GroupWise and Virus Protection
Novell Cool Solutions: Feature
Posted: 14 Nov 2001
Versions: GroupWise 5.5 and GroupWise 6
A constant worry for GroupWise admins is keeping their system free from viruses. As we see in this recent letter, people are always on the lookout for a program that will automatically provide a layer of protection against incoming mail containing viruses.
Mike L. wrote: I'm looking for an antivirus protection program that will scan incoming e-mail in GroupWise 6.0 before it is passed along to individual users. Do you have any recommendations for third-party products that do this?
Here are several things to consider when looking for a solution to this problem, and some recommendations of GroupWise partner products that are available. For more info, see TID #2954960.
- Virus Entry Points
- Workstation-based virus checking and its relationship to GroupWise
- Server-based virus checking and its relationship to GroupWise
- Virus protection on the POA
- Virus protection on the MTA
- Virus protection on the GWIA
- Virus protection for GroupWise WebAccess
A full virus-protection solution must include virus protection at all entry points. The most likely entry and propagation points in your network are the following (not in order of likelihood):
- Entry/propagation Point #1
Viruses from software or web-pages from the Internet
- Entry/propagation Point #2
Viruses brought in on removable media (disks, CDs and any other removable media)
- Entry/propagation Point #3
Viruses sent within a file that is attached to a message on a workstation with the GroupWise 32-Bit client in your GroupWise e-mail system
- Entry/propagation Point #4
Viruses sent from the Internet through E-mail
- Entry/propagation Point #5
Viruses sent by a GroupWise WebAccess client
Entry Points 1, 2 and 3 can only be effectively eradicated by a combination of desktop and server-based virus scanning. Here are several important things to consider when developing a virus scanning solution at the desktop and the workstation:
- A virus scanning solution at the desktop is essential, e-mail or no e-mail.
- If a user uses the GroupWise viewing technology to view a document, then a document-borne virus cannot infect the machine. The document would need to be opened into its native application. What's nice about the viewer technology is that GroupWise copies the file in its native format into the workstation's designated temp directory. When this is done, if a memory-resident virus scanning solution is running, it will detect the virus-infected document.
- Virus scanning software at the workstation can consume a lot of resources. Virus scanners interact with the operating system so that they can scan every file that is read from, or written to, disk. Virus scanning software even catches information that passes through memory. That's a lot of scanning! If an end-user's machine is low on memory, it may use the hard drive to create virtual memory. The virus scanning utility will really bog down machines that have to do a lot of swapping to disk for memory. The advice, then, is to do your best to see that users are equipped with hardware that has sufficient memory and speed to run a workstation virus solution.
- Virus scanning software at the server is a good measure. However, virus scanning at the server cannot replace the function of virus scanning at the desktop.
- Server-based virus scanning solutions SHOULD NOT scan the GroupWise post offices and GroupWise domains. Why? The GroupWise message store is encrypted. Encryption renders virus scanning solutions useless. In fact, some virus protection software is so limited that when a file is zipped using the popular ZIP file format, the software cannot detect the virus. When you point your server-based virus scanning solution at GroupWise, you cause needless processor overhead because the virus scanning software is scanning files that it can't possibly detect viruses in.
- Perhaps you are concerned that a user might place a file into the GroupWise input queues in an effort to sabotage the E-mail system. Even if someone were to place a file in one of the GroupWise queues in an effort to somehow route the virus into the E-mail system, the GroupWise agents would just throw the file away. The agent would throw it away because it would see that the file was not in the correct format, virus or no virus.
- Another good reason to keep virus scanning software away from the GroupWise message store is that it sometimes gums things up needlessly. Virus scanning software seems to have difficulty with the speed at which files move from one GroupWise queue into the next. For example, it will exert a lock on a file but never release the lock. Do yourself a favor: use Client/Server connections to the GroupWise message store, and steer your server-based virus-scanning solution away from your GroupWise system's directories and files.
There currently is no virus protection solution for the GroupWise POA. So if you do not have virus protection at users' desktops, they can propagate viruses through e-mail to other users in the GroupWise system.
There is a third-party virus protection solution for the GroupWise MTA called GWAVA (GroupWise Anti-Virus Agent). The GWAVA product is available at:
GWAVA is an NLM-based virus protection solution that works in conjunction with the GroupWise MTA. With MTA virus protection, if users attempt to send a message outside of their post office, this virus protection solution will help. Virus protection on the MTA is particularly important for those customers that have enabled MTA links to external GroupWise systems, or have enabled Internet Addressing and direct IDOMAIN to IDOMAIN communication via MTAs. The most likely use of the GWAVA agent is in conjunction with the MTA that is servicing the domain that your GroupWise Internet Agent is on.
Typically the biggest threat to your computing systems is Internet-propagated E-mail viruses. The best place to stop these viruses is at the entry point from the Internet. The GroupWise Internet Agent is the entry portal for Internet E-mail into the GroupWise system.
There are three common approaches to providing an E-mail virus scanning solution. They are:
- SMTP mail hosting with a virus scanner
- Virus-based protection at the MTA for the GWIA's domain
- GWIA third-party queue integration
TID #10007320 explains how to configure your GWIA for the first two solutions.
Let's explain these three approaches with some detail.
Mail hosting means that the GWIA is not sending or receiving SMTP mail with Internet SMTP hosts. Another SMTP device, the "host," is hosting the mail for the GWIA. The host receives E-mail off of the Internet. In the case of virus scanning mail hosts, the host scans the messages for viruses and then forwards them back to the GWIA via the SMTP protocol. The GWIA can be configured to relay its outgoing E-mail to the mail host. The mail host then scans outgoing mail for viruses on its way out onto the Internet. Virus scanning hosts can either be maintained at your site, or you may choose to have your virus protection hosted by an ASP such as Allegro. The following is the Allegro web-site: http://www.allegro.net/
With the GWAVA product mentioned earlier in this document, messages that are sent into GWIA's domain are taken by the GWAVA agent, and submitted to a server-based virus protection solution. After the messages have been scanned for viruses, GWAVA allows the messages to process through.
When the GWIA receives outgoing messages from the MTA, it converts the message to ASCII format. The GWIA typically spools these files up to its internal SMTP Daemon. The GWIA can be configured so that it spools these files into a different "third-party" directory. The third-party software will then scan the files in the third-party queue for viruses. The third-party software must then move the files to an input directory for the GWIA.
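The third-party queue flow described above, as an added example (not from the original article or from any GroupWise product). It assumes each queued file is an RFC 822/MIME message; the directory arguments, function names and `TEST_SIGNATURE` are hypothetical stand-ins for real paths and a real antivirus engine. It decodes MIME parts and looks inside ZIP archives before matching, because a match on the raw ASCII file would miss base64-encoded attachments.

```python
import email
import io
import shutil
import zipfile
from email import policy
from pathlib import Path

# Constructed stand-in for a scanner signature; a real deployment calls an AV engine.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def payload_is_infected(data: bytes, depth: int = 0) -> bool:
    """Match the signature on decoded bytes, descending into ZIP archives."""
    if TEST_SIGNATURE in data:
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= 2:
            return True  # nesting too deep to inspect: fail closed
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(payload_is_infected(zf.read(name), depth + 1)
                           for name in zf.namelist())
        except Exception:
            return True  # corrupt or encrypted archive: fail closed
    return False

def message_is_infected(raw: bytes) -> bool:
    """Decode every MIME leaf part (base64, quoted-printable) before scanning."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(payload_is_infected(part.get_payload(decode=True) or b"")
               for part in msg.walk() if not part.is_multipart())

def process_queue(third_party_dir, gwia_input_dir, quarantine_dir):
    """Move clean files to the GWIA input directory, the rest to quarantine."""
    results = {}
    for path in sorted(Path(third_party_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            infected = message_is_infected(path.read_bytes())
        except OSError:
            continue  # file still being written or locked: retry on next pass
        dest = Path(quarantine_dir if infected else gwia_input_dir) / path.name
        shutil.move(str(path), str(dest))
        results[path.name] = "quarantined" if infected else "delivered"
    return results
```

Keep the queue, input and quarantine directories on the same volume so that `shutil.move` is a rename and the GWIA never sees a half-copied file.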
Many third-party solutions are written in such a manner that they work for many E-mail systems as a virus scanning solution. The October 1999 AppNotes has an article that lists some of the third-party virus scanning solutions. See the following URL for more information:
There are two third-party products that are specifically designed for the GWIA's third-party integration queues. The first product is called Guinevere, often mentioned here in Cool Solutions. The following is the Guinevere web-site: http://www.gwava.com/
Guinevere ingeniously leverages desktop virus scanning software to scan GroupWise messages. With the GWIA's configurable third-party queue, Guinevere scans the GroupWise messages and then moves them to the input queue for the GWIA. Guinevere does require a Windows 2000, Windows NT, or Windows 95/98 computer.
Another product similar to Guinevere is called GroupWise Footnote. The following is the GroupWise Footnote web-site:
GroupWise WebAccess changes the face of virus protection at your site. With GroupWise WebAccess the biggest concern is that users at home or on other computers (outside the control of your network) may be able to send virus-laden attachments into your network. Fortunately, the GroupWise 5.5 EP and GroupWise 6 WebAccess web-server servlets place attachments in their native format in a directory off of the file server where the web-server is running. The attachment files are placed there for a short period of time. A server-based virus protection solution should be scanning that temporary directory continuously in order to detect viruses. The default location for this directory on a NetWare server is: SYS:NOVELL\WEBACCESS\TEMP.
A Novell customer has done testing with server-based virus solutions and WebAccess. They found that the server-based virus solution they already had implemented did not catch viruses in the ...\TEMP directory when they attached a virus-laden document. The customer's server-based virus detection solution seemed to rely on files being placed on a server via a NetWare client. In the case of WebAccess and a web-server, a file does not pass through a client; it is simply placed in the SYS:NOVELL\WEBACCESS\TEMP directory by the web-server process running on the server. The customer then tested with Computer Associates' InoculateIT for NetWare. InoculateIT for NetWare did detect viruses sent via the GroupWise WebAccess client. The following is the Computer Associates web-site:
If you want to check GroupWise mails for viruses before they get to users, you can use the software MTASieve and a normal virus scanner for NetWare.
This software has been running on my system for a few months and works fine. Some virus mails came in and were scanned and cleaned or rejected by the server directly.
For further questions you can ask me at P.Johnson@Schwartz.de
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com