KB Article #101167
How can a virus enter my organization even though I'm using EMF?
Summary:
There are several ways that a virus can enter your organization, both through a misconfigured EMF server and through other channels. This technote describes these routes and suggests how to stop viruses from getting through. Tumbleweed recommends running a desktop virus scanner on the workstations within your organization to stop viruses introduced through these other channels.
Detailed Information:
** Virus Engine or Pattern Files are not current
EMF versions 4.5 and higher have push button updates for both pattern files and virus engine. Pattern files can and should be updated automatically at least once a week. You should monitor the Tumbleweed support bulletin for information on both virus engine updates and virus pattern updates, as well as information on how to protect your organization from new viruses. You can subscribe to Tumbleweed's product bulletin(s) from the Global Support Portal on the Tumbleweed website.
** Virus Policies are incorrect
A very common mistake when configuring virus policies is to unintentionally forward a copy of the virus to a user. There are two ways this can happen. The most common is to check the box to "forward a clean copy of the message" and then to process the original message normally. This combination of options results in two copies of the message: one "clean copy" and the original infected copy. The recipient receives both copies, one of which includes the virus. The correct option here is to "forward a clean copy" and drop the original.
The policy can also be configured to send a notification, which can include the original message. The original message in this case contains the virus. EMF 6.0 and later has a new notification option, "Don't send this notification if Email Firewall detected a virus in the message", which can be used in this case. Prior to 6.0, the correct option when sending a notification from a Virus Manager policy is to select the "include message header only" checkbox; this avoids sending new copies of a virus-infected message to other recipients.
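The two policy mistakes above can be checked mechanically. The following is an added example, not EMF's own code: it models the policy options the article names (clean copy, original handling, notification body) and reports every delivery that would still carry the infected message. Option names and the "suppress_if_virus" label for the 6.0 notification setting are assumptions used for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VirusPolicy:
    forward_clean_copy: bool   # "forward a clean copy of the message"
    drop_original: bool        # False = process the original message normally
    send_notification: bool
    notification_body: str     # "full", "header_only", or "suppress_if_virus" (6.0+)

@dataclass(frozen=True)
class Delivery:
    recipient: str
    kind: str
    infected: bool             # True if this copy still contains the virus payload

def simulate(policy: VirusPolicy, recipient: str, notify_to: str,
             infected: bool = True) -> list[Delivery]:
    """Return every message EMF would emit for one inbound message under this policy."""
    out = []
    if policy.forward_clean_copy:
        out.append(Delivery(recipient, "clean copy", False))
    if not policy.drop_original:
        # The original is delivered as-is, virus and all.
        out.append(Delivery(recipient, "original", infected))
    if policy.send_notification:
        if policy.notification_body == "full":
            out.append(Delivery(notify_to, "notification + original", infected))
        elif policy.notification_body == "header_only":
            out.append(Delivery(notify_to, "notification + headers", False))
        elif policy.notification_body == "suppress_if_virus" and not infected:
            out.append(Delivery(notify_to, "notification + original", False))
    return out

def leaks(deliveries: list[Delivery]) -> list[Delivery]:
    """Deliveries that would hand an infected copy to someone."""
    return [d for d in deliveries if d.infected]

# Constructed sample policies: the mistake described above, and the fix.
MISCONFIGURED = VirusPolicy(True, False, True, "full")
CORRECTED = VirusPolicy(True, True, True, "header_only")

if __name__ == "__main__":
    for name, pol in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        bad = leaks(simulate(pol, "user@example.com", "postmaster@example.com"))
        print(f"{name}: {len(bad)} infected deliveries", [d.kind for d in bad])
```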
Also important is where the virus policies are in effect in the Policy Directory. They are usually defined on the Internal folder. It is always worth checking with the EMF Find User function whether the virus policies were in effect for the message that was passed. Identify the From and To addresses of the passed message, and use the EMF Find User function to determine what user and/or domain records were in effect for that message:
- open EMF webadmin
- select the Directory menu item
- select Find User
- enter email address
- press Find
** A desktop virus scanner is being run on the EMF server
A desktop virus scanner will clean the temp files that EMF uses to detect whether a message is infected. You should not run a desktop virus scanner on the EMF server. You should, however, continue to run a desktop virus scanner on the workstations within your organization. See the related article "Desktop virus scanners on the EMF server".
** Bypassing MMS using MX preferences or other routing issues
Another misconfiguration, although not a misconfiguration of EMF itself, is allowing mail to be routed around the EMF server. This can happen through DNS. For example, you might have two MX records for your organization: a preference 10 record that routes mail to your EMF server, and a preference 20 record that routes mail to your internal group mail server (bypassing EMF) if EMF is busy or unavailable. Although this might sound like a good idea from a failover perspective, it opens up another potential route for viruses and other undesired content to enter your organization.
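The MX layout described above can be audited from the zone's own records. The following added example (not part of the original article or any Tumbleweed tool) parses dig-style MX answer lines and flags every exchange that is not an EMF gateway, whatever its preference value, since any such record lets mail route around EMF. The hostnames and the sample dig output are constructed.

```python
import re
from typing import NamedTuple

class MXRecord(NamedTuple):
    domain: str
    preference: int
    exchange: str

# Matches one answer line in the format printed by `dig MX example.com`:
#   example.com.  3600  IN  MX  10  emf.example.com.
_MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<exchange>\S+)\s*$"
)

def parse_mx(dig_output: str) -> list[MXRecord]:
    """Parse MX answer lines; comments, blanks and other record types are skipped."""
    records = []
    for line in dig_output.splitlines():
        m = _MX_LINE.match(line.strip())
        if m:
            records.append(MXRecord(m["domain"].rstrip(".").lower(),
                                    int(m["pref"]),
                                    m["exchange"].rstrip(".").lower()))
    return sorted(records, key=lambda r: r.preference)

def find_bypass_records(records: list[MXRecord], gateway_hosts) -> list[MXRecord]:
    """MX records whose exchange is not an EMF gateway. A sending MTA may try
    any listed exchange and falls back to lower-preference ones when the
    gateway is busy, so every non-gateway record is a route around EMF."""
    gateways = {h.rstrip(".").lower() for h in gateway_hosts}
    return [r for r in records if r.exchange not in gateways]

# Constructed sample: the failover layout described in the article.
SAMPLE_DIG = """\
; <<>> DiG 9.x <<>> MX example.com
example.com.   3600  IN  MX  10 emf.example.com.
example.com.   3600  IN  MX  20 mail.internal.example.com.
"""

if __name__ == "__main__":
    for r in find_bypass_records(parse_mx(SAMPLE_DIG), ["emf.example.com"]):
        print(f"MX {r.preference} {r.exchange} routes mail around the EMF gateway")
```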
** Floppy disk, network file transfer, or Internet download
These are the obvious non-email channels that can introduce viruses, and they are the main reason you should continue to run virus scanning software on your users' workstations.
** Internet Mail such as Yahoo Mail or HotMail
Many organizations allow access to web-based Email systems such as Yahoo Mail or HotMail. Retrieving Email from these sources bypasses the EMF server, so that mail receives no virus detection.
** Users accessing personal POP or IMAP accounts over the Internet
Most Email clients can be configured to retrieve Email from personal POP or IMAP mailboxes on the Internet. This practice is very dangerous because it once again bypasses the EMF server, so Email downloaded to the client is not scanned for viruses by the EMF server. The best way to stop users from accessing external mailboxes is to block port 110 (POP) and port 143 (IMAP) on your corporate firewall.
** Other considerations
It is also common for different virus scanners to differ in what they detect and clean. For example, some virus scanners detect joke programs such as coke.exe or joke_salary.a. These are not viruses and are thus not detected by EMF.
It is also not uncommon for EMF to clean the infected payload of a virus, yet leave enough harmless remnants that another virus scanner may pick up and detect as a virus. In such a case, EMF has successfully cleaned the virus and this should not be considered a problem.
Additional Information:
For more information regarding viruses and the EMF server, you can search the online knowledgebase using the keyword "virus". There are several technotes that provide different types of information that elaborate on topics discussed here. The Technical Forum is also a good outlet for questions and general discussions on virus related issues.