Cisco Email Security Appliance C160 User Guide
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 12 Anti-Virus
McAfee Anti-Virus Filtering
configure these settings on a per-recipient basis using the Email Security Feature: the Mail Policies >
Incoming or Outgoing Mail Policies pages (GUI) or the policyconfig -> antivirus command (CLI).
For more information on configuring these settings, see
.
McAfee Anti-Virus Filtering
The McAfee® scanning engine:
• Scans files by pattern-matching virus signatures with data from your files.
• Decrypts and runs virus code in an emulated environment.
• Applies heuristic techniques to recognize new viruses.
• Removes infectious code from files.
Pattern-Matching Virus Signatures
McAfee uses anti-virus definition (DAT) files with the scanning engine to detect particular viruses, types
of viruses, or other potentially unwanted software. Together, they can detect a simple virus by starting
from a known place in a file, then searching for a virus signature. Often, they must search only a small
part of a file to determine that the file is free from viruses.
Encrypted Polymorphic Virus Detection
Complex viruses avoid detection with signature scanning by using two popular techniques:
• Encryption. The data inside the virus is encrypted so that anti-virus scanners cannot see the
messages or computer code of the virus. When the virus is activated, it converts itself into a working
version, then executes.
• Polymorphism. This process is similar to encryption, except that when the virus replicates itself, it
changes its appearance.
To counteract such viruses, the engine uses a technique called emulation. If the engine suspects that a
file contains such a virus, the engine creates an artificial environment in which the virus can run
harmlessly until it has decoded itself and its true form becomes visible. The engine can then identify the
virus by scanning for a virus signature, as usual.
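The following toy scanner is an added example, not part of the Cisco guide or McAfee's engine. It shows why a plain signature search misses an encoded file and how interpreting the file's decoder in a bounded sandbox exposes the signature again. The marker string, the STUB container format, the opcodes and all function names are assumptions made up for this illustration.

```python
# Toy model on constructed, harmless data; not McAfee's engine or DAT format.
MARKER = b"HARMLESS-TEST-MARKER"         # constructed stand-in for a signature
SIGNATURES = {"Toy.TestMarker": MARKER}  # hypothetical signature table
MAGIC, OP_XOR, OP_ADD = b"STUB", 1, 2    # hypothetical container and opcodes
SCAN_WINDOW, MAX_STEPS = 64, 10_000      # search window, emulation budget

def signature_scan(data, start=0):
    """Search a small window from a known place for a known signature."""
    window = data[start:start + SCAN_WINDOW]
    return next((n for n, p in SIGNATURES.items() if p in window), None)

def build_sample(stub, plain):
    """Build an encoded test file whose header stub decodes its body."""
    body = bytearray(plain)
    for op, arg in reversed(stub):       # apply inverse ops in reverse order
        for i, b in enumerate(body):
            body[i] = b ^ arg if op == OP_XOR else (b - arg) % 256
    ops = bytes(x for pair in stub for x in pair)
    return MAGIC + bytes([len(stub)]) + ops + bytes(body)

def emulate(data):
    """Interpret the decoder stub on a private copy; None if not decodable."""
    if len(data) < 5 or not data.startswith(MAGIC):
        return None
    ops_end = 5 + 2 * data[4]
    if len(data) < ops_end:
        return None
    body, steps = bytearray(data[ops_end:]), 0
    for pos in range(5, ops_end, 2):
        op, arg = data[pos], data[pos + 1]
        if op not in (OP_XOR, OP_ADD):
            return None                  # unknown instruction: stop emulating
        for i, b in enumerate(body):
            steps += 1
            if steps > MAX_STEPS:        # never run untrusted code unbounded
                return None
            body[i] = b ^ arg if op == OP_XOR else (b + arg) % 256
    return bytes(body)

def scan(data):
    """Signature scan first; on a miss, emulate and scan the decoded form."""
    hit = signature_scan(data)
    if hit:
        return hit, "signature"
    decoded = emulate(data)
    hit = signature_scan(decoded) if decoded is not None else None
    return (hit, "emulation") if hit else (None, "clean")
```

Two samples built with different stubs differ byte for byte, which models polymorphism, yet both decode to the same body under emulation and are reported by the same signature.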
Heuristics Analysis
Using only virus signatures, the engine cannot detect a new virus because its signature is not yet known.
Therefore the engine can use an additional technique — heuristic analysis.