Hi Ken: Yes, the behavior you are describing is how OutBreak Manager is designed. If your specified threshold is exceeded, then GroupShield will temporarily apply your desired rule(s) until the threat seems to be contained. Then, after executing your desired rules (notifying, downloading a latest DAT, etc.), and the number of messages has dropped off, then OBM will release the rule so that future mails can be delivered properly. This is because if you want to allow DOC attachments, but there was an outbreak, you would only want to temporarily block that file type until protection was updated. If it is a specific file name that is causing the problem (such as BADFILE.DOC), then the administrator can add that to the list of files to block.
If you would like to discuss this further, then please contact me.

Regards.
Robert Grupe, PE
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 07 December, 2001 16:35
To: Exchange Discussions
Subject: RE: Exchange / McAfee / ePolicy Orchestrator Question

Robert,

I have found Outbreak Manager to be flaky at best. Maybe I am not configuring it correctly. I have it set to trigger on 30 identical attachments detected within 5 minutes. It is to react automatically by blocking email with specific attachment name and then escalate to update DAT. The problem that I have is that it seems to start blocking the attachments for a while. Then it will "unwind" the rule and release them and start letting them through again. I want it to stop them all and let me decide to start letting them in again. There seems to be no rhyme or reason to the way that it works.

Ken Powell
Systems Administrator
Clark County Office of Budget and Information Services (OBIS)
Vancouver, Washington
[EMAIL PROTECTED]
Voice: (360) 397-6121 x4658
Fax: (360) 759-6001

-----Original Message-----
From: Grupe, Robert [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 07, 2001 3:59 AM
To: Powell, Ken
Subject: RE: Exchange / McAfee / ePolicy Orchestrator Question

See responses below...

Robert Grupe, PE
[EMAIL PROTECTED]

-----Original Message-----
From: Fred W. Macondray Jr. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 05 December, 2001 18:45
To: Exchange Discussions
Subject: Exchange / McAfee / ePolicy Orchestrator Question

Hi All,

Sorry this is slightly off topic, but NAI is obviously swamped by Goner and I just hung up after 30 minutes on hold as I have much to do around here.

Questions:

1) How can I distribute the Extra.DAT files from McAfee that cover the Goner virus to NetShield and GroupShield with ePO?
Currently the released versions of GroupShield for Exchange only have reporting capabilities with ePO, but configuration & policy support will be included in the next releases.

2) Is it necessary to distribute the EXTRA.DAT file with or do the DAT files with the same date contain the signature of Goner too?

As answered on the list, the 4174 DATs contained the signature and can be rolled out via Superdat (this will update all McAfee products running on the machine) or through the AutoUpdate within the products.

3) Outbreak manager... what's the typical configuration? What do you use (assuming you use GroupShield).

There is no typical configuration since the creation of rules depends on the throughput of the server, number of users etc. For example a rule would be x number of identical attachments in y time - x needs to be large enough that an innocent file sent to a number of users does not trigger but Goner would with y being short enough to be effective.

Thanks in Advance,
Fred

Fred Macondray
Systems Administrator
Virtual Purchase Card, Inc.
mailto:[EMAIL PROTECTED]
http://www.virtualpurchasecard.com - "Guaranteed B2B Purchases"

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
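An added illustration, not part of the original thread and not GroupShield's implementation: a sliding-window "x identical attachments in y time" rule using Ken's 30-in-5-minutes setting, replayed with automatic release (the "unwind" he observed) and with hold-until-manual-release (what he asked for). The class and function names, the digest strings, the `auto_release` flag and the release condition (count falling back under the threshold) are assumptions made for the example.

```python
from collections import Counter, deque

class OutbreakRule:
    """Illustrative threshold rule: block a digest seen >= threshold times in window_s."""

    def __init__(self, threshold=30, window_s=300, auto_release=True):
        self.threshold = threshold
        self.window_s = window_s
        self.auto_release = auto_release  # assumption: unwind when the rate drops
        self.seen = {}                    # attachment digest -> deque of arrival times
        self.blocked = set()              # digests currently blocked

    def observe(self, ts, digest):
        """Record one attachment at time ts (seconds); return 'deliver' or 'block'."""
        times = self.seen.setdefault(digest, deque())
        times.append(ts)
        while ts - times[0] > self.window_s:   # drop arrivals older than the window
            times.popleft()
        if len(times) >= self.threshold:
            self.blocked.add(digest)           # threshold exceeded: apply the rule
        elif digest in self.blocked and self.auto_release:
            self.blocked.discard(digest)       # volume dropped off: rule unwinds
        return "block" if digest in self.blocked else "deliver"

    def release(self, digest):
        """Administrator decides to let the attachment through again."""
        self.blocked.discard(digest)

def replay(rule, events):
    """Count decisions for a list of (timestamp, digest) events."""
    return Counter(rule.observe(ts, d) for ts, d in sorted(events))

# Constructed traffic: a 40-copy burst at one per second, then a trickle of
# 10 more copies one minute apart; plus an innocent memo sent to 20 users.
WORM = [(t, "worm") for t in range(40)] + [(600 + 60 * i, "worm") for i in range(10)]
MEMO = [(t, "memo") for t in range(20)]

if __name__ == "__main__":
    for auto in (True, False):
        rule = OutbreakRule(auto_release=auto)
        print("auto_release =", auto, dict(replay(rule, WORM + MEMO)))
```

With automatic release the 10 trickle copies are delivered once the burst has aged out of the window; with `auto_release=False` they stay blocked until `release()` is called. The 20-recipient memo never reaches the threshold in either mode.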