Eight e-mail virus scanners tested
Facing a review of mail server antivirus packages, I feel like the air force guy in the old WWII movies. When his squadron is paraded in front of the head honcho who asks for a single volunteer to take a step forward to run a mission into enemy territory that will almost certainly end in death, everyone else in the line takes one step back and this poor schmuck is the only one who didn't think of doing that and is sent into the battle.
The server-based products in this case are those that scan both incoming and outgoing e-mail messages for an organisation. Nowadays it is a generally accepted fact of business life that many nasties find their way onto corporate networks via the e-mail system. Be it spam, worms, or viruses, each has its own way of potentially consuming and in some cases destroying valuable company resources -- either from the employees' time wasted deleting the unwanted messages through to viruses destroying data, consuming bandwidth, or compromising network security. Don't forget some worms not only self replicate but they can also contain malicious payloads set to launch immediately or lay dormant on your system waiting for specifically programmed trigger points such as application launches or dates to occour before launching.
The advent recently of faster and always-connected Internet links has led to an increase in these e-mail borne pests, enabling them to proliferate and replicate like never before. That combined with the plethora of tools available to download that enable script kiddies to get their hands on a particularly virulent outbreak, deconstruct it, and then reconstruct it with their own payload and release it doesn't help at all.
One of the best steps the humble network administrator can take to prevent this type of overwhelming attack from bringing the company to its knees is to install an antivirus (AV) application. We covered antivirus applications in November, however these were centralised server-based distribution platforms for individual client/server machine protection. The products in this review are more concerned with covering the e-mail server itself as a potential point for receiving and distributing these malicious applications.
So which does a company need: protection on each desktop or protection at the e-mail gateway point? The answer is both. These e-mail antivirus gateway applications are not trying to replace the existing methods of virus detection, quarantine, and removal, they are merely there to enhance the chances of a detection at the border before it enters the network as a whole. And with e-mail being the most economical and widespread method of distribution for these unwanted programs, it make sense to cover the point of incoming and outgoing mail. Malicious programs can still be introduced to the network either intentionally by a disgruntled employee or even unintentionally by employees via infected CD-ROMs, flash memory keys, or floppy disks, or even by the crafty hacker who has managed to discover a flaw in the network's security system. Individual local client/server antivirus applications are still recommended to run in conjunction with the products that we have on review here.
So why scan incoming e-mail if your desktops already have up-to-date AV definitions and applications installed on them?
The main reason for deploying an antivirus e-mail gateway application is that humans will always be humans. No matter how many times users are beaten about the head and threatened with written warnings for non-compliance with the e-mail usage policy, they still insist on opening attachments e-mailed to them from Aunty Lorna. They will still inevitably fall into the trap set that will result in a potential virus or worm outbreak.
Another reason is to allow the network administrators to monitor the potential e-mail virus traffic from a single point and enables them in most cases to quickly create policies/rules that can stop malicious data in its tracks. This is particularly advantageous when a new virus appears and the AV vendors haven't had time to update their definitions. The administrators can rely on their applied rules to assist in the control and containment of the virus and thereby reduce or remove any potential damage at that point.
Why scan outgoing e-mail, then? If not from a common point of courtesy that a company is doing its piece to reduce the spread and distribution of malicious applications, it also potentially saves money in reduced bandwidth by blocking these attachments going out in the first place.
It also enables you to save face as it protects you from being accused of allowing viruses to proliferate from your network to the outside world.
Antivirus applications will never pick up 100 percent of the viruses, worms, and Trojans that are out there, but administrators can make a big impact by being aware of how and why these malicious programs exist and then taking steps to stem the flow by putting in practical procedures to cope with these nasties. It may be as simple as deciding whether or not some employees need to receive executable files via e-mail attachment -- and then create a rule blocking e-mails containing *.exe attachments. Or at the very least stripping the attachment from the e-mail and letting the body go through (always considering the occasional false positive).
Clearswift MailSweeper 4.3 for SMTP
The right-hand window of the management console has shortcuts to wizards that allow the system administrator to complete the custom configuration of their new application, including adding licences, and information on adding third-party antivirus scanners.
The beauty of this application is that it has the ability to purchase and incorporate third-party developed antivirus support from F-Secure, Command, H+BEDV, and Sophos. Depending on what level of antivirus security you need, the package can scale without having to buy separate new applications.
Administration is via the same management console as the configuation. There is a very comprehensive reporting toolset provided under the main MailSweeper menu as well as excellent support for setting up policies and administrative alerts.
Overall a very neat and simple package with all the necessary custom configuration and administration tools well placed within the one interface.
| |||||
| Product | MAILsweeper for SMTP |
| Price | From AU$2,423 for 50 users (approx $48 per user) |
| Vendor | Clearswift |
| Phone | 02 9424 1200 |
| Web | www.clearswift.com.au |
| Interoperability | |
| Suports Exchange 2000 & 2003. | |
| Futureproofing | |
| Four engines supported. | |
| ROI | |
| Average price, but subscription to the engines is extra. | |
| Service | |
| Additional AU$606, or about $12 per user. | |
| Rating | |
Computer Associates eTrust Antivirus Gateway 7.0
The second module is the command centre that allows the administrator to view a snapshot of any or all of the following: Object Information List, Gateway(s) status, and the System Administration Activities.
