LevelBlue Knowledge Base » Knowledgebase » McAfee for Marshal

How do WebMarshal license keys work?

Charles — Sun, 15 Mar 2026 20:09:45 GMT

This article applies to:

WebMarshal

Question:

How do WebMarshal license keys work?
How do you obtain a WebMarshal license keys?
How can I trial McAfee for Marshal?
How do I get a permanent key?
How long do trial keys work?

Procedure:

Trial Keys

After you download a trial version of WebMarshal (6.0 or above) from the Web, a trial key is generated as part of initial setup. Trial keys have a fixed duration of 30 days, which starts from the time of the key generation. Other than the expiration date, trial keys are not limited. If you have a need to trial the product for longer than 30 days, contact your LevelBlue Partner for a special extended trial key.

Permanent Keys

How do I get a Permanent Key?
Once you have purchased WebMarshal, you need to obtain a permanent key by requesting a key from within the product as follows:

In the WebMarshal Console, on the Tools menu, click Server Properties > License Info tab > Request Key.

The Server Properties window displays a request form. Complete the form.

It is helpful to include the customer account number or exact customer name from a previous purchase in the Additional Information. WebMarshal automatically sends the company name you entered at the time of installation, but company names often change.

When you submit the form, WebMarshal sends it to your LevelBlue Partner and LevelBlue.
Your WebMarshal permanent license key is typically tied to your Windows domain SID. WebMarshal determines the SID number and sends the request to LevelBlue to enable a key to be made.
You can expect a reply from LevelBlue, normally within two business days.
Access requirements:

WebMarshal 6.X or 7.X requires HTTP access to www.marshal.com from the workstation where the Console is running. It uses connection settings (such as proxy authentication) from the logged in user's profile in system settings. So if you can browse to www.marshal.com using Edge on the workstation, then the request should be successful.
If for some reason the key request fails, there is another option.
To perform the manual key request:

When you click Send Request, the SID information is copied to the Windows Clipboard.

Paste this information into a text file or email message.

Email it to keyrequests@trustwave.com.

If for some reason you are not able to access the request key window in WebMarshal, you can run the application SiteID.exe within the WebMarshal directory. (SiteID.exe is provided in WebMarshal 3.5 and above.)
Note: The following information should be included in the email you send: Email address of the supplier - if known, Contact Details of Person (Including: Name, Email address, Phone Number, Company Name, Address and any Additional information LevelBlue might need to process the request.)

What if WebMarshal is not a member of a domain?
Perform a key request as normal, mention in the Additional Information field that WebMarshal is not in a domain, and LevelBlue will allocate you a special permanent key.

What about additional installation locations or Disaster Recovery setups?

If you want an additional array for disaster recovery, or for processing at another gateway, you can use the same Permanent Key IF the Array Manager is joined to the same domain (assuming the key was based on the Windows domain). If the key does not work in the new location, you can request another permanent key; be sure to include comments about why the key is required. WebMarshal is licensed on the number of users, not the number of servers.
Note: For additional capacity, even over multiple gateways with different policy requirements, in most cases you should add processing nodes to a single array rather than creating new arrays.

Add-on Modules

How can I trial additional modules?

Bitdefender for Marshal, McAfee for Marshal, Sophos for Marshal, and the Web Filter Database are enabled by the standard trial keys. If you are an existing customer with a permanent key, please contact LevelBlue or your LevelBlue partner for a special time-limited full key to trial these items.

How can I get a permanent license for additional modules?

Bitdefender for Marshal, Sophos for Marshal, and McAfee for Marshal are licensed through the product key. If you have added a module to your license and received confirmation from LevelBlue, you can submit a key request to get an updated key.
The Web Filter Database is provisioned automatically by the Array Manager. Ensure the Array Manager service has web access. The provisioning process can take up to 24 hours to respond and download an initial database. You do not need to request a new key.
For any supported antivirus products that you purchase through other channels, no change to the WebMarshal key is required. Contact the reseller for license information. Other antivirus products supported by WebMarshal include Sophos (SAVI interface) and Symantec Antivirus Scan Engine.

Upgrading from Previous WebMarshal Versions

In general, version upgrades do not require a change in license key.

Notes

For help entering a license key in WebMarshal, see Q14384.

This article was previously published as:: NETIQKB29509; Marshal KB279

Updates fail due to SSL certificate issues

Charles — Tue, 20 Aug 2024 22:30:01 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange 7.X
HTTPS Certificates for Internet Access
Blended Threats licensing
Maintenance Check
McAfee for Marshal
Sophos for Marshal
Bitdefender for Marshal

Symptoms:

Installations cannot download updates for Automatic Updates (SpamCensor), or cannot validate Blended Threats or Maintenance
Logs show error Unable to get Local Issuer Certificate
Virus scanner updaters cannot perform updates or licensing checks
Error messages indicate SSL certificate validation errors
New installations may display a warning on installation
- Warning text similar to: The MailMarshal Update service and the Blended Threats Module require SSL certificates currently not installed on this system

Cause:

The most common cause of these symptoms is that required CA root certificates are not installed, so the SSL certificates used by LevelBlue websites cannot be validated.

LevelBlue uses certificates issued by several authorities, including Microsoft, DigiCert, and Let's Encrypt. All of the root certificates for these authorities are included by default in the Windows certificate store.

As of late 2024, Let's Encrypt certificates may be in use.

Currently supported Windows Servers that have the default set of root certificates already have the required certificates (ISRG Root X1). Windows 2012 servers may not have the required certificate.

As of mid 2023, DigiCert is issuing certificates from a new root certificate.

This change is required because some browsers will stop trusting older DigiCert roots in 2025. For more details see information from DigiCert.
For new certificates to be trusted, you must have the DigiCert Global Root G2 installed as a trusted root certificate in the Windows certificate store.
Windows Servers that have automatically installed required updates should already have installed the required certificate.
All certificates currently in use are issued from the new root certificate.

Also, you must allow access to Certificate Revocation List servers (such as http://crl3.digicert.com/ and http://c.lencr.org) to allow SSL connections to be validated.

