Clearswift Malware Protection

Anti-Malware

The Clearswift Secure Gateways provide a number of ways to eliminate the risk of malware entering or proliferating around an organization.

The primary methods of malware detection will be performed through the use of Sophos and Kaspersky Anti-Virus.

In the independent AV-Test “Protection against 0-day malware attacks, inclusive of web and e-mail threats”, both Anti-Virus vendors scored perfect scores against 0-day malware attacks.

table1

Whilst they seem identical, deploying both can yield a significant improvement. Internal testing for March 2017 saw that although both AV engines detected 72% of traffic simultaneously, each vendor detected some malware that the other engine missed.

These results are delivered by a number of technologies employed by most Anti-Virus vendors
• Signatures – regular updates of latest AV definitions
• Cloud Lookup – realtime checks of file signatures to see if they match any newly discovered malware
• Heuristics – AV engines inspect the files for similarities with samples of known malicious files
• Behavioural – Will run the file in an emulator briefly to try and understand what the application is doing. This is how “Sandboxes” work, but they will run the application for much longer (as much as 15 minutes to scan a file).

The Gateways also employ other features to help detect malicious object.

True File Types

The Gateways recognizes over 200 file formats by their file structure and not necessarily by name. This means that if someone renames a file “Nasty Virus.Exe” to “Safe File.txt” and if the Gateway was configured to block Executables, then it would still block the file.

Active Code Detection

The Gateways can look at HTML, PDF, Office and OpenOffice formats and see if the files contain references to active code which could be used to attack a system. These files will typically be blocked.

Structural Sanitization

The deep content inspection engine looks at the file formats and verifies the format, so if someone concatenates a Text file to an image file, the Gateway can still detect this scenario and if configured can block the file being transmitted.

Message Sanitization

The Secure Email Gateway (SEG) can be configured to perform numerous operations to reduce the chances of malware entering a company
• Attachments can be removed
• URL’s can be removed
• Active script in message bodies can be removed
• HTML based messages can be stripped so that only plain text messages can be delivered

Outbreak Filters

The SEG also features Outbreak Detection which is another service feed that is provided to aid the Anti-Virus defences by detecting messages that have been found to carry malware.