
Heuristic virus scanning in virtual email appliance?

Hello, I would like to know if the Sophos Virtual Email Appliance does heuristic scanning on malware threats? I don't see any option to configure this in the console.

Thanks,

Ren

  • Hello Ren,

    configure Heuristic scanning

    what do you expect from such an option, why are you looking for it? Performance, detection rate (more or less "paranoid" assessment), or?

    Christian

  • Hello Christian,

    Basically, I want to know if the product does heuristic scanning or just pattern matching? I'm looking for the following heuristic scanning options but I can't seem to find them inside the console:

    1. An option to turn heuristic malware scanning on/off depending on when I need it

    2. An option to adjust heuristic scanning aggressiveness from, say, less aggressive to most aggressive (speed vs performance)

    Also, I would like to know if SVEA can:

    1. detect mass-mailing worms?

    2. spyware/grayware?

    3. packers?

    4. infected macros?

    5. Can it scan malware inside a compressed file? If yes, up to how many layers?

    Thanks!

  • Hello Ren,

    heuristic scanning or just pattern matching

    which AV does still solely pattern matching (if by pattern you mean certain bit/byte sequences - not necessarily continuous though)? Scanning is not what it used to be.

    speed vs performance

    There's no Gold Standard but generally one doesn't want malware to get through. I understand aggressive as aiming for a low false negative rate, which is not the same as accuracy. It's the latter which usually requires deeper scanning and therefore more resources.

    Can't answer in more detail right now, have to hurry (and anyway I'm not an appliance expert or an expert at all), you might want to read these Notes from SophosLabs

    [Edit: adding more details]

    Revisiting aggressive: Of course a low FNR alone is nonsense and useless; you want a low FPR as well. Still you don't want to miss any positive samples (i.e. actual malware). Thus the scanning effort is bounded below by the requirement to detect all malware. Now we know this is not only impossible but also infeasible as the effort is bounded above. For optimum performance you'd try to identify positives first and then with "deeper" scanning weed out the false positives. Sophos (I am not Sophos BTW) won't give you an option which will reduce the sensitivity (true positive rate) and you could only trade less false positives off for higher speed. Better throughput but more rejected/discarded mails - is this what you have in mind?

    mass-mailing worms?

    you mean the actual replicating code? Or that there's an ongoing mass-mailing to your site?

    packers?

    yes, and self-decryption (not to be confused with encrypted attachments) and polymorphism as well

    infected macros?

    yes, executable code in general (please see for example Zero-day Windows exploit ... or Anatomy of a poisoned image)

    compressed files?

    yes, please note there are also the Unscannable and Suspect attachment categories

    spyware/grayware?

    gray is gray :), please see Spyware and Adware for what is considered malicious and what not

    The appliance is not the miracle cure and not a replacement for endpoint security. The AV Policy is just one step in the message flow, it has to be effective and efficient. Any "tuning" could have an adverse result when the environment (i.e. the amount and/or type of incoming messages) suddenly changes.

    Christian

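The reply above says the appliance does scan inside compressed files but that some attachments land in an "Unscannable" category instead of getting a verdict. The following is an added example (not Sophos code and not from this thread) of what that looks like in a scanner: it opens nested zip attachments down to a configurable layer limit, and anything it cannot fully inspect (an encrypted entry, nesting beyond the limit, a corrupt archive, or more decompressed data than a byte budget allows) is reported as unscannable rather than silently passed as clean. The byte signature, the layer limit, the budget and all sample attachments are constructed for the example; only zip is handled, whereas a real engine unpacks many more container formats.

```python
"""Nested-archive scanning with a layer limit and an 'unscannable' verdict.

Added example, not Sophos code. TOY_SIGNATURE stands in for a real engine,
max_layers and byte_budget are hypothetical knobs, and the fixtures at the
bottom are constructed test data.
"""
import io
import zipfile
import zlib

TOY_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"  # constructed test pattern, not a real signature

VERDICT_CLEAN = "clean"
VERDICT_INFECTED = "infected"
VERDICT_UNSCANNABLE = "unscannable"  # could not be fully inspected; a policy decision, never 'clean'


def _scan_leaf(blob: bytes) -> str:
    """Stand-in for the engine: plain pattern match on unpacked content."""
    return VERDICT_INFECTED if TOY_SIGNATURE in blob else VERDICT_CLEAN


def classify_attachment(data: bytes, max_layers: int = 3, byte_budget: int = 10_000_000) -> str:
    """Scan an attachment, opening nested zip archives at most max_layers deep.

    Anything the scanner cannot fully inspect (an encrypted entry, nesting
    beyond max_layers, a corrupt archive, more decompressed data than the
    budget allows) yields 'unscannable' rather than a misleading 'clean'.
    """
    budget = [byte_budget]  # remaining decompressed bytes, shared across the recursion

    def visit(blob: bytes, layer: int) -> str:
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            return _scan_leaf(blob)
        if layer >= max_layers:
            return VERDICT_UNSCANNABLE  # opening this archive would exceed the layer limit
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                        return VERDICT_UNSCANNABLE
                    if info.is_dir():
                        continue
                    # Declared size is checked before reading so a single entry
                    # cannot blow the budget (zip-bomb guard); actual bytes are
                    # charged after decompression.
                    if info.file_size > budget[0]:
                        return VERDICT_UNSCANNABLE
                    chunk = zf.read(info)
                    budget[0] -= len(chunk)
                    verdict = visit(chunk, layer + 1)
                    if verdict != VERDICT_CLEAN:
                        return verdict
        except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
            return VERDICT_UNSCANNABLE  # corrupt or unsupported archive
        return VERDICT_CLEAN

    return visit(data, 0)


# --- constructed fixtures for trying the classifier offline -----------------

def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every central-directory entry.

    Test fixture only: the stdlib cannot write encrypted zips, so the flag is
    patched in by hand (offset 8 of each 'PK\\x01\\x02' record). The scanner
    then treats the archive as it would a genuinely password-protected one.
    """
    buf = bytearray(zip_bytes)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        buf[pos + 8] |= 0x01
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)


def nested_sample(depth: int, payload: bytes) -> bytes:
    """payload wrapped in `depth` zip layers (constructed sample)."""
    blob = payload
    for i in range(depth):
        blob = make_zip({f"layer{depth - i}.bin": blob})
    return blob


if __name__ == "__main__":
    bad = b"invoice text ... " + TOY_SIGNATURE
    print(classify_attachment(nested_sample(3, bad), max_layers=3))  # infected
    print(classify_attachment(nested_sample(4, bad), max_layers=3))  # unscannable
    print(classify_attachment(mark_encrypted(make_zip({"a.txt": bad}))))  # unscannable
    print(classify_attachment(make_zip({"zeros.bin": b"\0" * 4096}), byte_budget=1024))  # unscannable
```

The design point is the third verdict: with only "clean" and "infected", a scanner that gives up on an encrypted or over-nested attachment has to pick one of the two, and "clean" is the wrong default. A separate category lets the mail policy decide (quarantine, strip, or deliver with a warning) and makes the limit itself tunable without touching detection logic.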
  • Yeah that's exactly what I have in mind, I just thought that having an option to adjust heuristic level is quite good since it gives you more control over the product. Thanks for providing explanations btw!

  • Hello interstellar,

    more control

    understandable - but real control means that you also assess the consequences of different settings. Not as simple as it might seem.

    Christian
