“old days” of e-mail administration you pretty much only had to worry
about the threat of viruses. Install a virus scanner and make sure it stayed
updated and you were pretty safe. Ah yes, the good old days.
we are bombarded by multiple attacks via e-mail. E-mails themselves can contain
malicious code, phishing scams can tempt users, and attachments may pass
through virus scanners even through they have the potential for harm. To combat
these threats we need a tool that can do more than just provide virus
protection. Mail Security from GFI is one such product. In the last download we
looked at GFI’s Anti-Spam product, Mail
Essentials (ME). This time around we will look at its companion product
Mail Security (MS), which picks up where ME leaves off.
key features of MS include:
- Multiple anti-virus scanning engines: MS ships with the Norman and
Bit-Defender AV Engines. In addition the MacAfee and Kaspersky
engines can be added for an additional fee. Current best practice dictates
having multiple AV Engines.
- Attachment checking and filtering: Rule based configuration of E-mail
attachment blocking. Rules can be applied to all users or specific users.
Attachments such as .exe and .vbs can
be stopped and quarantined. Additional files types can be added and
prevented from entering. Executables are also run through the Trojan
executable scanner to determine risk level.
- Content Filtering: Rule based e-mail filtering for detection of
confidential or offensive information. Can be configured on in or out
- Automated removal of HTML scripts: potentially harmful scripts
can be removed from HTML based e-mail.
- Decompression Engine: Zipped or archived files are decompressed and
examined for potential harmful content and password protection.
GFI is a UK based software company that focuses
on mail and security software. All of their products are available as a 30 day
fully functioning evaluation product. After the evaluation period the software
continues to function but with limited capabilities. The MS package can be downloaded
from the company Web site along with excellent documentation. The list price of
MS for unlimited mailboxes is $3,999 plus 20% yearly for software maintenance.
Reduced pricing is available for 25, 50, 100, 250, 500 and 1000 mailboxes. A
25-mailbox license is as little as $449 plus maintenance. Additional discounts
are available when you purchase the MS companion Anti-SPAM checking software
product Mail Essentials.
can be installed on a Windows 2000 Professional / Server / Advanced Server or
Windows 2003 Server / Advanced Server or Windows XP. The application requires
IIS, Microsoft .Net Framework 1.1, and the Microsoft Message Queuing Service.
Note: Recently GFI made some changes to
MS 9 which require it to be installed in SMTP Gateway mode. The original
release and prior versions allowed installation on the Exchange server. If you
must install MS on your Exchange server you must download version 8 from the
GFI Web site. This download will focus on version 9.0, although the
functionality of the two products is very similar. SMTP mode places MS on a
separate mail relay or gateway server.
I prefer the relay / gateway server option. I prefer to offload these tasks
from my Exchange server, allowing Exchange to just be Exchange. This
configuration also allows MS to work with other non Exchange SMTP servers.
However the gateway configuration requires the additional setup of a mail
SMTP gateway configuration
we must configure a separate mail gateway server for MS to be installed on.
This server will receive all inbound mail before the Exchange server ever sees
it. Lucky for us Microsoft IIS has a powerful built in SMTP server, designed to
handle large volumes of mail.
we are setting up a separate gateway server, the installation is slightly more
complicated. First thing we need to do is install IIS on the server if it’s not
installed, and set up SMTP within IIS. The GFI documentation does a good job of
explaining this but we will run through it here.
SMTP via Add Remove Programs | Windows programs. SMTP is a sub component of
IIS. In Server 2003 select Application Server | Internet Information Server
(IIS) and then select the SMTP option. (Figure A) Once installed the
Internet Information Services MMC is used to manage the server.
will configure the properties of the SMTP server. Open the IIS console and
expand the server node. The Default SMTP Virtual server should be present. Right
click and select properties. On the General tab assign an IP address to the
server. Next click the Access tab. Here we can configure authentication and
connection parameter. If you wish to configure secure communication between the
gateway and your primary server you can configure those setting here.
concern for this discussion is the relay tab. To keep the gateway from becoming
an open relay we want to specify which server or server can relay mail through
this server. Click the relay tab and then click add. You can specify an IP
address and group of servers of a domain. (Figure B) When completed your
servers IP should be listed.
