Death. Taxes. Virus Protection?

If you think no conventional anti-virus application can stop the sprawl of e-mail contagions like the "SirCam" virus, you're right. That's why MessageLabs took its virus-stopping solution to the Net, and why it's issued a brash guarantee to stop all e-mail viruses.
Star Internet, a U.K.-based Internet service provider, last year spun off MessageLabs, its former in-house application development arm, to sell managed services and software independently. Who would have guessed that the spinoff, which specializes in e-mail content filtering at the Internet level, would become the first to debut a "100 percent virus protection guarantee"?

While taking the wrappings off its U.S. offices this week, MessageLabs introduced its first U.S. customer: Air Products and Chemicals, a Fortune 500 firm that operates in 30 countries and has annual revenue of $5.5 billion. The chemical company can't afford to shut its e-mail down because of the threat of e-mail-borne network ailments, so it became one of the first to take MessageLabs up on its guarantee -- which applies to both known and unknown viruses.

Jack Fekula, manager of systems integrity for Air Products, said, "Since working with MessageLabs we have experienced a 100 percent return on investment -- not a single virus coming into or leaving our organization."

And if that isn't enough to get ISPs thinking about what their leased line clients would think of such an offer, MessageLabs also debuted a 30-day free trial for new clients.

The opening of MessageLabs' U.S. offices coincided with the outbreak of the "SirCam" virus. MessageLabs announced that it stopped the first copy of "SirCam" on July 17 -- about 18 hours before a viable fix was made available to public networks. The first copy of the virus was spotted in the United States and spread quickly over the Internet to 67 countries, concentrated in this country, the United Kingdom, and Mexico.

Scanning the Internet Cloud
Known as SkyScan AV, MessageLabs' system uses software in tandem with e-mail "control towers," all designed to filter and remove viruses instantly without noticeably slowing e-mail delivery. "Clients were concerned about latency," said Chris Chilton, the company's marketing vice president, "until they learned that a 1 (megabyte) file takes 1.2 seconds to go through the system."

"Traditional methods of virus scanning are outdated," Andrew Faris, MessageLabs' president of American operations, said. "The lag time between a virus being detected and signature files being made available from anti-virus vendors creates the possibility of an outbreak."

Conventional anti-virus vendors, like McAfee or Symantec, identify a virus outbreak and then create a signature file that tells various systems how to identify and eliminate the virus.

But creating and distributing the signature file takes time -- and downtime as a result of an e-mail viral infection costs companies money. MessageLabs aims to cut the time down to zero to save clients time, money, and worry. The catch? You must redirect your network's e-mail toward a MessageLabs "control tower."

Birth Control for Viruses
Hosting a tower is no small undertaking. Control towers are deployed in pairs, twinned but located at different sites, to ensure a working tower if one fails. The towers are linked at the domain name system level via Mail Exchange records. Open-source advocates will be pleased that the system employs Red Hat Linux 6.2 operating system software and uses qmail for its simple mail transfer protocol relay (SMTP, the protocol used to send e-mail between servers).

Each tower requires dedicated bandwidth of 100 megabytes per second to operate. The flow is handled by Cisco hardware, including dual load balancers, a 3640 router, and dual catalyst switches.

Each tower also has 26 Compaq SQL servers, each with 256 megabytes of RAM, hardware and disk monitoring, and adjoining temperature and fan monitors. A pair of servers connects each tower to MessageLabs' Global Operations Center in the U.K.; 23 servers scan and filter a customer's mail; and the 26th server acts as a "monitor" that coordinates the mail servers.

The system is designed to ensure that if a single server goes down, the entire system will continue to function, essentially treating each mail server as a hot-swappable component. It also takes care of imperfect client networks: if a client's mail server goes down, a tower can store up to three days' worth of mail, then send the e-mail when the client's server comes back online.

Since the system is Internet-based, it is compatible with any operating system. While the SkyScan system protects against e-mail-borne viruses (which account for the vast majority), clients should also install "off-the-shelf" anti-virus solutions on every desktop to protect against viruses uploaded on floppy disks (unless eliminating floppy drives is practical).

Scanning Software
The SkyScan anti-virus scanning process begins by routing each e-mail through three commercially available anti-virus scanners. In any control tower right now MessageLabs uses either McAfee, F-Secure, or V-Find, but the company plans to test other scanners as well.

Next, e-mail goes to the SkyScan artificial intelligence program, dubbed Skeptic. Skeptic is a constantly evolving piece of software that is updated as many as 20 times a day by MessageLabs' anti-virus team.

The team teaches Skeptic how to recognize known viruses. But it also teaches the program to recognize code that employs known vulnerabilities in commercial software.

The team also tries to anticipate advances in e-mail virus architecture. For example, Skeptic was trained to recognize Java applications that used code from known .vbs viruses long before the Java-based viruses actually appeared on the Internet.

The team has taught Skeptic to search for obfuscation. In order to defeat signature files, some viruses add random characters with each new transmission; these are known as polymorphic, or shape-changing, viruses. Skeptic has had some success in identifying these viruses by recognizing the randomly generated characters from a known pattern of virus distribution.

Eye of the Virus
Staff at MessageLabs claim that they can actually see e-mail distribution patterns in real time because they have a "third eye" -- that is, access to an online collection of virus data called VirusEye, which allows them to study new viruses as they spread.

Data available on VirusEye include daily, monthly, and all-time archives of viruses stopped dead in their e-mail tracks, with additional information about each. Data are displayed in Top Trump format -- that is, like a European card game that employs easy-to-read statistics printed on playing cards.

Particularly intriguing is MessageLabs' geographical data about viruses. It publishes the top three infected nations for each e-mail bug. On July 19, at around 6:15 p.m. EST, MessageLabs reported that the top three nations carrying the "LoveLetterA" virus on its systems were the United Kingdom, the United States, and Taiwan. Clients can also view the statistical evidence about viruses removed from their networks in real time.

Sell It For More
Jos White, co-founder of Star Internet, says that some ISPs are finding that SkyScan services directly impact their bottom line.

"One of our major European customers offers an own-branded version of our service with every leased line sold," White said. "As soon as they offered the anti-virus service, sales jumped between 20 and 30 percent over the previous quarter, and the company was also able to raise its prices by more than 20 percent."

In the future, MessageLabs hopes to work with ISPs to create own-branded versions of its service that will utilize a "Scanned by MessageLabs" logo, in the same way that computer makers use the "Intel inside" logo to win customer trust. MessageLabs is also working on anti-spam and anti-porn products.

Services are priced depending on traffic, and discounts are available for high-volume users and those who host a control tower. The base fee is $2.50 per user per month.

Alex Goldman is associate editor of ISP-Planet, a site where this story first appeared.
