HELP! Scan a Groupwise Post Office

So my Unitrends appliance just alerted me after an incremental backup that the "predictive analytics engine" has detected anomalies on my Groupwise server (SLES 12 SP3, GroupWise 2018) which probabilistically matches the behavior of systems impacted by Ransomware. I need to check the mailboxes and really the entire server. I don't have Gwava (we use Mimecast), and I have no alerts of bad messages going to Mimecast or anything tagged from the firewall, which also scans in and out (everything). But I still need to do this just to be sure. Can I install ClamAV on the server and run some scans? I thought I saw somewhere ClamAV was actually part of SLES12? Is that correct? Anybody have it installed/using it on SLES12 and with Groupwise?

Kind regards,

Val
  • On 26.11.2018 23:54, iliadmin wrote:
    >
    > So my Unitrends appliance just alerted me after an incremental backup
    > that the "predictive analytics engine" has detected anomalies on my
    > Groupwise server (SLES 12 SP3, GroupWise 2018) which probabilistically
    > matches the behavior of systems impacted by Ransomware. I need to check
    > the mailboxes and really the entire server. I don't have Gwava (we use
    > Mimecast), and I have no alerts of bad messages going to Mimecast or
    > anything tagged from the firewall, which also scans in and out
    > (everything). But I still need to do this just to be sure. Can I
    > install ClamAV on the server and run some scans? I thought I saw
    > somewhere ClamAV was actually part of SLES12? Is that correct? Anybody
    > have it installed/using it on SLES12 and with Groupwise?


    Simple answer: Groupwise is compressed and encrypted. That means:

    1. You see a false alarm.
    2. You can't scan Groupwise without software specifically designed for
    Groupwise.
    3. BTW: ClamAV isn't in any whatsoever remote way a serious AV scanner.
    It's a toy at best.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • Ok, so I did some digging and it appears clamav is in the package list for SLES 12?

    Would I install this package using zypper?
    Something like sudo zypper install clamav?

    I think I read I have to use freshclam to update the definitions...

    Then it's something like sudo clamscan -ri (directory)... or possibly just scan the entire server? Is this a fast or slow program?

    I have absolutely no experience with clamav outside of it being on a mac with a GUI, so I need some help on installing, configuring, scanning (not finding much documentation
    useful to SLES).

    Thanks!

    Kind regards,

    Val



    ER.. Skip all this. I just saw Massimo's post. Only reason I mentioned clamav is because it was suggested. Again, didn't know much about it and am ALWAYS glad to learn! I appreciate the feedback.
    I have (just got) GW Enterprise Messaging.. can I install GWAVA and set it up just as a scanner and nothing more?
  • If it behaves the way it did when it was "plain" GWAVA: yes. And that's the only way to go.
    From what I understand you got the warning on doing a "regular" scan over the PO's filesystem. If so, it's for sure a false positive. You should NEVER run a GW-unaware virus scan against GW data; this also applies to remote and caching mailboxes, where AV software is the #1 reason for corruption. GW data has to be excluded from any sort of GW-unaware AV scans.
  • iliadmin wrote:

    > So my Unitrends appliance just alerted me after an incremental backup
    > that the "predictive analytics engine" has detected anomalies on my
    > Groupwise server (SLES 12 SP3, GroupWise 2018) which probabilistically
    > matches the behavior of systems impacted by Ransomware.


    I have no experience with the Unitrends appliance but systems impacted
    by Ransomware usually have encrypted files and the Unitrends appliance
    is likely issuing this warning because it has encountered encrypted
    files in your GroupWise system.

    Did you ever stop to consider, that because GroupWise stores its email
    in its Post Office in an encrypted format, this warning might be
    expected?

    Because GroupWise stores its email in an encrypted format, virus scans
    are useless: they will never find a matching signature. Moreover, as
    the files are scanned they may become locked which in turn makes them
    inaccessible to GroupWise and can cause corruption of the GroupWise
    database.

    I would investigate what type of anomalies might cause those warnings.

    If your GWIA has SSL enabled for incoming email, your scan at the
    firewall may not be able to detect a virus either.

    Your best protection is to install Secure Messaging Gateway (GWAVA) and
    have it scan incoming email as it is received.

    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.
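The point Kevin makes above is that a ransomware heuristic keyed on "encrypted-looking" files cannot tell a legitimately encrypted and compressed datastore from ransomware output. The following is an added illustration (not code from the thread, Unitrends or Micro Focus) of such an entropy heuristic run over constructed sample data, with a path exclusion for the post office; the `/grpwise/po/` location and the threshold of 7.5 bits per byte are assumptions for the example.

```python
import hashlib
import math
from collections import Counter

# Hypothetical post office location; a real deployment substitutes its own PO path.
GW_EXCLUDED_PREFIXES = ("/grpwise/po/",)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum reached by uniformly random (or well-encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, data: bytes, threshold: float = 7.5) -> str:
    """Naive ransomware-style heuristic: any high-entropy file is 'suspicious',
    unless it lives in a datastore known to be encrypted by design (GroupWise PO)."""
    if any(path.startswith(p) for p in GW_EXCLUDED_PREFIXES):
        return "excluded"   # encrypted by design: not evidence of ransomware
    return "suspicious" if shannon_entropy(data) >= threshold else "normal"

def scan(files: dict) -> dict:
    """Tally verdicts over a {path: bytes} mapping, as a backup scanner would over a tree."""
    tally = {"normal": 0, "suspicious": 0, "excluded": 0}
    for path, data in files.items():
        tally[classify(path, data)] += 1
    return tally

# Constructed sample content (not real files): readable mail text versus
# high-entropy bytes standing in for encrypted/compressed database pages.
PLAIN_MAIL = b"Subject: meeting notes\r\nHello team, the minutes are attached.\r\n" * 100
ENCRYPTED_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

SAMPLE_TREE = {
    "/var/log/messages": PLAIN_MAIL,
    "/home/val/notes.txt": ENCRYPTED_LIKE,            # would deserve a look
    "/grpwise/po/ofuser/user123.db": ENCRYPTED_LIKE,  # GW user database, expected to look like this
    "/grpwise/po/ofmsg/msg17.db": ENCRYPTED_LIKE,     # GW message database, same
}

if __name__ == "__main__":
    for path, data in SAMPLE_TREE.items():
        print(f"{path:35s} entropy={shannon_entropy(data):.2f} -> {classify(path, data)}")
    print(scan(SAMPLE_TREE))
```

Without the exclusion every post office database trips the heuristic, which is exactly the "false positive" the replies above describe; with it, the same scanner still flags unexpected high-entropy files elsewhere on the server.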
  • Hi.

    On 27.11.2018 01:14, iliadmin wrote:
    > I have (just got) GW Enterprise Messaging.. can I install GWAVA and set
    > it up just as a scanner and nothing more?


    Yes. Secure Messaging Gateway (the successor to the product Gwava) can
    scan Groupwise Post Offices (or individual Mailboxes) on Demand via IMAP
    (unfortunately IMAP only, Gwava originally used a more reliable
    interface) and a trusted app key.

    CU,
    --
    Massimo Rosen
    Micro Focus Knowledge Partner
    No emails please!
    http://www.cfc-it.de
  • Thanks Kevin, Massimo and Mathias for your input/feedback! I appreciate it very much.

    The GW server/PO was not scanned. Prior to posting this I did contact Unitrends because an analysis of the environment here and an issue with some backups prompted me to wonder if this was a false positive. Even so, I am still required to do my due diligence to ensure it is/is not an issue, and thus my inquiry to the forum on scanning the Post Office.

    We've been using Groupwise and Unitrends for a number of years and it has never alerted like this before. I am pretty sure it is due to an anomaly with different backups of the post office server (long story I won't get into here).

    I will add to my huge to do list figuring out how to setup the Secure Messaging Gateway and use it to scan only for messages inbound and outbound from all sources including webaccess and mobility. Seems like the best solution. My 3rd party mail security company does scan everything in and out and I trust them based on past results, so I have no compelling reason to ditch them and move to a different product at this time. But I can always add this layer as extra "eyes".
  • iliadmin wrote:

    > My 3rd party mail security company does scan
    > everything in and out and I trust them based on past results, so I
    > have no compelling reason to ditch them and move to a different
    > product at this time. But I can always add this layer as extra
    > "eyes".


    I assume you mean SMTP email? Are you suggesting they also scan
    internal email sent from a GroupWise client directly to your post
    office?

    --
    Kevin Boyle - Knowledge Partner
  • They scan mail coming both outbound and inbound.

    I want to be able to execute a scan for incident response from inside our network. It seems I can do that with Secure Messaging Gateway.

    I'm all set here, thanks everyone for your help! I greatly appreciate it.