Guinevere 3
Guinevere 3
Installation Guide and User Manual
Copyright © 2005 - All rights reserved.
1
Guinevere 3
Acknowledgments ......................................................................................................... 5
Getting Started............................................................................................................. 5
Introduction ................................................................................................................ 6
System requirements ..................................................................................................... 8
Using the SETUP Program ................................................................................................. 9
Installing Guinevere .................................................................................................... 9
The Request Support Wizard.............................................................................................16
Running Guinevere.....................................................................................................22
The evaluation version of Guinevere ...................................................................................23
Known Issues with Guinevere ........................................................................................24
Uninstalling Guinevere ................................................................................................24
Configuring Guinevere.................................................................................................. 26
About ........................................................................................................................26
Guinterface .............................................................................................................26
License ......................................................................................................................27
Do not scan for viruses in outgoing messages .....................................................................28
UniversalAV options ...................................................................................................28
Select your AV Program ...............................................................................................29
What happens when a virus is detected............................................................................29
Attachment Blocking ......................................................................................................30
Add/Edit Pattern Blocking............................................................................................31
Fingerprinting ..............................................................................................................33
There are some negatives to using Fingerprinting................................................................34
Exploits......................................................................................................................35
Activate Mail Filters ...................................................................................................38
Creating a Filter........................................................................................................38
Mail Filtering Actions ..................................................................................................38
Advanced Options......................................................................................................39
SpamAssassin ...............................................................................................................42
Spam Assassin Overview ..............................................................................................43
SCS .......................................................................................................................44
Signature Files .............................................................................................................52
Oversized Messages .......................................................................................................54
Archiving ....................................................................................................................56
Return Receipts ............................................................................................................58
Add Return Receipt Requests to Outgoing Mail ...................................................................59
Outgoing Mail Reports .................................................................................................60
User Exceptions ............................................................................................................61
Location of Files ...........................................................................................................63
Copyright © 2005 - All rights reserved.
2
Guinevere 3
Notification/Disposition ..................................................................................................68
Inbound/Outbound Files treatment .................................................................................68
Send E-mail To .........................................................................................................69
E-mail Sender...........................................................................................................69
Resolve Names: Mailbox ID/Display Name .........................................................................70
Default Character Set .................................................................................................70
Customize Messages .......................................................................................................82
Advanced Tuning ..........................................................................................................83
Performance ............................................................................................................84
Service Direction .......................................................................................................86
Reports ......................................................................................................................87
Test a Message ........................................................................................................... 89
Guinevere Archive Viewer............................................................................................. 90
Launching the Guinevere 3 Archive Viewer........................................................................90
Advanced ................................................................................................................93
The Building Query window ..........................................................................................97
Using the Archive Viewer ........................................................................................... 100
Appendix 1: AV Integrations..........................................................................................106
Command Line Introduction ........................................................................................... 106
Specific AV Product Notes .......................................................................................... 106
McAfee Virus Scan Enterprise 8.0i, version 8.0.0 ............................................................... 106
Norton AntiVirus ..................................................................................................... 106
F-Prot .................................................................................................................. 107
Intel Landesk/NAV Corporate Edition............................................................................. 107
Sophos 5.0.1 .......................................................................................................... 107
Norman Virus Control ............................................................................................... 108
Trend Micro/Touchstone Software PC-Cillin..................................................................... 108
Grisoft 7.0............................................................................................................. 108
UniversalAV Integrations ............................................................................................... 108
How UniversalAV Works................................................................................................. 110
Specific AV Product Notes .......................................................................................... 110
McAfee v 5, 6.02, 7.0,8 ............................................................................................. 110
NAV Corporate Edition 7.0/7.5/7.6/8.0/8.1 .................................................................... 111
NAV 2002/2003 ....................................................................................................... 111
ETRUST INOCULATEIT 6/7 .......................................................................................... 111
Command Software's FPROT........................................................................................ 112
SOPHOS ................................................................................................................ 112
TRENDMICRO PC-CILLIN/OFFICE SCAN ............................................................................ 112
KASPERSKY ANTIVIRUS (formerly AVP)............................................................................ 112
DATA FELLOWS FSECURE............................................................................................ 113
ESET NOD.............................................................................................................. 113
AVAST32 ............................................................................................................... 113
Dr. Web................................................................................................................ 113
Norman Virus Control ............................................................................................... 114
RAV 8.6.103 ........................................................................................................... 114
MicroWorld eScan .................................................................................................... 114
VirusBuster (Hungarian)............................................................................................. 114
Panda Antivirus Platinum 6.26 ..................................................................................... 115
BitDefender 7.1 ...................................................................................................... 115
Unsupported Products............................................................................................... 115
Copyright © 2005 - All rights reserved.
3
Guinevere 3
Appendix 2: How Guinevere Works .................................................................................117
Appendix 3: Pattern Matching .......................................................................................119
Appendix 4: Fingerprinting ...........................................................................................120
Appendix 5: Compression Formats..................................................................................123
Appendix 6: Creating the Services Directory .....................................................................124
Copyright © 2005 - All rights reserved.
4
Guinevere 3
Acknowledgments
Getting Started
The file decoding engine is the UUDEVIEW ATL control,
licensed from the component's authors, Michael
Newcomb and Frank Pilhofer. It is licensed for use
only as part of this program, although a GPL version is
available. For more information, see
http://www.miken.com/uud
SpamAssassin is a wonderful open-source product. The
trademark is held by Deersoft Inc. Its home page is
http://www.spamasssassin.org
UCD-SNMP (also known as NET-SNMP) is also a
wonderful open-source product, with its home page at
http://www.net-snmp.org
The Zip/Unzip/GZip/Tar controls are licensed from
the commercial products at DynaZip,
http://www.dynazip.com
The ActiveReports engine is licensed from the
commercial product at DataDynamics,
http://www.datadynamics.com
The UNRAR.DLL is distributed by permission of the
author, Eugene Roshal. The RAR family of archive
programs may be found at http://www.rarlabs.com
Intended Audience
This manual is intended for IT administrators in their
use of Guinevere or anyone wanting to learn more
about Guinevere. It includes installation instructions
and features detailed descriptions of how this eSecurity product protects mail networks from both
spam and viruses.
Technical Support
If you have a technical support question, please
consult the Guinevere Technical Support section of
our website at http://www.beginfinite.com/.
Sales
To contact a Beginfinite sales team member, please
call +1-514-639-4850 or e-mail info@beginfinite.com.
Corporate Headquarters
100 Alexis Nihon Blvd., Suite 500, Montreal, Quebec,
H4M 2P1
GSEND is licensed as a single user copy for use only as
part of this program. This is a lobotomized, partially
functional copy. If you wish to use GSEND for other
purposes, contact mikebell90@yahoo.com.
Tel: 866-GO-GWAVA (866-464-9282) or +1 514 6394850.
GroupWise is a trademark of Novell Inc.
Guinevere is the original Anti-Spam/Anti-Virus solution
for GroupWise. Guinevere runs on the Windows OS and
provides advanced protection for small to medium size
Enterprises needing a cost effective solution against
Viruses and Spam. Thousands of companies have come
to rely on Guinevere as their best line of defense
against spam and viruses at the GWIA Gateway.
Windows is a trademark of Microsoft Corporation.
McAfee Virus Scan, Norton Anti-Virus, Kaspersky, ESet
NOD, Avast, BitDefender, QuickHeal, Sophos SWEEP,
IKARUS, Vexira, RAV, Panda, QuickHeal, AVP,
VirusBuster, F-SECURE, F-RISK, F-PROTECT, Cheyenne
Inoculan, Norman Virus Control, Touchstone/Trend
Micros's PC-cillin, Command F-PROT, Dr Solomon's, and
Intel LANDESK are trademarks of their respective
companies.
About Guinevere
Copyright Notice
Special Thanks to the Following:
The content of this manual is for informational use
only, and may change without notice. Beginfinite Inc.
assumes no responsibility or liability for any errors or
inaccuracies that may appear in this documentation.
GroupWise is a registered trademark of Novell, and is
copyrighted by Novell. (A)
Kim and Pam, who never get thanked. You guys rock!
© 1998-2005 Michael J Bell. All rights reserved.
The NSC volunteer sysops.
vbAccelerator Software License
And you, the customer, without whom there would be
no point in writing this manual! Thank you!
Version 1.0: Copyright (c) 2002 vbAccelerator.com
Guinevere and UniversalAV are trademarks owned by
Michael J. Bell.
v-3ai
Copyright © 2005 - All rights reserved.
5
Guinevere 3
Introduction
What is Guinevere?
Guinevere is a multi-faceted program, offering many powerful security features to enhance your
GroupWise Internet Agent (GWIA).
The primary purpose of Guinevere is to provide anti-virus protection for your GroupWise system.
Guinevere can be configured to scan all e-mail departing from or arriving at your company via the
Internet. In addition, it is easy to block spam, undesirable content, and archive mail for future disclosure.
Guinevere offers a great deal of flexibility. Most options can be configured separately for incoming and
outgoing traffic. Administrators have a variety of choices for dealing with infected mail including:
deleting the whole message; removing the file attachment; making a copy of the infected message; emailing specified users and/or the sender.
Guinevere scans for mail entering/exiting the Internet gateway exclusively.
It does not protect your system against internal e-mail carrying viruses, or crossing other GroupWise
gateways. Guinevere can perform an important protective function in conjunction with other virus
scanning programs implemented at the server and workstations. Also note that Guinevere can only detect
viruses which the underlying anti-virus scanning engine (provided by a third-party) can detect, although
the Attachment Blocking and Fingerprinting options can be powerful proactive protection. Update your
anti-virus product often!
Guinevere can accurately scan only PC compatible documents and executables. Guinevere can scan
Macintosh files, but only accurately identifies macro viruses (MS Word, Excel, etc.). This is a limitation of
commercial virus scanners, not Guinevere – The PC virus scanners simply do not include the definition
files for—fortunately non-existent—Macintosh and Linux viruses.
Copyright © 2005 - All rights reserved.
6
Guinevere 3
What is new in Guinevere 3
SpamAssassin Pre-Installed and
Pre-Configured.
Transactional Functionality
Currently, a bad e-mail can flub up the
whole system.
SpamAssassin daemonized, doubling the
speed while reducing memory and CPU usage
significantly
Memory usage – often 20-30 MB per thread
(Physical thread usage greatly reduces race
conditions and reduces by 99.99999% chances
of thread collision)
UI version of SA-Learn on the main Guinevere
Config Screen.
No need to install Perl or Perl modules. This
saves a great deal of effort with initial setup
The key is to keep a journal of the active
threads.
Upon any restart, will automatically move
these e-mails on restart to a “suspicious”
location.
Turbo charged SQL based archive
viewer
Similar to and based on the GWAVA Archive
Viewer
Much faster, easy to filter, easy to organize
Auto-Downloader/Installer
BUT: not backwards compatible. Legacy
Archive Viewer will be a separate download
for your convenience, and simply be a copy
of the G2 released EXE.
Allows you to download, and optionally
install updates for Guinevere.
You can specify frequency of updates,
whether an e-mail is sent to admin.
You can specify the categories of updates
that will apply.
In general, many will prefer the autodownload/notify than auto-install.
Tends to take more disk space.
Auto Digester
Send a digest of Spam Messages to people
each night.
Allows administrators more leeway in their
desire to just “whack” the spam.
Improved AV install and
Optimization Wizards
The current one is outdated and confusing.
Continues Support of Many versions of AV
products
More clearly Delineated Event
Categories
Easier to configure notifications, subject tags
etc.
Improved boilerplate Wizard
No hunting for files
Auto optimization wizard to pre-setup
Attachment Blocking and other features.
Spam Confirmation System (SCS)
feature
Requires “suspected spammers” to reply to a
unique hash code “challenge” via e-mail
Auto-Updates white-list upon proper reply
Allows you to set user exceptions
Locks down your system against new spam
threats
Copyright © 2005 - All rights reserved.
7
Guinevere 3
System requirements
Mandatory for All Installations
A Windows 95/98/ME/NT/200x/XP machine. At least 256 megabytes of RAM required; 512 megabytes
recommended. A Pentium II level machine is strongly recommended. Normally, disk space requirements
are minimal, but this depends on which configuration options are selected. For example, the more
messages that are archived, the more disk space required.
Novell GroupWise 5.2 or greater must be installed and GWIA (GroupWise Internet Agent) is used for all
Internet e-mail. The older SMTP/MIME 4.1 gateway is not supported. If you have more than one GWIA
utilizing SMTP services, you will need to purchase additional licenses of Guinevere, one per additional
GWIA running SMTP services.
A supported (DOS or Win32) virus scanning programs such as those sold by McAfee, F-PROT, Command,
Norman, Dr. Solomon, Sophos, Symantec, Trend, and others. Guinevere uses this program to detect the
viruses.
Installation
Please make sure GWIA and the rest of your GroupWise
system is functioning normally before installing Guinevere.
Send at least one test message outgoing to the Internet,
and one test message incoming to the GroupWise system.
Also, Guinevere assumes that addressing rules or Native
Internet addressing is in effect.
In other words, Guinevere assumes that if it tries to send a
piece of mail to user@somecompany.com, that the system
is both set up to understand this and in operation.
If you own GroupWise 5.2 and have not
set this up, check out Novell’s
knowledgebase, and search for internet
addressing rules before proceeding.
Installation consists of the following
steps:
Using the SETUP program to copy
program files to your hard drive.
Verifying the Guinevere installation.
Selecting your AV integration
Creating the Service Directory
(Note: This step requires a restart of
GWIA).
Completing your Configuration
Starting Guinevere and testing it!
Upgrading
Users should not install Guinevere 3 into
the same directory as an existing
Guinevere 2 or 1 installation. If upgrading from Guinevere 1, you must recreate your user configuration
from scratch. However it Is safe to copy the core *.INI files from your old Guinevere 2 directory, and any
customized files in the MSG subdirectory.
Important - Note that the VIRTHRD.BAT must be regenerated. Do this by reselecting an AV Integration in
the main configuration program.
Copyright © 2005 - All rights reserved.
8
Guinevere 3
Using the SETUP Program
Before running the SETUP program, shut off all anti-virus software. Most modern anti-virus software
includes both "on-access" Antivirus software (AV software running in the background that intercepts all
reads and writes to the hard disk) and "on-demand" components (AV software that is user-initiated).
Disable the AV software completely until configuration is complete.
Also consider shutting down any unnecessary services or programs until you are sure Guinevere is
functioning properly. The program is packed as a self-extracting, auto-running executable. Run the setup
program and follow all the prompts. The installation is well-guided. You will be asked at one point where
you wish to install Guinevere. The default (strongly recommended) is C:\GUIN3.
Installing Guinevere
Run Guinevere from the Start\Programs menu. An introductory screen will be presented. Click OK to begin
the installation procedure. The first step will be to choose an anti-virus program.
Step 1
After clicking OK, an informational screen is presented alerting administrator that an AV program must be
selected. It is vital to inform Guinevere of which anti-virus program is in use. Guinevere has no anti-virus
functionality of its own. Information provided about the supported integrations include universal AV,
command line AV and whether the software supports Windows 9X/ME.
Command line integrations (as with
Guinevere 1.x) –Guinevere runs an AV
scanner EXE directly, and receives feedback
from it. All of the items in this list are
command line integrations, except for the
last choice.
UniversalAV – Guinevere can use most AV
scanner’s real-time scanners. This is a
generic choice, listed at the bottom, and
works for nearly all AV Vendors
How to choose?
Command Line Integrations
Thoroughly tested over the last 5 years in Guinevere
Generally provide more information (such as a Virus Scan log) to the administrator.
Some of these integrations (McAfee, Norton) support cleaning of the virus file as well.
Some vendors do not support these or support them poorly.
More performance and memory intensive.
Requires the Real-Time scanner to be off entirely, or at least to exclude the C:\guin3 directory and subdirectories.
(The Guinevere 1 requirement to exclude the TEMP directory no longer applies)
UniversalAV
Supports the Real-time scanner for most products
Very low memory/performance overhead.
Little direct feedback available via e-mail notification to administrator (no virus scan log). However, many AV Vendors
offer their own built in e-mail/SNMP notify option for their real-time scanner for just this purpose.
Requires the Real-Time scanner to be on, excluding the C:\guin3 directory and subdirectories, and some very specific
and sometimes tricky configuration steps, outlined in the technical notes for UniversalAV.
If misconfigured, can be very problematic to diagnose, because one of the common steps is to disable all alert
messages.
Copyright © 2005 - All rights reserved.
9
Guinevere 3
Select the integration that you want to use and the Windows platform that Guinevere is running on (this
should be automatically detected). A file, VIRTHRD.BAT will be generated and placed in the Guinevere
application directory. This file is the heart of all scanning operations – it is invoked by Guinevere to check
the status of all messages being scanned, and contains the code to run the virus scanner and get positive
and negative feedback from it.
Choose platform
Administrators must then choose both the preferred AV software and identify which platform Guinevere
uses:
Windows 9x/ME
Windows NT/2000/XP/2003
Clicking Cancel stops the installation process without making any changes to your system. Or, click Next
to continue. You may also receive a caution during this process warning that the VIRTHRD.BAT file will be
overwritten.
Step 2
Technical notes will be displayed to help administrators ensure that Guinevere is properly configured.
These notes can be printed for reference. Click Previous to return to step 1, or Next to proceed. Clicking
Cancel halts the installation process.
Ninety per cent of the problems reported with Guinevere are related to not reading the technical notes! There are
specific AV vendor notes in the appendices for both Command Line integrations and UniversalAV. The technical notes
provided in the Configuration Program, however, may be newer.
Copyright © 2005 - All rights reserved.
10
Guinevere 3
Step 3
Select your AV integration type: Command Line or Universal AV. Unavailable options will be greyed-out.
The preferred option is selected
for you automatically.
It is important when using
command line scanners to properly
configure the PATH variable to
include the path of the anti-virus
program.
With Windows 9x/ME, this variable is stored in AUTOEXEC.BAT and requires a reboot to take effect. With
Windows 2000/NT/XP/2003, this variable is set in the Control Panel/System (Environmental Variables).
Click Previous to return to step 2, or Next to proceed. Clicking Cancel halts the installation process. You
will be reminded that the command line scanner and all auxiliary files must either be copied to the
Guinevere installation directory or (very preferably) to some other directory to which the path is pointing.
Please take the time to set this now.
You can this it by typing the name of the AV scanner executable from a DOS box.
Copyright © 2005 - All rights reserved.
11
Guinevere 3
Step 4
The next step in the Guinevere installation process is to configure the GWIA so that Guinevere can
interdict files. An informational screen
follows. It details the basic requirements for
setting up Guinevere.
A GroupWise system of 5.2 or better
A Windows workstation using 95 or better
for Guinevere
A desktop anti-virus product
Ensure drive letters have been mapped to
the GWIA gateway have loaded and that
the domain database is assigned. (Ie, only
the domain to which the GWIA gateway
has been assigned. Check this in NWADMIN
using the GroupWise View.) Generally,
one server performs both these duties.
Important – Set these drive letters to
reconnect permanently.
Ensure that these conditions have been met,
then click Next to continue or Cancel to halt
the installation process leaving your settings unchanged. Previous returns you to the preceding step.
Step 5
Locate the GWIA.CFG.
Typically, this is in
Sys:System.
Note – Sometimes GroupWise
systems can end up with
multiple GWIA.CFG files. You
must ensure that the correct
file is chosen. If a search on
your server reveals multiple
GWIA.CFG files, test which
one is live by changing a
setting in
NWADMIN/ConsoleOne, and
seeing which one is updated
(see properties and look at
the date).
The Wizard is not always able
to convert the UNC path into
mapped drive format, in
which case you have to do so
manually. Clicking Next will continue. Cancel will halt the installation process leaving your settings
unchanged. Previous will return you to the preceding step.
Copyright © 2005 - All rights reserved.
12
Guinevere 3
Step 6
Locate directories needed by
Guinevere.
UNC GWIA root
Mapped GWIA root
UNC Services Root
Mapped Services Root
These files must remain
consistent during Guinevere’s
operation.
Click Next to continue or
Cancel to halt the installation
process leaving your settings
unchanged. The Previous
button returns you to the
preceding step.
Step 7
Clicking Next will continue the installation process by automatically configuring the Guinevere.ini and the
GWIA.CFG chosen earlier. To examine which files will be edited, click the Detailed Info button. Cancel
will halt the installation process leaving your settings unchanged. Clicking Previous returns you to the
preceding step.
Copyright © 2005 - All rights reserved.
