Cisco Cisco Email Security Appliance C650 Guía Del Usuario
12-4
Cisco AsyncOS 9.5 for Email User Guide
Chapter 12 Anti-Virus
Sophos Anti-Virus Filtering
Heuristics
The virus engine can combine basic pattern matching techniques with heuristics – a technique using
general rather than specific rules – to detect several viruses in the same family, even though Sophos
researchers might have analyzed only one virus in that family. The technique enables a single description
to be created that will catch several variants of one virus. Sophos tempers its heuristics with other
methods, minimizing the incidence of false positives.
general rather than specific rules – to detect several viruses in the same family, even though Sophos
researchers might have analyzed only one virus in that family. The technique enables a single description
to be created that will catch several variants of one virus. Sophos tempers its heuristics with other
methods, minimizing the incidence of false positives.
Emulation
Emulation is a technique applied by the virus engine to polymorphic viruses. Polymorphic viruses are
encrypted viruses that modify themselves in an effort to hide themselves. There is no visible constant
virus code and the virus encrypts itself differently each time it spreads. When it runs, it decrypts itself.
The emulator in the virus detection engine is used on DOS and Windows executables, while polymorphic
macro viruses are found by detection code written in Sophos’s Virus Description Language.
encrypted viruses that modify themselves in an effort to hide themselves. There is no visible constant
virus code and the virus encrypts itself differently each time it spreads. When it runs, it decrypts itself.
The emulator in the virus detection engine is used on DOS and Windows executables, while polymorphic
macro viruses are found by detection code written in Sophos’s Virus Description Language.
The output of this decryption is the real virus code and it is this output that is detected by the Sophos
virus detection engine after running in the emulator.
virus detection engine after running in the emulator.
Executables that are sent to the engine for scanning are run inside the emulator, which tracks the
decryption of the virus body as it is written to memory. Normally the virus entry point sits at the front
end of a file and is the first thing to run. In most cases, only a small amount of the virus body has to be
decrypted in order for the virus to be recognized. Most clean executables stop emulating after only a few
instructions, which reduces overhead.
decryption of the virus body as it is written to memory. Normally the virus entry point sits at the front
end of a file and is the first thing to run. In most cases, only a small amount of the virus body has to be
decrypted in order for the virus to be recognized. Most clean executables stop emulating after only a few
instructions, which reduces overhead.
Because the emulator runs in a restricted area, if the code does turn out to be a virus, the virus does not
infect the appliance.
infect the appliance.
Virus Descriptions
Sophos exchanges viruses with other trusted anti-virus companies every month. In addition, every month
customers send thousands of suspect files directly to Sophos, about 30% of which turn out to be viruses.
Each sample undergoes rigorous analysis in the highly secure virus labs to determine whether or not it
is a virus. For each newly discovered virus, or group of viruses, Sophos creates a description.
customers send thousands of suspect files directly to Sophos, about 30% of which turn out to be viruses.
Each sample undergoes rigorous analysis in the highly secure virus labs to determine whether or not it
is a virus. For each newly discovered virus, or group of viruses, Sophos creates a description.
Sophos Alerts
Cisco encourages customers who enable Sophos Anti-Virus scanning to subscribe to Sophos alerts on
the Sophos site at http://www.sophos.com/virusinfo/notifications/.
Subscribing to receive alerts directly from Sophos will ensure you are apprised of the latest virus
outbreaks and their available solutions.
the Sophos site at http://www.sophos.com/virusinfo/notifications/.
Subscribing to receive alerts directly from Sophos will ensure you are apprised of the latest virus
outbreaks and their available solutions.
When a Virus is Found
When a virus has been detected, Sophos Anti-Virus can repair (disinfect) the file. Sophos Anti-Virus can
usually repair any file in which a virus has been found, after which the file can be used without risk. The
precise action taken depends on the virus.
usually repair any file in which a virus has been found, after which the file can be used without risk. The
precise action taken depends on the virus.
There can be limitations when it comes to disinfecting, because it is not always possible to return a file
to its original state. Some viruses overwrite part of the executable program which cannot be reinstated.
In this instance, you define how to handle messages with attachments that could not be repaired. You
to its original state. Some viruses overwrite part of the executable program which cannot be reinstated.
In this instance, you define how to handle messages with attachments that could not be repaired. You