Return to sender

Firewalls are a good first line of network defense, but they typically don't inspect connections for malicious code. Because of this, scanning e-mail as it enters the network has become an enterprise must.

Companies have traditionally looked to server-based solutions to fulfill their e-mail anti-virus needs. Such solutions integrate with an existing mail server and inspect e-mail content as it passes through. Today, e-mail scanners that act as stand-alone gateways are also available, thereby offering enterprises the option of blocking incoming viruses before they even touch the mail server. I tested both types of anti-virus scanners in this roundup.

Although gateway solutions require additional hardware, they are easier to configure and they leave the mail server unfettered. Server-based products typically scan mailbox stores in addition to incoming and outgoing e-mail messages, thereby providing an extra layer of protection. Products that scan mail stores can catch viruses that slip through the mail server before signatures are updated.

I tested solutions from GFI Software, Gordano, Network Associates, Sophos, Symantec, and Trend Micro, using the test virus developed by the European Institute for Computer Anti-Virus Research (EICAR) to mimic malicious code embedded in e-mail bodies, in uncompressed attachments, and in compressed attachments. The EICAR test virus is harmless, so it wouldn't pose a risk if it escaped my test network, but it provided a good test of each virus scanner's detection capabilities.

All of the solutions in this roundup use a signature database to detect viruses. The scanning engine compares an e-mail file against the database, which is essentially a list of known viruses and their footprints. When a virus is found, the program starts a treatment procedure. First, it attempts to remove the virus from the file. Failing this, the program quarantines the file or -- if the administrator chooses -- deletes the file, sending the administrator and the intended recipient an indication of what has happened.

All of these products are built on mature anti-virus scanning engines, so I wasn't surprised that each was capable of catching the simulated viruses I threw

at it. Although all six products performed on par with one another in terms of identifying viruses, one ultimately provides stronger protection than the rest, due to its use of multiple scanning engines.

Multiple scanning engines improve the chances of detection, of course, because any given virus may be listed in one vendor's signature database but not in another's. GFI MailSecurity uses three separate scanning engines to identify viruses. The rest of the solutions I tested rely on only one.

Not that the other products don't offer extras. All of the server-based solutions perform scanning of mail stores. And nearly all of the six solutions tested provide the ability to configure rules for alerting administrators of outbreaks.

Early warnings of a virus outbreak -- a high number of infected messages in a short amount of time -- can help administrators limit the damage by setting new policies on the firewall or mail server. An alert can typically take the form of an e-mail, an SNMP trap, a numeric page, or a Windows event log entry. Only Sophos MailMonitor lacked rules-based alerts.

GFI MailSecurity for Exchange/SMTP