User Guide
12-5
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 12 Anti-Virus
McAfee Anti-Virus Filtering
configure these settings on a per-recipient basis using the Email Security Feature: the Mail Policies > Incoming or Outgoing Mail Policies pages (GUI) or the policyconfig -> antivirus command (CLI).
For more information on configuring these settings, see Configuring Virus Scanning Actions for Users, page 12-7.
McAfee Anti-Virus Filtering
The McAfee® scanning engine:
• Scans files by pattern-matching virus signatures with data from your files.
• Decrypts and runs virus code in an emulated environment.
• Applies heuristic techniques to recognize new viruses.
• Removes infectious code from files.
Related Topics
• Pattern-Matching Virus Signatures, page 12-5
• Encrypted Polymorphic Virus Detection, page 12-5
• Heuristics Analysis, page 12-5
• When a Virus is Found, page 12-6
Pattern-Matching Virus Signatures
McAfee uses anti-virus definition (DAT) files with the scanning engine to detect particular viruses, types of viruses, or other potentially unwanted software. Together, they can detect a simple virus by starting from a known place in a file, then searching for a virus signature. Often, they must search only a small part of a file to determine that the file is free from viruses.
Encrypted Polymorphic Virus Detection
Complex viruses avoid detection with signature scanning by using two popular techniques:
• Encryption. The data inside the virus is encrypted so that anti-virus scanners cannot see the messages or computer code of the virus. When the virus is activated, it converts itself into a working version, then executes.
• Polymorphism. This process is similar to encryption, except that when the virus replicates itself, it changes its appearance.
To counteract such viruses, the engine uses a technique called emulation. If the engine suspects that a file contains such a virus, the engine creates an artificial environment in which the virus can run harmlessly until it has decoded itself and its true form becomes visible. The engine can then identify the virus by scanning for a virus signature, as usual.
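The following toy scanner is an added illustration of the two stages described in the Pattern-Matching and Encrypted Polymorphic sections above; it is not Cisco or McAfee code. The signature table, the decryptor stub format (a constructed 4-byte marker, a 1-byte XOR key, then ciphertext) and the sample inputs are all constructed for this example; "emulation" here is a bounded, pure-bytes replay of the stub's decode loop rather than real code execution.

```python
# Constructed DAT-style table: signature name -> byte pattern to search for.
SIGNATURES = {"Test.Worm.A": b"TEST-WORM-BODY-SIG"}

# Constructed decryptor stub layout: marker, then 1-byte XOR key, then ciphertext.
STUB_MARKER = b"DEC1"


def signature_scan(data: bytes):
    """Plain pattern matching: first signature name found in the raw bytes, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def emulate_decoder(data: bytes, max_steps: int = 4096):
    """Replay the stub's decode loop in isolation, capped at max_steps so a
    runaway loop cannot stall the scanner. Returns the decoded body, or None
    when the input does not carry the (constructed) stub at all."""
    if not data.startswith(STUB_MARKER) or len(data) < len(STUB_MARKER) + 1:
        return None
    key = data[len(STUB_MARKER)]
    body = data[len(STUB_MARKER) + 1:]
    out = bytearray()
    for step, b in enumerate(body):
        if step >= max_steps:
            break
        out.append(b ^ key)
    return bytes(out)


def scan_file(data: bytes):
    """Returns (stage, signature): 'signature' for a raw-bytes hit,
    'emulation' for a hit only visible after decoding, else ('clean', None)."""
    hit = signature_scan(data)
    if hit:
        return ("signature", hit)
    decoded = emulate_decoder(data)
    if decoded is not None:
        hit = signature_scan(decoded)
        if hit:
            return ("emulation", hit)
    return ("clean", None)


def make_test_sample(body: bytes, key: int) -> bytes:
    """Constructed test input: each replica uses a different key, so the raw
    bytes differ (polymorphism) while the decoded body stays identical."""
    return STUB_MARKER + bytes([key]) + bytes(b ^ key for b in body)


if __name__ == "__main__":
    body = b"hello " + SIGNATURES["Test.Worm.A"] + b" world"
    for key in (0x5A, 0xC3):
        sample = make_test_sample(body, key)
        print(hex(key), signature_scan(sample), scan_file(sample))
```

Running the block shows the raw signature scan returning None for both replicas while scan_file reports an emulation-stage hit for each, which is the gap emulation closes.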
Heuristics Analysis
Using only virus signatures, the engine cannot detect a new virus because its signature is not yet known. Therefore the engine can use an additional technique — heuristic analysis.