
Email Gateway

4 Posts authored by: Debra Harper

I'll admit it: regexes are NOT my best subject.  I have written very, very simple ones before, but I really prefer to find them already written that I can repurpose, because I just don't think I'm good at writing them.  They seem deceptively simple, but I've been in support long enough to realize that writing a good one may possibly be an art.  I audit a fair number of service requests in a month, and I was seeing a trend, so I decided to share some generalizations about using regexes in MEG.  If you're not familiar with what a regex even is, then I will quote Wikipedia and define it as a "sequence of characters that forms a search pattern, mainly for use in pattern matching with strings, or string matching, i.e. 'find and replace'-like operations".

 

Anyway, I frequently see cases where someone has decided to use a regex in a dictionary in MEG's compliance area.  I also see cases where folks have attempted to write one to match a US Social Security number (SSN) and it's not turning out quite the way they would like.  Engineering has included one on the box already, but since it's under the 'Language N/A' section, it's possibly going unnoticed amongst the plethora of prebuilt regexes in that section designed to hit on identification numbers of all kinds.  These selections don't shout to the rafters that they are regexes, but under the hood, that's exactly what they are.  So, my advice would be just to use one of the prebuilt ones if at all possible.

 

Assuming that you can't find a prebuilt one that does what you want, and you decide to write one, and it doesn't behave exactly the way you expected, you're going to be tempted to call support and see if we can help you with it.  While support cannot write it for you, we are happy to show you where to enter it in the UI, and we can often help you determine whether there is a better way to accomplish what you are attempting.

 

In upcoming releases, I think we will see even more possibilities for using regular expressions emerging in other sections of the product besides just in the compliance dictionaries, so the topic might be coming up more often.  Because of that, I asked MEG's engineering team if they had a primer they swore by when they wrote regexes, and they did.  They recommended http://perldoc.perl.org/perlrequick.html and http://perldoc.perl.org/perlretut.html as references to get started and/or become more proficient at writing regular expressions.  If this is something you need to write to accomplish your objective, I second engineering's recommendation to start with these links, and get started "expressing" yourself.
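
An added illustration of why a hand-written SSN pattern often misbehaves, not code from this post or from MEG: a naive pattern beside a tightened one, run over constructed sample lines. It assumes a Perl-compatible regex flavor with lookarounds; MEG's prebuilt SSN regex is not shown in the post and may differ.

```python
import re

# Naive pattern: three, two and four digits separated by hyphens.
NAIVE = re.compile(r"\d{3}-\d{2}-\d{4}")

# Tightened pattern (an illustration, not the regex shipped with MEG):
#  - (?<![\d-]) and (?![\d-]) reject matches inside longer digit/hyphen runs
#  - the area (first 3 digits) is never 000, 666 or 900-999
#  - the group (middle 2) is never 00; the serial (last 4) is never 0000
STRICT = re.compile(
    r"(?<![\d-])"
    r"(?!000|666|9\d\d)\d{3}-"
    r"(?!00)\d{2}-"
    r"(?!0000)\d{4}"
    r"(?![\d-])"
)

# Constructed sample lines for testing a compliance dictionary entry.
SAMPLES = [
    "Employee SSN: 123-45-6789 on file",     # SSN-shaped value
    "Order ref 5551-123-45-67890 shipped",   # digits embedded in a longer ID
    "Placeholder 000-12-3456 in template",   # invalid area 000
    "Test record 666-12-3456",               # invalid area 666
    "Tax ID 912-34-5678",                    # 9xx area is never an SSN
    "Form shows 123-00-6789",                # invalid group 00
    "Form shows 123-45-0000",                # invalid serial 0000
]

def hits(pattern, lines):
    """Return every substring the pattern matches across the given lines."""
    return [m.group(0) for line in lines for m in pattern.finditer(line)]

if __name__ == "__main__":
    print("naive :", hits(NAIVE, SAMPLES))
    print("strict:", hits(STRICT, SAMPLES))
```

The naive pattern fires on every sample line, which in a compliance policy means false-positive quarantines; the tightened one fires only on the first.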

Sometimes, it's easy to get a touch overwhelmed.

 

Do you know the feeling?  You have so much data coming at you that sometimes you just want a summary that you can print out, take away from your desk and spread out on a table to peruse while you have a snack....

 

Okay, I'm kidding, a little, but the other day a customer asked, "I would like a way to print out my configuration."

 

I don't know whether or not a snack was required, but our customer thought we might need to put in a product enhancement request for this.

 

Happily, we don't!  McAfee Email Gateway comes with a built-in configuration report under System > System Administration.  About halfway down that screen is the option to produce a Configuration Report.  You will need to have popups enabled on your browser for the appliance's IP, because the report is an HTML report that does pop up.  A Table of Contents is populated with links to the appropriate place in the full document to find the specific information you seek.  Following is an example ToC from a 7.0.0 lab appliance (the links do not work from this post, they are for illustration only, to show you the information that is included on the report):

 

Table of Contents

Appliance Setup
Basic Settings
Network Interface Settings
DNS and Routing
Remote Access
Time and Date
Database maintenance
Configuration Push
Role-based User Accounts
Group Management
Directory Services
Policy Groups
Logging, Alerting and SNMP
SNMP Monitor Settings
SNMP Alert Settings
Email Alerting
System Log Events
Component Update Configuration
Spam Update Settings
McAfee GTI Web Categorization Database Update Settings
Anti-Virus Update Settings
Automatic Package Updates
SMTP
Configuration
Protocol Presets
policy test1
Default
Scanning Policies
Default Web Mail Client policy
SWD
Default policy
Queued email delivery
Delivery settings
Physical Host
POP3
Quarantine Configuration
Miscellaneous
Transparent Settings
Operating System Settings
Miscellaneous Network Settings
SNMP

Report Information.

Generation time: Mon Jan 20 13:47:15 UTC 2014 (Mon Jan 20 13:47:15 UTC 2014)
Appliance version: Email Gateway (4500) v7.0
Build number: 2151.108 WS_9_0_20120218_2000_108

 

 

A sample expansion of the DNS and Routing Section looks like this:

 

DNS and Routing

DNS Servers

Only send queries to these servers: true

Table 3. Servers

Address
172.27.12.16


Network Routing

Dynamic routing enabled: false
Static routes: No values

 

 

So without digging through screens, it's quick and painless to figure out the answer to questions like, "What DNS server is this appliance using?" or other configuration questions that might arise while troubleshooting or even just doing the day to day administration of the appliance.


As you can see, the report is really quite comprehensive, and it provides administrators with another way to document their system configurations, or to compare one appliance configuration with another.  Over time, an administrator will sometimes get a feeling that one appliance has something a bit different about it that is causing it to behave differently, and the system configuration report is a tool that can be used to prove or disprove this as well.  Again, the output is HTML, so it can be saved or printed out.
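
One way to do the appliance-to-appliance comparison described above, as an added example that is not part of the product or the original post: flatten two saved reports to text lines, drop the generation timestamp, and list only the settings that differ. The HTML layout of the report is an assumption; the sample reports are constructed, with labels taken from the DNS and Routing excerpt.

```python
import difflib
from html.parser import HTMLParser

class ReportText(HTMLParser):
    """Flatten a saved report into one text line per row, heading or paragraph."""
    BLOCK = {"tr", "p", "li", "h1", "h2", "h3", "h4"}

    def __init__(self):
        super().__init__()
        self.lines, self._buf = [], []

    def handle_data(self, data):
        self._buf.extend(data.split())

    def handle_endtag(self, tag):
        if tag in self.BLOCK and self._buf:
            self.lines.append(" ".join(self._buf))
            self._buf = []

# Changes on every run, so it is excluded from the comparison.
VOLATILE = ("Generation time",)

def report_lines(html):
    parser = ReportText()
    parser.feed(html)
    parser.close()
    return [l for l in parser.lines if not l.startswith(VOLATILE)]

def config_drift(html_a, html_b):
    """Return (appliance, line) pairs for settings present on only one side."""
    a, b = report_lines(html_a), report_lines(html_b)
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    drift = []
    for op, i1, i2, j1, j2 in sm.get_opcodes():
        if op != "equal":
            drift += [("A", l) for l in a[i1:i2]] + [("B", l) for l in b[j1:j2]]
    return drift

# Constructed sample reports; the markup is assumed, not MEG's actual output.
ROW = "<tr><td>{}</td><td>{}</td></tr>"
def sample(addr, dynamic, stamp):
    return ("<h2>DNS and Routing</h2><table>" + ROW.format("Address", addr)
            + ROW.format("Dynamic routing enabled", dynamic) + "</table>"
            + "<p>Generation time " + stamp + "</p>")

REPORT_A = sample("172.27.12.16", "false", "Mon Jan 20 13:47:15 UTC 2014")
REPORT_B = sample("192.0.2.53", "true", "Tue Jan 21 09:00:00 UTC 2014")
```

Calling `config_drift(REPORT_A, REPORT_B)` returns the DNS address and dynamic routing lines from each side; two reports that differ only in generation time return an empty list.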

 

Our customer was pleased to be able to print a full configuration report, saying that was exactly what they'd been looking for, so I thought pointing it out would serve as a pleasant reminder to some, and if you didn't know it was there, it's a new feature to you, and one we hope you find enjoyable and useful.

One of the more complex tasks that email administrators face is keeping the email coming in and out of their organizations compliant with regulations and internal policies.

 

In the McAfee Email Gateway (MEG), one of the primary tools used to achieve this is the content security engine, or CSE.  The CSE's function is to extract textual content and filter it.  The companies who develop content extraction and filtering engines have concentrated their resources into making these products world class, and McAfee licenses this capability.  Generally speaking, the engines I have worked with, while quite good at what they do, are occasionally going to run into a problem extracting text from a given file, or sometimes even from a new type of file.  This occurs because as application software evolves, it involves greater feature complexity and sometimes even fundamental file format changes.  When these applications deploy, and the resulting files start being passed around via email, sometimes we find that an engine may not be extracting and/or filtering that content properly.

 

In the MEG, the CSE is responsible for file filtering, compliance, and image filtering, so any email that is filtered by any of these types of policies is being scanned by the CSE.  Prior to version 7.6.0, a failure to properly scan was frequently accompanied by segmentation violations, also sometimes called SEGVs.  Continual resubmission of the email by the sending server sometimes led to conditions where appliance memory and CPU became overutilized.  To combat this problem, 7.6.0 implemented the "Unscannable Content" feature, which wraps the CSE with the capability to detect this condition, identifies the offending content, retries a user-configurable number of times, and quarantines it (by default) to a special queue for unscannable content if it continues to fail through the allowed number of iterations.  This is preferred behavior because a message containing content that fails to be completely filtered would not normally be allowed to be delivered by policy, but rather should be quarantined for administrator inspection.  The problem is that in some cases an administrator either finds the number of such failures unacceptable or feels the engine should have been able to extract and filter the content without error.  Note that there is not an absolute correlation between file type and success or failure; in other words, one .pptx file may process gracefully through the MEG appliance while another .pptx may not.  It seems to depend more upon the component complexity of the individual files than on file type.  It goes almost without saying then (but I will say it), that yes, we might identify and fix one .xlsx issue for you today, and might find a different issue next month, or six months from now, because neither we nor the CSE vendors can predict with absolute certainty what new things might start to cause a problem with the engine without your help, and this is where you can assist.

 

In these cases, there is little we can do without the offending email or attachment.  If you suspect the CSE is not working right with a given file, or kind of file, you should open a case with support, and provide a sample that we and the vendor can work with if necessary.  We will use the sample to replicate the problem, and to test any fix we may receive from the CSE vendor.  We may, under some circumstances, also need to allow the vendor to use it to replicate the problem and to unit test and QA their fix.  Please be patient; if the vendor has to provide a fix, we will have to incorporate it into our own release schedules.

 

As mentioned, versions 7.6.0 and above do provide some relief from the worst side effects of this, plus an easy way for an administrator to download a copy of the offending email from the user interface so it can be submitted.  Applying the latest patch releases for your platform is always highly recommended, and will incorporate the latest and most effective content security engines.

 

Additional information is available in the October 16th post in this blog, entitled "New Unscannable Content Feature in MEG 7.6", and also in the following KnowledgeBase articles:

 

KB79035 Email Gateway 7.6: Unscannable content detection feature

KB79617 McAfee Email Gateway Unscannable Content and Segmentation Violations

As the holiday season approaches, which is a time when we typically see more spam activity than at other times of the year, it's a good time to remember the McAfee Customer Submission Tool.

If you are not familiar with MCST, it's a plugin for Microsoft Outlook, supporting Outlook 2010 and below, that allows easy, user-friendly methods of working with actual emails to customize a user's experience and diminish administrator load.  It can help you reduce the amount of unwanted email (or spam) that you receive, while helping to ensure that the mail you do wish to receive gets through.

 

How does it work?  Extra buttons or menu entries become available when you read your email.  These allow you to:

 

• Submit email samples to McAfee Labs for further analysis
• Submit email samples to McAfee Quarantine Manager to help prevent further spam
• Submit unwanted email that was not categorized as spam (or phish)
• Submit email that was wrongly categorized as spam (or phish)
• Delete the email message optionally after the submission
• Add a spam sender’s email address to the blacklist to prevent more spam
• Add a sender’s email address to a whitelist to prevent further email from that sender being wrongly categorized as spam or phish
• Add all the email addresses in your Microsoft Outlook Contacts folder to a whitelist, to prevent emails from known contacts being wrongly categorized as spam or phish
• Access the tool using the buttons available in the standard toolbar and the entries available in the Actions menu or the ribbon interface in Outlook 2010.

 

And best of all - it's free!  You can download either the 32 bit or 64 bit version from http://www.mcafee.com/us/downloads/free-tools/customer-submission-tool.aspx.  On the right side of the page is a box listing "McAfee Customer Submission Instructions" in the eight languages McAfee Email Gateway supports.  Clicking on your language will allow you to download a Product Guide and a supplemental Readme.  Both are very helpful and informative.
