec Checks Not Satisfied Checks Not Satisfied/sec Rpc latency Rpc Request The current number of threads in a thread pool used for virus scanning (the number of threads used for background scanning not included) The number of times virus scan checks were satisfied by stamp in the Message Folder Table The rate at which virus scan checks are satisfied by stamp in the Message Folder Table The number of times virus scan checks were satisfied by the instance stamp The rate at which virus scan checks are satisfied by the instance stamp The number of times virus scan checks were satisfied by the master instance stamp The rate at which virus scan checks are satisfied by the master instance stamp The number of times virus scan checks were not satisfied by any stamp The rate at which virus scan checks are not satisfied by any stamp in milliseconds averaged for the past 1024 packets is the number of client requests that are currently being processed by the store. Important registry keys Create these registry keys when the significance matches with your requirements. McAfee Security for Microsoft Exchange Important registry keys Registry Key Path Significance Name: DigestMail Type: DWORD Value: 1 Name: ODUserID Type: REG_SZ Value: [Example: HKEY_LOCAL_MACHINE\SOFTWAR E\Wow6432Node\McAfee\MSME\A DUserCache HKEY_LOCAL_MACHINE\SOFTWAR E\Wow6432Node\McAfee\MSME\E 2007 Maintains a cache of User Alias Vs SMTP address, which is used when MSME is integrated with MQM and the same address is used for Digest mail feature. Valid only for all Exchange Mailbox servers. Should be the address of the On-demand user 30 McAfee Security for Microsoft Exchange Best Practices Guide

31 Troubleshooting Error codes Registry Key Path Significance Name: EWSUrl Type: REG_SZ Value: address>/ews/exchange. asmx Name: SCLJunkThreshold Type: DWORD Default value: 4 HKEY_LOCAL_MACHINE\SOFTWAR E\Wow6432Node\McAfee\MSME\O ndemand HKEY_LOCAL_MACHINE\SOFTWAR E\Wow6432Node\McAfee\MSME\A ntispam created by the product, used for interacting with Exchange web services for getting mail data from exchange database. Valid only for Exchange 2010 Mailbox servers. This is the URL used to connect to Exchange web services hosted by CAS server. This value is populated by powershell script GetHubTxDetails.ps1 during installation and also whenever MSME service is restarted. Valid only for Exchange 2010 Mailbox servers. This is the SCL junk threshold, which is retrieved from AD and is at organization level. Any score above this value will be treated as Junk mail, which helps in Junk routing on Exchange 2007/2010 Hub servers. This value is populated by powershell script GetSCLJunkThreshold.ps1 during installation, and also after some frequency. Error codes These are codes generated by the product, that you can use for troubleshooting or while contacting McAfee Technical Support. Error codes and description Code 0x x x x x Parameter McEFAIL McEOUTOFMEMORY McEINVALIDTYPE McENOENUMINPROGRESS McESECTIONNOTFOUND McAfee Security for Microsoft Exchange Best Practices Guide 31

32 Troubleshooting Error codes 0x x x x x x a 0x b 0x c 0x d 0x e 0x f 0x x x x x x x x x x x a 0x b 0x c 0x d 0x e 0x f 0x x x McECOMPONENTNOTFOUND McEFACTORYFUNCTIONNOTFOUND McESTREAMNOTOPEN McESTREAMSEEK McEINVALIDPARAM McESTREAMREAD McESTREAMWRITE McESETSTREAMSIZE McEFILEALREADYEXISTS McEINCONSISTENTPERSISTENCEMETHOD McESUBSYSTEMNOTSUPPORTED McEINVALIDSTATE McEOBJECTNOTFOUND McEFAILEDTOCREATESYSTEMOBJECT McEXMLPARSERROR McEPOSTFIXEVALERROR McEINCOMPATIBLETYPES McENOTSUPPORTED McESUBSYSTEMDOESNOTEXIST McEPROPNOTFOUND McERECORDSETNOTOPEN McECONNECTFAILED McESTORENOTSTARTED McESTORELOCATIONNOTFOUND McEFAILEDAUTHENTICATION McESTRINGNOTFOUND McEXMLPARSEERROR McEXSDPARSEERROR McEFAILEDTOPENFILE McEUNRECOGNISEDFILETYPE 32 McAfee Security for Microsoft Exchange Best Practices Guide