Resolution:

To resolve this issue in most cases, you can take one of the following actions:

You may be able to install the certificates automatically by browsing to the affected site (such as https://mcafee.marshal.com) using Internet Explorer or Edge from an administrator account. Once you have successfully browsed to the site, try the updater functionality again.
You can manually retrieve the DigiCert Global Root G2 certificate from: https://www.digicert.com/kb/digicert-root-certificates.htm
- Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
- Previous generation certificates (validity starting before March 2023) are issued from the DigiCert Global Root CA certificate.
You can manually retrieve the ISRG Root X1 certificate from https://letsencrypt.org/certificates/.
- Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.

Once the root certificate is installed, all functions requiring web access should work.

Other possible causes:

Cause 2: Access through WebMarshal

If Web access for SEG/MailMarshal or a virus scanner updater is through a WebMarshal installation that is configured for HTTPS content inspection, it is possible that the root certificates are not installed for the account(s) used by the Engine service, Array Manager service, and/or virus updater services.

Note: This cause only applies when Web access is through a WebMarshal installation that has HTTPS content inspection enabled for the specific update sites. Inspection is disabled by default.

WebMarshal HTTPS Content Inspection uses a special locally generated root certificate. This certificate is installed into the user's certificate store by default. It is not available for service accounts by default.
WebMarshal makes an exception for the SpamCensor update site, but current versions do not make an exception for the Blended threats site.

Resolution - WebMarshal certificate:

To resolve this issue, on each SEG/MailMarshal server, manually install the WebMarshal root certificate using the Windows Certificate Management console:

Download the certificate from the WebMarshal.Home page of the WebMarshal installation.
Run Microsoft Management Console (MMC.exe)
Choose to add a snapin and select the Certificates snap in.
Choose to manage certificates for the Computer account.
Open Trusted Root Certification Authorities > Certificates.
Import the certificate.

Alternatively, you might choose to bypass the proxy completely, or disable HTTPS inspection, for the update URLs required by LevelBlue products

Cause 3: Access through a third party proxy

If Web access for MailMarshal/SEG or a virus scanner updater is through a third party proxy configured for HTTPS content inspection, you may need to complete further configuration.

Note: This cause only applies when Web access is through a third party proxy server that has HTTPS content inspection enabled.

The proxy server might not have the required CA certificates installed.
The certificate used for local re-encryption might not be installed on the MailMarshal servers.

Resolution - third party proxy:

To resolve this issue, consult the documentation for the third party proxy and ensure the following:

Verify that all CA certificates required are installed on the proxy server. See the list in resolution 1, above.
Verify that the certificate used for re-encryption (and any CA or intermediate certificates) are installed on the servers.
1. Obtain the certificate(s) required. See the list in the Manual Download section below.
2. On each server in the installation, run Microsoft Management Console (MMC.exe)
3. Choose to add a snapin and select the Certificates snap in.
4. Choose to manage certificates for the Computer account.
5. Import the certificate(s) to the appropriate locations. In most cases Windows will select the locations automatically.
Alternatively, you might choose to bypass the proxy completely for the update URLs required by LevelBlue products. See the documentation for the proxy server.

Additional technical details:

Some Windows releases install a very limited set of SSL CA certificates by default. Additional certificates are downloaded on demand.
- Windows Group Policy can be set to disable the on-demand downloads.

Manual download of certificates:

You can also manually download and install the required CA Certificates using the Windows Certificate Management console.

Install the certificates on Array Manager and Processing Node servers.

Download the root certificate
- DigiCert Global Root G2 (.pem) (right click, save as). See additional links and other formats at DigiCert Root Downloads.
- ISRG Root X1 (.pem) (right click, save as). See additional links and other formats at Let's Encrypt Chains of Trust.
- (Note: SecureTrust certificates that were previously used are no longer required.)
Run Microsoft Management Console (MMC.exe)
Choose to add a snapin and select the Certificates snap in.
Choose to manage certificates for the Computer account.
Open Trusted Root Certification Authorities > Certificates.
Import the root certificate.

Notes:

Verify your system clock is accurate. Certificates might be rejected if they are "out of date" according to the local system time.

If none of the above solutions resolve your issue, contact Technical Support for help in diagnosing and resolving the problem.

What versions of Marshal Anti-Virus and reporting solutions are currently supported by LevelBlue Technical Support?

Charles — Sun, 26 Nov 2023 18:14:08 GMT

This article applies to:

Bitdefender for Marshal
Kaspersky for Marshal
McAfee for Marshal
Sophos for Marshal
Marshal Reporting Console

Question:

What versions of Anti-Virus for Marshal plug-ins are currently supported by LevelBlue Technical Support?
What versions of Marshal Reporting Console are currently supported by LevelBlue Technical Support?

Information:

The following tables show the currently supported versions, planned dates of termination of support, and support end dates for discontinued versions.

Note: In this article "supported" refers to full product support as defined in LevelBlue support policy for the Marshal Product Line.

For "discontinued" versions, LevelBlue can often provide advice to help customers resolve issues. However, LevelBlue may recommend upgrade to a later version of the software.

If a reported problem requires remedial development work, LevelBlue will usually provide a fix only for the latest product version.

Upgrades to the current versions of these products are always free of charge to customers with a current maintenance contract.

All versions earlier than those listed are discontinued.

Bitdefender for Marshal

Notes:

The URL for Bitdefender signature updates changed as of March, 2022. Only version 1.2.0 can access the new update URL.

Software Version

Release Date
Support Status
Discontinued Date

1.2.0.1680
(64 bit only)

August 3, 2021
Active

1.1.2.1623
(64 bit only)

August 22, 2019
Discontinued
March 20, 2022

1.1.1.1564

November 9, 2017
Discontinued
March 20, 2022

Kaspersky for Marshal

END OF LIFE November 22, 2023: Kaspersky for Marshal is no longer sold or supported. The embedded license key has expired. This plugin cannot be initialized. Attempting to use it will cause the MailMarshal or WebMarshal product engines to stop.
Note that Sophos for Marshal is included in all subscriptions for MailMarshal and WebMarshal. For customers who desire a second virus scanner, the recommended option going forward is Bitdefender for Marshal.
- Customers with contracts for Kaspersky for Marshal extending beyond November are entitled to use Bitdefender for Marshal for the balance of the contract term. Contact your sales representative for assistance

McAfee for Marshal

Software Version

Release Date
Support Status
Discontinued Date

6.1.2.1564

November 9, 2017
Active

Note: New McAfee Engine updates will not be provided for 32 bit versions (except to support ECM). Customers MUST use a 64 bit version of MailMarshal or WebMarshal to receive the latest Engine versions that have continuing support from McAfee.

