iliadmin1 Absent Member.

HELP! Scan a Groupwise Post Office

So my Unitrends appliance just alerted me after an incremental backup that the "predictive analytics engine" has detected anomalies on my GroupWise server (SLES 12 SP3, GroupWise 2018) which probabilistically matches the behavior of systems impacted by Ransomware. I need to check the mailboxes and really the entire server. I don't have Gwava (we use Mimecast), and I have no alerts of bad messages going to Mimecast or anything tagged from the firewall, which also scans in and out (everything). But I still need to do this just to be sure. Can I install ClamAV on the server and run some scans? I thought I saw somewhere ClamAV was actually part of SLES12? Is that correct? Anybody have it installed/using it on SLES12 and with GroupWise?

Kind regards,

Val

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
8 Replies
Knowledge Partner

Re: HELP! Scan a Groupwise Post Office

On 26.11.2018 23:54, iliadmin wrote:
>
> So My Unitrends appliance just alerted me after an incremental backup
> that the "predictive analytics engine" has detected anomalies on my
> Groupwise server (SLES 12 SP3, GroupWise 2018) which probabilistically
> matches the behavior of systems impacted by Ransomware. I need to check
> the mailboxes and really the entire server. I don't have Gwava (we use
> Mimecast), and I have no alerts of bad messages going to Mimecast or
> anything tagged from the firewall, which also scans in and out
> (everything). But I still need to do this just to be sure. Can I
> install ClamAV on the server and run some scans? I thought I saw
> somewhere ClamAV was actually part of SLES12? Is that correct? Anybody
> have it installed/using it on SLES12 and with Groupwise?


Simple answer: Groupwise is compressed and encrypted. That means:

1. You see a false alarm.
2. You can't scan Groupwise without software specifically designed for
Groupwise.
3. BTW: ClamAV isn't in any remote way whatsoever a serious AV scanner.
It's a toy at best.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
iliadmin1 Absent Member.

Re: HELP! Scan a Groupwise Post Office

Ok, so I did some digging and it appears clamav is in the package list for SLES 12?

Would I install this package using zypper?
Something like sudo zypper install clamav?

I think I read I have to use freshclam to update the definitions.....

Then it's something like sudo clamscan -ri (directory....or possibly just scan the entire server? Is this a fast or slow program?

I have absolutely no experience with clamav outside of it being on a mac with a GUI, so I need some help on installing, configuring, scanning (not finding much documentation useful to SLES).

Thanks!

Kind regards,

Val



ER..Skip all this. I just saw Massimo's post. The only reason I mentioned clamav is because it was suggested. Again, I didn't know much about it and am ALWAYS glad to learn! I appreciate the feedback.
I have (just got) GW Enterprise Messaging..can I install GWAVA and set it up just as a scanner and nothing more?

Knowledge Partner

Re: HELP! Scan a Groupwise Post Office

If it behaves the way it did when it was "plain" GWAVA: yes. And that's the only way to go.
From what I understand you got the warning on doing a "regular" scan over the PO's filesystem. If so, it's for sure a false positive. You should NEVER run a GW-unaware virus scan against GW data; this also applies to remote and caching mailboxes, where AV software is the #1 reason for corruption. GW data has to be excluded from any sort of GW-unaware AV scans.
Knowledge Partner

Re: HELP! Scan a Groupwise Post Office

iliadmin wrote:

> So My Unitrends appliance just alerted me after an incremental backup
> that the "predictive analytics engine" has detected anomalies on my
> Groupwise server (SLES 12 SP3, Grouwpise 2018) which probabilistically
> matches the behavior of systems impacted by Ransomware.


I have no experience with the Unitrends appliance but systems impacted
by Ransomware usually have encrypted files and the Unitrends appliance
is likely issuing this warning because it has encountered encrypted
files in your GroupWise system.

Did you ever stop to consider that because GroupWise stores its email
in its Post Office in an encrypted format, this warning might be
expected?

Because GroupWise stores its email in an encrypted format, virus scans
are useless: they will never find a matching signature. Moreover, as
the files are scanned they may become locked which in turn makes them
inaccessible to GroupWise and can cause corruption of the GroupWise
database.

I would investigate what type of anomalies might cause those warnings.

If your GWIA has SSL enabled for incoming email, your scan at the
firewall may also not be able to detect virus either.

Your best protection is to install Secure Messaging Gateway (GWAVA) and
have it scan incoming email as it is received.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
Knowledge Partner
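The two replies above make the same point from two sides: Kevin's, that a backup appliance seeing encrypted-at-rest GroupWise files will score them the way it scores ransomware output, and Mathias', that GroupWise data has to be carved out of any GroupWise-unaware scan. The following is an added illustration written for this page, not code from any poster, from Unitrends or from Micro Focus: a toy ransomware heuristic that scores files changed since the last backup by byte entropy, run once as a GroupWise-unaware engine and once with the post-office directories excluded. The directory names, file paths, entropy threshold and ratio are assumptions; the "backup" contents are constructed in the script (seeded random bytes standing in for encrypted database blocks, plus one plain-text file).

```python
"""Added illustration only: a toy 'ransomware' heuristic that scores files
changed since the last backup by byte entropy, shown with and without a
GroupWise-aware exclusion list. Not code from the thread, Unitrends or
Micro Focus; directory names, paths and thresholds are assumptions."""
import math
import random
from collections import Counter
from typing import Dict, List

# Assumed GroupWise post-office sub-directories holding encrypted/compressed
# databases and blobs. Verify against your own PO layout before relying on it.
GW_EXCLUDED_DIRS = {"ofuser", "ofmsg", "offiles", "ofwork", "wpcsin", "wpcsout"}

# Heuristic knobs (assumed values, not any vendor's): 7.5 bits/byte or more
# looks like ciphertext or compressed data; if 80% or more of the changed
# files look that way, raise a ransomware alert.
ENTROPY_THRESHOLD = 7.5
SUSPICIOUS_RATIO = 0.8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    perfectly uniform bytes. Empty input is treated as 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_groupwise_data(path: str) -> bool:
    """True if any path component is one of the assumed GW PO directories."""
    return any(part.lower() in GW_EXCLUDED_DIRS for part in path.split("/"))


def assess_changed_files(changed: Dict[str, bytes], gw_aware: bool) -> dict:
    """Score a set of changed files (path -> new content).
    gw_aware=False is the GW-unaware behaviour that produces the false alarm;
    gw_aware=True drops GW post-office data before scoring."""
    considered = {p: d for p, d in changed.items()
                  if not (gw_aware and is_groupwise_data(p))}
    high: List[str] = sorted(p for p, d in considered.items()
                             if shannon_entropy(d) >= ENTROPY_THRESHOLD)
    ratio = len(high) / len(considered) if considered else 0.0
    return {
        "considered": len(considered),
        "high_entropy": high,
        "ratio": ratio,
        "suspicious": bool(high) and ratio >= SUSPICIOUS_RATIO,
    }


def build_sample() -> Dict[str, bytes]:
    """Constructed sample 'incremental backup': four GW files stand in for
    encrypted database blocks (uniform random bytes, seeded so the run is
    repeatable) plus one ordinary text file. Paths are made up."""
    rng = random.Random(20181126)

    def ciphertext_like(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    plain = b"Subject: weekly report\nBody: nothing unusual this week.\n" * 40
    return {
        "/gwsystem/po1/ofmsg/msg0.db": ciphertext_like(4096),
        "/gwsystem/po1/ofuser/userabc.db": ciphertext_like(4096),
        "/gwsystem/po1/offiles/fd0/blob0001.bin": ciphertext_like(4096),
        "/gwsystem/po1/wpcsout/ofs/0/000001.001": ciphertext_like(2048),
        "/etc/hosts": plain,
    }


if __name__ == "__main__":
    sample = build_sample()
    for p, d in sample.items():
        print(f"{shannon_entropy(d):5.2f} bits/byte  {p}")
    print("GW-unaware verdict:", assess_changed_files(sample, gw_aware=False))
    print("GW-aware verdict:  ", assess_changed_files(sample, gw_aware=True))
```

Run stand-alone, the GW-unaware pass flags four of five changed files as near-8-bit entropy and calls the set suspicious; the GW-aware pass is left with only the plain-text file and stays quiet. The same shape of exclusion list is what a GroupWise-unaware on-access or scheduled AV scanner needs, for the corruption reason Kevin and Mathias give, not just for the false alarm.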

Re: HELP! Scan a Groupwise Post Office

Hi.

On 27.11.2018 01:14, iliadmin wrote:
> I have (just got) GW Enterprise. Messaging..can I install GWAVA and set
> it up just as a scanner an nothing more?


Yes. Secure Messaging Gateway (the successor to the product Gwava) can
scan Groupwise Post Offices (or individual Mailboxes) on Demand via IMAP
(unfortunately IMAP only, Gwava originally used a more reliable
interface) and a trusted app key.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
iliadmin1 Absent Member.

Re: HELP! Scan a Groupwise Post Office

Thanks Kevin, Massimo and Mathias for your input/feedback! I appreciate it very much.

The GW server/PO was not scanned. Prior to posting this I did contact Unitrends because an analysis of the environment here and an issue with some backups prompted me to wonder if this was a false positive. Even so, I am still required to do my due diligence to ensure it is/is not an issue, and thus my inquiry to the forum on scanning the Post Office.

We've been using Groupwise and Unitrends for a number of years and it has never alerted like this before. I am pretty sure it is due to an anomaly with different backups of the post office server (long story I won't get into here).

I will add to my huge to do list figuring out how to setup the Secure Messaging Gateway and use it to scan only for messages inbound and outbound from all sources including webaccess and mobility. Seems like the best solution. My 3rd party mail security company does scan everything in and out and I trust them based on past results, so I have no compelling reason to ditch them and move to a different product at this time. But I can always add this layer as extra "eyes".

Knowledge Partner

Re: HELP! Scan a Groupwise Post Office

iliadmin wrote:

> My 3rd party mail security company does scan
> everything in and out and I trust them based on past results, so I
> have no compelling reason to ditch them and move to a different
> product at this time. But I can always add this layer as extra
> "eyes".


I assume you mean SMTP email? Are you suggesting they also scan
internal email sent from a GroupWise client directly to your post
office?

--
Kevin Boyle - Knowledge Partner
iliadmin1 Absent Member.

Re: HELP! Scan a Groupwise Post Office

They scan mail coming both outbound and inbound.

I want to be able to execute a scan for incident response from inside our network. It seems I can do that with Secure Messaging Gateway.

I'm all set here, thanks everyone for your help! I greatly appreciate it.