13
Guinevere 3
Guinevere will then make the edits to your system that are needed. A results dialogue box will be
presented. Click OK to close it, then click Next to complete the installation process. Clicking Cancel here
halts the installation process at this point. Clicking Previous returns you to the preceding screen.
Step 8
Setting the
GroupWise
login
information is
the final step.
This is
required so
that
notifications can be
delivered. A dialogue box informing you of this will
be presented. Clicking OK will launch the Guinevere
configuration program and select the Notification
Disposition settings screen so you can set the log-in
information.
Note - A caution that Virus Scanning is currently off (the
default) is also included.
Virus Scanning Disabled By Default
By default, even after selecting an AV scanner integration, Virus Scanning is DISABLED in both directions.
(Consult the Virus Scanning section of the Configuration Program).
The reason is it should be verified that the mail flow has been set up correctly, before actually start
scanning for viruses! It is best to just run a test of incoming and outgoing messages with virtually no
special options on first.
Attachment blocking and the SpamAssassin integration actually require virus scanning to be on (although a
“null integration” can be selected, in which no actual scanning is performed). Hence, a polite warning
about this will be presented if you exit the Configuration Program with one of these options on, and virus
scanning off.
It is worth understanding the terminology:
GWIA Directory - The directory where GWIA was installed by default. GWIA should already be installed and this
directory should already exist. By default this is located at <yourgwdomain>\WPGATE\GWIA. For Remote GWIA
installations, things can be a little more complicated, but the Location of Files wizard should be able to logic it out. It
should be one directory level above the SEND, RECEIVE, RESULTS, and DEFER subdirectories.
The correct configuration of this parameter is absolutely critical for proper function of Guinevere.
SMTP Services Directory - This is a directory that GWIA will use for moving information between Guinevere and GWIA. It
does not exist by default; it is created by the Location of Files Wizard. The wizard will suggest a location of
<yourgwdomain>\WPGATE\GWIA\THIRD by default (one below your GWIA directory). You may override this (although
generally this is not recommended) but keep in mind the location MUST be on the network, in a location the GWIA
daemon can log into.
Copyright © 2005 - All rights reserved.
14
Guinevere 3
Creating the Service Directory
This step requires that the GWIA be exited and restarted. You may therefore wish to wait until a time
that your users are less likely to be using the GWIA.
Setting necessary information in NWADMIN/ConsoleOne
This step has already been done for you, if you used the Location of Files wizard.
Restarting the GWIA
Before restarting the GWIA, take the time to verify that the Location of Files wizard has correctly created
the service directory (THIRD). GWIA will not do this automatically and all mail processing will stop if this
directory does not exist.
For the GWIA to see the changes the Location of Files wizard made to GWIA.CFG to set up the Services Directory, GWIA
must be restarted. Begin by quickly verifying that the Services directory has been correctly created. Now exit and
restart the GWIA. This is typically done by at the server GWIA is running on, switching to the GWIA screen, and pressing
F7. The GWIA should unload quickly. Reload the GWIA by typing "GWIA" at the server prompt.
Note that this is necessary even with GroupWise 5.5, and occasionally even with 6.0. Although GWIA 5.5/6.0 is
supposed to automatically restart after a configuration change (GWIA 5.2 does not), it nonetheless fails to load the
new configuration correctly. To resolve this issue, unload/reload the GWIA.
Verify that the GWIA has automatically created the following subdirectories underneath the service directory: SEND,
RECEIVE, And RESULT. If it has not, repeat your actions in this section carefully. Remember that the service directory
must already be created; GWIA will not do this.
Completing Your Configuration
Configure Guinevere according to your specifications. It is best to start with Virus Scanning off (this is the
default), and just test basic mail flow. Once the mail is operating, add and test virus scanning. Then
Attachment Blocking and other features as needed.
As with any complex system, test each adds variable. A basic description of a good testing regimen follows.
It is highly recommended that the SEND, RECEIVE, and RESULT subdirectories under both the SMTP Service Directory
and the GWIA directory be marked PURGEABLE (this is a Netware file attribute, settable in
NWADMIN/ConsoleOne/Explorer).
In fact, Novell generally recommends that all GroupWise directories and subdirectories be marked purgeable. (See
Novell’s TID on GroupWise Scalability)
Note for Windows 95/98/98SE/ME Users
When DOS boxes, such as VIRTHRD.BAT (often used for virus scanning) are launched in Windows
95/98/ME, Windows may "slow down" DOS programs running in the background, or not closing the DOS box
upon termination. This is not an issue in Windows NT/2000/XP. To solve these issues:
Launch the Windows Explorer. Navigate to the Guinevere application directory (Normally in C:\Guinevere). Make sure
the application directory is selected on the left pane.
Pull down the File menu and choose New/Shortcut. Point the New Shortcut at VIRTHRD.BAT, which should be located in
the Guinevere application directory. Name the shortcut "bVIRTHRD". Make certain this shortcut is being created in the
Guinevere application directory.
Right-click the shortcut and choose Properties. Ensure the following properties are set:
o
Program tab – The Close on Exit should be checked off.
o
Misc. tab - Allow screen saver and Always suspend should be unchecked. Also, the Idle Sensitivity slider
should be moved all the way to the left, under Low
Guinevere will automatically recognize this file and use it to launch VIRTHRD.BAT. If it does not exist,
Guinevere will launch VIRTHRD.BAT directly.
Copyright © 2005 - All rights reserved.
15
Guinevere 3
The Request Support Wizard
Guinevere has a Request
Support Wizard. This feature
will make it easy for you to
communicate with our support
team.
Click the Request Support
button to begin the process.
You may cancel the request for
support at any time.
The more information you
provide in the request, the
more quickly your support
caller will have the answers to
your problem. In some
instances, our support team
may first try to solve the issue
by recreating it on a test
machine.
The first screen is
informational. It explains the
request support process: These
are to compose a request,
attach files if necessary, and the store the generated result in a password protected archive.
The auto-generated password is always “help”.
The result may be sent to Guinevere manually or by auto-mailing GroupWise. Alternatively, you can send
an e-mail to Guinevere directly at support@gwava.com. You must allow password protected zip files to
exit via your admin mail account for this to reach support.
(Note – To allow all outbound password protected zip files to, check the box "Ignore Outbound Password
Protected Files" under Exploits. Or, make a user exception for the Administrative account.)
Click Next to begin.
Stand alone launch
Guinevere does not have to be
operating to activate the
automatic Request Technical
Support system. It can be run
from the start menu.
Also, do remember to
participate in the on-line
support forum at
http://www.gwava.com/.
Copyright © 2005 - All rights reserved.
16
Guinevere 3
Step 1
The first Request Support screen is a contact information form. There are three sections:
Identification information
Configuration information
A Few Questions related to your network set-up
Your entries—-including items in the drop-down menus—will be stored for your convenience so the same
data does not have to be entered each time you wish to contact the Guinevere support team.
Identification Information
Enter the preferred Contact Name, Contact E-Mail, Contact Phone number and Organization name in the
first section.
Configuration
The Configuration portion is where you provide details about the environment in which your copy of
Guinevere operates. Please enter which GroupWise version and Service Pack are in use, what OS the MTA
and Guinevere are running on, and any OS Service Pack installed. There are also fields for you to identify
your CPU, the amount of RAM, the Guinevere version installed and your type of File System.
A Few Questions
The final section of this screen is where you answer a few questions about your Guinevere configuration.
Please tell us whether Guinevere is running local to the MTA, whether it is running local to the GroupWise
domain, whether there are no duplicate GWIA.CFG files, which AV Product is in use, and, if possible, the
version number. Tell us how your anti-virus product is used with the “And I Use” drop-down menu to its
right.
As well, please estimate your approximate mail volume per day. Add any Other Configuration-Related
information you believe would help us understand your set-up. Then, click Next to continue. Clicking
Cancel returns you to the About screen.
Copyright © 2005 - All rights reserved.
17
Guinevere 3
Step 2
The second page of the Request Support form has two sections. The top part is where you categorize your
request. The second is a blank field where you detail your request for support.
Categorizing Your Request
Three drop-down menus are provided to help us direct your request for support to the appropriate staff.
The Type menu has three request descriptions:
Information Request
Bug Report
Enhancement Request
The Regarding drop-down menu classifies your request into one of eight categories:
AV Scanning
Attachment Blocking
AntiRelay Protection
Mail Filtering/Forwarding
SpamAssassin
Archiving
Notification
Something Else
Copyright © 2005 - All rights reserved.
18
Guinevere 3
The Priority drop-down menu helps us prioritize your communication to us:
Not Terribly Important; Just Wondering
Of Some Importance
Pretty Important to us
Very Important to us
CRITICALLY important to us
Please provide as much information as possible in the text entry field. Does it affect all users or only a
specific subset of them? Is the trouble clearly related to a specific function? Did Guinevere function
correctly until recently? Can the error be replicated easily? How frequently does the problem occur?
Click Next once you have completed the form. Clicking Cancel returns
you to the About screen while the Previous button allows you to edit the
previous screen.
Copyright © 2005 - All rights reserved.
19
Guinevere 3
Step 3
Attach supporting documents.
This screen is where you choose which files will be appended to your request. For your convenience, two
checkboxes are on this screen to help you attach critical files that may help our support team diagnose
the difficulty. These are:
Guinevere.INI, VIRTHRD.BAT and all other base configuration files
Notification-related configuration files
Other Files to Include
Use the Add A File to the List button to attach any other documents to your request for support. This may
include log files or error messages. Click Next once you have completed the form. Clicking Cancel
returns you to the Guinevere Manager About screen while the Previous button allows you to edit the
previous screen.
Copyright © 2005 - All rights reserved.
20
Guinevere 3
Step 4
Confirm the request
This is the final step in the
Request Support function.
All the information in your
request for support is now
in a compressed archive in
the C:\GUIN directory.
There are three options:
Exit the Request
Support function
without e-mailing
the archive
E-Mail the archive
then delete it
automatically
E-Mail the archive
automatically
Clicking Next returns you
to the Guinevere
Configuration About
screen.
Another method of
launching
Note that Request Support can also be launched as an external executable, typically in \Program
Files\Guinevere\Request Technical Support.
Copyright © 2005 - All rights reserved.
21
Guinevere 3
Running Guinevere
Run Guinevere from the
Start/Programs menu.
Other command line switches
are also useful:
If you have enabled
Preserve Statistics on
Exit, but want to
force the statistics to
clear, /rstats will
accomplish this.
If you are running multiple
instances of Guinevere,
/allowmultiple permits this.
Step 1
Load Guinevere.
Step 2
Log into the network and load
the GroupWise client (or a
component thereof, such as
Desktop or Address Book) if email options have been
configured.
Step 3
Click the Start button on the
upper left of the Guinevere
main screen. Guinevere will
begin running.
Every few seconds, Guinevere
should switch from scanning
the RECEIVE queue to scanning
the SEND queue.
The statistics reported by Guinevere include files processed and files scanned, both sent and received.
Below that are statistics for file types. To zero these statistics, press the Reset Statistics button.
For unattended operation, place a shortcut of Guinevere under the STARTUP menu, with a command line
option of "/U". If you accept the default installation parameters, the command would be
C:\Guin3\.Guinevere will then start automatically after being loaded.
There is a new GroupWise Mailer log-on now in Guinevere’s Notification/Disposition screen that –once an
administration name and password have been entered- will automatically log Guinevere into GroupWise as
needed, so it is no longer necessary to load a GroupWise client component at startup (like it was for
Guinevere 1 or Guinevere 2.
Finally, it will be necessary to alter the Registry so both the Netware client and Windows log in
automatically. This is beyond the scope of this manual; see appropriate manufacturers. (Mostly because
the method is highly dependent upon the OS and client-version).
Copyright © 2005 - All rights reserved.
22
Guinevere 3
The Buttons
Start - Begins running Guinevere. When Guinevere begins running, this button will change its function and become a
Pause/Continue button .
Reload Configuration – You can select this to request a reload of the configuration files. When Guinevere has finished
processing a busy thread, it will reload the configuration. This means you can freely run the Configuration Program at
the same time as the main program; however changes will not take effect until Reload Configuration is clicked.
Exit - Finish processing threads and exit Guinevere.
Reset Statistics - Clears the informational values, resetting all counters to 0.
The Information
WGO - "What's Going On" - A status message box. Do not worry if you can't read everything - if Logging is turned on in
the Configure screen, everything in this field will be written to a text file.
Files Processed - All files processed, sent or received, regardless of whether they had file attachments or were
infected. Below and indented are the totals for sent and received messages.
Files Scanned - Files that were actually scanned for viruses, because file attachments were detected. The different
types of file attachments (MIME, UUENCODE, BINHEX) are broken down below this and should sum to a total equal to
Files Scanned. Below and indented are the totals for sent and received messages.
Infected - The number of files in which an infection was detected.
Oversize - If the "Enforce Incoming Mail Size Limit" option is selected in the Oversized Messages section of the
Configuration Program this will indicate the number of incoming messages that exceeded this limit.
Forward - Number of messages forwarded because a mail filter was triggered.
Archived - Number of messages archived because a mail filter was triggered.
Deleted - Number of messages deleted because a mail filter was triggered.
Blocked - Number of Messages blocked because Attachment Blocking was triggered.
Stripped – Messages stripped due to the STRIP filter.
Spam – Messages deleted because SpamAssassin marked them as Spam.
Internal Errors - Any type of program error that is trapped will add to this counter. Ideally, this remains zero; there
are no normal processes that add to this count. Check the Logging for more detail. See also the "Max Errors" parameter
discussed under Advanced Tuning.
3P – If using 3rd party partner products, this indicates how often they are triggered.
Up At - The date and time Guinevere began running.
Reset At – Indicates when Reset Statistics was last pressed.
At the bottom of the screen, if logging is enabled, the current log file path is shown. Double-clicking on
the path automatically loads a copy of the log file for your perusal.
Stopping Guinevere
There are two ways to stop Guinevere.
One is to click the Exit button. Guinevere will shut down as soon as all busy threads are
completed.
The second is to create a file called STOPGW.CMD in the Status directory. (The file contents do not
matter). Guinevere will shut down automatically. This feature is provided so scheduled shutdown and
startup of Guinevere is possible.
The evaluation version of Guinevere
Please visit the Beginfinite web site to activate your evaluation copy of Guinevere. This is fully functional,
using the same code as the full version of Guinevere, but differs from the final version in one way:
After 30 days, Guinevere will enter “bypass mode” – all filtering/ scanning/ signature/ blocking functions will be
disabled, and mail will simply be “passed through”
After purchasing Guinevere, customers receive instructions in e-mail explaining how to convert Guinevere to a full
copy. Users will not have to reinstall Guinevere.
Copyright © 2005 - All rights reserved.
23
Guinevere 3
Known Issues with Guinevere
Messages with the mime type message/partial will not be properly put together, and therefore will never be flagged as
infected. Since GroupWise never produces these files as outgoing messages and the GWIA cannot handle this message
type for incoming messages anyway, this should not be a critical issue.
Incoming files containing nested multipart messages (one with multiple boundaries) where the first mime body part
defines the next boundary will be truncated at the first body part if infected/blocked. Please note that normal
multipart messages have only one boundary. This is exceedingly rare, and tends to occur in coincidence with a
message/rfc822 type. As of 1.0.13, the algorithm has been greatly improved, and this occurrence is even more
unlikely.
Uninstalling Guinevere
Stop Guinevere from running at its workstation
(optional) Choose Guinevere from the Add/Remove Programs icon in the Control Panel, and uninstall the main
program. This is just to remove the Guinevere files from the workstation; it is not needed to restore the GWIA back to
normal mail flow.
Open GWIA.CFG and remove the /SMTPHOME switch.
Save GWIA.CFG, and exit and restart GWIA.
The GWIA should now function in the same manner as prior to Guinevere's installation.
Internet RFCs
Guinevere uses the following Internet standards to guide it through processing and interpreting e-mail.
RFC 2821 (formerly RFC 821) - SMTP protocol
RFC 2822 (formerly RFC 822) - Basic message and header formatting
RFC 2045-2049 - MIME structure and encoding
RFC 2298 - MDN (Message Disposition Notification)
RFC 2183 - Content-Disposition Header
RFC 1137 - Experimental RFC on character mapping
RFC 2257 - Compound HTML
RFC 2387 - Multipart/Related
RFC 184 - Signed/Encrypted E-mail
Note that the forced text wrapping option violates most of these. Please check these first before
commenting on the format of a message. There are links to them from http://www.ietf.org/.
Copyright © 2005 - All rights reserved.
24
Guinevere 3
Testing Guinevere
Step 1
Send several messages to an account on the Internet that you can check (such as a Web-based e-mail
service). Some messages should have one or more file attachments.
Step 2
You must verify that the messages are received and that Guinevere's main screen displays correctly. Log
into the Web-based e-mail service and send test messages the other way.
It is important to verify that the virus scanning portion of Guinevere is running correctly. To test this, add
this line to the top of VIRTHRD.BAT:
SET TEST=ON
When the virus scan is launched, you will be able see everything going on, and VIRTHRD will pause
repeatedly for user input.
Verify that no error messages have been generated (such as unknown file or command, which would imply
that the command line scanner was installed incorrectly).
Step 3
If an infected file to test Guinevere is available for testing, use it now by attaching it to a message. For
your convenience, a file called EICAR.ZIP is included in your application directory. If you unzip this file
three times, the final file to emerge will be called EICAR.COM.
This is a very special file, used by anti-virus vendors as a test of their product. Although it does not
actually contain a virus, nearly every Antivirus product will flag this file as infected. (Only one exception
to this has been found: Proland.) You can use this file to safely test Guinevere. (The file is zipped three
times to avoid detection during installation). The file may also be downloaded from http://www.eicar.org
Step 4
Remove the SET TEST=ON line from VIRTHRD.BAT before commencing daily operation of Guinevere.
Copyright © 2005 - All rights reserved.
25
Guinevere 3
Configuring Guinevere
The Configuration Program may be run at any time, even when the main program is running. Run it by
selecting Guinevere Configuration from the Start menu. After changing the configuration, Guinevere can
be forced to reload the configuration dynamically, by clicking Reload Configuration on the main screen.
About
The About screen is the default page of the Guinevere Configuration program.
From this screen, Guinevere administrators can determine which version of Guinevere is installed, change
or upgrade licensing information, request billing and technical support. For more information about
requesting technical support, read about our technical support wizard elsewhere in this manual.
At the bottom of every screen in the Guinevere configuration program are two buttons. Clicking OK saves
your edits to the settings while Cancel will close the program without saving any of your changes.
Guinterface
Guinterface (www.guinterface.com) is a web-based front end enabling you to administer Guinevere and
GWAVA blocked messages from anywhere in the world. Guinterface makes handling your blocked
messages easy by acting as a front end for these processes. It shows you the message information and
then allows you to quickly preview, save, delete or release it. Instead of spending hours dealing with
blocked messages you will now spend minutes. Guinterface does all the hard work for you and frees your
time for more productive work:
Delete or release Guinevere and GWAVA
blocked messages
Quick search for important messages
Compile statistics on blocked messages
Enable my users to handle their own blocked
email
View attachments of blocked messages
Manage undeliverable email (5.x GWIA Only)
Do all of the above from any location with
Web front-end
Copyright © 2005 - All rights reserved.
26
Guinevere 3
License
Click the Change Licensing button when you receive your final license (or evaluation license extension).
This will check the license file for validity and modify the configuration file appropriately.
Remember: Copy and paste!
We cannot advise strongly enough that administrators copy and paste the case sensitive license key and
code as sent by GWAVA licensing. Retyping risks errors. One wrong character will cause your installation
of Guinevere to time out in 30 days and revert to demo mode.
You may also copy the contents of the zipped, thereg.txt document sent by Licensing and paste it directly
into the top of the Guinevere.ini file found in your C:\guin3 directory. Save the Guinevere.ini and re-start
Guinevere.
Tip! When you enter your license key and code, enter a reminder in your electronic calendar 30 days
hence. One month from now, if your Guinevere installation enters bypass mode, you will be able to
diagnose the problem quickly.
Copyright © 2005 - All rights reserved.
27
Guinevere 3
Virus Scanning
This screen is where Guinevere administrators may enable or disable virus scanning, select an anti-virus
integration, and adjust UniversalAV parameters. For more information about Universal AV options, see the
appendices.
Do not scan for viruses in incoming
messages
When selected, Guinevere does not scan incoming messages for viruses. This is the DEFAULT when you
first install Guinevere. This setting is useful when testing mail flow to verify that GWIA is passing files
back and forth correctly.
