User Guide for Cisco Email Security Appliance C170

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 8: Anti-Virus
engine will be enabled, by default, for the default incoming and outgoing mail policies. For information 
on enabling the feature beyond the 30-day evaluation period, contact your Cisco IronPort sales 
representative. You can see how much time remains on the evaluation via the System Administration > 
Feature Keys page or by issuing the featurekey command. (For more information, see the section on 
working with feature keys in “Common Administrative Tasks” in the Cisco IronPort AsyncOS for Email 
Daily Management Guide.)
Multi-Layer Anti-Virus Scanning
AsyncOS supports scanning messages with multiple anti-virus scanning engines — multi-layer 
anti-virus scanning. You can configure your Cisco IronPort appliance to use one or both of the licensed 
anti-virus scanning engines on a per mail policy basis. You could create a mail policy for executives, for 
example, and configure that policy to scan mail with both Sophos and McAfee engines.
Scanning messages with multiple scanning engines provides “defense in depth” by combining the 
benefits of both Sophos and McAfee anti-virus scanning engines. Each engine has leading anti-virus 
capture rates, but because each engine relies on a separate base of technology (discussed in 
 and 
) for detecting viruses, the 
multi-scan approach can be even more effective. Using multiple scanning engines can reduce system 
throughput; contact your Cisco IronPort support representative for more information.
You cannot configure the order of virus scanning. When you enable multi-layer anti-virus scanning, the 
McAfee engine scans for viruses first, and the Sophos engine scans for viruses second. If the McAfee 
engine determines that a message is virus-free, the Sophos engine scans the message, adding a second 
layer of protection. If the McAfee engine determines that a message contains a virus, the Cisco IronPort 
appliance skips Sophos scanning and performs actions on the virus message based on settings you 
configured. 
Sophos Anti-Virus Filtering
The Cisco IronPort appliance includes integrated virus-scanning technology from Sophos, Plc. Sophos 
Anti-Virus provides cross-platform anti-virus protection, detection and disinfection. 
Sophos Anti-Virus provides a virus detection engine that scans files for viruses, Trojan horses, and 
worms. These programs come under the generic term of malware, meaning “malicious software.” The 
similarities between all types of malware allow anti-virus scanners to detect and remove not only viruses, 
but also all types of malicious software. 
Virus Detection Engine
The Sophos virus detection engine lies at the heart of the Sophos Anti-Virus technology. It uses a 
proprietary architecture similar to Microsoft’s COM (Component Object Model), consisting of a number 
of objects with well-defined interfaces. The modular filing system used by the engine is based on 
separate, self-contained dynamic libraries each handling a different “storage class,” for example, file 
type. This approach allows virus scanning operations to be applied on generic data sources, irrespective 
of type.
Specialized technology for loading and searching data enables the engine to achieve very fast scanning 
speeds. Incorporated within it are:
  • a full code emulator for detecting polymorphic viruses