These tech notes have been prepared to assist you with some common issues concerning use of GWAVA. For more information, see our Product Documentation.
Technote 1 - Message Flow
Technote 2 - Scan Order
Technote 3 - GWAVA Uninstall
Technote 4 - Configuring Notify Options
Technote 5 - How GWAVA Reinitializes on the fly
Technote 6 - Fields in ARCHIVE.CSV
Technote 7 - Switching to Bindery Mode
Technote 8 - NGW VSCAN CONTROLLER Error
Technote 9 - AV NLM Troubleshooting
Technote 10 - How to solve the GroupWise 7.0.2 vulnerability as fast and completely as possible
If your issue is not covered in these tech notes, please contact Tech Support.
Technote 1 - Message Flow
The message file starts life in \MSLOCAL\GWINPROG\queuenumber.
Further clarification:
1a. In UNC, the MTA of the domain got it there either by picking it up from one of its child POs (<postofficedirectory>\WPCSIN\queuenumber) or because another domain placed it in <domaindirectory>\WPCSIN\queuenumber.
1b. In IP, it would have "magically" gotten there, from a directory flow point of view.
2. The GWMTA maintaining the domain will place the message into <domain>\MSLOCAL\GWVSCAN\queuenumber via a simple file copy.
3. GWMTA tells the GWMTAVS about this.
4. GWMTAVS calls VS.NLM (aka GWAVA). GWAVA requests some info, which is decrypted as it is requested.
5. When attachments or body text are requested, a path name is passed, and that path is always somewhere under gwvscan\vsxx.
6. There is a fork here depending on GWAVA's tests:
a. Accepted. GWAVA likes it and tells the MTAVS.
b. Rejected. It violates one of GWAVA's rules, and GWAVA tells the MTAVS.
7. In either case, GWMTAVS was responsible for the initial creation of ALL files under GWVSCAN and is responsible for their final deletion. At this point it wipes them out.
8a. GWMTAVS passes an OK to the MTA. The MTA copies the message either to <postofficedirectory>\WPCSOUT\OFS\queuenumber (if the PO is a child of this domain) or to <nextdomaininpath>\WPCSIN\queuenumber (if it needs to go to another domain).
8b. GWMTAVS says no way. The MTA should whack the file and create a status message to that effect. The status message will flow either to <postoffice>\WPCSOUT\OFS\queuenumber (if the PO is a child of this domain) or to <nextdomainpath>\WPCSIN\queuenumber (if it needs to flow to another directory).
Outgoing to GWIA:
The flow is the same until step 8, and remains the same even there until we get to/from the parent domain of the GWIA.
8a. GWIAParentMTA sticks it in <gwiaparentdomain>\wpgate\gwia\domain\WPGATE\gwia\WPCSOUT\<id>\0-7, where ID is a randomly determined name. The rest of the flow is beyond the scope of discussion here.
Incoming from GWIA:
The beginning of the flow is beyond our scope. Safe to say, the GWIA sticks stuff into <gwiaparentdomain>\wpgate\gwia\wpcsin\<queuenumber>. The GWIAParentMTA picks it up.
Note:
queuenumber = 0 to 7 and has the usual meaning as with GW:
0 Live interactive requests
1 Other interactive requests
2 High priority messages
3 High priority status responses
4 Normal priority messages
5 Normal priority status responses
6 Low priority messages
7 Low priority status responses
Technote 2 - Scan Order
The GWAVA 3.x scan order is completely customizable, so GWAVA can run any test in any order you want. To change it, open the "Advanced -> Scan Task Order" menu, highlight a particular test and click the up and down arrows to adjust the scan order. By default, GWAVA 3.x runs all tests for statistical purposes: even if a message fails the first test, all of the other tests are still performed. A message might therefore be blocked for multiple reasons (e.g. blocked because it was a virus and because it was a PIF file). GWAVA 3.x also allows you to stop processing when a given filter fires on a message: double-click the filter name in the "Advanced -> Scan Task Order" dialog to generate a STOP sign. GWAVA will then stop scanning a message as soon as any filter with a stop sign fires on it.
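The 3.x behaviour described above, as a toy model (an added example, not GWAVA code; the filter names, message fields and the `run_scan` function are hypothetical): filters run in the configured order, and a filter marked with a STOP sign ends scanning only when it fires.

```python
# Added illustration: toy model of an ordered scan pipeline with STOP flags.
# Filter names and message fields are hypothetical, not GWAVA's own.
from dataclasses import dataclass
from typing import Callable

@dataclass
class ScanTask:
    name: str
    fires: Callable[[dict], bool]   # True when the filter matches the message
    stop: bool = False              # the "STOP sign" set on this filter

def run_scan(tasks, message):
    """Run tasks in order; return (fired, skipped) lists of filter names."""
    fired, skipped = [], []
    halted = False
    for task in tasks:
        if halted:
            skipped.append(task.name)   # never evaluated, so never counted
            continue
        if task.fires(message):
            fired.append(task.name)
            halted = task.stop          # STOP only matters when the filter fires
    return fired, skipped

# Constructed sample message: an infected attachment that is also a PIF file.
MESSAGE = {"attachment": "invoice.pif", "infected": True, "size_kb": 40}

def build_tasks(stop_on=()):
    checks = [
        ("attachment_type_block", lambda m: m["attachment"].lower().endswith(".pif")),
        ("oversize", lambda m: m["size_kb"] > 10_000),
        ("virus_scan", lambda m: m["infected"]),
    ]
    return [ScanTask(name, fn, stop=name in stop_on) for name, fn in checks]

if __name__ == "__main__":
    print(run_scan(build_tasks(), MESSAGE))
    print(run_scan(build_tasks(stop_on={"attachment_type_block"}), MESSAGE))
```

With the STOP sign on the attachment type filter, the virus scan never runs for this message, so the block is recorded for one reason instead of two.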
The GWAVA 1.x and 2.x scan order is hard coded and designed to minimize CPU utilization:
- Scan by address bypass
- Source address block
- Recipient address block
- Content filter subject
- Message body scan
- Antispam
Then the attachment scans follow:
- Oversize
- Attachment type block
- Content filter
- Virus scan
The tests are ordered from least CPU intensive to most CPU intensive.
Technote 3 - GWAVA Uninstall
Uninstalling GWAVA is easy. Here is the procedure:
- Unload the MTA
- Edit the MTA Startup file and remove the last six or seven lines in the file (all beginning with " /VS ")
- Reload the MTA
- At the server console prompt, manually unload GWAVAPOA.NLM, ANTISPAM.NLM, VSMTPAGT.NLM, SQUASH.NLM, NZIP.NLM
- Delete <DOMAIN>\GWAVA
- Delete SYS:SYSTEM\GMTACFG.*
- Delete SYS:SYSTEM\VS.NLM
- Delete SYS:SYSTEM\VSMTPAGT.NLM
- Delete SYS:SYSTEM\SQUASH.NLM and SYS:SYSTEM\NZIP.NLM and SYS:SYSTEM\ANTISPAM.NLM and GWAVAPOA.NLM
- Delete SYS:SYSTEM\GWMTAVS.*
- From the Control Panel of your Windows workstation, uninstall GWAVA
- Delete C:\PROGRAM FILES\BEGINFINITE
Technote 4 - Configuring Notify Options
- Unload the MTA
- UNLOAD VSMTPAGT.NLM
- Delete all files in \GWAVA\SMTPQ
- GWAVA 2.x includes a feature that allows you to log in to GWIA prior to relaying. This secure authentication eliminates the need for relay exceptions.
- In the "Notify Options" of the GWAVA Manager, select the "Advanced" button. Enter the IP address of GWIA in the top field, and then set the SMTP Authentication to LOGIN. Enter any valid GroupWise user name and password.
- That's it. Get rid of your relay exceptions. GWAVA will now use that user name and password to authenticate to GWIA.
- Reload the MTA.
Technote 5 - How GWAVA Reinitializes on the Fly
The GWAVA Configuration Manager creates ~RESET.TMP in <domain>\gwava. VS.NLM checks for the existence of this file every 60 seconds.
Technote 6 - Fields in ARCHIVE.CSV
These are the fields in <DOMAIN>\GWAVA\ARCHIVE\ARCHIVE.CSV:
- Archive time
- Archived file name
- Message originator
- Subject
- # of attachments
- Total message size
Technote 7 - Switching to Bindery Mode
In the MISCELLANEOUS section of the GWAVA Configuration Manager, change the user name from the distinguished NDS name (like .admin.company) to just ADMIN (or whatever user name you are using), and remove anything in the "MTA Server & Context" field so that it is blank.
Make sure that the container(s) that house your user and NetWare server object are set as Bindery Context(s) on your GWAVA server. For example:
.O=COMPANY
.OU=SERVERS.O=COMPANY
Unload and re-load the MTA.
Technote 8 - NGW VSCAN CONTROLLER Error
When the MTA unloads, the <domain>\MSLOCAL\GWVSCAN\VS00 - VSxx directories are deleted by GWMTAVS.NLM. As a result, all the deleted files in these directories are shifted to \DELETED.SAV. In certain cases, the volume of deleted files can slow the unloading of the MTA and generate the following message on the MTA screen: "Waiting for task NWG-VSCAN CONTROLLER to Complete". The system may also become unresponsive during this I/O intensive process.
It is not feasible to set the <domain>\MSLOCAL\GWVSCAN\VS00 - VSxx directories to "Purge Immediate" because GWMTAVS.NLM deletes them on every unload. Global purging can be set in order to eliminate this message. This may or may not be necessary depending on your environment.
Procedure:
- At the Server console prompt, type the following command: SET IMMEDIATE PURGE OF DELETED FILES = ON
- Confirm through the "SET" menus that immediate purge is enabled
- Map a drive to the root of the Volume that houses your GroupWise Domain directory
- Right-click on the mapped drive letter
- Click on "Purge Files"
- Click on the "Purge Subdirectories" button
- Wait until all purgeable files are purged
The MTA should now unload normally.
Technote 9 - AV NLM Troubleshooting
Please follow the instructions on Configuring your AV NLM in the GWAVA Manual. It is important that your AV NLM be set up properly, especially the directory exclusions. Note: This technote does not apply to CA eTrust InoculateIT.
TEST EXCLUSIONS:
1. Download the EICAR.COM test virus from www.eicar.org.
2. Copy EICAR.COM to <DOMAIN>\GWAVA\VWORK. If the file is not detected and deleted (or if it is detected but not completely deleted) from VWORK, check your AV settings and directory exclusions.
3. Copy EICAR.COM to <DOMAIN>\MSLOCAL\GWVSCAN. If the file is detected, check your directory exclusions.
If your AV NLM detects and deletes the virus in step 2, and ignores the virus in step 3, then the problem may be related to GWAVA or rights. Send the following file for analysis to support@gwava.com:
<DOMAIN>\GWAVA\CONFIG\GMTACFG.INI
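The exclusion tests above can be scripted from a workstation that has the domain volume mapped. This is an added example, not part of GWAVA or its documentation; the function names, the 30-second wait and the command-line arguments are assumptions, and EICAR.COM is read from wherever you downloaded it.

```python
# Added example: automates the two copy tests; names and timings are assumed.
import sys
import time
from pathlib import Path

def state_of(path: Path, payload: bytes) -> str:
    """Classify the test file as 'removed', 'partial' or 'intact'."""
    try:
        data = path.read_bytes()
    except FileNotFoundError:
        return "removed"
    except OSError:            # still present but locked or access denied
        return "partial"
    return "intact" if data == payload else "partial"

def probe(payload: bytes, target_dir, wait_s=30.0, poll_s=1.0) -> str:
    """Write EICAR.COM into target_dir and watch what the AV scanner does."""
    target = Path(target_dir)
    if not target.is_dir():
        raise NotADirectoryError(target)
    dest = target / "EICAR.COM"
    try:
        dest.write_bytes(payload)
    except OSError:
        pass                   # scanner refused the write; state_of decides
    deadline = time.monotonic() + wait_s
    state = state_of(dest, payload)
    while state != "removed" and time.monotonic() < deadline:
        time.sleep(poll_s)
        state = state_of(dest, payload)
    try:
        dest.unlink(missing_ok=True)   # do not leave the test file behind
    except OSError:
        pass
    return state

def interpret(vwork: str, gwvscan: str) -> str:
    if vwork != "removed":
        return "VWORK: not detected or not completely deleted; check AV settings and exclusions"
    if gwvscan != "intact":
        return "GWVSCAN: test file was detected; check directory exclusions"
    return "AV side OK; problem may be related to GWAVA or rights"

if __name__ == "__main__":
    # usage: script.py <path to downloaded EICAR.COM> <DOMAIN directory>
    eicar, domain = Path(sys.argv[1]).read_bytes(), Path(sys.argv[2])
    vwork = probe(eicar, domain / "GWAVA" / "VWORK")
    gwvscan = probe(eicar, domain / "MSLOCAL" / "GWVSCAN")
    print(vwork, gwvscan, interpret(vwork, gwvscan), sep="\n")
```

Keep the downloaded EICAR.COM in a folder your workstation scanner excludes, otherwise it will be removed before the script can read it.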
Technote 10 - How to solve the GroupWise 7.0.2 vulnerability as fast and completely as possible
By Uli Neumann
Introduction:
Novell has reported a vulnerability in GroupWise 7.0.2 and 6.5 SP6 which affects all Clients and Agents for GroupWise.
Novell recommends updating all Agents and Clients as soon as possible to close this security hole.
The problem that many IT administrators face is that they have to deal with remote locations, laptops running GroupWise, multiple GroupWise systems, various platforms (Windows, Linux, Macintosh) and different clients (Windows Client, WebAccess, Outlook Connector, Linux and Macintosh Clients).
Novell recommends updating all Agents before updating any Clients, and locking out all clients dated older than May 22, 2007.
This is easy to do in a small installation, but if you have hundreds or thousands of users, it is very difficult to find all old clients.
You can find more details about this security vulnerability here:
Solution:
Redline can help you analyze your GroupWise Agent versions as well as all Client versions with this new Redline Business Report.
Before you can run this report, you need to install it on your Control Center server:
- Copy rlrep_vul702.nlm (NetWare) or rlrep_vul702.so (Linux) to the folder /opt/beginfinite/redline/bin.
- Copy Vulnerability702VersionCheck.xml to the folder /opt/beginfinite/redline/conf/reports.
- Unload the Control Center.
- Load the Control Center.
You need to unload the Control Center for this report because it uses a binary file to analyze the agent versions.
Now you can select this new Business Report in the Control Center:
The first part of the report shows all GroupWise Domain Agents, Post Office Agents, WebAccess Agents and Internet Agents which are not updated to 7.0.2 HP dated May 22nd, 2007 or newer.
The second part lists all users and IP addresses from where someone logged into the system with a client that is not Version 7.0.2 HP or newer.
Based on this report you can update your remaining agents and clients.
As soon as all Agents and Clients are updated to the newer version, you should lock out older clients in ConsoleOne. This needs to be done for every Post Office in ConsoleOne.