Do not scan for viruses in outgoing messages
Guinevere does not scan incoming messages for viruses by
default. The reason this is the DEFAULT when you first
install Guinevere is to allow you to test mail flow and verify that GWIA is passing files back and forth
correctly.
UniversalAV options
Base Delay - Always wait at this many seconds before assuming the scan is done.
Incremental Delay per MB - Add this many seconds per MB of files total additional delay time.
Copyright © 2005 - All rights reserved.
28
Guinevere 3
Select your AV Program
This button allows you to regenerate VIRTHRD.BAT, by selecting a new virus
integration. This is identical to the step in the installation section where a
command line integration or
UniversalAV was selected.
You’ll note that your
current selection is
displayed.
Clicking Next will restart
the AV selection process.
For details about this, see
the installation portion of
the Guinevere
documentation.
What happens when
a virus is detected
The Infected
counter on the
main Guinevere
screen is updated
The message is
stripped of
attachments
Depending on your
settings in the Notification/Disposition Section of the Configuration Program, messages may be sent to the
Administrator, the recipient, and/or the sender.
Technical notes
Ninety per cent of the problems reported with Guinevere are related to not reading the technical notes!
There are specific AV vendor notes in the appendices for both Command Line integrations and
UniversalAV. The technical notes provided in the Configuration Program, however, may be newer.
Copyright © 2005 - All rights reserved.
29
Guinevere 3
Attachment Blocking
This is where you can prevent specific filenames or extensions or file types from entering and exiting your
e-mail system. Many common viruses contain extensions, such as .EXE, .COM, .PIF, .etc. (You can find an
inspirational list in BLOCKIT.SMP in the Guinevere install directory).
There are two tabs on this screen. The default is the General tab, which activates or deactivates
attachment blocking; and is used to Add, Edit and Remove the list of blocks. Note that user exceptions to
the Attachment Blocking rules can be configured in the User Exception section of the Configuration
Program.
Outbound and Inbound can be activated separately
To enable attachment blocking, click the Outbound Attachment Blocking or Inbound Attachment
Blocking checkboxes. Once either of
these is chosen, the Dynamically
Create Blockit.Bat with these settings
when configuration is
saved will highlight and
can be selected if
needed.
BLOCKIT.BAT
This is selected by default. When enabled, a batch file called BLOCKIT.BAT is created when exiting the
Configuration Program. This file contains all of the blocking logic for the Restricted Attachments. If it is
disabled, none of the changes made to the Restricted Attachment List will be saved.
Copyright © 2005 - All rights reserved.
30
Guinevere 3
The reason this is optional: experienced Guinevere users can gain more flexibility by manually editing
BLOCKIT.BAT. For example, the default message the user receives for an EXE for is:
.EXE file attachment detected and blocked
These messages are part of BLOCKIT.BAT and can be customized. Also, you JIM and TPB handlers can be
combined for specific effect.
What Happens When an Attachment is Blocked
The BLOCKED display on the main screen will increase for each message file blocked.
If a DEL handler is being used, the message will be deleted.
If you are using a TPB handler, instead of the JIM handler, the attachments will be stripped off the file, and the
recipient will receive a notice that the system administrator blocked the file. The message will identify what
attachment was blocked. The message is fully customizable.
If you are using a JIM handler, not only will the recipient receive a message, but the Administrator and the Sender
might also receive notice of the blocked files, depending on what has been set in the Notification/Disposition screen of
the Configuration Program. An advanced user might use the Advanced JIM Notification section to override specific
items from the Notification screen.
Add/Edit Pattern Blocking
Step 1
To add or edit a pattern
for blocking, begin by
enabling either the
inbound or outbound
attachment blocking
check boxes at the top of
the Attachment Blocking
configuration screen.
Step 2
Click the Add button to
create a new attachment
blocking filter.
Step 3
Enter the pattern blocking
file name or extension
type in the Pattern Field.
Asterisks and question marks may be used as wildcards. (Note that full pattern matching is not supported.
This is an exception to virtually everywhere else in the Guinevere Configuration Program. Treat the
wildcard capability just like it works in a DOS prompt: it is identical, as it runs in a batch file.)
You must then select the notification behavior that best suits your needs from the drop-down menu.
There are three options:
JIM – Notify everyone using Notification/Disposition settings
TPB – Notify no-one. Deliver the message stripped of attachments.
DEL – Notify no-one. Do not deliver the message
Removing Attachment Blocking
Choose the rule from the list of customized filters in Attachment Blocking screen of the Guinevere
Configuration program. Once it is highlighted, click the Remove button. The selected rule will be deleted
without confirmation.
Copyright © 2005 - All rights reserved.
31
Guinevere 3
Override notification
This tab in the Attachment Blocking screen is used to configure the notifications associated with
attachment blocks. At this screen one sets whether the message is passed to the recipient, and whether
administrators and senders are alerted about blocks. These are configured individually by means of
separate drop down menus, each with the following options:
Does the recipient get the message?
As configured in the Notification/Disposition settings
Always preserve the text message and strip attachments
Always delete the message entirely.
Notify Administrator(s)?
As configured in the Notification/Disposition settings
Never e-mail the administrator(s)
Always e-mail the administrator(s)
Notify sender?
As configured in the Notification/Disposition settings
Never e-mail the sender
Always e-mail the sender
Copyright © 2005 - All rights reserved.
32
Guinevere 3
Fingerprinting
Guinevere offers fingerprinting: this technology identifies files which may have had their extensions
changed in order to evade security processes.
Differences between Fingerprinting and Attachment
Blocking
Fingerprinting is similar to, but different from Attachment Blocking. The simplest way to explain it:
Attachment Blocking = block by file name, and Fingerprinting = block by file format. An attachment block
for *PIF would only block a PIF file that has an extension of PIF, like test.pif. If you were to rename
test.pif to test.123 the attachment would not be blocked. Fingerprinting ignores the file name and
extension and concentrates on the file format, so a renamed PIF file like test.123 could not slip past
Guinevere’s Fingerprinting.
To enable fingerprinting, click the Outbound Fingerprinting or Inbound boxes in the Fingerprinting
window. These can be configured separately.
You have several options when enabling fingerprinting. Skip Files With a TXT extension will ignore all
files with a .txt extension regardless of what the file really is. Below this
is a drop down menu with three general options for blocking:
Block all forms of DOS and Windows executables
Block selected list below. Guess a little (Do subclass by extension)
Block selected list below, don’t guess much
The first option is a blanket blocking of all executables, but not document types. The second and third
options are user selectable lists of file types that can be blocked. To exempt users from the
Fingerprinting rules, please use the Exceptions feature of the Guinevere configuration program.
Copyright © 2005 - All rights reserved.
33
Guinevere 3
Notification Override
There are three notification options for fingerprinted files. These are chosen from the drop down menu
provided:
Notify no-one. Do not deliver the
message
Notify no-one. Deliver message stripped
of attachments
Notify everyone using
Notification/Disposition settings.
There are some negatives to using Fingerprinting
It exacts a performance toll, as now it opens and examines each file, instead of just the filenames.
There is a small chance of a false positive.
For these reasons, before implementing Fingerprinting, Guinevere administrators are urged to read and
mull over the contents of the Fingerprinting appendix. It goes into detail about the pros and cons,
describes how the basic algorithm works, and discusses the different configuration options available.
Corrupted Zip files
Guinevere can fingerprint and block corrupted zip archives, but the control for deletion of such files is in
the Exploits screen of the Guinevere configuration program.
Copyright © 2005 - All rights reserved.
34
Guinevere 3
Exploits
Many of Guinevere’s security configuration options have been collected onto this single screen. This will
make it easier for administrators to set up or view Guinevere’s security settings at a glance. Both the
fingerprinting and decompression engine (see the Miscellaneous section of the Guinevere configuration
program,) also provide options for common security vulnerabilities and exploits.
Remember - Exploit protection only operates in the direction for which attachment blocking have been
turned on.
Configuration options
The CLSID vulnerability allows a destructive executable or script to hide behind an innocuous file name,
such as .txt. With this exploit, can be named with its CLSID (a 32-byte number kept in the registry). The
extension will be invisible, but it will execute! And the extension is invisible, regardless of the Explorer
setting.
Enable the Block CLSID Exploit checkbox to prevent this particular
vulnerability from penetrating Guinevere to attack your systems.
The CLSID blocker is very “trigger happy”. It looks for patterns such as “*.{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx}*”, where x = any hexadecimal digit (0-9, and A-F). Such file names rather unlikely to be
entered by accident.
Copyright © 2005 - All rights reserved.
35
Guinevere 3
Automatically Block Attachments with Double Extensions
Many virus writers try tricking users
into opening the virus by making
them believe the attachment is a
benign file type.
Virus writers often use a file name
like “SAFETOOPEN.TXT.EXE”. By
default, Windows machines are set
to hide extensions. (This is something IT departments might want to consider changing.) So the user sees
“SAFETOOPEN.TXT”, double clicks it, and their computer is infected.
Automatically block attachments with double extensions blocks attachments with double extensions, it
assumes that if there is a period followed by 2-4 characters followed by another period, followed by 2-4
characters, it is a “double-extension”. The last extension must be “near” the end of the filename.
The Ignore Numeric Extensions checkbox tells Guinevere to ignore files such as “Meeting.12.DOC” or
“Important.12.95.98.EXE”. It is intended to reduce false positives. Activate it by clicking the checkbox on
the Attachment Blocking screen in the Guinevere Configuration Program.
A caveat with the Allow User Exceptions to apply to Double Extensions feature is the presence of any
attachment blocking exception will match if user is in TO/FROM, regardless of pattern.(eg *.JPG acts as
an exception). In general, double extension blocking is designed to be a bit “trigger happy” and while this
option can be used to ameliorate that, it should be used with care as it can have an impact on
performance.
Block Zip/RAR files that are password protected
Guinevere can block
files that are stored
as ZIP or RAR
password-protected
archives through the
support of the internal decompression engine. To enable this, check the Block ZIP/RAR files that are
password-protected checkbox. An option closely related to this feature is the Ignore outbound password
protected files checkbox.
Note that in the event of an internal infection during a virus outbreak, you may wish to turn this off so
that outbound archives are scanned. While this may prove resource intensive, additional steps to ensure
customers and contacts are not infected by users on your network makes business sense.
To Block Zip files that are
corrupted, enable the corresponding
checkbox. This option requires the
support of Guinevere’s internal decompression engine.
Copyright © 2005 - All rights reserved.
36
Guinevere 3
Mail filtering
In general, the interface is straightforward –a list of currently active filters, that can be added to, edited
or removed.
Use Mail Filtering to perform special actions upon messages with specific criterion. You can filter by
From, To, and Subject. Mail filtering can be configured with specific user exceptions to the Mail Filters in
the User Exceptions section of the Configuration Program.
Common uses for Mail Filtering
A user is no longer at your firm and was subscribed to many mailing lists. As postmaster, you receive piles of these
undeliverable messages everyday and most mailing lists are difficult to unsubscribe from (many require that you log
onto a web page with a specific cookie, or have unresponsive list masters).
You believe a user is abusing your e-mail system and wish to investigate.
You do not want to receive e-mail from a known spam source anymore.
Blocking messages to a user who no longer exists
Auto-replying to let folks know an address has changed.
Monitoring a user’s e-mail
Forwarding messages for a user who is no longer at the company
Be aware of the following restrictions of Mail Filtering
If the message matches two or more criteria, only the first filter will be applied.
From and subject filters have priority over a competing To filter applied to the same message.
Copyright © 2005 - All rights reserved.
37
Guinevere 3
Activate Mail Filters
Selecting the Activate Mail Filters checkbox makes Guinevere actually look use your
list of filters. If it is off, none of the filters will be applied. This option is off by
default.
Creating a Filter
Click the Add button to create a new
mail filtration rule. If you wish to
create a filter, enter the information
below as needed:
Rule Name: (A mnemonic device,
currently used only in the
Configuration Program). Choose
a plain English, descriptive name
that will be easily understood by
other members of your IT team.
To Find: A pattern to match
against the address or subject,
which may contain wildcards,
and is not case-sensitive.
Whether to match the pattern
against the MAIL FROM, RCPT TO,
or SUBJECT fields.
Whether the filter applies to
Inbound messages.
Whether the filter applies to
Outbound messages
One of more actions to be
applied when the rule is
triggered (see below)
Click OK when your new rule has been
created to return to the Mail Filtering screen of the Guinevere Configuration Program.
Mail Filtering Actions
The actions that can be applied are:
Archive – Save a copy of the message to the Archive Directories.
Delete – Delete the message
Strip – Remove attachments from the message.
Forward To – Forward to a specified address. The address must be in Internet format, and you must support native
user@domain internet addressing. The original message will be destroyed (recipient will not receive it).
CC To – Identical to Forward action, except it’s just a copy. (The original message is untouched, and will be delivered
normally).
Reply Using – Use a specified text file (full path required, including filename) as the basis for a generated auto-reply.
The original message will be destroyed.
These actions can be combined with the Archive action – for example, you can select both the Delete and
Archive action. For the most part, these actions are self-explanatory. Each of these when triggered alters
the appropriate counter on the main Guinevere screen.
Forwarded/Carbon Copied messages are handled in a roundabout way, because of some spoofing
protection built into the GWIA. A dummy message is generated from your post office, enters Guinevere,
which substitutes in the appropriate message.
Copyright © 2005 - All rights reserved.
38
Guinevere 3
Advanced Options
There are advanced options for Mail Filtering. Click the Advanced options button on the Mail Filtering
screen of the Guinevere Configuration program to begin configuring them. Advanced options include:
How should FROM matching work?
Automatically delete relay messages that do not have a RCPT TO including…
How should forwarded messages be treated?
Forwarded messages should have this subject
Prevent Forward and CC filters from creating a loop
Allow multiple delete rules to fire against the same the same message
Normally, Guinevere checks the patterns in MAIL FROM filters against the MAIL FROM field. (This field is
removed by GroupWise). This is usually the most reliable field against which to check. However,
spammers have realized that it is 100 per cent legal according to the SMTP RFC to leave this field blank,
leaving only the regular FROM field (the one visible in the GroupWise client) as a possible match.
Therefore, Guinevere administrators
can choose here to match against the
MAIL FROM or both the MAIL FROM
and FROM fields in the drop-down
menu provided on this screen.
Copyright © 2005 - All rights reserved.
39
Guinevere 3
Automatically delete relay messages that do not have an RCPT TO including
This is basic anti-relay
protection. By definition, a relay
is an attempt for someone to
deliver mail using your GWIA to a domain not under your control.
GroupWise 6 users have the luxury of greatly improved anti-relay protection built-into the GWIA. It denies relaying
right where it should – at the daemon level.
GroupWise 5.x users are not so lucky. Even if they have Relay off (and they should) in ACCESS CONTROL in the GWIA
object, messages will be accepted, clog the message store, and be delivered to the administrator.
This feature can help. If turned on, no messages that are not being delivered directly to the domain
specified on the right (yes, you can use pattern matching) will get through. In fact, a delete filter will be
auto generated for them.
Enter a comma-delimited list (no spaces) of the patterns that that must be matched. This is not a
panacea. If there are POP3/IMAP4 users who use your GWIA to relay, their messages are not going to be
delivered either.
Regardless this feature is outstandingly useful as a temporary measure if there is a sudden need to survive
a flood of spam attempts against a GWIA.
How should forwarded messages be treated?
Forwarded and Carbon Copied messages can appear in several different formats to the recipient of the
message:
Forward messages as encapsulated attachments. (the default) – each forwarded message looks like a forwarded
message. The FROM/TO are still there, but you have to open the encapsulated message.
Forward messages inline, preserving FROM – Here the message structure is totally preserved, but the TO is lost (except
for a new header X-Apparently-To)
Forward messages inline, preserving FROM/TO – The message pretty much looks as the original recipient would have
seen it.
It might seem like a “no-brainer” to choose the last option, but a fair amount of e-mail services
sometimes reject these mails, because they appear to be forged; hence the need for many options to help
Guinevere administrators.
Prevent Forward and CC Filters from creating a loop
Imagine you have a forward filter that forwards all incoming messages (address match:
*@yourcompany.com) to monitor@yourcompany.com. Problems can result when the message is mailed to
monitor@yourcompany.com, that in itself, would normally trigger the rule again, creating an infinite
loop.
This option, located in the Advanced Options in the Mail Filtering section of the Guinevere Configuration
program, prevents that. Rules will fire on that message only once, and if it is forwarded through
Guinevere again, it will not trigger another Forward filter. It is off by default.
Copyright © 2005 - All rights reserved.
40
Guinevere 3
Allow Multiple DELETE rules to fire…
Normally, single messages have single
recipients 90 per cent of the time. When a
delete filter fires on that type of message, it deletes the message
alone. With multiple recipients for a single message, the matter gets
complicated – should Guinevere delete it for all recipients, or only for
the ones who have fired the rules?
By default, this feature, found in the Advanced Options of the Mail
Filtering section of the Guinevere configuration program, is off;
therefore Guinevere will only delete the first recipient for a message
even if multiple deletes would normally occur. Turning this on, allows
multiple deletes.
Although it is admittedly a bit confusing, there is an important
distinction between this option and the Prevent Forward option. This
option refers to how many fires of the rules are permitted on a single
message at that moment in time. The other option prevents rules from
firing if the message makes a round trip (effectively becoming a
different message) through the GWIA.
Worth Noting
In GroupWise 6, messages addressed to users who no longer exist are
automatically rejected at the gateway level. This removes a big burden from administrators.
However, it introduces question: what if you want to forward mail for them for a while or offer an autoreply? The answer is to temporarily add their mailbox id as a nickname to an existing account. The
interface for Mail Filtering has changed considerably from Guinevere 1. It has been streamlined and made
considerably more user friendly. Unfortunately, however, this means filters from Guinevere 1 must be reentered– there is no way provided to migrate these.
Copyright © 2005 - All rights reserved.
41
Guinevere 3
SpamAssassin
Guinevere provides integration with one of the best (and free) utilities in the world to find spam – Spam
Assassin. This product was developed on Unix, but it works on Win32 – with some modifications, all of
which are fully described in the installation documents.
SpamAssassin is truly wonderful. It applies about 800 rules, mostly text checks, but also RBL lookups, DNS
checks, and other sophisticated algorithms to every e-mail passing through it. It totals up the score from
each of piece of e-mail. If the sum exceeds a pre-defined threshold, SpamAssassin marks the messages as
spam.
Please remember
SpamAssassin requires Windows NT/2000/XP/2003. Do not try to run this on Win9x/ME.
Test carefully with a predefined sample of archived messages. Beginfinite offers its users support with
integrating Guinevere with SpamAssassin; however some SpamAssassin issues are beyond the scope of
integration. In these cases you’ll be directed to the SA-Talk mailing list.
Note: A free Windows GUI utility for configuring SpamAssassin is now at http://www.openhandhome.com/saconf.html
Copyright © 2005 - All rights reserved.
42
Guinevere 3
Spam Assassin Overview
When SpamAssassin is enabled by clicking the Activate SpamAssassin ™
checkbox at the top of the screen, Guinevere will pass incoming e-mail
to SpamAssassin for analysis. This feature is not activated by default.
It was observed during beta testing that the most common false positives are from mailing lists. Not too
surprising, because many of them teeter on being spam to begin with. Add (some of) these to your
whitelists (term used in SpamAssassin to mean addresses that are marked as never being sources of spam)
in LOCAL.CF.
Do not turn this on until SpamAssassin is both installed and fully tested!
Instructions are fully provided for how to run SpamAssassin manually on sample message files. Test with a
goodly sample first! A common issue reported during beta testing was “it marks everything as spam” – this
was always due to a faulty installation of SpamAssassin, but indicates why administrators want to test this
carefully first before activating it.
Which SpamAassassin? Built in or External?
This drop-down menu has two options: Use Built-in SpamAssassin or Use External SpamAssassin. Choose
the SpamAssassin installation that will be employed. External
SpamAssassin set-ups have certain benefits, but require
expertise to construct and maintain, as well as additional
CPU and RAM. The suggested selection is therefore Use BuiltIn SpamAssassin.
Scan only inbound messages that are less than ....
There are two reasons why Guinevere is not set to scan all incoming messages:
An enormous toll on performance for large messages. Every message is read and re-read multiple times.
More than 90 per cent of spam is small, between 3-18K.
The initial cutoff is set at 25,000 bytes. It can be changed here, but caution is advised.
Send Administrator Spam
Report
If this is enabled, each message flagged as spam will be sent to the inbound administrator mailbox
(specified in the Notification/Disposition section). The attachment will include SpamAssassin’s marked up
report, so administrators will be able to see exactly why SpamAssassin determined the message was spam.
