How Mail Security detects risks

Article ID: 181334
Updated On:
Mail Security for Microsoft Exchange

Mail Security uses the following tools to detect risks:


Virus definitions

Symantec engineers track reported outbreaks of threats, such as viruses, Trojan horses, and worms, to identify new threats. After a threat is identified, the information that characterizes it (a signature) is stored in a definition file, together with the information needed to detect and eliminate the threat. Mail Security compares message bodies and attachments against these signatures when it scans for threats. Because this method recognizes only threats that have already been identified, definitions must be kept current for it to remain effective.


Bloodhound heuristics

Mail Security uses Symantec Bloodhound™ heuristics technology to scan for threats for which no definitions yet exist. Rather than matching a known signature, Bloodhound looks for characteristics of malicious code, such as self-replication, in message bodies and attachments that are potentially infected. Symantec states that Bloodhound technology can detect upwards of 80 percent of new and unknown executable file threats.

Bloodhound-Macro technology detects and repairs over 90 percent of new and unknown macro viruses. Bloodhound adds little overhead because it examines only message bodies and those attachments that meet stringent prerequisites. In most cases it can determine within microseconds whether a message or attachment is likely to be infected; if a file is not likely to be infected, it moves on to the next file. Because heuristic detection infers that a file is malicious from its characteristics rather than from a known signature, it can occasionally flag benign files, so review heuristic detections before treating them as confirmed infections.

Container file decomposer

Mail Security includes a decomposer that opens container files (for example, archives) and extracts their contents so that each enclosed file can be scanned for risks. Because containers can be nested, the decomposer keeps extracting until it reaches the base (non-container) files or until it reaches its configured extraction limit. If the limit is reached before the base file is reached, scanning of that item stops. Mail Security logs the violation to the configured logging destinations and handles the file according to the Unscannable File Rule. The limit protects the server from archives nested so deeply that extracting them would exhaust resources; because a file that hits the limit has not been fully scanned, consider whether the Unscannable File Rule should block or quarantine such files rather than deliver them.
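The definition matching described at the top of this article and the nested-container extraction described above, combined in an added Python example that is not part of this article or of Mail Security's own code. It uses ZIP archives as the only container format, the public EICAR test string as the sole entry in a constructed definition list, and two assumed extraction limits: a maximum nesting depth, matching the article's description, plus a cumulative uncompressed-byte budget added here to cover archives that expand far beyond their size. The result structure, file names and limit values are illustrative assumptions.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Public EICAR anti-malware test string: harmless, but every scanner
# is expected to detect it, so it stands in for a real definition here.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "definition file": definition name -> byte signature.
DEFINITIONS = {"EICAR-Test-File": EICAR}


@dataclass
class ScanResult:
    unscannable: bool = False       # True when an extraction limit was hit
    reason: str = ""                # why scanning stopped
    extracted_bytes: int = 0        # cumulative uncompressed size read
    base_files: list = field(default_factory=list)   # (path, size)
    detections: list = field(default_factory=list)   # (path, definition)


def match_definitions(data):
    """Signature scan: names of definitions whose pattern occurs in data."""
    return [name for name, sig in DEFINITIONS.items() if sig in data]


def is_container(data):
    """Assumed container format for this example: ZIP only."""
    return zipfile.is_zipfile(io.BytesIO(data))


def decompose(data, limit, max_bytes=10_000_000, result=None, depth=0,
              path="attachment"):
    """Recursively extract ZIP containers and scan every base file.

    limit     - assumed extraction limit: maximum number of nested container
                levels that may be opened before the item is unscannable.
    max_bytes - assumed budget for the total uncompressed bytes extracted,
                which stops archives that expand far beyond their size.
    depth     - number of container levels already opened above this data.
    """
    if result is None:
        result = ScanResult()
    if result.unscannable:
        return result

    if not is_container(data):
        # Base file reached: scan it against the definitions.
        result.base_files.append((path, len(data)))
        for name in match_definitions(data):
            result.detections.append((path, name))
        return result

    if depth >= limit:
        # Extraction limit reached before the base file: stop scanning;
        # the caller applies the Unscannable File Rule to the whole item.
        result.unscannable = True
        result.reason = f"extraction limit {limit} reached at {path}"
        return result

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result.extracted_bytes += info.file_size
            if result.extracted_bytes > max_bytes:
                result.unscannable = True
                result.reason = f"extracted bytes exceed {max_bytes} at {path}"
                break
            decompose(zf.read(info), limit, max_bytes, result, depth + 1,
                      f"{path}/{info.filename}")
            if result.unscannable:
                break
    return result


def nest(payload, inner_name, levels):
    """Constructed sample input: wrap payload in `levels` nested ZIPs."""
    data, name = payload, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


if __name__ == "__main__":
    sample = nest(EICAR, "eicar.com", 2)          # zip -> zip -> eicar.com
    print(decompose(sample, limit=3))              # scanned, EICAR detected
    print(decompose(sample, limit=1))              # unscannable: too deep
    print(decompose(nest(b"A" * 1000, "a.bin", 1), limit=3, max_bytes=500))
```

The depth check runs before a container is opened, so an item nested one level deeper than the limit is reported as unscannable with nothing from that level scanned, which is the case the article's Unscannable File Rule exists to handle; the byte budget is checked from each member's declared uncompressed size before it is read, so an archive that would expand past the budget stops extraction before the memory is spent.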

See About protecting your server from risks