Release Notes

Version 3.2_4

Copyright ©1998 Content Technologies Ltd. All rights reserved

Revision 1.0

Disclaimer Information contained in this document is the commercial property of Content Technologies Ltd and is not to be disclosed to any third party without explicit permission of Content Technologies Ltd. MIMEsweeper is a trademark of Content Technologies Ltd. Trademarks of other companies are used for descriptive purposes only and are fully acknowledged.


Introduction


This release note includes updated information for the documentation provided with MIMEsweeper release 3.2. The information in this release note is more current than that found in the Administrator's Guide. The README.TXT file installed on disk may also contain last-minute information.

This version of MIMEsweeper adds support for Microsoft Exchange with more than 246 mailboxes, as well as providing many enhancements and fixes to both MAILsweeper and WEBsweeper.

For more information on these enhancements, see the Administrator's Guide.

This release note also includes information on the following topics:

Both modules in this release are supported on Windows NT 4.0. The MAILsweeper modules for SMTP, cc:Mail, Lotus Notes, and GroupWise are also supported on Windows NT 3.51.

MIMEsweeper version 3.2 is the last major release to be supported on Windows NT 3.51.
 

To aid the support process the Info-ZIP utilities have been included on the MIMEsweeper CD and are installed under the MSW\PROGRAM directory. These are Windows NT ZIP utilities that can deal with long filenames. They are unsupported and provided at no charge.

Info-ZIP's software (Zip, UnZip and related utilities) is free and can be obtained as source code or executables from various bulletin board services and Internet/WWW sites, including CompuServe's IBMPRO forum and ftp://ftp.cdrom.com/pub/infozip/.

Organisational changes

The MIMEsweeper team have de-merged from the Integralis Group and are now called Content Technologies Ltd. For further information see

http://www.mimesweeper.com.


Installation Notes


It is advisable to take a backup of the MIMEsweeper directory tree before performing an upgrade.

Avoid simply copying the tree elsewhere on your local disk, as the upgrade process will find the copy and try to upgrade it.
 

Quarantined messages may not be preserved during the upgrade process in some circumstances. This may happen with an upgrade from any previous version, but is most likely for users upgrading from version 2.3_1.

It is important that the machine running MIMEsweeper is not running an anti-virus tool which prevents infected files from being written to disk (such as an on-access scanner). This is because MIMEsweeper depends on being able to write temporary files to scan, which it then removes after use.

WEBsweeper

WEBsweeper's Authenticode validator will block files from publishers that are not trusted. Section 5 of the Administrator's Guide (Checking digital signatures) describes the steps required to configure WEBsweeper to trust files signed by a particular Software Publisher or Certificate Authority. Additionally, the Internet Explorer installed on the WEBsweeper machine must be version 3.02, and must not be configured to use WEBsweeper as a proxy.

Note that the Internet Explorer running on the WEBsweeper machine must not be version 4 since this does not allow WEBsweeper to distinguish between a certificate which is not trusted and a file with no certificate. Further information can be found in the Technical Notes on the MIMEsweeper web-site.

Microsoft have released Version 2 of Authenticode. It is important to install the new version of Authenticode on the WEBsweeper computer, both to take advantage of significant new improvements in the security feature and to renew important Authenticode information that may have expired. Further information can be found at the URL:

http://www.microsoft.com/ie/security/?/ie/security/authentintl.htm

cc:Mail

With cc:Mail MAILsweeper systems, file system access problems are occasionally experienced when the service logs on to NetWare servers. It is recommended that a dedicated user account is set up for the MAILsweeper service, and that no other logons use this account.

Lotus have identified a patch for this problem. For more information see:

http://www.ccmail.com/support/ccregmod.htm

On a cc:Mail system, administrator addresses in the configuration file MIMESWP.CFG must be in the form "firstname surname"@PO. If they are given in the form "surname, firstname"@PO, MAILsweeper will fail to start with the error 10132 "Illegal address format encountered".

Exchange

IgnoreMailbox=<mailbox distributed name>

This directive can be used in EXCHANGE.CFG to configure MIMEsweeper to ignore specific mailboxes, that is, allow mail through unscanned.

One example where this is useful is if you have previously deinstalled one of the mail connectors from your Exchange server (for example the cc:Mail connector). The deinstall process leaves behind a mailbox for the connector, which MIMEsweeper cannot open, causing MIMEsweeper to fail to start with error 14011. If you notice an error in the logs similar to the following on start-up:

Error opening mailbox with email address: /O=ORGANISATION/OU=SITE/CN=CONFIGURATION/CN=CONNECTIONS/CN=CC:MAIL CONNECTOR (SERVER1) (0x8004011d)

Then you can add the following configuration entry in EXCHANGE.CFG as a work-around:

[Exchange]
IgnoreMailbox=/O=ORGANISATION/OU=SITE/CN=CONFIGURATION/CN=CONNECTIONS/CN=CC:MAIL CONNECTOR (SERVER1)

The mailbox name should appear all on one line. You can use this directive more than once to ignore multiple mailboxes.

In some circumstances the error can be cleared using the Microsoft Exchange Optimise utility.
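As an added example (not MIMEsweeper code and not part of the original note), the following script extracts the failing mailbox names from the start-up log text and emits the matching IgnoreMailbox= lines, rejoining any name that has been wrapped across lines so that each directive sits on one line. The log excerpt inside it is constructed in the shape of the error shown above; its second connector name is invented for the illustration.

```python
"""Turn the 'Error opening mailbox' lines from a MAILsweeper for Exchange
log into IgnoreMailbox= entries for EXCHANGE.CFG.  Added example, not
MIMEsweeper code: the error text and the directive come from the release
note; the log excerpt below is constructed, and the second connector
name in it is invented for the example.  The distinguished name may be
wrapped over several lines in a log or a printed note, so the script
rejoins it, because the directive must be on one line.
"""
import re

_ERROR = re.compile(
    r"Error opening mailbox with email address:\s*"
    r"(?P<dn>/\s*O=.*?)\s*\(0x[0-9A-Fa-f]{8}\)",
    re.DOTALL,
)


def normalise_dn(dn):
    """Rejoin a wrapped X.400-style distinguished name onto one line."""
    dn = re.sub(r"/\s*\n\s*", "/", dn)  # wrapped straight after a '/': no space belongs there
    dn = re.sub(r"\s*\n\s*", " ", dn)   # wrapped inside a component: one space
    dn = re.sub(r"/\s+", "/", dn)       # stray space after a separator
    return re.sub(r" {2,}", " ", dn).strip()


def ignore_mailbox_lines(log_text):
    """One IgnoreMailbox= line per distinct failing mailbox, in log order."""
    seen = []
    for match in _ERROR.finditer(log_text):
        dn = normalise_dn(match.group("dn"))
        if dn not in seen:
            seen.append(dn)
    return ["IgnoreMailbox=" + dn for dn in seen]


def exchange_section(log_text):
    """The [Exchange] fragment to merge into EXCHANGE.CFG."""
    return "\n".join(["[Exchange]"] + ignore_mailbox_lines(log_text)) + "\n"


# Constructed log excerpt in the shape shown above: the first entry is the
# note's own example (repeated later to show de-duplication), the second
# is an invented connector whose name is wrapped mid-component.
SAMPLE_LOG = """\
10:02:11 MAILsweeper for Exchange starting
10:02:12 Error opening mailbox with email address: /
O=ORGANISATION/OU=SITE/CN=CONFIGURATION/
CN=CONNECTIONS/CN=CC:MAIL CONNECTOR (SERVER1)
(0x8004011d)
10:02:12 Error opening mailbox with email address: /O=ORGANISATION/OU=SITE/
CN=CONFIGURATION/CN=CONNECTIONS/ CN=NOTES
CONNECTOR (SERVER1) (0x8004011d)
10:02:12 Error opening mailbox with email address: /
O=ORGANISATION/OU=SITE/CN=CONFIGURATION/
CN=CONNECTIONS/CN=CC:MAIL CONNECTOR (SERVER1)
(0x8004011d)
10:02:13 Error 14011: service failed to start
"""

if __name__ == "__main__":
    print(exchange_section(SAMPLE_LOG), end="")
```

Paste the printed fragment into the [Exchange] section of EXCHANGE.CFG; each mailbox that could not be opened then passes through unscanned, so review the list rather than adding every entry blindly.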

SMTP

MAILsweeper Default Domain Setting

As MAILsweeper is acting as a relay to your existing email gateway, you should ensure the default domain is configured to be something other than your actual domain name.

For example, if your domain is myco.com, configure your default domain in the Domains tab to be msw.myco.com. If the default domain (indicated with a red dot) is a valid domain name then all mail addressed to that domain will have the domain section stripped off. MAILsweeper will attempt to deliver all messages locally and will fail.

MAILsweeper Routing settings

In some instances you may be required to send all non local outgoing mail to a specific mailhost, in addition to routing local incoming mail to the SMTP gateway. To do this you would add an additional route for
*.* <IP address/hostname> force.

However, if this entry appears above the local domain route, all mail will be sent to the outbound mailhost. Incoming mail will then loop continuously, as the mailhost sends it back to the MAILsweeper host, which sends it out again. Delivery will eventually fail because the message exceeds the maximum number of permissible hops. The error message you will get is:

"Too many Received Headers." 

To rectify this ensure that the *.* route is the last route in the table.
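The two pitfalls above (a default domain equal to the real domain, and a *.* route placed above the local domain route), worked through as an added example that is not part of the release note or of MIMEsweeper. The route-matching semantics, the hop limit and every host name in it are assumptions made for the illustration; the actual limit on Received headers is not stated in the note.

```python
"""Model of the two MAILsweeper SMTP pitfalls described above: a default
domain equal to the real domain, and a '*.*' route placed above the
local domain route.  Added example, not MIMEsweeper code.  Assumed
semantics, modelled on the text: routes are matched top to bottom and
the first match wins; '*.*' matches any domain; a recipient whose domain
equals the default domain has the domain stripped and is stored locally;
an outside relay hands the message to the domain's MX; delivery fails
with 'Too many Received Headers.' once MAX_HOPS is exceeded.  All host
names are constructed for the example.
"""
import fnmatch

MAX_HOPS = 10  # assumed hop limit; the real limit is not stated in the note


def resolve(recipient, default_domain, routes):
    """Decide what MAILsweeper does with one recipient address.

    Returns ('local', user) when the domain is the default domain, or
    ('relay', host) for the first matching route (host None if no route).
    routes: list of (domain_pattern, host, force) as in the Routing table.
    """
    user, _, domain = recipient.rpartition("@")
    domain = domain.lower()
    if domain == default_domain.lower():
        return ("local", user)  # domain part stripped, delivered on this host
    for pattern, host, _force in routes:  # 'force' is recorded, not modelled
        if fnmatch.fnmatchcase(domain, pattern.lower()):
            return ("relay", host)
    return ("relay", None)


def deliver(recipient, default_domain, routes, this_host, mx, final_hosts):
    """Follow the message from MAILsweeper until it is delivered or loops out.

    mx maps a domain to the host that accepts its mail from outside;
    final_hosts are hosts that deliver to mailboxes (the internal gateway
    and remote mail servers).
    """
    domain = recipient.rpartition("@")[2].lower()
    host, hops = this_host, 0
    while True:
        hops += 1  # one Received: header per hop
        if hops > MAX_HOPS:
            return "Too many Received Headers."
        if host == this_host:
            kind, target = resolve(recipient, default_domain, routes)
            if kind == "local":
                return f"stored locally for {target}"
            if target is None:
                return f"no route for {domain}"
            host = target
        elif host in final_hosts:
            return f"delivered by {host}"
        else:
            # An outside smart host: it relays to the domain's MX, which for
            # our own domain is MAILsweeper itself: the loop in the note.
            host = mx.get(domain)
            if host is None:
                return f"bounced by relay: unknown domain {domain}"


# Constructed topology: MAILsweeper is the MX for myco.com and relays
# inbound mail to the Exchange/SMTP gateway, outbound mail to an ISP host.
THIS_HOST = "msw.myco.com"
MX = {"myco.com": THIS_HOST, "other.example": "mail.other.example"}
FINAL_HOSTS = {"exchange.myco.com", "mail.other.example"}
# Wrong order: '*.*' first, so inbound mail for myco.com goes to the ISP.
BAD_ROUTES = [("*.*", "smarthost.isp.example", True),
              ("myco.com", "exchange.myco.com", False)]
# Correct order: local domain first, '*.*' last in the table.
GOOD_ROUTES = [("myco.com", "exchange.myco.com", False),
               ("*.*", "smarthost.isp.example", True)]


def demo():
    """Outcomes for the configurations discussed in the note."""
    return {
        "good routes, default domain msw.myco.com":
            deliver("bob@myco.com", "msw.myco.com", GOOD_ROUTES, THIS_HOST, MX, FINAL_HOSTS),
        "bad routes, default domain msw.myco.com":
            deliver("bob@myco.com", "msw.myco.com", BAD_ROUTES, THIS_HOST, MX, FINAL_HOSTS),
        "good routes, default domain myco.com (wrong)":
            deliver("bob@myco.com", "myco.com", GOOD_ROUTES, THIS_HOST, MX, FINAL_HOSTS),
        "outbound mail":
            deliver("alice@other.example", "msw.myco.com", GOOD_ROUTES, THIS_HOST, MX, FINAL_HOSTS),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:45} -> {outcome}")
```

The third case shows the default-domain mistake in isolation: with the correct route order but the default domain set to myco.com, inbound mail never reaches the routing table at all, because the domain is stripped and the message is kept on the MAILsweeper host.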


Supported anti-virus products


This table lists the most recent versions of anti-virus tools proven to work with MIMEsweeper. This does not necessarily preclude other versions - for more information see the `It works with MIMEsweeper' page of the MIMEsweeper web-site at:

http://www.mimesweeper.com

Anti-virus tool                                   Version
Cybec VET for MS-DOS                              9.85
Cybec VET NT*                                     9.85
Dr. Solomon's for MS-DOS                          7.88
Dr. Solomon's for Windows NT*                     7.88
F-PROT Professional MS-DOS*                       4.52
IBM Anti-Virus                                    4.0
McAfee for MS-DOS (Scan)                          3.20
McAfee for Windows NT (Scan32)                    3.0.3
McAfee for Windows NT Command Line (NTScan)       3.15
Norton AntiVirus for Windows NT                   4.0
  (requires special interface software**)
NTSweep for Windows NT Command Line*              3.14
ThunderBYTE for MS-DOS*                           8.08

DLL-based scanners
VALsweep*                                         3.14
Cyberbuster32*                                    5.0
 

*Supplied on CD for evaluation purposes.

**Supplied on CD under \UNSUPP directory.

ThunderByte

ThunderByte versions 8.01 and 8.02 do not function correctly with MIMEsweeper. The 8.05 version (and later) requires the ae and $w command line options. MIMEsweeper automatically adds these options for new installs. Users upgrading from a previous release of MIMEsweeper will have to add these options in the [TBAV] configuration section of VALIDATE.CFG for MAILsweeper, or HTTP.CFG and FTP.CFG for WEBsweeper, if they are using version 8.05 and later.

Vet NT

The Windows NT version of VET is now supported from version 9.5 onwards.

Existing MIMEsweeper users upgrading to MIMEsweeper 3.2 will need to add the /ext=* command line parameter if they are using VET NT 9.61 or later. New MIMEsweeper installs add this parameter automatically.

McAfee for NT (SCAN32)

Versions of the GUI variant (SCAN32) later than 3.0.3 do not work with MIMEsweeper because they no longer return an error level indicating the result of the scan. However, the batch file McAfee.bat (in the \UNSUPP directory) provides a workaround; see McAfeebat.txt for more information. The command-line variant (NTSCAN) does not suffer from this problem.

McAfee for NT (NTSCAN) and McAfee for DOS

Later versions require an extra MIMEsweeper configuration option, the TempFileType= directive (see Temporary file names for validators below for details). This is because files without an executable extension (.EXE or .COM) are not checked for executable viruses, and MIMEsweeper operates on temporary files with no extension. This option is required by version 3.15 and later. It is not required by 3.0.3.

New MIMEsweeper installations automatically enable this switch. Users upgrading their MIMEsweeper should add this option manually if they are using one of these versions of McAfee.

McAfee for DOS 3.0.4 cannot be used with MIMEsweeper because it accesses the hard disc directly.

Norton

Special interface software is required to operate with MIMEsweeper - see NORTON1.TXT and NORTON2.TXT in the \UNSUPP directory on the MIMEsweeper CD-ROM.

This interface software is unsupported. The performance is poor due to limitations of interfacing to the Norton scanner.
 

The beeping can be disabled by starting up Norton Antivirus from the Start menu - selecting Options - clicking on the Alerts tab, and unchecking the sound audible alert box.

NTSweep for Windows NT Command Line

Version 3.07 exhibits a problem whereby over a period of time memory resources are exhausted (typically after about 11,000 scans), causing the PC to lock up, or crash with a blue screen error message. This is actually due to a problem in Windows NT 4.0, for which there is a patch available from Microsoft. See article Q171180 in the Microsoft Knowledge Base for details: http://support.microsoft.com/support/kb/articles/q171/1/80.asp.

Sophos intend to work around this problem in a later version of NTSweep, so the patch will not be required. The preferred solution is to switch to the DLL-based version of NTSweep, which has the added benefit of improved performance.

CyberBuster and VALsweep

The CyberBuster and VALsweep DLL based scanners for MIMEsweeper 3.1 are not compatible with MIMEsweeper 3.2. New versions of these scanners are required.

Dr Solomon's for Windows NT

In version 7.78 the /NOMEM option was renamed to /NM and the /DECRYPT/SILENT option should no longer be used. New installations of MIMEsweeper assume version 7.78 or later. If you have a version before 7.78 you should change the command line options in VALIDATE.CFG for MAILsweeper, and HTTP.CFG and FTP.CFG for WEBsweeper.

If you are upgrading an existing MIMEsweeper, your existing command line options will be preserved. If you later upgrade to 7.78 or later of Dr Solomon's, you should change your command line settings in the above files accordingly.

MIMEsweeper is incompatible with the /REPAIR option.
 


Additional Information


cc:Mail

Due to exceptions raised by the Lotus VIM library, cc:Mail MAILsweeper systems occasionally shut down. They can be restarted immediately, and will continue from where they left off. This can be achieved automatically by running the batch file CHECK.BAT, supplied in the \UNSUPP directory on the CD.

cc:Mail MAILsweeper could in some circumstances interpret bulletin board transfers as message transfers. This is due to incorrect information being returned by the Lotus VIM API. A configuration option "Ignore" has been added to the cc:Mail post office section, allowing bulletin board addresses to be ignored by MAILsweeper, using the syntax:

        Ignore=#Bulletin Board at Postoffice

For example:

        Ignore="#Test at PO1"

Exchange

Memory leak in MAPI DLLs

Because of a problem in the Microsoft MAPI DLLs, the amount of memory consumed by MIMEsweeper for Microsoft Exchange may increase gradually over time. Until Microsoft address this problem, the work-around is to periodically stop and restart the MAILsweeper service. The Microsoft Knowledge Base reference for the problem is Q169680.

This problem only applies to servers with more than 240 active mailboxes. The increase is approximately 100 bytes per message, or 1 MB for every 10,000 messages. We recommend that the MAILsweeper service is restarted every 50,000 messages or so (ie. 5 MB). Obviously how frequently this needs to be performed depends on how busy your Exchange server is. Note that the Exchange server does not need to be restarted.

See the technical note on the MIMEsweeper web site which describes how to schedule a regular stop and restart of the MAILsweeper service.

New mail notification

If enabled, the Exchange client new mail notification (beep, change cursor, show message box) occurs as soon as new mail is received. There will be a short delay before the message appears in the Inbox while MIMEsweeper scans the mail. The Read mail now button on the new mail notification message box should not be used as it is possible to view the message before MIMEsweeper has finished scanning it. This problem can be avoided by installing the Personal Folders service on the Exchange client; in this case the new mail notification does not occur until the message appears in the Personal Folder, which is after MIMEsweeper has scanned the message.

Inbox Assistant/Out of Office Assistant rules

MIMEsweeper intercepts incoming mail before it reaches the user's inbox. A side-effect of this is that any rules defined for new mail in the Inbox Assistant or Out of Office Assistant are not executed. A work-around for this is to disable the MIMEsweeper intercept. This means that new mail is scanned shortly after it has arrived in the user's inbox. Whilst this enables the rules to execute, it also means that there is the potential for new mail to be viewed before MIMEsweeper has finished scanning it.

Disabling the intercept

There are two reasons to disable the MIMEsweeper intercept:

1. When deinstalling MIMEsweeper
2. To enable Inbox Assistant/Out of Office Assistant rules

When deinstalling MIMEsweeper, it is important to remove the intercept, otherwise no email will reach the recipients' Inbox. This can be achieved using the Untarget utility with the ALL command line option (see below), or by setting the ClearInterceptOnShutdown=TRUE directive in the EXCHANGE.CFG configuration file before starting the MAILsweeper service for the last time.

For example:

[Exchange]
...
ClearInterceptOnShutdown=TRUE

To enable Inbox Assistant/Out of Office Assistant rules to operate, use the Untarget utility (see below). You will also need to set the InterceptOnStartup=FALSE directive in the EXCHANGE.CFG configuration file to stop the MAILsweeper service re-enabling the intercept the next time it is restarted, for example:

[Exchange]
...
InterceptOnStartup=FALSE
ClearInterceptOnShutdown=FALSE

The Untarget utility (untarget.exe)

This utility, found in the \UNSUPP folder on the MIMEsweeper CD-ROM, can be used to disable the MIMEsweeper intercept.

With the intercept removed, MIMEsweeper will start scanning the mail shortly after it has arrived in the user's Inbox, hence there is a short window of time in which the user can view the mail before MIMEsweeper has finished scanning it.
 

Untarget can be executed with the MAILsweeper service started or stopped. Any pending messages will be moved immediately to the user's Inbox. MAILsweeper will start scanning mail as it arrives in the Inbox. The syntax of the Untarget command is:

UNTARGET profilename password [ALL]

or

UNTARGET profilename NONE [ALL]

where profilename is the name of the profile used by MIMEsweeper (default "MAILsweeper"), and password is the NT password of the primary NT account of the mailbox used by MIMEsweeper (in practice, this is rarely required, so try a password of "NONE" first). The ALL option should only be used when Untarget is being executed as part of the MIMEsweeper deinstallation process; it removes the intercept from system mailboxes (for example, connectors) as well as user mailboxes.

Adding legal disclaimers (AME)

Please note that these can only be added to internal mail. This facility is not available for mail sent via the Internet connector of an Exchange system.

Detecting Attachments Sent As Shortcuts

Using an Exchange client, it is possible to send an email attachment as a shortcut. This means that a reference to the attachment's file location is embedded in the mail, not a copy of the file itself. Clearly this is only a viable option when the intended recipient shares a common file store with the email originator. As the email contains only the file location, not a copy of the file itself, MIMEsweeper is unable to scan the attachment. To counter this, however, MIMEsweeper provides the option of blocking all mail containing shortcut attachments. This is not enabled by default. To enable this option, edit VALIDATE.CFG as follows:

First, ensure the attribute validator is enabled in the [Validation] section:

[Validation]
...
ValidateAttributes=VALATTR

Next, add a test for the shortcut attribute to the [ValidateAttributes] section:

[ValidateAttributes] 
...
Shortcut=AttachedShortcut==1

Then, in MIMESWP.CFG, add a disposal action to the [Disposal] section:

[Disposal]
...
Shortcut=BlockShortcut

Finally, define the actions for the new disposal action by adding a new section to MIMESWP.CFG:

[BlockShortcut]
Quarantine=BlockQuarantine
Inform=ShortcutList

This example also sends an inform message, so an inform section is also required:

[ShortcutList]
FromAdr=%SERVER%
ToAdr=%ADMIN%
Subject=A message with a shortcut attachment was blocked.
Body=C:\MSW\Config\BLOCK.TXT

SMTP

Blocking mail with overlength name fields

These messages are designed to exploit an email security flaw found in Microsoft's Outlook and Netscape Mail, triggered by an attachment with an overlength name. Further information on this security flaw can be found at

www.ciac.org/ciac/bulletins/i-077a.shtml

To block these messages with MAILsweeper, alter the configuration as follows (these examples assume that MIMEsweeper is installed in the default directory C:\MSW):

1. Add a line to the [ValidateAttributes] section in VALIDATE.CFG:

LongName=AttachmentNameLength>200

2. Add a line to the [Disposal] section in MIMESWP.CFG, immediately before the HaveSize=BlockSize entry:

LongName=BlockName

3. Add the following sections to the file MIMESWP.CFG:

[BlockName]
Inform=NameList
Quarantine=BlockQuarantine

[NameList]
FromAdr=%SERVER%
ToAdr=%ADMIN%
Subject=A message with a long attachment name was blocked.
Body=C:\MSW\CONFIG\BLKNAME.TXT

4. Create a new file C:\MSW\CONFIG\BLKNAME.TXT with the following lines:

A mail message with subject "%SUBJECT%" has been blocked
from being delivered, because it contained an attachment
with a long name, and this represents a potential security
threat.

The message was sent from %SENDER% to the following:
%RCPTS%

5. Stop and restart the MAILsweeper service to bring the changes into effect.
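The five steps above, together with the shortcut-attachment rule in the Exchange section earlier (which has the same Attribute, operator, value shape), worked through as an added example that is not part of the release note or of MIMEsweeper: it parses a MIME message, computes the attachment name length, applies the LongName rule and fills the BLKNAME.TXT placeholders. The rule-table layout, the parser and both sample messages are constructed, and reading AttachmentNameLength as the length of the longest attachment name in the message is an assumption of this example, not a statement of the note.

```python
"""Apply the LongName=AttachmentNameLength>200 rule to a MIME message and
render the BLKNAME.TXT inform text.  Added example, not MIMEsweeper code:
the attribute name, the threshold and the %SUBJECT%/%SENDER%/%RCPTS%
placeholders are taken from the release note; the rule table shape, the
parser and the sample messages are constructed here.  Assumption:
AttachmentNameLength is the length of the longest attachment name in the
message.
"""
import email

# Rules in the shape of the [ValidateAttributes] lines: name -> (attribute, op, value).
# The Shortcut=AttachedShortcut==1 rule from the Exchange section has the same
# shape but tests a MAPI property that a MIME parser cannot see, so it is
# not computed here.
ATTRIBUTE_RULES = {"LongName": ("AttachmentNameLength", ">", 200)}
OPERATORS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}


def attachment_names(msg):
    """Name of every non-multipart part that carries a filename or name parameter."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_param("name")
        if name:
            names.append(name)
    return names


def message_attributes(msg):
    """Compute the attributes the rules can test."""
    names = attachment_names(msg)
    return {"AttachmentNameLength": max((len(n) for n in names), default=0)}


def evaluate(msg, rules=ATTRIBUTE_RULES):
    """Return the names of the rules that fire, in table order."""
    attrs = message_attributes(msg)
    return [name for name, (attr, op, value) in rules.items()
            if attr in attrs and OPERATORS[op](attrs[attr], value)]


BLKNAME_TXT = (
    'A mail message with subject "%SUBJECT%" has been blocked\n'
    "from being delivered, because it contained an attachment\n"
    "with a long name, and this represents a potential security\n"
    "threat.\n"
    "\n"
    "The message was sent from %SENDER% to the following:\n"
    "%RCPTS%\n"
)


def render_inform(template, msg):
    """Fill the placeholders used by the note's inform body."""
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    values = {"%SUBJECT%": msg.get("Subject", ""),
              "%SENDER%": msg.get("From", ""),
              "%RCPTS%": ", ".join(rcpts)}
    for placeholder, value in values.items():
        template = template.replace(placeholder, str(value))
    return template


def check(raw_message):
    """Parse a message; return (fired rules, inform text or None)."""
    msg = email.message_from_string(raw_message)
    fired = evaluate(msg)
    inform = render_inform(BLKNAME_TXT, msg) if "LongName" in fired else None
    return fired, inform


# Constructed sample: an attachment name of 254 characters, well over the
# 200-character threshold; the attachment body is just base64 of "Hello".
LONG_NAME = "A" * 250 + ".exe"
OVERLENGTH_MESSAGE = (
    "From: attacker@example.test\n"
    "To: bob@myco.com\n"
    "Cc: alice@myco.com\n"
    "Subject: Quarterly figures\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached.\n"
    "--b1\n"
    f'Content-Type: application/octet-stream; name="{LONG_NAME}"\n'
    f'Content-Disposition: attachment; filename="{LONG_NAME}"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "SGVsbG8=\n"
    "--b1--\n"
)
NORMAL_MESSAGE = OVERLENGTH_MESSAGE.replace(LONG_NAME, "figures.xls")

if __name__ == "__main__":
    fired, inform = check(OVERLENGTH_MESSAGE)
    print("rules fired:", fired)
    print(inform)
    print("normal message fires:", check(NORMAL_MESSAGE)[0])
```

Both the Content-Disposition filename and the Content-Type name parameter are measured, since a client may honour either; the threshold is the note's 200, and lowering it only changes the value in ATTRIBUTE_RULES.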

Forwarding mail addressed to the local host

By default, incoming mail addressed to user@local.host.name, where local.host.name is the host name of the MIMEsweeper PC, will be treated the same as incoming mail addressed to the default local domain, ie. it will be stored locally, not forwarded using the routing and alias table.

This presents a problem when the MIMEsweeper PC is shared with a mail server: MIMEsweeper should forward mail that is addressed to the local host name to the mail server. To this end, a new parameter has been added to the MIMEsweeper configuration: IgnoreLocalHostNames. When this parameter is set (it is not set by default), MIMEsweeper treats mail addressed to the local host name the same as mail to any other non-local domain, that is, it is forwarded using the routing and alias tables.

This parameter can only be set using the Registry Editor. The Registry path is:

HKEY_LOCAL_MACHINE\SOFTWARE\Content Technologies\MIMEsweeper

You should create a new DWORD value as follows:

IgnoreLocalHostNames = 1

To return to the default behaviour, delete the value or set it to zero.

MAILsweeper Console `Misc' Property Page

In the `Reject all incoming mail from these hosts', `Accept mail for relay from these hosts', and `Accept mail for relay to these domains' fields, an exclamation mark (!) can be used to indicate an exception to a group of addresses/domains specified using the wildcard character. An exception should only be used when it is followed by a group of addresses, never on its own.

For example, to specify `everything except spammer.com', specify the following:

!spammer.com, *

Temporary file names for validators

In the name of increased performance, some anti-virus tools will only scan for executable viruses in files with executable extensions (*.EXE, *.COM).

This presents a problem because MIMEsweeper operates on temporary files with no extension. Often the AV tool provides a command line option to enable scanning of all file types, in which case MIMEsweeper enables the option. Where no such command line option exists, MIMEsweeper must rename the temporary file before calling the AV tool. This is the purpose of the TempFileType= configuration directive in VALIDATE.CFG.

Of the list of AV tools supported by MIMEsweeper, the only ones currently requiring this option are McAfee for Windows NT Command Line (NTScan) 3.15 and later, and McAfee for MS-DOS (Scan) 3.15 and later.

The following excerpt from VALIDATE.CFG is the section for McAfee for Windows NT Command Line:

[McAfeeNT]
PerformIf=ContainerClass==Executable
PerformIf=ContainerClass==Document
PerformIf=ContainerClass==Text
PerformIf=ContainerClass==Binary
ExeName=C:\VIRUSCAN\NTSCAN.EXE
CmdLine=%s /NODDA /NOBEEP /NOCOMP /ALL /REPORT %s
FilePos=0
LogPos=1
TempFileType=exe
0=SUCCESS
1=SCANFAILED
13=VIRUSPRESENT

The TempFileType= directive ensures the temporary file has a .EXE extension before being passed to the AV tool.
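As an added example (not MIMEsweeper code and not part of the original note), the following script does what the [McAfeeNT] section above asks the product to do, and what the McAfee NTSCAN/DOS note earlier relies on: fill the %s slots by FilePos and LogPos, rename the extensionless temporary file to .exe when TempFileType= is set, and map the scanner's exit code through the numeric result lines. Because NTSCAN.EXE cannot run here, a stand-in scanner script written to a temporary directory takes its place; the stand-in, the X-TEST-MARKER byte string and the file contents are constructed, and the stand-in's habit of skipping files without an executable extension mirrors the scanner behaviour the note describes, not any real McAfee option.

```python
"""Run a scanner the way a VALIDATE.CFG section describes it: build the
command line from ExeName/CmdLine with the %s slots chosen by FilePos and
LogPos, rename the extensionless temporary file when TempFileType= is set,
and map the exit code through the numeric result lines.  Added example,
not MIMEsweeper code.  To run offline, NTSCAN.EXE is replaced by a
stand-in Python script (STUB_SCANNER, written to a temporary directory)
that ignores files without an .exe/.com extension and exits 13 when the
file contains the constructed marker X-TEST-MARKER, which reproduces the
behaviour the note describes.  The [McAfeeNT] text is the note's excerpt.
"""
import os
import shutil
import subprocess
import sys
import tempfile

MCAFEE_SECTION = """\
[McAfeeNT]
PerformIf=ContainerClass==Executable
PerformIf=ContainerClass==Document
PerformIf=ContainerClass==Text
PerformIf=ContainerClass==Binary
ExeName=C:\\VIRUSCAN\\NTSCAN.EXE
CmdLine=%s /NODDA /NOBEEP /NOCOMP /ALL /REPORT %s
FilePos=0
LogPos=1
TempFileType=exe
0=SUCCESS
1=SCANFAILED
13=VIRUSPRESENT
"""

# Stand-in for NTSCAN.EXE (constructed): scans only executable extensions.
STUB_SCANNER = r"""
import sys
args = sys.argv[1:]
target, report = args[0], args[args.index("/REPORT") + 1]
if not target.lower().endswith((".exe", ".com")):
    open(report, "w").write("skipped: no executable extension\n")
    sys.exit(0)  # reported clean without looking: the trap the note warns about
infected = b"X-TEST-MARKER" in open(target, "rb").read()
open(report, "w").write("infected\n" if infected else "clean\n")
sys.exit(13 if infected else 0)
"""


def parse_section(text):
    """Parse one validator section into a dict; numeric keys become the result map."""
    section = {"PerformIf": [], "results": {}}
    for line in text.splitlines():
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        if key == "PerformIf":
            section["PerformIf"].append(value)
        elif key.isdigit():
            section["results"][int(key)] = value
        else:
            section[key] = value
    return section


def build_argv(section, file_path, log_path):
    """Fill the %s slots of CmdLine according to FilePos and LogPos."""
    slots = {int(section["FilePos"]): file_path, int(section["LogPos"]): log_path}
    parts = section["CmdLine"].split("%s")
    cmdline = "".join(p + slots.get(i, "") for i, p in enumerate(parts[:-1])) + parts[-1]
    exe = section["ExeName"]
    prefix = [sys.executable, exe] if exe.endswith(".py") else [exe]  # stub needs an interpreter
    return prefix + cmdline.split()  # assumes no spaces in the paths


def scan(section, temp_file):
    """Scan one extensionless temporary file; return (result name, exit code, report text)."""
    path = temp_file
    if section.get("TempFileType"):
        path = temp_file + "." + section["TempFileType"]
        os.rename(temp_file, path)  # give the scanner the extension it insists on
    report = path + ".rpt"
    rc = subprocess.call(build_argv(section, path, report))
    result = section["results"].get(rc, "SCANFAILED")  # unknown code: fail closed
    report_text = open(report).read() if os.path.exists(report) else ""
    return result, rc, report_text


def demo(temp_file_type):
    """Scan a constructed 'infected' file with TempFileType= set to the given value, or absent."""
    workdir = tempfile.mkdtemp()
    try:
        stub = os.path.join(workdir, "ntscan_stub.py")
        with open(stub, "w") as f:
            f.write(STUB_SCANNER)
        section = parse_section(MCAFEE_SECTION)
        section["ExeName"] = stub
        if temp_file_type is None:
            section.pop("TempFileType")
        else:
            section["TempFileType"] = temp_file_type
        sample = os.path.join(workdir, "MSW0001")  # MIMEsweeper-style name, no extension
        with open(sample, "wb") as f:
            f.write(b"MZ" + b"\x00" * 16 + b"X-TEST-MARKER")
        return scan(section, sample)[0]
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("TempFileType=exe :", demo("exe"))   # VIRUSPRESENT
    print("no TempFileType  :", demo(None))    # SUCCESS, i.e. the virus is missed
```

The second run is the upgrade failure mode the note warns about: the scanner returns its success code for a file it never examined, and nothing in the exit-code map can tell that apart from a genuine clean result.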

URL blockers

The sample URL blocker can be used to block multiple URLs by loading multiple instances of the sample. However, due to a limitation of the sample, it is necessary to copy the DLL to a new file with a different name. This is intended only as an example of the functionality that can be provided by a URL blocker.

For example:

[URLBlockers]
Instance1=C:\Msw\Program\UBK_Demo.dll
Instance2=C:\Msw\Program\UBK_Dem2.dll

[Instance1]
BlockURL=http://www.first_URL_to_block
BlockMessage=Access to the first_URL_to_block is not permitted

[Instance2]
BlockURL=http://www.second_URL_to_block
BlockMessage=Access to the second_URL_to_block is not permitted


Viewing the Documentation


The Administrator's Guide and Release Notes are provided on the MIMEsweeper CD-ROM in HTML format, in the directory \DOC.

The Administrator's Guide comes in several files. Opening the file MANUAL.HTM will bring the front page into the default browser for the system, and the remainder of the guide can be accessed from there.

These Release Notes are in a file called RELNOTES.HTM in the \DOC directory.


Enhancements in 3.2 release


The following list summarises the enhancements made to MIMEsweeper:


Problems solved in 3.2_4 release


Exchange

WEBsweeper

MSW

NMAWNT

SMTP

Install

UUE

VALsweep


Problems solved in 3.2_3 release


ARJ

SMTP

MIME

VALHTML


Problems solved in 3.2_2 release


WSW

        ftp://user one:password@ftpsite/


should be:

        ftp://user%20one:password@ftpsite/

ARJ

CDA

Image

SMTP

VALHTML

Exchange

NWA


Problems solved in 3.2_1 release


Many problems have been solved in this release. The more commonly occurring ones are listed here:

General

SMTP

cc:Mail

Notes

WSW

CDA

GZIP

ZIP

UUE

BINHEX

MIME

NWA

LEX

INSTALL


Known product limitations


Since MIMEsweeper is a security product, any known limitations will not be reported in these release notes.

If problems are being experienced, contact technical support at your local office for assistance.


\UNSUPP directory


The following are available from the \UNSUPP directory on the CD. All items are supplied as unsupported utilities.

Check \\MyMachine 60

This batch file also requires the two programs SLEEP.EXE and NETSVC.EXE, which are also in this directory.


Example files


Example files are provided as follows:

SITEBLK.TXT is a configuration file for Lexical Analysis to enable WEBsweeper to block access to sites with inappropriate material.

Because this file has been configured to block Web sites found to contain material of an offensive nature, it contains strong language and may offend.
 

EXPLIST.TXT is a sample configuration file for Lexical Analysis to demonstrate the basic principles.

MAILsweeper for cc:Mail example post offices. For further information see the file ccmpo_eg.txt.

AUTHFILE.TXT is a sample AMUcheck file. There is one for each mail system.

PICSMAP.CFG is a sample PICs rating file for WEBsweeper.

Sample SMTP messages.



msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.