Virus Blocking with MailMarshal and WebMarshal
Email is a major entry point for computer virus infection of
business networks. Viruses such as Melissa and The Love Bug have
caused millions of dollars of software and hardware damage, not
to mention loss of company business, productivity and goodwill.
Traditional virus scanning products operate at the user workstation
or network server and attempt to catch virus activity from infected
files which are already present. This is an after-the-fact method
of virus defense.
MailMarshal and Postini Perimeter Manager provide a first line of
defense as a guardian at your network's email gateway. WebMarshal
or the Postini Perimeter Manager for Web Managed Service guards the
"back door" of Web-based email and other infected downloads.
MailMarshal and WebMarshal are not traditional antivirus products.
Rather, they provide a framework by which one or more third-party
antivirus products can be used to check e-mail messages, attachments,
and Web downloads. MailMarshal will work with a variety of antivirus
software, including:
- NetIQ Integrated McAfee (DLL)
- Norman (DLL)
- Panda (DLL)
- Sophos (DLL)
- Symantec Anti-Virus Scan Engine (DLL)
- McAfee Command Line Scanner
- Network Associates Netshield
- F-Secure
- NOD
- InoculateIT 6.x
- VET
The latest updates to this list are available in a Knowledge
Base article.
WebMarshal uses only DLL integrated scanning to enhance speed.
Both products can operate multiple AV scanners simultaneously.
This gives added protection by covering users against update delays
and weaknesses in any one product.
MailMarshal and WebMarshal also have an option of an integrated
anti-virus scanner. Postini Perimeter Manager includes this as part
of the outsourced service.
Virus scanners will often only detect existing viruses that they
recognize by a signature. However, much virus damage is done by
NEW, unknown viruses. The advantage of MailMarshal and WebMarshal
lies in their ability to detect and block these new viruses. This
is accomplished in a variety of ways:
- Marshal products have a lexical text censor, so they can
detect keywords or phrases in messages and files. Companies
often know the names or key words associated with new viruses
(I love you, Life Stages, Melissa, Worm, etc.) before their
virus scanners are updated. Email and Web administrators can
very quickly set up a rule to detect and block new threats by
these key words.
- Viruses may display random subject lines or attachment types,
which can circumvent the keyword censor rule. However, these
viruses contain basic code commands that are intrinsic to all
forms of the virus. The text censor can be set up to detect
harmful code commands within the virus (such as RegEdit, DeleteFile,
WriteFile, etc.). Thus MailMarshal and WebMarshal can block
unknown variants of a virus without specific instructions. This
ability provides a proactive defense against future virus attacks.
- In extreme cases, MailMarshal or WebMarshal can block the
attachment type used by a virus. Web and email borne viruses
are typically included in files. An administrator can quickly
create a rule to quarantine or block ALL instances of a particular
file type (.EXE, .VBS, .SHS, etc.). There is no need to start
and stop MailMarshal or WebMarshal to apply a new rule; once
it has been created, the rule is applied on-the-fly to the next
email or web request. Such file type blocking is an effective
temporary measure until more specific information is received.
Quarantined mail can then be re-scanned or released.
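
The three rule types listed above (keyword censor, code-command censor and file type blocking) can be sketched as a small gateway filter. This is an added illustration in Python, not MailMarshal or WebMarshal rule syntax; the function names, the rule lists and the sample messages are constructed for the example.

```python
import re
from email.message import EmailMessage

# Constructed rule data, using the examples named in the text above.
KEYWORDS = ["i love you", "life stages", "melissa"]
CODE_COMMANDS = re.compile(r"\b(RegEdit|DeleteFile|WriteFile)\b", re.IGNORECASE)
BLOCKED_EXTENSIONS = (".exe", ".vbs", ".shs")


def squash(text):
    """Lowercase and drop non-alphanumerics so 'ILOVEYOU' matches 'i love you'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def evaluate(msg):
    """Return (action, reasons); action is 'quarantine' or 'deliver'."""
    reasons = set()
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        # File type rule: test the final extension, so a double
        # extension such as "letter.txt.vbs" is still caught.
        if name.endswith(BLOCKED_EXTENSIONS):
            reasons.add("file type: " + name)
        payload = part.get_payload(decode=True) or b""
        texts.append(payload.decode("latin-1"))
    for text in texts:
        # Keyword rule over the subject and every decoded part.
        for kw in KEYWORDS:
            if squash(kw) in squash(text):
                reasons.add("keyword: " + kw)
        # Code command rule: catches variants with random subject lines.
        for hit in CODE_COMMANDS.findall(text):
            reasons.add("code command: " + hit.lower())
    return ("quarantine" if reasons else "deliver"), sorted(reasons)


def build(subject, body, attachment=None):
    """Build a constructed sample message; attachment is (filename, text)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data.encode(), maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

Because each rule is evaluated per message, a change to the rule lists takes effect on the next message without restarting anything, and a quarantined message can be passed through `evaluate` again after the rules are refined.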