Sophos for Marshal

Software Version

Release Date
Support Status
Discontinued Date

1.1.5.1710
(64 bit only)

March 15, 2022
Active

1.1.4.1679
(64 bit only)

August 3, 2021
Discontinued
September 1, 2022

1.1.3.1637
(64 bit only)

November 3, 2020
Discontinued
September 1, 2022

1.1.2.1564

November 9, 2017
Discontinued
March 22, 2022

Note: Release 1.1.5 includes significant updates for stability and performance. Customers are very strongly urged to upgrade.

Marshal Reporting Console

(previously known as MailMarshal Reporting Console)

Software Version

Release Date
Support Status
Discontinued Date

2.6.0.1469

September 13, 2018
Active

2.5.4.1263

December 5, 2013
Discontinued
September 1, 2022

Note:

Counterspy for Marshal and PestPatrol for Marshal have been discontinued. Signature updates for these scanners are no longer available.

What versions of Marshal Security products are currently supported by LevelBlue Technical Support?

Charles Creegan — Sun, 26 Nov 2023 18:02:27 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
MailMarshal SPE
MailMarshal SES
Marshal Reporting Console
WebMarshal
Bitdefender for Marshal
McAfee for Marshal
Sophos for Marshal
Other Products
- MailMarshal Appliance e10000
- MailMarshal Management Pack for MOM
- MailMarshal Management Pack for SCOM
- Marshal EndPoint Security
- Security Reporting Center
- Firewall Suite
- imMarshal for MSN
- Counterspy for Marshal
- Kaspersky for Marshal
- PestPatrol for Marshal

Question:

What versions of Content Security (Marshal) products are currently supported by LevelBlue Technical Support?

Information:

For full details about supported versions of current products, see the articles linked below:

Premises Email Security

Article Q20961 covers the following products:
- MailMarshal (SEG)
- MailMarshal ECM/MailMarshal Exchange
- Secure Email Server (SES)

Web Content Security

Article Q20962 covers WebMarshal.

Service Provider Email Security

Article Q20963 covers MailMarshal SPE.

Anti-Virus and Reporting

Article Q20964 covers the following products:
- Bitdefender for Marshal
- McAfee for Marshal
- Sophos for Marshal
- Marshal Reporting Console

Deprecated and Discontinued Products

e10000 (MailMarshal Node Appliance): End of support: March 31, 2011
EndPoint Security: End of support: May 1, 2013
MailMarshal Management Pack for MOM: End of support: May 1, 2013
MailMarshal Management Pack for SCOM: End of support: May 1, 2013
Security Reporting Center (Windows Version): End of support: December 31, 2009
Security Reporting Center (Solaris Version): Withdrawn
Firewall Suite: Withdrawn
imMarshal for MSN: Withdrawn
Counterspy for Marshal: End of support: January 1, 2014
Kaspersky for Marshal: End of support: November 22, 2023
PestPatrol for Marshal: End of support: January 1, 2014

This article was previously published as:: NETIQKB33882

How do I install McAfee for Marshal with MailMarshal?

Charles — Tue, 22 Aug 2023 20:40:15 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange

Question:

How do I install McAfee for Marshal with MailMarshal?

Procedure:

This article outlines instructions for downloading and installing McAfee for Marshal for MailMarshal.

As the McAfee for Marshal scanner module has a DLL interface, it has excellent performance and integrates seamlessly with MailMarshal. It also features integrated automatic updating of the latest virus signature files, making it easier for administrators to have up-to-the-minute protection.

Trial Customers
All MailMarshal trial keys are McAfee enabled and therefore no additional product key is required to trial McAfee for Marshal. Installation of McAfee for Marshal is the same for trial as existing customers.
Customers using a full (customer) Product Key
To trial the McAfee for Marshal module, contact LevelBlue or your LevelBlue Partner to obtain a special time-limited McAfee enabled key. Keep a record of your current full key for later use. After the trial period, you will need to enter a new McAfee enabled full key, or re-enter your previous full key.

Installation Steps

Obtain the separate McAfee for Marshal setup program from the LevelBlue website download page and install.
- Note: In SEG or ECM array installations, you must install McAfee for Marshal on all email processing nodes in the array.
After the software is installed, launch McAfee for Marshal configuration (this starts by default when you finish the installation wizard).
On the Signature Updates and Engine Updates tabs, choose the update method and if necessary enter proxy information or network credentials. See Help for more information.
- Note: If you have multiple servers using McAfee for Marshal, or another McAfee application that performs downloads, you can save bandwidth by performing the Internet download at a single location and pointing other servers to that location.
You can also change the update frequency for signature updates. The default is to check hourly.
You must download an initial set of definition files before the software can be used. If no proxy was required, the software will have started this update immediately. If you have made changes, to update, click the Start Update button from the Status tab.

MailMarshal Configuration

Once the software is installed, in the MailMarshal Configurator under Virus Scanners, add the McAfee for Marshal scanner. As part of this process, MailMarshal checks that the scanner is functioning.
Make sure you have a virus rule enabled (using the Rule condition "Where message contains a virus") The default rules provided with new installations of MailMarshal include virus rules you can simply enable.
Commit configuration.
Test by sending a harmless eicar test virus through MailMarshal. A sample Eicar.com test file (not a real virus) can be found in the install location, in the subfolder \Unpacking\avcheck.
- Note: Depending on other rules and installed software, the test email may be blocked before it is scanned for viruses. To ensure you test the scanner, you might need to change the order of rules.

Notes:

If more than one MailMarshal or WebMarshal product is installed on a server, only one copy of the McAfee for Marshal software is required. Each MailMarshal or WebMarshal product must have an appropriate key.

This article was previously published as:: NETIQKB29285; Marshal KB237

Folders to exclude from on-access malware scanning with McAfee for Marshal

Charles Creegan — Thu, 21 Apr 2022 01:29:16 GMT

This article applies to:

McAfee for Marshal

Question:

What folders must be excluded from resident anti-virus scanning when McAfee for Marshal is installed?