the check box titled “Allow all computers which authenticate to relay
regardless, of the list above.” (Figure C)
will configure the SMTP server to relay mail to your primary mail server. Under
the Default SMTP server right click Domains and select New. Select the remote
option and click next. Enter the name of the mail domain in the next box. When
completed the IIS manager will list the local domain and your remote domain (Figure
click on the newly created domain and select properties. Select “Allow
incoming mail to be relayed to this domain” and “Forward all mail to
a smart host”. Enter the name of the primary server in square brackets
that will receive the mail. (Figure E)
have now configured the gateway server to relay mail to and from your primary
mail server. The next step is to configure the Exchange or other mail server to
relay mail to the newly configured gateway server. (In this example we will use
Microsoft Exchange, however in gateway mode installation ME can work with any
Exchange System Manager expand the properties of your SMTP connector. On the
general tab click the “Forward all mail through this connector to the
following smart hosts” radio button. Add the IP address, enclosed in
brackets of the newly configured server. (Figure F)
test the configuration. Send an e-mail from an internal address to an external
address such as a hotmail or yahoo account. Send a message in the reverse
direction to test connectivity both ways. If both messages are received you
have successfully set up the SMTP box to relay mail to and from your Exchange
or SMTP server.
Installing Mail Security
the SMTP relay is set up we can move on to installing the actual MS product.
Double clicking the download file will begin the extraction and setup process.
During the initial phase of installation, MS checks for an installation of IIS.
If IIS is not present the install will stop with the message IIS not installed.
If all dependencies are met the welcome screen is displayed. (Figure G)
setup first launches it gives you the chance to check for a newer build. GFI
releases new builds quite frequently, so if it’s been even a few days since you
downloaded the file go a head and select Check for a newer build of GFI Mail
Security on the GFI Web site,” otherwise select do not check for a newer
build and move on. (Figure H) The next screen prompts to accept the
license agreement to proceed.
I) Next enter the
admin e-mail account and license key. Since this is an evaluation, leave
evaluation as the key (Figure J)
the IIS setup. MS creates an IIS site used to manage the product. Accept the
default Web site name, virtual directory and SMTP server information. (Figure
K) If ASP.NET is not registered on the default Web site then a pop up will
appear asking to register ASP.NET with the Web server. (Figure L)
local mail domains are displayed. These should match what was set up previously
in the SMTP server setup. (Figure M)
|Local mail domains|
message queuing is not installed the dialog will appear to install it. (Figure
N) Windows will automatically install the service and may prompt for the CD
choose an installation directory (Figure O.)
Finally you are ready to install the software (Figure P).
software will install and prompt to restart the SMTP service. (Figure Q)
After the finish dialog you will be prompted to reboot.
Special installation note on Windows Server 2003 SP1
SP1 for Windows Server 2003 includes Data Execution
Prevention technology (DEP.) This technology helps prevent malicious code from
running on a server. DEP is turned on by default for all programs and services
except those that the administrator selects. For MS to run properly the Mail
Security Scanning Engine (GFISCANM.EXE) and the Kaspersky
Virus Scanning Engine (KAVSS.EXE) must be added to the DEP exception list.
To configure the DEP exception list access the
system applet in Control Panel. Click the advanced tab and select settings
under the performance group. Select the Data Execution tab. Click
the radio button: Turn on “DEP for all services and programs except those
I select”. (Figure S) Click Add, and browse to the files mentioned
above. Click Apply and OK. Restart the GFI Content Security Updater Service and
the GFI Mail Security Scan Engine.
biggest change to MS with version 9 is that all management is performed from a Web
interface. Since this interface controls all of MS settings the Web interface
is locked down by default. To set security for the GFI management site, GFI
provides a tool located in the Mail Security program group called the Mail
Security Switchboard (Figure T) This
tool allows security to be configured in Local mode, which restricts access to
the local machine, or IIS mode, which allows access remotely.
