The Cisco appliance
includes integrated virus scanning engines from third party companies Sophos
and McAfee. You can obtain license keys for the Cisco appliance to scan
messages for viruses using one or both of these virus scanning engines, and
then configure your appliance to scan for viruses using either anti-virus
The McAfee and Sophos
engines contain the program logic necessary to scan files at particular points,
process and pattern-match virus definitions with data they find in your files,
decrypt and run virus code in an emulated environment, apply heuristic
techniques to recognize new viruses, and remove infectious code from legitimate
You can configure the
appliance to scan messages for viruses (based on the matching incoming or
outgoing mail policy), and, if a virus is found, to perform different actions
on the message (including “repairing” the message of viruses, modifying the
subject header, adding an additional X-header, sending the message to an
alternate address or mailhost, archiving the message, or deleting the message).
If enabled, virus
scanning is performed in the “work queue” on the appliance, immediately after
Anti-Spam scanning. (See
Email Pipeline and Security Services.)
By default, virus
scanning is enabled for the default incoming and outgoing mail policies.
with Multiple Anti-Virus Scanning Engines
scanning messages with multiple anti-virus scanning engines — multi-layer
anti-virus scanning. You can configure your Cisco appliance to use one or both
of the licensed anti-virus scanning engines on a per mail policy basis. You
could create a mail policy for executives, for example, and configure that
policy to scan mail with both Sophos and McAfee engines.
with multiple scanning engines provides “defense in depth” by combining the
benefits of both Sophos and McAfee anti-virus scanning engines. Each engine has
leading anti-virus capture rates, but because each engine relies on a separate
base of technology (discussed in
McAfee Anti-Virus Filtering
Sophos Anti-Virus Filtering)
for detecting viruses, the multi-scan approach can be even more effective.
Using multiple scanning engines can lead to reduced system throughput, please
contact your Cisco support representative for more information.
You cannot configure
the order of virus scanning. When you enable multi-layer anti-virus scanning,
the McAfee engine scans for viruses first, and the Sophos engine scans for
viruses second. If the McAfee engine determines that a message is virus-free,
the Sophos engine scans the message, adding a second layer of protection. If
the McAfee engine determines that a message contains a virus, the Cisco
appliance skips Sophos scanning and performs actions on the virus message based
on settings you configured.