33 Troubleshooting Error codes 0x x x x x x x x a 0x b 0x c 0x d 0x e 0x f 0x x x x x x x x x x x a 0x b 0x c 0x d 0x e 0x f 0x McECORRUPTFILE McECOUNTERNAMENOTFOUND McERECORDEXCEEDSMAXFILESIZE McENOMORERECORDS McEINVALIDQUERY McENOSUCHQUERYRECORD McECOMNOTINITIALISED McECANNOTCONNECTTOWEBSERVER McEINVALIDQUERYSYNTAX McESCANNERFAILEDTOLOADFACTORY McESCANNERFAILEDTOINITLOADER McESCANNERFAILEDTOLOADPOLICY McESCANNERFAILEDTOSCAN McEFILEIOERROR McEFILENOTFOUND McETOOMANYOPENFILES McEDISKFULL McEACCESSDENIED McEPERFCOUNTERSNOTSTARTED McENORPCSERVER McESERVERFAILED McESQLQUERYFAILED McETIMEOUT McEFAILEDTOLOADPOLICYXML McETASKNOTFOUND McENORECORDS McENOPOLICYID McENOSUCHRECORD McETIMEDOUT McEUNREADCALENDARITEM McAfee Security for Microsoft Exchange Best Practices Guide 33

34 Troubleshooting Error codes 0x x x x x x x x x x x x x x x x x x x x a 0x b 0x c 0x d 0x e 0x f 0x x x x x McFAILEDCREATESYSOBJECT McECASTROPHICESERVICESFAILURE McEFIREWALLCOMMSFAILURE McEFIREWALLILLEGALIPADDRESS McESYSTEMREAPERNOTSTARTED McEUNKNOWNSYSCOUNTER McEFAILEDOPENMETRICSQUERY McEFAILEDADDCOUNTER McEFAILEDINITAILIZETHREAD McEFAILEDOPENSOCKET McEFAILEDBINDTOSOCKET MCEFAILEDTOLISTENTOSOCKET MCEFAILEDTOGETPORTNUMBER McEFUNCTIONNOTFOUND McENOTSUPPORTEDONPLATFORM McEINVALIDCODEPOINT McEINVALIDUTF8CODEUNIT McEINVALIDUTF16CODEUNIT McEINVALIDUTF32CODEUNIT McEENDOFBUFFER McESAFENOTINITIALIZED McFAILEDGETHOSTINFO McEINVALIDCLIENTADDRESS McESTORECOMPACTING McEINVALIDPINGCMD McEFAILEDSENDPINGREQ McEFAILEDTOCREATECMAWRAPPER McEINVALIDIMPORTEXPORTFILE McENOSTOREDITEM McEINVALIDPASSWORD 34 McAfee Security for Microsoft Exchange Best Practices Guide

35 Troubleshooting Related KnowledgeBase articles 0x x x x x x x x McEEXCEEDSIZELIMIT McEINTERNAL McEOLDERDATS McESUBMITTEDALREADY McEWINSERVICENOTRUNNING McEMQMTRAININGDISABLED McENULLPOINTEREXCEPTION McEDUPLICATEENTRY Related KnowledgeBase articles Here is a list of all KnowledgeBase articles related to this product. For more information on how to search or find the product documentation, see Finding product documentation section. KB article# KB75555 KB75371 KB75370 KB75367 Title Security for Microsoft Exchange and virtualization Quarantined mail items are not downloaded in the original format Quarantined messages are not forwarded in.msg format s are sent to external recipients after being released from quarantine KB75197 How to roll back the DAT file version in Security for Microsoft Exchange 7.6 KB75095 KB74881 KB74131 McAfee GroupShield / McAfee Security for Exchange Web Interface fails to load Content of Security for Exchange Status Report is not ordered by date Anti-spam rule update generates event ID 2170 in the Windows Application Event log KB73997 Working with Transport Agents in McAfee Security for Exchange 7.6 KB73918 Upgrade from GroupShield Patch 1 to Security for Exchange 7.6 fails even though minimum requirements are met for upgrade KB73835 Supported environments for McAfee Security for Microsoft Exchange 7.6 KB73808 KB73806 Security for Microsoft Exchange 7.6 fails to install on Windows Server bit Edition Changes made to Security for Exchange filters under one policy affect changes to other policies for the same filter McAfee Security for Microsoft Exchange Best Practices Guide 35