This is great for diagnostics, but for efficiency, it is not advised that this be left on long. Also, the
Administrator must be a GroupWise mailbox address, not an Internet Address.
Copyright © 2005 - All rights reserved.
43
Guinevere 3
SCS
If this feature is enabled, all mail marked as spam, from “valid seeming” mailing addresses is stored for
24 hours in a series of subdirectories. The sender is sent a message prompting to return a message back
including a special code (which changes every hour). The boilerplate for the message, like all templates,
is in the MSG subdirectory.
If they do respond, their original message is delivered, and they are added to a special whitelist. Mail that
is not confirmed is deleted within 24 hours. Note that the Rules Store for SCS is defined in the location of
files screen of the Guinevere configuration screen.
The SCS Store Directory parameter specifies where pending mail should be stored and should be on a local
drive with plenty of disk space, to hold all the potentially pending mail. SCS uses the Delete Spam Above
setting if you set this to a nonzero value. If it is set to 15 for example, a score above 15 will not generate
a confirmation message under any circumstances.
The Spam Rules Directory must point to your SpamAssassin rules directory. This is where SCS.CF (the
whitelist) will be built dynamically.
Guinevere is smart enough not to be caught in a “mail storm” – users who continue to e-mail the system,
without responding to the confirmation request will be ignored, and their messages deleted. This state is
reset in 24 hours.
The reasons why SCS is not appropriate for all situations:
Works best in a small environment. Otherwise, it may increase the mail flow unacceptably and delay critical e-mails.
Mailing lists can be problematic.
Senders may feel offended at the implied label of being a spam.
Does not function properly when used with the “StickTo” option.
Copyright © 2005 - All rights reserved.
44
Guinevere 3
Built-In
The Integrated tab of the SpamAssassin component of the Guinevere configuration program has several
options for configuring an integrated SpamAssassin set-up
Skip all DNS-based tests – While faster, it is less accurate but good for diagnostic tests.
Show all SpamAssassin windows – This option presents all of SpamAssasin’s windows and is useful when debugging an
installation.
Adjust score downwards for
certain attachment types – This
option requires that
fingerprinting be turned on.
Then, enter a value in the
Subtract X Points field. Clicking
the Set Types button presents a
dialogue with a list of document
types similar to the attachment
blocking and fingerprinting type
selection lists elsewhere in this
program.
Note that Fingerprinting must be
turned on for this feature to
function.
Motivation and usage
If there is a document type used a
great deal in your firm, you can apply a
large point subtraction value to it to
ensure the mail attachment makes it
through. Be cautioned though, this
technique may have consequences that
require close attention.
Copyright © 2005 - All rights reserved.
45
Guinevere 3
Learn ham and spam
Clicking the Learn Ham and Spam button presents a dialogue
box for teaching Guinevere how to identify ham and spam that
your users need to have, or have blocked. If supplied with
samples of good and bad e-mail, Guinevere’s SpamAssassin
integration can use Bayesian algorithms to tweak its filtration.
The first two entry fields, Bayes Base Dir and Core Rules Dir,
show the paths to the rule sets on your installation. Below that
is the Bayes Configurations window. This lists one entry by
default when Guinevere 3 is first installed. If you decide to
create a user configuration tree, many folders may be listed.
The Ham and Spam directory fields point to the location where
your selections of spam and good e-mail are kept. Once
samples are added to these directories, click Learn Ham or
Learn Ham respectively. End by clicking Sync DB and then
Done to return to the Guinevere configuration program.
Note – Perform this task when Guinevere is not running or else
performance and stability issues may result.
Copyright © 2005 - All rights reserved.
46
Guinevere 3
Test a Message
Clicking the Test a Message button presents a dialogue box for inserting a message into a queue for
processing by your SpamAssassin set-up.
The first two fields are for locating the User Rules directory and the Core Rules directory. Below that is a
checkbox for enabling the selection of Local Rules Only. To choose the file, click the Select File button.
This will present a dialogue box permitting an administrator to navigate to the local rules file.
Lastly, there is a Test file button. This permits administrators to run SpamAssassin against a file to see
how it is processed. Click Done when complete.
Non-Integrated
This screen configures the nonintegrated version of SpamAssassin.
Such installations are not advised for
general use and require knowledge of
Perl as well the Q&A at
http://www.openhandhome.com
Copyright © 2005 - All rights reserved.
47
Guinevere 3
Digest
New in Guinevere is the Enable Spam Digest mode. These produce clickable
HTML reports which are sent to users. Any may caught as spam is listed and
users can click the entries to request a release. The digest can be sent out at a pre-determined hour by
means of the Digest at Which Hour entry field.
Use 0-23 to determine the hour of day when users are sent the digest of their blocked e-mail. Only one
number can be entered here.
To allow users to click the digest, enable the Permit users to
request submit of spam checkbox. Lastly is an entry field for
creating a name for describing the agent which has sent the
digest to the users.
Inbound Archiving must be activated to use digests. Archiving is not on, then resubmits in will fail as there is nothing to
resubmit.
Digest Exceptions
Click the Advanced Digest button to add per-user exceptions for Guinevere’s
spam digesting and resubmission. Logically, the Enable Spam Digests and
Permit users to request resubmit of spam must be enabled first.
Copyright © 2005 - All rights reserved.
48
Guinevere 3
The Advanced Digest Exclusions screen is a list window with three columns: Pattern, Digest and Resubmit?
Click Add to create a new user exception for digesting and resubmission rights.
Add a User Name to the data entry field, then enable either the Permit Digest and or Permit Resubmit
checkboxes as needed. Click OK to save your edits or Cancel to leave your exceptions list unchanged. The
Digest and Resubmit columns will be populated with zeros (not enabled) or ones (enabled).
The Edit and Remove buttons can be used to change or delete entries as needed.
Copyright © 2005 - All rights reserved.
49
Guinevere 3
Common Advanced
The last configuration screen in the Guinevere SpamAssassin settings screen is Common Advanced for
typical but advanced SpamAssassin customizations.
Some organizations fine it useful to pass along all messages to their users. Enable the Pass through
marked up reports to user checkbox to activate this functionality.
Delete Spam Above …
Even for administrators wanting to offer users
this additional flexibility, some mail is obviously
spam, and not a false positive. An example will
explain usage of this option: If the default
SpamAssassin threshold score is 5.0 but an
administrator sets the Delete Spam Above to 15. This means:
If the spam score is less than 5, it is not spam and is treated normally
If the spam score is between 5 and 15, it is spam, but is passed to the user with the marked-up spam report
If the spam score is greater than 15, it is spam, and deleted.
Additionally, there is a checkbox to Apply this to Admin Spam Notifications, too.
Pass Through Marked Up Report to User
Warning: This option is unsupported! Without incorporating special modifications directly to the
SpamAssassin Perl script, activating this option will cause most incoming mail to be blocked. The Perl
modifications are neither written nor supported by Beginfinite, but developed for two users who wrote
their own. These are in HandJ.DOC, included in the application directory. Normally, Guinevere deletes all
mail marked as spam. The user to whom it was addressed to does not receive it. This option instead
passes the marked-up (with spam report) message to the user.
Copyright © 2005 - All rights reserved.
50
Guinevere 3
One use is allowing users to filter on the subject ****SPAM**** instead of having the message auto-deleted.
This feature is enabled by clicking its checkbox in the Advanced features section on the SpamAssassin
section of the Guinevere configuration screen. This option is applied with the SCS – if the score is above
this threshold, no confirmation message is sent.
To experienced Guinevere administrators, this is known as the “Heath and James mod”, in honor of the intrepid users
who first developed the Perl mods required to support this technique.
Mark up non-spam as well with spam report is also an option. This can be useful in diagnostic and set-up
phases. The final configuration option here sets the range
between which mail tagged as spam generates a report to
the user.
Spam scoring between VALUE and VALUE generates a notification to the sender can be useful in alerting
senders that certain messages were blocked.
Run SAConf
The Run
SpamAssassin
Configuration
button.
Administrators will be presented with two data entry fields for determining the paths to the
SpamAssassin Rules and the Full path to the User Configuration File.
Finally, an option is available to Skip non-English configuration files. Enabling this checkbox speeds load
time considerably. Click Go when ready or Exit to cancel.
Copyright © 2005 - All rights reserved.
51
Guinevere 3
Signature Files
The GroupWise client already provides a signature option. However, there are some difficulties with the
implementation Novell provides:
The signature is stored locally in the registry instead of the user database in GroupWise 5.2. The signature does not
follow the user from workstation to workstation unless roaming user profiles or ZenWorks is utilized. In fact, if no user
profiles are used, a situation where a public workstation has an inappropriate signature forwarded to clients is all too
possible. This has been corrected in GW 5.5/6.0, which does use the user database to store the signature.
It is difficult to set a universal default. This is desirable for disclaimers, policy issues, etc.
There is no flexibility as far as when signatures are appended.
While the basic functionality described above is more than sufficient for 90 per cent of Guinevere
customers, some companies:
Have more than one outgoing Internet domain. They might want unique signatures for this circumstance.
Might want to suppress signatures going to one specific locale.
Have multiple offices each with their own GWIA installations and their own Internet Domains.
This address pattern feature addresses these needs. Multiple pattern matches can be added here, and
unique signature files can be specified for portions or the entirety of e-mail addresses in combination with
MAIL TO and MAIL FROM, as well as RCPT TO and RCPT FROM. If none of them match, the default
signature file is used.
Append Signature Files to All Outgoing Mail is off by default, when the signature option is selected, all
outgoing mail have a signature file appended to it. Normally this is a plain text ASCII file. Set the location
of this file in the Location of Files section of the Configuration Program.
Copyright © 2005 - All rights reserved.
52
Guinevere 3
HTML signatures
Create the plain text version of the file such as C:\SIG.TXT. Now, create an HTML file with the same
filename, with a .HTM extension appended (e.g. C:\SIG.TXT.HTM). The HTML file should NOT contain any
of the <HTML>, <HEAD>,<TITLE>,<BODY> tags. It just consists of bare HTML. For example:
<table><tr><td>MyCompanyName<td><img
src=”http://www.company.com/logo.jpg”> </tr></table>
This appends to all outgoing HTML mail a table containing a bit of text on the left, and the company logo
on the right. When mail is sent out that is just plain text, only the plain text signature will be used.
Append Signature Location
This drop down menu
specifies signature
files are inserted, at
the top, or end of
messages.
Except if the Subject Contains
If the subject contains !!NOSIG!! (or whatever has been specified for your installation), the outgoing
signature will be suppressed for this particular message. (!!NOSIG!! will be removed before the recipient
sees it). Note Be sure to choose
a name that is a
phrase
uncommonly
typed!
Multiple
Signatures are
supported by
Guinevere.
Administrators
can choose to append signatures according to the default
signature file or
Match against mail from, using only a portion of the
address after the @
Match against RCPT to, using only a portion of the address
after the @
Match against mail from, using the entire address
Matching against RCPT To, using the entire address
Click Add to insert a signature into the signature library.
You will be presented with a dialogue box to enter the
criteria and the path to the signature. Click OK to confirm
or Cancel to quit. To edit or remove signatures, click the
needed entry and click the required button.
Copyright © 2005 - All rights reserved.
53
Guinevere 3
Oversized Messages
GWIA already has settings (under Class of Service) for setting both Incoming and Outgoing mail size limits.
But there are severe limitations to the method implemented by GWIA.
Specifically, in GroupWise 5.2 and 5.5, it is not implemented at the "daemon" level. This has these
implications
GWIA will not protect systems in the following scenario: The entire message will be transmitted. Thus, you can have a
slow internet connection totally tied up receiving a single message. All your receive threads can be used up, effectively
generating a busy signal for other mail servers.
GWIA will then allow the message to be incorporated into the GroupWise Message Store (as part of an access denied
message to the administrator). This almost totally defeats the purpose of the incoming message limit. A big file could
both fill up a server hard drive and corrupt the GroupWise Message Store.
The text message portion never gets to the recipient. Since the recipient does not know what happened to the
message, several retries could occur. This further ties up the system.
GroupWise 6 cannot do much about the first scenario above.
Guinevere can do something about the last two. When this option is enabled and a message exceeding the
specified limit is received, Guinevere removes the file attachments(s), while continuing to pass messages
to the intended recipients. Warnings will be attached informing the recipients that the file sizes exceeded
allowed limits. User exceptions can be configured as well.
Guinevere 3 has the option of deferring large outbound messages until a convenient time window (e.g.
when bandwidth rates are low).
Copyright © 2005 - All rights reserved.
54
Guinevere 3
Block Incoming messages exceeding....
Set the maximum size threshold
here. Messages exceeding this
size will be stripped of their
attachments. The recipient will be notified. The sender and the administrator are not.
Defer Outgoing messages that exceed....
This option may prove
particularly useful if you have
WAN links, this may be useful. The message will not be processed until
the specified time windows.
There are two time fields for scheduling this. The first entry field sets
the processing start time using a 24-hour clock. Specify the time as
whole numbers. The second field limits this processing time.
Copyright © 2005 - All rights reserved.
55
Guinevere 3
Archiving
Guinevere’s archiving features have advanced significantly with Guinevere 3. Now with full SQL
integration, Guinevere 3 archives are now container files that give administrators granular control over
their mail archives.
Archive Inbound Messages
Select whether to archive all inbound
messages, just those that are infected or
blocked, or not to archive at all. All
messages are stored exactly the way they
arrived at the GWIA, in standard MIME
format. To read about how to decode and
view these messages, refer to the Archive
Viewer section of the Guinevere documentation.
Spam is a special case and archiving of spam is only activated via the SpamAssassin section of the Configuration
Program.
Important – If Archiving is not on, then resubmits in will fail as there is nothing to resubmit.
Archive Outbound Messages
Select whether to Archive all outbound messages, those that are infected or blocked, or not to archive
them at all. All messages are stored exactly the way they arrived at the GWIA, in standard MIME format.
To learn about how to decode and view these messages, refer to the Archive Viewer section of the
Guinevere documentation.
Copyright © 2005 - All rights reserved.
56
Guinevere 3
Turn off Archiving
When Disk Space is
below...
Archiving is a wonderful feature, but using this feature consistently runs the risk of running out of disk
space. That could be disastrous. To minimize that risk, the following guidelines are advised:
Never put the archive directories on a boot volume or on a network volume. The potential for something going wrong if
disk space is used up too great.
Turn on this option and specify a reasonable threshold.
When this option is activated, Guinevere will dynamically turn on/off archiving based on whether the free
disk space is above or below the configured threshold.
Zip Archives Hourly To Save Disk Space
All files in the archive directories will be compressed into zip files each hour. The zip file will have the
filename DAYMONTHYEAR.ZIP. This feature is particularly useful if your organization makes heavy use of
the Guinevere archiving features, whether via the Mail Filtering or Archiving options.
Archive Spam container files
Again, this is a diagnostic function, not recommended to be operational for long. It will archive each
message flagged as spam to the appropriate Archive directory. That is guaranteed to fill hard disks
quickly. It can be very helpful for new customers at first as you learn how to best configure Guinevere
and SpamAssassin. Another option below the Archive Spam Container Files is Archive Marked-Up
Version. Again, it might prove resource intensive. Archive Marked-Up Version determines whether the file
archived is the original unmarked-up file, or the one containing the spam analysis report. Note that
marked-up versions require significant editing if they are to be resubmitted to the GWIA for delivery.
SQL
Guinevere 3 now includes
powerful SQL-based
archives to work with
vastly-improved Archive viewer. The immediate advantage is that Guinevere now is far more scalable and
can process, submit and resubmit, view and print to ham/spam thousands of messages. The first step to
take advantage of this new functionality is to choose to Add to SQL database all incoming archived files
or Add to SQL database all outgoing archived files. When ready, click the Run Archive Viewer button.
This can also be run this independently from the Configuration Program; and has its own icon in the
Programs menu.
Run Archive Viewer
Click the Run Archive Viewer button to launch that application.
Copyright © 2005 - All rights reserved.
57
Guinevere 3
Return Receipts
GroupWise users have longed for the ability to verify that an outgoing Internet message actually was
delivered.
GroupWise 6 largely fills this need by supporting DSN (Delivery Status Notification) right out of the box.
But there are still some useful additional features in this section for GroupWise 6 users too.
An Overview of How Return Receipts Do and Do Not Work
Before launching into the configuration options, it is probably helpful to understand how return receipts
are supposed to work. There are three different “standards” for requesting a Return Receipts:
“Return-Receipt-To” (RRT) – This was introduced early in SendMail (the dominant Unix mail server) and copied by many
vendors. It consists of adding a single line to your header, Return-Receipt-To: <emailaddress> , where <emailaddress>
is the place the receipt should be sent.
“Message Disposition Notification” (MDN) – This is an official Internet standard. It works much like RRT, adding a special
header to the message containing the address to which the receipt should be sent.
“Delivery Status Notification” (DSN) – This is also an official Internet standard. It works differently from the other
methods, in that it is all takes place at the daemon level. In other words, when a mail server using DSN contacts
another mail server, and a receipt is requested specifically, it is not part of the message
The problem with any of these methods is simple: If the receiving mail server does not support the
method, it does not work. Additionally, there is no way to know other than trial and error, if a particular
mail server supports a particular standard of return receipts. (Actually, this statement is not totally
correct for DSN. To check if a mail server supports DSN, you can TELNET on port 25 of its IP address and
type EHLO. If one of the words that returns is DSN, it supports this.)
Copyright © 2005 - All rights reserved.
58
Guinevere 3
How Return Receipts Work in Guinevere
Guinevere supports the RRT and MDN return receipt request standards. It does not support DSN,
unfortunately, as that must be implemented at the daemon level, which Guinevere does not run at.
So, GroupWise 6 users with DSN may not need these features of Guinevere; however Guinevere also
supports another option – Outgoing Mail Reports, which can be used either in place of standard return
receipts or for diagnostic purposes.
How does this work?
For every outgoing message, GWIA creates a file in the RESULT
directory. The file contains the complete transcription of the SMTP
conversation. From that, Guinevere reports to the sender, depending
on your criteria. There are three possible types of outcomes.
Only 2xx (xx being an arbitrary two-digit number) results occurred – This
means the message was accepted by the mail server. It does not prove it
got to the final recipient, but it does prove that the user’s network
accepted it.
4xx results – A 4xx error is usually a “temporary” error, such as the
receiving mail server being down. Typically, GWIA places these in its
DEFER queue, and retries over and over for the next four days. Neither
the recipient nor the sender know what is going on unless the
administrator checks the logs.
5xx results – A 5xx error is always a fatal error. There are many reasons
why this can occur. Fundamentally, the message in its current state will
NEVER be accepted by the receiving mail server. GWIA does not always
alert the sender this.
Obviously, this is a useful feature not just for return receipt
emulation, but also for diagnostics.
We will examine those options now.
Add Return Receipt Requests to Outgoing Mail
Off by default. When enabled, Guinevere’s return receipt capabilities are activated. Guinevere may be
set to implement either or both of the most
widely used methods of requesting a receipt,
the Return-Receipt-To: and Message
Disposition Notification method. If a user is
sending a piece of mail to an Internet user
and wishes to receive confirmation of its
delivery, the user only needs to put "!!RET!!"
somewhere in the SUBJECT line. For example,
To: billg@acmeglassworks.com
From: Michael Bell
Subject: Can you come to Friday’s meeting? !!RET!!
The !!RET!! can be in the beginning, end, or middle of the subject line, because it is automatically
removed by Guinevere. (e.g. Bill will only see "Can you come to Friday’s meeting?" Optionally, if
Automatically Request Return
Receipts for all outgoing mail is
enabled, users do not have to do
anything – all outgoing mail will have this appended.
Copyright © 2005 - All rights reserved.
59
Guinevere 3
Outgoing Mail Reports
Outgoing Mail Report results may also be activated here. Senders will receive a message back consisting
of customizable boilerplate text, and the attachment of the SMTP conversation. Options for outgoing mail
reports for all OK message may be set, temporary failure messages and fatal messages.
In Sequoia (GroupWise 7) GWIA results files are processed slightly differently, and 2xx messages will no
longer be trappable.
Copyright © 2005 - All rights reserved.
60
Guinevere 3
User Exceptions
Administrators can set up specific users (or pattern matches) to free these them from Mail Filtering,
Oversized Messages, Spam, and Attachment Blocking.
The interface is straightforward. Here one may Add, Edit or Remove entries corresponding to the
users/pattern matches. The Trigger inbound exceptions only when all To recipients are excluded requires
some careful consideration.
Example: If someone mails an oversized message to both John and Sue at your company, yet only John has
a user exception for oversized messages, what should happen?