The third module is the audit viewer which allows the administrator to monitor what is going through the gateway that it is connected to and also filter that traffic report.
Overall it is a very scalable solution firmly aimed at larger organisations that have several e-mail gateways needing to be scanned. This application also fits into the larger Computer Associates eTrust product portfolio by allowing the company to operate in a similar environment for desktop, server, PDA, and groupware antivirus solutions as well as content management filters for gateways, thereby deploying a single vendor antivirus and content filter solution across the whole network.
| |||||
| Product | eTrust Secure Content Manager |
| Price | US$55 per user (approx AU$75 per user) |
| Vendor | Computer Associates |
| Phone | www.ca.com/eTrust |
| Web | 1800 22 4636 |
| Interoperability | |
| Supports all versions of Exchange and Notes/Domino. | |
| Futureproofing | |
| One integrated engine. | |
| ROI | |
| Most expensive at AU$75 per licence, but definition updates included for 12 months. | |
| Service | |
| Included for duration of subscription. | |
| Rating | |
F-Secure Antivirus for Exchange 200x v6.21
The configuration and monitoring is relatively straightforward for such a comprehensive package, and certainly nothing a relatively experienced administrator could not follow, particularly with the excellent support documentation. The menus are well laid out and the format is very logical making it a breeze to navigate to the desired point of tweaking.
The Download icon launches the F-Secure Infocentre that shows the operator the current status of updates to the definitions and any important monitor information in a graphical or text-based menu system which is also very easy to navigate.
Overall it is an amazingly configurable and customisable application that does not come with all the baggage usually associated with such applications. It is also very easy to install and look after and is certainly one to add to a shortlist, along with Computer Associates and Trend Micro if looking for a one-vendor company-wide antivirus solution across several platforms and operating systems.
| |||||
| Product | F-Secure Anti-Virus for Microsoft Exchange |
| Price | AU$4,257 for 100 users (approx $43 per user) |
| Vendor | Open Systems |
| Phone | 02 6261 4900 |
| Web | www.opensystems.com.au |
| Interoperability | |
| Suports Exchange 2000 & 2003. | |
| Futureproofing | |
| One integrated engine. | |
| ROI | |
| Average price, but includes definition updates for 12 months; continuing subscription costs are very reasonable. | |
| Service | |
| Included for duration of subscription. | |
| Rating | |
GFI MailSecurity Gateway v8.1
Also for the administrator is a simple GFI content security monitor which is a separate application that gives the operator the ability to monitor the log files and show the number of items processed, number of quarantined items, and number of blocked viruses. Below this is the text from the log file, showing date, time, and details of the logged event. There is also a comprehensive e-mail exploit engine and trojan/executable scanner.
The GFI solution with the option for multiple scan engines and their associated definitions is excellent. Certainly an application worthy of short listing for evaluation.
| |||||
| Product | GFI MailSecurity V8.1 |
| Price | AU$520 for 25 users, $3,555 for 500 users, $6195 for unlimited users (approx <$7 to="" $20="" per="" user)<="" td=""> |
| Vendor | GFI |
| Phone | 1800 22 55 43 |
| Web | www.gfi.com |
| Interoperability | |
| Supports all versions of Exchange. | |
| Futureproofing | |
| Four engines supported. | |
| ROI | |
| Cheapest solution, particularly unlimited-user version. Can work out to less than $7 per mailbox, plus subscription. | |
| Service | |
| Only three months included, after that 20 percent of yearly fee. | |
| Rating | |
Netbox Micro
It is one of the more complete and fully featured appliances a company of up to 150 staff could want. Since the demise of Cobalt and its RAQ series of network appliance servers once consumed by Sun, we are interested to see a decent new appliance vendor on the block, and homegrown too.
Since the Netbox incorporates its own mail server (including Web mail capabilities as well as traditional POP3 and SMTP) the antivirus option is very straightforward. Following a similar concept to several of the other packages here, the NetBox combines several third-party AV vendors' products into a single machine. There are four altogether, Clam (standard), Eset's NOD32 (optional subscription), Network Associates' Virus Scan (optional subscription), and Computer Associates' Innoculate IT.
Each package is set to check for new definitions every six hours, however Netbox has a very nifty way of updating its registered NetBoxes in the field with new AV definitions within a few minutes of them being released. Netbox HQ monitors the AV vendors for new releases every three minutes or so and as soon as a new update is released, NetBox downloads the update and pushes it out to all the registered NetBoxes. Having the NetBoxes registered like this also allows NetBox HQ to provide a dynamic DNS service to its clients who are on ADSL, ISDN, or cable, even 56Kbps Internet services that don't have static IP addresses. That way customers can still host and manage their own mail server in-house on their NetBox without having to go to the expense of having static IP addresses on their ISP connections.