36 Troubleshooting Related KnowledgeBase articles KB73783 KB73688 KB73683 Security for Microsoft Exchange cluster resource fails to come online on a Windows 2008 server Compatibility of McAfee Security for Microsoft Exchange 7.6 and Exchange 2010 SP2 McAfee Quarantine Manager 7.0 database starts growing rapidly in size KB73639 How to manually update the Anti-Spam engine in MSME 7.6 KB73431 KB73229 KB73163 KB73124 KB73113 KB72974 GroupShield/Security for Microsoft Exchange is not detecting spam (issue: authenticated connections) Security for Exchange local update task gets overwritten by epo policy enforcement Security for Microsoft Exchange compatibility with epo running IE9 or Firefox 7.0 The Minimum Escalation Requirement (MER) tool shows an incomplete list of McAfee products Security for Exchange 7.6 anti-spam activation module fails to update the evaluation license on a Windows 2008 server CorelDRAW Parser Buffer Overflow Vulnerability and McAfee Security for Microsoft Exchange 7.6 KB72702 How to add or remove McAfee Event Sinks from IIS with MSME 7.6 KB72648 KB72647 KB72646 KB72543 KB72542 KB72539 KB72522 KB72503 KB72502 KB69349 The Notifications template for internal senders and recipients still shows GroupShield for Exchange instead of Security for Exchange If the anti-spam component is activated after expiry of the evaluation period, spam and phish are not scanned Spam is not being routed to the user junk folder intermittently on a Microsoft Exchange 2003 server You are prompted to type the SQL Named Instance of the epo server during an upgrade of GroupShield to Security for Exchange Security for Exchange 7.6 is not supported on Chinese Traditional and Korean languages Warning messages in bodies do not display correctly with Security for Exchange 7.6 Uninstallation of the Security for Exchange Anti-Spam component fails via epo items containing localized characters are not displayed correctly in Detected items when viewed through Internet Explorer Cannot open the Sitelist Editor after installing or upgrading to Security for Exchange 7.6 SaaS uninstaller is not able to remove McAfee Security Service for Exchange 36 McAfee Security for Microsoft Exchange Best Practices Guide

37 Troubleshooting Related KnowledgeBase articles KB67525 KB67514 KB67505 KB67504 KB67503 KB67492 KB67491 KB67580 KB67543 KB67519 KB67042 KB67527 KB67539 KB67533 KB72500 KB72496 KB72495 KB72494 KB72493 KB72492 Write-ahead transaction logs take up excessive space with Security Service for Exchange Postgres database processes fail to start with Security Service for Exchange After a successful DAT or Engine update with Security Service for Exchange 7.0, the DatDate registry entry is not updated Disclaimers are not applied to outbound with Security Service for Exchange messages released from the Security Service for Exchange 7.0 quarantine database are in.eml format instead of.msg It is not possible to download infected items from the McAfee Security Service for Exchange 7.0 quarantine database McAfee Security Service for Exchange fails to quarantine infected messages on Microsoft Windows 2008 Server GS7MESData folder in the Security Service for Exchange database location rapidly increases in size Security Service for Exchange 7.0 Web User Interface (WebUI) compatibility issue with Microsoft Internet Explorer 8.0 INTERNAL - ERROR: Unable to find any Qualifying Products (when trying to update McAfee Security Service for Exchange using a SuperDAT) Security Service for Exchange Release Notes (Master List) Security Service for Exchange 7.0 Release Notes (Addendum) Slow processing of after starting the Security Service for Exchange 7.0 service RPCServ.exe uses excessive CPU time when the Security Service for Exchange service is started on an Exchange 2003 Mailbox server MQM does not push information to Security for Exchange after upgrading from GroupShield for Exchange Content Scanning Rules are ignored when importing an MSME 7.6 configuration file from another MSME 7.6 installation DAT folder fails to copy during upgrade when the GroupShield for Exchange resource points to a volume mount-point In Exchange 2003 Cluster environments the startup type of the MSME 7.6 service changes to Automatic when the installer is modified GroupShield for Exchange is installed when deploying Security for Exchange via epo The AutoUpdate task fails to run during Security for Exchange deployment from epolicy Orchestrator McAfee Security for Microsoft Exchange Best Practices Guide 37

