Yep – I was leaving 2013 out of the discussion --- touché  :P

 

But ---- you are correct again my friend no store scanning in 2013 --- until
some genius writes EWS code for that :) 

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Adam Farage
Sent: Tuesday, April 22, 2014 8:32 PM
To: [email protected]
Subject: RE: [Exchange] RE: Antivirus placement - Exchange 2010

 

Mr. Cosca, we meet again! :D (I see you have been hiding until I wrote
something you could troll on). 

The VSAPI on the Store level in Exchange 2013 has been removed, thus my
recommendation. That and the number of threads opened up by some AV
companies (I will not name names here) simply eat up the performance
itself...

I mean, there has to be a reason why MSFT Exchange Product Group (or the
"O365 Product Group" is the title now I think) took it out.. ;)

  _____  

From: [email protected] <mailto:[email protected]> 
To: [email protected] <mailto:[email protected]> 
Subject: RE: [Exchange] RE: Antivirus placement - Exchange 2010
Date: Tue, 22 Apr 2014 20:22:04 -0400

Don’t really have anything to add to this one :)  I just love trolling
Adam’s emails.

 

Pretty much agree with all that is said here.  The only exception would be
(like it or not) it is a good idea to have AV at the store level.  Leave it
disabled as previously mentioned, but it is a nice insurance policy to be
able to do cleanup once updated definitions are released.  

 

From: [email protected] <mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Adam Farage
Sent: Tuesday, April 22, 2014 8:15 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [Exchange] RE: Antivirus placement - Exchange 2010

 

That's insane, that you cannot block any attachments. 
From the standpoint of anti-virus / anti-malware and anti-spam protection I
take a pretty simple approach: 

- Block any attachment that is not a common Office type file, and block this
at the smarthost / SMTP gateway (I usually see Exchange Online Protection,
EOP or IronPort). So we let through .doc, .docx, .pdf, .xls, .xlsx, .ppt,
and .pptx. We *do* typically block .rar/.zip unless the client throws a
shitstorm complaining about it.
- Antivirus placement is a big discussion usually.. and in my opinion place
it on the HUB/EDGE portion. If you are doing AV scanning on the transport
pipeline, the likelihood you will receive a virus at the store level is
little to none.
- File level AV all around, just make sure your exclusions are correct.. and
man are there a lot of them ;)

Doing AV scanning using VSAPI (on the mailbox layer) in my opinion has
caused multiple issues such as performance and data corruption. Stuff I'd
rather stay away from.



  _____  

Date: Tue, 22 Apr 2014 20:01:51 -0400
Subject: Re: [Exchange] RE: Antivirus placement - Exchange 2010
From: [email protected] <mailto:[email protected]> 
To: [email protected] <mailto:[email protected]> 

You can't block *ANY* attachments?

 

That can't be right.

 

On Tue, Apr 22, 2014 at 7:25 PM, Kurt Buff <[email protected]
<mailto:[email protected]> > wrote:

Your results are more the outcome of your settings to block certain
attachments than to the Barracuda's prowess in AV detection.

I am not allowed to block attachments, we have a 410, and I regularly
see infectious emails come through.

Whenever I get an unexpected email with an attachment, I submit the
attachment to
http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx
and to https://malwr.com/ and regularly see results that make me
shudder...

Those submissions are in parallel to my submission to virustotal, and
invariably the attachment has already been scanned, and nobody has a
signature for it.

Mostly, I get these from China (or at least the emails use Chinese
character sets.)


Kurt


On Tue, Apr 22, 2014 at 4:13 PM, Kennedy, Jim
<[email protected] <mailto:[email protected]> > wrote:
>
> "Email AV gateway appliance (vm or physical) (Trend, Barracuda, etc.)"
>
> Specifically a Cuda. Only one email virus in a decade of using them. I block
> exe's, password protected zips and the usual suspect file types with it,
> that certainly helps.
>
>
> ________________________________
> From: [email protected] <mailto:[email protected]> [[email protected] <mailto:[email protected]>] on
> behalf of Stringham, Steven [[email protected] <mailto:[email protected]>]
> Sent: Tuesday, April 22, 2014 5:53 PM
> To: [email protected] <mailto:[email protected]> 
> Subject: [Exchange] Antivirus placement - Exchange 2010
>
> Antivirus software and Exchange 2010 – where should I put it? I am looking
> at this as a performance, security balancing act.  So, my thoughts are where
> do you folks put it.  A little poll please…
>
>
>
> ____ AntiSpam outside service – before my internal systems see it.
>
>
>
> ____ Email AV gateway appliance (vm or physical) (Trend, Barracuda, etc.)
>
>
>
> ____ Edge Gateway role servers
>
>
>
> ____ Hub Transport servers
>
>
>
> ____ Mailbox servers
>
>
>
>
>
> Personally, I think this is a bit of an all of the above type thing, but,
> where would you put AV for Email.
>
>
>
> And, do you use separate brands for different spots?
>
>
>
> Thanks
>
> Steven Stringham
>
>
>
>
>
>
> ________________________________
>
> This message and any attachments are intended only for the use of the
> individual or entity to which they are addressed. If the reader of this
> message or an attachment is not the intended recipient or the employee or
> agent responsible for delivering the message or attachment to the intended
> recipient you are hereby notified that any dissemination, distribution or
> copying of this message or any attachment is strictly prohibited. If you
> have received this communication in error, please notify us immediately by
> replying to the sender. The information transmitted in this message and any
> attachments may be privileged, is intended only for the personal and
> confidential use of the intended recipients, and is covered by the
> Electronic Communications Privacy Act, 18 U.S.C. §2510-2521.
>
> In accordance with Internal Revenue Service Circular 230, we advise you that
> if this message or any attachments contains any tax advice, such tax advice
> was not intended or written to be used, and it cannot be used, by any
> taxpayer for the purpose of avoiding penalties that may be imposed on the
> taxpayer.
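
The gateway attachment policy discussed in this thread (let common Office and PDF types through, block everything else, refuse password-protected zips), sketched as an added example that is not from any poster or product. The function names, the `allow_zip` switch and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Types the thread says are let through at the gateway; everything else is blocked.
ALLOWED = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}

def ext_of(name):
    """Last extension, lower-cased; trailing dots/spaces are dropped first."""
    name = name.strip().rstrip(". ").lower()
    return name[name.rfind("."):] if name.rfind(".") > 0 else ""

def zip_verdict(data):  # only reached when zips are permitted (assumed switch)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 = entry is encrypted
                    return "block: password-protected zip"
                if not info.is_dir() and ext_of(info.filename) not in ALLOWED:
                    return "block: zip member " + info.filename
    except zipfile.BadZipFile:
        return "block: unreadable zip"
    return "allow"

def gateway_verdicts(raw, allow_zip=False):
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not (name or part.is_attachment()):
            continue  # containers and inline body text
        ext = ext_of(name or "")
        if ext in ALLOWED:
            verdict = "allow"
        elif ext == ".zip" and allow_zip:
            verdict = zip_verdict(part.get_payload(decode=True))
        else:
            verdict = "block: type " + (ext or "(none)")
        out.append((name or "", verdict))
    return out

def sample_message():  # constructed sample: allowed PDF + double-extension executable
    m = EmailMessage()
    m.set_content("see attached")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_bytes()
```

The decision is made on the last extension only, so `invoice.pdf.exe` is blocked even though it contains an allowed type; content-based detection is a separate layer that this filter does not replace.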
