McAfee GroupShield 5.0—The CDC for Exchange
The newest crop of Exchange antivirus products prevents users from receiving infected mail.
Network Associates provides a complete range of anti-virus software for
desktops, servers, e-mail and Internet gateways. With the advent of SP1
for Exchange 2000, they released GroupShield 5.0 which can fully exploit
Microsoft's Antivirus API 2.0. I received a copy less than a week after
the upgrade and the code was still warm on the CD.
The program requires Windows 2000 Service Pack 1 and Exchange 2000 with
Service Pack 1. It can be run as a new install or as an upgrade to 4.5.
It can be set into a single server environment or a clustering server.
Installation is straightforward and run by a wizard, though I found it
to be a bit slow (20 minutes to get through the whole installation process
on a P3-800).
The installation doesn't require any user intervention except for agreeing
to the EULA and determining the path. As soon as the installation is complete,
the user is prompted to register the product and then led to the configuration
manager. As can be expected, GroupShield includes the McAfee Active Virus
Defense scanning engine. GroupShield can be configured and managed remotely
from any machine equipped with the Exchange System Manager, not just the
The product was so new that I didn't receive a hardcopy manual,
but I was able to access the 292 page Administrator's Guide from the McAfee
website. The manual is comprehensive but didn't contain a troubleshooting
section. Seems the folks at Network Associates are extremely confident.
Then again this was the Administrator's Guide—there might be a 300
page troubleshooting manual I wasn't told about. (McAfee does however
have a useful online help section and a good support section at their
website as well).
I've been using McAfee products for a little over eight years. They are
rugged, reliable and dependable. GroupShield does what you'd expect. The
program is tightly integrated with Exchange 2000 and uses Antivirus API
2.0 to intercept and scan e-mail attachments and files sent or replicated
to public folders and mailboxes. Scans can be set to On Demand, On Access
or scheduled (part of "on demand") for periods of low server usage. A
special console allows administrators to monitor the progress of an on
demand scan. GroupShield also includes an incremental scanning option,
designed to lessen server load, that scans only new or changed files in
mailboxes and public folders.
The program happily scans whatever attachments the administrators opt
for—from executables to compressed programs to files based on extensions.
GroupShield can also be configured to hunt down all macros and delete
them from the attachment or quarantine the whole message for review. It
can also intercept encrypted messages being received or sent out, or let
all through or just those to and from selected sources. GroupShield also
allows for selective blocking by extension, filename and subject line
and can send blocked files to a quarantine location. The quarantine location
can be either a database or a directory.
On demand or automated downloading of updates for the virus database
is available. When GroupShield finds "malware" the administrator has the
option of having it cleaned, deleted or quarantined. Notifications can
either not be sent or can be sent to one or more of the administrator,
recipient or sender with an editable file that notifies the message recipient
of what was done to the message and why (infected, blocked, encrypted).
The VSAPI tab on the Configuration Properties console makes available
a number of VSAPI 2.0 related virus scanning options:
Proactive scanning, which is "on" by default, places incoming items in
a queue for scanning when resources are available, thus reducing the load
on the background and on-access scanning.
Background scanning, off by default, looks at each mail item for a version
stamp. If the item has no stamp or the stamp is older than the current
version, the item is scanned. Background scanning has several advantages:
scanning occurs when the CPU is otherwise idle and the items, once scanned,
don't need to be rescanned when they are accessed. Once it starts though,
background scanning can't be switched off except by unmounting the information
store or by unloading and disabling the GroupShield Exchange on-access
Version updating (auto-revving the *.DAT version after update) results
in the version number being automatically updated after a successful *.DAT
update. If background scanning is on, it will start to scan automatically
because of the version change. Auto-revving *.DAT files after update ensures
that items will be rescanned by the background or on-access scanner when,
and only when, the version stamp indicates it's necessary.
Scanning of plain text message bodies is available. This option is switched
on and cannot be disabled. The scanning of *.RTF message bodies is an
option that must be switched on (its default state) in order to block
*.RTF messages (body and attachment) by subject-line content.
Outbreak Manager is one of GroupShield's most impressive features. It's
a continuous monitor that looks for suspicious activity and triggers a
series of responses. The goal is to contain the outbreak before it gets
out of hand. I have a master's in epidemiology and have been working in disease
control for several years—the methodology here is right out of the
Depending on the anti-virus software being used, Outbreak Manager
can be set to look for suspicious occurrences such as multiple viruses
within a specified time period, multiple identical viruses during a specified
time period and multiple identical items within a specified time period.
In other words, stuff that shouldn't happen normally.
Administrators can set rules to govern what happens when Outbreak Manager
detects any of the above. You can configure Outbreak Manager to send an
alert and await user intervention as to what to do next. It can also be
configured to automatically perform actions (such as sending alerts, deleting
files, updating the anti-virus definition files or temporarily shutting
down the mail server) based on rules you set. Escalation times can be
configured for separate actions so that the response becomes incrementally
more robust if, and only if, the initial responses fail and the outbreak
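The detection rules and escalation ladder described above, written out as an added example (this is illustrative code, not GroupShield's or Network Associates' own; the event list, virus names, thresholds and the one-minute escalation interval are all constructed assumptions):

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample detection events: (timestamp, detection name, item name).
SAMPLE_EVENTS = [
    ("2001-07-10 09:00:05", "TEST/Alpha", "report.doc.pif"),
    ("2001-07-10 09:00:40", "TEST/Alpha", "invoice.xls.lnk"),
    ("2001-07-10 09:01:10", "TEST/Alpha", "report.doc.pif"),
    ("2001-07-10 09:01:55", "TEST/Beta", "readme.exe"),
    ("2001-07-10 09:02:30", "TEST/Alpha", "report.doc.pif"),
    ("2001-07-10 10:30:00", "EICAR-test-file", "eicar.com"),
]

# Responses from weakest to strongest; each later rung is taken only if the
# outbreak is still active after the previous response had time to work.
ESCALATION = ["alert admin", "update DAT files", "suspend mail server"]

class OutbreakMonitor:
    def __init__(self, window_minutes=5, threshold=3, escalate_after_minutes=1):
        self.window = timedelta(minutes=window_minutes)   # "specified time period"
        self.threshold = threshold                        # what counts as "multiple"
        self.escalate_after = timedelta(minutes=escalate_after_minutes)
        self.events = deque()          # detections inside the sliding window
        self.level = -1                # index into ESCALATION; -1 = nothing done yet
        self.last_response = None      # when the most recent response was taken

    def _prune(self, now):
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()

    def _triggered_rules(self):
        names = [e[1] for e in self.events]
        items = [e[2] for e in self.events]
        rules = []
        if len(self.events) >= self.threshold:
            rules.append("multiple viruses")
        if any(names.count(n) >= self.threshold for n in set(names)):
            rules.append("identical viruses")
        if any(items.count(i) >= self.threshold for i in set(items)):
            rules.append("identical items")
        return rules

    def observe(self, ts, name, item):
        """Feed one detection; return (action, rules) if a response is due, else None."""
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        self.events.append((now, name, item))
        self._prune(now)
        rules = self._triggered_rules()
        if not rules:
            return None
        if self.last_response is None:
            self.level = 0                                # first trigger: weakest action
        elif now - self.last_response >= self.escalate_after and self.level < len(ESCALATION) - 1:
            self.level += 1                               # previous response failed: escalate
        else:
            return None                                   # still inside the grace period
        self.last_response = now
        return (ESCALATION[self.level], rules)

def run(events):
    mon = OutbreakMonitor()
    out = []
    for ts, name, item in events:
        response = mon.observe(ts, name, item)
        if response:
            out.append((ts, response[0], response[1]))
    return out
```

With the sample above the third Alpha detection inside five minutes triggers an alert, the fifth (which also makes three identical items) escalates to a DAT update, and the lone EICAR hit an hour later triggers nothing because the window has emptied.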
Logs and Monitoring
GroupShield comes complete with a full range of logging options covering
every aspect of the product's operation from scanning logs to Outbreak
Manager summaries. The McAfee Log Manager allows you to track every significant
anti-virus event on the system from time scans were initiated to what
viruses and suspicious activities were detected and where. Monitoring
of e-mail traffic and virus detection rates is done using the GroupShield
Exchange Object in the Windows 2000 Performance Monitor.
[Figure: GroupShield provides instant notification when it detects ...]
As you would expect, GroupShield was effective at nailing the domesticated
virus code available from EICAR. It also identified all of the wild viruses
that were fed into the system. This was probably a billionth of the actual
testing that GroupShield gets subjected to every day in the "real world."
The one thing that could be held against GroupShield was that the time
it took to process an e-mail message was slower than the other products
tested, up to twice as long when compared to both Mail essentials and
McAfee's GroupShield is exactly what you would expect it to be:
a solid, reliable product with enough robustness to assure that it will
not let you down as long as you remember to maintain it. If it lacks in
other bells and whistles such as content checking, anti-spamming and the
like, that's by design. This is an anti-virus defense product and that's
all it claims to be.
David W. Tschanz, Ph.D., MCSE, is author of the recent "Exchange Server 2007 Infrastructure Design: A Service-Oriented Approach" (Wiley, 2008), as well as co-author of "Mastering Microsoft SQL Server 2005" (Sybex, 2006). Tschanz is a regular contributor to Redmond magazine and operates a small IT consulting firm specializing in business-oriented infrastructure development.