38 Troubleshooting Related KnowledgeBase articles KB72491 KB72489 KB72488 KB73007 KB73804 KB73188 KB73363 KB70380 KB70130 KB73024 KB74104 The repair option in the Security for Microsoft Exchange installer does not repair the corrupt configuration Spurious Postgres errors are logged in the Application event log after installing Security for Exchange The Microsoft Exchange Database Resource remains in a stopped state after upgrading to MSME 7.6 messages quarantined by Security for Microsoft Exchange 7.6 are released in.eml format instead of.msg format The Anti-Spam Rule Updater service is not present after installing Security for Microsoft Exchange 7.6 McAfee Transport Agents are loaded but spam is not being scored and not detected Older DATs are not deleted when MSME DAT files are updated via McAfee Agent or VirusScan Enterprise Update Tasks Issue with DAT 6682 and McAfee products How to enable Global Threat Intelligence Technology in your McAfee product Detected Items in Security for Exchange 7.6 show a Display Name instead of an SMTP address and cannot be released from quarantine McAfee Security for Microsoft Exchange fails to quarantine items and the console fails to open (Postgres database is corrupt) KB68003 Spam is not routing to the User Junk Folder on Exchange Server 2010 KB74026 Error 1722 (when installing Security for Exchange 7.6) KB74170 KB67003 KB66909 KB73699 KB72026 KB72025 KB66326 KB73008 KB Engine (Beta) support for Security for Exchange 7.6 and GroupShield for Exchange 7.0x When an item is detected by GroupShield/Security for Exchange with an action to replace item with an alert, the item is deleted instead (Transport Level scanning) VirusScan Enterprise exclusions (Master Article) How to add exclusions for specific Packer types in McAfee Security for Exchange 7.6. Security for Microsoft Exchange Release Notes (Master List) Security for Microsoft Exchange Release Notes (Addendum) The GroupShield/Security for Exchange interface fails to open (modifications made to system Hosts file) How to enable eservices scanner debug logging in McAfee Security for Microsoft Exchange 7.6 The operation failed with error (Quarantine database/postgres issue in Security for Exchange) 38 McAfee Security for Microsoft Exchange Best Practices Guide

39 Troubleshooting Related KnowledgeBase articles KB51471 KB55595 VirusScan Enterprise / SaaS Endpoint Protection exclusions for Exchange Server 2007 and 2010 when running Security for Exchange / GroupShield for Exchange VirusScan Enterprise / SaaS Endpoint Protection exclusions for Exchange Server 2003 when running Security for Exchange / GroupShield for Exchange KB73025 How to enable Debug logging in McAfee Security for Microsoft Exchange 7.6 KB73598 KB54890 KB59415 KB74691 KB74202 KB72925 Product version information for Security for Microsoft Exchange Disclaimer Addition within McAfee Point Products How to submit spam and phishing samples to the McAfee Spam Analysis Team How to manually roll back the Anti-Virus Scanning Engine in Security for Exchange How to manually roll back the Anti-Virus Scanning Engine in McAfee Security for Microsoft Exchange 7.6 Security for Exchange does not scan the contents of Microsoft Outlook.PST files McAfee Security for Microsoft Exchange Best Practices Guide 39

40 A Appendix Frequently asked questions Provides answers to common situations that you might encounter when installing or using the product and contains troubleshooting information in the form of frequently asked questions. Contents Installation Policy Manager Settings & Diagnostics Anti-spam add-on General Installation Where can I find systematic instructions on how to install this product? Refer the McAfee Security for Microsoft Exchange Installation Guide. How do I install the product silently? Execute the Silent.bat file in the download package. For information on customization, see Silent installation section. What is the supported epolicy Orchestrator version? McAfee epolicy Orchestrator 4.5 or later What is the supported McAfee Agent version? McAfee Agent 4.5 or later On what port does the MSME configuration replication works? This service does not work on Ports, but keeps monitoring the folders that are set by administrator using replication user interface. Do I have to consider anything special while upgrading to MSME 7.6 from GroupShield for Exchange 7.0.x in a CCR or DAG environment? No considerations. Follow the standalone installation steps. Policy Manager How do I create and use policies? Always create policies on gateway servers using the SMTP addresses and on mailbox servers using Active Directory (AD) groups. On Mailbox server, designing policies based on SMTP addresses will be very costly, as the product does not get SMTP addresses and in order to resolve the same, AD queries are made. Doing this will slow down the performance on the Mailbox servers. McAfee Security for Microsoft Exchange Best Practices Guide 40