This checkbox is off by default. That means both John and Sue receive the message. If it is turned on, all
of the users in the recipient list will have to have the exception, or it will be blocked. Ninety per cent of
multiple recipient messages (or more) have only one RCPT TO – most SMTP servers generate one message
per recipient, even if multiple recipients are at the same domain (and even if 5000 are listed in the TO
header).
Copyright © 2005 - All rights reserved.
61
Guinevere 3
In the user exception screen, enter:
The address or pattern
Whether the exception
applies to inbound or
outbound messages. Use the
dropdown menu to make
this selection.
Whether the exception
applies to Attachment
Blocking, Oversized
Messages, Spam, or Mail
Filters.
If the exception is an Attachment
Blocking exception, pattern can be
added to show which exceptions to
which it applies (default is “*”,
which means all attachments). For
example *.JPG allows JPEG files
through to this person, even
though Attachment Blocking would
normally block these.
Copyright © 2005 - All rights reserved.
62
Guinevere 3
Location of Files
The Location of Files section is where you set many of the fundamental directory path locations for
Guinevere. The Location Of Files Wizard can be re-run if needed. Other sections of this manual cover
setting up some of these options. It is rare to have to change any of them, with one exception: Default
Signature File.
Users of previous versions of Guinevere may note that there are many more files in this location. This is
due to the integration of SpamAssassin.
GWIA Directory
GWIA should already be
installed and this directory
should already exist as this is
the directory where GWIA was
installed. By default this is
located at
<yourdomain>\WPGATE\GWIA.
It should be one directory level
above the SEND, RECEIVE,
RESULTS, and DEFER
subdirectories.
The default value for this directory is Z:\GWDOMAIN\WPGATE\GWIA. Normally, the Location of Files
wizard will determine the correct value automatically.
The correct configuration of this parameter is absolutely critical for proper functioning of
Guinevere.
Copyright © 2005 - All rights reserved.
63
Guinevere 3
SMTP Services Directory
This is a directory that GWIA and Guinevere
uses to "ferry" files back and forth to the
GWIA. The default for this directory is
Z:\GWDOMAIN\WPGATE\GWIA\THIRD. Again,
normally the Location of Files wizard will
determine the correct value for you
automatically.
Note:
It is strongly recommended that the
services directory be a subdirectory of <yourdomain>\WPGATE\GWIA, and be named THIRD. All documentation in this
manual will assume this.
At any rate the GWIA must be able to access this directory, wherever it is located. This mandates that this directory be
stored on a network drive.
This directory is normally automatically created by the Location of Files wizard. It's a good idea to double-check
though, because if this directory does not exist, GWIA will stop processing all mail.
Work File Directory
As file attachments are processed, they are
copied to subdirectories of this directory
and scanned. This means the contents of
this directory can occasionally be quite
large, although the size is dependent on the
frequency of mail and on the size of the
mail.
The directory can be located on either
network or local hard drives, although the
local drive is recommended to reduce
network traffic. In either case, the drive
must support long file names. The default
value for this directory is <AppPath>\WORK)
Status Message Directory
Small messages are created here by various
processes of Guinevere. These are
informational in nature, indicating whether
a thread has started or ended, or whether a
virus infection was found. The contents of
this directory will always be quite small.
This directory will be automatically created
if it does not exist. The directory can be
located on either network or local hard
drives, although the local drive is
recommended to reduce network traffic.
The default value for this directory is
<AppPath>\STATUS).
Copyright © 2005 - All rights reserved.
64
Guinevere 3
Log File Directory
This is where all the log files for Guinevere are
stored, assuming that logging has been turned
on. The default value for this directory is
<AppPath>\LOG).
Archive Directory
Specify a location where incoming mail that is
to be archived should be stored. Mail archiving
can be triggered by either setting the
appropriate option in the Archiving Section of
the Configuration Program or by a mail filter
triggering. The default value for this directory
is <AppPath>\CIN). Note that archive files are
sorted into appropriate subdirectories, such as
BLOCK, SPAM, etc.
SpamAssassin directories
There are four SpamAssassin directories
configured by default. The SpamAssassin Core
Rules, the User Rules, the Configuration Tree
and the Bayes Directory. Among other things,
these directories contain the working files and
customizations for your installation of
SpamAssassin. These directories must be in
mapped or local and permanently available to
protect your message system.
Forwarded Message Store
A limitation of using different Guinevere
installations at inbound and outbound is that
forwards and CCs will fail because the
forwarded messages are stored in different
locations. This switch lets each Guinevere
copy to look at the same shared directory
path. Since use of StickTo is very rare, the
default, which is
<WorkingDirectory>\TEMP\FWD should seldom
be changed.
Copyright © 2005 - All rights reserved.
65
Guinevere 3
Default Signature File
If “signatures” has been turned on in the
Signature Files section of the
Configuration Program, the signature file
location must be specified here. The file
should be an ASCII text file. Make sure
each line is no longer than 76 characters.
If it is longer than that length, put
carriage returns at the end.
If a path is not specified, there’s a
default signature
(C:\GUIN3\MSG\SIGSAMPLE.TXT) that will
appear. Note that this setting should be a
full pathname including the filename, not
just a directory.
GSend Queue Directory
GSEND is used to deliver notifications and
spam digests. This directory. Messages
found in that directory will be processed.
Note that GSend must be set up first with
a user name and password to function.
SQL Processing Directory
This is the working directory for
Guinevere’s SQL-related functionality.
Event Log Directory
This directory contains Guinevere’s main
logs. These are very useful for diagnosis in
80 per cent the time when problems
arise.
The helper apps (sql, gsend, gwatch,
update) store their own logs.
Copyright © 2005 - All rights reserved.
66
Guinevere 3
GWIA install wizard
The Guinevere 3 Guinevere
Install Wizard assists
administrators in creating
the correct locations and
paths for installation files. It
also configures the GWIA to
ensure the services
directory is functioning
properly with Guinevere.
Click the Installation Wizard
button to begin. See the
installation process
elsewhere in this manual for
details.
Copyright © 2005 - All rights reserved.
67
Guinevere 3
Notification/Disposition
This section of the Guinevere Configuration program explains how to configure the way Guinevere treats
infected or blocked messages– whether the messages should be destroyed or partially preserved, whether
senders and Administrators should alerted about problem messages and files.
Inbound/Outbound Files treatment
This determines whether settings made in this
frame will affect Inbound or Outbound messages.
It is important to note that all settings below can
be configured independently for each direction.
Choose the option desired in the drop-down menu.
Message Handling
There are two options for handling
deleted or infected messages. Toggle
between them by using the radio buttons
on the Notification/Disposition screen in
the Guinevere Configuration program.
They are:
Delete the file including the text
message
Remove the file attachments only
but preserve the text message
Copyright © 2005 - All rights reserved.
68
Guinevere 3
If the first option is selected, the entire file will be deleted and the recipient will not even know that a
message was directed towards their mailboxes. In fact, if you don't activate any of the e-mail options
discussed below, administrators will probably never know either. If the second option is selected,
Guinevere removes all of the file attachments, but preserves the text message. A small tag will be
appended to the message.
Default: Remove the File Attachments, but Preserve the Text Message.
Send E-mail To ...
Selecting this option
will cause Guinevere to
send an e-mail to a
specified address:
(Subject: Infected File
Intercepted by Guinevere!) with the infected file as an attachment, as well as the report from the virus
scanner as an attachment and the following text message:
The Virus Report and the original file are attached. Please be careful that
you do not infect your workstation.
There is also an option for sending this same material to the message sender. Note that some virus
scanning integration do not support attaching the Virus Report (among them is UniversalAV).
By default, this option is off for both directions of e-mail flow. The e-mail is sent to a comma-delimited
list of one or more recipients (the list may include both Internet addresses and GroupWise addresses. If
using Internet addresses, it is assumed that the GroupWise system is configured to understand
user@domain addressing.) This is particularly useful for e-mail administrators. It is recommended to use
GroupWise Mailbox IDs when possible.
The e-mail/no e-mail checkbox may be independently configured for inbound/outbound mail. However,
the recipient list is the same for both directions.
E-mail Sender
This option sends an e-mail back to the original sender. By default, it is off for both directions. The
message contains the text:
This is an automatic message from the GroupWise Antivirus Scanner.
A message was received from you with a subject of (subject is filled in here)
The message was addressed to (recipient name is filled in here).
The message apparently contains a virus in one of the file attachments.
You will want to consult with your system administrator on how to deal with this.
Copyright © 2005 - All rights reserved.
69
Guinevere 3
Resolve Names: Mailbox ID/Display Name
GroupWise needs to know
how to look up the person
mail is being sent to in its
address books.
The Mailbox ID is usually
equivalent to the NDS
Network ID. (e.g. MBELL) Choose this option if you are more comfortable with network IDs. This is almost
always the best option.
The Display Name is the full name of the person. (e.g., Michael Bell). Choose this option for any of these
reasons:
Full name is easier to deal with
You want to e-mail a resource or group/distribution list.
You want to e-mail an Internet user.
The default is Mailbox ID for both directions.
Default Character Set
When a file is infected, and Guinevere needs to remove the file attachments while preserving the text
message, a problem can arise.
While Guinevere does its
best to preserve the
character set information
supplied in the message, it cannot be guaranteed that Guinevere will always succeed. If Guinevere cannot
figure out what character set to use, Guinevere will use this parameter as a default. The default is USASCII. International character sets are specified as ISO-8859-xx, where xx is the number assigned by the
ISO. The default is US-ASCII for both directions.
Copyright © 2005 - All rights reserved.
70
Guinevere 3
GroupWise Notification/Disposition Options
Guinevere 3’s Notification/Disposition screen also includes settings for configuring its interactions with
GroupWise.
The Log into GroupWise as needed checkbox can be enabled. User name and password fields are
provided for this. Administrators should select this unless single sign on or a similar authentication process
is available. The purpose of this feature is to provide access to GSEND, which needs to log into GroupWise
so it can deliver notification and digest reports.
Two other options are
available:
Log all mailing
activity for diagnostic
purposes
Never clean up the
GroupWise mail box
If you do not configure the
GSEND settings, a caution will
appear once. This alert is
likely to appear when first
installing Guinevere.
Copyright © 2005 - All rights reserved.
71
Guinevere 3
Reply Flood
The last tab in the Notification/Disposition screen is for Reply Flood Protection configuration options. This
is useful in protecting networks during massive virus outbreaks. It temporarily turns off reply to sender
features as this can often be spoofed.
Interval Width
High breakpoint per cent
Minimum Messages to Activate
Low breakpoint per cent
These values are used in concert to protect a messaging environment. The default setting is –1 and this
deactivates the reply flood control.
Copyright © 2005 - All rights reserved.
72
Guinevere 3
Miscellaneous
This screen pertains to logging, Event Logging, and SNMP configuration controls as well as decompression
settings and testing features.
Force Outgoing MIME Messages to Wrap at 76
characters
Ever since GWIA was introduced, some administrators have
found GroupWise's "non-wrapping" lines problematic. The
observed symptom is an Internet user receives mail and the line
extends beyond the edge of the screen instead of wrapping,
making it difficult for the recipient to read. Another symptom is
"=" characters scattered in the text.
Pre-GWIA, putting a /WRAP-76 in the GWIA.CFG (then
SMTP.CFG) file located in the GWIA directory root would force
line wrapping. Not so in GWIA.
Novell has followed the RFCs (Internet Standards) correctly but
there are many of noncompliant mail packages out there.
There are several ways of resolving this:
Make the recipient fix it - The easiest way is for the recipient to
either upgrade their mail packages or to turn on line wrapping
(often an option in their menu somewhere). This is the easiest,
but all too often unfeasible solution.
Add the /WRAP-76 line to GWIA.CFG and switch to UUENCODED
mail only, which will wrap properly. There are instructions how
to do this on http://support.novell.com. (Or, GW 5.5/6.0 has
these parameters under the Message Formatting button, located
on the SMTP/MIME Settings sheet)This works, but MIME messages
Copyright © 2005 - All rights reserved.
73
Guinevere 3
are vastly superior for international use. (UUENCODED messages do not support character set information and assume
US ASCII)
Upgrade to GW 5.2.3 or above (or to GW 5.5), and add both the /WRAP-76 and /NPQMT lines to GWIA.CFG. (GW 5.5 has
these parameters under the Message Formatting button, located on the SMTP/MIME Settings sheet) Now MIME messages
will wrap properly, but only US-ASCII is allowed. This is probably the best option.
Turn on the "Force Outgoing MIME Messages to Wrap at 76 Chars" option in Guinevere. This actually forces the lines to
break at 76 characters, inserting hard breaks as necessary. This option is not generally recommended, as it violates a
bunch of Internet RFCs and may look quite bad on some recipients’ mail systems. But if none of the other options have
worked, this may be worth a try.
Fix Problems with Underscores and Slashes in Mailbox IDs
The issue this addresses has become considerably less of an issue in the last few years, so this feature is
mostly being preserved for legacy purposes. In fact, as of GroupWise 5.5.1, by default the issue described
below is disabled.
Novell also introduced character mapping in GWIA. Certain characters such as (,),:,<space>,_ can cause
problems when used in Internet addresses. So, Novell implemented RFC 1137, which allowed interesting
mappings such as:
With outgoing mail, transform addresses with _ to #U# and / to #S#
With incoming mail, transform _ to <space>
Here Novell’s use of this method is presents challenges of its own. RFC 1137 has never been approved as a
standard and is not implemented widely. There is no way to disable this behavior (at least until
GroupWise 5.5.1 came out).
The major source of problems is the underscore character"_" and the / character. Other mappings ("", "<",
">", etc.) are not as problematic because those characters are extremely rare for user mailboxes. This
option when selected, reverses the effect: Outgoing mail is scanned for "#u#" and for "#s#" and it is
replaced with _ and / respectively; incoming mail is scanned for "_" and it is replaced with "#u#".
Preserve Statistics on Exit
If enabled, all of the statistics on the main Guinevere screen are preserved when Guinevere is exited and
restarted. Otherwise, they are returned to zero. You can also manually reset them using the Reset
Statistics button on the main Guinevere screen.
Enable Redline
Integration
If enabled, Event
Logging will be
turned on to ensure
easy compatibility
with RedLine,
GWAVA’s GroupWise
monitoring tool. The
Event Log directory
path will also be
presented for
reference.
Test Pattern
This presents a dialogue box for testing strings against patterns. This is useful for testing potential
exceptions, filters and signatures.
Copyright © 2005 - All rights reserved.
74
Guinevere 3
Logging
Enable Logging to Disk
If this is deselected, no standard logging will be performed.
Log File Shouldn't Exceed
After the Log File reaches this size, it
will be closed and a new one created in
its place. These will be numbered
sequentially. The default is about eight megabytes.
Store Log Files for this many days
If any Log Files older than this are found, they will be
deleted. The default is three days.
There can be this many Log Files per day
This lets administrators specify precisely how many
log files can be created in a single day. If this number
is exceeded, Log File #1 will be overwritten. The default is three days.
Copyright © 2005 - All rights reserved.
75
Guinevere 3
Decompression
Guinevere can decompress various types of archive files, specifically
ZIP
GZIP
RAR
TAR
CAB
Guinevere can also decompress self-extracting flavors of all of these, but only ZIP is selected by default.
This is for performance reasons as it is comparatively rare that other archive types need to be filtered
and scanned.
The Maximum Archive to recursively decompress entry field controls the number of levels deep
Guinevere will unzip. Sometimes viruses are zipped several times in an attempt to evade detection.
Copyright © 2005 - All rights reserved.
76
Guinevere 3
Event Logging
Detailed
Logging
Normally, only
“interesting”
events are logged
to the event log,
such as a virus or spam. If you enable this feature, all traffic, both benign and malign is logged and it is
more disk space intensive.
Enable SNMP
For administrators who have SNMP monitoring workstations, this is a useful option. Guinevere will
generate either an
EVENT trap (for
generic events like a
virus found) or an
ERROR trap (for
errors occurring in
the program).
To use this feature, enter the SNMP community string and the monitoring workstation’s hostname. Also,
import the Guinevere.MIB file provided in the application directory into monitoring software. Finally, you
must install NET-SNMP.
Copyright © 2005 - All rights reserved.
77
Guinevere 3
Helper Applications
This screen activates and deactivates helper applications in the Guinevere ‘ecosystem’. For example, the
GSEND tie-in can activate Guinevere’s digest function. It is strongly advised that administrators consult
the other sections of this manual. GSend, GWATCH, and the new SQL digester and Updater run in system
tray.
Autoload GSEND – GSEND is used to deliver
notifications and spam digests.
Autoload VFIX – This is used to fix some virus
scanning issues. Use only if directed by GWAVA
support or technical notes.
Autoload GWATCH – GWATCH monitors the
health of Guinevere and can head problems off
before they become serious.
Autoload SQL Processor –Processes SQL inserts
and spam digests. Leave on if you are using
those features
Autoload Updater – This automatically
downloads updates, unzips them and alerts the
administrator.
Copyright © 2005 - All rights reserved.
78
Guinevere 3
The Auto-Updater
This new feature watches the
Guinevere web site to ensure
that updates, notices,
promotions, SpamAssassin Engine
updates, various enhancements
and Beta Software are
downloaded automatically to
your installation.
For security reasons,
items are downloaded
only, and not installed.
This assistant can search
for updates
automatically, and by
default checks every 40
hours.
The default download
directory is
c:\guin3\updaterooot\
Click OK to confirm your changes
or Cancel to leave the Auto
Updater with your settings
unchanged.
E-Mail notification
The auto-updater can be
configured to send e-mail
alerting administrators about
Successful downloads
Failed downloads
There is also an option to
suppress alerts for failed
master index
notifications
The E-Mail Notification Screen
can also be used to set the
preferred e-mail address for
alerts, as well as standard single
addressers or for groups.
Click OK to confirm your changes
or Cancel to leave the Auto
Updater with your settings
unchanged.
Copyright © 2005 - All rights reserved.
79
Guinevere 3
Connection
How the Auto-Updater assistant connects to
the internet, and to the Guinevere web site
can also be set.
The Use If-Modified-Since to reduce
network traffic checkbox to manage your
network resources. Download from this
URL determines the path from which
Guinevere checks for updates. Do not alter
this path unless directed by GWAVA
technical support.
The When Downloading, retry this many
times before giving up and Wait this many
minutes between retries controls how
often failed updates will be attempted. The
default values are 4 and 1 respectively.
Guinevere uses the proxy configuration set in Internet Explorer; however, there are two entry fields for
Proxy User Name and Proxy Password.
Click OK to confirm your changes or Cancel to leave the Auto Updater with your settings unchanged.
Log Settings
The logging settings for the Auto Updater assistant can be configured. Enable the Log to Disk checkbox to
activate or deactivate logs. The Log to this directory path is used to set the log location. Keep logs for
this many days sets time, in days, when logs are purged.
Finally, there is a checkbox to enable Verbose Logging.
Copyright © 2005 - All rights reserved.
80
Guinevere 3
GWATCH
GWATCH monitors the health of Guinevere and can head problems off before they become serious.
Gwatch is only active if loaded. This is done in the Helper Applications tab in the Miscellaneous section of
the Guinevere configuration program.
The screen has three areas for What to watch, When to act and How to react.
For what to watch, there are there options: Check if Guinevere is loaded, Check to see if Guinevere is
Pulsing and Test mail flow every 15 minutes. When to act has one field, a value in minutes for response
after an adverse condition is detected.
The last component of the GWATCH configuration screen is the reaction section.
Log into GWATCH.Log
Run a program
Terminate GWATCH after 30 seconds
Send an e-mail (Choose mailbox ID or display name)
Force Windows to reboot
Copyright © 2005 - All rights reserved.
81
Guinevere 3
Customize Messages
This screen allows you easy access to
every alert and notification message
used Guinevere.
Administrators cannot add messages to
this screen, but the messages can be
edited. To view or change a message,
select it, and click the Edit Value
button. This will present a window with
the text of the message and all of its
variables in one window.
Copyright © 2005 - All rights reserved.
82
Guinevere 3
Advanced Tuning
As the title of these options cautions, most Guinevere administrators should not need to alter these
parameters often or at all. Please do so with care.
Threads
The number of threads refers to the maximum number of DOS boxes allowed to launch simultaneously.
One DOS box is launched for each message that contains a file attachment. Except for debugging,
changing this parameter would be unusual. If you all of your threads are used up and a thread does not
clear in five minutes, Guinevere will deliberately freeze itself.