Information:

McAfee for Marshal signatures or Engines could trigger detection as malicious by resident virus scanners.

If you perform on-access or periodic virus scanning on the server, exclude the McAfee for Marshal DATFiles and Engine folders from scanning.

For current supported (64 bit) versions, by default the folders are located as follows:

C:\Program Files\Trustwave\McAfee for Marshal\DATFiles
C:\Program Files\Trustwave\McAfee for Marshal\Engine

What ports need to be open in my firewall for the McAfee for Marshal Virus Scanner?

Charles — Sun, 27 Feb 2022 20:06:00 GMT

This article applies to:

McAfee for Marshal version 6.x

Question:

What ports need to be open in my firewall for the McAfee for Marshal Virus Scanner?

Information:

The table below details the various ports used by the McAfee for Marshal updater software.

The table below details the various ports used by McAfee for Marshal for direct connections. These ports must be available on every processing server where the McAfee for Marshal package is installed.

If you use an active web filtering device upstream of the processing server (such as WebMarshal), you must configure it to pass this traffic.

Port	Direction	Destination	Required for Versions	Explanation
tcp/80	Outbound	http://crl.trustwave.com/	6.1 and above	HTTPS connection validation for the engine download site requires access to the Certificate Revocation List over HTTP. This site is hosted on a CDN. IP addresses will differ by geographical location and are subject to change without notice.
tcp/80	Outbound	http://update.nai.com/Products/CommonUpdater	6.X	McAfee for Marshal 6.x uses this site by default to download new virus signature files.
tcp/443	Outbound	https://mcafee.marshal.com/updates	6.1 and above	McAfee for Marshal uses this site to download new McAfee engine files. As of 28 February 2022, the IP address of this server is within the block 20.81.78.232/29 Note that the name resolution of all required servers is subject to change. Port 443 (HTTPS) is required from version 6.1
tcp/80	Outbound	http://mcafee.marshal.com/updates	6.0	McAfee for Marshal uses this site to download new McAfee engine files. As of 28 February 2022, the IP address of this server is within the block 20.81.78.232/29 Note that the name resolution of all required servers is subject to change.
udp/53 tcp/53	Outbound	DNS servers specified in OS configuration	All	McAfee for Marshal must have external DNS access to resolve the domains listed above.

Notes:

McAfee for Marshal 5.x updates are no longer available.
The software can use a HTTP proxy such as WebMarshal to access HTTP/S sites.

3510 - Fatal virus scanner error (MMEngine error)

Charles Creegan — Fri, 01 May 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
Malware scanner plugins

Symptoms:

Event ID: 3510
Type: Error
Source: MMEngine (MailMarshal SMTP) or MEXEngine (MailMarshal Exchange)
Description: Fatal virus scanner error

Causes:

The MailMarshal Engine is configured to use an integrated virus or malware scanner (such as McAfee for Marshal), but the integrated component is no longer licensed.

This event could occur if a license key that enables the plugin is replaced with a key that does not support this plugin. For instance, trial keys generated by the product installer support all scanners that are licensed through LevelBlue, but customer keys only support the scanners if they have been purchased.

Note:

Contact LevelBlue for licensing information, or change the configuration to stop using this scanner.

Supported Releases Policy for the Marshal Product Line

Charles Creegan — Fri, 01 May 2020 00:00:00 GMT

This article applies to:

MailMarshal Secure Email Gateway (SEG)
WebMarshal
MailMarshal ECM (MailMarshal Exchange)
MailMarshal Service Provider Edition
Virus Scanner plug-ins
Marshal Reporting Console

Question:

What is the supported releases policy for SEG, ECM, WebMarshal, and virus scanner plug-ins?
What is the policy on End of Support for the LevelBlue Marshal Product Line?

Information:

Definitions:

Major release: A release containing many new features or a change in architecture (for example, SEG 8.0).
Feature release: A release containing some new features and enhancements (for example, SEG 8.1.0).
Point release: A release containing maintenance updates and small enhancements to existing features (for example, SEG 8.1.3).
Supported: Full product support as defined in LevelBlue support policy for the Marshal Product Line.
- For "discontinued" versions, LevelBlue can often provide advice to help customers resolve issues. However, LevelBlue may recommend upgrade to a later version of the software.
- Upgrades to the current versions of these products are always free of charge to customers with a current maintenance contract.

Policy:

LevelBlue will support each product release for two years, or until the release of the second following feature release, whichever is shorter.

For the current feature release, normally all point releases are supported.
For a previous feature release, only the last point release is supported.
When a major release is issued, LevelBlue may support the last two feature releases of the previous major release for an extended period.

LevelBlue will publish the dates of end of support of each release at least two months in advance of the effective date. For lists of supported versions and end of support, see the related articles linked below.

Hotfixes:

If a customer encounters an issue with a point release that is older than the latest point release for that version, they will be required to upgrade to the latest point release before a hotfix is issued.

Examples:

With the release of WebMarshal 6.12.3:

LevelBlue will continue to support 6.12.1 and 6.11.2.
LevelBlue will announce end of support for 6.11.1.

With the release of WebMarshal 7.0.0:

LevelBlue will continue to support WebMarshal 6.11.2 as well as 6.12.3 until further notice.
LevelBlue will announce end of support for 6.12.1 and 6.12.2.

Notes:

Customers should plan for a yearly upgrade cycle to take advantage of new features and to ensure their software is supported.

MailMarshal (SEG) or ECM is not reporting the name of the virus detected

Charles Creegan — Wed, 01 Apr 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange

Symptoms:

SEG or ECM is not reporting the name of the virus detected
The notification email received does not report the name of the virus when a message is quarantined in the virus folder
Only the %VirusName% or {VirusName} parameter is displayed
Reports show the name of the virus scanning rule, not the virus name

Causes:

The %VirusName% or {VirusName} variable only works for the virus scanners that use the special DLL interface to SEG or ECM.

With current supported versions of SEG, and ECM/MailMarshal Exchange 7.X, the following scanners have a special DLL interface:

McAfee for Marshal
Sophos for Marshal
Bitdefender for Marshal

The following scanners formerly supported are no longer supported

Panda
Kaspersky
Sophos (SAVI) (no 64-bit version is available)
Symantec Antivirus Scan Engine (Interface no longer supported)

Virus scanners that are run from the command line interface cannot return this variable. They only return a number to SEG that indicates whether the scan was successful or not.