If IIS mode is selected, two URL’s are displayed for
accessing each tool. Further security can be set by clicking the Security
button. (Figure U) Here you can configure who has access to the
configuration tool and the quarantine tool.
the Web Interface tool is launched you are presented with a browser security
dialog. You must have a local account on the server if running in local mode,
or if accessing the console remotely you must be given permission with the
switchboard tool. In this example we will look at the full console which
includes the Quarantine. The Web
interface looks very much like an MMC based tool. (Figure V)
take a look at each section and examine its function. The layout of the MS
product is quite intuitive. The left pane contains the various parameters or “Engines”
that can be configured and the right pane displays the configuration of each
parameter. Many of the sections such as the Actions tab are the same in each
section, so we won’t repeat it for each section. Each section contains a
General tab for enabling or disabling a specific engine. Most sections contain
an Actions tab for determining what to do with an e-mail when a specific engine
is triggered. The Actions tab choices are: Delete or Quarantine the e-mail,
send a notification to the administrator, and/or the user, and to log an
occurrence of each rule. Notification and logging are optional parameters.
general parameters are configured. Several of these parameters are configured
during installation but can be modified here as needed. The General tab
contains the administrator e-mail address. (Figure W) Â This address is used to send all
Updates tab (Figure X) allows selection of an update server to download
updates for AV and Trojan and executables updates.
Domains tab (Figure Y) displays
the local domains configured during installation and allows additional domains
to be added as needed.
|Local Domains tab|
The SMTP Bindings tab (Figure Z) displays the Virtual server in IIS
that MS is using. If more than one server is present on the server you can
select the server for MS to use.
|SMTP Bindings tab|
User Manager tab (Figure AA) is the local management tool for managing e-mail
users. If MS is installed in AD mode, then AD maintains the user list. If
installed in SMTP mode, as in this example, then MS stores the user’s e-mail
address information. This information is used in defining e-mail “rules”
for specific users or groups of users.
|User Manager tab|
this branch displays information about the current version and provides a link
to download updates as needed. The Licensing
section contains the current license key information and provides the ability
to update the key. (Figure CC)
The Content Checking Section allows
configuration of content checking rules. In this area we can manage the rules by selecting a particular rule and
configuring the order it’s applied as well as enable and disable rules as
needed. We will take a closer look at rule configuration in a later section.
Content checking rules can be applied to both inbound and outbound e-mails.
The Attachment Checking section configures
the attachment-checking engine within MS. The attachment checking section works
very similar to the Content checking section. Attachment checking can be
configured to block and quarantine e-mails that contain a specific attachment
as defined by the attachment checking rules. Attachment checking can be
configured on both inbound and outbound e-mails.
The Virus Scanning Engines (Figure FF) sections
allows configuration of four different virus-checking engines. MS includes the
Norman and Bit-Defender engines in the base product. MacAfee and Kaspersky engines can be purchased as an add-on to the base
product. This section displays the status of the four engines. Each engine can
be disabled or enabled and the order in which they are applied can be set in
|Virus Scanning Engines|
further configure a particular engine, select it from the left pane or double
click on the specific engine in the right pane. Each Engine is configured
identically, so we will look at the Norman engine configuration as an example.
Select the Norman engine and three tabs should appear. (Figure GG)
The General tab enables or disables the
engine. The Actions tab allows
configuration of a specific action when an e-mail triggers a virus engine. Each
engine allows the following Actions: Delete or Quarantine the e-mail; Notify
user or administrator and log occurrence of the event. At a minimum you must
select to quarantine or delete the e-mail. If an e-mail is quarantined it must
be later reviewed and approved or deleted by an administrator. Notification and
logging are optional parameters.
The Updates tab configures the virus engine
updates function. Updates can be set to download and install automatically, or
download only and notify the administrator when the updates are ready to be
installed. Additionally the update process can be invoked manually.
The Decompression section (Figure JJ) configures
the decompression engine. One common technique to make e-mail appear legitimate
is to password protect a zip file and send it in an e-mail. MS offers six
different checks for compressed files and each can be further configured by
clicking the item and modifying the parameters as needed.
Trojan and Executables
The Trojan and Executables section allows configuration of the Trojan and
Executables Engine. This feature allows scanning and analyzing of any
executable file to determine if it could be potentially dangerous. MS is able
to decompile the executable and determine what its action might be. It compares
its finding to a database of malicious activities and the assigns a risk level
to the executable. To configure this section you determine the risk level that
you wish the files to be stopped and then select an action to take when the
scanner is triggered. The Trojan and Executable scanner can also be configured
to automatically check for and update its database.
The E-mail Exploit section allows
configuration of the e-mail exploit section of MS. An e-mail exploit is any
program embedded in an e-mail that is designed to launch a program or take advantage
of vulnerability. The Exploit tool does not detect if an exploit is malicious,
but rather assumes a security risk if an exploit is attempting to launch a
command on a system. MS enables all known exploit detection by default.
