Cisco Cisco Email Security Appliance C650 Guía Del Usuario
8-3
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 8 Anti-Virus
•
an on-line decompressor for scanning inside archive files
•
an OLE2 engine for detecting and disinfecting macro viruses
The Cisco IronPort appliance integrates with the virus engine using SAV Interface.
Virus Scanning
In broad terms, the engine’s scanning capability is managed by a powerful combination of two important
components: a classifier that knows where to look, and the virus database that knows what to look for.
The engine classifies the file by type rather than by relying on the extension.
components: a classifier that knows where to look, and the virus database that knows what to look for.
The engine classifies the file by type rather than by relying on the extension.
The virus engine looks for viruses in the bodies and attachments of messages received by the system; an
attachment’s file type helps determine its scanning. For example, if a message’s attached file is an
executable, the engine examines the header which tells it where the executable code starts and it looks
there. If the file is a Word document, the engine looks in the macro streams. If it is a MIME file, the
format used for mail messaging, it looks in the place where the attachment is stored.
attachment’s file type helps determine its scanning. For example, if a message’s attached file is an
executable, the engine examines the header which tells it where the executable code starts and it looks
there. If the file is a Word document, the engine looks in the macro streams. If it is a MIME file, the
format used for mail messaging, it looks in the place where the attachment is stored.
Detection Methods
How viruses are detected depends on their type. During the scanning process, the engine analyzes each
file, identifies the type, and then applies the relevant technique(s). Underlying all methods is the basic
concept of looking for certain types of instructions or certain ordering of instructions.
file, identifies the type, and then applies the relevant technique(s). Underlying all methods is the basic
concept of looking for certain types of instructions or certain ordering of instructions.
Pattern matching
In the technique of pattern matching, the engine knows the particular sequence of code and is looking
for an exact match that will identify the code as a virus. More often, the engine is looking for sequences
of code that are similar, but not necessarily identical, to the known sequences of virus code. In creating
the descriptions against which files are compared during scanning, Sophos virus researchers endeavor to
keep the identifying code as general as possible so that – using heuristics, as explained below – the
engine will find not just the original virus but also its later derivatives.
for an exact match that will identify the code as a virus. More often, the engine is looking for sequences
of code that are similar, but not necessarily identical, to the known sequences of virus code. In creating
the descriptions against which files are compared during scanning, Sophos virus researchers endeavor to
keep the identifying code as general as possible so that – using heuristics, as explained below – the
engine will find not just the original virus but also its later derivatives.
Heuristics
The virus engine can combine basic pattern matching techniques with heuristics – a technique using
general rather than specific rules – to detect several viruses in the same family, even though Sophos
researchers might have analyzed only one virus in that family. The technique enables a single description
to be created that will catch several variants of one virus. Sophos tempers its heuristics with other
methods, minimizing the incidence of false positives.
general rather than specific rules – to detect several viruses in the same family, even though Sophos
researchers might have analyzed only one virus in that family. The technique enables a single description
to be created that will catch several variants of one virus. Sophos tempers its heuristics with other
methods, minimizing the incidence of false positives.
Emulation
Emulation is a technique applied by the virus engine to polymorphic viruses. Polymorphic viruses are
encrypted viruses that modify themselves in an effort to hide themselves. There is no visible constant
virus code and the virus encrypts itself differently each time it spreads. When it runs, it decrypts itself.
The emulator in the virus detection engine is used on DOS and Windows executables, while polymorphic
macro viruses are found by detection code written in Sophos’s Virus Description Language.
encrypted viruses that modify themselves in an effort to hide themselves. There is no visible constant
virus code and the virus encrypts itself differently each time it spreads. When it runs, it decrypts itself.
The emulator in the virus detection engine is used on DOS and Windows executables, while polymorphic
macro viruses are found by detection code written in Sophos’s Virus Description Language.
The output of this decryption is the real virus code and it is this output that is detected by the Sophos
virus detection engine after running in the emulator.
virus detection engine after running in the emulator.