Administration is handled via a well-defined, clear and logical Web browser interface. There is a plethora of extra configuration tools and administration options available to the operator, including the ability to manually set name, type, and text blocking rules so even before the scanners come into play most nasties can be fended off.
We were extremely impressed by the NetBox, which is fully designed and assembled in Australia. The design engineers are all Australians and the product is really first class and is set at an affordable price. While not for the truly enormous enterprise, up to 150 users would definitely get a lot of mileage by putting in a machine like this, particularly if IT staff resources are at a premium, this box would take a lot of the weekly burdens away from the IT administrator.
| |||||
| Product | NetBox Micro |
| Price | AU$3,276 (one box can serve up to 150 users) |
| Vendor | Oxcoda |
| Phone | 1300 737 060 |
| Web | www.netbox.biz |
| Interoperability | |
| Can intercept all mail at the gateway and scan or apply rules to traffic. | |
| Futureproofing | |
| Four engines supported. | |
| ROI | |
| Well priced considering the features included, and the time saved on IT administration if deployed well. | |
| Service | |
| 12-month replacement warranty; extended warranty available. | |
| Rating | |
NetIQ MailMarshal for Exchange v5.0
Once the automatic configuration has been completed the administrator can then control the application through the management console.
One of the impressive features of this application is its support for antivirus engines -- no fewer than 12 bvendors are supported as well as an option for a -custom" scanner. This is a well-designed application with very good features and it is also very easy to install, configure, and administer. All in all, a very polished package with excellent third-party antivirus scanning support built in.
| |||||
| Product | MailMarshal |
| Price | US$1,295 for 75 users (approx $22 per user) |
| Vendor | NetIQ |
| Phone | 02 9959 2313 |
| Web | www.netiq.com |
| Interoperability | |
| Suports Exchange 2000 & 2003. | |
| Futureproofing | |
| Twelve plus a -custom" engine supported. | |
| ROI | |
| Average price and definitions included for 12 months. | |
| Service | |
| Choice of maintenance agreements. | |
| Rating | |
Sophos MailMonitor for Exchange
Interestingly while on that topic, something we had never really given thought to before is that the scheduling is once every hour, but not necessarily on the hour. If everyone polled for updates exactly on the hour, the load on the Sophos update servers would be enormous. To get around this, Sophos injects a randomisation that allows the downloads to be staggered, which saves their servers and bandwidth and evens out the stresses on them.
Sophos has obviously put a lot of research and effort into this application and then made a very user friendly interface packed with features particularly for the administrator to monitor the status of the system and set the custom parameters for that particular environment.
| |||||
| Product | MailMonitor for Exchange 1.7.1 |
| Price | AU$34.65 per user for 100-199 users; $29.26 per user for 200-499 users |
| Vendor | Sophos |
| Phone | 02 9409 9100 |
| Web | www.sophos.com.au |
| Interoperability | |
| Suports Exchange 2000 & 2003. | |
| Futureproofing | |
| One integrated engine. | |
| ROI | |
| Average price and definitions included for 12 months. | |
| Service | |
| Included for duration of subscription. | |
| Rating | |
Trend Micro ScanMail v6.2 for Microsoft Exchange
The automatic update system is very easy to set up for both the core module and the definitions (down to checks once every hour). The Web interface is quite user friendly and logically laid out.
In conclusion, this is a very easy package to install, configure, and administer. While Trend Micro may not have as many platforms supported as F-Secure, it certainly is another worthy consideration for a enterprise-wide single vendor antivirus application.
| |||||
| Product | ScanMail Version 6.2 |
| Price | Approx AU$15 per user for 100 users |
| Vendor | Trend Micro |
| Phone | 02 9870 4888 |
| Web | www.trendmicro.com |
| Interoperability | |
| Supports all versions of Exchange and Notes/Domino. | |
| Futureproofing | |
| One integrated engine. | |
| ROI | |
| Second-cheapest solution at around $15 per user. | |
| Service | |
| 25 percent of yearly licence cost. | |
| Rating | |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||
Interoperability
What operating systems and mail servers will the antivirus software support?
Futureproofing
Does the scanner support multiple antivirus engines from different vendors?
ROI
What will the software cost, including subscription to virus definition updates and support costs?
Service
What support is provided as standard and how much will ongoing support end up costing you?
Best solution: Best choices are GFI MailSecurity and F-Secure Anti-Virus. Both are very easy to install, configure, and administer on an Exchange 2000 server. Their incorporation of several third-party virus engines and their administration monitoring facilities are excellent.
Take your pick! With the variety of tools available in this category and their broad reach, we simply can't give a Editor's Choice award this month. However, an honorable mention must certainly go to NetBox for its network e-mail appliance which is suited for businesses up to 150 users.
| |||||