This article applies to:

• Trustwave MailMarshal (SEG)

Question:

• How do I Install Anti-Virus Scanners with SEG/MailMarshal?

Procedure:

SEG/MailMarshal is not a traditional anti-virus scanner. Instead MailMarshal provides a framework under which third-party anti-virus scanners can be run to check email for viruses. Other SEG functions can also assist with blocking viruses and malware (such as Blended Threat checking, URL categorization, TextCensor, and Filetype/Filename checking) - check out Q10483 for more information on this.

Why use an anti-virus scanner under SEG?

So what benefits do you get from running an anti-virus scanner under SEG, compared with a typical installation of an anti-virus scanner on a server?

• Virus-infected messages are safely quarantined at the gateway and are not sent on to your mail server.
• Messages can be viewed safely via the Console.
• Email notifications can be sent to the administrator, sender, or recipients.
• High visibility - see at a glance all infected messages.
• Thoroughness - SEG first unpacks a message and then runs the scanner across each component.
• Ability to run multiple anti-virus scanners at once.

How does SEG utilize anti-virus scanners?

Anti-virus scanners are installed on the MailMarshal server and are either run from a special DLL-based interface (such as Bitdefender, McAfee, or Sophos "for Marshal"), or from a command line (such as or McAfee command line), using parameters set up in the SEG Configurator or MailMarshal (SEG) 10 Management Interface.

When a message is processed, SEG unpacks each message into its components. SEG calls the scanner, runs it against each component, and then decides whether to quarantine the message based on the return value from the scanner. Note, only the DLL-based scanners will return parameters such as the virus name. All scanners invoked from the command line will return only a single return code.

You can use one or multiple virus scanners under SEG. Virus scanners can differ in their ability to detect viruses. For maximum protection, you can run two or more different virus scanners in SEG, and yet another brand of virus scanner on the servers or desktops. Virus scanners also work at different speeds, which can be an important consideration for large sites with high email throughput. For a list of supported virus scanners refer to Q10923.


Important: New viruses are appearing all the time. To maintain adequate protection you must always keep your chosen virus scanning software and signature files up to date. Remember, SEG acts on the information provided by the virus scanner.

General hints for installing and setting up your virus scanner

The scanner is installed on the server as per the manufacturers instructions. The path to the scanner is entered into the appropriate part of the SEG Configurator. These steps are as follows:

1. Install the scanner on the SEG server.
   Once you have the virus scanner product and the updated signature files, install them into a new directory on the SEG server. If it is a command line scanner, once it is installed you should be able to run it directly from the command prompt using the appropriate parameters.
2. Add a new Virus Scanner in the SEG Configurator or MailMarshal (SEG) 10 Management Interface 
   To configure a new virus scanner, navigate to Policy Elements >  Virus Scanners and select New or Add. Select your virus scanner from the list provided and click Next. Browse to the path to where the main executable file of the software is installed (Note - for integrated scanners such as Sophos there is no need to browse to the executable). For example:
   
   C:\McAfee\Scan.exe
   
   Complete the add process (see Help for details).
   
   The parameters for some virus scanners are already set up in SEG.
   
   Note: These parameters may vary depending on the version of your virus scanning software so if in doubt consult your virus scanner's documentation. Clicking on the Vendors Web site button in the Configurator will cause MailMarshal to run Internet Explorer and go to the manufacturer's web site, allowing more information on that scanner to be gathered.
   
   Note there is usually a "{CmdFileName}" parameter in the string. This parameter tells the virus scanner which directories and files to scan. Important: ensure the quotation marks encase this parameter. If you get the path to the scanner, or the parameter string wrong, typically all your mail will be DeadLettered - i.e. stopped as MailMarshal times out waiting for the virus scanner.
   
   For all scanners invoked from the command line, it is recommended to enable the 'Single Thread' check box. This will mean only one instance of the scanner will be run at a time
   
   Sometimes the parameter string can be modified so that the virus scanner logs to a file in the c:\temp (or other) directory. Make sure this directory exists or change the path appropriately. This log file can also be attached to the email notifications sent out by MailMarshal. To attach the log file, edit the appropriate Email Template so that the 'Other' check box is checked and enter the path and filename of the log file. You may also wish to change the text in the body of the Template to say "Please see attached log file for details".

Check that key MailMarshal directories are excluded from any existing resident or on-access file scanning
Network servers are typically protected by virus-scanning packages to search disk directories for contaminated files, particularly newly created or imported files. You need to ensure that any virus scanning programs working on the MailMarshal server are configured to exclude resident or on-access file scanning of the MailMarshal Unpacking and quarantine directories (and their subdirectories). This is important because MailMarshal actually takes a copy of the message and then unpacks and checks it. A resident virus scanner can pick up this file and clean it. MailMarshal then determines that the copy is clean, thus causing the original message (with the virus) to pass through.

For the locations of these directories, please see Q10832.

How you exclude directories from resident scanning is specific to each scanner. For example, in Network Associates NetShield, exclusions are set via an Exclusions tab in Scan Properties. Refer to Q10923 for information on how to run a virus scanner check.


If you are unsure as to whether or not your virus scanner is set up correctly within MailMarshal, refer to Q10304 for further information.


Using other Virus Scanners
Trustwave has not tested every virus scanner available. With a bit of experimentation other virus scanners alternatives may be used. In general you need to follow these steps:

1. Verify that a version compatible with the Windows server is available.
2. Check that it has a command line interface and can be run silently in the background.
3. Install the product (make sure you have an appropriate license).
4. In the MailMarshal Configurator choose Custom Virus Scanner or New command line, and enter the appropriate executable file and parameters to invoke the scanner during message processing. Remember to use the "{CmdFileName}" parameter to indicate to the virus scanner which directories to scan.
5. For all scanners invoked from the command line, it is recommended to check the 'Single Thread' check box. This will mean only one instance of the scanner will be run at a time.
6. Test with a safe test virus. You can get one through the Trustwave "Test your email rules" facility. See article Q10489.

This article was previously published as:

NETIQKB29745

Marshal KB16