04-09-2017 09:27 PM
Hi friends,
Need a help.
We have deployed an ESAV C300v (for more than 1k employees) on the ESXi platform. We have not purchased any license yet; we are still running the demo version. Before purchasing, I want to confirm: will I be able to enable both antivirus engines, McAfee and Sophos, in this virtual appliance C300v? To run both antivirus engines at the same time, what should I have/do?
Appreciate your support.
thank you.
Jamshed
Solved!
04-10-2017 05:15 AM
Yes - the ESA will run both AV engines at the same time. You will see them scan and act separately.
Examples:
Mon Apr 10 12:09:28 2017 Info: MID 837 ICID 658 From: <robsherw@ubuntu.local>
Mon Apr 10 12:09:28 2017 Info: MID 837 ICID 658 RID 0 To: <robsherw@esa.av>
Mon Apr 10 12:09:28 2017 Info: MID 837 Message-ID '<c2a4cb$ma@120.local>'
Mon Apr 10 12:09:28 2017 Info: MID 837 Subject 'AV testing'
Mon Apr 10 12:09:28 2017 Info: MID 837 ready 37792 bytes from <robsherw@ubuntu.local>
Mon Apr 10 12:09:28 2017 Info: MID 837 matched all recipients for per-recipient policy <|__AV_ONLY__|> in the inbound table
Mon Apr 10 12:09:29 2017 Info: MID 837 interim AV verdict using McAfee VIRAL
Mon Apr 10 12:09:29 2017 Info: MID 837 antivirus positive 'W97M/Downloader.brm'
Mon Apr 10 12:09:29 2017 Info: Message aborted MID 837 Dropped by antivirus
Mon Apr 10 12:09:29 2017 Info: Message finished MID 837 done
Here, McAfee sees it as viral, takes action first, and drops the mail --- it never gets through the mail processing pipeline for Sophos to scan.
Mon Apr 10 12:10:45 2017 Info: MID 838 ICID 659 From: <robsherw@ubuntu.local>
Mon Apr 10 12:10:45 2017 Info: MID 838 ICID 659 RID 0 To: <robsherw@esa.av>
Mon Apr 10 12:10:45 2017 Info: MID 838 Message-ID '<c2a4cb$me@120.local>'
Mon Apr 10 12:10:45 2017 Info: MID 838 Subject 'AV testing'
Mon Apr 10 12:10:45 2017 Info: MID 838 ready 670172 bytes from <robsherw@ubuntu.local>
Mon Apr 10 12:10:45 2017 Info: MID 838 matched all recipients for per-recipient policy <|__AV_ONLY__|> in the inbound table
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using McAfee ENCRYPTED
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using Sophos VIRAL
Mon Apr 10 12:10:45 2017 Info: MID 838 antivirus positive 'Mal/DrodZp-A'
Mon Apr 10 12:10:46 2017 Info: Message aborted MID 838 Dropped by antivirus
Mon Apr 10 12:10:46 2017 Info: Message finished MID 838 done
Mon Apr 10 12:10:50 2017 Info: ICID 659 close
McAfee sees this file as encrypted. AV cannot see into an encrypted (password-encrypted) file. However, since Sophos had this encrypted file previously marked as malicious, known in the IDE library, it takes the drop action.
Mon Apr 10 12:11:46 2017 Info: MID 839 ICID 660 From: <robsherw@ubuntu.local>
Mon Apr 10 12:11:46 2017 Info: MID 839 ICID 660 RID 0 To: <robsherw@esa.av>
Mon Apr 10 12:11:46 2017 Info: MID 839 Message-ID '<c2a4cb$mi@120.local>'
Mon Apr 10 12:11:46 2017 Info: MID 839 Subject 'AV testing'
Mon Apr 10 12:11:46 2017 Info: MID 839 ready 301838 bytes from <robsherw@ubuntu.local>
Mon Apr 10 12:11:46 2017 Info: MID 839 matched all recipients for per-recipient policy <|__AV_ONLY__|> in the inbound table
Mon Apr 10 12:11:51 2017 Info: ICID 660 close
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using McAfee CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using Sophos CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 antivirus negative
Mon Apr 10 12:12:01 2017 Info: MID 839 queued for delivery
Mon Apr 10 12:12:01 2017 Info: Delivery start DCID 0 MID 839 to RID [0]
Mon Apr 10 12:12:01 2017 Info: Message done DCID 0 MID 839 to RID [0] [('X-IronPort-AV', 'E=McAfee;i="5800,7501,8493"; a="839"'), ('X-IronPort-AV', 'E=Sophos;i="5.37,182,1488844800"; \r\n d="xml\'?fdoc\'?scan\'72,145,208,48?rels\'72,145,208,48?jpg\'72,145,208,48,145?dict\'72,145,208,48,145?xps\'72,145,208,48,145,72,48";a="839"')]
Mon Apr 10 12:12:01 2017 Info: MID 839 RID [0] Response '/dev/null'
Mon Apr 10 12:12:01 2017 Info: Message finished MID 839 done
Both clean --- I have logheaders enabled to record the AV headers... so they are included, showing the engine versions and IDEs.
Hope that helps.
-Robert
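To make the per-engine behaviour in these mail_logs excerpts easy to audit at scale, here is a small parser (added here; not Robert's code and not a Cisco tool) that groups interim AV verdicts by MID, records the final disposition, and flags messages where one engine returned ENCRYPTED and the drop rested on the other engine alone. The sample lines are the verdict and disposition lines from the three messages above; the function name `summarize_av` is an assumption.

```python
import re
from collections import defaultdict

# Sample mail_logs lines taken from the three test messages in the post above
# (From/To/Subject lines omitted; only verdict and disposition lines matter here).
SAMPLE_LOG = """\
Mon Apr 10 12:09:29 2017 Info: MID 837 interim AV verdict using McAfee VIRAL
Mon Apr 10 12:09:29 2017 Info: MID 837 antivirus positive 'W97M/Downloader.brm'
Mon Apr 10 12:09:29 2017 Info: Message aborted MID 837 Dropped by antivirus
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using McAfee ENCRYPTED
Mon Apr 10 12:10:45 2017 Info: MID 838 interim AV verdict using Sophos VIRAL
Mon Apr 10 12:10:45 2017 Info: MID 838 antivirus positive 'Mal/DrodZp-A'
Mon Apr 10 12:10:46 2017 Info: Message aborted MID 838 Dropped by antivirus
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using McAfee CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 interim AV verdict using Sophos CLEAN
Mon Apr 10 12:12:01 2017 Info: MID 839 antivirus negative
Mon Apr 10 12:12:01 2017 Info: MID 839 queued for delivery
"""

VERDICT_RE = re.compile(r"MID (\d+) interim AV verdict using (\w+) (\w+)")
POSITIVE_RE = re.compile(r"MID (\d+) antivirus positive '([^']+)'")
ABORT_RE = re.compile(r"Message aborted MID (\d+) (.+)$")
QUEUED_RE = re.compile(r"MID (\d+) queued for delivery")


def summarize_av(log_text):
    """Return {MID: {verdicts, threat, action, detected_by, single_engine_coverage}}."""
    msgs = defaultdict(lambda: {"verdicts": {}, "threat": None, "action": None})
    for line in log_text.splitlines():
        if m := VERDICT_RE.search(line):
            msgs[m[1]]["verdicts"][m[2]] = m[3]      # engine -> interim verdict
        elif m := POSITIVE_RE.search(line):
            msgs[m[1]]["threat"] = m[2]               # detection name that fired
        elif m := ABORT_RE.search(line):
            msgs[m[1]]["action"] = m[2]               # e.g. "Dropped by antivirus"
        elif m := QUEUED_RE.search(line):
            msgs[m[1]]["action"] = "queued for delivery"
    for info in msgs.values():
        verdicts = info["verdicts"]
        info["detected_by"] = sorted(e for e, v in verdicts.items() if v == "VIRAL")
        # MID 838 pattern: one engine could not inspect the (password-encrypted)
        # attachment, so the drop depended entirely on the other engine's signatures.
        info["single_engine_coverage"] = (
            "ENCRYPTED" in verdicts.values() and bool(info["detected_by"])
        )
    return dict(msgs)
```

Note that MID 837 carries only a McAfee verdict: the message was dropped before Sophos ran, so an absent engine in `verdicts` is expected there, not a logging gap.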
04-10-2017 05:09 AM
Hi Jamshed,
You can certainly enable both Sophos and McAfee scanning, but it would increase the load on the appliance.
However, the amount of load would depend on factors such as mail flow, attachment sizes, etc.
You could request your accounts team to share trial licenses for the features and test it out in your environment before you purchase the licenses.
Thank You!
Libin Varghese
04-13-2017 03:05 AM
Thank you Libin
04-11-2017 12:44 AM
Thank you so much.
But in the demo version I can see that only Sophos antivirus is enabled. Is there any separate procedure to find both antivirus engines (Sophos + McAfee) available on the ESAV C300v VM appliance? If I purchase a license, will I find both features?
regards..
Jamshed
04-11-2017 05:04 AM
The device may have come with demo licenses for Sophos alone; you can request demo licenses for McAfee as well from your accounts team.
Even when purchasing licenses, you would need to mention which features are required based on your requirements.
- Libin V