3.8 Configuring Antivirus Scanning

To work with MailMarshal, an antivirus product must offer a command-line interface or be supported by a custom MailMarshal DLL. The scanner must return a documented response indicating whether or not a virus is detected. Most commercially available virus scanners meet these specifications. For more information about supported antivirus products, see Trustwave Knowledge Base article Q10923.

To allow MailMarshal to use your antivirus product to scan email for viruses, first exclude specific MailMarshal folders from virus scanning. The MailMarshal Engine service does not run if an antivirus product scans these folders. Then, you must configure MailMarshal to use the antivirus product you installed.

3.8.1 Excluding Working Folders From Virus Scanning

MailMarshal uses a number of folders to process and quarantine email messages, possibly including virus-infected messages. MailMarshal will not operate if these folders are scanned by an antivirus or anti-malware product.

To prevent scanning these working folders, you must configure your scanning products to exclude specific working folders on every MailMarshal Server. You must exclude these working folders even if you do not configure MailMarshal to scan for viruses using the antivirus product. If the virus scanner does not have the facility to exclude the appropriate folders, you must disable on-access scanning completely for that scanner.

Some scanners also automatically enable an Internet protection feature. In this case, disable the Internet protection option in addition to disabling the on-access scanning option.

MailMarshal checks for resident file scanning by writing the eicar.com standard test virus file (not a real virus) in each of the folders that must be excluded from scanning. If any copy of the test file is removed by a resident scanner, or if MailMarshal is denied access to the files, the MailMarshal Engine service on the Server does not start and MailMarshal sends an email notice to the administrator.

If the check succeeds, MailMarshal deletes copies of the eicar.com file, preserving the original in the Unpacking\avcheck folder.

By default, the MailMarshal setup program creates working folders in the MailMarshal installation folder. If you choose a different folder name or drive location when you install the product, you must exclude the folders in your specified installation location.

You can verify the location of these folders by running the MailMarshal Server Tool from the MailMarshal Tools group in the MailMarshal program group on each Server. Click the Folders tab to see the folder locations. For more information, see “Changing Folder Locations”.

For information about excluding folders from on-access scanning, refer to your antivirus product documentation. For example, in Network Associates NetShield, you can specify exclusions using the Exclusions tab in Scan Properties.

In your antivirus scanning product control panel, exclude the following MailMarshal folders from virus scanning:

C:\Program Files\Trustwave\Secure Email Gateway\Quarantine

C:\Program Files\Trustwave\Secure Email Gateway\Queues\Decryption

C:\Program Files\Trustwave\Secure Email Gateway\Queues\Incoming

C:\Program Files\Trustwave\Secure Email Gateway\Unpacking

MailMarshal uses folders in the Quarantine folder to store messages, including those quarantined by virus scanning rule actions. The product stores email in the Queues\Decryption and Queues\Incoming folders pending processing.

MailMarshal copies files to the Unpacking folder to scan for viruses. If an antivirus scanner finds and removes a file in the Unpacking folder before MailMarshal scans for viruses, MailMarshal may determine the file is virus-free and deliver the email with the virus still present.
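
The resident-scanning check described above can be reproduced by hand while the MailMarshal Engine service is stopped. The following PowerShell script is an added example, not part of MailMarshal or of the original guide. It assumes the default installation path listed above; the probe file name avprobe-eicar.com and the wait time are hypothetical choices.

```powershell
# Added example: probe the MailMarshal working folders for resident (on-access) scanning.
# $Root is the default installation path from this section; pass your own if you installed elsewhere.
param(
    [string]$Root = 'C:\Program Files\Trustwave\Secure Email Gateway',
    [int]$WaitSeconds = 5
)

# Standard EICAR test string (not a real virus), assembled from two parts so that
# a resident scanner does not quarantine this script itself.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# The four folders this section says must be excluded from scanning.
$folders = 'Quarantine', 'Queues\Decryption', 'Queues\Incoming', 'Unpacking'

$results = foreach ($rel in $folders) {
    $dir   = Join-Path $Root $rel
    $probe = Join-Path $dir 'avprobe-eicar.com'    # hypothetical probe file name
    $state = 'Excluded'
    try {
        [System.IO.File]::WriteAllText($probe, $eicar, [System.Text.Encoding]::ASCII)
        Start-Sleep -Seconds $WaitSeconds           # give an on-access scanner time to react
        if (-not (Test-Path -LiteralPath $probe)) {
            $state = 'Scanned (probe removed)'
        } elseif ([System.IO.File]::ReadAllText($probe) -ne $eicar) {
            $state = 'Scanned (probe altered)'
        }
    } catch {
        # A missing folder, a blocked write or a blocked read all end up here.
        $state = "Blocked: $($_.Exception.Message)"
    } finally {
        # Always clean up so no test file is left in a live queue folder.
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Folder = $dir; Result = $state }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code if any folder is still being scanned or is inaccessible.
if ($results.Result -ne 'Excluded') { exit 1 }
```

Any folder reported as Scanned or Blocked still needs an exclusion in the antivirus product before the MailMarshal Engine service will start.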

3.8.2 Configuring MailMarshal to Use an Antivirus Product

If you have installed MailMarshal as an array with more than one Server, you must make the same virus scanners available on all MailMarshal Servers. You can make a scanner available by installing the software on the MailMarshal Server, or in some cases by installing the virus scanner software remotely and configuring MailMarshal to access it.

If you install command line virus software on more than one MailMarshal Server, you must install it in the same location (same drive letter and folder) on each Server.

To configure virus scanning in MailMarshal:

1. Ensure you have installed one or more supported virus scanners on each MailMarshal Server computer, following the manufacturer's instructions.

2. Ensure the scanner does not perform on-demand scanning of the MailMarshal excluded folders. For more information, see “Excluding Working Folders From Virus Scanning”.

3. Access the MailMarshal Management Console website.

4. In the left pane, under Configuration, expand Policy Elements.

5. In the right pane menu list, click Virus Scanners.

6. In the left pane of the Management Console, click Policy Elements, and then select Virus Scanners.

7. Click Add.

Note: For detailed guidance on adding scanners, click Help.

8. Select your antivirus scanner from the list.

9. If you are configuring a command line scanner, in the Path field, enter the location of the antivirus scanner program, such as c:\McAfee\Scan.exe.

10. If your command line scanner is not in the list and you selected New Command Line, specify the additional details required. For assistance see Help.

11. Click Save to add the virus scanner. MailMarshal will test the action of the scanner on each installed MailMarshal email processing server.

12. If you plan to use more than one virus scanner, repeat Steps 7 through 11 for each scanner.

Trustwave MailMarshal 10.1.0 User Guide March 2024
Full document: see MailMarshal Documentation.