In tests, on a Pentium 133, our engineers found a thread took approximately 10 seconds to run even when
infected. On a Pentium II it averaged two seconds. Since an average of 10% of e-mail has attachments, it
is unlikely it is for things to clog. It is unusual for even two or three threads to be in use.
Enable Thread Aging
Enabling this checkbox will force threads which appear to have stopped functioning to close. This should
generally be left off. If so many threads are locking up that this feature must be enabled for operations
and not testing, then forcing them to quit is akin to putting black tape over the ‘check engine’ light in a
car.
SA Threads
This field controls the number of Spam Assassin integrated sessions. Guinevere engineers advise that this
value should be one third to one half of the spawn threads value listed above.
Copyright © 2005 - All rights reserved.
83
Guinevere 3
Performance
Polling Delay
The polling delay is approximately how many milliseconds elapse between Guinevere completing an
operational cycle (this time is indeterminate and depends on many variables) and the next time it scans a
directory. This delay represents idle time.
Increase the time (up to 60000) to reduce network traffic, but also make Guinevere process messages less
frequently (thus possibly piling up unprocessed messages in your queues).
High volume (> 8000 messages per day) systems should reduce this down to as low as 50 to greatly increase
performance.
Low volume systems (<2000) should probably leave this alone.
Base64 Text Check
This should rarely be needed. For some (and not 95 per cent of them) international users, GroupWise
encodes the text in Base64. If they have signature files activated, the message is corrupted. This fixes this
– but it is really strongly recommend it not be on unless needed.
Local Caching
When
selected, the
message will
be cached on the local hard drive, reducing network traffic by a considerable amount while processing.
This can produce a large performance increase in high volume systems, negligible otherwise.
Cache Directory
This checkbox enables a directory that will reduce the need to access the network. This is enabled by
default.
Copyright © 2005 - All rights reserved.
84
Guinevere 3
Processing
Scan Lines
To identify whether a message contains a file attachment, Guinevere scans the message looking for clues.
This option defines how deep it looks. If Guinevere reads that many lines from the message, and still has
not reached the file attachment, Guinevere will assume the message has no file attachment.
Raise the number to increase accuracy a small amount, but slow Guinevere. (Consider how often text
messages with 200+ lines arrive. If this is rare, do not change this setting – it takes a toll in performance).
The default is 1000 lines.
Max Errors
Specify here the number of errors Guinevere will tolerate before shutting itself down automatically Zero,
the default, tells Guinevere not to shut down regardless of the number of errors.
Clean Results
When selected (as it should be under all normal circumstances), Guinevere moves "S/R Pairs" from RESULT
subdirectory under the Service Directory to the RESULT subdirectory under GWIA. A result file (R File) is
created for every mail sent. Normally you want these automatically deleted by GroupWise, but they can
be useful for debugging. Our recommendation is for this option to be left on).
Copyright © 2005 - All rights reserved.
85
Guinevere 3
File processing
Files can be
processed from
newest to oldest or
oldest to newest.
Alternatively,
Guinevere can be set to process them in series
Service Direction
This drop-down menu
controls which
queues are serviced
by Guinevere. There
are three options:
Both directions—this is the default
Inbound
Outbound
Copyright © 2005 - All rights reserved.
86
Guinevere 3
Reports
The Reports configuration screen allows administrators to generate SQL or Log-based reports quickly and
easily. The default is to use Guinevere’s new SQL-based system rather than the older event-log based
method.
List all mail filters
Oversized messages by date and then sender
domain
List all user exceptions
List all blocked attachments and extensions
Viruses by date
Fingerprinted messages by date and then
sender domain
Filtered messages by date and then filter
name
Spam by date
Attachment blocks by date
Oversized messages by date
Filtered messages by date
Fingerprinted messages by date
Viruses by date and then sender domain
Spam by date and then sender domain
Attachment blocks by date and then sender
domain
Copyright © 2005 - All rights reserved.
Filtered messages by date and then filter
criteria
Full traffic report by date
Full traffic report by date including
attachments
Full traffic report by date and then sender
domain
Summery of all events (slow
87
Guinevere 3
Choose the reports or report desired, then set the parameters:
Start and end date
Prompt for export to disk after generation
Messages in both directions, inbound mail or outbound mail (The Event Log version of the reports lacks this
functionality on this screen)
Page break after each day
Suppress detail
Event-Log Based Logging
The Event-Log Based
reports are the same as
the SQL reports. The
parameters are set
differently. Beneath the
report lists, configure the
Start Date and the End
Date. There is also a
checkbox to Prompt for
export to disk after
generation. The Event
Directory entry field sets
the path for this data.
Finally, there are two
formatting checkbox
options: Page break after
each day and Suppress
detail.
Click the Generate Report
button to create your
report.
The Reports
Note that the reports are
generated considerably faster
if they are sorted by date.
Sorting by other subcriteria
can slow report generation. A
typical report window looks
like this:
Most of the interface is self
explanatory – there are
options to print, to navigate
to other pages, to zoom, and
to search for specific text.
Note that CTRL-PGUP and
CTRL-PGDN can be used to go
to the beginning and end of the report.
Copyright © 2005 - All rights reserved.
88
Guinevere 3
Test a Message
Guinevere allows administrators to test messages with a handy utility kept in the Guinevere directory.
Launch this application from the Start Menu.
The User Rules and Core Rules directories can be customized if need be for a particular test, and a
checkbox can be enabled to ensure Local Rules Only are fired in the trial. Click the Select File button to
navigate to a test message and then Done when finished
Copyright © 2005 - All rights reserved.
89
Guinevere 3
Guinevere Archive Viewer
The Guinevere Archive Viewer is a stand-alone application for viewing e-mails intercepted by Guinevere.
Users of previous versions may note that the Archive Viewer included in Guinevere 3 includes many new
features including:
SQL Integration permits fast and
flexible searching, filtering and sorting.
Web Browse html, jpeg, gif files in a
safe browser interface
View Zip attachments and extract the
contents.
Open SpamID files directly.
WhiteList/BlackList
Export to HTML
Submit as Spam/Ham
Search for text in columns
The Guinevere Archive Viewer does more than provide access to stored messages. The Archive Viewer can
also be used to submit mail items to the HAM or SPAM lists as well as the Allow or Block Address list. The
Archive Viewer can view the archives in SQL or Folder modes. SQL mode is the recommended mode to
view the archives as is provides a much faster and scalable architecture to viewing large Guinevere
archives.
The new archive viewer works only with G3 archives. The older archive viewer, which works with G2 archives, is in
<app>\tools\legacy.
Archive Database Organization
Before using Archive Viewer, it is important to review and expand upon some concepts from previous
chapters – location, format, and disposition of archive files.
The “root” archive directory (henceforth referred to as <RootArchiveDirectory> – all archive-related files
are stored under this directory tree. The default location is <ProductDirectory>\Archive. <Product
Directory> itself usually defaults to the Guin3/Archive folder. You may change these values in the Location
of files section in the Configuration Program. Under the “root” archive directory, each agent creates a
subdirectory for itself.
Container Files are created, one for each archived message. The databases typically have filenames
similar to YYYYMMDD.DB. They contain all of the MIME header information as well as basic information
such as From, To, Subject, Attachment Names, Event types, etc.
Launching the Guinevere 3 Archive Viewer
There are two ways of launching the Archive Viewer. It can be launched from inside the Guinevere
Manager. See the Archiving section for more information. Alternatively, you can run the Archive viewer
from the Guinevere menu, located under the Programs menu.
Begin by selecting your archive for viewing.
Archive Viewer opens with a screen presenting the user with several buttons: Select Archive Folder,
Compact, Advanced and Done, which quits the Archive Viewer. Note: With Switch to SQL mode clicked,
the button toggles to read Switch to Folder Mode. Above, the Select Archive Folder will now read Select
MetaDatabase.
Copyright © 2005 - All rights reserved.
90
Guinevere 3
Select Archive Folder
Locate the directory where the archives are stored. Select the archive folder and click OK. The archive
viewer will open with the oldest archived message selected. Typically, the archives are in the active
MTAs; however, should you wish to examine mail now moved to other volumes, the click Open Unlisted
Database button.
Wildcards and searches
Guinevere can search with wildcards. The
Archive Viewer now automatically wraps
search phrases in wild cards; moreover,
there are changes in how they operate in
Folder versus SQL mode
Unlimited in Folder mode is *, while
in SQL mode this value is
represented by %
Single character in Folder mode is ?
while in SQL mode this value is
represented by _
Tools
Compact database: Marking records as
deleted does not regain any disk space
unless one compacts them. Doing so is an
intensive operation that absolutely
requires exclusive access to the
database.
Copyright © 2005 - All rights reserved.
91
Guinevere 3
Select metadatabase
Any existing databases at this location will be shown. Click Create a new database or Import into an
existing database. Next, choose a source directory which contains the .zip and .ini files required for
importation. A window will be presented for you to navigate to the source files that will be copied.
Note: The importation tool does not screen for duplicate data.
There four options at the bottom of this dialogue box: Choose Another MetaDatabase, Open Unlisted Data
Database, Remove selected entry and Show Only the Last 30 Days.
Copyright © 2005 - All rights reserved.
92
Guinevere 3
Advanced
This screen is obtained by pressing the Advanced button at the
introductory screen of the Guinevere 3 Archive Viewer, by pressing F –
12, or by selecting Preferences from the View Menu. It permits
administrators to configure the Guinevere Archive Viewer’s
operations. There are four tabs: General, View, Folder Mode and SQL
Mode. The default first tab is General.
Setting
Comment
Do not open archives
exceeding
This sets the upper limit of the size of archive which may be opened. The
default is 15,000 kb.
Number of directories n
history
The default number of directories in the archive history is 20.
When quitting
The options available in this drop-down menu option allow you to
automatically always clear the local cache, never clear the local cache or
prompt to clear the local cache.
Copyright © 2005 - All rights reserved.
93
Guinevere 3
View
Setting
Comment
Percentage of width for
text view
This setting customizes the width allocated for text in the Archive
Viewer.
Percentage of height
for list
This setting customizes the amount of space allocated for lists in the
Archive Viewer.
Show only primary
domain in FROM
DOMAIN column
This restricts the data in the From column to the primary domain. For
example: mail.anothercompany.com you want to show
anothercompany.com.
Convert headers from
OEM to ANSI
Enabling this option translates headers into ANSI. The MTA often
stores subjects and other headers in DOS code which may be
problematic to understand and diagnose.
Automatically view last
opened archive
Activating this option will automatically open the last viewed archive.
Copyright © 2005 - All rights reserved.
94
Guinevere 3
SQL mode
Setting
Comment
Fetch data in chunks of
this many items
Prefetch this many items (often called “Chunks”) entry field. The
default for this value is 100.
Note: You can navigate the pre-fetched items directly when in the
Archive Viewer’s SQL mode by using the Chunk Navigator.
While it may seem tempting to increase the number of pre-fetched
chunks, doing so increases the memory requirements and display time
dramatically.
Never retrieve more
items than
The Maximum Number in Database. The default for this value is
100,000.
Default SQL Filter
This permits you to define the main screen’s default SQL filter.
Copyright © 2005 - All rights reserved.
95
Guinevere 3
Prompts
Setting
Comment
Don’t confirm the file
deletion
Enabling this checkbox allows administrators to delete items without
an additional confirmation prompt.
Request information
repeatedly with
multiple resubmits
This option separates information requests per item during bulk
resubmit.
Display pop-up when
resubmitting mail or
resubmitting spam and
ham
Enabling this checkbox will prompt the administrator with a pop-up
when resubmitting. You will be prompted if there is an issue
connecting or logging into the mail server. It has a similar function in
the case of multiple items selected for resubmit.
Copyright © 2005 - All rights reserved.
96
Guinevere 3
The Building Query window
Clicking the Default SQL Filter button in the Advanced window presents the Building Query window.
There are two tabs: Criteria and
Grouping. Criteria builds the
elements of the SQL request while
Grouping defines the priority of
their processing.
Click the … button under Criteria
to begin constructing your query.
The options are Add a new
condition, add a new group,
delete a condition, move up and
move down. Click and release the
mouse on the needed options.
In our example, we will choose
Add a new condition. This adds a
line to the Criteria tab window.
Building your Query
The phrases Records where * is equal to * will appear.
Each of the underlined portions is a customizable portion
of the request. The second * changes depending upon
what criterion was selected first; moreover, the middle
portion of the equation is also variable.
To store your built query, click the Save button, or Clear
to begin again. The Load button is used to edit existing
queries. To leave the Building Query window without
saving, you may also click Cancel.
Copyright © 2005 - All rights reserved.
97
Guinevere 3
Grouping
The grouping tab allows you to order the construction of your Query. Again, begin by clicking the
ellipses (…) button.
The first field mirrors that in the Criteria tab:
Subject
Recipient
Recipient Type
Archive Path
Event
Guinevere Date
Guinevere Time
Mime Date
Mime Time
Attachment Count
Guinevere Message ID
Spam Score
Spam ID Path
Mime Header
Mime Header field
Order
The Sort component of
the equation has two
options, Ascending and
Descending. You may
define more than one
sort order, and the
order of prioritization.
Copyright © 2005 - All rights reserved.
98
Guinevere 3
Another way of starting the Query Builder
It is not necessary to restart the Archive Viewer to gain access
to the Query Builder. To gain access to the Query
Builder from within the program, press the SQL button
in the toolbar.
Load and save
Once the query has been generated, click the Save button.
Enter a name in the entry field in the window that appears and click OK or Cancel. When saving, you will
be asked whether or not you wish to apply the new filter. The Load button above the save button is used
to edit an existing Query.
Copyright © 2005 - All rights reserved.
99
Guinevere 3
Using the Archive Viewer
Once you have located the archive folder you wish to view, a list of messages archived in that folder is
presented in the Archive Viewer window.
The main archive viewer screen has several regions: the button bar is on top, the message list is below it;
underneath that are areas for displaying the selected message’s triggering events and other information
as well as headers and text.
Headers displays the MIME header of the message and information about the archive.
Text displays a list of text files associated with the message (after it is broken into its component parts).
Attachments displays a list of attachments (if any) associated with the message.
Text Body displays the text content of the file selected in the Text area.
Other Archives lists all the messages, and the date they were saved, in the current archive folder including the .CSV
list of archived files. Note: the archive viewer cannot open the .CSV file.
Copyright © 2005 - All rights reserved.
100
Guinevere 3
Buttons
Save (Control+S) the text or attachment from the currently opened message
archive. This button also allows you to save HTML reports. (Control+E)
Copy the text currently displayed in the text body to the clipboard so you can
paste it into another application or into an e-mail message. (Control+C)
Delete the selected message from the archive.
Resend the selected message—allows the message to be resent independent of
Guinevere’s filters and rules. (Control+R)
Refresh the archive list. (F5)
This button displays column display options for the Archive Viewer. Options
include sorting the list view by File Name, Date, Subject, From, To, CC, BCC,
Reason, SpamID, From Domain, InfStatus, Size, Cache Status for Text
Headers, ATT list, TextList, and Real Date. Enable these by clicking on their
respective checkboxes.
Display Preferences options for customizing the Archive Viewer. (F12)
Add to Spam Vector Set. (Turns the entry red)
Add to Ham Vector Set. (Turns the entry green)
BWJournal This is your list of black and white lists. (Control+B)
Define SQL Query presents the Query Builder window. (Control+Q)
The Chunk Navigator: Use the left and right arrows to navigate through the
current SQL database. The value reported between them indicates which
“chunk” is being viewed. The size of the chunks, or pre-fetched items in your
SQL query session, can be changed in the advanced configuration settings.
Increasing the value from its default of 100 will increase memory requirements.
Note: The Chunk Navigator is only visible when in SQL mode.
Exit the Archive Viewer or Open
(Control+O) another archive.
Copyright © 2005 - All rights reserved.
Print
101
Guinevere 3
Menus
Guinevere 3 Archive Viewer menus keyboard shortcuts.
File
Open Archive Ctrl – O
Save
Text Ctrl – S
Attachment
HTML Report Ctrl - E
Print Ctrl - P
Window 1…
Window 2…
Window 3…
Exit
Edit
Copy Message Text to the Clipboard Ctrl – C
Delete Message Del
Refresh F5
View
Columns Ctrl – L
Preferences F12
Journal of Blacklists and Whitelists Ctrl – J
Actions
Blacklists (Address blocks: From, To)
Whitelists (User Exceptions: From, To)
Add message to spam vector set Ctrl – A
Add message to ham vector set Ctrl – H
Resubmit to Guinevere Ctrl – R
SQL
Set Filters Ctrl – Q
Previous Chunk Shift – F6
Next Chunk F6
Go To Ctrl - G
Copyright © 2005 - All rights reserved.
102
Guinevere 3
View attachments
Archive Viewer allows users to right click attachments so that the contents can be examined. For
example, you can right click in the Attachments section of the Archive Viewer to see attachments in the
secure browser.
This addition to the
Guinevere Archive
Viewer feature set
allows administrators
to examine many
attachments,
including Zip
archives. This allows
for fast analysis of
attachments for both network
security purposes, but also for
the enforcement of corporate
communication policies.
The Archive Viewer secure browser disables
ActiveX, cookies, java and javascript but
you can also view HTML and graphics.
Security precaution
For security, image loading is off by default
in the Archive Viewer’s embedded secure browser. It can be switched if needed. The reason disabling this
is because of exploits which use image formats that can take control of computers.
Right clicking
The Guinevere 3 Archive viewer also introduces context sensitive right clicking. The mail elements in the
rows and columns have meta
attributes. These alter the way right
clicking behaves. Depending upon what
is being selected, context sensitive
options available include:
Copy selected column
Find Text
Previous Chunk
Next Chunk
Open Spam ID file in Notepad
Blacklist address (From, To)
Whitelist address (From, To)
Add the message to the
SmartBlocker Manager spam
vector set
Add the message to the
SmartBlocker Manager ham vector set
The options available change depending upon the column. All options remain visible, but some may be
greyed-out. Finally, the right click options available are the same in both Folder and SQL mode. Note that
you can select multiple items in the overview.
Copyright © 2005 - All rights reserved.
103
Guinevere 3
White and Black List
Adding a message to your “book” of white or black lists is accomplished by first
selecting the message, then selecting White List or Black List by right clicking.
Note: The Happy or Unhappy Face buttons in the toolbar are NOT for black or whitelisting. They are for
adding archived mail to SPAM and HAM vectors. There are more options available to whitelisted addresses
than there are for blacklisted ones. Both White and Blacklists can be applied directionally (To, From or
Both). However, whitelisting can be more customized to permit specific forms of white listing.
For example, messages from a graphic arts firm may be exempted from oversized attachment blocks.
Options include:
Oversized Messages
Virus Scanning
Content Filtering
Attachment Blocking
RBL
Address Blocking
SuRBL
Spam
Fingerprinting
Red, Green and Blue
Message IDs change can change colour when marked as Ham, Spam, and Resubmitted: Red for mail that
was marked as spam and green for mail which marked as spam and Blue for resubmitted messages. Note:
Messages may also be marked grey when inaccessible.
Headers
The message headers displayed in the Archive Viewer also contain information about why the message
was blocked by Guinevere and stored in the archive. Remember that you must manually set Guinevere to
archive a specific type of message or it will not appear in the Archive.
Guinevere now inserts two X-headers when applicable:
X-ArchiveReason: shows which Guinevere filter caused the message to be archived (an Address Block in the example
above).
X-IDFileName: shows the file attachment—either virus or blocked file—that caused the message to be archived.
Additional Message Information
The text and file attachments are also shown in the main viewer area when a message is selected. And, of
course, the elements in these windows can be right clicked according to their attributes, as can much of
the other archive entries in the viewer.
Text Body section
The bottom right corner of the Guinevere 3 Archive Viewer reveals the actual content of the message.
You can see all the formatting information in plain code.
Copyright © 2005 - All rights reserved.
104
Guinevere 3
Resubmitting Messages
When resubmitting a message, it is tagged
so that Guinevere will not run it through the
Guinevere policies a second time. To resend
a message, click the Resubmit button on the
toolbar.
To resend a message, click the Resubmit
button. In the Resubmit Options window
that opens, the To, From, and Subject
information should already be in place. You
can enter additional information to be
delivered with the redirected message in
the Notice text box.
View Columns
The Archive Viewer lets administrators
customize which columns are shown for
sorting. Select the Columns from the View
Menu or press Control+L. A window listing
the sorting columns available in the Archive
Viewer will be presented. Enable the
checkboxes needed to present the columns
required.
Copyright © 2005 - All rights reserved.