Individual exploit detection can be enabled or disabled as needed. Like all the
other detection engines, the e-mail exploit engine can be configured to
download and install updates automatically.
The HTML Threat section allows configuration
of the HTML Threat Engine in MS. The threat engine scans and “sanitizes”
e-mails that have the MIME type set to text/html or any attachments with an .htm or .html. It removes embedded html scripts in e-mails â€”
another known method of attack. The only configuration is enabling or disabling
the engine and choosing to scan inbound and or outbound e-mails.
The Patch Checking section enables manually
checking the GFI Web site for patches or updates for the MS product. Clicking
the check for patches button will query the GFI server for any available
patches. IF any are available they will be listed in the right pane along with
a link for downloading. IF no patches are available a message is displayed
indicating no patches are available.
The Reporting section (Figure OO) is
used to configure a backend database for gathering statistical information for
all the e-mails processed by quarantined by MS. MS supports both a local MS
Access database as well as the ability to connect to a SQL server.
Unfortunately missing from the MS product is a front end for the database.
Real Time Monitor
The Real Time Monitor section allows viewing
in real time what the MS engines are processing. This can be a great tool for
troubleshooting. The auto refresh interval allows auto updates of processing
Configuring Rules for Attachments and Content
Attachment Checking and Content Checking modules utilize the concept of “Rules”
to process e-mails. Rules are created and then applied to inbound or outbound e-mails.
Rules can be created based on specific criteria and can be enabled, disabled
and applied in a specific order. The Attachment Checking and Content Checking
sections both have a default rule enabled when the product is installed. These
rules can be modified as needed, or you can create additional rules to suit
your particular environment.
take a moment to configure a rule. In this example, we will create a rule to
check outbound e-mail for a specific combination of words. This rule will look
for the words “patient’ and “name.” in all outbound e-mail (In a
hospital environment we are under the HIPAA privacy laws which require that
patient information be sent via secure methods. Normal SMTP e-mail is not
secure.) This rule will stop any e-mails that are sent out that may contain
patient information. We can then contact the sender of the e-mail and provide
follow up training and suggest alternate methods for delivering the
the Add Rule button. On the General tab enter a name for the rule. (Figure
Click the check box for outbound e-mail. Next click
the Body tab. Type Patient and Click the AND button. Type Name,
Click the Add Condition button. The Condition will now move to the Conditions
list. (Figure RR) We will leave the subject section blank.
Under the action tab we will set the action to
Quarantine e-mail.If we wanted to apply this rule to specific users we
could select them under the Users/Folders tab. For this example our rule is
complete. Click Apply to finish the rule. The rule should now appear in the
content checking window and be enabled.
Managing the Quarantine
All e-mails that are not deleted by a specific
Engine are sent to the Quarantine. Quarantine e-mails must be reviewed by an
administrator and further approved or deleted. MS offers two ways to manage the
e-mail Quarantine. The administrator can work directly with the store from the
MS console, or can receive an HTML e-mail form that allows approval or deletion
of each item on an individual basis. Having worked with both methods in the
past, I recommend working directly with the Quarantine store. The e-mail notifications
can be very cumbersome to deal with each item individually. Working with the
Quarantine store allows quarantined e-mails to be deleted or released in mass,
a much quicker process.
Let’s take a closer look at how the Quarantine
works. The Quarantine section is broken down into four groups: Today,
Yesterday, This Week and All E-mails. You can select any of these links to
further group quarantined items. Clicking on the top Quarantine link will
display statistics for each category as well as allowing searches for specific
senders / recipients or specific quarantine reasons. (Figure UU)
In this example we will select all e-mails to
display a list of everything in the Quarantine. Individual or multiple e-mails
can be “checked” and then approved or deleted with the appropriate
button on the top of the form. Clicking any section allows more detail to be
displayed to further analyze if the e-mail should be approved or deleted.
The quarantine store also offers the ability to
group quarantined e-mail by search folders. Search folders allow the
administrator to group e-mails together by search criteria, such as e-mails
that were quarantined because they contained a virus. Search folders allow the
Quarantine store to be organized to make it easier for the administrator to
Security when used together with its companion product Mail Essentials can be a
powerful tool for any organization looking for a cost effective solution for
protecting their organization from e-mail based threats. Like Mail Essentials,
Mail Security is not a set it and forget about it product. The product must be
initially configured and the Quarantine store must be managed on a daily or
weekly basis depending on the size of the organization.