Our antivirus system scans all inbound and outbound emails using a multi-stage process. The process is broken down into the following four stages:
Stage 1: Restricted Attachments
Virus protection starts with scanning messages for dangerous types of file attachments. Dangerous files are those that can execute code, which can be used by malicious persons to spread viruses or do harm to your computer. Restricted file types include, but are not limited to, program files (.exe, .com), script files (.bas, .vbs, .js), and shortcuts to files (.lnk, .pif). When an email is sent or received that contains a restricted file attachment, the email is rejected and the sender receives a "bounced" email notification informing them of the restriction.
Stage 2: Normalization
This stage of the email antivirus process searches for email formatting vulnerabilities that can be used by viruses to hide from virus scanners. If any vulnerability is found, our system corrects the formatting of the message so that it can be thoroughly scanned for viruses. This is called "normalizing" the message, and most notably this process protects against all known Microsoft Outlook security threats.
Stage 3: Decompression
Next, if the email contains any compressed attachments such as zip files, the compressed attachments are temporarily unzipped so that the contents can be scanned for viruses. Many of today's viruses use compression as a way to sneak past virus scanners, sometimes even compressing themselves in several layers to try to hide from scanners. If an attachment cannot be decompressed, as may be the case with password-protected zip files, the original file is scanned for virus signatures that occur within compressed attachments.
Stage 4: Virus Scan
After the above preprocessing is complete, an email antivirus scanner is used to scan the email and all of its uncompressed attachments. Everything is scanned to ensure maximum protection against new virus threats. ClamAV (www.clamav.net) is the current scanner of choice, although our system was designed to be able to plug in any virus scanner on the market, should the need to do so arise. Updated virus definitions are automatically pushed to our system. This gives our customers protection from new viruses within minutes. Virus definitions are updated hourly. In contrast, most desktop and server anti-virus programs are configured to check for new virus signatures only once per day.
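The Stage 1 attachment check and the Stage 3 layered decompression can be sketched in Python as follows. This is an added example, not Rackspace's code: the function names, the MAX_DEPTH limit and the sample-input helpers are assumptions, and Stage 2 and the Stage 4 scanner call are left out.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Added sketch: extensions are those the page names; MAX_DEPTH is an assumption.
RESTRICTED = (".exe", ".com", ".bas", ".vbs", ".js", ".lnk", ".pif")
MAX_DEPTH = 5  # assumed cap on archive nesting, to bound the work per message

def is_restricted(name):
    # Match the final extension case-insensitively, ignoring trailing dots/spaces.
    return name.rstrip(". ").lower().endswith(RESTRICTED)

def unpack(name, data, depth=0):
    """Yield (path, bytes, note) for each item the scanner should see."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        yield name, data, "file"
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        if depth >= MAX_DEPTH or any(i.flag_bits & 0x1 for i in entries):
            # Too deep, or encrypted (flag bit 0): scan the original container.
            yield name, data, "not-unpacked"
            return
        for info in entries:
            yield from unpack(f"{name}/{info.filename}", zf.read(info), depth + 1)

def triage(raw):
    """Stage 1, then Stage 3: ('reject', name) or ('scan', [items])."""
    msg = message_from_bytes(raw, policy=policy.default)
    items = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        if is_restricted(name):
            return "reject", name
        items.extend(unpack(name, part.get_payload(decode=True) or b""))
    return "scan", items

def sample_message(filename, payload):  # constructed input: one attachment
    msg = EmailMessage()
    msg.set_content("body")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def zip_bytes(inner_name, inner_data):  # constructed input: one-entry zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()
```

Each item returned under 'scan' is what would be handed to the virus scanner in Stage 4; items marked "not-unpacked" are scanned as the original container file.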
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License