Dr.Web - innovation IT-security solutions. Complex protection against Internet threats.

Dr.Web Mail Security Suite for Unix Appliance

Dr.Web Mail Security Suite for Unix Appliance for protection of mail services is implemented as a set of plugins that run simultaneously.

Key features

scan of incoming and outgoing messages for viruses and spa.
blocking and placing infected and suspicious objects to the Quarantine.
sending notifications and alerts on virus events to the system administrator or other selected users.
logging all activities of the solution and collecting of stats on its routines.
automatic updating of the virus database.
summary reports and statistics.

Success stories

A range of tasks that can be solved using the software depends on a set of loaded plugins At present the following plug-ins are available.

DrWeb

This plug-in checks e-mails for viruses by the Dr.Web engine. The scanning is made by the drWebd module. The messages are sent to drWebd being already parsed, that is why support of mime-parsing in the engine or in drWebd is not necessary. The plug-in is highly productive and its detection rate is very high.

Stable operation
Due to modular structure of Dr.Web for Unix mail servers and a special module responsible for the system efficiency it is almost impossible to disable the plug-in.

High response speed
Due to multi-threaded scanning technology the system’s response speed is very high. The files are scanned “on-the-fly” not waiting until earlier received messages are processed. This means end users receive e-mails almost in a moment!

High protection level
Huge virus database and constantly perfecting heuristic analyzer leave no chances for viruses, including micro viruses, Trojan Horses and other malware to penetrate into users’ computers via e-mails. Plug-in detects ill-intentional programs written for all platforms — Windows, Unix, DOS, including the objects which can infect files of Microsoft Office. Administrators can choose the types of files to be scanned, as well as reaction to detected threats — reporting, curing of infected objects, moving of suspicious objects to quarantine, renaming.

Correct check of archives and packed files
The DrWeb plug-in correctly checks the majority of existing formats of packed files and archives with any nesting level, including multi-volume and self-extracting, which is extremely important for e-mail systems. Dr.Web can process more than 1000 types of archives and packers.

Quarantine
The detected infected and suspicious files detected by the plug-in can be moved to the quarantine. Later they can be additionally scanned, cured or deleted.

Ease of administration
The flexibility of configuration files allows to customize parameters of the plug-in. Any action made by the plug-in is reflected in the log-files, which later can be analyzed. Handy alerting system allows administrators to quickly react to emerging threats.

Open source solution
Due to open structure of the product users can themselves develop additional modules using the DrWeb plug-in with the help of the open SDK and detailed documentation.

headersfilter

This plug-in filters messages by headers. It filters not only the message itself, but the attachments as well, if any. An administrator can add rules for filtering of e-mails. Regular expressions can be used when filtering rules are specified. Flexible settings of plug-in allow to implement any number of rules. Plug-in is almost invisible to the system and never overloads it functioning almost instantaneously.

Easy to use
Usage of regular expressions allows to adjust the system both to skip e-mails and to filter them. As the number of rules is unlimited, the system can be easily customized.

Open source solution
Due to open structure of the product users can themselves develop additional modules using the headersfilter plug-in with the help of the open SDK and detailed documentation.

Stable operation
Due to modular structure of the product and a special module responsible for the system efficiency it is almost impossible to disable the headersfilter plug-in.

Vaderetro

Vaderetro is the spam filtering plug-in that uses a library of its own (Vade Retro).
Depending on the analysis each message receives the score from the VadeRetro library – an integer ranging from -10000 to +10000. The less the score is, the more likely the message is to be "legitimate", i.e. not spam. The threshold is set by the SpamThreshold parameter of the plug-in the configuration file (if the score equals to the value of the SpamThreshold parameter or if it is greater than this value the message is considered to be spam).

Depending on its configuration the plugin may add one of the following headers to a message after analysis:

X-Drweb-SpamScore: n. n – the score given by the VadeRetro library.
X-Drweb-SpamState: b. b – yes for spam and messages with viruses and no for non-spam messages and bounces.
X-Drweb-SpamState-Num: s. s – classification results of the VadeRetro analysis. s can take the following values: 0, 1, 2 and 3. 0 – a message is not spam, 1 – a message is spam, 2 – a message contains a virus, 3 – a message is a bounce. This header is added if the value for the ddXDrwebSpamStateNumHeader parameter of the vaderetro plug-in configuration file is set to yes.
X-Drweb-SpamVersion: version. version – the version of the VadeRetro library. This header is added if the value for the AddVersionHeader parameter of the vaderetro plug-in configuration file is set to yes.

