E-mail Virus Protection as Certain as Death and Taxes - Page 2

By Alex Goldman | Jul 24, 2001

Birth control for viruses
Hosting a tower is no small undertaking. Control towers are deployed in pairs -- twinned but located at different sites -- to ensure fault-tolerant redundancy. The towers are linked at the DNS level via Mail Exchange (MX) records. Open-source advocates will be pleased to hear that the system runs Red Hat Linux 6.2 and uses qmail as its SMTP relay.

Each tower requires dedicated bandwidth of 100 Mbps to operate. The flow is handled by dual Cisco load balancers, a Cisco 3640 router, and dual Cisco Catalyst (2924) Switches. Each tower also has 26 Compaq ProLiant dual-CPU servers with 256 MB of RAM, hardware and disk monitoring, and adjoining temperature and fan monitors.

A pair of SQL servers connect the tower to MessageLabs' Global Operations Center in the U.K.; 23 Mail Servers perform scanning and filtering; and the 26th server acts as a "monitor," coordinating the Mail Servers.

The system is designed so that if a single server goes down, the system as a whole continues to function, essentially treating each Mail Server as a hot-swappable component. It also takes care of imperfect client networks: if a client's mail server goes down, a tower can store up to three days' worth of mail and send it on once the client's server is back online.
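The two infrastructure points above, twinned towers reached through MX records and a store-and-forward spool that holds mail for up to three days, can be shown with a small worked example. This is an added illustration written for this page, not MessageLabs' or qmail's code; the zone lines and host names are constructed placeholders, and the retention sweep is one simple way to implement the three-day window the article mentions.

```python
import random
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed MX records for a hypothetical client domain, in zone-file style.
# Equal preference (10) on the twinned towers lets sending servers spread load
# across both sites and fall back to the other if one is unreachable; the
# client's own server is kept as a lower-priority last resort. Host names are
# placeholders, not MessageLabs infrastructure.
ZONE_MX = """\
example-client.test.  IN MX 10 tower-a.scanner.example.
example-client.test.  IN MX 10 tower-b.scanner.example.
example-client.test.  IN MX 20 mail.example-client.test.
"""

MX_RE = re.compile(r"^\S+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(zone_text):
    """Return [(preference, host), ...] from zone-file MX lines."""
    records = []
    for line in zone_text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".")))
    return records


def delivery_order(records, rng=random):
    """Order hosts the way an SMTP sender must (RFC 5321 section 5.1): lowest
    preference first, hosts with equal preference in random order, so the two
    towers share the load and either one can take over for the other."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


@dataclass
class QueuedMessage:
    msg_id: str
    recipient: str
    queued_at: datetime
    attempts: int = 0


class DeferredQueue:
    """Store-and-forward spool: messages wait while the client's own server is
    down and are retried until they exceed the retention window (three days,
    the figure the article gives for a tower)."""

    def __init__(self, max_age=timedelta(days=3)):
        self.max_age = max_age
        self.items = []

    def defer(self, msg):
        self.items.append(msg)

    def sweep(self, now):
        """Split the spool at time `now` into (retry, bounce): anything older
        than the retention window is bounced back to the sender instead of
        being retried forever."""
        retry, bounce = [], []
        for m in self.items:
            (bounce if now - m.queued_at > self.max_age else retry).append(m)
        self.items = retry
        return retry, bounce


if __name__ == "__main__":
    print(delivery_order(parse_mx(ZONE_MX)))
```

A sender that ignores the equal-preference rule and always tries the first MX it receives defeats the point of twinning, which is why the ordering is done explicitly rather than by list position.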

Since the system is Internet-based, it is compatible with any operating system (OS). MessageLabs reminds clients, however, that while the SkyScan system protects against e-mail-borne viruses -- which account for the vast majority of viruses -- clients should also install "off-the-shelf" anti-virus software on every desktop to protect against viruses introduced on floppy disks (unless removing floppy drives is practical).

Software
The SkyScan Anti-Virus scanning process begins by routing each e-mail through three commercially available anti-virus scanners. In any control tower you might find MessageLabs using McAfee, F-Secure, and V-Find, though it will usually be testing other scanners, too.

Next, e-mail goes to the SkyScan Artificial Intelligence (AI) program, dubbed Skeptic. Skeptic is a constantly-evolving piece of software that is updated as many as 20 times a day by MessageLabs' Anti-Virus team. The team teaches Skeptic how to recognize known viruses -- and much more.

The team searches for known viruses. It also teaches the AI program to recognize code utilizing known vulnerabilities in commercial software.

The team tries to anticipate advances in e-mail virus architecture. For example, Skeptic was trained to recognize Java applications that used code from known .vbs viruses long before the Java-based viruses actually appeared on the Internet.

The team has taught Skeptic to search for obfuscation. In order to defeat signature files, some viruses are designed to add random characters with each new transmission -- these are known as polymorphic viruses, or shape-changing e-mail afflictions. Skeptic has had some success in identifying them by recognizing the randomly generated characters against a known pattern of virus distribution.
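The scanning process described in this section, attachments routed through several engines and then through a heuristic stage that sees past random padding, can be sketched in a few dozen lines. The example below is added for this page and is not MessageLabs' code or any real scanner's; the two "engines" are stand-ins that look for a placeholder marker and a script extension, the sample messages are constructed and contain no real malware, and the `Skeptic` class is a hypothetical fingerprinting stage that collapses randomised comment lines before hashing, so two variants of one attachment that differ only in padding get the same fingerprint. Holding mail when an engine fails is this example's design choice, not something the article states.

```python
import email
import hashlib
import re
from email import policy


def build_message(filename, script_lines):
    """Constructed MIME message carrying one attachment (sample input only)."""
    body = "\r\n".join(script_lines)
    return (
        "From: sender@example.test\r\n"
        "To: user@example-client.test\r\n"
        "Subject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{body}\r\n--b1--\r\n"
    ).encode()


# Stand-ins for the commercial engines. Each takes (filename, bytes) and
# returns a detection name or None. The marker string is a placeholder
# standing in for a real signature.
def scanner_signature(name, data):
    return "Test.Marker" if b"X-TEST-SIGNATURE-PLACEHOLDER" in data else None


def scanner_extension_policy(name, data):
    return "Policy.ScriptAttachment" if name.lower().endswith((".vbs", ".js")) else None


def scanner_unavailable(name, data):
    raise RuntimeError("engine update in progress")  # simulated engine outage


# A VBScript-style comment line made only of a run of random alphanumerics.
RANDOM_COMMENT = re.compile(rb"^'\s*[A-Za-z0-9]{8,}\s*$", re.M)


def skeleton(data):
    """Collapse randomised padding lines to a fixed token and hash what is
    left, so variants that differ only in padding share one fingerprint."""
    normalised = RANDOM_COMMENT.sub(b"'<RANDOM>", data)
    return hashlib.sha256(normalised).hexdigest()


class Skeptic:
    """Hypothetical heuristic stage: learns the skeleton of a known sample and
    flags later attachments whose skeleton matches."""

    def __init__(self):
        self.known = {}  # fingerprint -> family name

    def learn(self, data, family):
        self.known[skeleton(data)] = family

    def __call__(self, name, data):
        return self.known.get(skeleton(data))


def attachments(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            yield part.get_filename() or "", part.get_payload(decode=True) or b""


def _engine_name(engine):
    return getattr(engine, "__name__", type(engine).__name__)


def scan_message(raw, engines, fail_closed=True):
    """Run every attachment through every engine. Returns (verdict, detail),
    verdict being 'infected', 'held' or 'clean'. An engine error holds the
    mail rather than letting it through when fail_closed is set."""
    detections, errors = [], []
    for name, data in attachments(raw):
        for engine in engines:
            try:
                hit = engine(name, data)
            except Exception as exc:
                errors.append(f"{name}: {_engine_name(engine)}: {exc}")
                continue
            if hit:
                detections.append(f"{name}: {_engine_name(engine)}: {hit}")
    if detections:
        return "infected", detections
    if errors and fail_closed:
        return "held", errors
    return "clean", []
```

The fingerprint step is deliberately crude: it only neutralises one kind of padding. The point it makes is the one the article makes, that a signature on the raw bytes changes with every transmission while a signature on the normalised structure does not.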

Virus experts at MessageLabs claim that they can actually see e-mail distribution patterns in real time because they have a third eye. Technicians have real-time access to VirusEye, MessageLabs' Web collection of virus data, so they can study new viruses as they spread.