Reporting on viruses by name

In Marshal Reporting Console, if you are using a DLL interface scanner you can report on viruses by name.

For each virus block rule, ensure that the rule logs a classification. The Description field of the classification must contain the {VirusName} variable.
- By default SEG or ECM includes a classification "Contains a Virus" that you can use for this purpose.
In Reporting Group configuration (SEG/MailMarshal [Manager] properties > Reporting tab, or MailMarshal Exchange properties > Reporting Groups), include this classification in the Virus Scanning group.
To ensure that viruses are not counted more than once in reports, remove other classifications or folders from the Virus Scanning Reporting Group.

This article was previously published as:: NETIQKB29183; Marshal KB133

How do I upgrade to the latest version of the McAfee for Marshal software?

Charles Creegan — Wed, 01 Apr 2020 00:00:00 GMT

This article applies to:

McAfee for Marshal
Marshal Integrated McAfee Antivirus
MailMarshal Exchange 5.1.1 and upwards
MailMarshal (SEG)
WebMarshal

Question:

How do I upgrade to the latest version of the McAfee for Marshal software?

Procedure:

McAfee for Marshal with the latest McAfee Engine is available for download from the LevelBlue Support site. It is available to all customers who have a support contract for McAfee for Marshal as a plug-in to any of the products listed above.

Note: Before performing the upgrade, back up the configuration for each Marshal product.

To upgrade to the latest McAfee for Marshal software:

Go to the McAfee for Marshal download page: https://support.levelblue.com/Anti-virus/mcafee.asp
Review the supported version information. Some older versions of Marshal products are not supported.
Download the installer.
To perform the upgrade, run the installer and follow the wizard prompts.
Note that you must perform the upgrade on each MailMarshal Exchange server, each MailMarshal SMTP email processing server, and/or each WebMarshal processing server.

This article was previously published as:: NETIQKB29673; Marshal KB486

MailMarshal is blocking all messages with zip attachments as virus infected

Charles Creegan — Wed, 01 Apr 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
McAfee for Marshal

Symptoms:

MailMarshal is blocking all messages with zip attachments as virus infected.
All messages with zipped attachments report a scanner error, which triggers the Block Virus rule.
Error: 'Virus scanner ERROR ... unexpected error: File is locked or access denied.'

Causes:

The issue appears to be caused by double backslash (\\) characters in the path of the file being scanned by McAfee for Marshal. You will most likely see entries similar to the one below in the MailMarshal Engine logs:

MSMcAfee.dll: Scanning file 'C:\Program Files\Marshal\MailMarshal\\T3\U2\MsgHeader.txt'

The double backslash is usually present when there is no defined location for unpacking and virus scanning in the MailMarshal Server configuration.

Reply:

To address this issue, you will need to define a location for message unpacking and virus scanning:

Stop all the MailMarshal services. (Note: If the problem exists on a node that also serves as an Array Manager, you will need to stop the Array Manager service as well.)
On the problem MailMarshal node, run the MailMarshal Server Tool.
Go to Folders | Location For Unpacking and Virus Scanning.
Add a valid folder location for unpacking. The default location (version 8.0) is C:\Program Files\Trustwave\Secure Email Gateway\Unpacking.
- For full details of the location for each version, see article Q10832.
Click OK or Apply. Do NOT choose to move files when prompted.
Restart the MailMarshal services

If the resolution above is not appropriate for your installation, please refer to the following alternative workaround:

It is possible to allow all these messages to be scanned properly by configuring the Block Virus rule not to quarantine messages in the event of these scanner errors. However, LevelBlue recommends that you create separate rules to handle the anti-virus errors in a more appropriate fashion. The suggested rules for this workaround are listed below.

Create all three of these rules for correct handling of virus scanning results:

RULE 1 - should block messages if, and only if, the result is 'Contains Virus'. Uncheck all the other options in the Virus Scan Rule Condition.
Standard Rule: Block Virus When a message arrives Where message is incoming Where the result of a virus scan, when scanning with all scanners, is 'Contains Virus' Send a 'Virus In' notification message And move the message to 'Virus'
RULE 2 - This is the rule that handles the error 'File is locked or access denied'. Note that these zip files are still scanned normally and truly infected files will still be detected as normal. This rule basically records that the error occurred and allows the message to continue processing.
Standard Rule: Virus - Unexpected error When a message arrives Where message is incoming Where the result of a virus scan, when scanning with all scanners, is 'Unexpected Error' Copy the message to 'Virus - Unexpected Error' And pass message to the next rule for processing.
RULE 3 - handles the other problem files that your scanner may encounter. Note that with errors like 'Password Protected' and 'Corrupt File', normal virus scanning is not performed and for that reason, these message should not be allowed through. They should not, however, be labelled as viruses. Sending a notification to end users indicating these messages are infected may cause some confusion. Instead, use a notification that indicates the true nature of the problem, perhaps suggesting to resend without password protection.
Standard Rule: Virus - Unable to scan When a message arrives Where message is incoming Where the result of a virus scan, when scanning with all scanners, is 'Password Protected' or 'Corrupt File' or 'Signatures Out Of Date' or 'Could Not Unpack Or Analyze' Send a 'Virus - unable to scan' notification message And move the message to 'Virus - Error'

This article was previously published as:: NETIQKB42907

How do I manually update virus definitions for McAfee for Marshal?

Charles Creegan — Sun, 15 Mar 2020 00:00:00 GMT

This article applies to:

MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
WebMarshal
McAfee for Marshal

Question:

How do I manually update virus definitions for McAfee for Marshal?

Procedure:

You can manually update the virus definitions using the Update Now option in the McAfee for Marshal configuration tool. From the Start menu:

For SEG, select Start | MailMarshal SEG| McAfee for Marshal Configuration.
For ECM, select Start | MailMarshal ECM| McAfee for Marshal Configuration.
For WebMarshal, select Start | WebMarshal | McAfee for Marshal Configuration.

In the McAfee for Marshal configuration tool, click Start Update.

When the update is complete, click OK.

