Fingerprinting
From GWAVA4
Introduction
To block malware or potential policy violations, it is useful to filter on the actual contents of attachments. See also Attachment Filename filtering for an alternative filter method.
Attachment filename filtering operates on the filename. It thus can be bypassed by a knowledgeable or malicious user with a simple rename. Fingerprinting ignores the filename and attempts to identify the type of file by the contents.
Both have their uses. Specific file type blocking is an important feature of GWAVA that should be approached with the multiple mechanisms available. Often this is used as a preemptive measure against common virus types that your virus scanner may not be able to detect until a signature update has been created and delivered to you. You might also have a policy in place to ensure certain objectionable or time-wasting material is not delivered to your users.
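The difference between the two filter types, as an added example (not GWAVA's code): a content check based on leading "magic" bytes runs beside an extension check on constructed attachments. The signature table is a small subset of well-known file signatures, and the two policy sets are assumptions made for illustration.

```python
import os

# Well-known leading "magic" bytes; a small illustrative subset, not GWAVA's list.
SIGNATURES = [
    (b"MZ", "dos-windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Hypothetical policies for the two filter types.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr"}
BLOCKED_TYPES = {"dos-windows-executable", "elf-executable"}


def fingerprint(data: bytes) -> str:
    """Identify the content type from the leading bytes; the filename is never consulted."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate(name: str, data: bytes) -> dict:
    """Run both filters on one attachment and report each verdict."""
    extension = os.path.splitext(name.lower())[1]
    kind = fingerprint(data)
    return {
        "name": name,
        "type": kind,
        "filename_blocks": extension in BLOCKED_EXTENSIONS,
        "fingerprint_blocks": kind in BLOCKED_TYPES,
    }


# Constructed sample attachments (name, first bytes of content).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),    # executable, honest name
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),  # executable renamed to .pdf
    ("report.pdf", b"%PDF-1.7\n"),                  # genuine PDF
    ("legacy.com", b"\x00" * 16),                   # headerless content, risky name
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(evaluate(name, data))
```

The renamed executable passes the filename filter but is caught by its content, while the headerless file with a risky extension is caught only by the filename filter, which is why the two mechanisms are used together.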
Expand the folder for the server you want to configure, expand Manage scanners, expand the appropriate scanner, select Scanning configuration, then click on Fingerprinting.
Then make sure the "Enable Fingerprint event" checkbox is selected.
- TIP: If you chose "Stop Viruses" when you installed your scanner, this section will already be configured for you and populated with common malware types (Windows Executables, for example). In addition, Attachment Filename filtering and Viruses will also be activated and configured.
- NOTE: As you make changes to your configuration, the disk icon in the upper right corner of the page will become active and the words SAVE CHANGES will appear. Do not forget to click the icon to save your changes before moving to another page, or your changes will be lost. Some searching and filtering options will also warn you that you must SAVE your CHANGES or lose them.
In the above example, DOS Executables (usually, but not always, with an EXE extension) will be blocked.
Switching between Services, Notes, Addresses, and Exceptions
You switch between viewing the associated services, notes, etc. for the entry by clicking on the scroll arrows.
Services
A service will be triggered when a message is received that has an attachment with the appropriately identified content type.
Block Messages - blocks the message.
Notify Sender - sends a notification message to the sender.
Notify Recipient - sends a notification message to the recipient.
Notify Administrator - sends a notification message to the administrator.
Notify Defined Address(es) - sends a notification message to the address(es) defined in the Address section (see "Addresses" below).
Quarantine Messages - stores the message in the Quarantine Management System (QMS). This is useful for future examination by the administrator or end users, and for releasing the message in the QMS system or in Digests. Quarantining a message does not necessarily imply the message is blocked.
- NOTE: Multistate services are disabled by default. Choose the Preferences button on the upper right to enable or disable Multistate services.
Notes
You may enter notes associated with each entry for your own purposes by selecting Notes with the scroll arrows.
These notes have no effect on the processing of the entry; they are for your private use.
Defined Addresses
If you want to send a notification message to a specific group of individuals each time this entry triggers an event, you must do two things:
To add an address(es), select Addresses using the scroll arrows. Click the Edit button. Type the appropriate user's address and click Add. Repeat the process to add additional addresses. Click OK when finished. As always, save your changes!
Exceptions
You can create two types of exceptions for your fingerprinting types: Source Exceptions and Destination Exceptions. If you don't want your entry to apply to a particular source (From: ), then you create a source exception. If you don't want your entry to apply to a particular destination (To: ), then you create a destination exception. Both of these exception types will apply to inbound and outbound mail, thus you can create source exceptions for internal addresses, as well as external addresses. The same applies for destination exceptions.
To add an exception, select either Source Exceptions or Dest. Exceptions using the scroll arrows. Click the Edit button. Type the desired address for your exception, then click Add. Repeat the process to add additional exceptions. Click OK when finished. Save changes.
- NOTE: If you want to see what exceptions a particular address or address pattern has been assigned, see Managing exceptions.
Filtering
You can choose which items to display by using the Filter. The default Filter is Show All, displaying all items. You can choose to display only items with specific attributes by selecting the desired attribute from the Filter drop down box. For example, if you want to only look at entries that have Administrator Notifications turned on, then select Administrator Notification under SERVICES in the drop down box (see image below). You can filter by each of the six services or by defined fields (Notes, Exceptions, etc).





