Anti-Virus Scanning Overview
The Cisco appliance includes integrated virus scanning engines from third-party companies Sophos and McAfee. You can obtain license keys for the Cisco appliance to scan messages for viruses using one or both of these virus scanning engines, and then configure your appliance to scan for viruses using either anti-virus scanning engine.
The McAfee and Sophos engines contain the program logic necessary to scan files at particular points, process and pattern-match virus definitions with data they find in your files, decrypt and run virus code in an emulated environment, apply heuristic techniques to recognize new viruses, and remove infectious code from legitimate files.
You can configure the appliance to scan messages for viruses (based on the matching incoming or outgoing mail policy), and, if a virus is found, to perform different actions on the message (including “repairing” the message of viruses, modifying the subject header, adding an additional X-header, sending the message to an alternate address or mailhost, archiving the message, or deleting the message).
If enabled, virus scanning is performed in the “work queue” on the appliance, immediately after Anti-Spam scanning. (See Email Pipeline and Security Services.)
By default, virus scanning is enabled for the default incoming and outgoing mail policies.
Your Cisco appliance ships with a 30-day evaluation key for each available anti-virus scanning engine. You enable the evaluation key by accessing the license agreement in the System Setup Wizard or Security Services > Sophos/McAfee Anti-Virus pages (in the GUI) or running the systemsetup commands (in the CLI). Once you have accepted the agreement, the Anti-Virus scanning engine will be enabled, by default, for the default incoming and outgoing mail policies. For information on enabling the feature beyond the 30-day evaluation period, contact your Cisco sales representative. You can see how much time remains on the evaluation via Administration > Feature Keys page or by issuing the featurekey command. (For more information, see
Scanning Messages with Multiple Anti-Virus Scanning Engines
AsyncOS supports scanning messages with multiple anti-virus scanning engines — multi-layer anti-virus scanning. You can configure your Cisco appliance to use one or both of the licensed anti-virus scanning engines on a per mail policy basis. You could create a mail policy for executives, for example, and configure that policy to scan mail with both Sophos and McAfee engines.
Scanning messages with multiple scanning engines provides “defense in depth” by combining the benefits of both Sophos and McAfee anti-virus scanning engines. Each engine has leading anti-virus capture rates, but because each engine relies on a separate base of technology (discussed in McAfee Anti-Virus Filtering and Sophos Anti-Virus Filtering) for detecting viruses, the multi-scan approach can be even more effective. Using multiple scanning engines can lead to reduced system throughput; please contact your Cisco support representative for more information.
You cannot configure the order of virus scanning. When you enable multi-layer anti-virus scanning, the McAfee engine scans for viruses first, and the Sophos engine scans for viruses second. If the McAfee engine determines that a message is virus-free, the Sophos engine scans the message, adding a second layer of protection. If the McAfee engine determines that a message contains a virus, the Cisco appliance skips Sophos scanning and performs actions on the virus message based on settings you configured.