Additionally, at the beginning of the "Subject:" field of messages classified as spam, or those containing a virus, the vaderetro plug-in can add the following:

X-IS-SPAM, value YES/NO
X-SPAM-SCORE, a number of points given to the message by VadeRetro
X-SPAM-AGENT, the version of the VadeRetro library
X-SPAM-DETAILS, a detailed description of spam returned by the VadeRetro library
X-SPAM-STATE, current status of a message.

Anti-virus scan of e-mail
Filtering mail for viruses, spyware, adware, suspicious programs, hack tools and jokers is performed by the Dr.Web anti-virus plugin. High productivity of filtering is combined with low system requirements, so the solution runs perfectly virtually on any server hardware.

Stability
The modular structure of the mail service protection system and a special operation control plugin ensure that the anti-virus plugin is always running, so malware can't disable it.

Rapid response

Dr.Web is not an anti-virus only!
Dr.Web successfully detects, cures or removes viruses and all types of malicious objects, including rootkits, mail and network worms, file viruses, Trojan programs, spyware, adware, hacker tools, paid dialers and joke programs.

Unique non-signature detection technology
The Origins Tracing™ technology has been added to traditional signature scan and heuristic analysis. It significantly improves detection of yet unknown viruses. Malicious objects detected using the new technology get the .Origin extension to their names.

Correct scan of archived and packed files
Dr.Web correctly checks the majority of existing formats of packed files and archives with any nesting level, including multi-volume and self-extracting, which is extremely important for e-mail systems. Dr.Web recognizes over 1000 types of archives and packers.

Very frequent updates of the virus database
Updates to the Dr.Web virus database are released as soon as new entries are added – up to several times per hour. "Hot" add-ons are released as soon as a new piece of malware is caught and analyzed. Dr.Web global monitoring network collects samples of new viruses from all over the world. Updates are delivered to customers from several updating servers located in different parts of the globe.

Dr.Web has the most compact virus database
That’s why files are scanned quickly, sparing hard drive disk space and RAM, as well as Internet traffic for downloading of the updates is almost instantaneous. Just one entry in the Dr.Web virus database allows detecting dozens, or hundreds, or even thousands of similar viruses.

Quarantine
Infected and suspicious objects detected by the plugin can be placed to the Quarantine so later one can try to retrieve useful information, cure or delete quarantined messages.

Easy administration
Flexible configuration system allows configuring anti-virus plug-in the way you need. All actions of the plugin are logged so you can analyze system behaviour and bottlenecks. The system promptly notifies an administrator so he can perform required tasks in a timely manner.

Efficient filtering of spam
The Vaderetro plugin filters out spam messages from user mail using its own library (Vade Retro). The library is updated regularly, so the quality of filtering is constantly improving as well.

High performance filtering
Dr.Web Anti-spam scans over 100 messages on-the-fly in one second (1.9GHz Pentium 4 CPU)), which means it will scan 8.64 million messages in 24 hours!

The anti-spam doesn’t require training!
Unlike anti-spam solutions based on Bayesian filter Dr.Web Anti-spam for Unix mail servers doesn’t require any initial training before one is able to use it. The anti-spam starts working as soon as the first message is received!

Intelligent spam detection system
Different technologies are used for different types of undesired mail – spam, phishing-, pharmingг-, scamming-, bounce-messages to ensure yet higher detection probability.

Stand-alone anti-spam saves traffic
The stand-alone anti-spam analyzer module doesn’t require a connection to an external server or access to a database which also saves traffic.

The unique technologies!
The unique filtering technology doesn’t require a block list, so a company can’t be discredited by deliberate adding it to the list.

Regular updates
Anti-spam updates are released on daily basis and downloaded by Dr.Web automatic update utility. The unique technologies allow staying up-to-date with latest filtering evasion techniques applied by spammers with only one update in 24 hours and, therefore, save your traffic.

Spam filtering technologies

The anti-spam technologies consist of several thousands of rules which can be divided into several groups.

Heuristic analysis
A highly intelligent technology that empirically analyzes all parts of a message: header, message body, etc. Not only the message itself, but its attachment is analyzed. The heuristic analyzer is being constantly improved; new rules are frequently added.

Counter-reaction
The counter-reaction technique is one of the most advanced and efficient technologies of Dr.Web anti-spam. It helps counteract techniques and tricks used by spammers to avoid detection.

