Protect your enterprise from malicious software with GFI Mail Security
Takeaway: GFI's Mail Security is a sophisticated and powerful tool for preventing viruses and other malicious code from breaching your organization's defenses.
In the "old days" of e-mail administration you pretty much only had to worry about the threat of viruses. Install a virus scanner and make sure it stayed updated and you were pretty safe. Ah yes, the good old days.
Today we are bombarded by multiple attacks via e-mail. E-mails themselves can contain malicious code, phishing scams can tempt users, and attachments may pass through virus scanners even though they have the potential for harm. To combat these threats we need a tool that can do more than just provide virus protection. Mail Security from GFI is one such product. In the last download we looked at GFI's Anti-Spam product, Mail Essentials (ME). This time around we will look at its companion product Mail Security (MS), which picks up where ME leaves off.
The key features of MS include:
- Multiple anti-virus scanning engines: MS ships with the Norman and Bit-Defender AV Engines. In addition the McAfee and Kaspersky engines can be added for an additional fee. Current best practice dictates having multiple AV Engines.
- Attachment checking and filtering: Rule based configuration of e-mail attachment blocking. Rules can be applied to all users or specific users. Attachments such as .exe and .vbs can be stopped and quarantined. Additional file types can be added and prevented from entering. Executables are also run through the Trojan executable scanner to determine risk level.
- Content Filtering: Rule based e-mail filtering for detection of confidential or offensive information. Can be configured on inbound or outbound e-mail.
- Automated removal of HTML scripts: potentially harmful scripts can be removed from HTML based e-mail.
- Decompression Engine: Zipped or archived files are decompressed and examined for potential harmful content and password protection.
GFI is a UK based software company that focuses on mail and security software. All of their products are available as a 30 day fully functioning evaluation product. After the evaluation period the software continues to function but with limited capabilities. The MS package can be downloaded from the company Web site along with excellent documentation. The list price of MS for unlimited mailboxes is $3,999 plus 20% yearly for software maintenance. Reduced pricing is available for 25, 50, 100, 250, 500 and 1000 mailboxes. A 25-mailbox license is as little as $449 plus maintenance. Additional discounts are available when you purchase the MS companion Anti-SPAM checking software product Mail Essentials.
Installation requirements
Mail Security can be installed on a Windows 2000 Professional / Server / Advanced Server or Windows 2003 Server / Advanced Server or Windows XP. The application requires IIS, Microsoft .Net Framework 1.1, and the Microsoft Message Queuing Service.
Note: Recently GFI made some changes to MS 9 which require it to be installed in SMTP Gateway mode. The original release and prior versions allowed installation on the Exchange server. If you must install MS on your Exchange server you must download version 8 from the GFI Web site. This download will focus on version 9.0, although the functionality of the two products is very similar. SMTP mode places MS on a separate mail relay or gateway server.
Personally I prefer the relay / gateway server option. I prefer to offload these tasks from my Exchange server, allowing Exchange to just be Exchange. This configuration also allows MS to work with other non Exchange SMTP servers. However the gateway configuration requires the additional setup of a mail gateway server.
SMTP gateway configuration
First we must configure a separate mail gateway server for MS to be installed on. This server will receive all inbound mail before the Exchange server ever sees it. Lucky for us Microsoft IIS has a powerful built in SMTP server, designed to handle large volumes of mail.
Since we are setting up a separate gateway server, the installation is slightly more complicated. First thing we need to do is install IIS on the server if it's not installed, and set up SMTP within IIS. The GFI documentation does a good job of explaining this but we will run through it here.
Install SMTP via Add Remove Programs | Windows programs. SMTP is a sub component of IIS. In Server 2003 select Application Server | Internet Information Server (IIS) and then select the SMTP option. (Figure A) Once installed the Internet Information Services MMC is used to manage the server.
Figure A: SMTP
Next we will configure the properties of the SMTP server. Open the IIS console and expand the server node. The Default SMTP Virtual server should be present. Right click and select properties. On the General tab assign an IP address to the server. Next click the Access tab. Here we can configure authentication and connection parameters. If you wish to configure secure communication between the gateway and your primary server you can configure those settings here.
Our concern for this discussion is the relay tab. To keep the gateway from becoming an open relay we want to specify which server or servers can relay mail through this server. Click the relay tab and then click add. You can specify an IP address, a group of servers, or a domain. (Figure B) When completed your server's IP should be listed.
Figure B: Servers IP
Uncheck the check box titled "Allow all computers which authenticate to relay, regardless of the list above." (Figure C)
Figure C: Relay
Now we will configure the SMTP server to relay mail to your primary mail server. Under the Default SMTP server right click Domains and select New. Select the remote option and click next. Enter the name of the mail domain in the next box. When completed the IIS manager will list the local domain and your remote domain. (Figure D)
Figure D: Domains
Right click on the newly created domain and select properties. Select "Allow incoming mail to be relayed to this domain" and "Forward all mail to a smart host". Enter the name of the primary server in square brackets that will receive the mail. (Figure E)
Figure E: Primary
We have now configured the gateway server to relay mail to and from your primary mail server. The next step is to configure the Exchange or other mail server to relay mail to the newly configured gateway server. (In this example we will use Microsoft Exchange, however in gateway mode installation ME can work with any SMTP server.)
From the Exchange System Manager expand the properties of your SMTP connector. On the general tab click the "Forward all mail through this connector to the following smart hosts" radio button. Add the IP address of the newly configured server, enclosed in brackets. (Figure F)
Figure F: Configured server
Finally, test the configuration. Send an e-mail from an internal address to an external address such as a Hotmail or Yahoo account. Send a message in the reverse direction to test connectivity both ways. If both messages are received you have successfully set up the SMTP box to relay mail to and from your Exchange or SMTP server.
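The two test messages confirm that mail flows, but not that the relay restrictions set on the relay tab actually hold. The following check is an added example, not part of the original article or of any GFI or Microsoft tooling: it issues MAIL FROM and RCPT TO only (never DATA, so nothing is delivered) and reports any recipient the gateway should have refused. The domain names, the `FakeGateway` stand-in and its reply texts are constructed so the example runs offline; `audit_gateway` assumes it is run against your own gateway from a host that is not in its relay list.

```python
import smtplib

def build_probes(local_domain):
    """Each probe: (description, MAIL FROM, RCPT TO, should the gateway accept it?)."""
    return [
        ("inbound mail for the local domain",
         "sender@outside.example", f"postmaster@{local_domain}", True),
        ("outside sender to outside recipient",
         "sender@outside.example", "someone@elsewhere.example", False),
        # Relay permission must depend on the connecting IP, not on a claimed sender.
        ("forged local sender to outside recipient",
         f"user@{local_domain}", "someone@elsewhere.example", False),
    ]

def rcpt_accepted(session, mail_from, rcpt_to):
    """Send MAIL FROM and RCPT TO only. DATA is never sent, so no mail is delivered."""
    session.rset()
    code, _ = session.mail(mail_from)
    if code != 250:
        return False
    code, _ = session.rcpt(rcpt_to)
    return code in (250, 251)

def audit_relay(session, local_domain):
    """Return a list of findings; an empty list means the relay policy held."""
    findings = []
    for desc, mail_from, rcpt_to, expected in build_probes(local_domain):
        accepted = rcpt_accepted(session, mail_from, rcpt_to)
        if accepted and not expected:
            findings.append(f"OPEN RELAY: {desc} was accepted")
        elif expected and not accepted:
            findings.append(f"INBOUND REFUSED: {desc} was rejected")
    return findings

def audit_gateway(host, local_domain, port=25, timeout=10):
    """Audit a real gateway. Run from a host that is NOT in its relay list."""
    with smtplib.SMTP(host, port, timeout=timeout) as session:
        session.helo("relay-audit.example")
        return audit_relay(session, local_domain)

class FakeGateway:
    """Constructed stand-in for the SMTP virtual server (offline demo only)."""
    def __init__(self, local_domain, relay_for_anyone):
        self.local_domain = local_domain.lower()
        self.relay_for_anyone = relay_for_anyone

    def rset(self):
        return (250, b"OK")

    def mail(self, sender):
        return (250, b"OK")

    def rcpt(self, recipient):
        domain = recipient.rsplit("@", 1)[-1].lower()
        if self.relay_for_anyone or domain == self.local_domain:
            return (250, b"OK")
        return (550, b"5.7.1 Unable to relay")  # constructed reply text

if __name__ == "__main__":
    print(audit_relay(FakeGateway("example.org", False), "example.org"))
    print(audit_relay(FakeGateway("example.org", True), "example.org"))
```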
Installing Mail Security
Now that the SMTP relay is set up we can move on to installing the actual MS product. Double clicking the download file will begin the extraction and setup process. During the initial phase of installation, MS checks for an installation of IIS. If IIS is not present the install will stop with the message IIS not installed. If all dependencies are met the welcome screen is displayed. (Figure G)
Figure G: Installation
When setup first launches it gives you the chance to check for a newer build. GFI releases new builds quite frequently, so if it's been even a few days since you downloaded the file go ahead and select "Check for a newer build of GFI Mail Security on the GFI Web site"; otherwise select do not check for a newer build and move on. (Figure H) The next screen prompts to accept the license agreement to proceed.
Figure H: New build?
Next enter the admin e-mail account and license key. (Figure I) Since this is an evaluation, leave evaluation as the key. (Figure J)
Figure I: License
Figure J: Evaluation
Next is the IIS setup. MS creates an IIS site used to manage the product. Accept the default Web site name, virtual directory and SMTP server information. (Figure K) If ASP.NET is not registered on the default Web site then a pop up will appear asking to register ASP.NET with the Web server. (Figure L)
Figure K: Default
Figure L: ASP.NET
Next the local mail domains are displayed. These should match what was set up previously in the SMTP server setup. (Figure M)
Figure M: Local mail domains
If message queuing is not installed the dialog will appear to install it. (Figure N) Windows will automatically install the service and may prompt for the CD media.
Figure N: Queuing
Next choose an installation directory (Figure O).
Figure O: Directory
Finally you are ready to install the software (Figure P).
Figure P: Install
The software will install and prompt to restart the SMTP service. (Figure Q) After the finish dialog you will be prompted to reboot.
Figure Q: Restart
Special installation note on Windows Server 2003 SP1
SP1 for Windows Server 2003 includes Data Execution Prevention (DEP) technology. This technology helps prevent malicious code from running on a server. DEP is turned on by default for all programs and services except those that the administrator selects. For MS to run properly the Mail Security Scanning Engine (GFISCANM.EXE) and the Kaspersky Virus Scanning Engine (KAVSS.EXE) must be added to the DEP exception list.
To configure the DEP exception list access the System applet in Control Panel. Click the Advanced tab and select Settings under the Performance group. Select the Data Execution tab. Click the radio button "Turn on DEP for all services and programs except those I select". (Figure S) Click Add, and browse to the files mentioned above. Click Apply and OK. Restart the GFI Content Security Updater Service and the GFI Mail Security Scan Engine.
Figure S: DEP
Managing MS
The biggest change to MS with version 9 is that all management is performed from a Web interface. Since this interface controls all of MS's settings, the Web interface is locked down by default. To set security for the GFI management site, GFI provides a tool located in the Mail Security program group called the Mail Security Switchboard. (Figure T) This tool allows security to be configured in Local mode, which restricts access to the local machine, or IIS mode, which allows access remotely.
Figure T: Switchboard
If IIS mode is selected, two URLs are displayed for accessing each tool. Further security can be set by clicking the Security button. (Figure U) Here you can configure who has access to the configuration tool and the quarantine tool.
Figure U: Access control
Once the Web Interface tool is launched you are presented with a browser security dialog. You must have a local account on the server if running in local mode, or if accessing the console remotely you must be given permission with the switchboard tool. In this example we will look at the full console which includes the Quarantine. The Web interface looks very much like an MMC based tool. (Figure V)
Figure V: GI Security
Let's take a look at each section and examine its function. The layout of the MS product is quite intuitive. The left pane contains the various parameters or "Engines" that can be configured and the right pane displays the configuration of each parameter. Many of the sections such as the Actions tab are the same in each section, so we won't repeat it for each section. Each section contains a General tab for enabling or disabling a specific engine. Most sections contain an Actions tab for determining what to do with an e-mail when a specific engine is triggered. The Actions tab choices are: Delete or Quarantine the e-mail, send a notification to the administrator, and/or the user, and to log an occurrence of each rule. Notification and logging are optional parameters.
Settings Section
Here general parameters are configured. Several of these parameters are configured during installation but can be modified here as needed. The General tab contains the administrator e-mail address. (Figure W) This address is used to send all notifications.
Figure W: General tab
The Updates tab (Figure X) allows selection of an update server from which to download AV and Trojan and Executables updates.
Figure X: Updates tab
The Local Domains tab (Figure Y) displays the local domains configured during installation and allows additional domains to be added as needed.
Figure Y: Local Domains tab
The SMTP Bindings tab (Figure Z) displays the Virtual server in IIS that MS is using. If more than one virtual server is present on the server you can select the server for MS to use.
Figure Z: SMTP Bindings tab
The User Manager tab (Figure AA) is the local management tool for managing e-mail users. If MS is installed in AD mode, then AD maintains the user list. If installed in SMTP mode, as in this example, then MS stores the user's e-mail address information. This information is used in defining e-mail "rules" for specific users or groups of users.
Figure AA: User Manager tab
Version Information
Selecting this branch displays information about the current version and provides a link to download updates as needed. The Licensing section contains the current license key information and provides the ability to update the key. (Figure CC)
Figure CC: License Key
The Content Checking Section allows configuration of content checking rules. In this area we can manage the rules by selecting a particular rule and configuring the order it's applied as well as enable and disable rules as needed. We will take a closer look at rule configuration in a later section. Content checking rules can be applied to both inbound and outbound e-mails.
The Attachment Checking section configures the attachment-checking engine within MS. The attachment checking section works very similarly to the Content checking section. Attachment checking can be configured to block and quarantine e-mails that contain a specific attachment as defined by the attachment checking rules. Attachment checking can be configured on both inbound and outbound e-mails.
The Virus Scanning Engines section (Figure FF) allows configuration of four different virus-checking engines. MS includes the Norman and Bit-Defender engines in the base product. McAfee and Kaspersky engines can be purchased as an add-on to the base product. This section displays the status of the four engines. Each engine can be disabled or enabled and the order in which they are applied can be set in this section.
Figure FF: Virus Scanning Engines
To further configure a particular engine, select it from the left pane or double click on the specific engine in the right pane. Each Engine is configured identically, so we will look at the Norman engine configuration as an example. Select the Norman engine and three tabs should appear. (Figure GG)
Figure GG: Norman engine
The General tab enables or disables the engine. The Actions tab allows configuration of a specific action when an e-mail triggers a virus engine. Each engine allows the following Actions: Delete or Quarantine the e-mail; Notify user or administrator and log occurrence of the event. At a minimum you must select to quarantine or delete the e-mail. If an e-mail is quarantined it must be later reviewed and approved or deleted by an administrator. Notification and logging are optional parameters.
The Updates tab configures the virus engine updates function. Updates can be set to download and install automatically, or download only and notify the administrator when the updates are ready to be installed. Additionally the update process can be invoked manually.
Decompression
The Decompression section (Figure JJ) configures the decompression engine. One common technique to make e-mail appear legitimate is to password protect a zip file and send it in an e-mail. MS offers six different checks for compressed files and each can be further configured by clicking the item and modifying the parameters as needed.
Figure JJ: Decompression
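The kind of inspection a decompression engine performs on a ZIP attachment, as an added example that is not GFI's implementation: it flags password-protected entries (bit 0 of the ZIP general-purpose flags), recurses into nested archives, and bounds depth and unpacked size so the scanner itself cannot be exhausted. The depth and size limits are assumed values rather than MS's own six checks, and the sample archives, including the patched "encrypted" flag, are constructed.

```python
import io
import zipfile
import zlib

MAX_DEPTH = 3                       # assumed policy: nesting levels allowed
MAX_UNPACKED = 10 * 1024 * 1024     # assumed policy: total declared unpacked bytes

def inspect_zip(data, depth=0):
    """Return a sorted list of findings for one archive, recursing into nested zips."""
    if depth > MAX_DEPTH:
        return ["too-deeply-nested"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt-archive"]
    findings, total = set(), 0
    with archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:
                # Encrypted entry: content cannot be scanned, so report it.
                findings.add("password-protected")
                continue
            total += info.file_size
            if total > MAX_UNPACKED:
                findings.add("unpacked-size-exceeded")
                break
            if info.filename.lower().endswith(".zip"):
                try:
                    inner = archive.read(info)
                except (zipfile.BadZipFile, RuntimeError, zlib.error):
                    findings.add("corrupt-archive")
                    continue
                findings.update(inspect_zip(inner, depth + 1))
    return sorted(findings)

def make_zip(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(zip_bytes):
    """Constructed sample: set the 'encrypted' flag bit in the last central
    directory entry to imitate a password-protected archive (the Python
    standard library cannot write real encrypted zips)."""
    patched = bytearray(zip_bytes)
    entry = patched.rfind(b"PK\x01\x02")   # central directory file header
    patched[entry + 8] |= 0x01             # flags field sits at offset 8
    return bytes(patched)

if __name__ == "__main__":
    locked = mark_encrypted(make_zip({"invoice.doc": b"constructed sample"}))
    print(inspect_zip(make_zip({"inner.zip": locked, "readme.txt": b"hi"})))
```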
Trojan and Executables
The Trojan and Executables section allows configuration of the Trojan and Executables Engine. This feature allows scanning and analyzing of any executable file to determine if it could be potentially dangerous. MS is able to decompile the executable and determine what its action might be. It compares its findings to a database of malicious activities and then assigns a risk level to the executable. To configure this section you determine the risk level at which you wish files to be stopped and then select an action to take when the scanner is triggered. The Trojan and Executable scanner can also be configured to automatically check for and update its database.
E-mail Exploit
The E-mail Exploit section allows configuration of the e-mail exploit engine of MS. An e-mail exploit is any program embedded in an e-mail that is designed to launch a program or take advantage of a vulnerability. The Exploit tool does not detect if an exploit is malicious, but rather assumes a security risk if an exploit is attempting to launch a command on a system. MS enables all known exploit detection by default. Individual exploit detection can be enabled or disabled as needed. Like all the other detection engines, the e-mail exploit engine can be configured to download and install updates automatically.
HTML Threat
The HTML Threat section allows configuration of the HTML Threat Engine in MS. The threat engine scans and "sanitizes" e-mails that have the MIME type set to text/html or any attachments with an .htm or .html extension. It removes embedded HTML scripts in e-mails, another known method of attack. The only configuration is enabling or disabling the engine and choosing to scan inbound and/or outbound e-mails.
Patch Checking
The Patch Checking section enables manually checking the GFI Web site for patches or updates for the MS product. Clicking the check for patches button will query the GFI server for any available patches. If any are available they will be listed in the right pane along with a link for downloading. If no patches are available a message is displayed indicating no patches are available.
Reporting
The Reporting section (Figure OO) is used to configure a backend database for gathering statistical information for all the e-mails processed or quarantined by MS. MS supports both a local MS Access database as well as the ability to connect to a SQL server. Unfortunately missing from the MS product is a front end for the database.
Real Time Monitor
The Real Time Monitor section allows viewing in real time what the MS engines are processing. This can be a great tool for troubleshooting. The auto refresh interval allows auto updates of processing information.
Configuring Rules for Attachments and Content
The Attachment Checking and Content Checking modules utilize the concept of "Rules" to process e-mails. Rules are created and then applied to inbound or outbound e-mails. Rules can be created based on specific criteria and can be enabled, disabled and applied in a specific order. The Attachment Checking and Content Checking sections both have a default rule enabled when the product is installed. These rules can be modified as needed, or you can create additional rules to suit your particular environment.
Let's take a moment to configure a rule. In this example, we will create a rule to check outbound e-mail for a specific combination of words. This rule will look for the words "patient" and "name" in all outbound e-mail. (In a hospital environment we are under the HIPAA privacy laws, which require that patient information be sent via secure methods. Normal SMTP e-mail is not secure.) This rule will stop any e-mails that are sent out that may contain patient information. We can then contact the sender of the e-mail and provide follow up training and suggest alternate methods for delivering the information.
Click the Add Rule button. On the General tab enter a name for the rule. (Figure QQ)
Figure QQ: Add Rule
Click the check box for outbound e-mail. Next click the Body tab. Type Patient and Click the AND button. Type Name, Click the Add Condition button. The Condition will now move to the Conditions list. (Figure RR) We will leave the subject section blank.
Figure RR: Conditions
Under the Actions tab we will set the action to Quarantine e-mail. If we wanted to apply this rule to specific users we could select them under the Users/Folders tab. For this example our rule is complete. Click Apply to finish the rule. The rule should now appear in the content checking window and be enabled.
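What the rule built above has to do to a message, sketched as an added example that is not GFI's implementation: decode every text part (base64 or quoted-printable, plain or HTML), apply the "Patient AND Name" condition to the decoded body, and quarantine only outbound mail. The local domain, the whole-word case-insensitive matching and the use of From/To/Cc headers to decide direction (a gateway would use the SMTP envelope) are assumptions, and the sample messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from html.parser import HTMLParser

LOCAL_DOMAINS = {"hospital.example"}   # assumed local mail domain
RULE_WORDS = ("patient", "name")       # the rule's body condition: Patient AND Name

class _Text(HTMLParser):
    """Collects the text nodes of an HTML part, dropping the markup."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def body_text(msg):
    """Decoded text of every non-attachment text/plain and text/html part."""
    texts = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() == "text/plain":
            texts.append(part.get_content())     # transfer encoding is undone here
        elif part.get_content_type() == "text/html":
            parser = _Text()
            parser.feed(part.get_content())
            parser.close()
            texts.append(" ".join(parser.chunks))
    return "\n".join(texts)

def _domains(msg, *headers):
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {a.rsplit("@", 1)[-1].lower() for _, a in getaddresses(values) if "@" in a}

def is_outbound(msg):
    """Assumption: local sender and at least one non-local recipient."""
    return bool(_domains(msg, "From") & LOCAL_DOMAINS) and \
        bool(_domains(msg, "To", "Cc") - LOCAL_DOMAINS)

def evaluate(raw):
    """Return 'quarantine' or 'deliver' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_outbound(msg):
        return "deliver"                          # rule is ticked for outbound only
    text = body_text(msg)
    hit = all(re.search(rf"\b{re.escape(w)}\b", text, re.IGNORECASE)
              for w in RULE_WORDS)
    return "quarantine" if hit else "deliver"

def sample(sender, rcpt, text, html=None, cte=None):
    """Build a constructed test message as raw bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "Follow-up"
    msg.set_content(text, cte=cte)
    if html:
        msg.add_alternative(html, subtype="html")
    return msg.as_bytes()

NURSE, CLINIC = "nurse@hospital.example", "dr@clinic.example"
OUT_B64 = sample(NURSE, CLINIC, "Patient name: Jane Doe (constructed)", cte="base64")
INBOUND = sample(CLINIC, NURSE, "Patient name: Jane Doe (constructed)")
OUT_ONE_WORD = sample(NURSE, CLINIC, "The patient was discharged.")
OUT_HTML = sample(NURSE, CLINIC, "See the HTML part.",
                  html="<p><b>Patient</b> <i>Name</i>: Jane Doe</p>")

if __name__ == "__main__":
    for raw in (OUT_B64, INBOUND, OUT_ONE_WORD, OUT_HTML):
        print(evaluate(raw))
```

The base64 sample shows why the condition has to run on decoded content: the word "Patient" never appears in the raw bytes of that message.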
Managing the Quarantine
All e-mails that are not deleted by a specific Engine are sent to the Quarantine. Quarantined e-mails must be reviewed by an administrator and then approved or deleted. MS offers two ways to manage the e-mail Quarantine. The administrator can work directly with the store from the MS console, or can receive an HTML e-mail form that allows approval or deletion of each item on an individual basis. Having worked with both methods in the past, I recommend working directly with the Quarantine store. With the e-mail notifications it can be very cumbersome to deal with each item individually. Working with the Quarantine store allows quarantined e-mails to be deleted or released en masse, a much quicker process.
Let's take a closer look at how the Quarantine works. The Quarantine section is broken down into four groups: Today, Yesterday, This Week and All E-mails. You can select any of these links to further group quarantined items. Clicking on the top Quarantine link will display statistics for each category as well as allowing searches for specific senders / recipients or specific quarantine reasons. (Figure UU)
Figure UU: Quarantine
In this example we will select all e-mails to display a list of everything in the Quarantine. Individual or multiple e-mails can be "checked" and then approved or deleted with the appropriate button on the top of the form. Clicking any section allows more detail to be displayed to further analyze if the e-mail should be approved or deleted.
The quarantine store also offers the ability to group quarantined e-mail by search folders. Search folders allow the administrator to group e-mails together by search criteria, such as e-mails that were quarantined because they contained a virus. Search folders allow the Quarantine store to be organized to make it easier for the administrator to manage.
Powerful tool
Mail Security when used together with its companion product Mail Essentials can be a powerful tool for any organization looking for a cost effective solution for protecting their organization from e-mail based threats. Like Mail Essentials, Mail Security is not a set it and forget about it product. The product must be initially configured and the Quarantine store must be managed on a daily or weekly basis depending on the size of the organization.