The new Virus Outbreak Filters feature, first discussed in June, has proven very effective at stopping new email worms in the period between their release into the wild and when anti-virus companies release signatures to detect them, the company said.
According to IronPort’s senior VP of worldwide marketing Tom Gillis, the system recognized MyDoom.O five hours before virus definitions were released, and stopped 40,000 instances from reaching one beta customer, a Fortune 500 company.
The feature leverages SenderBase, the database that matches IP addresses to their email sending history. The software recognizes wormlike deviations from normal behavior and instructs C-Series devices to quarantine mail that matches these deviant patterns.
For example, .pif files are rarely legitimately sent as email attachments, but many worms use them to infect computers. If SenderBase sees lots of similar .pif files coming from hosts that have never sent mail before, it can assume a worm is in play.
It’s a more coarse filter, but the actions it takes are more benign, Gillis said. The system only quarantines suspect mail, rather than deleting it. Administrators can choose when to release the quarantined mail, after virus definitions are available.
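The heuristic described above, as an added sketch in Python that is not IronPort's code: the threshold, the extension-plus-size similarity measure, and all names and sample data are assumptions made for illustration. It shows why the filter is coarse (a known sender's matching file is held too) and why quarantine with later release keeps that cheap.

```python
from collections import defaultdict
from dataclasses import dataclass

RARE_EXTENSIONS = {".pif"}   # the article's example of a rarely legitimate attachment type
MIN_NEW_SENDERS = 3          # hypothetical threshold, not a vendor value

@dataclass(frozen=True)
class Message:
    msg_id: str
    sender_ip: str
    attachment: str
    size: int  # bytes

def fingerprint(msg):
    """Assumed similarity measure: same extension and same 1 KiB size bucket."""
    name = msg.attachment
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext, msg.size // 1024

def outbreak_fingerprints(messages, history):
    """Fingerprints of rare attachments sent by enough hosts with no sending history."""
    new_senders = defaultdict(set)
    for m in messages:
        fp = fingerprint(m)
        if fp[0] in RARE_EXTENSIONS and history.get(m.sender_ip, 0) == 0:
            new_senders[fp].add(m.sender_ip)
    return {fp for fp, ips in new_senders.items() if len(ips) >= MIN_NEW_SENDERS}

def triage(messages, history):
    """Return (delivered, quarantined) message ids; nothing is deleted."""
    suspect = outbreak_fingerprints(messages, history)
    delivered, quarantined = [], []
    for m in messages:
        (quarantined if fingerprint(m) in suspect else delivered).append(m.msg_id)
    return delivered, quarantined

def release(quarantined, flagged_by_av):
    """After definitions arrive, release whatever the anti-virus scan did not flag."""
    return [mid for mid in quarantined if mid not in flagged_by_av]

# Constructed sample data: prior message counts per IP, then one batch of mail.
HISTORY = {"192.0.2.10": 5400}
SAMPLE = [
    Message("m1", "198.51.100.1", "photo.pif", 28700),
    Message("m2", "198.51.100.2", "document.pif", 28900),
    Message("m3", "198.51.100.3", "readme.pif", 28800),
    Message("m4", "192.0.2.10", "legacy.pif", 28750),   # known sender, same pattern
    Message("m5", "192.0.2.10", "report.pdf", 120000),
    Message("m6", "203.0.113.9", "setup.pif", 5000),    # new sender, but no cluster
]
```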
The new version also has a web-based management console that enables administrators to set up group and individual user policies based on their identity in an LDAP directory, Gillis said. Reporting via SQL has also been added.
IronPort says it has 600 customers, including 75 of the Fortune 500 and six of the top 10 North American ISPs on its books. The firm also has a key partnership with Microsoft Corp around IronPort’s Bonded Sender reputation service.
While other email security providers, particularly those using the hosted service model, now count their customer bases in the thousands, Gillis said these firms are mainly going for medium-sized firms, while IronPort is targeting the high-end first.
IronPort is modeling itself on firewall maker NetScreen Technologies, Gillis said, by trying to build a strong brand with the large technology users before trying to extend that brand to the small and medium-sized companies.