Cisco Email Security Appliance X1050 User Guide
9-7
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 9 Anti-Virus
Pattern-Matching Virus Signatures
McAfee uses anti-virus definition (DAT) files with the scanning engine to detect
particular viruses, types of viruses, or other potentially unwanted software.
Together, they can detect a simple virus by starting from a known place in a file,
then searching for a virus signature. Often, they must search only a small part of
a file to determine that the file is free from viruses.
Encrypted Polymorphic Virus Detection
Complex viruses avoid detection with signature scanning by using two popular
techniques:
• Encryption. The data inside the virus is encrypted so that anti-virus scanners
cannot see the messages or computer code of the virus. When the virus is
activated, it converts itself into a working version, then executes.
• Polymorphism. This process is similar to encryption, except that when the
virus replicates itself, it changes its appearance.
To counteract such viruses, the engine uses a technique called emulation. If the
engine suspects that a file contains such a virus, the engine creates an artificial
environment in which the virus can run harmlessly until it has decoded itself and
its true form becomes visible. The engine can then identify the virus by scanning
for a virus signature, as usual.
Heuristics Analysis
Using only virus signatures, the engine cannot detect a new virus because its
signature is not yet known. Therefore the engine can use an additional technique
— heuristic analysis.
Programs, documents or email messages that carry a virus often have distinctive
features. They might attempt unprompted modification of files, invoke mail
clients, or use other means to replicate themselves. The engine analyzes the
program code to detect these kinds of computer instructions. The engine also
searches for legitimate non-virus-like behavior, such as prompting the user before
taking action, and thereby avoids raising false alarms.
By using these techniques, the engine can detect many new viruses.
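The three techniques described in this section (signature matching, emulation of a self-decoding file, and heuristic scoring) as an added toy scanner; this is example code written for illustration, not McAfee or AsyncOS code. The signature, the "XOR" decoder header, and the API-like markers are all constructed for the demo and stand in for real DAT content.

```python
from typing import Optional

# Constructed demo data (not real McAfee DAT content): one fake signature and a
# few API-like markers standing in for the behaviours the heuristics look for.
SIGNATURES = {"Demo.Sample": b"DEMO-VIRUS-SIGNATURE"}
SUSPICIOUS = [b"WriteFile(", b"MAPISendMail(", b"CopySelf("]  # self-replication style calls
BENIGN = [b"AskUser("]                                         # prompts the user before acting

def signature_scan(data: bytes) -> Optional[str]:
    """Pattern matching: return the name of the first known signature found, else None."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None

def emulate_decode(data: bytes) -> bytes:
    """Toy stand-in for emulation: a file starting with the constructed header b'XOR' + <key byte>
    is 'run' by applying its own decoder to the body so the true form becomes visible."""
    if data.startswith(b"XOR") and len(data) > 4:
        key = data[3]
        return bytes(b ^ key for b in data[4:])
    return data

def heuristic_score(data: bytes) -> int:
    """Heuristic analysis: count virus-like instructions, minus legitimate prompting behaviour."""
    score = sum(data.count(m) for m in SUSPICIOUS) - sum(data.count(m) for m in BENIGN)
    return max(score, 0)

def scan(data: bytes, threshold: int = 2) -> str:
    """Apply the three techniques in order and report the verdict."""
    name = signature_scan(data)
    if name:
        return f"infected:{name}"
    decoded = emulate_decode(data)
    if decoded is not data:                      # the decoder stub was present and run
        name = signature_scan(decoded)
        if name:
            return f"infected:{name} (after emulation)"
    score = heuristic_score(decoded)
    if score >= threshold:
        return f"suspicious:heuristic score {score}"
    return "clean"

# Constructed samples: plain, self-decoding, unknown-but-virus-like, and benign.
PLAIN = b"header DEMO-VIRUS-SIGNATURE trailer"
_BODY = b"payload DEMO-VIRUS-SIGNATURE"
ENCODED = b"XOR" + bytes([0x5A]) + bytes(b ^ 0x5A for b in _BODY)
UNKNOWN = b"CopySelf(); MAPISendMail(); WriteFile()"
BENIGN_FILE = b"AskUser(); WriteFile()"
```

Note that `signature_scan(ENCODED)` alone returns `None`: the signature is only found once the decoder has been run, which is the point of the emulation step.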