Cisco Email Security Appliance C170 User Guide
9-5
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 9 Anti-Virus
Heuristics
The virus engine can combine basic pattern matching techniques with heuristics 
– a technique using general rather than specific rules – to detect several viruses in 
the same family, even though Sophos researchers might have analyzed only one 
virus in that family. The technique enables a single description to be created that 
will catch several variants of one virus. Sophos tempers its heuristics with other 
methods, minimizing the incidence of false positives.
Emulation
Emulation is a technique applied by the virus engine to polymorphic viruses. 
Polymorphic viruses are encrypted viruses that modify themselves in an effort to 
hide themselves. There is no visible constant virus code and the virus encrypts 
itself differently each time it spreads. When it runs, it decrypts itself. The 
emulator in the virus detection engine is used on DOS and Windows executables, 
while polymorphic macro viruses are found by detection code written in Sophos’s 
Virus Description Language.
The output of this in-emulator decryption is the real virus code, and it is this 
output that the Sophos virus detection engine detects once the executable has run 
in the emulator.
Executables that are sent to the engine for scanning are run inside the emulator, 
which tracks the decryption of the virus body as it is written to memory. Normally 
the virus entry point sits at the front end of a file and is the first thing to run. In 
most cases, only a small amount of the virus body has to be decrypted in order for 
the virus to be recognized. Most clean executables stop emulating after only a few 
instructions, which reduces overhead.
Because the emulator runs in a restricted area, if the code does turn out to be a 
virus, the virus does not infect the appliance.
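The two mechanisms described under Heuristics and Emulation can be illustrated together with a small model. The following Python block is an added example, not code from the guide or from Sophos: it defines a constructed toy instruction set (not x86), a sandboxed emulator with an instruction budget that records every memory write made by a decryption loop, and a scanner that checks the decrypted memory first against exact per-sample signatures and then against a general family rule. The sample "files", the signature strings and the family name Toy/Gen are all constructed for the example.

```python
"""Added example: emulation-based and heuristic detection in miniature."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed toy instruction set (an assumption for illustration, not a real CPU):
#   ("dec", key)         mem[r] ^= key; r += 1      (one decryption write)
#   ("jlt", limit, tgt)  if r < limit: jump to tgt   (loop back)
#   ("nop",)             do nothing
#   ("halt",)            stop execution
MAX_STEPS = 500  # instruction budget so a sample can never run the emulator forever

# Exact signatures name one analysed sample each; the heuristic rule is a
# general pattern that catches unanalysed variants sharing the same body.
EXACT_SIGNATURES = {"Toy/Alpha": b"VIRUSBODY_ALPHA"}
HEURISTIC_RULES = {"Toy/Gen": re.compile(rb"VIRUSBODY_[A-Z]{3,8}")}


@dataclass
class Emulator:
    memory: bytearray        # file image loaded at offset 0 (a private copy)
    program: list[tuple]     # code found at the entry point
    written: set[int] = field(default_factory=set)  # addresses the code wrote to
    steps: int = 0

    def run(self) -> str:
        """Execute the program inside the restricted area and report why it stopped."""
        pc, r = 0, 0
        while self.steps < MAX_STEPS:
            if not 0 <= pc < len(self.program):
                return "fault"
            ins = self.program[pc]
            self.steps += 1
            if ins[0] == "dec":
                if r >= len(self.memory):
                    return "fault"
                self.memory[r] ^= ins[1]   # the decryption write, tracked below
                self.written.add(r)
                r += 1
                pc += 1
            elif ins[0] == "jlt":
                pc = ins[2] if r < ins[1] else pc + 1
            elif ins[0] == "nop":
                pc += 1
            elif ins[0] == "halt":
                return "halted"
            else:
                return "unknown"
        return "budget-exhausted"


def scan(image: bytes, program: list[tuple]) -> dict:
    """Emulate, then match signatures against the (now decrypted) memory image."""
    emu = Emulator(bytearray(image), program)
    status = emu.run()
    decrypted = bytes(emu.memory)   # in-place decryption leaves the real body here
    result = {"status": status, "steps": emu.steps, "writes": len(emu.written),
              "verdict": "clean", "family": None}
    for name, sig in EXACT_SIGNATURES.items():
        if sig in decrypted:
            result.update(verdict="infected", family=name)
            return result
    for name, rule in HEURISTIC_RULES.items():
        if rule.search(decrypted):
            result.update(verdict="infected", family=name)
            return result
    return result


def make_polymorphic_sample(body: bytes, key: int) -> tuple[bytes, list[tuple]]:
    """Constructed sample: body stored XOR-encrypted with a per-copy key and
    preceded by a decryption loop, so no constant virus code is visible on disk."""
    image = bytes(b ^ key for b in body)
    program = [("dec", key), ("jlt", len(body), 0), ("halt",)]
    return image, program


# Constructed clean file: no decryption loop, so emulation stops after two steps.
CLEAN_IMAGE = b"plain program, nothing to decrypt"
CLEAN_PROGRAM = [("nop",), ("halt",)]
```

Running `scan` on two copies of the same body encrypted with different keys shows the point of each technique: the first copy matches its exact signature only after the emulator has decrypted it, the second copy (a different variant) is caught by the family rule alone, the clean file halts after two instructions, and a program that never terminates is cut off by the budget rather than running indefinitely.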
Virus Descriptions
Sophos exchanges viruses with other trusted anti-virus companies every month. 
In addition, every month customers send thousands of suspect files directly to 
Sophos, about 30% of which turn out to be viruses. Each sample undergoes 
rigorous analysis in the highly secure virus labs to determine whether or not it is 
a virus. For each newly discovered virus, or group of viruses, Sophos creates a 
description.