5.3 Stopping Viruses and Malware

Blocking virus and malware infections at the email gateway is a primary goal of email content security for most organizations. MailMarshal can scan email messages for virus infection using any of a number of virus scanners, including McAfee for Marshal and Sophos for Marshal. Nearly all MailMarshal installations use virus scanning.

MailMarshal also provides additional important layers of protection against malware using Zero Day updates from Trustwave, Yara Analysis Engine malware detection, and the Outbreak Detection function of SpamProfiler.

5.3.1 How MailMarshal Uses Virus Scanners

MailMarshal can use one or more scanners to check email for viruses. Because virus scanners have differing architecture and update policies, some organizations choose to use multiple scanners.


Note: Before MailMarshal can use a virus scanner in email processing, you must configure it within MailMarshal.


For more information about configuring virus scanners, see “Configuring Antivirus Scanning”.

MailMarshal invokes the virus scanner after unpacking all elements of an email message. MailMarshal then passes the elements to the scanner software for analysis, and takes action based on the result returned from the scanner.

Features

MailMarshal supports the following virus prevention and management features:

Email antivirus scanning at the gateway: Adds a proactive layer of defense at a key strategic point in the network.

Multiple virus and malware scanners (optional): Increases the chances of detecting a virus and reduces the vulnerabilities from delays in patch updates.

Virus notification and reporting: Provides email notifications of specific viruses, and comprehensive reporting on virus incidents (including the virus names if provided by the scanner in use).

MailMarshal also provides additional features that can help with virus protection, including:

Unpacking documents and archives

Scanning text for keywords and suspect code

Blocking dangerous file types

Blocking encrypted files

Implementation Options

To work with MailMarshal, a virus scanner must have a command-line interface or a MailMarshal DLL supplied by Trustwave. The scanner must return a documented response indicating whether or not a virus is detected. Most commercially available virus scanners meet these specifications.
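The command-line contract described above, as an added example that is not MailMarshal code: each unpacked element is passed to the scanner, the documented return codes are mapped to a verdict, and a timeout, a missing scanner or an undocumented code counts as a failed scan rather than as clean. The exit codes, the action names and the `fake_scanner` stand-in are assumptions made for illustration.

```python
import subprocess
import sys

# Assumed documented return codes of a hypothetical command-line scanner.
DOCUMENTED = {0: "clean", 1: "infected"}


def scan_element(scanner_cmd, path, timeout=30):
    """Run the scanner on one unpacked element and return a verdict string."""
    try:
        proc = subprocess.run(scanner_cmd + [path], capture_output=True,
                              timeout=timeout, check=False)
    except (subprocess.TimeoutExpired, OSError):
        # Scanner hung or could not be started: the element was not scanned.
        return "scan_failed"
    # Any return code outside the documented set is not evidence of "clean".
    return DOCUMENTED.get(proc.returncode, "scan_failed")


def message_action(scanner_cmd, element_paths):
    """Pick one action for a message from the verdicts of all its elements."""
    verdicts = [scan_element(scanner_cmd, p) for p in element_paths]
    if "infected" in verdicts:
        return "quarantine_virus"        # hypothetical action name
    if "scan_failed" in verdicts:
        return "quarantine_unscanned"    # hypothetical action name
    return "deliver"


def fake_scanner(exit_map):
    """Constructed stand-in scanner: exits with the code mapped to the path."""
    code = "import sys; sys.exit(%r.get(sys.argv[1], 0))" % (exit_map,)
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    scanner = fake_scanner({"infected.doc": 1, "odd.bin": 7})
    print(message_action(scanner, ["body.txt", "infected.doc"]))
    print(message_action(scanner, ["body.txt", "odd.bin"]))
```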


Note: Because DLL based scanners are always resident in memory, they are about 10 times faster than command line scanners. Trustwave recommends the use of DLL scanners for sites with high message traffic.


Install one or more chosen scanners on each MailMarshal email processing server following the manufacturer's instructions. For more information about supported antivirus software, see “Supported Antivirus Software”. For more information about installing virus scanners, see “Configuring Antivirus Scanning”.


Tip: Several integrated scanners are available through Trustwave, including implementations of Bitdefender, McAfee, and Sophos. These software packages are available from links in the MailMarshal installation package, or in separate downloads from www.trustwave.com.


5.3.2 Anti-Malware Policy and Rules

The default email policy provided with MailMarshal includes two policy groups titled Anti-Malware (Inbound) and Anti-Malware (Outbound). These policy groups include a number of rules to block viruses and malware.

To view the Anti-Malware policy groups:

1. In the left pane of the Management Console, select the item Email Policy.

2. Expand Content Analysis Policy, and select the item Anti-Malware (Inbound) or Anti-Malware (Outbound).

3. To view details of each rule, including a description of its intended use, double-click the rule name in the right pane.

The default rules include rules to implement Zero Day protection and Yara Analysis Engine action, to attempt to block malware-infected email messages using traditional scanners, to block malware-related messages by their content, and to apply SpamProfiler's Outbreak Detection technology.

The rules that invoke malware scanners are disabled by default. You must install and configure at least one scanner before you can enable these rules.

5.3.3 Best Practices

Trustwave recommends the following basic practices to ensure security with respect to malware/viruses and scanning:

Ensure that SpamCensor and SpamProfiler updating is enabled, to provide a Zero Day layer of protection. The SpamCensor updater also delivers updates for the Yara Analysis Engine and file unpacking.

Block messages and attachments that MailMarshal cannot scan, such as password protected attachments and encrypted attachments (for example files of type ‘Encrypted Word Document’).

Block encrypted messages that MailMarshal cannot decrypt, such as PGP and S/MIME messages and encrypted ZIP files.

Block executable and script files by type and name. This helps to ensure that unknown viruses will not be passed through.

Subscribe to email notification lists for malware outbreaks. Such lists are available from many antivirus software companies. When an outbreak occurs, block the offending messages by subject line or other identifying features.
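The blocking practices above (executables and scripts by type and name, encrypted content that cannot be scanned), shown as an added example that is not MailMarshal code. The extension list, the limits and the verdict names are assumptions, and `make_zip` only builds constructed sample archives.

```python
import io
import os
import zipfile

# Illustrative block list and limits (assumptions, not MailMarshal's own lists).
BLOCKED_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd", ".hta"}
MAX_DEPTH, MAX_MEMBER_BYTES = 3, 10 * 1024 * 1024


def triage(name, data, depth=0):
    """Return 'block_executable', 'block_unscannable' or 'scan' for one attachment."""
    # By name: the last extension decides, so 'invoice.pdf.exe' is judged as .exe.
    ext = os.path.splitext(name.lower().rstrip(". "))[1]
    # By type: a DOS/PE executable starts with 'MZ' whatever it is named.
    if ext in BLOCKED_EXTS or data[:2] == b"MZ":
        return "block_executable"
    if data[:4] != b"PK\x03\x04":            # not a ZIP container
        return "scan"
    if depth >= MAX_DEPTH:                   # nested too deeply to unpack
        return "block_unscannable"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flags marks an encrypted member.
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                    return "block_unscannable"
                verdict = triage(info.filename, zf.read(info), depth + 1)
                if verdict != "scan":
                    return verdict
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
        return "block_unscannable"           # archive cannot be unpacked
    return "scan"


def make_zip(members, encrypted=False):
    """Constructed sample: in-memory ZIP; optionally mark the first member encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 in the flag word of the first central-directory entry.
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)
```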


Note: If resident or “on access” virus scanning is enabled, exclude the MailMarshal working folders from scanning. See “Excluding Working Folders From Virus Scanning”. Some integrated scanners use additional temporary locations, and these must also be excluded. See release notes for the specific scanners.


5.3.4 Viewing Virus Scanner Properties

Double-click the name of any virus scanner in the right pane to review MailMarshal configuration information for that scanner. With external scanners you can modify the configuration. For details of the fields, see the Help for this panel.

Trustwave MailMarshal 10.2.5 User Guide August 2024