
Best Practices Guide

McAfee Security for Microsoft Exchange

Software version 7.6


McAfee Security for Microsoft Exchange Best Practices Guide

COPYRIGHT

Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface ... 5
  About this guide ... 5
  Audience ... 5
  Conventions ... 5
  Finding product documentation ... 6
  Contact Information ... 6

1 Introduction ... 9
  How does it work ... 9
  Where does MSME fit in an organization ... 10
  How emails are scanned ... 10
    On Exchange Server 2003 ... 10
    On Exchange Server 2007/2010 ... 12
  Product features ... 14
    What is new in this release ... 14

2 Installation ... 17
  Supported environments ... 17
  Pre-installation checklist ... 17
  Installation scenarios ... 18
    Manually install MSME or Anti-spam add-on ... 18
    Silent installation ... 18
    Install MSME on Exchange Server 2007 Single Copy Cluster (SCC) ... 19
    Install MSME on Exchange Server 2010 Database Availability Group (DAG) ... 19
    Deploy MSME using McAfee ePolicy Orchestrator ... 19
  Upgrade scenarios ... 19
  Post-installation tasks ... 19

3 Product configurations ... 21
  Product Health Alerts ... 21
  Policy settings ... 22
    Create policies ... 22
  Scanner settings ... 22
    Background scanning ... 22
    Content scanning ... 22
    On-demand scanning ... 22
    Proactive scanning ... 23
    Mail size filtering ... 23
    McAfee Global Threat Intelligence (GTI) file reputation ... 23
  Exclusion settings ... 23
  Using Regular Expressions ... 24
  Default vs. Enhanced configuration settings ... 24
  McAfee Anti-Spam add-on component ... 24
  Quarantine management ... 25
  Manage using ePolicy Orchestrator ... 25

4 Troubleshooting ... 27
  Resolve ActiveSync issues ... 27
    Workaround 1 ... 27
    Workaround 2 ... 27
  Determine latency issues ... 28
    Microsoft Exchange Performance Counters ... 28
    Standard MSME Performance Counters ... 29
    Advanced MSME Performance Counters ... 29
  Important registry keys ... 30
  Error codes ... 31
  Related KnowledgeBase articles ... 35


Preface

This guide provides the information you need to know as a best practice when you install, configure, use, and maintain your McAfee Security for Microsoft Exchange (MSME) software, version 7.6.

For more information on how to install, upgrade, or manage the product using McAfee ePolicy Orchestrator, see the McAfee Security for Microsoft Exchange 7.6.0 Software – Installation Guide.

For more information on how to configure, use, and maintain the product, see the McAfee Security for Microsoft Exchange 7.6.0 Software – Product Guide.

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

Administrators — People who implement and enforce the company's security program.

Users — People who are responsible for configuring the product options on their systems, or for updating their systems.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, Path, or Code: Commands and other text that the user types; the path of a folder or program; a code sample.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:

To access user documentation:
  1 Click Product Documentation.
  2 Select a Product, then select a Version.
  3 Select a product document.

To access the KnowledgeBase:
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.

Contact Information

SECURITY HEADQUARTERS: McAfee Labs (Anti-Virus & Vulnerability Emergency Response Team)
  Home Page: http://www.mcafeesecurity.com/us/security/home.asp
  Virus Information Library: http://vil.mcafeesecurity.com/
  AVERT WebImmune & Submit a Virus Sample (Logon credentials required): https://www.webimmune.net/default.asp
  AVERT DAT Notification Service

DOWNLOAD SITE
  Home Page: http://www.mcafeesecurity.com/us/downloads/
  Anti-Virus DAT File and Engine Updates: http://www.mcafeesecurity.com/us/downloads/updates/ and ftp://ftp.mcafee.com/pub/antivirus/datfiles/4.x
  Anti-Spam Rules File and Engine Updates: ftp://ftp.mcafee.com/spamdefs/1.x/
  Product Upgrades: https://secure.nai.com/us/forms/downloads/upgrades/login.asp (valid grant number required; contact Customer Service)
  HotFix and Patch Releases:
    - For Security Vulnerabilities (available to the public): http://www.mcafeesecurity.com/us/downloads/updates/hotfixes.asp
    - For Products (ServicePortal account and McAfee Technical Support grant number required): https://mysupport.mcafee.com/products/products.asp
  Product End-of-Life Support: http://www.mcafeesecurity.com/us/products/mcafee/end_of_life.htm

SOFTWARE AND HARDWARE TECHNICAL SUPPORT
  Home Page: http://www.mcafeesecurity.com/us/support/technical_support
  KnowledgeBase Search: http://knowledgemap.nai.com/
  McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafeesecurity.com
  McAfee Security Alerting Service (MSAS)

CUSTOMER SERVICE
  US, Canada, and Latin America toll-free:
  Phone: +1-888-VIRUS NO or +1-888-847-8766, Monday-Friday, 8am-8pm, Central Time
  E-mail: https://secure.nai.com/us/forms/support/request_form.asp
  Web: http://www.mcafeesecurity.com/us/support/default.asp

MCAFEE BETA PROGRAM
  Download Site: http://www.mcafeesecurity.com/us/downloads/beta/mcafeebetahome.htm
  E-mail to Submit Beta Feedback: [email protected]

TRAINING: MCAFEE UNIVERSITY
  http://www.mcafeesecurity.com/us/services/education/mcafee/university.htm

WORLDWIDE OFFICES
  For addresses and phone numbers of worldwide offices:

1 Introduction

McAfee Security for Microsoft Exchange (MSME) protects your Microsoft Exchange server from various threats that could adversely affect the computers, network, or employees. MSME uses advanced heuristics against viruses, unwanted content, potentially unwanted programs, and banned file types or messages. It also scans:

• Subject line and body of the email messages
• Email attachments (based on file type, file name, and file size)
• Text within the email attachments

The software also includes the McAfee Anti-Spam add-on component that protects your Exchange server from spam and phishing emails.

Contents
  How does it work
  Where does MSME fit in an organization
  How emails are scanned
  Product features

How does it work

McAfee Security for Microsoft Exchange (MSME) integrates with Microsoft Exchange Server 2003/2007/2010 to scan email messages for detections.

Each time an email message is sent or received, MSME scans it against a list of known viruses and for suspected virus-like behavior. MSME can also scan the content of the email message using rules and policies defined within the software. When MSME receives an email, it scans in the following order:

1 Corrupt or encrypted content
2 File filter
3 Content scanning
4 Anti-virus

Even though emails are scanned in this order, an item that is first detected by the file filtering scanner is still scanned for anti-virus before it is quarantined.


Where does MSME fit in an organization

The following illustration provides an overview of exactly where to deploy MSME in your organization and the types of roles that you can configure.

How emails are scanned

MSME scans an email differently based on whether it is an inbound, outbound, or internal email, and on the Exchange server version.

On Exchange Server 2003

Learn how emails are scanned using MSME on Microsoft Exchange Server 2003.

Scanning Inbound emails on Exchange Server 2003

This section provides step-by-step information on what happens to an email that reaches your organization and how MSME scans it to determine whether the email is clean or infected.

1 The email reaches the Exchange SMTP stack on port 25, which is hosted by inetinfo.exe (IIS).
2 The OnInboundCommand event is raised.
3 The MSME protocol event sink is called and scans the email for spam, phish, or mail size.
4 If there is a detection, the email is dropped; otherwise it is returned to the SMTP stack.
5 If the email is clean, it is processed by the PostCat sink.
6 MSME receives the same stream and scans for file filter, content, and anti-virus.
7 If there is a detection, the configured action is taken; otherwise the email is sent to the Exchange store.
8 When the Exchange store receives the email, and before saving it to its database, it calls the anti-virus vendor through VSAPI to scan the email.
9 If there is a detection, the email is either replaced with a notification or deleted, as per the product configuration.

Scanning Outbound emails on Exchange Server 2003

This section provides step-by-step information on what happens to an email that leaves the organization and how MSME scans it to determine whether the email is clean or infected.

1 The end user sends an email to an external user, using the email client.
2 When the Exchange store receives the email, it scans it in the Outbox folder using VSAPI.
3 If there is a detection, the email is replaced or deleted as per the product configuration; if replaced, it is submitted to the Transport queue.
4 The SMTP stack hosted by inetinfo.exe receives the email. (Outbound mail is not scanned for spam.)
5 The MSME transport sink (PostCat) is called and scans the mail for file filtering, content scanning, then anti-virus scanning, and also adds the disclaimer.
6 If there is a detection, the email is either dropped or replaced and returned to the SMTP stack accordingly.
7 If the email is clean, it is returned to the SMTP stack for further routing.

Scanning Internal emails on Exchange Server 2003

This section provides step-by-step information on what happens to an email that is sent within the organization and how MSME scans it to determine whether the email is clean or infected.

1 The end user sends an email to an internal user, using the email client.
2 When the Exchange store receives the email, it scans it in the Outbox folder using VSAPI.
3 If there is a detection, the email is replaced or deleted as per the product configuration; if replaced, it is submitted to the Transport queue.
4 The SMTP stack hosted by inetinfo.exe receives the email. Because the message is submitted internally rather than arriving over the SMTP port from outside, the anti-spam component is not triggered.
5 The MSME transport sink (PostCat) is called and scans the mail for file filtering, content scanning, then anti-virus scanning.
6 If there is a detection, the email is either dropped or replaced and returned to the SMTP stack accordingly.
8 The Exchange Mailbox server receives the email.
9 The Exchange store sends the email to MSME for VSAPI scanning.
10 The VSAPI scanner scans the email for anti-virus, file filtering, and content scanning, and takes the configured action on detection.

On Exchange Server 2007/2010

Learn how emails are scanned using MSME on Microsoft Exchange Server 2007/2010.

Scanning Inbound emails on Exchange Server 2007/2010

This section provides step-by-step information on what happens to an email that reaches your organization and how MSME scans it to determine whether the email is clean or infected.

1 The SMTP stack hosted by EdgeTransport.exe on the Edge role receives the email.
2 The MSME Transport Agent (McAfeeTxAgent) scans the email for spam, phish, or mail size.
3 If there is a detection, the email is dropped; otherwise it is returned to the SMTP stack.
4 If the email is clean, McAfeeTxRoutingAgent processes it.
5 MSME receives the same stream and scans for file filtering, content scanning, and anti-virus scanning.
6 If there is a detection, the configured action is taken.
7 MSME stamps the email with an AV stamp, as per Microsoft specifications.
8 The email is now sent to the Exchange Hub server role.
9 The SMTP stack hosted by EdgeTransport.exe on the Hub server role receives the email.
10 The MSME Transport Agent (McAfeeTxAgent) scans the email for spam, phish, or mail size. The exception is an EdgeSync session between the Edge and Hub servers: that session is authenticated, so anti-spam scanning is skipped; the originator check is used to establish that the session is authenticated.
11 If there is a detection, the email is dropped; otherwise it is returned to the SMTP stack.
12 If the email is clean, McAfeeTxRoutingAgent processes it and checks for an AV stamp (if any).
13 If an AV stamp is present, MSME compares it with the stamp it would form from the engine/DAT on the Hub server role.
14 If the stamp is different, MSME receives the same stream and scans for file filtering, content scanning, and anti-virus scanning.
15 (On Transport, MSME itself looks for the AV stamp; with VSAPI, the Exchange store does this, and MSME does not receive a scan call if the AV stamp matches.)
16 If there is a detection, the configured action is taken.
17 MSME stamps the email with an AV stamp, as per Microsoft specifications.
18 The email is routed to the Exchange Mailbox server role.
20 If the AV stamp matches, the store saves the item without scanning.
21 If the AV stamp does not match, the Exchange store calls the anti-virus vendor through VSAPI and scans the email.
22 If there is a detection, the email is replaced or deleted as per the product configuration.

Scanning Outbound emails on Exchange Server 2007/2010

This section provides step-by-step information on what happens to an email that leaves the organization and how MSME scans it to determine whether the email is clean or infected.

1 The end user sends an email to an external user, using the email client.
2 The Exchange store receives the email and scans it in the Outbox folder using VSAPI.
3 If there is a detection, the email is replaced or deleted as per the product configuration; if replaced, it is submitted to the Transport queue.
4 The SMTP stack hosted by EdgeTransport.exe on the Hub server role receives the email.
5 The MSME Transport Agent (McAfeeTxRoutingAgent) scans the email for file filtering, content scanning, then anti-virus scanning, and also adds the disclaimer.
6 If there is a detection, the email is dropped or replaced and returned to the SMTP stack accordingly.
7 If the email is clean, it is returned to the SMTP stack for further routing.
8 If the email is routed from this Hub server to the Edge server role, then:
  a The SMTP stack hosted by EdgeTransport.exe on the Edge server role receives the email.
  b The MSME Transport Agent (McAfeeTxRoutingAgent) checks for an AV stamp (if any).
  c If an AV stamp is present, MSME compares it with the stamp it would form from the engine/DAT on the Edge server role.
  d If the stamp is different, MSME receives the same stream and scans for file filtering, content scanning, then anti-virus scanning.
  e If there is a detection, the configured action is taken.
  f MSME stamps the email with an AV stamp, as per Microsoft specifications, on the Edge server role.
9 The email is returned to the SMTP stack hosted by EdgeTransport.exe on the Edge server role for further routing.

Scanning Internal emails on Exchange Server 2007/2010

This section provides step-by-step information on what happens to an email that is sent within the organization and how MSME scans it to determine whether the email is clean or infected.

1 The end user sends an email to an internal user, using the email client.
2 The Exchange store receives the email and scans it in the Outbox folder using VSAPI.
3 If there is a detection, the email is replaced or deleted as per the product configuration; if replaced, it is submitted to the Transport queue.
4 The SMTP stack hosted by EdgeTransport.exe on the Hub server role receives the email.
5 The MSME Transport Agent (McAfeeTxRoutingAgent) scans the email for file filtering, content scanning, then anti-virus scanning.
6 If there is a detection, the email is dropped or replaced and returned to the SMTP stack accordingly.
7 MSME stamps the email with an AV stamp, as per Microsoft specifications, on the Hub server role.
8 If the email is clean, it is returned to the SMTP stack for further routing.
9 The Exchange Mailbox server receives the email.
10 The Exchange store checks for the AV stamp. If it matches, the email is not sent to MSME for VSAPI scanning; otherwise the email is scanned for anti-virus, file filtering, and content scanning by VSAPI.
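The AV-stamp decision that each hop makes in the flows above (inbound steps 12 to 14 and 20 to 21, internal steps 7 and 10) can be written out as a small PowerShell model. This is an added example, not McAfee's code and not taken from the guide: the header name X-MSME-AVStamp, the stamp layout vendor;engine;DAT and the engine/DAT numbers are assumptions chosen for illustration, because the real stamp follows Microsoft's specification and is not documented on this page.

```powershell
# Added example, not McAfee's code: models the per-hop AV-stamp decision in the
# Exchange 2007/2010 transport flows above. The header name and the stamp layout
# (vendor;engine;DAT) are assumptions for illustration only.

function New-AvStamp {
    param([string]$Vendor, [string]$Engine, [string]$Dat)
    # A role "forms" its stamp from the engine/DAT it is currently running.
    return ('{0};{1};{2}' -f $Vendor, $Engine, $Dat)
}

function Invoke-AvStampHop {
    param(
        [hashtable]$Message,    # Message.Headers is a hashtable: header name -> value
        [string]$Role,          # Edge, Hub or Mailbox
        [string]$LocalStamp     # the stamp this role would form (see New-AvStamp)
    )
    $headerName = 'X-MSME-AVStamp'          # assumed header name
    $existing   = $Message.Headers[$headerName]

    if ($existing -and ($existing -ceq $LocalStamp)) {
        # The same engine/DAT already scanned it: route or save without scanning.
        return [pscustomobject]@{ Role = $Role; Scanned = $false; Reason = 'stamp matches' }
    }

    # No stamp, or a stamp formed with a different engine/DAT: scan and re-stamp.
    $reason = if ($existing) { "stamp differs ($existing)" } else { 'no stamp' }
    $Message.Headers[$headerName] = $LocalStamp
    return [pscustomobject]@{ Role = $Role; Scanned = $true; Reason = $reason }
}

function Trace-AvStampPath {
    param([hashtable]$Message, [hashtable[]]$Hops)   # each hop: @{ Role = ...; Stamp = ... }
    foreach ($hop in $Hops) {
        Invoke-AvStampHop -Message $Message -Role $hop.Role -LocalStamp $hop.Stamp
    }
}

# Constructed sample: Edge and Hub run the same engine/DAT; the Mailbox server is one DAT behind.
$current = New-AvStamp -Vendor 'McAfee' -Engine '5400' -Dat '6650'
$stale   = New-AvStamp -Vendor 'McAfee' -Engine '5400' -Dat '6649'

$inbound = @{ Subject = 'invoice'; Headers = @{} }   # external mail, nothing stamped yet
Trace-AvStampPath -Message $inbound -Hops @(
    @{ Role = 'Edge';    Stamp = $current },   # scans: no stamp
    @{ Role = 'Hub';     Stamp = $current },   # skips: stamp matches
    @{ Role = 'Mailbox'; Stamp = $stale   }    # scans again, with older signatures: stamp differs
) | Format-Table -AutoSize
```

The trace shows why engine and DAT versions should be kept aligned across roles: the Hub skips a message the Edge already stamped, but a Mailbox server one DAT behind rescans everything, and does so with older signatures. The model trusts whatever stamp it finds; in a real deployment that trust rests on Exchange stripping its X-MS-Exchange-Organization-* headers from messages that arrive over unauthenticated connections, so an external sender cannot present a ready-made stamp.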

Product features

What is new in this release

• Role-based installation: the installer identifies the Exchange server roles on Exchange 2007/2010 and deploys the matching product components. On Exchange 2003, the user is prompted for the kind of MSME installation required: front-end server or back-end server.
• McAfee Global Threat Intelligence (GTI) for message and file reputation, which reduces the time needed to respond to new malicious content by querying McAfee servers.
• Product Health Alerts to monitor anomalies in the product and notify the ePO or Exchange administrator.
• Improved content scanning using regex-based searching of the email data.
• Improved signed-mail scanning, with the option to remove malicious attachments from signed mails.
• Mailbox exclusions.
• Support for adding proxy server credentials for anti-spam rule updates from the product's user interface.
• HTML support for disclaimers.
• Performance improvements in the Mailbox, Transport, and On-demand scanners.
• Quarantined items repository updated with:
  • Improved, regex-based search
  • New options to view and forward quarantined items
  • Building of sender and recipient blacklists/whitelists

Features and benefits

Feature: McAfee Global Threat Intelligence file reputation
Description: Cloud-based real-time malware detection. McAfee anti-virus technology combined with McAfee GTI blocks viruses and malicious code threats and offers real-time security using a combination of signature and behavior analysis with community threat intelligence. It drills down to find threats using advanced heuristics and generic detection, and can find and block new viruses before they are covered by the latest .DAT signatures.

Feature: McAfee Global Threat Intelligence message reputation
Description: Significantly increased spam detection through the Global Threat Intelligence cloud offering. The additional knowledge provided by McAfee GTI message reputation data enables appliances and services to filter communications more accurately and to protect electronic communications and transactions between people, companies and countries.

Feature: McAfee Stack Upgrade
Description: Latest McAfee Agent/Engine for the best protection.

Feature: Product Health Alerts
Description: Product alerts around error scenarios such as DAT/Engine download failure, Anti-Spam Rules update failure, low disk space, and the SAFe and RPCServ services being down. Refer to the Notification section for more information.

Feature: Rich Notifications
Description: Enhanced notification options such as notifying internal/external recipients and senders, and HTML format support for disclaimers.

Feature: Role based Modification
Description: McAfee Security for Microsoft Exchange detects a modified Exchange server role and adds the required components.

Feature: Performance
Description: Significant improvements in On-demand and Transport scan.

Feature: Usability
Description:
• Search improvements in the detected items report, along with regular expression support.
• Graphical user interface for Anti-Spam proxy settings.
• Restore default built-in configuration profiles from the user interface.

Feature: Additional Features
Description:
• Forward quarantined items to the administrator or any email address.
• View quarantined items from the Detected Items page.
• Regular expression support for Content scanning.
• Import or export blacklists and whitelists.
• Actual banned word or phrase shown in the detected items report.
• Allow/block the sender from detected items.

2 Installation

Things you must know as a best practice before you install, upgrade, or deploy McAfee Security for Microsoft Exchange.

Contents
  Supported environments
  Pre-installation checklist
  Installation scenarios
  Upgrade scenarios
  Post-installation tasks

Supported environments

For a complete list of McAfee Security for Microsoft Exchange 7.6 Supported environments, see KnowledgeBase article KB73835.

Pre-installation checklist

Before installing McAfee Security for Microsoft Exchange v7.6 software, ensure that:

[ ] Your system meets the minimum hardware and software requirements. Refer to the Hardware and Software Requirements section in the User Guide.
[ ] You have the Windows administrator credentials to install the product. This account must be a Domain administrator, and these credentials are required to launch the product installer.
[ ] Your quarantine database is configured locally or externally (using McAfee Quarantine Manager).
[ ] You uninstall any version of the product older than GroupShield 7.0.1 xx/GroupShield 7.0.2 xxx.

Note

• For future reference, make a note of the Domain administrator user name and domain name: _____________.
• You can upgrade directly from GroupShield 7.0.1 xx/GroupShield 7.0.2 xxx to this release.

Installation scenarios

Make sure that you follow these instructions as a best practice when you install the product in any of the following scenarios.

Manually install MSME or Anti-spam add-on

When you install MSME or the Anti-spam add-on manually on an Exchange server, make sure that you use the correct executable for the processor architecture.

32-bit (x86): MSME executable setup_x86.exe; Anti-spam add-on executable ASAddOn_x86.exe
64-bit (x64): MSME executable setup_x64.exe; Anti-spam add-on executable ASAddOn_x64.exe

Silent installation

To install the product silently on an Exchange server with default settings, double-click the Silent.bat file available in the download package.

To customize the installation, modify these parameters in the batch file:

Silent installation – Necessary parameters

Parameter: SET ADMIN_EMAIL_ID
  Value: <admin>@<msme>.com
  Description: Specify the administrator's email address for notifications.

Parameter: SET AUTO_UPDATE
  Value: 1
  Description: Enable automatic updates.

Parameter: SET INSTALL_DIR
  Value: %SystemDrive%\MSME
  Description: Specify the installation path.

Parameter: SET E2003_ROLE
  Value: 0 = Mailbox role; 1 = Hub role; 2 = Both Hub + Mailbox
  Description: Specify the Exchange server role.

Parameter: SET DB_PATH_CHANGED
  Value: 1
  Description: Change the Postgres database path.

Parameter: DATABASEDIR
  Value: C:\ProgramData\McAfee\MSME\MSMEData
  Description: Specify the new Postgres database location.

Install MSME on Exchange Server 2007 Single Copy Cluster (SCC)

• If you are installing MSME for the first time on a cluster, install it on the Active node, then install it on the Passive node. (Do not fail over between the two installations.)
• In case of an upgrade, make sure that you install MSME on the Active node first, then on the Passive node.
• Create the MSME cluster in the same cluster group where the Microsoft Exchange resources are configured.

Install MSME on Exchange Server 2010 Database Availability Group (DAG)

Make sure that you install MSME on a Mailbox role.

Use the McAfee Security for Microsoft Exchange – Cluster Replication Setup utility to replicate the quarantine database, policy configurations, and product updates. The service used is the McAfee Security for Microsoft Exchange Replication Service.

Deploy MSME using McAfee ePolicy Orchestrator

When you perform a deployment task from McAfee ePO, make sure that you select the product package that matches the Exchange server architecture under Products and components. For example, select McAfee Security for Microsoft Exchange (x86)- Licensed 7.6.<build>.<package> to deploy MSME on a 32-bit client computer; for a 64-bit computer, select McAfee Security for Microsoft Exchange (x64)- Licensed 7.6.<build>.<package> under Products and components.

Upgrade scenarios

You can upgrade to McAfee Security for Microsoft Exchange, version 7.6 software from:

• McAfee GroupShield 7.0.1 for Microsoft Exchange
• McAfee GroupShield 7.0.2 for Microsoft Exchange

Before you upgrade to this release:

• Check the Event Viewer and the Product Log for any GroupShield-specific errors.
• Make sure that the quarantine database is working correctly.
• Make sure that you have taken a backup of important data, such as:
  • Quarantine database
  • McAfeeConfig.xml
  • GroupShield for Exchange registry hive

Post-installation tasks

After installing McAfee Security for Microsoft Exchange using any of the scenarios mentioned earlier, you must verify:

• If the McAfee Security for Microsoft Exchange service is running in the Services console.
• If instances of the MSME processes postgres.exe*32, RPCServ.exe*32 and SAFeService.exe*32 appear in the Task Manager | Processes tab.
• If old GroupShield for Exchange 7.0.x policies have been migrated using the
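A PowerShell check for these items, added here as an example rather than taken from the guide or from McAfee: it reports the service state, the three worker processes and, where the Exchange Management Shell exposes Get-TransportAgent (Hub and Edge roles), whether the McAfee transport agents named in the scanning flows are registered and enabled. The 'McAfee*' name filter for the agents is an assumption; the process names come from the list above, with the PostgreSQL image spelled postgres.exe.

```powershell
# Added example, not McAfee's code: checks the post-installation items the guide
# lists (service, worker processes) and, on Hub/Edge roles, the transport agents
# named in the scanning flows. Run it in the Exchange Management Shell so that
# Get-TransportAgent is available. The 'McAfee*' agent name filter is an assumption.

function Test-MsmeInstallation {
    param(
        # Display name of the service as shown in the Services console (from the guide).
        [string]$ServiceDisplayName = 'McAfee Security for Microsoft Exchange',
        # Image names without .exe; Task Manager shows them as name.exe*32 because
        # they run under WOW64. The PostgreSQL server image is postgres.exe.
        [string[]]$ProcessNames = @('postgres', 'RPCServ', 'SAFeService')
    )
    $results = @()

    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    $svcState = if ($svc) { [string]$svc.Status } else { 'not installed' }
    $results += [pscustomobject]@{
        Check  = "service '$ServiceDisplayName'"
        Ok     = [bool]($svc -and $svc.Status -eq 'Running')
        Detail = $svcState
    }

    foreach ($name in $ProcessNames) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        $results += [pscustomobject]@{
            Check  = "process $name.exe"
            Ok     = ($procs.Count -gt 0)
            Detail = "$($procs.Count) instance(s)"
        }
    }

    # Transport agents exist only on Hub/Edge roles; skip the check elsewhere.
    if (Get-Command Get-TransportAgent -ErrorAction SilentlyContinue) {
        $agents   = @(Get-TransportAgent | Where-Object { $_.Identity -like 'McAfee*' })
        $disabled = @($agents | Where-Object { -not $_.Enabled })
        $results += [pscustomobject]@{
            Check  = 'McAfee transport agents registered and enabled'
            Ok     = ($agents.Count -gt 0 -and $disabled.Count -eq 0)
            Detail = ($agents | ForEach-Object { "$($_.Identity)=$($_.Enabled)" }) -join ', '
        }
    }
    return $results
}

$report = Test-MsmeInstallation
$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'One or more MSME post-installation checks failed'
}
```

Run it from the Exchange Management Shell on the server just installed. A service that exists but is stopped, or an agent that is registered but disabled, means mail is flowing without MSME in the path, so both conditions are reported as failures rather than warnings.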

3 Product configurations

Configure the policies and settings in your McAfee Security for Microsoft Exchange software for optimum performance.

Contents
  Product Health Alerts
  Policy settings
  Scanner settings
  Exclusion settings
  Using Regular Expressions
  Default vs. Enhanced configuration settings
  McAfee Anti-Spam add-on component
  Quarantine management
  Manage using ePolicy Orchestrator

Product Health Alerts

This feature checks the health of the product's components. It is a continuous sub-system running under the SAFe service that monitors processes such as the RPC Server (Main and Scanner), Postgres, and the Exchange plug-ins (VSAPI and Transport). Based on the product configuration, it sends notifications to the ePO or domain administrator when any monitored process fails to launch or exits with an error.

It also monitors activities such as:

• Downloading DATs/Anti-virus Engine
• Downloading Anti-Spam Rules
• Loading the Anti-virus Engine
• Postgres failing to quarantine or log detections
• Postgres database initialization failure
• Postgres failing to store a record
• On-demand scan failure
• Database disk space going below the threshold

Policy settings

Create policies

Always create policies on Gateway servers using SMTP addresses and on Mailbox servers using Active Directory (AD) groups. On a Mailbox server, policies based on SMTP addresses are very costly, because the product does not receive the SMTP addresses there and must resolve them with AD queries, which slows down the Mailbox server.

Scanner settings

Background scanning

Schedule this during non-peak hours of the day or during weekends.

This should be OFF by default. If you want to enable it, tune the BackgroundScanningLowerAgeLimit and BackGroundScanningAttachmentMessagesOnly settings to get the best output. Because messages with attachments are the most likely to carry malicious content, any viruses or executables found are replaced by this task.

Content scanning

Content scanning is CPU intensive and takes time to scan the contents of each attachment, so use this feature wisely. If you want to remove all URLs or other content-based data, do it on Gateway servers so that internal traffic does not incur latency. Ideally, run it on the Edge server role: most of the content is filtered out there, so the Store and Hub servers are not loaded, and scanning downstream is avoided by the AV stamp, which is applied by the on-access policy that includes the content scanning filter.

On-demand scanning

Schedule it as a single task that scans all the mailboxes.

Do not run multiple on-demand scan tasks at the same time, as this may cause internal heap fragmentation in the Store process: MSME pulls all the emails of all users' mailboxes in one go, which causes memory to bloat.

On-demand user creation on Exchange Server 2010

When MSME is installed on an Exchange 2010 Mailbox server, a user and a mailbox are created so that the product can perform on-demand scans. This user is called GSOD_<hostname>. One such user and mailbox is created in the organization for each Mailbox server that has MSME installed.

On-demand user access rights and permissions on Exchange Server 2010

• For each database on the Mailbox server, the On-demand user has Active Directory permissions on the mailbox, so that Exchangestoreiterator.dll can iterate through all the items in the mailbox.
• The On-demand user has the "Application Impersonation" role assignment. This enables the "On-demand User" account to impersonate the specified user accounts and perform mailbox operations using their rights.
• The On-demand user can access the public folder database, with PublishingEditor access rights. This enables the On-demand user to create, read, modify, and delete all items and files, and to create subfolders.
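Because the on-demand account holds Application Impersonation, it can read and modify every mailbox it is allowed to impersonate, so it deserves the same auditing as any other privileged account. The following PowerShell, added here as an example and not part of the guide or of McAfee's tooling, reports the account's mailbox, role assignment scope and public folder rights from the Exchange Management Shell on Exchange 2010, and lists GSOD_* mailboxes whose server part no longer matches a Mailbox server (accounts left behind after a server was decommissioned). It assumes the mailbox Name equals the GSOD_<hostname> user name.

```powershell
# Added example, not McAfee's code: audits the GSOD_<hostname> on-demand account
# described in the guide (Exchange 2010, run in the Exchange Management Shell).
# Assumes the mailbox Name is the same GSOD_<hostname> string as the user name.

function Get-MsmeOnDemandUserAudit {
    param(
        # One on-demand user exists per Mailbox server; default to this host.
        [string]$Hostname = $env:COMPUTERNAME
    )
    $user = "GSOD_$Hostname"

    $mailbox = Get-Mailbox -Identity $user -ErrorAction SilentlyContinue

    # The role assignment is what grants impersonation; RecipientWriteScope shows
    # whether it is limited to a scope or covers the whole organization.
    $impersonation = @(Get-ManagementRoleAssignment -RoleAssignee $user `
        -Role 'ApplicationImpersonation' -ErrorAction SilentlyContinue)

    # The guide states PublishingEditor on the public folder database; check the root.
    $pfRights = @(Get-PublicFolderClientPermission -Identity '\' -User $user `
        -ErrorAction SilentlyContinue | ForEach-Object { $_.AccessRights })

    [pscustomobject]@{
        User                  = $user
        MailboxPresent        = [bool]$mailbox
        ImpersonationAssigned = ($impersonation.Count -gt 0)
        ImpersonationScope    = ($impersonation | ForEach-Object { "$($_.RecipientWriteScope)" }) -join ', '
        PublicFolderRights    = ($pfRights | ForEach-Object { "$_" }) -join ', '
        HasPublishingEditor   = [bool]($pfRights | Where-Object { "$_" -eq 'PublishingEditor' })
    }
}

function Get-MsmeOnDemandUserOrphans {
    # Every GSOD_* mailbox whose server part (after "GSOD_") is not a current Mailbox server.
    $servers = @(Get-MailboxServer | ForEach-Object { $_.Name.ToUpperInvariant() })
    Get-Mailbox -Filter "Name -like 'GSOD_*'" -ResultSize Unlimited |
        Where-Object { $servers -notcontains $_.Name.Substring(5).ToUpperInvariant() } |
        Select-Object Name, Database
}

Get-MsmeOnDemandUserAudit | Format-List
Get-MsmeOnDemandUserOrphans | Format-Table -AutoSize
```

An ImpersonationScope that is empty or organization-wide means the account can open any mailbox in the organization, which is the expected state for a scanner but also the reason an orphaned GSOD_* account on a retired server should be removed rather than left in place.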

Proactive scanning

Proactive scanning can be set to OFF, which is similar to our prescribed maximum performance configuration. Ideally, proactive scanning works before the email message is saved in the Exchange database.

Mail size filtering

Enable or configure this option, if you want granular level filtering of emails based on file size or attachment size.

If Mail Size Filtering is enabled from Policy Manager | On-Access (Master Policy), the filter will be triggered only when the email is inbound from an external source. This filter will not work for internal and outbound emails.

Mail size filtering works only on inbound emails that are scanned by the Transport scanner, and only when the anti-spam add-on component is installed. If you are using the VSAPI scanner or do not have the anti-spam add-on, use the File Filtering | File Size option.

For an overview of how email scanning works, refer to the How emails are scanned section.

McAfee Global Threat Intelligence (GTI) file reputation

McAfee Global Threat Intelligence file reputation should be set to Low on Mailbox servers and High on Gateway servers, because malicious content enters an organization from the internet. This ensures that malicious attachments are cleaned on the Gateway; once the message is AV stamped, the load on the Hub and Mailbox servers is reduced.

Exclusion settings

Exclude all the MSME folders including quarantine database, replication folders in DAG on Exchange server 2010, MSME binary folders, Exchange binary and database. On SCC clusters, exclude the shared drive as well. For more information on exclusions, refer to the McAfee KnowledgeBase article KB51471.


Using Regular Expressions

Use regular expressions for performing search actions related to Content Scanning and quarantined items. For more information on how regex could be used with MSME, refer to the Regular Expressions (regex) section.

Default vs. Enhanced configuration settings

For maximum protection, use Enhanced settings and for maximum performance, use Default settings.

Differences in Default and Enhanced configurations

Feature                  Default        Enhanced
Message Reputation       Not enabled    Enabled
Maximum nesting level    10             50
Scanner TimeOut          1 minute       2 minutes
GTI File Reputation      Not enabled    Enabled (Sensitivity level = Medium)
Password Protected File  Allow through  Replace and Quarantine
Protected File           Allow through  Replace and Quarantine
File Filter              Not enabled    Enabled with default rule (*.exe, *.com, *.bat, *.scr)
Encrypted File           Allow through  Replace and Quarantine
Corrupted File           Allow through  Replace and Quarantine

McAfee Anti-Spam add-on component

McAfee Anti-Spam works on all Exchange server versions that host the SMTP stack: on Exchange Server 2003 this is the Front-end servers, and on Exchange Server 2007/2010 it is the servers holding the Edge and Hub server roles. Every email whose spam score exceeds the threshold set in the product user interface is treated as spam, and the action configured in the settings is taken.

In larger enterprises, if you have any appliance performing the Anti-Spam operation, then DO NOT install this Anti-Spam component on Hub server. This is to avoid load on the server.

If you have both Edge server and Hub server, then deploy anti-spam only on the Edge server and not on the Hub server. Doing this will improve the product’s performance.


Quarantine management

Configure this according to the hardware availability, which refers to the disk space where the quarantine database is located.

Schedule the Purge and Optimization task monthly on servers with a high spam-detection rate to keep the database growth under control. Note that not all spam emails are unwanted emails.

Manage using ePolicy Orchestrator

Make sure that the entire configuration required for all managed nodes is properly configured and enforced. If you want to enforce a different policy on a different client computer, group this computer and then enforce the policy. For example, group all Transport servers under the group "Transport" and Mailbox servers under the group "Mailbox".

4 Troubleshooting

Determine and troubleshoot issues while using McAfee Security for Microsoft Exchange. Learn about the available performance counters, important registry keys, and error codes associated with this product.

Contents

Resolve Active-sync issues
Determine latency issues
Important registry keys
Error codes

Resolve Active-sync issues

To resolve Active-sync issues, you must enable Proactive scanning. Use either of the following workarounds to resolve the issue.

Workaround 1

1 Click Start | Programs | McAfee | GroupShield for Exchange.

2 From the Configure section in the left pane, click Settings & Diagnostics.

3 In the Microsoft Virus Scanning API (VSAPI) section, ensure that Proactive Scanning is enabled.

4 Click Apply.

5 Close the MSME console.

Workaround 2

Follow this procedure only if the previous workaround fails to address the issue.

1 Open Registry Editor (click Start | Run, type regedit and click OK).

2 Go to the following location:

32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\GroupShield for Exchange

64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\GroupShield for Exchange

3 Create a new DWORD DisableAutoRev from Edit | New | DWORD Value.

4 Double-click DisableAutoRev and set the Value data to 1.

5 Click OK.

7 Click Start | Settings | Control Panel | Administrative Tools | Services.

8 Right-click the service GroupShield for Exchange and select Restart.

9 Close the Services console.
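The same workaround, as an added PowerShell example that is not part of the McAfee guide: it picks whichever of the two registry locations above exists on the host, records the current DisableAutoRev value so the change can be reverted, writes the DWORD, and restarts the GroupShield for Exchange service. The registry paths, value name and service display name are the ones given in the steps above; the function names and the rest of the logic are this example's own. Run it from an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example (not part of the McAfee guide): Workaround 2 as a script, run from an
# elevated PowerShell prompt on the Exchange server. The registry paths, the value name
# DisableAutoRev and the service display name are taken from the guide; the rest is
# this example's own logic.

function Get-GroupShieldRegistryPath {
    # The guide lists a 32-bit and a 64-bit location; use whichever exists on this host.
    $candidates = @(
        'HKLM:\SOFTWARE\Wow6432Node\McAfee\GroupShield for Exchange',  # 64-bit Windows
        'HKLM:\SOFTWARE\McAfee\GroupShield for Exchange'               # 32-bit Windows
    )
    foreach ($p in $candidates) {
        if (Test-Path -Path $p) { return $p }
    }
    throw 'GroupShield for Exchange registry key not found; is MSME installed on this server?'
}

function Set-DisableAutoRev {
    # Steps 3 to 5 of the guide: create the DWORD DisableAutoRev and set it to 1.
    param([int]$Value = 1)
    $path = Get-GroupShieldRegistryPath

    # Record the existing value (if any) so the change can be reverted later.
    $before = (Get-ItemProperty -Path $path -Name DisableAutoRev -ErrorAction SilentlyContinue).DisableAutoRev
    if ($null -eq $before) { Write-Host 'DisableAutoRev before: <not set>' }
    else                   { Write-Host "DisableAutoRev before: $before" }

    # -Force overwrites the value if it already exists; DWord matches the type the guide specifies.
    New-ItemProperty -Path $path -Name DisableAutoRev -PropertyType DWord -Value $Value -Force | Out-Null
    $after = (Get-ItemProperty -Path $path -Name DisableAutoRev).DisableAutoRev
    Write-Host "DisableAutoRev after:  $after"
    return $after
}

function Restart-GroupShieldService {
    # Steps 7 to 9 of the guide: restart the service so the new value is picked up.
    $svc = Get-Service -DisplayName 'GroupShield for Exchange' -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()
    Write-Host "Service '$($svc.DisplayName)' is now $($svc.Status)"
}

if ((Set-DisableAutoRev -Value 1) -eq 1) {
    Restart-GroupShieldService
}
```

To revert, run New-ItemProperty again with the value printed as "DisableAutoRev before", or remove the value with Remove-ItemProperty, and restart the service once more.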

Determine latency issues

Determine performance or latency issues using Windows Reliability and Performance Monitor, in Microsoft Windows 2003/2008 Server.

To access this utility:

1 Click Start | Run.

2 Type perfmon and click OK.

The following tables list the product-specific counters and their descriptions.

Microsoft Exchange Performance Counters

Counter Name                        Comments
Messages Processed                  The total number of top-level messages processed
Messages Processed/sec              The rate at which top-level messages are processed
Messages Cleaned                    The total number of top-level messages cleaned
Messages Cleaned/sec                The rate at which top-level messages are cleaned
Messages Quarantined                The total number of top-level messages quarantined
Messages Quarantined/sec            The rate at which top-level messages are quarantined
Messages Deleted                    The total number of top-level messages deleted at the request of the virus scanner
Messages Deleted/sec                The rate at which top-level messages are being deleted at the request of the virus scanner
Files Scanned                       The total number of separate files processed
Files Scanned/sec                   The rate at which separate files are processed
Files Cleaned                       The total number of separate files cleaned
Files Cleaned/sec                   The rate at which separate files are cleaned
Files Quarantined                   The total number of separate files quarantined
Files Quarantined/sec               The rate at which separate files are quarantined
Bytes Scanned                       The total number of bytes in all files processed
Queue Length                        The current number of outstanding requests queued for On-access or Proactive scanning
Folders Scanned in Background       The total number of folders processed by background scanning
Messages Scanned in Background      The total number of messages processed by background scanning

Standard MSME Performance Counters

Counter Name                        Comments
Background scanning threads         Number of threads currently running background scanning
Background messages scanned         Total number of messages scanned during background scanning
Background messages skipped         Total number of messages skipped during background scanning
Background messages up to date      Total number of messages with up-to-date virus stamps during background scanning
External Results: Accepted          Number of messages delivered with AV stamps that can be preserved
External Results: Not Accepted      Number of messages delivered with AV stamps that cannot be preserved
External Results: Not present       Number of messages delivered without AV stamps

Advanced MSME Performance Counters

Counter Name                                    Comments
Messages Scanned as MIME                        The total number of top-level messages processed as MIME
Messages Scanned as MIME/sec                    The rate at which top-level messages are processed as MIME
Messages Scanned as MAPI                        The total number of top-level messages processed as MAPI
Messages Scanned as MAPI/sec                    The rate at which top-level messages are processed as MAPI
Bytes Read                                      The total number of bytes read
Bytes Written                                   The total number of bytes written
                                                requests that are queued
Threads                                         The current number of threads in a thread pool used for virus scanning (the number of threads used for background scanning not included)
Checks Satisfied by MFT Stamp                   The number of times virus scan checks were satisfied by stamp in the Message Folder Table
Checks Satisfied by MFT Stamp/sec               The rate at which virus scan checks are satisfied by stamp in the Message Folder Table
Checks Satisfied by Instance Stamp              The number of times virus scan checks were satisfied by the instance stamp
Checks Satisfied by Instance Stamp/sec          The rate at which virus scan checks are satisfied by the instance stamp
Checks Satisfied by Master Instance Stamp       The number of times virus scan checks were satisfied by the master instance stamp
Checks Satisfied by Master Instance Stamp/sec   The rate at which virus scan checks are satisfied by the master instance stamp
Checks Not Satisfied                            The number of times virus scan checks were not satisfied by any stamp
Checks Not Satisfied/sec                        The rate at which virus scan checks are not satisfied by any stamp
                                                Rpc latency in milliseconds averaged for the past 1024 packets
Rpc Request                                     The number of client requests that are currently being processed by the store

Important registry keys

Create these registry keys when the significance matches with your requirements.

McAfee Security for Microsoft Exchange – Important registry keys

Registry key: DigestMail (Type: DWORD, Value: 1)
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\MSME\ADUserCache
Significance: Maintains a cache of user alias vs SMTP address, which is used when MSME is integrated with MQM and the same address is used for the Digest mail feature.

Registry key: ODUserID (Type: REG_SZ, Value: [Example: <[email protected]>])
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\MSME\E2007
Significance: Valid only for Exchange Mailbox servers. Should be the email address of the On-demand user created by the product, which is used to interact with Exchange web services to get mail data from the Exchange database.

Registry key: EWSUrl (Type: REG_SZ, Value: https://<IP address>/EWS/Exchange.asmx)
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\MSME\OnDemand
Significance: Valid only for Exchange 2010 Mailbox servers. This is the URL used to connect to the Exchange web services hosted by the CAS server. The value is populated by the PowerShell script GetHubTxDetails.ps1 during installation and whenever the MSME service is restarted.

Registry key: SCLJunkThreshold (Type: DWORD, Default value: 4)
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\MSME\AntiSpam
Significance: Valid only for Exchange 2010 Mailbox servers. This is the SCL junk threshold, which is retrieved from AD and set at organization level. Any score above this value is treated as junk mail, which helps junk email routing on Exchange 2007/2010 Hub servers. The value is populated by the PowerShell script GetSCLJunkThreshold.ps1 during installation and periodically thereafter.

Error codes

These are codes generated by the product, that you can use for troubleshooting or while contacting McAfee Technical Support.

Error codes and description

Code        Parameter
0x80004005  McEFAIL
0x80040200  McEOUTOFMEMORY
0x80040201  McEINVALIDTYPE
0x80040202  McENOENUMINPROGRESS
0x80040203  McESECTIONNOTFOUND
0x80040204  McECOMPONENTNOTFOUND
0x80040205  McEFACTORYFUNCTIONNOTFOUND
0x80040206  McESTREAMNOTOPEN
0x80040208  McESTREAMSEEK
0x80040209  McEINVALIDPARAM
0x8004020a  McESTREAMREAD
0x8004020b  McESTREAMWRITE
0x8004020c  McESETSTREAMSIZE
0x8004020d  McEFILEALREADYEXISTS
0x8004020e  McEINCONSISTENTPERSISTENCEMETHOD
0x8004020f  McESUBSYSTEMNOTSUPPORTED
0x80040210  McEINVALIDSTATE
0x80040211  McEOBJECTNOTFOUND
0x80040212  McEFAILEDTOCREATESYSTEMOBJECT
0x80040213  McEXMLPARSERROR
0x80040214  McEPOSTFIXEVALERROR
0x80040215  McEINCOMPATIBLETYPES
0x80040216  McENOTSUPPORTED
0x80040217  McESUBSYSTEMDOESNOTEXIST
0x80040218  McEPROPNOTFOUND
0x80040219  McERECORDSETNOTOPEN
0x8004021a  McECONNECTFAILED
0x8004021b  McESTORENOTSTARTED
0x8004021c  McESTORELOCATIONNOTFOUND
0x8004021d  McEFAILEDAUTHENTICATION
0x8004021e  McESTRINGNOTFOUND
0x8004021f  McEXMLPARSEERROR
0x80040220  McEXSDPARSEERROR
0x80040221  McEFAILEDTOPENFILE
0x80040222  McEUNRECOGNISEDFILETYPE
0x80040223  McECORRUPTFILE
0x80040224  McECOUNTERNAMENOTFOUND
0x80040225  McERECORDEXCEEDSMAXFILESIZE
0x80040226  McENOMORERECORDS
0x80040227  McEINVALIDQUERY
0x80040228  McENOSUCHQUERYRECORD
0x80040229  McECOMNOTINITIALISED
0x8004022a  McECANNOTCONNECTTOWEBSERVER
0x8004022b  McEINVALIDQUERYSYNTAX
0x8004022c  McESCANNERFAILEDTOLOADFACTORY
0x8004022d  McESCANNERFAILEDTOINITLOADER
0x8004022e  McESCANNERFAILEDTOLOADPOLICY
0x8004022f  McESCANNERFAILEDTOSCAN
0x80040230  McEFILEIOERROR
0x80040231  McEFILENOTFOUND
0x80040232  McETOOMANYOPENFILES
0x80040233  McEDISKFULL
0x80040234  McEACCESSDENIED
0x80040235  McEPERFCOUNTERSNOTSTARTED
0x80040236  McENORPCSERVER
0x80040237  McESERVERFAILED
0x80040238  McESQLQUERYFAILED
0x80040239  McETIMEOUT
0x8004023a  McEFAILEDTOLOADPOLICYXML
0x8004023b  McETASKNOTFOUND
0x8004023c  McENORECORDS
0x8004023d  McENOPOLICYID
0x8004023e  McENOSUCHRECORD
0x8004023f  McETIMEDOUT
0x80040240  McEUNREADCALENDARITEM
0x80040241  McFAILEDCREATESYSOBJECT
0x80040242  McECASTROPHICESERVICESFAILURE
0x80040243  McEFIREWALLCOMMSFAILURE
0x80040244  McEFIREWALLILLEGALIPADDRESS
0x80040245  McESYSTEMREAPERNOTSTARTED
0x80040246  McEUNKNOWNSYSCOUNTER
0x80040247  McEFAILEDOPENMETRICSQUERY
0x80040248  McEFAILEDADDCOUNTER
0x80040249  McEFAILEDINITAILIZETHREAD
0x80040250  McEFAILEDOPENSOCKET
0x80040251  McEFAILEDBINDTOSOCKET
0x80040252  MCEFAILEDTOLISTENTOSOCKET
0x80040253  MCEFAILEDTOGETPORTNUMBER
0x80040254  McEFUNCTIONNOTFOUND
0x80040255  McENOTSUPPORTEDONPLATFORM
0x80040256  McEINVALIDCODEPOINT
0x80040257  McEINVALIDUTF8CODEUNIT
0x80040258  McEINVALIDUTF16CODEUNIT
0x80040259  McEINVALIDUTF32CODEUNIT
0x8004025a  McEENDOFBUFFER
0x8004025b  McESAFENOTINITIALIZED
0x8004025c  McFAILEDGETHOSTINFO
0x8004025d  McEINVALIDCLIENTADDRESS
0x8004025e  McESTORECOMPACTING
0x8004025f  McEINVALIDPINGCMD
0x80040260  McEFAILEDSENDPINGREQ
0x80040261  McEFAILEDTOCREATECMAWRAPPER
0x80040262  McEINVALIDIMPORTEXPORTFILE
0x80040263  McENOSTOREDITEM
0x80040264  McEINVALIDPASSWORD
0x80040265  McEEXCEEDSIZELIMIT
0x80040266  McEINTERNAL
0x80040267  McEOLDERDATS
0x80040268  McESUBMITTEDALREADY
0x80040269  McEWINSERVICENOTRUNNING
0x80041009  McEMQMTRAININGDISABLED
0x80042000  McENULLPOINTEREXCEPTION
0x80042001  McEDUPLICATEENTRY

Related KnowledgeBase articles

Here is a list of KnowledgeBase articles related to this product. For more information on how to find the product documentation, see the Finding product documentation section.

KB article#  Title
KB75555  Security for Microsoft Exchange and virtualization
KB75371  Quarantined mail items are not downloaded in the original format
KB75370  Quarantined email messages are not forwarded in .MSG format
KB75367  Emails are sent to external recipients after being released from quarantine
KB75197  How to roll back the DAT file version in Security for Microsoft Exchange 7.6
KB75095  McAfee GroupShield / McAfee Security for Exchange Web Interface fails to load
KB74881  Content of Security for Exchange Status Report is not ordered by date
KB74131  Anti-spam rule update generates event ID 2170 in the Windows Application Event log
KB73997  Working with Transport Agents in McAfee Security for Exchange 7.6
KB73918  Upgrade from GroupShield 7.0.1 Patch 1 to Security for Exchange 7.6 fails even though minimum requirements are met for upgrade
KB73835  Supported environments for McAfee Security for Microsoft Exchange 7.6
KB73808  Security for Microsoft Exchange 7.6 fails to install on Windows Server 2003 64-bit Edition
KB73783  Security for Microsoft Exchange cluster resource fails to come online on a Windows 2008 server
KB73688  Compatibility of McAfee Security for Microsoft Exchange 7.6 and Exchange 2010 SP2
KB73683  McAfee Quarantine Manager 7.0 database starts growing rapidly in size
KB73639  How to manually update the Anti-Spam engine in MSME 7.6
KB73431  GroupShield/Security for Microsoft Exchange is not detecting spam (issue: authenticated connections)
KB73229  Security for Exchange local update task gets overwritten by ePO policy enforcement
KB73163  Security for Microsoft Exchange compatibility with ePO 4.6.1 running IE9 or Firefox 7.0
KB73124  The Minimum Escalation Requirement (MER) tool shows an incomplete list of McAfee products
KB73113  Security for Exchange 7.6 anti-spam activation module fails to update the evaluation license on a Windows 2008 server
KB72974  CorelDRAW Parser Buffer Overflow Vulnerability and McAfee Security for Microsoft Exchange 7.6
KB72702  How to add or remove McAfee Event Sinks from IIS with MSME 7.6
KB72648  The Notifications template for internal senders and recipients still shows GroupShield for Exchange instead of Security for Exchange
KB72647  If the anti-spam component is activated after expiry of the evaluation period, spam and phish email are not scanned
KB72646  Spam email is not being routed to the user junk folder intermittently on a Microsoft Exchange 2003 server
KB72543  You are prompted to type the SQL Named Instance of the ePO server during an upgrade of GroupShield to Security for Exchange
KB72542  Security for Exchange 7.6 is not supported on Chinese Traditional and Korean languages
KB72539  Warning messages in email bodies do not display correctly with Security for Exchange 7.6
KB72522  Uninstallation of the Security for Exchange Anti-Spam component fails via ePO
KB72503  Email items containing localized characters are not displayed correctly in Detected items when viewed through Internet Explorer
KB72502  Cannot open the Sitelist Editor after installing or upgrading to Security for Exchange 7.6
KB67525  Write-ahead transaction logs take up excessive space with Security Service for Exchange
KB67514  Postgres database processes fail to start with Security Service for Exchange 7.0 639
KB67505  After a successful DAT or Engine update with Security Service for Exchange 7.0, the DatDate registry entry is not updated
KB67504  Disclaimers are not applied to outbound email with Security Service for Exchange 7.0 513
KB67503  Email messages released from the Security Service for Exchange 7.0 quarantine database are in .EML format instead of .MSG
KB67492  It is not possible to download infected items from the McAfee Security Service for Exchange 7.0 quarantine database
KB67491  McAfee Security Service for Exchange fails to quarantine infected email messages on Microsoft Windows 2008 Server
KB67580  GS7MESData folder in the Security Service for Exchange database location rapidly increases in size
KB67543  Security Service for Exchange 7.0 Web User Interface (WebUI) compatibility issue with Microsoft Internet Explorer 8.0
KB67519  INTERNAL - ERROR: Unable to find any Qualifying Products (when trying to update McAfee Security Service for Exchange using a SuperDAT)
KB67042  Security Service for Exchange Release Notes (Master List)
KB67527  Security Service for Exchange 7.0 Release Notes (Addendum)
KB67539  Slow processing of email after starting the Security Service for Exchange 7.0 service
KB67533  RPCServ.exe uses excessive CPU time when the Security Service for Exchange service is started on an Exchange 2003 Mailbox server
KB72500  MQM does not push information to Security for Exchange after upgrading from GroupShield for Exchange 7.0.1
KB72496  Content Scanning Rules are ignored when importing an MSME 7.6 configuration file from another MSME 7.6 installation
KB72495  DAT folder fails to copy during upgrade when the GroupShield for Exchange resource points to a volume mount-point
KB72494  In Exchange 2003 Cluster environments the startup type of the MSME 7.6 service changes to Automatic when the installer is modified
KB72493  GroupShield for Exchange is installed when deploying Security for Exchange via ePO
KB72491  The repair option in the Security for Microsoft Exchange installer does not repair the corrupt configuration
KB72489  Spurious Postgres errors are logged in the Application event log after installing Security for Exchange
KB72488  The Microsoft Exchange Database Resource remains in a stopped state after upgrading to MSME 7.6
KB73007  Email messages quarantined by Security for Microsoft Exchange 7.6 are released in .EML format instead of .MSG format
KB73804  The Anti-Spam Rule Updater service is not present after installing Security for Microsoft Exchange 7.6
KB73188  McAfee Transport Agents are loaded but spam is not being scored and not detected
KB73363  Older DATs are not deleted when MSME DAT files are updated via McAfee Agent or VirusScan Enterprise Update Tasks
KB70380  Issue with DAT 6682 and McAfee email products
KB70130  How to enable Global Threat Intelligence Technology in your McAfee product
KB73024  Detected Items in Security for Exchange 7.6 show a Display Name instead of an SMTP address and cannot be released from quarantine
KB74104  McAfee Security for Microsoft Exchange fails to quarantine items and the console fails to open (Postgres database is corrupt)
KB68003  Spam is not routing to the User Junk Folder on Exchange Server 2010
KB74026  Error 1722 (when installing Security for Exchange 7.6)
KB74170  5500 Engine (Beta) support for Security for Exchange 7.6 and GroupShield for Exchange 7.0x
KB67003  When an item is detected by GroupShield/Security for Exchange with an action to replace item with an alert, the item is deleted instead (Transport Level scanning)
KB66909  VirusScan Enterprise exclusions (Master Article)
KB73699  How to add exclusions for specific Packer types in McAfee Security for Exchange 7.6
KB72026  Security for Microsoft Exchange Release Notes (Master List)
KB72025  Security for Microsoft Exchange 7.6.0 Release Notes (Addendum)
KB66326  The GroupShield/Security for Exchange interface fails to open (modifications made to system Hosts file)
KB73008  How to enable eServices scanner debug logging in McAfee Security for Microsoft Exchange 7.6
KB51471  VirusScan Enterprise / SaaS Endpoint Protection exclusions for Exchange Server 2007 and 2010 when running Security for Exchange / GroupShield for Exchange
KB55595  VirusScan Enterprise / SaaS Endpoint Protection exclusions for Exchange Server 2003 when running Security for Exchange / GroupShield for Exchange
KB73025  How to enable Debug logging in McAfee Security for Microsoft Exchange 7.6
KB73598  Product version information for Security for Microsoft Exchange
KB54890  Disclaimer Addition within McAfee Point Products
KB59415  How to submit spam and phishing samples to the McAfee Spam Analysis Team
KB74691  How to manually roll back the Anti-Virus Scanning Engine in Security for Exchange
KB74202  How to manually roll back the Anti-Virus Scanning Engine in McAfee Security for Microsoft Exchange 7.6

A Appendix – Frequently asked questions

Provides answers to common situations that you might encounter when installing or using the product and contains troubleshooting information in the form of frequently asked questions.

Contents

Installation
Policy Manager
Settings & Diagnostics
Anti-spam add-on
General

Installation

Where can I find systematic instructions on how to install this product?

Refer to the McAfee Security for Microsoft Exchange – Installation Guide.

How do I install the product silently?

Execute the Silent.bat file in the download package. For information on customization, see the Silent installation section.

What is the supported ePolicy Orchestrator version?

McAfee ePolicy Orchestrator 4.5 or later

What is the supported McAfee Agent version?

McAfee Agent 4.5 or later

On what port does the MSME configuration replication work?

This service does not listen on a port; it monitors the folders that the administrator has set using the replication user interface.

Do I have to consider anything special while upgrading to MSME 7.6 from GroupShield for Exchange 7.0.x in a CCR or DAG environment?

No considerations. Follow the standalone installation steps.

Policy Manager

How do I create and use email policies?

Always create policies on gateway servers using SMTP addresses and on mailbox servers using Active Directory (AD) groups. On a Mailbox server, policies based on SMTP addresses are very costly, because the product does not receive SMTP addresses and must make AD queries to resolve them, which slows down the Mailbox server.


Do domain names in policies affect performance?

Yes. For a detailed explanation, refer to the previous question, "How do I create and use email policies".

How does policy priority work?

Policies are evaluated in priority order. As soon as a child policy is satisfied, the remaining policies are not evaluated.

Is it beneficial to have multiple policies and will it affect the server performance?

Yes, this will affect performance. During policy evaluation, when the first child policy is not satisfied and the next policy is evaluated, AD queries may have to be made, resulting in slower performance.

How do I configure MSME to block executable files at a granular level?

You can do this using the File Filtering option. For example, let us see how to filter specific executable files such as the Windows executables.

1 Log on to the MSME user interface and click Policy Manager | On-Access (Master Policy).

2 Under Core-Scanners, click File Filtering and enable this option.

3 Under Options (Core Anti-Spam Settings), click Edit.

4 Under Available rules drop-down list, select <Create a new rule…>.

5 Specify a rule name and under File category filtering, select Enable file category filtering.

6 From File categories list, select Other specific formats.

7 From Subcategories list, select Windows Executables.

8 Click Save.

Settings & Diagnostics

What type of file is detected as Packers or PUPs, and where can I control this setting?

Packers and PUPs belong to the malicious content category and are detected based on that category. Packers are generally files that are compressed or packed using some algorithm and are decompressed on execution.

Control this setting from Anti-Virus settings in the product’s user interface.

Can I export the Blacklists and Whitelists from one MSME server to another?

Yes, you can export the blacklists and whitelists from one MSME server to another. To do this:

1 Log on to the MSME user interface and click Policy Manager | Gateway (Master Policy).

2 Under Core-Scanners, click Anti-Spam.

3 Under Options (Core Anti-Spam Settings), click Edit.

4 Click the Mail Lists tab, and then click Export to save all Blacklisted and Whitelisted senders/recipients.


Does enabling McAfee GTI cause email latency?

Yes, there will be latency due to the email validation by GTI.

How do I verify if Transport scanner is scanning for spam emails?

You can verify this from the product’s user interface in either of the following ways:

• From the Recently Scanned items page, look at the emails scanned and check the policy used to scan each email. It should show Gateway under the Scanned by field.

• From the Detected Items database, check whether any spam emails have been detected. Finally, verify that the emails did not arrive over authenticated sessions, which is logged in the MSME Debug Logs.

Anti-spam add-on

How do I update the Anti-spam engine manually?

Update the registry key and place the new engine in the directory whose name matches the "SpamEngineVersion" registry value under the "MSME\SystemState" registry key. These two values must be in sync. For example, if the engine version is "7793", create a directory named "7793" under "MSME\Bin\AntiSpam\Engine" and copy the engine file "masecore.dll" to this directory.
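A read-only check for the "in sync" requirement above, as an added PowerShell example that is not part of the McAfee guide: it reads the SpamEngineVersion value, looks for the matching folder under Bin\AntiSpam\Engine and for masecore.dll inside it, and lists the engine folders actually present so a mismatch is easy to see. The value name, folder layout and DLL name come from the answer above. Assumptions of this example: the SystemState key is under HKLM\SOFTWARE\Wow6432Node\McAfee\MSME like the other MSME keys in this guide, and the default $InstallDir is a placeholder for your MSME installation folder.

```powershell
# Added example (not part of the McAfee guide): a read-only consistency check for the manual
# anti-spam engine update described above. The guide names the SpamEngineVersion value under
# the MSME\SystemState key, the MSME\Bin\AntiSpam\Engine\<version> folder and the masecore.dll
# file. ASSUMPTIONS of this example: the SystemState key sits under
# HKLM\SOFTWARE\Wow6432Node\McAfee\MSME like the other MSME keys in this guide, and
# $InstallDir is the MSME installation folder on your server.

function Test-AntiSpamEngineConsistency {
    param(
        [string]$InstallDir     = 'C:\Program Files (x86)\McAfee\MSME',                  # assumed install path
        [string]$SystemStateKey = 'HKLM:\SOFTWARE\Wow6432Node\McAfee\MSME\SystemState'   # assumed key path
    )
    $engineRoot = Join-Path -Path $InstallDir -ChildPath 'Bin\AntiSpam\Engine'

    # 1. What does the registry say the engine version is?
    $reg = Get-ItemProperty -Path $SystemStateKey -Name SpamEngineVersion -ErrorAction SilentlyContinue
    $version = if ($reg) { [string]$reg.SpamEngineVersion } else { $null }

    # 2. Does a folder with that exact name exist, and does it contain the engine DLL?
    $engineDir  = if ($version) { Join-Path -Path $engineRoot -ChildPath $version } else { $null }
    $dirExists  = [bool]($engineDir -and (Test-Path -Path $engineDir -PathType Container))
    $dllPresent = [bool]($dirExists -and (Test-Path -Path (Join-Path $engineDir 'masecore.dll') -PathType Leaf))

    # 3. Which engine folders are actually on disk? (Explains a mismatch at a glance.)
    $onDisk = @()
    if (Test-Path -Path $engineRoot) {
        $onDisk = @(Get-ChildItem -Path $engineRoot | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name })
    }

    New-Object PSObject -Property @{
        RegistryVersion  = $version
        EngineDirExists  = $dirExists
        EngineDllPresent = $dllPresent
        FoldersOnDisk    = ($onDisk -join ', ')
        InSync           = ($dirExists -and $dllPresent)
    }
}

$check = Test-AntiSpamEngineConsistency
$check | Format-List RegistryVersion, FoldersOnDisk, EngineDirExists, EngineDllPresent, InSync
if (-not $check.InSync) {
    Write-Warning 'SpamEngineVersion and the engine folder are out of sync; fix one side before restarting the service.'
}
```

Pass -InstallDir and -SystemStateKey explicitly if your installation differs from the assumed defaults. The function changes nothing on the server; it only reports, so it is safe to run before and after a manual engine update.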

Can I edit the Anti-spam rules manually?

No.

What should I consider before adding an email address to the Blacklist?

• Make sure that the McAfee Anti-Spam add-on component is installed.

• The Microsoft Exchange server must be a Transport server. For example, an Exchange Server 2007/2010 in the Edge/HUB role, or an Exchange Server 2003 in the front-end role.

• Have an unauthenticated connection, where emails reach the server directly from the internet.

How do I blacklist or whitelist an email address?

1 Log on to the MSME user interface and click Policy Manager | Gateway (Master Policy).

2 Under Core-Scanners, click Anti-Spam.

3 Under Options (Core Anti-Spam Settings), click Edit.

4 Click the Mail Lists tab and then click Add for the required option, such as Blacklisted or Whitelisted senders/recipients.

What should I do when few emails are not being detected as spam?

From the Settings & Diagnostics | Anti-Spam page, select Enable message reputation and apply the settings. Also, adjust the spam score to a value between 51 and 79, which will help with the detection rate. Note that emails with a lower spam score (51–59) could still be legitimate, so tweaking the score is required.


Where can I get the Anti-spam add-on license?

You can download "asa.zip" from the McAfee download site if you have a valid Anti-spam grant number. If you do not have a valid Anti-spam grant number, call the McAfee Customer Service team.

Regular Expressions (regex)

Does enabling regex cause email latency?

Yes, enabling regular expression causes email latency, as Content Scanning is a process intensive configuration.

Where do I find more information on regex?

Several websites on the internet provide information on regular expressions. To name a few, see:

http://www.regular-expressions.info/reference.html

http://www.regexbuddy.com/regex.html

How do I block certain Credit Card numbers and Social Security numbers using regex?

1 Log on to the McAfee Security for Microsoft Exchange user interface and perform the following steps:

2 Click Policy Manager | Shared Resource. The Shared Resources page appears.

3 Under the Filter Rules tab, click New Category and specify a category name.

4 Click OK.

5 Under Content Scanner Rules, click Create New.

6 Specify the Rule Name, Description and, under Word or Phrase, specify the regular expression.

Example: How to validate Credit Card Numbers

Card type          Regular Expression                   Description
Visa               ^4[0-9]{12}(?:[0-9]{3})?$            All Visa card numbers start with 4. New cards have 16 digits; old cards have 13.
MasterCard         ^5[1-5][0-9]{14}$                    All MasterCard numbers start with 51 through 55. All have 16 digits.
American Express   ^3[47][0-9]{13}$                     American Express card numbers start with 34 or 37 and have 15 digits.
Diners Club        ^3(?:0[0-5]|[68][0-9])[0-9]{11}$     Diners Club card numbers begin with 300 through 305, 36 or 38. All have 14 digits. There are Diners Club cards that begin with 5 and have 16 digits; these are a joint venture between Diners Club and MasterCard and should be processed like a MasterCard.
Discover           ^6(?:011|5[0-9]{2})[0-9]{12}$        Discover card numbers begin with 6011 or 65. All have 16 digits.
JCB                ^(?:2131|1800|35\d{3})\d{11}$        JCB cards beginning with 2131 or 1800 have 15 digits. JCB cards beginning with 35 have 16 digits.

Based on the example above, you can create a similar regular expression for Social Security numbers. Note that the patterns in the table are anchored with ^ and $, so they match only text that consists of nothing but the card number; to catch a number embedded in a message body, drop the anchors and allow for the spaces or hyphens people type between digit groups. A regular expression only checks format, so expect some false positives from order numbers and other digit strings that happen to fit a pattern. For more examples of regular expressions, see http://www.regular-expressions.info/examples.html.

7 Select the Regular Expression option and click Save.

8 Add this to the Content Scanning policy in Policy Manager by clicking Policy Manager | On-Access (Master Polic
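The table's patterns applied the way a scanner has to apply them to real mail, as an added example. This is not MSME's scanner or any McAfee code; it uses Python's re module, so lookbehind support in the candidate pattern is an assumption if you port it into an MSME rule (the brand patterns themselves use nothing beyond what the table already uses). It strips the ^...$ anchors, tolerates the spaces and hyphens typed between digit groups, classifies the digit string with the table's brand patterns, and discards anything that fails the Luhn checksum, which removes most of the order and tracking numbers a bare pattern would flag. The SSN pattern is the standard AAA-GG-SSSS layout with the area, group and serial values the SSA never issues excluded. The sample message is constructed and uses the publicly known brand test numbers. One caveat the table predates: Mastercard's 2-series range (2221 through 2720, in use since 2017) is not covered by the MasterCard pattern.

```python
import re

# Brand patterns taken from the table above, with the ^ and $ anchors removed.
# Assumption: a content scanner applies the rule to the whole message text, so
# an anchored pattern only matches a message that consists of nothing but a
# card number. Here each pattern is applied with fullmatch() to a digit-only
# candidate extracted from the text instead.
CARD_PATTERNS = {
    "Visa": re.compile(r"4[0-9]{12}(?:[0-9]{3})?"),
    "MasterCard": re.compile(r"5[1-5][0-9]{14}"),
    "American Express": re.compile(r"3[47][0-9]{13}"),
    "Diners Club": re.compile(r"3(?:0[0-5]|[68][0-9])[0-9]{11}"),
    "Discover": re.compile(r"6(?:011|5[0-9]{2})[0-9]{12}"),
    "JCB": re.compile(r"(?:2131|1800|35\d{3})\d{11}"),
}

# A run of 13 to 16 digits, optionally separated by single spaces or hyphens,
# that is not part of a longer digit run. Card numbers in mail bodies are
# usually typed in groups ("4111 1111 1111 1111"), which an anchored,
# digits-only pattern would never see.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# US Social Security number in the AAA-GG-SSSS layout. The SSA never issues
# area 000, 666 or 900-999, group 00 or serial 0000, so those are excluded.
SSN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every real payment card number does; a random digit run that happens to
    fit a brand pattern (order or tracking number) fails about 90% of the time.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_card(digits: str):
    """Return the brand whose pattern matches the whole digit string, or None."""
    for brand, pattern in CARD_PATTERNS.items():
        if pattern.fullmatch(digits):
            return brand
    return None


def find_card_numbers(text: str):
    """Return (brand, digits) for every Luhn-valid card number found in text."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        brand = classify_card(digits)
        if brand is not None and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def find_ssns(text: str):
    """Return every plausibly formatted SSN found in text."""
    return SSN.findall(text)


# Constructed sample message (not real data). The first two card numbers are
# the public Visa and MasterCard test numbers, the third fits the Visa pattern
# but fails the Luhn check, and the tracking number is 13 digits that match
# no brand at all.
SAMPLE_MESSAGE = """Hi, please charge my card 4111 1111 1111 1111 (exp 12/25).
My colleague's MasterCard is 5555-5555-5555-4444.
Order reference 4111111111111112 looks like a card number but is not one.
Tracking number 1234567890123 is just digits.
SSN on file: 078-05-1120. Not an SSN: 000-12-3456.
"""

if __name__ == "__main__":
    # Mask what is printed: a detection log should not itself leak the number.
    for brand, digits in find_card_numbers(SAMPLE_MESSAGE):
        print(f"{brand}: {digits[:6]}{'*' * (len(digits) - 10)}{digits[-4:]}")
    for ssn in find_ssns(SAMPLE_MESSAGE):
        print(f"SSN: ***-**-{ssn[-4:]}")
```

Run as a script it reports the Visa and MasterCard numbers and the one valid SSN, and stays silent on the Luhn-invalid and brandless digit runs. If you carry the Luhn idea back into the product, remember that an MSME rule is a regular expression only: the checksum has to be approximated by accepting some false positives, or handled by a separate control.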
