Symantec™ Security Gateways Reference Guide - Sawmill


Preventing attacks

Antivirus (appliance only)

Antivirus scanning has a client/server relationship. The SMTP, HTTP, and FTP proxies act as clients that pass files to the antivirus scan server. The antivirus scan server can either be a licensed component of the local security gateway, or a licensed component of a remote security gateway. When you specify antivirus scanning for one of these proxies, files are passed by that proxy to the antivirus scan server. The antivirus scan server then scans the files for viruses and mail and container policy violations. Files that have unrepairable infections or that violate the established policy are blocked, while clean files and infected files that are repaired are allowed to pass through.

Virus detection

When Symantec engineers identify a new virus, information about the virus (a virus signature) is stored in a virus definitions file. Virus definitions files are updated periodically by means of Symantec's automated LiveUpdate feature. When the scan engine scans for viruses, it is searching for these virus signatures. To supplement detection of virus infections by virus signature, the scan engine includes Symantec's patented Bloodhound technology, which heuristically detects new or unknown viruses based on the general characteristics exhibited by known viruses.

Bloodhound heuristic technology

Researchers at Symantec have developed two types of heuristics for Symantec AntiVirus. The first, Bloodhound, is capable of detecting upwards of 80 percent of new and unknown executable file viruses. The second, Bloodhound-Macro, detects and repairs over 90 percent of new and unknown macro viruses. These statistics are staggering considering the growth rate of computer viruses. Bloodhound requires minimal overhead since it examines only programs and documents that meet stringent prerequisites. In most cases, Bloodhound can determine in microseconds whether a file or document is likely to be infected by a virus. If it determines that a file cannot be infected, it immediately goes on to the next file.

Bloodhound and executable viruses

Bloodhound uses artificial intelligence (AI) to isolate and locate the various logical regions of each program it is told to scan. It analyzes the program logic in each of these components for virus-like behavior and simulates this behavior to determine whether the program is a virus.

Bloodhound and macro viruses

Symantec Bloodhound-Macro technology uses a hybrid heuristic scheme to detect and repair more than 90 percent of all new and unknown macro viruses automatically. For example, every time the scan engine scans a Microsoft Word document, Bloodhound-Macro sets up a complete virtual Microsoft Word environment into which it loads the document. The macros contained in the document are run as they would be in the word processing application. Bloodhound-Macro monitors the macros as they run and watches for them to copy themselves from the host document to another virtual document. Bloodhound-Macro also stimulates the copied macros and verifies that they can further propagate.

Norton AntiVirus Extension (NAVEX) technology

NAVEX is a technology that lets Symantec update the scan engine during routine virus definitions updates. That means no inline revisions or time-consuming upgrades are necessary to ensure that antivirus protection stays current, regardless of platform, even against new virus threats.

The scan engine is made up of dozens of complex search algorithms, CPU emulators, and other program logic. The scan engine examines a file to determine whether the file contains viruses. The scan engine scans files and disks for virus fingerprints (unique sequences of bytes known to be contained in viruses). These fingerprints are stored in the virus definitions files downloaded each week. The scanning engine also repairs infected files.
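The following is an added illustration of the definitions-file model described in this section (fingerprints as byte sequences, periodic definitions updates, and the block/allow decision for unrepairable versus repaired files). It is example code written for this page, not Symantec's scan engine or any part of the security gateway; the signature names, fingerprint bytes and the "repair" routine are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    """One entry of a constructed virus definitions file."""
    name: str           # hypothetical detection name
    fingerprint: bytes  # byte sequence known to occur in the infected file
    repairable: bool    # whether the engine has a repair routine for it


# Constructed definitions set: names and byte patterns are invented for this example.
DEFINITIONS_V1 = (
    Signature("Example.Unrepairable.A", b"\x90\x90\xeb\x1f\x5e\x89\x76\x08", repairable=False),
    Signature("Example.Repairable.B", b"EXAMPLE-MARKER-B", repairable=True),
)

# A later definitions update (the LiveUpdate role) adds one signature; the engine code is unchanged.
DEFINITIONS_V2 = DEFINITIONS_V1 + (
    Signature("Example.Unrepairable.C", b"EXAMPLE-MARKER-C", repairable=False),
)


@dataclass
class Verdict:
    action: str                                      # "allow" or "block"
    detections: list = field(default_factory=list)   # names of matched signatures
    data: bytes = b""                                # content forwarded to the proxy (repaired if needed)


def find_signatures(data: bytes, definitions) -> list:
    """Return every definition whose fingerprint occurs anywhere in the file."""
    return [sig for sig in definitions if sig.fingerprint in data]


def repair(data: bytes, sig: Signature) -> bytes:
    """Toy repair: remove the fingerprint bytes. A real engine restores the host file."""
    return data.replace(sig.fingerprint, b"")


def scan(data: bytes, definitions=DEFINITIONS_V1) -> Verdict:
    """Scan-server decision: block unrepairable infections, pass clean and repaired files."""
    hits = find_signatures(data, definitions)
    if not hits:
        return Verdict("allow", [], data)
    names = [h.name for h in hits]
    if not all(h.repairable for h in hits):
        return Verdict("block", names, data)
    cleaned = data
    for h in hits:
        cleaned = repair(cleaned, h)
    # Re-scan after repair: a repair that leaves any fingerprint behind must not pass.
    if find_signatures(cleaned, definitions):
        return Verdict("block", names, data)
    return Verdict("allow", names, cleaned)


if __name__ == "__main__":
    # Constructed sample "files" handed over by a proxy client.
    for sample in (b"plain text body", b"head EXAMPLE-MARKER-B tail", b"EXAMPLE-MARKER-C"):
        print(sample, "->", scan(sample, DEFINITIONS_V1).action, "/", scan(sample, DEFINITIONS_V2).action)
```

The two definition sets make the update model concrete: the same `scan` function misses the third fingerprint under `DEFINITIONS_V1` and blocks it under `DEFINITIONS_V2`, which is why the text stresses keeping definitions current rather than upgrading the engine.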
