
Virus scanning

November 29th, 2018

Viruses, malware and other online threats often spread via email, so it is important to virus-scan messages before they reach a user's mail client. nettigritty's Antispam Cloud actively blocks both spam and its malicious attachments, such as viruses, malware, ransomware and spyware.

Pre-virus-scan blocks
Because viruses generally try to spread as spam emails, the majority of email viruses are already blocked as spam before they ever reach our antivirus technologies. As a result, even viruses not yet known to virus scanners are quarantined or rejected outright, provided the carrier message is recognised as spam.

Attachment filtering
Email viruses typically try to spread as executable attachments. On the "Attachment restrictions" page you control which attachments are blocked by default. There you can also choose to block password-protected archive attachments (their contents are encrypted and therefore cannot be scanned), potentially unwanted attachments, and attachments that contain hidden executables (for example an executable renamed with a harmless extension, or nested inside an archive). With these options enabled, potentially dangerous attachments are no longer accepted via email.
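The following is an added example, not nettigritty's own code, showing the three attachment rules above as a small filter: it walks a raw message, refuses anything whose bytes or file name mark it as executable, and opens ZIP attachments to flag encrypted (password-protected) entries and executables hidden inside. The magic-byte table, the extension list, the hand-built ZIP helper and the sample messages are all constructed for the demonstration; a production filter would use a far longer table and a real file-type library.

```python
# Added example (not nettigritty's code): the attachment restrictions described
# above as a small filter. Magic bytes, extension list and messages are constructed.
import email
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# Leading bytes of common executable formats (constructed, deliberately short).
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
                    b"#!": "script with shebang"}
# Extensions refused regardless of content (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat",
                         ".cmd", ".js", ".vbs", ".ps1", ".msi", ".jar"}

def looks_executable(name, data):
    """Reason string if the payload is executable content, else None. Content is
    checked before the name, so 'invoice.exe' renamed to 'invoice.pdf' is caught."""
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return desc
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return f"blocked extension {ext}" if ext in EXECUTABLE_EXTENSIONS else None

def inspect_archive(data):
    """Reasons to block a ZIP: encrypted (password-protected) entries, which
    cannot be scanned, and members that are themselves executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                      # not a ZIP, nothing to inspect
    reasons = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:       # general-purpose flag bit 0: encrypted
            reasons.append(f"password-protected entry {info.filename}")
            continue
        head = zf.open(info).read(8) if info.file_size else b""
        why = looks_executable(info.filename, head)
        if why:
            reasons.append(f"hidden executable {info.filename} ({why})")
    return reasons

def check_message(raw):
    """Walk every attachment of a raw RFC 5322 message and return the block
    reasons; an empty list means the message passes the attachment rules."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        data = part.get_payload(decode=True) or b""
        why = looks_executable(name, data)
        if why:
            reasons.append(f"{name}: {why}")
            continue
        reasons += [f"{name}: {why}" for why in inspect_archive(data)]
    return reasons

def make_zip(entries, encrypted=False):
    """Hand-build a minimal stored ZIP (test data). zipfile cannot write the
    'encrypted' flag, so bit 0 is set here by hand; the filter never reads an
    encrypted entry, so the data can stay in the clear."""
    flag, local, central, offset = (1 if encrypted else 0), b"", b"", 0
    for name, data in entries:
        nm, crc = name.encode(), zlib.crc32(data) & 0xFFFFFFFF
        hdr = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flag, 0, 0, 0x21,
                          crc, len(data), len(data), len(nm), 0)
        local += hdr + nm + data
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                               flag, 0, 0, 0x21, crc, len(data), len(data),
                               len(nm), 0, 0, 0, 0, 0, offset) + nm
        offset += len(hdr) + len(nm) + len(data)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return local + central + eocd

def build_sample(attachments):
    """Constructed message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

SAMPLES = {
    "clean": build_sample([("invoice.pdf", b"%PDF-1.4 constructed")]),
    "renamed_exe": build_sample([("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)]),
    "hidden_exe": build_sample([("docs.zip", make_zip(
        [("readme.txt", b"hi"), ("setup.exe", b"MZ\x90\x00")]))]),
    "protected": build_sample([("secret.zip", make_zip(
        [("payload.bin", b"x" * 8)], encrypted=True))]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        why = check_message(raw)
        print(f"{label:12s} {'BLOCK: ' + '; '.join(why) if why else 'pass'}")
```

Two design points carry over to any real filter: decide on content before file name, because the name is attacker-controlled, and treat an archive you cannot open (encrypted, or nested too deep) as a block rather than a pass, since "unscannable" is exactly what a sender hiding a payload wants. The same byte-level check is what a URL-fetching option such as the one described later on this page would apply to downloaded content.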

Antivirus engine
As an additional antivirus measure, we run a combination of different technologies to protect you against malware. This includes the open-source ClamAV antivirus framework, enhanced with additional signature datasets specialised in detecting zero-day email viruses and provided by several external partners. We combine that external data with our own, which is generated both automatically and by our analyst team. By combining these technologies we aim for real-time protection against the latest virus outbreaks. All our internal spam reputation systems (including fuzzy fingerprinting) also feed into virus scanning, so that they help block not only spam but also malware, phishing and viruses.

It always remains important to run antivirus on the endpoint as well: the delay between the gateway processing a message and the user opening it gives endpoint antivirus vendors more time to publish signatures for anything that slipped through.

Based on any false-negative virus reports we receive, our systems adjust automatically and our analyst team can run an in-depth analysis where needed. Most such reports turn out to be messages that bypassed filtering because the sender or recipient matched an explicit whitelist entry; note that a whitelist entry therefore exempts a message from virus filtering as well as from spam filtering.

Sandboxing
We actively analyse virus emails to keep improving our detection and to catch zero-day viruses. Sandboxing is used in our central environments for that analysis, but we do not integrate real-time sandboxing into the scanning path. Vendors often advertise such technology, but in practice we have found no sandboxing system that improves the effectiveness of real-time SMTP gateway scanning enough to justify it.

For executable attachments, a sandbox would run the attachment to observe its behaviour and detect malicious activity. That typically takes several minutes per message, which delays delivery significantly. We have found no significant statistical evidence for the effectiveness of this method, while its resource cost is substantial. Instead, since email should not be used to distribute executables, nettigritty's Antispam Cloud has built-in technology to quarantine or drop any email that includes an attachment with executable content, including non-malicious executables; this is the default configuration. Because no executable files are delivered to the destination mail server, the scanning process would not benefit from any sandboxing technology.

For URLs, browser sandboxing would allow catching malicious behaviour of websites. nettigritty's Antispam Cloud instead applies real-time data on malicious URLs to block such content; this information comes from various sources that detected the websites through sandboxing services or otherwise. Additionally, there is a built-in optional feature that automatically downloads the content behind linked URLs to check for executables, and blocks messages whose links lead to executable content. This does not require sandboxing, since the block applies to any executable content, including non-malicious executables.

Finally, sandboxing can be used to protect an endpoint by rewriting the URLs in a message to point at a sandboxing HTTP(S) streaming service. Quite apart from the legal and privacy concerns of such services, our engines never modify the body of an email: doing so invalidates the DKIM signature, whose bh= tag is a hash over the body, and can corrupt messages. We do support delivering email over SMTP to a third-party sandboxing service, which could then apply such URL rewrites itself.
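To make the DKIM point concrete, here is an added example (not nettigritty's code) that computes the body hash a signer places in the bh= tag using RFC 6376 body canonicalisation, then rewrites the URLs the way a click-time sandboxing gateway would and checks whether the hash still matches. The message body and the proxy address are constructed; the example covers both the "simple" and "relaxed" canonicalisation modes so it also shows which kinds of in-transit changes DKIM is designed to tolerate.

```python
# Added example (not nettigritty's code): why rewriting URLs in a delivered
# message breaks DKIM. The bh= tag is a hash of the canonicalised body, so a
# gateway that edits the body invalidates every signature over it. Message
# body and proxy URL are constructed.
import base64
import hashlib
import re
from urllib.parse import quote

def canonical_body(body, mode="relaxed"):
    """RFC 6376 section 3.4 body canonicalisation. 'simple' only strips
    trailing empty lines; 'relaxed' also trims trailing whitespace on each
    line and collapses runs of spaces/tabs to a single space."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:                      # empty body: one CRLF for simple, nothing for relaxed
        return "\r\n" if mode == "simple" else ""
    return "".join(line + "\r\n" for line in lines)

def body_hash(body, mode="relaxed"):
    """The value a signer places in the bh= tag (sha256, base64)."""
    digest = hashlib.sha256(canonical_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def verifies(signed_bh, delivered_body, mode="relaxed"):
    """The body-hash half of DKIM verification at the receiving side."""
    return body_hash(delivered_body, mode) == signed_bh

def rewrite_urls(body, proxy="https://sandbox.example.net/?u="):
    """What a click-time sandboxing gateway does: wrap every http(s) URL so
    the click is served through the proxy. Constructed proxy address."""
    return re.sub(r"https?://\S+", lambda m: proxy + quote(m.group(0), safe=""), body)

# Constructed message body as it left the signing domain.
ORIGINAL = ("Hi,\r\n\r\nYour invoice is ready:  https://billing.example.com/inv/42\r\n"
            "\r\nThanks\r\n\r\n\r\n")

if __name__ == "__main__":
    bh = body_hash(ORIGINAL)
    print("bh= as signed:", bh)
    # Whitespace changes that relaxed canonicalisation is meant to absorb still verify...
    print("after an MTA re-folds whitespace:", verifies(bh, ORIGINAL.replace("  ", " ") + "\r\n"))
    # ...but a rewritten URL is a content change and fails.
    print("after URL rewriting:", verifies(bh, rewrite_urls(ORIGINAL)))
```

The consequence for a URL-rewriting service is that it cannot leave the original signature intact; it has to strip or ignore it and sign the modified message under its own domain, which is why such rewriting belongs in a separate hop rather than inside a gateway whose job is to pass the sender's message through unchanged.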

Instead, the best security practice is to rely on local endpoint security to protect against executables and malicious activity on websites. This avoids missing malicious code that hides from central scanning or sandboxing services, and it benefits from the "execution delay": by the time the user opens the content, antivirus engines are more likely to have received a signature that blocks it.