Product Reviews

McAfee GroupShield 5.0—The CDC for Exchange

The newest crop of Exchange antivirus products prevents users from receiving infected mail.

Network Associates provides a complete range of anti-virus software for desktops, servers, e-mail and Internet gateways. With the advent of SP1 for Exchange 2000, they released GroupShield 5.0 which can fully exploit Microsoft's Antivirus API 2.0. I received a copy less than a week after the upgrade and the code was still warm on the CD.

Installation
The program requires Windows 2000 Service Pack 1 and Exchange 2000 with Service Pack 1. It can be run as a new install or as an upgrade from 4.5. It can be installed in a single-server environment or on a server cluster. Installation is straightforward and run by a wizard, though I found it a bit slow (20 minutes to get through the whole installation process on a P3-800).

The installation doesn't require any user intervention except for agreeing to the EULA and determining the path. As soon as the installation is complete, the user is prompted to register the product and then led to the configuration manager. As can be expected, GroupShield includes the McAfee Active Virus Defense scanning engine. GroupShield can be configured and managed remotely from any machine equipped with the Exchange System Manager, not just the Exchange Server(s).

Documentation
The product was so new that I didn't receive a hardcopy manual, but I was able to access the 292-page Administrator's Guide from the McAfee website. The manual is comprehensive but didn't contain a troubleshooting section. It seems the folks at Network Associates are extremely confident. Then again, this was the Administrator's Guide—there might be a 300-page troubleshooting manual I wasn't told about. (McAfee does, however, have a useful online help section and a good support section at its website as well.)

Provisions
I've been using McAfee products for a little over eight years. They are rugged, reliable and dependable. GroupShield does what you'd expect. The program is tightly integrated with Exchange 2000 and uses Antivirus API 2.0 to intercept and scan e-mail attachments and files sent or replicated to public folders and mailboxes. Scans can be set to On Demand, On Access or scheduled (part of "on demand") for periods of low server usage. A special console allows administrators to monitor the progress of an on demand scan. GroupShield also includes an incremental scanning option, designed to lessen server load, that scans only new or changed files in mailboxes and public folders.

The program happily scans whatever attachments the administrators opt for—from executables to compressed programs to files selected by extension. GroupShield can also be configured to hunt down all macros and delete them from the attachment, or to quarantine the whole message for review. It can also intercept encrypted messages, inbound or outbound; alternatively it can let them all through, or let through only those to and from selected sources. GroupShield also allows for selective blocking by extension, filename and subject line, and can send blocked files to a quarantine location. The quarantine location can be either a database or a directory.

On-demand or automated downloading of updates for the virus database is available. When GroupShield finds "malware" the administrator has the option of having it cleaned, deleted or quarantined. Notifications can be suppressed or sent to any combination of administrator, recipient and sender, using an editable template that tells the recipient what was done to the message and why (infected, blocked, encrypted).

The VSAPI tab on the Configuration Properties console makes available a number of VSAPI 2.0 related virus scanning options:

Proactive scanning, which is "on" by default, places incoming items in a queue for scanning when resources are available, thus reducing the load on the background and on-access scanners.

Background scanning, off by default, looks at each mail item for a version stamp. If the item has no stamp or the stamp is older than the current version, the item is scanned. Background scanning has several advantages: scanning occurs when the CPU is otherwise idle, and items, once scanned, don't need to be rescanned when they are accessed. Once it starts, though, background scanning can't be switched off except by unmounting the information store or by unloading and disabling the GroupShield Exchange on-access scanner.

Version updating (auto-revving the *.DAT version) automatically increments the version number after a successful *.DAT update. If background scanning is on, it will start to scan automatically because of the version change. Auto-revving *.DAT files after an update ensures that items will be rescanned by the background or on-access scanner when, and only when, the version stamp indicates it's necessary.

Scanning of plain text message bodies is available. This option is switched on and cannot be disabled. The scanning of *.RTF message bodies is an option that must be switched on (its default state) in order to block *.RTF messages (body and attachment) by subject-line content.

Outbreak Manager
Outbreak Manager is one of GroupShield's most impressive features. It's a continuous monitor that looks for suspicious activity and triggers a series of responses. The goal is to contain the outbreak before it gets out of hand. I have a master's in epidemiology and have been working in disease control for several years—the methodology here is right out of the textbook.

Depending on the anti-virus software being used, Outbreak Manager can be set to look for suspicious occurrences such as multiple viruses within a specified time period, multiple identical viruses within a specified time period, and multiple identical items within a specified time period. In other words, things that shouldn't happen under normal conditions.

Administrators can set rules to govern what happens when Outbreak Manager detects any of the above. You can configure Outbreak Manager to send an alert and await user intervention as to what to do next. It can also be configured to automatically perform actions (such as sending alerts, deleting files, updating the anti-virus definition files or temporarily shutting down the mail server) based on rules you set. Escalation times can be configured for separate actions so that the response becomes incrementally more robust if, and only if, the initial responses fail and the outbreak continues unabated.
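As an added illustration (not code from the review or from McAfee), the following Python sketch models the three Outbreak Manager triggers described above as a sliding-window monitor, plus an escalation ladder that only advances to a stronger response if a rule is still tripping after the previous response has had time to work. The window length, threshold, escalation interval and the scan events are all constructed values, not taken from the product.

```python
from collections import Counter, deque
# Constructed scan events, not from the review:
# (seconds since start, detected virus name or None, attachment name)
EVENTS = [
    (10, "W32/Foo", "invite.exe"),
    (25, "W32/Foo", "invite.exe"),
    (40, "W32/Bar", "photo.scr"),   # third detection inside the window
    (55, "W32/Foo", "invite.exe"),  # same virus and same item seen three times
    (80, "W32/Foo", "invite.exe"),  # still going after the alert
    (400, "W32/Foo", "invite.exe"), # earlier events have aged out of the window
]
ESCALATION = ["alert", "update_dats", "stop_mail"]  # each step used only if the previous one failed

class OutbreakMonitor:
    def __init__(self, window=300, threshold=3, escalate_after=30):
        self.window, self.threshold = window, threshold  # seconds of history; count that is "multiple"
        self.escalate_after = escalate_after             # seconds before a stronger response is tried
        self.events, self.level, self.last_action = deque(), -1, None

    def observe(self, t, virus, item):
        """Record one scan result and return the Outbreak Manager rules it trips."""
        self.events.append((t, virus, item))
        while self.events and self.events[0][0] < t - self.window:
            self.events.popleft()         # drop events outside the window
        viruses = [v for _, v, _ in self.events if v]
        items = [i for _, _, i in self.events]
        tripped = []
        if len(viruses) >= self.threshold:
            tripped.append("multiple_viruses")
        if virus and Counter(viruses)[virus] >= self.threshold:
            tripped.append("identical_viruses")
        if Counter(items)[item] >= self.threshold:
            tripped.append("identical_items")
        return tripped

    def respond(self, t, tripped):
        """Escalate only if a rule still trips escalate_after seconds after the last step."""
        if not tripped or (self.last_action is not None and t - self.last_action < self.escalate_after):
            return None                   # nothing tripped, or the last response still has time to work
        self.level = min(self.level + 1, len(ESCALATION) - 1)
        self.last_action = t
        return ESCALATION[self.level]

def run(events):
    """Feed events through one monitor; return the (time, action) responses taken."""
    mon = OutbreakMonitor()
    responses = ((t, mon.respond(t, mon.observe(t, v, i))) for t, v, i in events)
    return [(t, a) for t, a in responses if a]
```

Feeding the constructed events through `run` yields an alert at the third detection and an escalation to a definition update when the same virus keeps arriving 40 seconds later; the event at 400 seconds trips nothing because the earlier ones have aged out.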

Logs and Monitoring
GroupShield comes complete with a full range of logging options covering every aspect of the product's operation, from scanning logs to Outbreak Manager summaries. The McAfee Log Manager allows you to track every significant anti-virus event on the system, from when scans were initiated to what viruses and suspicious activities were detected and where. Monitoring of e-mail traffic and virus detection rates is done using the GroupShield Exchange Object in the Windows 2000 Performance Monitor.

Figure: GroupShield provides instant notification when it detects a virus.

Testing
As you would expect, GroupShield was effective at nailing the domesticated virus code available from EICAR. It also identified all of the wild viruses that were fed into the system. This was probably a billionth of the actual testing that GroupShield gets subjected to every day in the "real world."

The one thing that could be held against GroupShield was its speed: it took longer to process an e-mail message than the other products tested, up to twice as long as both Mail essentials and SecuriQ.

Summary
McAfee's GroupShield is exactly what you would expect it to be: a solid, reliable product with enough robustness to ensure that it will not let you down as long as you remember to maintain it. If it lacks other bells and whistles such as content checking, anti-spamming and the like, that's by design. This is an anti-virus defense product and that's all it claims to be.


Reader Comments:

Wed, Mar 30, 2005 Chip California

Great article. I can agree with Fat Tony's comment about the product in the past. It was a pain, but if you babysat it things were good. I too have worked with the latest versions and found them to be very impressive. I understand GroupShield has a semi-new dev team and I would like to openly congratulate them on a job well done with GroupShield 6.0. My testing has placed it ahead of Trend and Symantec on performance and catch rate. If you haven't tried GS 6.0 then you really need to step up and get yourself a copy. Truly awesome product.

Sat, Mar 19, 2005 mike tel aviv

Works great. I'd highly recommend it as well as Webshield which is very impressive.

Wed, Jun 18, 2003 Anonymous Anonymous

If the product is configured correctly and you have done the basics, it works like a rocket. We have had it running in our environment for 4 years and it hasn't let us down once.

Thu, Jan 2, 2003 KRW Anonymous

Has always performed very well for me. I'm up to 5.2 now.

Mon, Oct 7, 2002 Anonymous Anonymous

jk

Fri, Jul 5, 2002 Ed Anonymous

Works fine and does the job, apart from the fact that it will not send the ticket information to the sender (external); it just sends it twice to the recipient. Very annoying but good product.

Thu, May 23, 2002 Fat Tony Anonymous

David, this must be the only Exchange AV solution you have ever tried. Groupshield 4.5 caused big problems on our IMC; hopefully v5 fixes that. It's better than Norton, but isn't in the same class/cost as Trend.

Sun, May 12, 2002 Anonymous Anonymous

I had the latest version of Groupshield as well as the latest dat files installed on my Exchange server. Immediately it started picking up the klez virus. Four days later my entire network went down, including my e-mail server. The day before it went down, Groupshield detected about a dozen virus-containing messages. When we finally got it back up and ran Trend Micro's Scanmail on it, there were 218 infected messages in the queue waiting to go into the mailboxes.

Sat, Dec 1, 2001 J Roberts UK

Hope they fixed the problem with the updates requiring a reboot or all attachments getting stripped; kind of makes the auto update a bit pointless.
