Cisco Email Security Appliance C170 User Guide

Chapter 9      Anti-Virus
9-4
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
an on-line decompressor for scanning inside archive files
an OLE2 engine for detecting and disinfecting macro viruses
The Cisco IronPort appliance integrates with the virus engine using SAV Interface.
Virus Scanning
In broad terms, the engine’s scanning capability is managed by a powerful combination of two important components: a classifier that knows where to look, and the virus database that knows what to look for. The engine classifies the file by type rather than by relying on the extension.
The virus engine looks for viruses in the bodies and attachments of messages received by the system; an attachment’s file type determines how it is scanned. For example, if a message’s attached file is an executable, the engine examines the header, which tells it where the executable code starts, and looks there. If the file is a Word document, the engine looks in the macro streams. If it is a MIME file, the format used for mail messaging, it looks in the place where the attachment is stored.
Detection Methods
How viruses are detected depends on their type. During the scanning process, the engine analyzes each file, identifies the type, and then applies the relevant technique(s). Underlying all methods is the basic concept of looking for certain types of instructions or a certain ordering of instructions.
Pattern matching
In the technique of pattern matching, the engine knows the particular sequence of code and is looking for an exact match that will identify the code as a virus. More often, the engine is looking for sequences of code that are similar, but not necessarily identical, to the known sequences of virus code. In creating the descriptions against which files are compared during scanning, Sophos virus researchers endeavor to keep the identifying code as general as possible so that – using heuristics, as explained below – the engine will find not just the original virus but also its later derivatives.
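The following is an added illustration, not code from the guide or from Sophos, of the two ideas described above: a classifier that decides where to look from the file’s leading bytes rather than its extension (the Virus Scanning section), and a signature database whose descriptions use single-byte wildcards so that one entry matches similar but not identical code sequences (the Pattern matching section). The magic-byte table, the "Demo.Family" wildcard signature, and the sample files are all constructed for this example; only the EICAR line is a real, public anti-virus test string. Real engines use far richer type detection and signature languages than this.

```python
import re
import struct

# Constructed magic-byte table: the classifier identifies a file by its
# leading bytes, so renaming "evil.exe" to "report.txt" changes nothing.
MAGIC = [
    ("executable", b"MZ"),                                    # DOS/PE header
    ("ole2",       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),       # legacy Office compound file
    ("archive",    b"PK\x03\x04"),                            # ZIP container
]

def classify(data: bytes) -> str:
    """Return a coarse file type from the magic bytes; the name/extension is never consulted."""
    for name, sig in MAGIC:
        if data.startswith(sig):
            return name
    return "other"

def scan_region(data: bytes, ftype: str) -> bytes:
    """Decide where to look based on the type (the 'classifier that knows where to look')."""
    if ftype == "executable" and len(data) >= 0x40:
        # The 32-bit field at offset 0x3c of the DOS header (e_lfanew) gives the
        # offset of the PE header; the engine starts there rather than in the DOS stub.
        (pe_off,) = struct.unpack_from("<I", data, 0x3c)
        if pe_off < len(data):
            return data[pe_off:]
    # Other types in this toy are scanned whole.
    return data

def compile_signature(text: str) -> re.Pattern:
    """Compile 'hex hex ?? hex' into a bytes regex; '??' is a single-byte wildcard."""
    parts = []
    for tok in text.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed signature database.  EICAR is the standard harmless test string that
# every engine is expected to detect; "Demo.Family" is a made-up wildcard signature
# standing in for the 'general' descriptions the text mentions.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": compile_signature(" ".join(f"{b:02x}" for b in EICAR)),
    "Demo.Family":     compile_signature("de ad ?? ?? be ef"),
}

def scan(data: bytes) -> list:
    """Classify, pick the region to inspect, then match every signature against it."""
    ftype = classify(data)
    region = scan_region(data, ftype)
    return [name for name, pat in SIGNATURES.items() if pat.search(region)]

def fake_pe(payload: bytes) -> bytes:
    """Build a minimal constructed PE-like blob: DOS header, e_lfanew=0x40, 'PE\\0\\0', payload."""
    return b"MZ" + b"\x00" * 0x3a + struct.pack("<I", 0x40) + b"PE\x00\x00" + payload

if __name__ == "__main__":
    samples = {
        "eicar.com":   EICAR + b"\n",
        "report.txt":  fake_pe(b"\xde\xad\x01\x02\xbe\xef"),  # executable despite the name
        "variant.exe": fake_pe(b"\xde\xad\x7f\x80\xbe\xef"),  # differs only in the wildcard bytes
        "notes.txt":   b"just some text\n",
    }
    for name, data in samples.items():
        print(f"{name:12} type={classify(data):10} hits={scan(data)}")
```

The two constructed "executables" differ in the bytes covered by `??`, yet a single database entry catches both, which is the point the text makes about keeping descriptions general enough to catch later derivatives of a virus.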