January 27, 2004 - 12:00
The Novarg virus can be caught by GFI's gateway-level Trojan scanner BEFORE antivirus vendors release updates against it
Novarg (also known as Mydoom and Mimail.R), the latest email virus to threaten the security of networks worldwide, highlights yet again that it is not enough to rely on antivirus protection alone. The time antivirus vendors take to discover a new virus and issue an update against it is too long, leaving ample room for infection and distribution. GFI’s Trojan and Executable Scanner, on the other hand, catches Novarg and other new viruses immediately - before their signatures are issued.
The difference between a virus engine and a Trojan and executable scanner
Because antivirus software is signature-based, it can only detect known viruses and Trojans, and is therefore unable to detect new viruses such as Novarg as soon as they are released. GFI MailSecurity's Trojan and Executable Scanner takes a different approach: rather than relying on signatures, it uses built-in intelligence to rate an executable’s risk level. It does this by disassembling the executable, detecting in real time what it might do, and comparing its actions to a database of malicious actions. This way, GFI MailSecurity can detect unknown viruses and Trojans before they enter the network - and before antivirus engine vendors have issued signatures against them.
“A couple of hours too late”
“If a vendor takes a couple of hours to issue an update against a new virus, this is often a couple of hours too late. By then, the damage is done. All it takes is for one machine on a network to be infected. The virus then propagates to that network and others, causing great damage,” explained David Vella, GFI MailSecurity Product Manager. “Organizations need to take a proactive approach to protecting themselves and should install gateway-level protection against one-off and unknown email threats and Trojans, as well as standard virus scanning software.”
It is for this reason that GFI MailSecurity for Exchange/SMTP - GFI’s email content security and antivirus product for Exchange and SMTP mail servers - incorporates a number of features against email threats, including the Trojan and Executable Scanner.
Novarg.A is reported to be infecting a vast number of computers. This worm is an executable that travels in the form of an email attachment, and it is activated only when a user runs the executable. The worm spoofs the email sender, and the executable is usually compressed inside a zip file. It also launches a Denial of Service attack on www.sco.com and opens a backdoor on the infected computers. The GFI Trojan and Executable Scanner feature is able to catch Novarg.A because the worm triggers the scanner’s "CheckUPX" rule: it is compressed using a UPX packer, which indicates that such an executable might be malicious. Further information is available at http://www.gfi.com/news/en/novarg.htm.
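A packer check of the kind described above can be approximated at a mail gateway by reading the PE section table of each attachment, including the members of a zip file, and flagging section names that begin with UPX (UPX0 and UPX1 are the packer's default names). This is an added illustrative example in Python, not GFI's code: how the CheckUPX rule is implemented is not stated here, and the function names, finding labels and sample header bytes are constructed assumptions.

```python
import io
import struct
import zipfile

HEADER_BYTES = 4096  # typical PE headers and section table fit in this

def pe_section_names(data):
    """Return the PE section names in data, or None if it is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                         # first section header
    names = []
    for entry in range(table, table + 40 * n_sections, 40):
        if entry + 40 > len(data):
            break                                          # truncated table
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return names

def upx_packed(data):
    return any(n.startswith(b"UPX") for n in pe_section_names(data) or [])

def scan_attachment(name, data):
    """Return (path, finding) tuples for one attachment, looking inside zips."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:                   # encrypted member
                    findings.append((path, "encrypted-unscannable"))
                    continue
                with zf.open(info) as member:
                    head = member.read(HEADER_BYTES)       # read headers only
                if upx_packed(head):
                    findings.append((path, "upx-packed-executable"))
    elif upx_packed(data[:HEADER_BYTES]):
        findings.append((name, "upx-packed-executable"))
    return findings

def build_sample_pe(section_names):
    """Constructed header-only PE stub for the demo; it contains no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table
```

A match is a risk signal rather than a verdict: legitimate software is also distributed UPX-packed, and section names can be changed, so the absence of a match proves nothing.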
About GFI MailSecurity for Exchange/SMTP
GFI MailSecurity for Exchange/SMTP is an email content checking, exploit detection, threat analysis and antivirus solution that removes all types of email-borne threats before they can affect an organization's email users. GFI MailSecurity's key features include multiple virus engines, to guarantee a higher detection rate and faster response to new viruses; email content and attachment checking, to quarantine dangerous attachments and content; an exploit shield, to protect against present and future viruses based on exploits (e.g., Nimda, Bugbear); an HTML threats engine, to disable HTML scripts; a Trojan & Executable Scanner, to detect malicious executables; and more. Further information and a full evaluation version are available at http://www.gfi.com/mailsecurity/.
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.