Dr.Web for MIMEsweeper
Anti-virus and anti-spam protection of mail traffic directed through a ClearSwift MIMEsweeper content filtering server
Dr.Web for MIMEsweeper is installed on machines that run the MIMEsweeper content filter and functions as the first-level scenario recommended by ClearSwift.
The product is connected to MIMEsweeper as an anti-virus and anti-spam policy for checking mail; it filters viruses, spam and other unsolicited messages. If a threat is detected, Dr.Web for MIMEsweeper classifies a message according to policies assigned by ClearSwift MIMEsweeper and disarms the detected malicious object.
Key features
- Checks e-mails including archived attachments before they are processed by a mail server
- Cures infected objects
- Isolates infected and suspicious files in the quarantine
- Filters spam; filters messages according to black and white lists
- Operation logging
- Automatic updates
Advantages of Dr.Web anti-spam
- The anti-spam doesn’t require configuration or training. Unlike anti-spam solutions based on Bayesian filtering, it starts working as soon as the first message arrives, so the anti-spam doesn’t require daily training by the system administrator
- It detects spam messages regardless of their language
- No e-mail receipt delays
- Real-time e-mail filtering
- High-speed filtering with low consumption of system resources
- Scanning objects at any nesting level
- It can choose a processing technology for the target object depending on the message envelope or upon detection of blocking objects
- Messages that have been filtered out are placed in a separate folder so one can always check them to make sure that no false detection has occurred
- With the unique technologies there is no need for blacklists. No company will be discredited after it has been deliberately added to such a list
- Completely stand-alone: a constant connection to an external server or access to a database is not required, which saves traffic significantly
- Doesn’t need to be updated more often than once in 24 hours – unique spam detection technologies based on several thousands of rules allow the anti-spam to stay up to date without frequent downloads of bulky updates
Vade Retro
Filtering of spam and other unsolicited messages is performed by a vaderetro plugin that uses its own library (Vade Retro). The library is updated regularly for better quality of filtering. High junk filtering productivity is combined with low consumption of system resources. This is the reason why Dr.Web anti-spam is able to operate efficiently on low-end hardware.
Depending on the results of the analysis, each message receives a score from the VadeRetro library – an integer ranging from -10000 to +10000. The higher the score is, the more likely the message is to be spam.
The threshold value is set by the SpamThreshold parameter of the plugin configuration file. If the score equals the value of the SpamThreshold parameter or exceeds it, the message is considered to be spam.
Upon completion of a message analysis, Vade Retro may add (depending on the plugin settings) corresponding headers into the message.
Spam filtering technologies
The Dr.Web anti-spam analyzes messages using several thousands of rules which can be divided into several groups.
- Heuristic analysis
- A highly intelligent technology that empirically analyzes all parts of a message: header, body, and attachments. It allows detecting unknown types of spam. The heuristic analyzer is being constantly improved; new rules are frequently added. It allows detecting next generation spam messages even before a corresponding rule is created.
- Counteraction filtering
- The counteraction filtering is one of the most advanced and efficient technologies of Dr.Web anti-spam. It helps recognize techniques and tricks used by spammers to avoid detection.
- HTML-patterns
- Messages containing HTML code are compared with HTML patterns from the anti-spam library. Such comparison in combination with data on sizes of images typically used by spammers helps protect users against spam messages featuring HTML-code, which often contains online images.
- Detection based on SMTP envelope
- Detection of fake sender and receiver in an SMTP envelope and fake values of header fields is the latest trend in the development of anti-spam technologies. A sender address contained in the received message is easy to fake and therefore should not be trusted. Yet unsolicited mail is not limited to spam. It also includes hoaxes or anonymous threats. Dr.Web anti-spam technologies make it possible to determine whether an address is fake and mark the message as unsolicited. This saves traffic and protects employees from unwanted e-mails whose contents may have an unpredictable impact on people's behaviour.
- Semantic analysis
- Words and phrases of a message are compared with words and phrases from the spam dictionary. All words, phrases and symbols are analyzed – both visible to the human eye and those hidden by spammer tricks.
- Anti-scam technologies
- Scams (as well as pharming messages – a type of scam) are the most dangerous type of spam. The most notorious examples of scams are so-called “Nigerian” scams, loan scams, lottery and casino scams, and false messages from banks and credit organizations. A special module of Dr.Web anti-spam is used to filter scams.
