nwfban
Level 7
Message 1 of 20

Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Hi everyone,

I'm new to this site, and pretty new to McAfee products.

Just a quick intro, our UK business was using SOPHOS for anti-virus and anti-spam (on Exchange), however since a buyout from an American company last year, we have now had to follow their policy and install McAfee on our systems.

We have successfully installed GroupShield for Exchange and updated to SP1 and PATCH1 (Product version 7.0.1309.100)

I am having a few configuration issues which are probably easily solved, although I'm not too sure where to look in the configuration options!!

We have GroupShield set for Content Filtering and applied the Medium and High rules to the Master Policy (On-Access)

However, a lot of internal email is being stopped due to some random content rules!

How can I configure it so that any internal email is not scanned for content? This was possible on our old system but I appreciate this may not be possible on the new system. Currently we are having to drop into the Quarantine Manager and check the filter every few hours.

I did find some white lists under "Gateway" - "Core Anti-Spam settings" , however when I set @ourdomain.com as a whitelisted receiver, it meant all spam was coming through to the users!  If I set @ourdomain.com as a whitelisted sender, the email still gets blocked because of the recipient.....

This then brings me onto my next question.

We have configured Quarantine Manager 7 on another server.  I have linked this to GroupShield and it quarantines based on the rules I have set.

If we "Release" email, the email goes to the recipient, but the button for Saving or the link to View is missing.  This is how it looks:

Local Actions

Your Administrator has released this withheld e-mail message for you to examine. To view this data as Plain Text, click 'View File'. To save the data to your local disk for later viewing, click 'Save'. If your e-mail program does not allow you to do this, save the message in HTML format on your local drive. Then open the message with Microsoft Internet Explorer (version 5.5. or above), and click 'Save' again to save the data to disk.

View File as Text:

Save File To Local Drive:

[          ]

I appreciate any help to these two questions

Kind Regards,

Luke

Message was edited by: nwfban on 04/08/11 10:14:34 CDT
Accepted Solutions
Reliable Contributor Aidan
Message 2 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Content Scanning - in the policy manager - hit the Create Sub-Policy - give name - select "All of the rules apply" - then add "SMTP address of Sender e-mail is" and "SMTP recipient e-mail address is" - specify *@yourdomain.com for both ... (this can also be AD groups etc.), then set that sub-policy with content turned off (or with a different set of content rules). This would mean that mail sent from your domain to your domain will use a different policy. Mail sent from your domain to outside and mail sent from outside to your domain will still use the original policy.

Also in GSE 7x it's difficult to determine which words caused the trigger - this is changed in next release MSME 7.6 - coming soon - this has entry column in detected items for "Banned Phrase" so you can tell what triggered the quarantine action.

For the Released items this is the format it is released in - on GSE machine if you access registry at:

HKEY_LOCAL_MACHINE\Software\McAfee\Groupshield for Exchange

Look for DWORD "ReleaseMailAsEML" and change from 1 to 0

Restart the McAfee Groupshield Service.

Now mails can be released in MSG format compatible directly with Outlook.

If running GSE701 P1 with MQM then advice would be to install GSE701 P1 Rollup 1 for the following Resolved Issue  :-

8. ISSUE:

GroupShield for Exchange fails to quarantine emails in McAfee Quarantine Manager, if the file size is greater than 20KB.

Reference ID: 647050

19 Replies
Reliable Contributor Aidan
Message 3 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Oh .... the Rollup 1 is available at McAfee Site for download with your grant number.

nwfban
Level 7
Message 4 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Excellent, thanks for the quick answers!

Quarantine Release is now working perfectly, fantastic thanks.  That was getting annoying as the "fix" I had was to download and save the *.eml file, remotely copy it to desktop then drag and drop it into outlook!

Good news about the content that actually causes the trigger - some rules have had me scratching my head working out which word caused it!

Out of interest, I notice in some of the rules there are "complex" - for instance there's one that's rect*

Does this mean if this rule is set, any word starting with rect will cause the email to be blocked, for example rectify?

I'll do the sub-policy in the morning, I never even thought of that, but again thanks for the help as I can see that will fix the problem (and I can also then add all of our domain email accounts globally as accepted senders)

Again, thanks!

Luke

Reliable Contributor Aidan
Message 5 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Well a complex phrase has like a base element such as you state rect* but it also has a section on "additional" criteria which will make GSE look at any word starting with "rect" BUT will investigate it further based on the additional criteria. Rectify itself would not be triggered on.

nwfban
Level 7
Message 6 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

I thought it best to reply to this email as the issue is from whitelisting our domain email (I think)

We are receiving spam where the sender is spoofed as an internal address.

As per Aidan's advice, I did the following to stop mail sent internally from being content / spam checked:

"Content Scanning - in the policy manager - hit the Create Sub-Policy - give name - select "All of the rules apply" - then add "SMTP address of Sender e-mail is" and "SMTP recipient e-mail address is" - specify *@yourdomain.com for both ... (this can also be AD groups etc.), then set that sub-policy with content turned off (or with a different set of content rules). This would mean that mail sent from your domain to your domain will use a different policy. Mail sent from your domain to outside and mail sent from outside to your domain will still use the original policy."

An example header:

From: Rolex.com <luke.argent@witwoods.com>

To: <luke.argent@witwoods.com>

Subject: Rolex For You Now -04%

So it's spoofing my email address as the sender.

To temporarily get around this, I've added Rolex.com to the black-list, but there's other emails coming into our users that are spoofing the sender address as an internal address and I'd rather just find a way to stop this entirely without having to try and add key words from each email all of the time.

Any help appreciated.

EDIT: Just noticed that Exchange Security 7.6 is available on my download page.  Going to uninstall Groupshield and install ES, I'm assuming that's the replacement for GS?

Message was edited by: nwfban on 05/10/11 03:24:37 CDT

Message was edited by: nwfban on 05/10/11 03:24:52 CDT
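
The example header above matches the internal-to-internal sub-policy because both addresses fit `*@yourdomain.com`, even though the message came from outside. The sketch below is an added example, not code from the thread or from McAfee: it models that rule and adds an origin check to separate genuine internal mail from spoofed senders. It assumes the rule matches the `From:` header, that the gateway records the connecting IP, and that `INTERNAL_NETS`, the verdict labels and the sample messages are constructed for illustration.

```python
import fnmatch
import ipaddress
from email import message_from_string
from email.utils import parseaddr

INTERNAL_PATTERN = "*@yourdomain.com"  # pattern used in the thread's sub-policy
# Assumption: networks your own mail servers and clients connect from (constructed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def header_addr(msg, name):
    """Return the bare, lower-cased address from a header, ignoring the display name."""
    return parseaddr(msg.get(name, ""))[1].lower()

def matches_subpolicy(msg):
    """The thread's rule: sender AND recipient both match *@yourdomain.com."""
    return (fnmatch.fnmatch(header_addr(msg, "From"), INTERNAL_PATTERN)
            and fnmatch.fnmatch(header_addr(msg, "To"), INTERNAL_PATTERN))

def is_internal_origin(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(connecting_ip, raw):
    """Hypothetical verdicts: which policy a message should get."""
    msg = message_from_string(raw)
    if not matches_subpolicy(msg):
        return "master-policy"            # normal content and spam scanning
    if is_internal_origin(connecting_ip):
        return "internal-subpolicy"       # genuine internal mail, relaxed rules
    return "spoofed-internal-sender"      # claims internal sender, arrived from outside

# Constructed samples: (connecting IP seen by the gateway, raw message)
SAMPLES = [
    ("10.1.2.3", "From: Alice <alice@yourdomain.com>\n"
                 "To: <bob@yourdomain.com>\nSubject: Q3 figures\n\nhi"),
    ("203.0.113.50", "From: Rolex.com <bob@yourdomain.com>\n"
                     "To: <bob@yourdomain.com>\nSubject: Rolex For You Now\n\nbuy"),
    ("198.51.100.7", "From: <partner@example.org>\n"
                     "To: <bob@yourdomain.com>\nSubject: Invoice\n\nsee attached"),
]

def triage(samples=SAMPLES):
    return [classify(ip, raw) for ip, raw in samples]

if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLES, triage()):
        print(ip, verdict)
```

The second sample has the same shape as the header quoted in the post: the address rule alone would give it the relaxed sub-policy, while the origin check sends it back to full scanning.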
McAfee Employee tlange
Message 7 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

I would suggest to get McAfee Security for Exchange 7.6 installed. With MSME 76 we introduce McAfee Global Threat Intelligence message reputation (formerly Trusted Source). This technology should help to detect spam emails that are being spoofed. For more info on the technology see http://www.mcafee.com/us/mcafee-labs/technology/gti-reputation-technologies.aspx

nwfban
Level 7
Message 8 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Hi tlange

I upgraded to MSME yesterday. Just trying to find a "Best Practices" document like there was for GroupShield.

I'm just looking into how to configure the reputation.

McAfee Employee tlange
Message 9 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

It is located under Settings & Diagnostics \ Anti-Spam.

I would suggest to select to perform the reputation after spam scanning so performance will be less impacted.

As for the reputation level, that will be something you will need to possibly tweak based on the scores that are being set. The default is 80.

nwfban
Level 7
Message 10 of 20

Re: Whitelisting domains in GroupShield 7.0.1 & Releasing email from Quarantine Manager

Excellent - that's now set.

Just a quick one, I know you didn't provide the original reply but Aidan mentioned:

"Also in GSE 7x it's difficult to determine which words caused the trigger - this is changed in next release MSME 7.6 - coming soon - this has entry column in detected items for "Banned Phrase" so you can tell what triggered the quarantine action."

I can't see the column for the phrase - was that not introduced? It still is difficult to see what triggers the email being blocked for content-filtering!

Thanks for the help.
