A strange problem found in our newly set up Exchange farm. GSE 7.01 is installed on the hub servers running on Exchange 2007 SP2, Win2k8 SP2 server. Only transport scanning is enabled and only AV is enabled. The rest of the settings are disabled (file filtering, corrupt content, etc.), as the policy is set to allow through.
Everything is working fine and EICAR is also getting detected. However, mails sent from OWA by internal users to internal or external users are being dropped. Checking the Exchange troubleshooting wizard suggests that it is being dropped by the McAfee tx agent.
Troubleshooting done so far was to disable transport scan and enable VSAPI. The OWA mails went through; however, as expected, EICAR wasn't getting detected on the hub server.
Had opened a case with McAfee a week before. Yet to get an in-depth analysis of the issue.
We have decided not to install GSE on the mailbox servers, as all the mails would be sent and received via the hub.
The issue doesn't always happen and is only for OWA users as of now. The rest of the settings just work fine.
Are you seeing any errors in the app log for GroupShield?
Is it easily repro'd?
How often is this occurring?
I would suggest enabling pipeline tracing to see the mail flow of the emails. This will show you whether the email is getting past the McAfee agents or not.
Along with the pipeline tracing, you can also enable a type of message tracking for GroupShield. What this log will show is when we receive the email and when we process the email. It will show whether we deleted the email or sent it through as clean.
See KB66204, "Enabling eServices scanner debug logging in GroupShield 7.x for Microsoft Exchange".
Just make sure to turn off both logging options after the issue has been replicated.
It was suggested that I change the gateway entry as per KB 51109. I have tried that on 1 hub server and it seems to be working as expected. I am planning to try it on the next hub server and see if that would help. If so, I would consider that a solution.
If not, I will try the KB you have mentioned for the analysis.
That would indicate the emails are causing a trigger action in GroupShield. By default on hub servers, the action GSE will take for any detection is to delete the email, regardless of what the actual setting is in the GUI. The gateway reg key allows GroupShield to use the actual action setting that is set in the GUI instead of automatically deleting the email. You shouldn't have to do any other troubleshooting, since it sounds like the issue has been resolved.