Cisco Cisco Email Security Appliance X1070 Guía Del Usuario
12-3
Cisco AsyncOS 9.5 for Email User Guide
Chapter 12 Anti-Virus
Sophos Anti-Virus Filtering
Virus Detection Engine
The Sophos virus detection engine lies at the heart of the Sophos Anti-Virus technology. It uses a
proprietary architecture similar to Microsoft’s COM (Component Object Model), consisting of a number
of objects with well-defined interfaces. The modular filing system used by the engine is based on
separate, self-contained dynamic libraries each handling a different “storage class,” for example, file
type. This approach allows virus scanning operations to be applied on generic data sources, irrespective
of type.
proprietary architecture similar to Microsoft’s COM (Component Object Model), consisting of a number
of objects with well-defined interfaces. The modular filing system used by the engine is based on
separate, self-contained dynamic libraries each handling a different “storage class,” for example, file
type. This approach allows virus scanning operations to be applied on generic data sources, irrespective
of type.
Specialized technology for loading and searching data enables the engine to achieve very fast scanning
speeds. Incorporated within it are:
speeds. Incorporated within it are:
•
A full code emulator for detecting polymorphic viruses
•
An on-line decompressor for scanning inside archive files
•
An OLE2 engine for detecting and disinfecting macro viruses
The Cisco appliance integrates with the virus engine using SAV Interface.
Virus Scanning
In broad terms, the engine’s scanning capability is managed by a powerful combination of two important
components: a classifier that knows where to look, and the virus database that knows what to look for.
The engine classifies the file by type rather than by relying on the extension.
components: a classifier that knows where to look, and the virus database that knows what to look for.
The engine classifies the file by type rather than by relying on the extension.
The virus engine looks for viruses in the bodies and attachments of messages received by the system; an
attachment’s file type helps determine its scanning. For example, if a message’s attached file is an
executable, the engine examines the header which tells it where the executable code starts and it looks
there. If the file is a Word document, the engine looks in the macro streams. If it is a MIME file, the
format used for mail messaging, it looks in the place where the attachment is stored.
attachment’s file type helps determine its scanning. For example, if a message’s attached file is an
executable, the engine examines the header which tells it where the executable code starts and it looks
there. If the file is a Word document, the engine looks in the macro streams. If it is a MIME file, the
format used for mail messaging, it looks in the place where the attachment is stored.
Detection Methods
How viruses are detected depends on their type. During the scanning process, the engine analyzes each
file, identifies the type, and then applies the relevant technique(s). Underlying all methods is the basic
concept of looking for certain types of instructions or certain ordering of instructions.
file, identifies the type, and then applies the relevant technique(s). Underlying all methods is the basic
concept of looking for certain types of instructions or certain ordering of instructions.
Related Topics
•
•
•
Pattern Matching
In the technique of pattern matching, the engine knows the particular sequence of code and is looking
for an exact match that will identify the code as a virus. More often, the engine is looking for sequences
of code that are similar, but not necessarily identical, to the known sequences of virus code. In creating
the descriptions against which files are compared during scanning, Sophos virus researchers endeavor to
keep the identifying code as general as possible so that – using heuristics, as explained below – the
engine will find not just the original virus but also its later derivatives.
for an exact match that will identify the code as a virus. More often, the engine is looking for sequences
of code that are similar, but not necessarily identical, to the known sequences of virus code. In creating
the descriptions against which files are compared during scanning, Sophos virus researchers endeavor to
keep the identifying code as general as possible so that – using heuristics, as explained below – the
engine will find not just the original virus but also its later derivatives.