Difference NAI VirusScan + NAI NetShield
#1 |
|
Guest
Posts: n/a
|
Hi,
Could someone explain me the difference between NAI VirusScan and NAI NetShield? Because both programs are for fileserver and I don't know which I should use because I don't know the differences.

And 2nd question, if NAI GroupShield for Exchange is installed, do I need NAI WebShield too?

Thx
Neil
|
|
|
#2 |
|
Guest
Posts: n/a
|
Neil wrote:
> Hi,
>
> Could someone explain me the difference between NAI VirusScan and NAI
> NetShield? Because both programs are for fileserver and I don't know which I
> should use because I don't know the differences.
>
> And 2nd question, if NAI GroupShield for Exchange is installed, do I need
> NAI WebShield too?
>
> Thx
> Neil
>

- New VirusScan Enterprise 7.x replaces old NetShield 4.5 product.
- If you use GroupShield, you don't need WebShield SMTP for e-mail scanning

BR,

Janne
|
|
|
#3 |
|
Guest
Posts: n/a
|
To add to what Janne stated:
Enterprise VirusScan v7.x is for both workstation and server. Netshield was a server scanner and had Alert Manager built-in. On server platforms you need to install a separate version of Alert Manager to be the approx. equal of Netshield.

Netshield is also NOT Win2003 server certified while Enterprise VirusScan v7.x is.

Dave

"Janne Aro" <jarno.aro@welho.com> wrote in message news:c3ahjr$6ug$1@nyytiset.pp.htv.fi...
| - New VirusScan Enterprise 7.x replaces old NetShield 4.5 product.
| - If you use GroupShield, you don't need WebShield SMTP for e-mail scanning
|
| BR,
|
| Janne
|
|
|
#4 |
|
Guest
Posts: n/a
|
"Neil" <d_stricks@hotmail.com> wrote:
> Could someone explain me the difference between NAI VirusScan and NAI
> NetShield? Because both programs are for fileserver and I don't know which I
> should use because I don't know the differences.

The new 7.x versions of VirusScan are also for servers... so yes you can use this as opposed to the previous 4.5.x versions.

That applies to Windows OS... I believe there is no Netware 7.x, so 4.5.x is still the latest.

This will provide you with file system protection on the server, but will not provide you with a view into the message store (which is where GSE comes in).

> And 2nd question, if NAI GroupShield for Exchange is installed, do I need
> NAI WebShield too?

As you are asking specifically about McAfee, I will answer McAfee specific and try not to sound like an advert.

For anyone else... if you are not interested in McAfee / specific product "stuff"...stop reading.

My answer would be that yes, you do need both.

OK, why? And no, I don't work for McAfee... well, not any more... so I am reasonably unbiased.

Although GSE 6.0 on Exchange 2000 includes SMTP transport scanning (which works really nicely BTW...) and would cover bridgehead scenarios, the Exchange server is not the only device in the network which is capable of generating SMTP data to be sent out of the organisation;

There is no real way to force all SMTP connections via the Exchange MTA, especially with the new viruses with their own SMTP engines, so you should also be looking at how you can check the SMTP traffic leaving the other nodes in the company, besides the Exchange server.

Besides automated business processes which many generate SMTP mails both to internal and external addresses, we have all seen far too many viruses to know that in fact having something checking the SMTP traffic flying around and potentially out of the network regardless of source is not a bad way to work. If an unprotected machine is sending out @MM malware, then having something to block that before it even leaves the company is beneficial to you as a business because the harvested addresses from your client machines will never receive the (known) virus because it was blocked during distribution before it left your LAN.

The WebShield (Appliance) is a good way of doing this... It has a transparent bridge mode, so it is simple to place it into parts of the network and any SMTP traffic will be picked up, scanned / content scanned (spam checked) and logged/cleaned. The most common deployment model would be:

    Internet
    |
    FW
    |
    WS-Appliance
    |
    LAN Hub
    |-------------------------------------+
                                          MailServer (and everything else)

In this way because the WS box is physically in line and everything going into and out of the company is being scanned.

(These boxes can also do HTTP, FTP and POP3 (all still in transparent bridge mode), though this possibly requires more than one appliance depending on your throughput requirements and the appliance model you are looking at.)

In this way, you have a better control over the SMTP traffic.

Unless it's changed in the last few weeks, the software WebShield package does not support transparent bridging, so relies on having mail forwarded to it as a relay... that will not be checking mail from clients... you need to have inserted into the physical flow of SMTP traffic over the network to do this i.e.: The Appliance with transparent bridging.

Now, if you can guarantee that the Exchange box is the only one that *should* be generating and receiving SMTP traffic, and you don't want to scan HTTP, FTP or POP3 from clients then you can block all others from being able to send SMTP at the firewall / router and stick with the Exchange server AV only for SMTP.

It's surprising just how many people *don't* run firewalls, or don't wish to block SMTP from the clients.

As a side note, the other nice thing about GSE6 is with the (optional) Anti-spam module, spam gets nuked well away from the users.

I have set it up with the following limits:

Spam Score 10 or higher - Reject the SMTP connection
Spam Score 7 or higher - Public Spam Folder (aged to nuke after 2 weeks - restricted to Admin viewing only)
Spam Score 4 or higher - User Spam Folder (user gets to determine if they want the mail).

Here is a recent spam analysis that ended up in the Public Spam Folder - (Yes! It's the Nigerian Spam....)

(The Spam engine is based on SpamAssassin so the rules / scoring may look familiar)

    X-OriginalArrivalTime: 13 Mar 2004 18:53:02.0990 (UTC) FILETIME=[69B50AE0:01C4092C]
    X-NAI-Spam-Flag: YES
    X-NAI-Spam-Level: ********
    X-NAI-Spam-Score: 8.3
    X-NAI-Spam-Threshold: 4
    X-NAI-Spam-Report: 7 Rules triggered
     * 3.7 -- NIGERIAN_2 -- Contains two or more phrases common in 419 scam mails
     * 1.4 -- SUBJ_ALL_CAPS -- Subject is all capitals
     * 1.1 -- MSG_ID_ADDED_BY_MTA_2 -- 'Message-Id' was added by a relay (2)
     * 0.9 -- DEAR_FRIEND -- Contains 'dear friend'
     * 0.9 -- MILLION_USD -- Talks about millions of dollars
     * 0.4 -- LINES_OF_YELLING -- A WHOLE LINE OF YELLING DETECTED
     * -0.2 -- NIGERIAN_1 -- Contains one or more phrases common in 419 scam mails

Here is a recent spam that has ended up in my User Folder:

    X-NAI-Spam-Flag: YES
    X-NAI-Spam-Level: ****
    X-NAI-Spam-Score: 4.8
    X-NAI-Spam-Threshold: 4
    X-NAI-Spam-Report: 3 Rules triggered
     * 3 -- HTML_IMAGE_ONLY_04 -- HTML: images with 200-400 bytes of words
     * 1.8 -- HTML_MESSAGE -- HTML included in message
     * -0.1 -- USER_AGENT_MOZILLA_UA -- User-Agent header indicates a non-spam MUA (Mozilla)
    X-NAI-Spam-Checker-Version: NAI SpamAssassin 1.1 (core version 2.44 date 20031024 serial 1112)
    X-NAI-Spam-Route: User-Junk-Folder

I have also set up blacklists of addresses I have used as spam bait so whenever bulk mail comes in with any of those addresses in the header, the spam score rockets regardless of any other rules which may trigger or if there are also legitimate addresses in the (bulk spam mail) header and causes Exchange to reject the SMTP connection... You do have the choice of logging / quarantine. In my case, I just dump it.

Basically, if it contains spam bait (false email addresses as mailto: on my website actually) it's not a business mail I want.

This has dramatically decreased (we are talking rejecting 8 out of 10 mails) the amount of spam I am seeing as the Exchange server now rejects the mail altogether... No logging, no quarantine etc. This has also had a positive effect on my Exchange Store size.

Hope that helps / gives some background.

..\/.artin
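Added example (not part of the original posts and not McAfee's code): a small Python check that reads the X-NAI-Spam-* headers shown in the post above, applies the 10 / 7 / 4 score tiers described there, and verifies that the rule report agrees with the declared score. The header values are copied from the post; the header folding, the action names and the rounding tolerance are assumptions.

```python
import re
from email import message_from_string

# Thresholds from the post; the highest matching tier wins. Action names are hypothetical.
TIERS = [(10.0, "reject-smtp"), (7.0, "public-spam-folder"), (4.0, "user-spam-folder")]

# Constructed message: header values copied from the post, folding and body assumed.
SAMPLE = """\
X-NAI-Spam-Flag: YES
X-NAI-Spam-Score: 8.3
X-NAI-Spam-Threshold: 4
X-NAI-Spam-Report: 7 Rules triggered
 * 3.7 -- NIGERIAN_2 -- Contains two or more phrases common in 419 scam mails
 * 1.4 -- SUBJ_ALL_CAPS -- Subject is all capitals
 * 1.1 -- MSG_ID_ADDED_BY_MTA_2 -- 'Message-Id' was added by a relay (2)
 * 0.9 -- DEAR_FRIEND -- Contains 'dear friend'
 * 0.9 -- MILLION_USD -- Talks about millions of dollars
 * 0.4 -- LINES_OF_YELLING -- A WHOLE LINE OF YELLING DETECTED
 * -0.2 -- NIGERIAN_1 -- Contains one or more phrases common in 419 scam mails

(body omitted)
"""

RULE = re.compile(r"\*\s*(-?\d+(?:\.\d+)?)\s+--\s+(\w+)\s+--")

def route(score):
    """Map a spam score to the action configured in the post."""
    for limit, action in TIERS:
        if score >= limit:
            return action
    return "deliver"

def analyse(raw):
    """Parse the X-NAI-Spam-* headers and cross-check the report against the score."""
    msg = message_from_string(raw)
    score = float(msg["X-NAI-Spam-Score"])
    report = msg["X-NAI-Spam-Report"] or ""
    rules = [(float(s), name) for s, name in RULE.findall(report)]
    declared = int(report.split()[0]) if report.split() else 0
    # Per-rule values are shown to one decimal, so allow 0.05 drift per rule
    # (assumption about rounding; in the post the rule sums are 0.1 below the totals).
    consistent = (declared == len(rules)
                  and abs(sum(s for s, _ in rules) - score) <= 0.05 * len(rules) + 1e-9)
    return {"score": score, "action": route(score), "consistent": consistent,
            "top_rule": max(rules)[1] if rules else None}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A report whose rule count or rule sum does not match the declared score comes back with consistent set to False, which is a cheap sanity check when auditing what landed in each spam folder.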
|
|
|
#5 |
|
Guest
Posts: n/a
|
Well it is good to see that not everyone is a McAfee basher ! ;-)
Sometimes I do wonder why there are Symantec AV related News Groups but not McAfee [sigh].

Dave
|
|
|
#6 |
|
Guest
Posts: n/a
|
Janne Aro <jarno.aro@welho.com> wrote:
> - If you use GroupShield, you don't need WebShield SMTP for e-mail
> scanning

Groupshield requires running on an Exchange-Server, however. Putting a SMTP-Relay into the DMZ running Webshield SMTP is a very good first line of defence, especially since under real outbreak conditions, any virus scanner running ON the exchange server will have real problems due to the high load.

Seen it myself during the ILOVEYOU-outbreak - on-access-scanner on an Exchange-server took 10 minutes to note that there was an infected message in the inbox (by that time, there were tons more of them, of course...)

--
Juergen Nieveler / juergen.nieveler@web.de / PGP supported!
I know a good tagline when I steal one.
|
|
|
#7 |
|
Guest
Posts: n/a
|
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
> Sometimes I do wonder why there are Symantec AV related News Groups but not McAfee [sigh].

I don't know, but I do know there are some forums which probably have taken the place of a usenet group.

..\/.artin
|
|
|
#8 |
|
Guest
Posts: n/a
|
Thanks for all of your answers!
Neil