HTML-patterns
Messages containing HTML code are compared with a list of known patterns from the anti-spam library. Such comparison, in combination with data on sizes of images typically used by spammers, helps protect users against spam messages featuring HTML-code, which often contains online images.

Semantic analysis
During a semantic analysis words and phrases of a message are compared with words and phrases typical of spam. A special dictionary is used for the analysis. All words, phrases and symbols are analyzed – both those visible to the human eye and those masqueraded by the technical tricks of spammers.

Anti-scamming technology
Scam (as well as pharming messages – a type of scam-messages) is the most dangerous type of spam, including the so-called “Nigerian” scams, loan scams, lottery and casino scams and false messages from banks and credit organizations. A special module of Dr.Web anti-spam is used to filter scams.

Technical spam filtering
So-called bounces are delivery-failure messages sent by a mail server. An actual recipient of a bounce is not necessarily a sender of an undelivered message; such a message could be sent by a mail worm. Therefore bounces are as unwanted as spam A special module of Dr.Web anti-spam filters such messages as unwanted.

Active protection against hackers and spammers
Functionality of present-day corporate mail filtering systems is limited because they have to be integrated in mailing systems. Dr.Web Mail Security Suite for Unix Appliances can be installed on a separate server, so mail filtering system becomes more stable, a company that uses the solution enhances its security and saves traffic..

Depending on network architecture, Dr.Web Mail Security Suite for Unix Appliance can be installed in the demilitarized zone (DMZ) or in the local area network of a company. The protected server can be placed in the demilitarized zone so that a mail server is not connected to the Internet directly; In this case even if a hacker succeeds in compromising a server, he won’t get access to sensitive information. Besides, placing Dr.Web Mail Suite for Unix Appliance outside the company network won’t allow a third party to receive information about the application installed on the server which also increases overall security of a network.

Active protection against spam
It is not only the message content that distinguishes spam from normal messages but also SMTP session parameters. Typically a spam message has a large number of recipients or a fake sender address. During a spam attack a lot of messages are sent using one IP-address, or using a fake sender address.

Dr.Web Mail Security Suite for Unix Appliance allows an administrator to restrict the following parameters of an SMTP session :

max number of recipients;
max number of SMTP-connections for one IP-address;
max number of messages in one session;
maximum number of Received headers in a message;
max number of errors in one session;
message max size.

IP-validity verification
One of the properties of a spam message is an invalid sender IP. Spammers have to hide their servers (or spam-bots – compromised user workstations) to avoid getting into the Internet block list.
Dr.Web Mail Security Suite for Unix Appliance allows verifying IP validity thus providing:

Sender authentication;
Check if a sender host is included in the Protected Domains list using PTR and A requests;
Check if a connecting IP-address is included in white or black lists of IP-addresses and domain names;
Check if hosts and IP-addresses of a sender or a recipient have matching DNS, A and MX entries;
Comparing a host IP-address and a connected host;
Lookup an address in RBL/DNSBL blacklists.

Protection against attacks by hackers and spammers
Dr.Web Mail Security Suite for Unix Appliance allows configuring protection against typical attacks directed at a mail server including protection against passive attacks such as PLAIN, LOGIN and active attacks performed without a dictionary search.

Protection against spamtraps
Spamtraps are created in order to find out spammer e-mail addresses. Dr.Web smtp-proxy allows checking if a recipient is a spamtrap, if so – a message won't be sent at the address..

Correct processing of malformed messages
It is well known that some mail clients do not form mail messages in a proper way. Spam programs have the same flaw. Dr.Web Mail Security Suite for Unix Appliance allows blocking messages with empty sender fields; however, it recognizes malformed messages from known mail clients, so no false detections occur.

Saving Internet traffic
Dr.Web Mail Security Suite for Unix Appliance also resolves a problem of high Internet traffic which is especially relevant both for companies with employees carelessly attaching large files to their e-mail and cause mail servers malfunction or companies that become a target for spam attacksв.

Restricted open mail relay
Spammers often used open mail relays - SMTP servers that allow anyone to relay e-mail though them. If a company needs to run such a server, Dr.Web Mail Security Suite for Unix Appliance can be used to create a list of allowed domains to relay e-mail t.

Company \| News&Events \| Send a virus \| Online scanner \| Privacy policy \|	More www-resources:
	www.av-desk.com www.freedrweb.com	pda.drweb.com estore.drweb.com