Stop Viruses at the Gate
The newest crop of Exchange antivirus products prevents users from receiving infected mail.
What’s the biggest problem with desktop virus scanners? Getting users
to update the signatures. While we insist desktop virus checkers be part
of the generic desktop configuration, we prefer them to be the second
line of defense. A better first barrier is a strong, mail server-based
scanning tool that can prevent viruses and Trojans from getting to the
user in the first place. Unfortunately, how much these products can do
is limited by their ability to interface directly with the mail server
processes. Think of it like this: A complex product like Exchange naturally
protects its inner workings from intruders and only exposes areas that
can safely allow development work that complements the product. Providing
hooks for antiviral scanners wasn’t big on anyone’s horizon when Exchange
was in development close to a decade ago, but it is now. To make it easier
for server-based products, Microsoft provided the Antivirus API for Exchange
5.5 in its Service Pack 3 and Antivirus API 2.0 in SP1 for Exchange 2000.
Antivirus API 2.0—It’s About Time
While version 1.0 of anything is never what we want, this API was criticized
for not providing enough access. Antivirus API 2.0 appears to provide
the capabilities vendors want. Here’s a rundown:
- A change in the threading processes allows multiple items to be submitted
for scanning simultaneously.
- High-priority (items someone is accessing) and low-priority (items
that no one has accessed yet) management focuses attention where it
needs to be while providing more efficient handling of the load. High-priority
items will always be scanned first.
- Attachment scanning is proactive; arriving attachments are queued
for scanning when they arrive at the information store—not when a user
attempts to access them. (API 1.0 attachments were only scanned when
they were accessed.) If there’s an attempt to access the attachment
before it’s scanned, it’s then scanned immediately (it becomes a high-priority
- Background scanning processes traverse user mailbox folders looking
for unscanned items that are then submitted for scanning.
- Message details are now provided so Exchange admins can track viral
- Antiviral program Performance Monitor counters and event log events
have been added that can track the amount of info being scanned. This
information may help determine appropriate server sizing and also
serves as notification that the antiviral product is working.
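The scheduling behavior in the list above (queue on arrival, promote on access, background sweep for unscanned items) can be modeled in a few lines. This is an added illustration, not code from the article or from Microsoft's API; the class, method names and sample items are hypothetical.

```python
import heapq
import itertools

HIGH, LOW = 0, 1  # lower value is scanned first


class ScanQueue:
    def __init__(self):
        self._heap = []                # entries: (priority, seq, item_id)
        self._seq = itertools.count()  # FIFO tie-breaker within a priority
        self._queued = {}              # item_id -> priority it is waiting at
        self.scanned = []              # item_ids in the order they were scanned

    def _push(self, item_id, priority):
        self._queued[item_id] = priority
        heapq.heappush(self._heap, (priority, next(self._seq), item_id))

    def on_arrival(self, item_id):
        # Proactive scanning: queue the item when it reaches the store.
        if item_id not in self._queued and item_id not in self.scanned:
            self._push(item_id, LOW)

    def on_access(self, item_id):
        # A user opens an item that has not been scanned yet: promote it.
        if item_id not in self.scanned and self._queued.get(item_id) != HIGH:
            self._push(item_id, HIGH)

    def background_sweep(self, mailbox_items):
        for item_id in mailbox_items:  # folder walk: submit anything unseen
            self.on_arrival(item_id)

    def scan_next(self):
        # Take the most urgent item; skip stale entries left by a promotion.
        while self._heap:
            priority, _, item_id = heapq.heappop(self._heap)
            if self._queued.get(item_id) == priority:
                del self._queued[item_id]
                self.scanned.append(item_id)
                return item_id
        return None


def demo():
    q = ScanQueue()
    for item in ("a.doc", "b.zip", "c.exe"):  # constructed sample items
        q.on_arrival(item)
    q.on_access("c.exe")                      # opened before its scan ran
    q.background_sweep(["a.doc", "old.xls"])  # old.xls was never submitted
    return [q.scan_next() for _ in range(4)]
```

The accessed item jumps ahead of everything that arrived before it, and the item found by the background sweep is scanned last.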
In sum, Antivirus API 2.0 provides the tools your antiviral vendor can
use to help you detect, clean and study viral attacks. But remember, if
you want the advantages this new API provides, you must select a product
that has been designed to use them; the API’s existence alone doesn’t
For this roundup, we looked at five products that run directly
on your Exchange 2000 server to provide a first line of defense. This
article summarizes our results. You can see more extensive reviews and
notes on working with the individual products in the online edition of
this article posted on www.mcpmag.com.
Sybari Software’s Antigen 6.2 (Figure 1) impressed us with its thoroughness
and flexibility. Of particular note is its ability to use any or all of
five virus-detection engines (Norman, Network Associates’ McAfee 4.x,
Sophos, Computer Associates’ InoculateIT and CA Vet), all of which can
be updated automatically. Antigen can use either the new Antivirus API
2.0 or, if you’re leery of installing the Exchange 2000 service pack,
the older ESE interface. Either way, it quarantines suspicious messages
and notifies an administrator of the problem. You can configure the types
of file to scan and also decompress zip files to scan their contents.
We would have preferred the help to be better integrated with the product
(rather than supplied via browser or PDF), and we had some difficulty
configuring a proxy server to allow automatic updating (a problem that
Sybari tech support was quick to solve). But those are minor issues that
are far outweighed by Antigen’s excellent protection features.
Figure 1. Antigen provides an easy-to-read summary of its
activities and findings.
McAfee’s GroupShield 5.0 is exactly what you’d expect it to be: a solid,
reliable product with enough robustness to assure that it won’t let you
down as long as you remember to maintain it. GroupShield includes an innovative
Outbreak Manager: a monitor that looks for suspicious activity and triggers
a series of responses. The goal is to contain the outbreak before it gets
out of hand. Outbreak Manager can be set to look for suspicious occurrences
such as multiple viruses within a specified time period, multiple identical
viruses during a specified time period, or multiple identical items within
a specified time period. You can configure escalation rules for separate
actions so the response becomes incrementally more robust if, and only
if, the initial responses fail and the outbreak continues unabated. On
the negative side, GroupShield took up to twice as long as either Mail
essentials or securiQ to do its job. GroupShield 5 also lacks the other
bells and whistles such as content checking and anti-spamming found in
other products in this review, but that’s by design; this is an antivirus
defense product and that’s all it claims to be.
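One of the outbreak triggers described above, multiple identical viruses within a specified time period with a response that escalates only while the outbreak continues, can be sketched as a sliding-window detector. This is an added example, not GroupShield's implementation; the threshold, window, action names and detection log are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed escalation ladder; action names are illustrative, not product settings.
ESCALATION = ["notify_admin", "quarantine_matching_mail", "pause_mail_flow"]


class OutbreakMonitor:
    def __init__(self, threshold, window_seconds):
        self.threshold = threshold          # detections needed to trigger
        self.window = window_seconds        # length of the sliding window
        self._hits = defaultdict(deque)     # virus name -> recent timestamps
        self._level = defaultdict(int)      # virus name -> next escalation step
        self._last_seen = {}                # virus name -> last detection time

    def record(self, ts, virus):
        """Record one detection; return the action to take, or None."""
        hits = self._hits[virus]
        last = self._last_seen.get(virus)
        if last is not None and ts - last > self.window:
            # A full quiet window passed: the outbreak ended, start over.
            hits.clear()
            self._level[virus] = 0
        self._last_seen[virus] = ts
        hits.append(ts)
        while ts - hits[0] > self.window:   # drop detections outside the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        # Still spreading despite any earlier response: take the next step.
        step = min(self._level[virus], len(ESCALATION) - 1)
        self._level[virus] += 1
        hits.clear()                        # count afresh after responding
        return ESCALATION[step]


# Constructed detection log: (seconds since start, virus name reported by the scanner)
SAMPLE_LOG = [
    (0, "TestWorm.A"), (10, "TestWorm.A"), (20, "TestWorm.A"), (25, "TestWorm.A"),
    (30, "TestWorm.A"), (35, "TestWorm.A"), (40, "TestMacro.B"),
    (500, "TestWorm.A"), (510, "TestWorm.A"), (520, "TestWorm.A"),
]


def run(log, threshold=3, window_seconds=60):
    monitor = OutbreakMonitor(threshold, window_seconds)
    results = [(ts, virus, monitor.record(ts, virus)) for ts, virus in log]
    return [r for r in results if r[2]]
```

On the sample log the second burst escalates because it follows the first response within the window, while the burst at 500 seconds starts again at the lowest step after a quiet period.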
GFI’s Mail essentials 2000 features completeness and ease of operation.
Key features include anti-spam protection, e-mail encryption, e-mail archiving,
disclaimers, personalized auto responders and POP3 downloading. All of
this is transparent to the user and has the benefit of requiring no training
for users and little, if any, additional administration beyond the initial
set-up. The antivirus engine scans all inbound and outbound mail both
internally and inter-company and can quarantine or remove suspicious attachments.
It can also be configured to remove scripting code in the body of a message.
This can present a problem for forms included in newsletters, for example,
but that’s a small price to pay for security. The nice thing about this
feature is that it’s not dependent on keeping a virus list up to date;
it detects and removes scripts regardless. Mail essentials’ failings are
relatively minor; it lacks some of the nifty administrative tools and
monitoring options you can find in other products, and the manual is poorly
indexed. But it does perfectly what it was designed to do: identify, hunt
and kill anything that looks like a threat to e-mail security with the
quiet relentlessness and thoroughness of white blood cells gobbling an
intruder in your bloodstream.
Trend Micro’s ScanMail 5.1 includes solid scanning options and useful
tools. ScanMail is, of course, an established offering that makes good
use of the new AVAPI features. You can scan the information store in the
background, as well as conduct high-priority scans of messages entering
and leaving the server. When it finds a virus, ScanMail sends full details
to the administrator, as shown in Figure 2. Other goodies shipped as part
of ScanMail include Red Alert (a configurable file blocker designed to
deal with sudden new problems), a real-time monitor to give you extensive
information on the program’s operation, and a customized Performance Monitor
console set up to keep an eye on Exchange activity. ScanMail is a tried-and-true
alternative that gets used every day on huge networks. We’d trust it to
be a part of our preventive medicine program.
Figure 2. When it finds a virus, ScanMail sends
full details including sender, recipient, and subject, to the administrator.
It can move attachments to quarantine and then deliver the cleansed
message.
GROUP Software’s securiQ Suite is a rules-based product that requires
a lot of extra administrative effort. Reaching beyond virus scanning,
it includes components to block spam, add automatic attachments (such
as company disclaimers) to outgoing mail, encrypt archived mail and control
access to it, and manage anti-virus scanning. Everything in the suite
is rules-based, and there’s a steep curve involved in learning to write
the rules. We also had trouble installing the suite on two different networks,
though tech support did come to our rescue. SecuriQ Suite is a powerful
tool, but difficult to learn, and it won’t block viruses out of the box.
Picking Your Product
The best way to pick an e-mail security package is to ask yourself
what you need from the product. If antivirus protection is all you’re
after, then GroupShield 5 is a good choice. The Active Virus Defense component
combined with the features of AVAPI 2.0 and the elegantly tailored Outbreak
Manager make this an excellent package. For a product with more features,
GFI’s Mail essentials 2000 was David's personal favorite. It includes a powerful
antivirus engine along with a number of e-mail management tools, such
as spam protection and disclaimer management, making it ideal for the
Of the other products we looked at, we’re especially impressed by the
installation and configuration flexibility offered by Antigen. And, of
course, ScanMail has proved itself multiple times in very large installations,
making it a safe choice for anyone hunting enterprise-level protection.
We were less thrilled with securiQ Suite, which offers promise hidden
behind a difficult learning process.
Obviously any e-mail scanning system has to be part of a total package
and continuously maintained in order to be reasonably successful. That
system has to include an educated user (see "The Human Factor" for more). Some may think that the virus writers are winning in their contest
with antivirus scanners at this point. After all, the writers have the
simpler job; all they need to do is find a chink in the armor and exploit
it. With a little misdirection and camouflage and by playing on a false
sense of security, they can use these vulnerabilities to devastating effect.
But by equipping your mail server with an industrial-strength antivirus
scanner such as one of the products we reviewed here, you can up your
chance of beating them on your own network.