This article applies to:

• Trustwave MailMarshal (SEG)
• Trustwave ECM/MailMarshal Exchange

Question:

How do I stop viruses and malware with MailMarshal? 

Procedure:

In addition to running a virus scanner under MailMarshal, there are many other features and rules you can implement to combat viruses and other malware. This article describes a series of practices you can use to help protect your system against viruses and malicious code.

1. Run a reliable virus scanner and keep it updated.
   
   This step is obvious, but vitally important. Install a good quality virus scanner under MailMarshal, and ensure it is updated automatically and regularly. 
   
   For extra protection, you may even choose to run more than one virus scanner under MailMarshal. Virus scanners differ in design and performance, and some administrators feel more secure with two. 
   
   Spyware scanners are also available for use with MailMarshal.
   
   • Please refer to the following articles:
     • Q10923 : What Virus Scanners are supported by MailMarshal SMTP? 
     • Q10922 : What Virus Scanners are supported by MailMarshal Exchange?
   
    
2. Enable anti-spam and Zero Day Threat features in MailMarshal.
   
   Malicious code is commonly delivered using spam. The SpamCensor and Known Threat scripts are updated frequently and very effective against spam. SpamProfiler and Blended Threat Module can provide additional protection. Availability of these features varies by product version.
    
3. Block all executable files.
   

   Executable files are a common vector for viruses. In most cases, in day-to-day business, users do not need to send and receive .exe files via e-mail. So why not block them? Taking this simple step will greatly reduce your risk of users double clicking on those strange attachments and unleashing the latest nasty from the Internet. To block executable files enable the Block EXECUTABLE Files default rule that is available in the default policy.

    

4. Use the MailMarshal Blended Threats Service.
   
   This service performs a real-time check of websites that are linked from email message bodies.
   
   
5. Block all double executable extensions.
   
   Viruses and malware often generate e-mail attachments with double executable extensions to disguise themselves as legitimate files. Implementation of a rule, as outlined in Q10225, that identifies and quarantines these files will introduce an additional level of security into your system.
   • Q10225 : How do I block Double Extension Executables?

   As the 'Block EXECUTABLE Files' rule utilizes MailMarshal file type identification methods and the 'Block Double Executables Extensions' rule utilizes file name identification methods, benefits will be gained by implementing both rules.

    
6. Block files with potentially suspicious file name extensions.
   
   There are several file types, not covered in MailMarshal's file type identifier, that are useful to block via a file name rule (as opposed to a file type rule). Chief amongst these are the visual basic scripts (*.vbs),  which are frequently used by virus writers.

   Enable MailMarshal's default 'Block Dangerous Attachments' rule which is found in the Content Security (Inbound) Ruleset in version 5.X, or simply enable MailMarshal's default 'Block Suspect Attachments' rule found in current versions.

   The other option is to create your own rule. Use a file name rule to block the following filename extensions, all of which are capable of containing malicious code: -
   
   *.bat, *.chm, *.cmd, *.com, *.pif, *.hlp, *.hta, *.inf, *.ins, *.js, *.jse, *.lnk, *.reg, *.sct, *.shs, *.url, *.vb, *.vbe, *.vbs, *.wsc, *.wsf, *.wsh

7.  Block file names of known viruses.
   
   If you know the name of a dangerous attachment, you can specify it via a specific file name rule.  An example of this is the Nimda virus which had an attachment with a filename of 'readme.exe'. The rule might look like this:

   Standard Rule: Block NIMDA
   When a message arrives
   Where message is incoming
   Where message contains attachments named readme.exe
   Move the message to Suspect

    
8. Block all forms of encrypted messages and files.
   
   Unless MailMarshal has the means to decrypt a message or an attachment, it will not be able to scan it for viruses. Encrypted items can include password protected zip files, word documents, S/MIME or PGP encrypted messages. You can enable two of MailMarshal's default rules; 'Block Password Protected Attachments', and 'Block S/MIME and PGP Encrypted', to block these files. These rules are located in both the Content Security (Inbound) and Content Security (Outbound) Rulesets or E-mail Policies.
   
   Note, if you are running MailMarshal Secure you need to exclude S/MIME data from your rule which blocks encrypted files.
    
9. Subscribe to a virus alert service.
   
   We recommend that you subscribe to an e-mail virus alert service from any of the major Anti-virus vendors, or other third party organizations. If there is news of a new serious outbreak of a virus, immediately view the information available from the vendor's website and make adjustments to your rules as appropriate. From time to time, for threats we consider significant, Marshal will issue an alert to its support newsletter subscribers, and post information on our website.
    
10. Be wary of passing messages through from the Deadletter folders.
    
    Messages placed in the Deadletter folders are there by design. They usually have encountered unpacking or other errors and are un-scanned by MailMarshal. They may contain malicious content.  If the message looks suspicious, then don't pass it through.

This article was previously published as:

NETIQKB29079

Marshal KB59