ScanMail 5.1—Your Name's on Everyone's Lips
The newest crop of Exchange antivirus products prevents users from receiving infected mail.
- By Roberta Bragg
Ask any Exchange admin, security analyst, information system auditor,
or network admin worth their salt and, whether they use it or not, they've
heard of ScanMail. ScanMail 5.1 uses the Antivirus API 2.0 to add new
features. This rainy Saturday I got to take it for a spin.
Installation's a snap. 5.1 requires Win2K SP1 or above (I used SP2) and
Exchange 2000 SP1. A wizard steps you through the installation process.
Want to install on multiple servers and place admin modules on your desktop?
No problem. Just select the servers and the workstation and identify which
modules to install. (You must, of course, have appropriate permissions
to do so.) The basic product comes with three modules: ScanMail Core Module
(the engine) and two management modules, ScanMail Management Console (SMMC)
and ScanMail Web Console. ScanMail also advertises that it is cluster
and multi-processor aware.
Documentation is straightforward, informative and useful. On-line help
provides the basics. The only thing missing is the 'why this is important',
'how to use this to your advantage' stuff, but hey, you can connect
the dots, right?
All the basics are here. You can count on ScanMail to scan attachments,
message body, and files sent or replicated to public folders. Scanning
on demand and automated downloading of new patterns are both available.
Identified malware can be cleaned, quarantined, ignored or deleted. Compressed
attachments can be recursively scanned to 20 layers of compression. Detailed
logs are provided. Much of this is configurable.
But here's the good stuff. The Antivirus API 2.0 added new capabilities, and
ScanMail takes advantage of them:
Scanning can be done on messages (body and attachments) entering
and leaving servers as well as on the Information store. Infected attachments
and/or blocked attachment types are deleted or quarantined. The message
is left alone.
Alerts can be emailed to designated individuals (administrators, sender,
recipient) when a virus is found.
More information can be gleaned from an infection, so ScanMail, when it
ferrets out the bad guys, can email your designated chief virus officer
the details she needs. She'll know which message was affected, where it
came from and whom it was going to. She'll also find the information in
Statistics are exposed in the Performance Monitor tool as described below.
Red Alert, a configurable file blocking utility, can help you bridge
the gap between the discovery of a new virus outbreak and the availability
of a pattern to block it, or in fulfilling security policies which require
the blocking of known potential problem attachments. Simply enter the
extensions of file types you wish to block, and they'll be plucked from
messages faster than Krispy Kreme Donuts at a Microsoft conference.
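The extension blocking and the 20-layer recursive archive check described above can be sketched as follows. This is an added example, not ScanMail's code: the block list, the function names, and the choice to block an archive nested past the limit are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".vbs", ".scr", ".pif")  # constructed block list, not a vendor default
MAX_DEPTH = 20                          # nesting limit quoted in the review

def verdict(name, data, depth=0):
    """Return 'block' or 'pass' for one file, recursing into zip archives."""
    if name.lower().endswith(BLOCKED_EXT):
        return "block"
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return "block"  # assumption: fail closed once the limit is reached
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if verdict(info.filename, zf.read(info), depth + 1) == "block":
                    return "block"
    return "pass"

def strip_blocked(raw):
    """Drop blocked attachments, leave the rest of the message alone."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or ""
        if verdict(name, part.get_payload(decode=True) or b"") == "block":
            msg.get_payload().remove(part)
            removed.append(name)
    return msg, removed

def make_zip(members):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def sample_message():
    """Constructed mail: one text attachment, one zip hiding a .vbs two layers down."""
    inner = make_zip({"invoice.vbs": b"harmless placeholder"})
    msg = EmailMessage()
    msg.set_content("Body text stays untouched.")
    msg.add_attachment("notes", filename="notes.txt")
    msg.add_attachment(make_zip({"readme.txt": b"hi", "inner.zip": inner}),
                       maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```

A production filter would also cap the uncompressed size it is willing to read from each archive member, which this sketch leaves out.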
When it finds a virus, ScanMail sends full details, including
sender, recipient, and subject, to the administrator. It can move
attachments to quarantine and then deliver the cleansed message.
In addition to the SMMC, ScanMail includes several utilities. There's a
server status pop-up that indicates the scanner is healthy, a Real-time
Scan Monitor and a Performance Monitor.
The Real-time Scan Monitor indicates how long the scanner's been up,
its default action on identified viruses, and basic statistics on messages
scanned, infected attachments and viruses found. The bottom half is a
real-time window into the logs; here you'll see a line for each message
scanned. Watching this is like watching the clothes tumble in the large
Laundromat dryers on Saturday afternoon: not much future in it, but
it keeps the wee ones and the weird ones mesmerized.
Performance Monitor is a customized Win2K Performance Log and Alert console
with the new Exchange 2K SP1 counters selected. These counters are meant
to provide admins with useful information such as the total number of
messages processed by the scanner, how many per second, how many messages
have been processed, cleaned and quarantined both cumulatively and per
second. You'll also see how many separate files are processed. Tracking
these counters over time provides evidence of normal and siege circumstances.
Developing alerts based on them should help admins swing into defensive
mode on the cusp of new virus plagues, not in their aftermath.
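One way to turn such counter readings into an alert that separates normal from siege conditions is shown below. This is an added example, not part of ScanMail or the original article: the function name, parameters and sample readings are constructed, and the input is assumed to be periodic readings of one per-second counter such as infected attachments found.

```python
from statistics import median

def siege_alerts(samples, window=12, factor=4.0, floor=1.0, sustain=3):
    """Return the indices at which a sustained spike is first confirmed.

    The baseline is the median of the last `window` readings that were not
    breaches, so an outbreak cannot drag its own threshold upward. `floor`
    keeps the threshold usable on a quiet server whose baseline is near zero.
    """
    history, alerts, streak = [], [], 0
    for i, value in enumerate(samples):
        if len(history) < window:
            history.append(value)  # still learning what normal looks like
            continue
        threshold = max(median(history[-window:]) * factor, floor)
        if value > threshold:
            streak += 1
            if streak == sustain:  # fire once per outbreak, not once per sample
                alerts.append(i)
        else:
            streak = 0
            history.append(value)
    return alerts

# Constructed readings: quiet baseline, a one-sample blip, then a real outbreak.
SAMPLES = [0.2, 0.1, 0.3, 0.2, 0.2, 0.1, 0.2, 0.3, 0.2, 0.1, 0.2, 0.2,
           3.0, 0.2, 0.3, 2.5, 4.0, 6.5, 7.0, 0.2]
```

With the default `sustain=3` the single blip at index 12 is ignored and the outbreak is confirmed on its third consecutive high reading.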
Let's face it, this product gets tested mega times a day on huge
networks so I'm hardly going to add much to its score. So what can one
day in operation tell me about ScanMail's effectiveness in the real world?
Not much. But I was able to see it respond to infected attachments and
Setting up a test was not all that easy. There are lots of viruses in
the wild and you might think attracting them to be just about as hard
as offering bare flesh to mosquitoes during a summer evening at the swimming
hole. It's not. So where does a responsible security evangelist go to
get virus code? (Note to editors: don't print my email address on this
It turns out that it's easy to download files which will start those
alarm bells ringing and yet not harm your system should things get out
of control. I found some in about 5 seconds, and not at some shady
site that stockpiles toxic code, either. For more information see the
sidebar "Antiviral Scanner, This is Roberta, Are You Working?"
Have I got you salivating like two Dobermans who've trapped the mailman
inside their fence? No? Well, not even a teensy bit? That's better. Maybe
this product is not the answer to every potential new infectious concoction,
but it should gobble up a large number of them and spit out the bones.
I'd trust it to be a part of my preventative medicine program.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.