E-mail Virus Protection as Certain as Death and Taxes

By Alex Goldman | Jul 24, 2001
http://www.enterprisenetworkingplanet.com/netsecur/article.php/808621/Email-Virus-Protection-as-Certain-as-Death-and-Taxes.htm

United Kingdom-based Star Internet originally spun off MessageLabs, its former in-house application development arm, in order to sell managed services and software. Who would have guessed that the Managed Service Provider (MSP) specializing in Internet-level e-mail content filtering services would some day shock the online world by debuting a "100 percent virus protection guarantee."

MessageLabs took the wrappings off its U.S. offices and introduced its first U.S. customer Monday. Operating in 30 countries worldwide, Air Products and Chemicals, Inc. is a Fortune 500 firm with annual revenue totaling $5.5 billion. The chemical company can't afford downtime due to e-mail borne network ailments, so it has become one of the first to leverage MessageLabs' guarantee -- which applies to both known and unknown viruses.

Explained Jack Fekula, manager of systems integrity for Air Products, "Since working with MessageLabs we have experienced a 100 percent return on investment -- not a single virus coming into or leaving our organization."

The opening of MessageLabs' U.S. offices coincided with the outbreak of the "SirCam" virus. MessageLabs announced that it stopped the first copy of "SirCam" on July 17 -- about 18 hours before a viable fix was made available to public networks. The first copy of the virus was spotted in the U.S. and spread quickly over the Internet to 67 countries -- hitting the U.K., U.S., and Mexico the hardest.

Scanning the Internet cloud
MessageLabs' software-plus-control-tower solution -- known as SkyScan AV -- filters and removes viruses in real time without slowing e-mail delivery noticeably. "Clients were concerned about latency," said Chris Chilton, vice president of marketing for MessageLabs, "until they learned that a 1MB file takes 1.2 seconds to go through the system."

Andrew Faris, MessageLabs president of American operations, described its anti-virus solution as truly revolutionary for e-mail correspondence.

"Traditional methods of virus scanning are outdated," Faris said. "The lag time between a virus being detected and signature files being made available from anti-virus vendors creates the possibility of an outbreak scenario."

Conventional anti-virus vendors, like McAfee or Symantec, identify a virus outbreak and then create a signature file that tells various systems how to identify and eliminate the virus.

But creating and distributing the signature file takes time -- and downtime as a result of an e-mail viral infection costs companies money. MessageLabs cuts the time-frame down to zero and saves clients time, money, and worry. Of course, there is a catch -- you must redirect your network's e-mail toward a MessageLabs control tower.

Birth control for viruses
Hosting a tower is no small undertaking. Control towers are deployed in pairs -- twinned but located at different sites -- to ensure fault-tolerant redundancy. The towers are linked at the DNS level via Mail Exchange (MX) records. Open-source advocates will be pleased to hear that the system employs Red Hat Linux 6.2 and uses qmail for its SMTP relay.
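Because the redirection is done purely with MX records, a client can check its own zone to confirm that mail will reach the twinned pair and nothing else. The check below is an added example, not MessageLabs' software; the tower host names and the zone excerpts are constructed for illustration.

```python
"""Validate that a domain's MX record set routes all inbound mail through a
twinned pair of filtering towers.  Added example; tower names and zone
excerpts are constructed, not real MessageLabs hosts."""
import re
from typing import List, Tuple

# Constructed: the two twinned towers a client is told to point its MX at.
TOWER_HOSTS = {"tower-a.example-filter.net", "tower-b.example-filter.net"}

# Constructed zone-file excerpts: equal preference means the pair is used as
# twins; a third, non-tower host would receive some mail unscanned.
ZONE_OK = """
example.com.  IN MX 10 tower-a.example-filter.net.
example.com.  IN MX 10 tower-b.example-filter.net.
"""
ZONE_BAD = """
example.com.  IN MX 10 tower-a.example-filter.net.
example.com.  IN MX 20 tower-b.example-filter.net.
example.com.  IN MX 30 mail.example.com.
"""

MX_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+?)\.?\s*$", re.I)

def parse_mx(zone: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs from MX lines; other lines are ignored."""
    out = []
    for line in zone.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2).lower()))
    return out

def check_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Return findings; an empty list means the set matches the twinned-tower model."""
    findings = []
    hosts = {h for _, h in records}
    tower_prefs = {p for p, h in records if h in TOWER_HOSTS}
    missing = TOWER_HOSTS - hosts
    if missing:
        findings.append("missing tower(s): " + ", ".join(sorted(missing)))
    if len(tower_prefs) > 1:
        findings.append("towers have unequal preference; pair acts as primary/backup, not as twins")
    for p, h in records:
        if h not in TOWER_HOSTS:
            findings.append(f"non-tower MX {h} (pref {p}) receives mail directly, bypassing the towers")
    return findings
```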

Each tower requires dedicated bandwidth of 100 Mbps to operate. The flow is handled by dual Cisco load balancers, a Cisco 3640 router, and dual Cisco Catalyst 2924 switches. Each tower also has 26 Compaq ProLiant dual-CPU servers with 256 MB of RAM, hardware and disk monitoring, and adjoining temperature and fan monitors.

A pair of SQL servers connect the tower to MessageLabs' Global Operations Center in the U.K.; 23 Mail Servers perform scanning and filtering; and the 26th server acts as a "monitor," coordinating the Mail Servers.

The system is designed to ensure that if a single server goes down, the entire system will continue to function, essentially treating each Mail Server as a hot-swappable component. It also takes care of imperfect client networks: if a client's mail server goes down, a Tower can store up to three days' worth of mail and send the e-mail when the client's server is back online.

Since the system is Internet-based, it is compatible with any Operating System (OS). MessageLabs reminds clients, however, that while the SkyScan system protects against e-mail borne viruses -- which account for the vast majority of viruses -- clients should also install "off-the-shelf" anti-virus solutions on every desktop to protect against viruses uploaded on floppy disks (unless removing floppy drives is practical).

Software
The SkyScan Anti-Virus scanning process begins by routing each e-mail through three commercially available anti-virus scanners. In any control tower, you might find MessageLabs using McAfee, F-Secure, and V-Find, but it will usually be testing other scanners, too.

Next, e-mail goes to the SkyScan Artificial Intelligence (AI) program, dubbed Skeptic. Skeptic is a constantly-evolving piece of software that is updated as many as 20 times a day by MessageLabs' Anti-Virus team. The team teaches Skeptic how to recognize known viruses -- and much more.

The team searches for known viruses. It also teaches the AI program to recognize code utilizing known vulnerabilities in commercial software.

The team tries to anticipate advances in e-mail virus architecture. For example, Skeptic was trained to recognize Java applications that used code from known .vbs viruses long before the Java-based viruses actually appeared on the Internet.

The team has taught Skeptic to search for obfuscation. In order to defeat signature files, some viruses are designed to add random characters with each new transmission -- otherwise known as polymorphic viruses or shape-changing e-mail afflictions. Skeptic has had some success in identifying these viruses by recognizing the randomly generated characters from a known pattern of virus distribution.
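The idea of recognizing a variant by the pattern that survives its random padding can be shown with a small normalizer: comments and identifier names are thrown away, and only the structural skeleton is hashed. This is an added toy example, not MessageLabs' Skeptic; the three script samples are constructed and benign.

```python
"""Match a script by its structural skeleton rather than its exact bytes,
so that random comment lines and renamed variables do not defeat the match.
Added example, not MessageLabs' Skeptic; samples are constructed and benign."""
import hashlib
import re

# Constructed "known" sample and a variant that renamed its variable and
# inserted random comment lines; the third sample is unrelated.
KNOWN = """
Dim greeting
greeting = "hello"
MsgBox greeting
"""
VARIANT = """
' qz81kd
Dim xk29
' a0f93jd
xk29 = "hello"
MsgBox xk29
"""
UNRELATED = """
Dim n
n = 3
MsgBox n * 2
"""

# Language keywords are kept; every other identifier collapses to "ID".
KEYWORDS = {"dim", "msgbox", "set", "if", "then", "end", "for", "next"}

def skeleton(script: str) -> str:
    """Blank out string literals, drop VBS-style comments and empty lines,
    and replace non-keyword identifiers with a placeholder."""
    lines = []
    for raw in script.splitlines():
        line = re.sub(r'"[^"]*"', '""', raw)       # literals first, so an
        line = line.split("'", 1)[0].strip()        # apostrophe in one is safe
        if not line:
            continue
        line = re.sub(r"[A-Za-z_]\w*",
                      lambda m: m.group(0).lower() if m.group(0).lower() in KEYWORDS else "ID",
                      line)
        lines.append(re.sub(r"\s+", " ", line))
    return "\n".join(lines)

def skeleton_hash(script: str) -> str:
    return hashlib.sha256(skeleton(script).encode()).hexdigest()

def exact_hash(script: str) -> str:
    return hashlib.sha256(script.encode()).hexdigest()
```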

Virus experts at MessageLabs claim that they can actually see e-mail distribution patterns in real time because they have a third eye. Technicians have real-time access to VirusEye, MessageLabs' Web collection of virus data, so they can study new viruses as they spread.

The eye of the virus
Data available on VirusEye includes daily, monthly, and all-time archives of viruses stopped dead in their e-mail tracks, as well as information about each virus. Virus data is displayed in Top Trump format -- like the European card game that employs easy-to-read statistics printed on playing cards.

Particularly intriguing is MessageLabs' geographical data about viruses. It publishes the top three infected nations for each e-mail bug. On July 19, 2001, at around 6:15 PM EST, MessageLabs reported that the top three nations carrying the "LoveLetterA" virus on its systems were the U.K., U.S., and Taiwan. MessageLabs' clients can also view the statistical evidence about viruses removed from their networks in real time.

Sell it for more
Jos White, co-founder of Star Internet, says that some ISPs are finding that SkyScan services directly impact their bottom line.

"One of our major European customers offers an own-branded version of our service with every leased line sold," White said. "As soon as they offered the anti-virus service, sales jumped between 20 and 30 percent over the previous quarter, and the company was also able to raise its prices by more than 20 percent."

In the future, MessageLabs hopes to work with ISPs to create own-branded versions of its service that will utilize a "Scanned by MessageLabs" logo in the same way that computers use Intel's "Intel Inside" logo to win customer trust. MessageLabs is also working on anti-spam and anti-porn products, so stay tuned to this sales channel for developing news.

Services are priced depending on traffic, and discounts are available for volume and also to those who host a control tower. The base fee is $2.50 per user per month.