105
Guinevere 3
Appendix 1: AV Integrations
Command Line Introduction
Guinevere supports command line integrations. The general method (with a few exceptions) consists of
running a AV scanner using command line switches, and getting appropriate feedback from the scanner to
indicate the presence or absence of infection in a scanned file.
Command line integrations work well and will continue to be enhanced in Guinevere. In particular they
offer some advantages over UniversalAV – integration of scan logs and cleaning options for some AV
scanners – and some disadvantages – higher memory footprint.
All command line integrations require the following:
That any real time scanner (e.g. one that scans infected files as they are created) be either turned off entirely or at
least exclude the C:\GUIN3 directory and all subdirectories.
That the PATH environmental variable be set to include the directory path (excluding the filename) where the AV
scanner EXE resides. The PATH variable is configured in AUTOEXEC.BAT in Windows 9x/ME and in the Environmental
Variables section of the SYSTEM control panel in Windows NT/2000/XP. If you can open a DOS box, go to any arbitrary
directory and type the AV scanner executable filename (without path), and have it execute, then it is properly
configured
Choosing between a command line integration and UniversalAV is not always straightforward. Most AV
scanners are supported by both methods; some are not. Read these notes, and the UniversalAV notes, and
experiment.
Please note that the following notes are not complete or fully updated. The most updated technical
notes can be obtained by clicking on the appropriate AV scanner integration in the Select Anti-Virus dialog
box. Please read these!
Specific AV Product Notes
McAfee Virus Scan Enterprise 8.0i, version 8.0.0
The consumer version of this virus scanner is not supported. To add a command line integration of
McAfee:
Add 'C:\Program Files\Common Files\Network Associates\Engine' to the path.
Disable the on-access and on-delivery e-mail scanner.
There is a separate integration labeled “McAfee [with Cleaning]”. This is identical in function to the
standard integration, except the recipient will receive a second e-mail a few minutes later containing a
ZIP file of the disinfected attachments.
Norton AntiVirus
Guinevere supports versions 4, 5, 6 (sometimes known as 2000), 2001, 2002 of this product. Please see the
Intel Landesk section for NAV Corporate Edition support.
Copyright © 2005 - All rights reserved.
106
Guinevere 3
NAV 5/6/2001
There are two options:
Use the NAVDX integration. This runs NAVDX, which is a DOS protected mode scanner. This is the recommended
solution, providing full protection and maximal performance. This only works on Win9x/ME, however.
Use the NAVW32 integration. This runs NAVW32.EXE (some versions of NAV call the main NAV program a different
name, in which case VIRHTRD.BAT will need to be edited appropriately). This is NOT recommended as a general rule. It
is slower and consumes more memory. Additionally, scan logs will NOT be appended to e-mail reports to the
administrator (use NAV's built- in alerting techniques). Please note that if you use the NAVW32 integration, there are
some specific configuration instructions that must be followed, (see next).
NAV 2002/2003
You must use the specific NAVW32 integration listed for NAV 2002 (not the older one). There are also
some specific things you need to do, listed below.
Using NAVW32 – Special Settings
After installing NAV and before running Guinevere for the first time, be sure to go to the Norton Utilities
Options screen. Turn off AutoProtect.
Under the Manual Scans category, make sure the following are set correctly:
Items to Scan in Addition To Files -- These should all be deselected.
How to Respond When a Virus is Found:
NAV 5/2000/2001: Set this to delete the infected file. This is Crucial.
NAV 2002: Set this to Repair, then Quarantine.
File Types to Scan – All
Scan within compressed files - Guinevere automatically decompresses files for you, so this is optional.
InoculateIT 6.0/7.0
There is one integration and it works quite well. The INOCMD32 integration is for the 32 bit command line
scanner packaged with this product. It works on all Win32 OSes.
F-Prot
The situation with F-PROT is a bit confusing. Different companies sell F-PROT in slightly different
packages all over the world.
Command Software F-PROT
There are both DOS and 32-bit command line scanner integrations available. The latter is preferable.A
more reliable and more heavily tested integration. It runs the DOS FINDVIRU command line scanner.
Intel Landesk/NAV Corporate Edition
Intel Landesk version 5.x is supported. The VSCAND DOS command line scanner is used for this integration.
It does work, quite well, on all OSes. It is located on disc 2 of the NAVCE distribution, and must be
installed separately.
Sophos 5.0.1
Add C:\Program Files\Sophos\Sophos Anti-Virus to path. Then, in the on-access settings, remove the
checkmark from the enable on-access scanning for this computer.
Copyright © 2005 - All rights reserved.
107
Guinevere 3
For Windows NT/200X/XP users, the preferred solution is the SAV32CLI.EXE program. This is a 32 bit
command line scanner. Some installation notes are quoted from the SAV32CLI README: "By default,
SAV32CLI uses the scanning engine and virus data of the local installed version of Sophos Anti-Virus for
Windows NT via the Sophos Anti-Virus (SAVI). If no local installation is detected, it will look for the
following files: SAVI.DLL, OSDP.DLL, VEEX.DLL, and VDL.DAT to perform its scan. They are provided on
this CD in the WIN32\I386\SAV32CLI folder. All the files listed above must be present, either in a local
installation of Sophos Anti-Virus for Windows NT or in the same folder as SAV32CLI.EXE itself"
Norman Virus Control
Norman Virus Control is supported. There are two options:
The preferred solution is the NVC32 integration. This boasts 32 bit command line support, with good performance and
memory usage. This works for Norman v4. Norman v5 users should select the NVCC integration, which provides similar
functionality.
The older solution for this vendor is still supported. This was the NVC DOS command line scanner.
Trend Micro/Touchstone Software PC-Cillin
This product is marketed by Touchstone software, but the AV technology is licensed from Trend Micro.
The DOS based command line scanner (PCSCAN) is supported.
Grisoft 7.0
. It has been reported to work with Grisoft version 7 on all WinOSes
UniversalAV Integrations
Please read these notes carefully!
In theory, Guinevere supports nearly any real-time scanner, without needing to configure or install
command line scanners. This means virtually any AV vendor can be supported, with relatively few
configuration changes.
In practice, you MUST follow carefully AND UNDERSTAND these instructions or else it is more than likely
that files will NOT be scanned correctly (or scanned at all)
You are not required to use UniversalAV with Guinevere. All of the old command line integrations are still
available, will remain supported and continue to be enhanced. In some cases, the command-line
integration offers a superior experience. For example, the command line integrations often offer extra
“goodies” like cleaning of infected files, or inclusion of the scan log in the e-mail notification to the
Administrator. None of that is available with UniversalAV.
For some users (particularly those of NAVCE), however, the command line options are considerably
inferior to UniversalAV in most ways.
If you choose to use the command line integrations, be sure to follow the instructions in the technical
notes that appear when you select that integration. In particular,
Real-time scanning should be off entirely, or at least exclude the C:\GUIN3 directory and subdirectories
The command line executable must be in the PATH. (Guinevere now checks this automatically and warns you when you
try to scan.)
Requirements
The AV real-time scanner must be configured as follows:
It must not SCAN C:\GUIN3 (the program directory) and its subdirectories, particularly the Work directory
(which you might have reconfigured elsewhere, but is at C:\GUIN3\WORK by default). It SHOULD also
ignore all network drives, or at least the GroupWise directories, or else conflicts may occur.
Copyright © 2005 - All rights reserved.
108
Guinevere 3
It MUST SCAN C:\STAGE and its subdirectories. Guinevere will copy files here for scanning. If one would
rather use another directory for staging, edit VIRTHRD.BAT. However, the staging directory should be on
the same drive as the Work directory (which must be excluded from scan), which is usually
C:\GUIN3\WORK
It MAY SCAN other subdirectories freely. Guinevere does not care, so you can continue to protect the rest
of your server/workstation.
It MUST BE configured to scan all files regardless of extensions. That is probably standard procedure
nowadays, given the plethora of malignant extensions
It MUST BE configured to perform one of the following actions if it finds a virus.
DELETE the infected file
DENY FILE ACCESS to the file
It MUST NOT pop up annoying messages to the workstation boasting about its amazing virus scanning
prowess. If it does, you have to use VFIX with it. Now, many real-time scanners can be configured to fit
these requirements, but some do not, and consequently, they will not work.
Copyright © 2005 - All rights reserved.
109
Guinevere 3
How UniversalAV Works
It is prudent to understand how Guinevere performs
It copies the files to the C:\STAGE directory.
It waits at least the delay in seconds specified as the Universal AV Base Delay (main AV Screen), and adds to this the
Incremental delay per MB of files.
When the time delay expires, Guinevere looks to see if any files have been removed or altered. If they have, it assumes
there was a virus present. If not, it assumes there was not.
Obviously, the delay parameters may need to be adjusted particularly if your company commonly sends very large files
or very complicated archives (with many subdirectories). Guinevere can only guess the AV scan is done - it does not
know for certain! (Actually this statement is excessively pessimistic .In testing, we have found most AV products
tended to block access to the file entirely until the scan was done, in which case the delay needs to be minimal at
most.)
One final unfortunate aspect - to find out any info like "What virus was it that was sent to me (the system
administrator?", you must check the AV System logs on the Guinevere machine. Guinevere has no means of assessing
this. A significant mitigating factor, however, is that many AV Vendors include e-mail/SNMP notification so
Administrators can be notified of infection. This may of course, be used, though connecting a specific e-mail with the
infection will be problematic.
Additional Comments
Note that Guinevere was tested on the Workstation editions noted below. If you are running a server
edition, you may have to make extra effort to find out if the GWIA directory is being scanned (which
would be bad). You may have to add the whole GW domain directory to the exclusions. It might not be a
bad idea to mentally note this every time excluding C:\GUIN3 is suggested below.
Some of the AV products create automatic scheduled tasks - these are automatic scans running at regular
intervals. Disable these or at least make sure they do not scan C:\GUIN3, C:\STAGE, or the GWIA
subdirectory.
While the AV program is performing an update of its signatures, there might be about 30 seconds where
the realtime monitor is not working (varies by vendor). Now technically this issue is true of the COMMAND
LINE scanner too, and has not been a common problem before. Obviously, since most of the live update
features provided by vendors let you schedule their updates, the best answer is to schedule it for an
extremely idle period to minimize probability of a virus getting through.
Test as follows:
Configure product as described above and in the notes below.
Attempt to download EICAR.COM from www.eicar.org to your desktop. It should fail. This indicates the real-time
scanner is on.
Unzip EICAR.ZIP in the C:\GUIN3 directory. It needs to be unzipped several times, until the EICAR.COM file comes out.
It should NOT be touched, because you are under an excluded directory (It should be 68 bytes by the way), and you
should be able to make untouched copies of it freely within the C:\GUIN3 tree.
Send an outgoing message with a benign attachment (text message as well) All should be well.
Send an outgoing message with EICAR.COM (text message as well). It should be caught.
Reverse the direction!
Specific AV Product Notes
McAfee v 5, 6.02, 7.0,8
The consumer version of this virus scanner is not supported. Here are the details necessary for the
successful virus scanner integration:
The on-access virus scanner must be on. In properties, go to the messages configuration options and remove check
from 'show the messages dialog when a virus is detected' checkbox
Leave check in 'delete files' checkbox but remove all others.
Exclude the c:\guin3 directory from being scanned.
Copyright © 2005 - All rights reserved.
110
Guinevere 3
NAV Corporate Edition 7.0/7.5/7.6/8.0/8.1
(Version7.5 tested)
Also straightforward, but a few more details:
Norton Antivirus services must be loaded
Go to Configure/File System Real Time Protection
Enable file system realtime protection, and select ALL files
Set these actions for both macro and non macro viruses:
First action: Delete, second action: Quarantine
Uncheck network drives. This is important, or the computer may scan the GWIA.
Uncheck Display Message on Infected Computer
Check the Exclude files/Folders, and configure it to exclude c:\guin3 and subdirectories.
NAV 2002/2003
Go to OPTIONS
Under AutoProtect, turn on AutoProtect, and make sure Comprehensive File Scanning is enabled.
Action should be Deny Access to Infected Files (cleaning will NOT work)
Exclusions: add c:\guin3 and subdirectories. You might also add the network drives.
Optionally, script blocking and e-mail scanning should be off
Now, create in Notepad a file called VFIX.INI with these contents
o
[Settings]
o
WindowName=Norton
o
DontDoChey=True
Save the file to C:\GUIN3 (make sure Notepad does not add .TXT to it)
Add LoadVFIX=1 to the [Miscellaneous] section of Guinevere.INI (VFIX will now autoload whenever Guinevere is loaded).
NOTE: Because of the difficulties involved in suppressing pop-ups with NAV 2002, we lean towards
advising that the regular NAV command line integrations be used instead of UniversalAV.
ETRUST INOCULATEIT 6/7
Choose Realtime Options
Scan Tab
Direction - Incoming and Outgoing files
File Actions - Delete Files
Selection Tab
Regular Files - All Extensions
Filters Tab - Add C:\GUIN3 as an excluded directory.
Advanced
Protected Areas - Turn off Protect Network Drives.
Turn off Realtime Pop-up messages.
Copyright © 2005 - All rights reserved.
111
Guinevere 3
Command Software's FPROT
Preferences
Reporting - turn everything off
Active Protection
Enable DVP on
Uncheck Network Drives
Select Delete Files as the action
Files to Include/Exclude:
Add c:\guin3 to excluded directories .
Search on your drive for DVPRPT.EXE and rename it to DVPRPT.OLD. There may be multiple copies. This
admittedly drastic step suppresses the pop-up messages entirely. There does not appear to be a
“standard” way of doing so.
SOPHOS
In the On-access setting go to the scanning options:
Check the scan all files as well as the scan inside archive files checkboxes.
Exclusions: c:\guin3.
TRENDMICRO PC-CILLIN/OFFICE SCAN
Go to the Real-Time Scan page
Enable Real-Time scan
Scan ALL file types
Uncheck Clean Compressed Files
File Action: Deny Access or Delete File
Exception Files: Add C:\GUIN3 as an exception, as well as network drives.
Note - There appears to be no way to suppress the pop-up message. One could use VFIX (similar to the
instructions under NAV 2002, but with WindowName=OfficeScan), it probably is not necessary as the popup box is "intelligent" (it is not buffered, so there is only one queued in memory at any time).
KASPERSKY ANTIVIRUS (formerly AVP)
Some may find this product’s interface a bit difficult, but it is a full-featured product with many options.
Load the Antivirus Monitor. It will appear in the taskbar. Right-click, choose Kaspersky Antivirus Monitor
Settings. Double click on the EXPERT tab. This is important, because you do not get all the choices
otherwise. It is at the lower left of the screen.
Customize Tab
Use Sound Effects set to OFF
Display Attention Messages set to OFF
Objects Tab
Set the Action to REPORT ONLY
Set the Scan types to ALL FILES
Turn off Scan Sector, Scan Memory.
On the left side of the screen, navigate to the C:\GUIN3 directory and uncheck it from scanning. This is not obvious,
but that is how you exclude it. Also, uncheck any network drives listed here.
Copyright © 2005 - All rights reserved.
112
Guinevere 3
DATA FELLOWS FSECURE
This product is difficult to configure correctly unless you are an experienced administrator. The
workstation install MUST be a managed workstation (not standalone) as several required options are only
available via the Policy Manager. I suggest creating a separate domain containing only this workstation, so
you can heavily customize the policies without affecting other workstations
Here are the settings you need to make in Policy Manager. Many of them you may want to mark as FINAL
to force the setting. See the Policy Manager manual for information. In addition, configure automatic
updates here.
Under the Management Agent tree
Under Alerting, is a tab called Alert Forwarding. Scroll the grid on the right to the right, and one will see that there is
a Local User Interface section. Uncheck all the checkboxes under this column.
Under the FSECURE AV tree
Under the Settings for Real Time section
Enable Scanning
Under the File Scanning section
Scan Files = ALL
Action on Infection = Delete Automatically
Scan Network Drives = disabled
Under Inclusions and Exclusions section
Excluded Objects Enabled = Enabled
Add the C:\GUIN3 subdirectory as an excluded object.
ESET NOD
Go to AMON control center, and choose SETUP
Under Actions, uncheck the Display Warning Panel
Under Exclude, exclude the C:\GUIN3 directory and network drives.
AVAST32
Go to the On-Access Control dialog
Choose Standard Shield and View/Change settings
Scanner (basic) - leave everything on
Scanner (advanced) - turn everything on, and change to ALL FILES for the created/modified option
Advanced - turn Silent Mode on, default action = NO.
Advanced - Add C:\GUIN3\* to your exclusion list (the * is important!). You may also want to add your network drives.
Dr. Web
Right-click on the Spider icon in the taskbar, choose Settings
Scan tab
On Access Scan: Turn off Smart Scan, leave other two checkboxes on.
File Types tab
All files should be selected
For all the subtabs under Actions and Archives, make sure DELETE is chosen as the action (that's about 6
subtabs) Add C:\guin3 as well as the network drives to the Exclusion box in the Path tab.
Copyright © 2005 - All rights reserved.
113
Guinevere 3
Norman Virus Control
Go to the Configuration Editor
Under Common Settings
Select all of the Scan Items
Select all of the Exclude Items
Add to the Exclude List C:\GUIN3
1.
Under On-Access Scanner
Leave everything as inherited from Common Settings
Set as your cleanup option to Deny Access
There is no way to tell Norman not to pop-up its alert windows.
You need to request a special file from me, called KILLNORM.EXE, which can kill the pop-up windows the
alert will generate. Add one line to VIRTHRD.BAT, to do this, which does admittedly, however, make it
tempting to use the command line integration instead of UniversalAV for Norman.
RAV 8.6.103
Right Click in system tray: Monitor/Configure.
Action Settings
Set all 3 actions choices to BLOCK
Uncheck "Dialog when virus found"
Engine Settings
scan all files
Add <xxx> to excluded list
Exclude all network drives.
Note: support for a command line integration of RAV is also possible and will be provided upon request.
MicroWorld eScan
Monitor Settings
Monitoring On
Scan on Write On
In case of infection
Automatic Action should be set to Block Access to File
Objects should be set to all files
All Files: Excludes
Add C:\guin3 as well as network drives
VirusBuster (Hungarian)
Go to the VBSHIELD settings
General Settings: Turn off Display Warning Messages
General Scan Settings
Turn on Deny Access to Infected Files
Copyright © 2005 - All rights reserved.
114
Guinevere 3
Scan Area Settings
All Files
Scan Method Settings
All 4 of the If .... found menus should be set to DELETE.
Excluded Paths Settings
Add C:\GUIN3 as well as your network drives to the box.
Panda Antivirus Platinum 6.26
Launch the main Panda product in Advanced mode.
Click on Permanent to your left. Now choose Configure from the top.
Scan Tab
Scan All Files
Uncheck Novell Network/Windows Network check boxes
Compressed Files on.
Actions Tab
Prevent Access to Infected File
Exclusions Tab
Add the C:\GUIN3 directory to the list of excluded folders.
Warnings Tab
Turn off the Display Warning to Workstation
BitDefender 7.1
Right click on icon in taskbar and choose options.
On the Main Control Center:
Select Virus Shield. Make sure it is enabled
Turn off Enable email protection and Monitor registry behavior.
Make sure Protect file system & p2p transfers is active, and click advanced.
Enable Scan Accessed files and P2P transfers
Scan all files and Scan inside archives should also be enabled
Action and Second action to take when a virus is found should be Deny Access and Continue.
Uncheck Show warning when a virus is found
(optional) Set Do not scan files greater than ____ kbytes to 0 (which means all files, regardless of size)
Under Exclude path from scan, add C:\GUIN3 and any network drives.
Unsupported Products
eSafe Antivirus (Eliashim repackaged)
Grisoft (AVG) (free version, corporate version works fine)
Vexira (commercial version of ANTIVIR)
Copyright © 2005 - All rights reserved.
115
Guinevere 3
No ability to exclude directories (just files and extensions) Therefore this trio is UNSUPPORTED by UniversalAV unless
this situation changes.
QuickHeal
VirusBuster II (Leprechaun)
QuickHeal is frankly a limited product and not recommended. And as for VirusBuster II, they've taken a decent product
from which they licensed the engine (VirusBuster (Hungarian)) and reduced its functionality. Both have significant and
unsupportable failings.
Inoculan 4.0/4.5
This cannot be supported as it does not support excluding specific directories (only file extensions).
Unfortunate, because we were really hoping to enhance support for this product. However, eTrust
InoculateIT 6 does work, so we do not anticipate further enhancements to 4.5
Copyright © 2005 - All rights reserved.
116
Guinevere 3
Appendix 2: How Guinevere Works
In order to understand how Guinevere operates, it is important to comprehend how messages flow in and
out of the GroupWise Internet Agent (GWIA).