Notes:

If you want to update the virus definitions from local files, you can configure the McAfee for Marshal updater to use a local file or share. To ensure anti-virus protection, Marshal strongly recommends that you configure automatic updating of virus definition files.

This article was previously published as:: NETIQKB40092

Old engine file can't be deleted after engine update

Charles Creegan — Sun, 01 Mar 2020 00:00:00 GMT

This article applies to:

McAfee for Marshal 6.X
MailMarshal (SEG)
MailMarshal ECM/MailMarshal Exchange
WebMarshal

Symptoms:

After the McAfee Engine is updated, the previous version of the file Mcscan32.dll cannot be deleted.

Causes:

When McAfee for Marshal updates the McAfee scanning engine, the new version of the engine DLL is placed in a new directory. The old file remains in place.
The MailMarshal or WebMarshal Engine and other services use the new McAfee engine, but they may continue to hold a lock on the old file.

Resolution:

It is generally not necessary to take any action. The file will be removed later.

If you want to delete the old McAfee engine file and it is locked, restart Marshal services as necessary using the Windows Services control panel on the server.

MailMarshal (SEG) or MailMarshal Exchange Engine and Controller services
WebMarshal Engine, Controller, Array Manager, and/or Node Controller services (depending on version and server role)

Using McAfee for Marshal with no web access

Charles — Mon, 18 Feb 2019 16:25:09 GMT

This article applies to:

McAfee for Marshal 6.X

Question:

How can I update McAfee for Marshal if the SEG, ECM, or WebMarshal server does not have HTTP or FTP access?
Installing McAfee for Marshal without web access leaves the product in an unuseable state as it cannot update itself.

Background:

By default, McAfee for Marshal contacts both McAfee and LevelBlue websites to get updates for Signatures and Engines respectively. At least one update is required before the product will run and provide scanning service.

If web access is not available from the SEG, ECM, or WebMarshal server you can update in a number of other ways.

Recommended Procedures:

You can use any one of the following methods to obtain the signature updates automatically. Once you have configured the access, click Start Update on the Status tab of the McAfee for Marshal configuration tool.

(Recommended) Use a proxy server to access the internet. Configure the proxy information on both the Signature Updates and Engine Updates tabs of the McAfee for Marshal configuration tool.
Copy files from a network share:
- Either: Install an additional copy of McAfee for Marshal on a server that has web access and that can be reached by network share from the SEG, ECM, or WebMarshal server. Configure the share locations for DAT and Engine files on the respective tabs of the McAfee for Marshal configuration tool.
  - Note that with McAfee for Marshal 6.1 and above, the McAfee for Marshal software only installs where a supported version of SEG, ECM, or WebMarshal is also present, and a valid license key is required for updates.
- Or: If you have another McAfee application performing updates, use a local network share to connect to the location where the other application stores the updates. Configure the share locations for DAT and Engine files on the respective tabs of the McAfee for Marshal configuration tool.

Notes:

If none of the automatic options are possible, you can manually copy the files as follows:

Install an additional copy of McAfee for Marshal on any computer that has web access. Allow the initial update to complete.
- Note that with McAfee for Marshal 6.1 and above, the McAfee for Marshal software only installs where a supported version of SEG, ECM, or WebMarshal is also present, and a valid license key is required for updates.
Copy the DATFiles and Engine folders to a local directory on the MailMarshal or WebMarshal server.
Configure the local directory locations for DAT and Engine files on the respective tabs of the McAfee for Marshal configuration tool. Click Start Update on the Status tab of the McAfee for Marshal configuration tool to retrieve the files.

If you rely on manual copying, be aware that your virus protection is diminished because updates will not be as timely.

FTP service terminating:

Be aware that FTP download of signatures from McAfee (NAI) terminates May 31, 2019.

Locations of downloaded McAfee update files

Charles Creegan — Mon, 18 Feb 2019 16:23:06 GMT

This article applies to:

McAfee for Marshal 6.X

Question:

Where are downloaded McAfee update files stored by the McAfee for Marshal Updater?
What location can I use to copy McAfee signature update files from one McAfee for Marshal installation to another by UNC, local file path, FTP, or HTTP?
What location can I use to copy McAfee engine update files from one McAfee for Marshal installation to another by UNC, local file path, FTP, or HTTP?

Information:

If you want to use a single instance to download from the Internet, and have other instances retrieve files locally, there are two locations to note. Both are sub-folders of the McAfee for Marshal installation.

By default the McAfee for Marshal installation location (current versions) is C:\Program Files\Trustwave\McAfee for Marshal

Signature files are stored in the DATFiles sub-folder of the McAfee for Marshal installation. To update signature files, point the other updaters to this location (by default, C:\Program Files\Trustwave\McAfee for Marshal\DATFiles). The files are named as avvdat-xxxx.zip where xxxx is the McAfee signature version.
Engine files are stored in the Engine sub-folder of the McAfee for Marshal installation. To update engine files, point the other engine updaters to this location (by default, C:\Program Files\Trustwave\McAfee for Marshal\Engine). The Engine sub-folder will include:
- An additional sub-folder for each engine update. These folders are named in the form
  Update-x.xxx.x.xxxx (showing the engine version)
- A file named EngineVersion.ini This file directs the updater to retrieve the update from the correct sub-folder.

Notes:

If you are using UNC, set up a shared folder such as \\updateserver\McAfeeforMarshal
If you are using HTTP or FTP, set up the HTTP or FTP server (such as IIS) with virtual directories that map to the appropriate folders.

Marshal scanner plug-in compatibility with Microsoft "Meltdown" security patch

Charles Creegan — Wed, 10 Jan 2018 12:57:18 GMT

This article applies to:

Bitdefender for Marshal
McAfee for Marshal
Sophos for Marshal

Question:

Are the Marshal virus scanner plug-ins compatible with the Microsoft security update for "Meltdown" (January 3, 2018)?

Information:

Yes, the Marshal virus scanner plug-ins are safe to use on systems where the Microsoft security update is applied.

The four scanner manufacturers have confirmed their engines are compatible with the security update.
LevelBlue has performed basic testing of the scanner integration with SEG and WebMarshal. LevelBlue has not done any performance testing.

Notes:

To apply the Microsoft security update you might need to take manual action.

