Table 4-27 Option definitions — Enable anti‑virus scanning for "policy name"
Option Definition
Enable anti‑virus scanning
When selected, enables anti‑virus scanning of email messages.
Overview of Email menu
Email Policies
4
Table 4-28 Option definitions — Specify which files to scan
Option Definition
Specify which files to scan
• Scan all files — Offers the highest security. However, scanning takes longer and might affect performance.
Some operating systems such as Microsoft Windows use the extension name of a file to identify its type. For example, files with the extension .exe are programs.
However, if an infected file is renamed with a harmless extension such as .txt, it can escape detection. The operating system cannot run the file as a program unless it is renamed later. This option ensures that every file is scanned.
• Default file types — The scanner examines only the default file types — in other words, it concentrates its efforts on scanning those files that are susceptible to viruses.
For example, many popular text and graphic formats are not affected by viruses.
Currently the scanner examines over 100 types by default, which includes .exe and .com file types.
• Defined file types — Scans only the types in the list.
Using this option, you can specify the types of files that you want scanned.
Scan archive files (ZIP, ARJ, RAR ...)
By default, the scanner does not scan inside file archives such as .zip or .lzh files because any virus‑infected file inside them cannot become active until it has been extracted.
When selected, Email Gateway scans these types of files.
However, scanning takes longer and might affect performance. As the contents of these files are harmful only when files inside are extracted, they can be scanned by the on‑access scanners on individual computers in your network.
Find unknown file viruses
An anti‑virus scanner typically detects viruses by looking for the virus signature, which is a binary pattern that is found in a virus‑infected file. However, this approach cannot detect a new virus because its signature is not yet known, so the scanner uses another technique: heuristic analysis. Program file heuristics scans program files and identifies potential new file viruses. Macro heuristics scans for macros in the attachments (such as those used by Microsoft Word, Microsoft Excel, and Microsoft Office) and identifies potential new macro viruses.
When selected, does extra analysis to find any virus‑like behavior.
Find unknown macro viruses to Remove all macros from document files
When selected, takes action against macros in documents. Macros inside documents are a popular target for virus writers.
Enable McAfee Global Threat Intelligence file reputation with Sensitivity level
Enables McAfee Global Threat Intelligence file reputation on your appliance.
McAfee Global Threat Intelligence file reputation complements the DAT‑based signatures by providing the appliances access to millions of cloud‑based signatures.
This reduces the delay between McAfee detecting a new malware threat and its inclusion in DAT files, providing broader coverage.
The sensitivity levels enable you to balance the risk of missing potentially harmful content (low settings) with the risk of false positive detections (high settings).
For gateway appliances, the recommended sensitivity level is Medium.
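The "Scan all files" and "Scan archive files" options above both turn on the gap between a file's name and its content. The following added example (not McAfee Email Gateway code) identifies attachments by their leading bytes and optionally looks inside ZIP archives; the function names, the short signature table and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading bytes of a few formats (illustrative, not a complete list).
MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable",
         b"PK\x03\x04": "zip-archive"}
HARMLESS_EXT = {".txt", ".jpg", ".png", ".csv"}  # assumed harmless-looking names
MAX_DEPTH = 2  # bound recursion into nested archives

def inspect(name, data, scan_archives, depth=0):
    """Yield (path, finding) where content contradicts the extension."""
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    ext = PurePosixPath(name).suffix.lower()
    if kind and kind.endswith("executable") and ext in HARMLESS_EXT:
        yield name, f"{kind} content behind {ext} extension"
    if kind != "zip-archive" or not scan_archives:
        return
    if depth >= MAX_DEPTH:
        yield name, "archive nesting limit reached"
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from inspect(f"{name}/{info.filename}", zf.read(info),
                                       scan_archives, depth + 1)
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        yield name, "archive could not be opened for scanning"

def scan_message(msg, scan_archives=False):
    """Inspect each attachment; scan_archives stands in for the archive option."""
    findings = []
    for part in msg.iter_attachments():
        findings += inspect(part.get_filename() or "unnamed",
                            part.get_payload(decode=True) or b"", scan_archives)
    return findings

def build_sample():
    """Constructed message: a renamed program header, loose and inside a ZIP."""
    stub = b"MZ" + b"\x00" * 62  # header bytes only, not a working program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", stub)
    msg = EmailMessage()
    msg.set_content("constructed sample")
    for fname, body in (("readme.txt", stub), ("docs.zip", buf.getvalue())):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=fname)
    return msg
```

Calling scan_message(build_sample()) reports only the loose readme.txt; with scan_archives=True the copy inside docs.zip is reported as well.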
Table 4-29 Option definitions — Actions
Option Definition
Attempt to clean
When selected, the infection inside the item is removed, if possible. When deselected, the entire item is removed.
If cleaning succeeds
Specify the secondary actions to take if the appliance successfully cleans the infection.
Original email options
• Quarantine — Select to have the message added to the Quarantine database.
If you are using off‑box quarantine, you can also select the quarantine queue into which the email message is placed. This includes custom quarantine queues that you have created.
• Annotate and deliver original to x lists — Deliver the original email message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
Notification email options
• Deliver to the sender of the original email — Send a notification email message to the sender of the original email message.
• Deliver to the recipient(s) of the original email — Send a notification email message to the recipients of the original email message.
• Deliver a notification to x lists — Send a notification email message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
Modified email options
• Quarantine — Select to have the message added to the Quarantine database.
If you are using off‑box quarantine, you can also select the quarantine queue into which the email message is placed. This includes custom quarantine queues that you have created.
• Forward modified to x lists — Send the modified email message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
• Annotate and deliver modified to x lists — Deliver the modified email message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
• Deliver to the sender of the original email — Send the modified email message back to the original sender.
Other actions
• Modify subject — McAfee Email Gateway re‑writes the subject of the email message using user‑definable templates, and then delivers the message to the intended recipients.
• Modify headers — McAfee Email Gateway modifies the email message headers using user‑definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
Notification and annotated email options
When clicked, opens another window where you can specify who the appliance will notify when a threat is detected.
If cleaning fails
Specify the secondary actions to take if the appliance cannot clean the infection.
• Deny connection (Block)
• Replace detected item with an alert (Modify)
• Refuse the data and return an error code (Block)
• Allow Through (Monitor)
• Accept and then drop the data (Block)
Table 4-29 Option definitions — Actions (continued)
Option Definition
And also
Specify the secondary actions to take.
Original email options
• Quarantine — Select to have the message added to the Quarantine database.
If you are using off‑box quarantine, you can also select the quarantine queue into which the email message is placed. This includes custom quarantine queues that you have created.
• Annotate and deliver original to x lists — Deliver the original email message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
Notification email options
• Deliver to the sender of the original email — Send a notification email message to the sender of the original email message.
• Deliver to the recipient(s) of the original email — Send a notification email message to the recipients of the original email message.
• Deliver a notification to x lists — Send a notification email message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
Modified email options
• Quarantine — Select to have the message added to the Quarantine database.
If you are using off‑box quarantine, you can also select the quarantine queue into which the email message is placed. This includes custom quarantine queues that you have created.
• Forward modified to x lists — Send the modified email message to the selected distribution lists. Click Edit to select the lists, or to create a distribution list.
• Annotate and deliver modified to x lists — Deliver the modified email message to the selected distribution lists, with annotations added. Click Edit to select the lists, or to create a distribution list.
• Deliver to the sender of the original email — Send the modified email message back to the original sender.
Other actions
• Modify subject — McAfee Email Gateway re‑writes the subject of the email message using user‑definable templates, and then delivers the message to the intended recipients.
• Modify headers — McAfee Email Gateway modifies the email message headers using user‑definable templates, and then delivers the message to the intended recipients. You can select multiple header modification templates.
If a file is zero bytes after cleaning
Provides an action against a file that is now empty. Zero‑byte files cannot carry threats, but you might prefer to remove the files if they confuse users.
The available options are:
• Keep zero byte file
• Remove zero byte file
• Treat as a failure to clean
Table 4-30 Option definitions — Obfuscated content
Option Definition
Make deobfuscated content available to other scanners
When selected, provides extra protection against unwanted content. The techniques that detect hidden viruses and malware are made available to content scanning.
Table 4-31 Option definitions — Additional anti‑virus engine
Option Definition
Enable Commtouch Command anti‑virus
When selected, enables the Commtouch® Command anti‑virus engine within your policies.
Scanning optimization
Select how the Commtouch® Command anti‑virus engine is used:
• Perform optimized scanning — Objects are not passed to the Commtouch® Command anti‑virus engine if the McAfee® anti‑virus engine makes a detection that is then either replaced with an alert message, or that causes the email message to be dropped.
Depending on the actions configured for the McAfee anti‑virus engine, the additional anti‑virus engine might not be used to scan an email message.
• Perform exhaustive scanning — Objects are always passed to the Commtouch® Command anti‑virus engine after the McAfee® engine completes its scan.
Exhaustive scanning might result in your McAfee Email Gateway reporting multiple detections for a single email message.