Cisco Cisco Email Security Appliance C680 User Guide
8-4
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 8 Anti-Virus
Executables that are sent to the engine for scanning are run inside the emulator, which tracks the
decryption of the virus body as it is written to memory. Normally the virus entry point sits at the front
end of a file and is the first thing to run. In most cases, only a small amount of the virus body has to be
decrypted in order for the virus to be recognized. Most clean executables stop emulating after only a few
instructions, which reduces overhead.
decryption of the virus body as it is written to memory. Normally the virus entry point sits at the front
end of a file and is the first thing to run. In most cases, only a small amount of the virus body has to be
decrypted in order for the virus to be recognized. Most clean executables stop emulating after only a few
instructions, which reduces overhead.
Because the emulator runs in a restricted area, if the code does turn out to be a virus, the virus does not
infect the appliance.
infect the appliance.
Virus Descriptions
Sophos exchanges viruses with other trusted anti-virus companies every month. In addition, every month
customers send thousands of suspect files directly to Sophos, about 30% of which turn out to be viruses.
Each sample undergoes rigorous analysis in the highly secure virus labs to determine whether or not it
is a virus. For each newly discovered virus, or group of viruses, Sophos creates a description.
customers send thousands of suspect files directly to Sophos, about 30% of which turn out to be viruses.
Each sample undergoes rigorous analysis in the highly secure virus labs to determine whether or not it
is a virus. For each newly discovered virus, or group of viruses, Sophos creates a description.
Sophos Alerts
Cisco encourages customers who enable Sophos Anti-Virus scanning to subscribe to Sophos alerts on
the Sophos site at http://www.sophos.com/virusinfo/notifications/.
the Sophos site at http://www.sophos.com/virusinfo/notifications/.
Subscribing to receive alerts directly from Sophos will ensure you are apprised of the latest virus
outbreaks and their available solutions.
outbreaks and their available solutions.
When a Virus is Found
When a virus has been detected, Sophos Anti-Virus can repair (disinfect) the file. Sophos Anti-Virus can
usually repair any file in which a virus has been found, after which the file can be used without risk. The
precise action taken depends on the virus.
usually repair any file in which a virus has been found, after which the file can be used without risk. The
precise action taken depends on the virus.
There can be limitations when it comes to disinfecting, because it is not always possible to return a file
to its original state. Some viruses overwrite part of the executable program which cannot be reinstated.
In this instance, you define how to handle messages with attachments that could not be repaired. You
configure these settings on a per-recipient basis using the Email Security Feature: the Mail Policies >
Incoming or Outgoing Mail Policies pages (GUI) or the
to its original state. Some viruses overwrite part of the executable program which cannot be reinstated.
In this instance, you define how to handle messages with attachments that could not be repaired. You
configure these settings on a per-recipient basis using the Email Security Feature: the Mail Policies >
Incoming or Outgoing Mail Policies pages (GUI) or the
policyconfig -> antivirus
command (CLI).
For more information on configuring these settings, see
.
McAfee Anti-Virus Filtering
The McAfee® scanning engine:
•
Scans files by pattern-matching virus signatures with data from your files.
•
Decrypts and runs virus code in an emulated environment.
•
Applies heuristic techniques to recognize new viruses.
•
Removes infectious code from files.