Windows Update only offers the security update to systems where a specific registry value is present.
The plug-ins do not set this registry value. If you have a resident virus scanner on the server, it might set the value.
Even when the value has been set, Windows Update might not install the update depending on the options you selected. You might need to select the update, or install it manually from the Microsoft Update Catalog.
For more information, see Microsoft KB 4056897 (Windows 2008 R2) or other related Microsoft articles.

Additions to Release Notes for McAfee for Marshal 6.1

Charles Creegan — Wed, 08 Nov 2017 16:24:17 GMT

This article applies to:

McAfee for Marshal 6.1

Question:

What are the Release Notes for McAfee for Marshal 6.1?

Information:

The Release Notes included with the McAfee for Marshal installation are accurate as of the date of publication. The current release is 6.1.2.1564, released November 9, 2017.

This article provides any information generated after that date.

64-bit support:

A 64-bit version of McAfee for Marshal 6.1 is available to support MailMarshal 8.X and above, and WebMarshal 7.X.
The 32-bit version of McAfee for Marshal 6.1 supports SEG 7.X, ECM 7.X, and WebMarshal 6.X in both 32-bit and 64-bit environments.
64-bit and 32-bit versions can co-exist on the same server.

Installation order:

When migrating from SEG 7.X to MailMarshal 8.X, or from WebMarshal 6.X to 7.X, to avoid engine downtime, install 64-bit McAfee for Marshal and ensure that signatures are up to date before migrating the main product.

What Virus Scanners are supported by WebMarshal?

Charles Creegan — Mon, 06 Nov 2017 22:11:44 GMT

This article applies to:

WebMarshal

Question:

What Virus Scanners are supported by WebMarshal?
How do I use Anti-Virus scanners with WebMarshal?
How do I install and set up my anti-virus scanner supported by WebMarshal?

Information:

WebMarshal can virus scan file downloads and uploads. If a virus is found, the download or upload can be blocked and a warning page displayed, indicating that a virus was found.

Note: Upload scanning is not supported when WebMarshal is run as a Web filter plug-in to ISA Server. This includes virus scanning uploads.

WebMarshal only supports virus scanners that have a special WebMarshal DLL interface.

Available scanners:

Bitdefender for Marshal (WebMarshal 6.12 and above)
Included in the WebMarshal download on the trial or upgrade download pages of this site.
McAfee for Marshal
Available on the trial or upgrade download pages of this site.
Sophos for Marshal
Available on the trial or upgrade download pages of this site.
Sophos Anti Virus (SAV Interface)
http://www.sophos.com/
(Not available with WebMarshal 7.X - 64 bit integration is not provided)
- For customers upgrading to WebMarshal 7 who are currently licensed for Sophos (SAVI), LevelBlue has agreed with Sophos to provide Sophos for Marshal, at no cost, for the remaining life of the customer's existing SAVI license.
- At the next renewal, to continue using Sophos for Marshal, customers must purchase Sophos for Marshal licensing from LevelBlue on normal terms.
- To take advantage of this offer, customers (or partners) should contact their LevelBlue account manager. Proof of the SAVI license is required, such as the original order confirmation.
Symantec Anti-Virus Scan Engine
(Not available with WebMarshal 7.X - 64 bit integration is not provided)
http://www.symantec.com/

Note that Norman products are no longer supported. The products are discontinued by the developer.

Installing and Setting up the Anti-Virus Scanner

The virus scanner should be installed on each WebMarshal processing server according to the manufacturer's instructions.

WebMarshal uses a temporary folder during virus scanning and this folder must be excluded from any resident virus scanning. See documentation for your version of WebMarshal

The way you exclude folders from resident scanning is specific to each scanner.

Bitdefender for Marshal, McAfee for Marshal and Sophos for Marshal
- These scanners are specifically designed to work with WebMarshal and do not require exclusion setup.
Sophos Anti Virus
1. From the Options menu, select Exclusion List.
2. The Sophos on access scanner (InterCheck) will exclude any files on this list, by default. You can check this in the InterCheck settings, under the Exclusion tab.

Setting up the Virus Scanner in WebMarshal

Once the virus scanner has been installed and set up on the WebMarshal server, it needs to be installed in WebMarshal.

In the WebMarshal Console, select Rule Elements (or Policy Elements) and right click Virus Scanners.
Select New Scanner, and from the list provided, select the required virus scanner.
If necessary, create a content rule to run the virus scanner. WebMarsahl default rules include virus scanning rules. Your rule should look similar to this:

When a web request is received
For any User
And where addressed to any URL
Except where the URL is a member of Sites Excluded From Virus Scanning
Where the result of the virus scan is Contains Virus; Unexpected Error
Block Access and display FileBlockedVirus page
Or Abort Download of this file and display FileAbortedVirus page
Send a notification e-mail to the administrator
And do not process any further rules

For more information about setting up virus scanning rules, refer to the chapter, Virus Scanners, in the WebMarshal manual or contact Technical Support at https://support.levelblue.com/.

Notes:

For performance reasons, by default WebMarshal does not virus scan HTML and text files. You can enable scanning of these files. See the WebMarshal Console, Download Options tab of WebMarshal Server Properties.

This article was previously published as:: NETIQKB29171; Marshal KB226

Additions to Release Notes for McAfee for Marshal 6.0

Charles Creegan — Wed, 07 Oct 2015 19:44:32 GMT

This article applies to:

McAfee for Marshal 6.0

Question:

What are the Release Notes for McAfee for Marshal 6.0?

Information:

The Release Notes included with the McAfee for Marshal installation are accurate as of the date of publication. The current release is 6.0.4.8606, released December 14, 2009.

This article provides any information generated after that date.

An issue has been identified with installation of the 6.0.3 release. See article Q12951. To resolve the issue, use 6.0.4.

Operating System Support:

McAfee for Marshal is tested and supported on all Windows versions where the SEG, ECM, and WebMarshal products are supported. In addition to the versions mentioned in Release Notes, this includes Windows 2008 R2, Windows 2012 and 2012 R2, Windows 7 and Windows 8 (32 and 64 bit versions where available).

Server 2016 and Windows 10 will also be supported.

