Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5.5 for Email Security User Guide
 
Chapter 12 Anti-Virus
Sophos Anti-Virus Filtering
You can see how much time remains on the evaluation via the System Administration > Feature Keys 
page or by issuing the featurekey command. (For more information, see 
Scanning Messages with Multiple Anti-Virus Scanning Engines
AsyncOS supports scanning messages with multiple anti-virus scanning engines — multi-layer 
anti-virus scanning. You can configure your Cisco appliance to use one or both of the licensed anti-virus 
scanning engines on a per mail policy basis. You could create a mail policy for executives, for example, 
and configure that policy to scan mail with both Sophos and McAfee engines.
Scanning messages with multiple scanning engines provides “defense in depth” by combining the 
benefits of both Sophos and McAfee anti-virus scanning engines. Each engine has leading anti-virus 
capture rates, but because each engine relies on a separate base of technology (discussed in 
 an
) for detecting viruses, the 
multi-scan approach can be even more effective. Using multiple scanning engines can reduce 
system throughput; contact your Cisco support representative for more information.
You cannot configure the order of virus scanning. When you enable multi-layer anti-virus scanning, the 
McAfee engine scans for viruses first, and the Sophos engine scans for viruses second. If the McAfee 
engine determines that a message is virus-free, the Sophos engine scans the message, adding a second 
layer of protection. If the McAfee engine determines that a message contains a virus, the Cisco appliance 
skips Sophos scanning and performs actions on the virus message based on settings you configured. 
Sophos Anti-Virus Filtering
The Cisco appliance includes integrated virus-scanning technology from Sophos, Plc. Sophos 
Anti-Virus provides cross-platform anti-virus protection, detection and disinfection. 
Sophos Anti-Virus provides a virus detection engine that scans files for viruses, Trojan horses, and 
worms. These programs come under the generic term of malware, meaning “malicious software.” The 
similarities between all types of malware allow anti-virus scanners to detect and remove not only viruses, 
but also all types of malicious software. 
Virus Detection Engine
The Sophos virus detection engine lies at the heart of the Sophos Anti-Virus technology. It uses a 
proprietary architecture similar to Microsoft’s COM (Component Object Model), consisting of a number 
of objects with well-defined interfaces. The modular filing system used by the engine is based on 
separate, self-contained dynamic libraries each handling a different “storage class,” for example, file 
type. This approach allows virus scanning operations to be applied on generic data sources, irrespective 
of type.
Specialized technology for loading and searching data enables the engine to achieve very fast scanning 
speeds. Incorporated within it are:
- A full code emulator for detecting polymorphic viruses
- An on-line decompressor for scanning inside archive files
- An OLE2 engine for detecting and disinfecting macro viruses
The Cisco appliance integrates with the virus engine using SAV Interface.
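
The following added example (not Sophos or Cisco code) illustrates the idea of handling each "storage class" separately: it classifies a byte stream by its leading magic bytes, recurses into ZIP archives, and reports any OLE2 documents found inside. The function names, the depth and size limits, the "unscannable" labels and the sample attachment are all assumptions constructed for this illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header
MAX_DEPTH = 3                        # assumed limit on archive nesting
MAX_MEMBER_SIZE = 10 * 1024 * 1024   # assumed cap on declared member size

def storage_class(data):
    """Classify a byte stream by its leading magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "raw"

def walk(name, data, depth=0):
    """Yield (path, class) for a stream and for everything nested inside it."""
    kind = storage_class(data)
    yield name, kind
    if kind != "zip":
        return
    if depth >= MAX_DEPTH:           # stop before unpacking deeply nested archives
        yield name, "unscannable:depth"
        return
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield name, "unscannable:corrupt"
        return
    with archive:
        for info in filter(lambda i: not i.is_dir(), archive.infolist()):
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:                 # bit 0: member is encrypted
                yield path, "unscannable:encrypted"
            elif info.file_size > MAX_MEMBER_SIZE:   # refuse oversized members
                yield path, "unscannable:size"
            else:
                yield from walk(path, archive.read(info), depth + 1)

def build_sample():
    """Constructed sample: a ZIP holding a text file and a nested ZIP with a fake OLE2 file."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.doc", OLE2_MAGIC + b"\x00" * 504)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `list(walk("attachment.zip", build_sample()))` lists every nested member with its class, so the OLE2 document inside the inner archive is found even though the outer file is a ZIP.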