- Technical spam filtering
- Automatic e-mail notifications or bounces are designed to notify a user if a failure in the operation of a mail system occurs (e.g. the message couldn’t be delivered to the specified address). Similar messages can be used by criminals. For example, a worm or ordinary spam can get to a computer as a notification. A special module of Dr.Web anti-spam detects such unwanted messages.
Description
Easy installation and configuration
The scenario wizard of Dr.Web for MIMEsweeper allows the most up-to-date filtering scenarios to be created automatically (Type 1 in the ClearSwift classification system).
Flexible configuration
When the plugin detects an infected object, it attempts to cure it or removes it if curing hasn’t been enabled. If an e-mail has several files attached (even if archived), the plugin will disarm only infected attachments. If malicious code is found in the message body, the message will be moved to the quarantine. Clean messages and attachments are directed to a recipient unchanged. Messages that can’t be disarmed by the Dr.Web plugin are marked as infected and go to the quarantine.
DEP compatibility
Dr.Web for MIMEsweeper supports Data Execution Prevention (DEP), which allows additional checks of RAM to be run and prevents the execution of malicious code. A user doesn’t need to change DEP settings, which in turn prevents malware from using Windows’ exception processing mechanism.
Logging
The Dr.Web plugin registers errors and all events in the Event Log and in its own text log. These include the plugin’s start and stop, module parameters, virus detection notifications for each infected message, and information about each virus and the detection of spam.
Quarantine
Infected and suspicious objects detected by the plugin can be placed in the quarantine for subsequent retrieval of useful information, curing, or deletion.
Notifications
Depending on scenario settings, the content filter can add information about scan results and actions performed by the plugin into the header or body of the message.
Updating
Always up-to-date
- Updating over the Internet, whether automatically or according to a schedule, doesn’t require user intervention. Updating can also be launched manually.
- Updating is very quick even if a slow Internet connection is used.
- Updating servers are always available.
- Updates can be retrieved from an HTTP server.
- In most cases, there is no need to reboot the system to complete updating; Dr.Web starts using the updated modules and latest virus definitions right away
- Updates are small (50-200KB).
- To save traffic, the anti-virus can be set to update virus databases only. However, enabling this option is not recommended. To counter the latest threats, Dr.Web undergoes constant refinement. New features are incorporated in updated modules of an anti-virus package and are downloaded from Doctor Web's server automatically during regular updating sessions.
- You can also reduce traffic by downloading updates as archived files. A special data-compression algorithm used by Doctor Web reduces the size of downloaded updates. Patch files are used to deliver minor additions and fixes for the virus database or program modules. The special compression algorithm applied to such patches dramatically reduces the amount of transferred data.
Virus monitoring service
- The Doctor Web virus monitoring service collects samples of malicious programs all over the Internet to create antidotes and release updates as soon as analyses are completed — as often as several times per hour.
- As soon as an update is released, users can retrieve it from several servers located at various points of the globe.
- To avoid false positives an update is tested over a huge number of uninfected files before it is released.
- The intelligent system automatically adds entries for similar viruses into the database, ensuring the prompt neutralization of emerging threats.
System requirements
- Windows 2000 Server (SP4) or higher.
- Windows Server 2003 or higher.
Unique engine features
- Scans archived files at any nesting level
- Reliable detection of packed objects (even if the compression format is unknown to Dr.Web), their detailed analysis aimed at exposing hidden threats
- Leader in detecting and neutralizing complex rootkits (Shadow.based (Conficker), MaosBoot, Rustock.C, Sector)
- Intelligent memory scan technologies allow viruses to be blocked in the RAM before replicating themselves to the hard drive, making it less likely for malware to exploit the vulnerability of a third-party application or the operating system
- Dr.Web can detect and neutralize viruses that can be found only in RAM and do not exist as files on disks, e.g. Slammer or CodeRed
Detection of unknown threats
- FLY-CODE is a unique universal decompression technology enabling Dr.Web to unpack data that has been compressed with unknown packers
- The cutting-edge, non-signature scan technology Origins Tracing™ ensures the high probability that viruses unknown to Dr.Web will be detected
- The heuristic analyzer, whose analyses are based on criteria that are typical of various groups of malicious programs, detects most known threats
Licensing
Types of licenses
- Per number of protected users.
- Per server license – unlimited scanning of server traffic for as many as 3,000 protected users.
License options
- Anti-virus
- Anti-virus + Anti-spam
Dr.Web for MIMEsweeper is also available in Dr.Web bundles for small and medium companies.