41 Troubleshooting Related KnowledgeBase articles Do domain names in policies affect performance? Yes. For detailed explanation, refer previous question How do I create and use policies. How does policy priority work? Whenever a child policy gets satisfied first, based on the priority of resolution, the next policy is never evaluated. Is it beneficial to have multiple policies and will it affect the server performance? Yes, this will affect performance. During policy evaluation, when the first child policy is not satisfied and next policy is evaluated, there may be AD queries which might have to be made, resulting in slow performance. How do I configure MSME to block executable files at a granular level? You can do this using the File Filtering option. For example, let us see how to filter specific executable files such as the Windows executables. 1 Log on to the MSME user interface and click Policy Manager On-Access (Master Policy). 2 Under Core-Scanners, click File Filtering and enable this option. 3 Under Options (Core Anti-Spam Settings), click Edit. 4 Under Available rules drop-down list, select <Create a new rule >. 5 Specify a rule name and under File category filtering, select Enable file category filtering. 6 From File categories list, select Other specific formats. 7 From Subcategories list, select Windows Executables. 8 Click Save. Settings & Diagnostics What type of file is detected as Packers or PUPs, and from where I can control this setting? Packers and PUPs belong to the malicious content category that is detected based on the category. Packers generally are files that is compressed or packed using some algorithm and then get de-compressed on execution. Control this setting from Anti-Virus settings in the product s user interface. Can I export the Blacklists and Whitelists from one MSME server to another? Yes, you can export the blacklists and whitelists from one MSME server to another. To do this: 1 Log on to the MSME user interface and click Policy Manager Gateway (Master Policy). 2 Under Core-Scanners, click Anti-Spam. 3 Under Options (Core Anti-Spam Settings), click Edit. 4 Click Mail Lists tab, and then click Export to save all Blacklisted and Whitelisted senders/recipients to a CSV file. McAfee Security for Microsoft Exchange Best Practices Guide 41

42 Troubleshooting Related KnowledgeBase articles Does enabling McAfee GTI cause latency? Yes, there will be latency due to the validation by GTI. How do I verify if Transport scanner is scanning for spam s? You can verify this from the product s user interface in either of the following ways: From the Recently Scanned items page, see the mails scanned and check the policy used to scan the . It should show Gateway under Scanned by field. From the Detected Items database, check if there are any spam s detected. Finally verify if the s are not through authenticated sessions, which is logged under MSME Debug Logs. Anti-spam add-on How do I update the Anti-spam engine manually? Update registry key and place the new engine on the specified directory which is entered in registry under SpamEngineVersion registry key under MSME\SystemState registry. These two values should be in-sync. For example, if the engine version is 7793, create a directory with the name 7793 under MSME\Bin\AntiSpam\Engine and copy the engine file masecore.dll to this directory. Can I edit the Anti-spam rules manually? No. What should I consider before adding an address to the Blacklist? Make sure that McAfee Anti-Spam add-on component is installed. The Microsoft Exchange server must be a Transport server. For example, have an Exchange server in Edge/HUB role and Exchange server 2003 in the frontend. Have an un-authenticated connection, where s reach the server directly from internet. How do I blacklist or whitelist an address? 1 Log on to the MSME user interface and click Policy Manager Gateway (Master Policy). 2 Under Core-Scanners, click Anti-Spam. 3 Under Options (Core Anti-Spam Settings), click Edit. 4 Click Mail Lists tab and then click Add for the required options such as Blacklisted or Whitelisted senders/recipients. What should I do when few s are not being detected as spam? From Settings & Diagnostics Anti-Spam page, select Enable message reputation and apply the settings. Also, adjust the spam score to a value between 51 and 79, which will help with the detection rate. Note that s with a lower spam score (51 59) could still be legitimate, so tweaking the score is required. 42 McAfee Security for Microsoft Exchange Best Practices Guide