The examples below illustrate this. The examples assume a simple installation, one where the GWIA is
installed as a subdirectory of one of your GroupWise Domains. The domain in question is named
MYDOMAIN and is housed on the file server MYFS on the MYVOL volume. All gateways are stored as
subdirectories of the WPGATE directory. Normally therefore, you will find the main GWIA directory at
MYDOMAIN\WPGATE\GWIA. A single sender and recipient will be assumed for the purposes of simplicity. (If
you have updated your gateway from the older SMTP/MIME directory, however, your GWIA gateway might
very well be located at MYDOMAIN\WPGATE\SMTP.)
Message Flow When Guinevere is Not Installed
The GWIA directory contains four relevant subdirectories: SEND, RECEIVE, RESULT, and DEFER.
Sending a Message
When a user sends a message with an Internet recipient, GroupWise routes the message to the GWIA. The
GWIA is a multithreaded program. This means various processes can all run more or less simultaneously.
In the encoding process, the message is "translated" into proper Internet message format. This requires
building all of the header lines (TO, FROM, SUBJECT, etc.) that you often see attached to a message. File
attachments are typically "encoded" into one of three encoding formats:
MIME - This is by far and away the most common and universal format now. The GWIA defaults to translating all
messages into MIME format. (Strictly speaking, MIME really refers to the set of standards governing the structure of the
body of an e-mail message and its attachments, not the encoding. Mime Attachments are encoded in either Base64,
Quoted-Printable, or ASCII text. However, it is common usage (if a bit misleading) to refer to both the structure and
the encoding methods as MIME format.
UUENCODE - This is older, but still a common format. It is much less flexible than MIME. You might need to use it to
communicate with older e-mail programs.
BINHEX - This format is used on Macintosh computers, because the file format is not properly preserved using other
encoding formats. Even on the Mac, it is becoming less common.
The message is now ready to be sent. The GWIA drops the file into the SEND directory. The file now has
an eight character encoded name (S596D596.041 is one example). Later, a separate process of the GWIA
program attempts to contact the recipient's mail server. The success or failure of each transmission is
recorded in simple text files in the RESULT directory. (Two files in the RESULT directory correspond to
each file in the SEND directory. Both have identical filenames except for the first character. One file,
whose filename begins with "S", is an exact copy of the SEND file. The file starting with "R" is a transcript
of the actual transmission session. These can be very useful for debugging, and is utilized by Guinevere
for tracking 2xx, 4xx, and 5xx messages.)
If successful, the message is removed from the SEND directory as well as the RESULT directory.
If unsuccessful, the message is placed in the DEFER directory. GWIA will attempt to contact the recipient multiple
times over a four-day period before giving up.
Receiving a Message
This is similar to, but simpler than sending a message.
A mail server contacts the GWIA and initiates transmission.
If the transmission is successful, a GWIA process places the file in the RECEIVE directory.
A separate process eventually picks up the file and "reverse-translates" it from Internet format to
GroupWise format. The file is then passed to the domain's input queues (MYDOMAIN\WPCSOUT), and the
MTA routes the message to the appropriate GroupWise user.
Copyright © 2005 - All rights reserved.
117
Guinevere 3
Message Flow When Guinevere is Installed
The basic fundamental flow of messages remains the same when Guinevere is installed. The crucial
difference is that GWIA will pass messages first to Guinevere for analysis and processing before passing
them back to GWIA.
Setting the SMTP Services Directory parameter in NWADMIN/ConsoleOne, provides this opportunity. This
directory can be located on any volume, server, or directory that both GWIA and Guinevere have full
rights to. To keep it simple, it is recommended that the following location be adopted:
MYDOMAIN\WPGATE\GWIA\THIRD.
The THIRD directory has three directories of its own: SEND, RECEIVE, and RESULT. These will be referred
to as THIRD\SEND, THIRD\RECEIVE, and THIRD\RESULT to avoid confusing these directories with the SEND,
RECEIVE, and RESULT directories located below MYDOMAIN\WPGATE\GWIA.
Sending a Message
The beginning of this process behaves in exactly the same manner as when Guinevere is not installed: The
user sends the Internet message, it's translated to Internet message format from GroupWise message
format, and it is dropped in the SEND directory.
However GWIA never transmits messages to the Internet from the SEND directory. As far as GWIA is
concerned, files will continue to queue up indefinitely.
Guinevere has been waiting for new messages to come into the SEND directory. Guinevere analyzes the
file, performs any necessary actions, and (assuming the file is not infected) drops the file into the
THIRD\SEND directory.
GWIA picks up the file from the THIRD\SEND directory and transmits it to the recipient's mail server. The
results are placed in THIRD\RESULT. Unsuccessful transmission results in the file being placed in the
DEFER directory and cycle repeating until success or four days have elapsed.
Guinevere (as long as Clear Results is enabled) moves files from THIRD\RESULT to the RESULT directory.
GWIA can then process these.
Receiving a Message
The beginning of this process behaves in exactly the same manner as when Guinevere is not installed: A
mail server contacts GWIA and transmits the message, which is placed in THIRD\RECEIVE .
However, GWIA never removes the file(s) from the THIRD\RECEIVE directory. As far as GWIA is concerned,
files will continue to queue up indefinitely.
Guinevere has been waiting for new messages to come into the THIRD\RECEIVE directory. Guinevere
analyzes the file, performs any necessary actions, and (assuming the file is not infected) drops the file
into the RECEIVE directory.
A separate GWIA process eventually picks up the file and "reverse-translates" it from Internet format to
GroupWise format. The file is then passed to the domain's input queues (MYDOMAIN\WPCSOUT), and the
MTA routes the message to the appropriate GroupWise user.
Using Message Flow for Debugging Purposes
Once you understand the message flow, it is very easy to trap selected messages for examination. This
allows mail administrators to check "problem" messages and resolve any issues that crop up with them. All
you have to do is stop Guinevere temporarily by exiting it. Files will be stored in the queues and you may
examine them at your leisure. Use this for:
Diagnosing messages that ABEND the server
or crash Guinevere.
Sending in a problem message to Guinevere
technical support.
Undelivered messages.
Unusual circumstances
Copyright © 2005 - All rights reserved.
118
Guinevere 3
Appendix 3: Pattern Matching
Guinevere uses powerful pattern-matching algorithms to provide maximum flexibility. Pattern Matching is
useful for: setting up multiple signature files, mail filters, user exceptions, et cetera. These case
insensitive pattern matches are performed against the entries you create in: Mail FiltersUser Exceptions
A more simplified algorithm is used in Attachment Blocking (basically just the straight DOS batch file
syntax) Pattern matching has changed a bit in Guinevere. For customers of previous versions, who used
<PIPE>,<LBRACK>,<RBRACK>, reading the following is particularly important, namely because it is not
necessary anymore.
Normally, pattern matching is straightforward. Use * and ? like you are used to....(e.g. *free* matches
anything with "free" in it.)
The special matching operators are:
? Any single character
[charlist] Any single character in charlist.
Zero or more characters
[!charlist] Any single character not in
charlist.
# Any single digit (0-9)
A group of one or more characters (charlist) enclosed in brackets ([ ]) can be used to match any single
character in string and can include almost any character code, including digits. By using a hyphen (-) to
separate the upper and lower bounds of the range, charlist can specify a range of characters.
For example, [A-Z] results in a match if the corresponding character position in string contains any letters
in the range A-Z. Multiple ranges can be included within the brackets without delimiters.
In the Miscellaneous section of the Configuration Program, there is a Test a Pattern option. This can be
used to test matches. The interface, pictured below, is straightforward, with two entry fields and a
button to run the test.
Special Cases
Because the [,],?,#,* characters are used as special operators, they must be specified in strings.
To match the left bracket ([), question mark (?), number sign (#), and asterisk (*), enclose them in
brackets.
e.g. [ ---> [[]
? ---> [?] # ---> [#]
* ---> [*]
The right bracket (]) CANNOT be used within a group to match itself, but it can be used outside a group as
an individual character.
Examples
Example 1.Look for anything with free in it: Pattern 1. *free*
Example 2. Look for anything with [free] in it: Pattern 2. *[[]free]*
Example 3. Look for anything with # sign in it (e.g. My hot website is #1): Pattern 3. *[#]*
Example 4. Look for anything with 4 ???? in a row: Pattern 4. *[?][?][?][?]*
Copyright © 2005 - All rights reserved.
119
Guinevere 3
Appendix 4: Fingerprinting
This appendix provides more detail on how the fingerprinting algorithm works, and various caveats.
Fingerprinting does work very well, and false positives are very rare, but a little understanding of the
concept goes a long way.
Fingerprinting works by looking for certain signature bytes. When there are four or five of these, the
chance of misidentifying (due to random bytes happening to be in the wrong place) is small. It is actually
more favorable than that, because the signatures must usually be located in a very specific location.
For probably 85 of the 100 or so types fingerprinted by Guinevere then, the fingerprinting reliability
approaches 100. Assuming random distribution (which is NOT a correct assumption, generally more
favorable):
# of bytes
How often false positive occurs
1
1 in 256
2
1 in 65536
3
Approx 1 in 16 million
4
Approx 1 in 4 billion
5
Approx 1 in 100 billion
For a few items, there are only one or two bytes used as signature. This makes the chance of
misidentifying the attachment considerably higher. In most of these cases, Guinevere then looks for
extensions that correspond to the common types and assigns a higher “confidence” if these correlate. It’s
important to realize that the fingerprinting is generally independent of the filename – the extension will
be used (if relevant) only if useful.
The rest of this appendix will concentrate on discussing common fingerprinting signatures, and possible
issues.
Identifying Executable Files
Broadly speaking, there are three types of executable files:
COM type executables (normally with COM extension)
DOS EXE executables (normally with EXE extension)
Windows EXE executables (normally EXE, SCR, OCX, DLL, CPL, VXD, SYS, ACM extensions – probably others.)
(All the infamous virus spoofs of the past have really consisted of creating one of these types of files, and
then changing the extension)
Now, a DOS EXE executable always must have its first two bytes start with MZ or ZM, or the EXE will fail
to run. However, that does in theory give a 1 in 65536 of misidentifying the attachment (That’s
excessively pessimistic really because virtually all file format creators know to avoid this particular
signature at the beginning of the file!). Any file with the signature is identified as DOS EXE (low
confidence). If, in addition, the extension is EXE, Guinevere identifies the item as DOS EXE (high
confidence).
Now a Windows executable always has the DOS EXE signature. In addition to this, it has an additional 2byte signature of PE, LE, or NE. Again, if this signature is altered, the program will not run correctly.
Since this is a total of 4 bytes, it is quite reliable and unlikely to be misidentified. Notice that SCR
(screensavers), OCX (ActiveX), CPL (control panel), VXD (drivers) and DLL (Dynamic linked libraries)
actually have the SAME internal structure. Thus Guinevere will identify any item with the Windows
executable signature as Windows Executable, but if they have these extensions, it further sub classifies
the identification.
Finally, there is a COM file. COM files are actually nearly impossible to identify reliably. There is no
standard header for a COM file – they merely consist of assembly language code loaded and executed
directly. Guinevere looks for several common one-byte signatures (only somewhat reliable) and assigns
the identification “COM (low confidence)”. If in addition the extension is .COM, the file is identified as
Copyright © 2005 - All rights reserved.
120
Guinevere 3
“COM (high confidence)”. So COM files have a moderate chance of causing false positives and/or false
negatives, to which we not aware of any technology available anywhere that can do better. The
mitigating factors (sounding like an MS Security Bulletin) are that a true COM file (as opposed to, say an
EXE renamed to COM) cannot be more than 64K in size AND cannot call on Windows APIs. This makes these
rare for modern viruses.
OLE2 Structured Storage Files
Several types of common documents are stored in OLE2 format. Among these are:
Virtually all Microsoft Office Documents (Word, Excel, etc)
Some WordPerfect Documents
Some Adobe Documents
OLE2 files can be thought of as a special archive format, because they actually have files stored inside the
main container file, complete with a directory, although they are not necessarily compressed internally.
Identifying a generic OLE2 file is easy – there is a 4 byte signature at the beginning of the file, that if
spoofed prevents the file from being opened. Therefore, Guinevere starts by labeling the file “Generic
OLE2 Compound Document”
Guinevere then reverse engineers the OLE2 format, and reads its internal “archive” directory. From this
Guinevere can subclass the identification further and identify the document as say, Microsoft Word, or
Microsoft PowerPoint.
Macros in Word and Excel are fairly reliably detected because they have specific directory names. This is
not the case with PowerPoint and Visio, which is why there is no classification option for PowerPoint
documents (with Macros) as distinct from PowerPoint documents without macros.
Is it possible to alter these signatures? Not from my testing it has not been. It must be acknowledged
however, that MS Office documents in particular seem rife with security vulnerabilities, to which the best
defense is constant patching.
Pictures and Multimedia
These all have long (and thus reliable) signatures (3-6 bytes), the only major exception being Windows
Bitmap files (BMP), which only have 2 byte signatures. Again, we assign BMP (low confidence) as the
initial identifier, and then if the extension is BMP assign high confidence. MPEG movies and MP3, sadly,
only have about 11 bits (1.5 bytes) of reliable header info, which is why there is no fingerprint option for
them.
Archives
Archives that are not self-extracting will be identified. Self-Extracting archives will be classified as DOS or
Windows executables.
Copyright © 2005 - All rights reserved.
121
Guinevere 3
A Closer Look at the Fingerprinting Options
If you understand the previous discussion (more or less), it’s now time to look at the fingerprinting
options again and see what some of them mean in more detail: Assume Enable Fingerprinting has been
enabled, Guinevere scans all file attachments using the algorithm described above. Of course, this is
more performance intensive then simply checking the extension with standard Attachment Blocking.
If the recursion option is off (recommended), only the first level of files decoded will be fingerprinting. If
the recursion option is on, all levels will be decoded. Now, you only have one level of files unless you
have an archive file (e.g. a ZIP) that has been decompressed. Thus, it is rarely necessary to enable
recursion except when very strict policies are in place. Again, it takes an additional toll in performance to
do so.
Skip Files with a TXT extension. If a file ends in .TXT, even if it is a virus, it is not going to execute. So
there are three reasons to skip files with TXT extensions:
Enhance performance
Generally a waste of time
Arguably the most prone to misidentification because of a random series of bytes that happens to coincide with a
document signature.
Moving to the pull-down menu, there are three options:
Block all forms of DOS and Windows executables
Block selected list below. Don't guess much
Block selected list below. Guess a little more.
The first option requests Guinevere to block all types of executables. It auto selects the appropriate COM
and EXE options, but it does a little more than that - In the main fingerprinting routine, it exits early,
after checking whether they are COM/EXE. So this is a faster option than would otherwise be available by
simply selecting these items manually from the list.
The next option blocks only the selected items. By “guessing” we really mean “is it OK to look at the
extension for more information”. This option will only look at the extension to further sub classify (e.g. a
Windows EXE header might be sub classified as a Windows DLL), not to change the identification entirely.
(e.g. a Word Document suddenly is identified as a BMP file just because it has a BMP extension)
The final option is not terribly useful right now. Very few fingerprinting options use them. This is for VERY
unreliable formats, where if the extension does not match, who knows what it is. (These include Notes
databases, DBASE files, and Organizer databases).
Copyright © 2005 - All rights reserved.
122
Guinevere 3
Appendix 5: Compression Formats
Many file attachments are compressed before being sent across the Internet. To properly scan these
attachments for viruses, one of two things must be in place:
The anti-virus program can itself possess the ability to scan within compressed archives. In fact, most AV programs do
tout this capability. In testing Guinevere, however, it was found that most AV programs' ability to scan compressed
files was simply unreliable, though the quality thereof has steadily improved over the years. (If you disagree, feel free
to enable your anti-virus program's compressed file scanning capabilities and disable Guinevere's by editing
VIRTHRD.BAT).
Support for many common compression formats must be provided by Guinevere. The decompression options are
provided in the Decompression Engine, which can be configured in the Miscellaneous section of the Configuration
Program. By default for performance enhancement, only ZIP archives are decompressed.
Below, the status of support for common compressed file formats and any known issues is listed. Note
that EXE files are also checked for these compression formats.
Zip - ZIP files are fully supported via the internal decompression engine.
Z, GZ, TGZ - GZIP files are fully supported via the internal decompression engine.
TAR - This is not a compression format, but is used by Unix machines to archive files. TAR files are fully supported via
the internal decompression engine
RAR - RAR files are fully supported via the internal decompression engine.
CAB - This is also known as the MSZIP format, and is used to distribute many Microsoft patching programs and file
libraries. CAB files are fully supported via the internal decompression engine.
ARJ - ARJ is not freely distributable, except in a severely limited form (UNARJ.EXE, which does not support long
filenames, overwriting existing files, or redirection of the output directory). Therefore, if you want to support scanning
of ARJ files, you must purchase ARJ from the manufacturer at <http://www.arjsoft.com>. Then, uncomment the lines
in VIRTHRD.BAT that refer to ARJ files.
LHA/LZH, ZOO, ARC, JAR - These are all relatively rare compression formats. You can add support for these formats by
obtaining decompression products for these formats and editing VIRTHRD.BAT appropriately.
SIT, SEA - StuffIt is the de facto standard on the Macintosh. The manufacturer has provided an excellent free utility
<http://www.aladdinsys.com/> that is capable of handling many compression formats including SIT and SEA. However,
their command line SIT decompressor is very old, and they apparently have no plans to update it. Therefore, this
format is not supported.
BZ2 - This is an up-and-coming mostly Unix-based tool. There is a command line for Win32.
ACE - Not currently supported.
Copyright © 2005 - All rights reserved.
123
Guinevere 3
Appendix 6: Creating the Services Directory
The following procedure may be of assistance for creating the Service Directory. This will require that you
exit and restart the GWIA. You may therefore wish to wait until a time that your users are less likely to be
using the GWIA.
Setting necessary information in NWADMIN (GroupWise 5.2/5.5)
Step 1
Start by launching the version of NWADMIN that you use to administer GroupWise (you do not need to do
this from the Guinevere computer). This is NWADMN95 for GW 5.2 and NWADMN32 for GW 5.5.
Step 2
Choose Tools, GroupWise View. Now locate your GWIA object. This might be named GWIA,. SMTP,
Internet, or whatever you named the object when you installed the GWIA. Double-click the object to
open it. What you do next depends on whether you are running GroupWise 5.2 or GroupWise 5.5.
Step 3
Follow the procedure needed for your version of GroupWise
GroupWise 5.2: Select the Advanced Settings tab on the right. Now scroll down the list box until you see the "SMTP
services directory (for third party use)" setting. Click it once.
GroupWise 5.5: Select the Server Directories sheet. Click the Advanced button. You'll see a box for the SMTP Service
Queues Directory.
GroupWise 6.0/6.5: Launch ConsoleOne. Go to the GroupWise View, and find the GWIA object. Open it up, and click
the Server Directories Tab. Now click Advanced.
Step 4
For All Versions
Enter the UNC path to the service directory. Do not use a mapped drive (remember this is running on a
server). Typically, you want the service directory to be named THIRD and be a subdirectory of your GWIA
directory. An example: in a server named GWTEST, on the SYS volume is a directory called MJBPRI
(containing the primary domain), and at MJBPRI\WPGATE\GWIA is the GWIA subdirectory. Please type:
\\GWTEST\SYS\MJBPRI\WPGATE\GWIA\THIRD
Click OK and exit NWADMIN/ConsoleOne.
Step 5
Restarting the GWIA.
Before restarting the GWIA, take the time to manually create the service directory (THIRD). GWIA will not
do this automatically.
Now exit and restart the GWIA. This is typically done by walking over to the server GWIA is running on,
switching to the GWIA screen, and hitting F7. The GWIA should unload fairly quickly. Now reload the GWIA
by typing "gwia" at the server prompt.
Verify that the GWIA has automatically created the following subdirectories underneath the service
directory: SEND, RECEIVE, RESULT. If it has not, repeat your actions in this section carefully. Remember
you must already have created the service directory; GWIA will not do this for you.
Copyright © 2005 - All rights reserved.
124
Guinevere 3
Contact Technical Support
Your copy of Guinevere includes 30 days or three incidents (whichever comes first) of complimentary
technical support. For all of your support and purchasing needs, please visit our home page at
www.gwava.com.
100 Alexis Nihon, Suite 500
Montreal, QC Canada H4M 2P1
Tel: +1 801 772 1880 in North America
E-mail: support@gwava.com
Copyright © 2005 - All rights reserved.
125
Download PDF
Similar pages