Further notes:

When upgrading from McAfee for Marshal version 5.100 or 5.200, all MailMarshal or WebMarshal services will be restarted. Schedule the installation at an appropriate time of day to minimize disruption.
The current McAfee engine installed by this version of McAfee for Marshal is 5.3.00.
McAfee has declared End of Life for the version 5.1.00 engine as of January 2008, and for the 5.2.00 engine as of January 2009. Marshal urges all customers to upgrade to McAfee for Marshal 6.X as soon as possible.
Note that this version will automatically download future engine updates. Manual upgrade will no longer be required to maintain the McAfee engine.
After an engine update, you may not be able to delete the old engine (McScan32.DLL). For more information, see LevelBlue Knowledgebase article Q12218.

WebMarshal Engine fails to start

Charles — Mon, 12 Jan 2015 17:09:12 GMT

This article applies to:

WebMarshal
Virus scanning

Symptoms:

WebMarshal Engine fails to start.
When opening the WebMarshal Console an error occurs.
Error: 'Unable to connect to LocalHost: 0x0080005 - Server execution failed.'
An error occurs in the NT Event Viewer application log.
Error: 'Failed to create Eicar.com test virus file. This typically happens because a virus scanner is operating.'

Causes:

WebMarshal supports virus scanning of uploads and downloads.

WebMarshal uses a temporary folder during virus scanning and this folder must be excluded from any resident virus scanning by other products.

By default in version 3.7.5.x, this folder is the temp folder located at C:\Program Files\Marshal\WebMarshal\Temp\.

By default in version 6.x, this folder is the temp folder located at C:\Program Files\Marshal\WebMarshal\Temp\ (and any subfolders) on the Array Manager server and each processing node server.

In version 6.5 and above, the location can be customized. See article Q12249.

Information:

Ensure that the WebMarshal\Temp folder is excluded from scanning by your server virus scanner. See your virus scanner product documentation for information about excluding folders from scanning.

For more information, contact Technical Support at https://support.levelblue.com/.

This article was previously published as:: NETIQKB29350; Marshal KB187

McAfee for Marshal engine stopping unexpectedly

Charles Creegan — Wed, 13 Jan 2010 15:51:00 GMT

This article applies to:

McAfee for Marshal 6.x

Symptoms:

McAfee for Marshal engine stops unexpectedly during MailMarshal SMTP configuration reload

Resolution:

Upgrade to the latest version of McAfee for Marshal. This issue was first fixed in McAfee for Marshal 6.0.3.8294 (October 22, 2009).

McAfee for Marshal 6.0.3 upgrade issue

Charles Creegan — Mon, 14 Dec 2009 14:09:00 GMT

This article applies to:

McAfee for Marshal 6.0.3

Symptoms:

Upgraded to McAfee for Marshal 6.0.3
Symptoms fixed by this upgrade continue to occur

Causes:

When the McAfee for Marshal (MfM) 6.0.3 upgrade is installed while MailMarshal or WebMarshal services are running and scanning items, a required DLL file cannot be upgraded because it is locked.
The installer does not alert you to this locked file.

Resolution:

The preferred resolution is to download and install McAfee for Marshal 6.0.4, released December 14, 2009.

You can also ensure that McAfee for Marshal 6.0.3 is properly installed by following these steps:

Stop the MailMarshal and/or WebMarshal engine services on the affected server and ensure these services are stopped.
Run the MfM installer and select Repair. Allow installation to complete.
Start the engine services.

Notes:

If you have not yet upgraded MfM, to avoid the issue install McAfee for Marshal 6.0.4.

How Do I Use EXTRA.DAT files with McAfee for Marshal?

Charles Creegan — Thu, 04 Dec 2008 01:25:00 GMT

This article applies to:

McAfee for Marshal version 5.1.0.0 and above
MailMarshal SMTP
MailMarshal Exchange
WebMarshal

Question:

How Do I Use EXTRA.DAT files with McAfee for Marshal?

Procedure:

The McAfee for Marshal virus scanning product can use McAfee EXTRA.DAT files.

To use an extra.dat with McAfee for Marshal:

Download the extra.dat. You can obtain specific extra.dat files from https://www.webimmune.net/extra/getextra.aspx
Save the extra.dat to %INSTALL PATH%\DATFiles\avvdat-xxxx-files where:
- %INSTALL PATH% is the McAfee for Marshal installation path, typically C:\Program Files\Marshal\McAfee for Marshal
- xxxx is the highest numbered of the similar folders present.
For example: C:\Program Files\Marshal\McAfee for Marshal\DATFiles\avv-4578-files
Restart the MailMarshal and/or WebMarshal engine services to initialise the new extra.dat file.

This extra.dat file will continue to be used until a new set of Dat files is downloaded, or for 14 days (Extra.dat files expire after a maximum of 14 days).

Notes:

In MailMarshal SMTP installations with multiple email processing nodes, you must save the extra.dat file and restart the engine on each node.
General information about extra.dat is available from the McAfee on-line help site.

Updates to Release Notes for McAfee for Marshal 5.200

Charles Creegan — Thu, 04 Dec 2008 01:15:00 GMT

This article applies to:

McAfee for Marshal 5.200

Question:

What are the Release Notes for McAfee for Marshal?

Information:

McAfee for Marshal 5.200 has been replaced by McAfee for Marshal 6.0.1. Marshal strongly urges customers to update McAfee for Marshal to version 6.0 as soon as possible.
For more information see LevelBlue Knowledgebase article Q12192.

The Release Notes included with the McAfee for Marshal installation are accurate as of the date of publication (December 18, 2007). This article provides any information generated after that date.

Important note:

McAfee has declared End of Support for the McAfee 5.2.00 Anti-Virus Scanning Engine, effective January 31, 2009. Installations using McAfee Engine version 5.2.00 will not be supported by McAfee after that date. Installations using earlier versions of the McAfee Engine are not supported as of the date of this article.

For more information, see http://www.mcafee.com/uk/smb/support/customer_service/end_life.html.

Software Version	Release Date	Support Status	Discontinued Date
1.2.0.1680 (64 bit only)	August 3, 2021	Active
1.1.2.1623 (64 bit only)	August 22, 2019	Discontinued	March 20, 2022
1.1.1.1564	November 9, 2017	Discontinued	March 20, 2022