43 Troubleshooting Related KnowledgeBase articles Where can I get the Anti-spam add-on license? You can download the "asa.zip" from the McAfee download site, if you have valid Anti-spam grant number. If you do not have a valid Anti-spam grant number, call the McAfee Customer Service team. Regular Expressions (regex) Does enabling regex cause latency? Yes, enabling regular expression causes latency, as Content Scanning is a process intensive configuration. Where do I find more information on regex? Several websites on the internet provide information on regular expressions. To name a few, see: How do I block certain Credit Card numbers and Social Security numbers using regex? 1 Log on to the McAfee Security for Microsoft Exchange user interface and perform the following steps: 2 Click Policy Manager Shared Resource. The Shared Resources page appears. 3 Under Filter Rules tab, click New Category and specify a category name. 4 Click OK. 5 Under Content Scanner Rules, click Create New. 6 Specify the Rule Name, Description and under Word or Phrase specify the regular expression. Example: How to validate Credit Card Numbers Card type Regular Expression Description Visa ^4[0-9]{12}(?:[0-9]{3})?$ All Visa card numbers start with number 4. New cards have 16 digits. Old cards have 13. MasterCard ^5[1-5][0-9]{14}$ All MasterCard numbers start with the numbers 51 through 55. All have 16 digits. American Express ^3[47][0-9]{13}$ American Express card numbers start with 34 or 37 and have 15 digits. Diners Club ^3(?:0[0-5] [68][0-9])[0-9]{11}$ Diners Club card numbers begin with 300 through 305, 36 or 38. All have 14 digits. There are Diners Club cards that begin with 5 and have 16 digits. McAfee Security for Microsoft Exchange Best Practices Guide 43

44 Troubleshooting Related KnowledgeBase articles Card type Regular Expression Description These are a joint venture between Diners Club and MasterCard, and should be processed like a MasterCard. Discover ^6(?:011 5[0-9]{2})[0-9]{12}$ Discover card numbers begin with 6011 or 65. All have 16 digits. JCB ^(?: \d{3})\d{11}$ JCB cards beginning with 2131 or 1800 have 15 digits. JCB cards beginning with 35 have 16 digits. Based on the example mentioned above, you can also create a similar regular expression for Social Security numbers. For more examples on regular expressions, refer 7 Select the Regular Expression option and click Save. 8 Add this to the Content Scanning policy in Policy Manager by clicking Policy Manager On-Access (Master Policy) Content Scanning. 9 Under Activation, select Enable. 10 Under Content Scanner rules and associated actions, click Add rule. 11 Under Select rules group, select the regex rule that you created earlier from the drop-down list. 12 Specify the action to take, when the rule is triggered. 13 Click Save. General Can delivery be prioritized? No. It cannot be prioritized, as this is an Exchange server task. If an is scanned in the HUB server, will it be scanned in the Mailbox server? It depends. If the scanned on the HUB server has the same Anti-Virus (AV) stamp, then it will not be scanned on the Mailbox server. If the AV stamp differs either in terms of AV vendor or in terms of Engine/DAT version, it will be scanned on the Mailbox server. Why should I use "Run as administrator" option in Windows 2008, to open the MSME user interface? Due to security reasons, MSME will not be able to communicate with the RPC servers. This is due to the SID having no permission to do IPC with RPC process. 44 McAfee Security for Microsoft Exchange Best Practices Guide

45 Troubleshooting Related KnowledgeBase articles Under which executable does the scanning modules of MSME gets loaded across all Exchange versions? The RPCServ.exe process loads all the scanning binaries. To find the process id of the scanner process, check the command line in Task Manager and see which RPCServ.exe process has the command line parameter: /EVENTNAME:Global\MSME_scanner_RPCEvent What is the optimum McAfee Security for Microsoft Exchange configuration? The configurations are for Enhanced protection and Maximum performance. Use Maximum performance as the default configuration. What should I exclude if MSME and a file level anti-virus is installed on the same server? Exclude all the MSME binary folders and sub-folders, Postgres database, Replication folders, Exchange folders, epo event folder, and product log. Where can I find more information about Security? For product solutions on security, go to: McAfee Security for Microsoft Exchange Best Practices Guide 45