Cisco Email Security Appliance C650 User Guide
Cisco AsyncOS 8.5 for Email User Guide
Chapter 12 Anti-Virus
McAfee Anti-Virus Filtering
Encrypted Polymorphic Virus Detection
Complex viruses avoid detection with signature scanning by using two popular techniques:
• Encryption. The data inside the virus is encrypted so that anti-virus scanners cannot see the messages or computer code of the virus. When the virus is activated, it converts itself into a working version, then executes.
• Polymorphism. This process is similar to encryption, except that when the virus replicates itself, it changes its appearance.
To counteract such viruses, the engine uses a technique called emulation. If the engine suspects that a file contains such a virus, the engine creates an artificial environment in which the virus can run harmlessly until it has decoded itself and its true form becomes visible. The engine can then identify the virus by scanning for a virus signature, as usual.
Heuristics Analysis
Using only virus signatures, the engine cannot detect a new virus because its signature is not yet known. Therefore the engine can use an additional technique — heuristic analysis.
Programs, documents or email messages that carry a virus often have distinctive features. They might attempt unprompted modification of files, invoke mail clients, or use other means to replicate themselves. The engine analyzes the program code to detect these kinds of computer instructions. The engine also searches for legitimate non-virus-like behavior, such as prompting the user before taking action, and thereby avoids raising false alarms.
By using these techniques, the engine can detect many new viruses.
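The following is an added illustration of the two techniques described above (emulation of self-decoding code, then heuristics when no signature matches); it is a constructed toy engine, not AsyncOS or McAfee code, and the signature database, opcode set and samples are all invented for the example.

```python
# Hypothetical signature database: byte patterns of "known" viruses (constructed).
SIGNATURES = {b"TOY-VIRUS-A": "Toy.VirusA"}
# Constructed toy opcodes; the decode stub is followed by key byte, length byte, body.
OP_DECODE_XOR = 0xD0
OP_WRITE_FILE = 0xF1  # unprompted modification of a file
OP_SEND_MAIL = 0xF2   # invoke a mail client (replication behaviour)
OP_PROMPT = 0xF3      # ask the user first (legitimate, non-virus-like)

def scan_signatures(code: bytes):
    """Plain signature scan: name of the first known pattern found, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in code:
            return name
    return None

def emulate(sample: bytes) -> bytes:
    """Run decode stubs in an artificial environment; return the unpacked working form."""
    out, i = bytearray(), 0
    while i < len(sample):
        if sample[i] == OP_DECODE_XOR and i + 3 <= len(sample):
            key, length = sample[i + 1], sample[i + 2]
            out += bytes(b ^ key for b in sample[i + 3:i + 3 + length])
            i += 3 + length
        else:
            out.append(sample[i])  # plain instruction (or truncated stub): copy through
            i += 1
    return bytes(out)

def heuristic_score(code: bytes) -> int:
    """Count replication-like instructions; a prompt to the user offsets one."""
    score = 0
    for b in code:
        if b in (OP_WRITE_FILE, OP_SEND_MAIL):
            score += 1
        elif b == OP_PROMPT:
            score -= 1
    return max(score, 0)

def classify(sample: bytes):
    """Emulate, signature-scan the unpacked code, then fall back to heuristics."""
    code = emulate(sample)
    if name := scan_signatures(code):
        return ("signature", name)
    if heuristic_score(code) >= 2:
        return ("heuristic", "replication behaviour without user prompt")
    return ("clean", None)

# Constructed samples. ENCRYPTED_VIRUS is b"TOY-VIRUS-A" XOR 0x5A behind a decode stub.
ENCRYPTED_VIRUS = bytes([0xD0, 0x5A, 0x0B, 0x0E, 0x15, 0x03, 0x77, 0x0C, 0x13,
                         0x08, 0x0F, 0x09, 0x77, 0x1B])
UNKNOWN_VIRUS = bytes([OP_WRITE_FILE, OP_SEND_MAIL, OP_SEND_MAIL])  # no known signature
LEGIT_MAILER = bytes([OP_PROMPT, OP_SEND_MAIL])
```

A raw scan of ENCRYPTED_VIRUS finds nothing; only the emulated output matches the signature, while UNKNOWN_VIRUS is caught by heuristics alone and LEGIT_MAILER stays clean because it prompts the user.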
When a Virus is Found
When a virus has been detected, McAfee can repair (disinfect) the file. McAfee can usually repair any file in which a virus has been found, after which the file can be used without risk. The precise action taken depends on the virus.
Occasionally, there can be limitations when it comes to disinfecting files because it is not always possible to return a file to its original state. Some viruses overwrite part of the executable program which cannot be reinstated. In this instance, you define how to handle messages with attachments that could not be repaired. You configure these settings on a per-recipient basis using the Email Security Feature: the Mail Policies > Incoming or Outgoing Mail Policies pages (GUI) or the policyconfig -> antivirus command (CLI). For more information on configuring these settings, see .