The firm will today announce the third-quarter release of Virus Outbreak Filters, an addition to its email security appliances that, IronPort says, can prevent customers being hit by new viruses before virus definitions have been released.
IronPort director of product marketing Ambika Gadre said that the system analyzes traffic patterns in SenderBase, a database that IronPort claims collects information about 25% of the internet’s email traffic.
IronPort says it can analyze this data to create a baseline model of what email traffic looks like, and then analyze deviations from this baseline as a means to detect new email virus outbreaks.
Based on this data, the appliances use a scoring system to figure out the likelihood that incoming email contains viruses. The devices then quarantine the email until Sophos Plc, which IronPort uses for anti-virus, has released a virus signature.
Gadre estimated that the Virus Outbreak Filters can stop worms four to six hours before anti-virus firms have released their definitions. She said that the system is 95% to 100% effective at catching outbreaks, but had no details about false positives.
“The notion of false positives doesn’t quite exist because we’re taking no definitive actions,” she said. “It’s a much more coarse filter, and because it’s coarse, we take a benign action, only quarantining.”
Administrators will have a number of ways of reducing false positives, she said. They can manually check quarantined mail, they can set the quarantine score threshold, and they can create exception lists of recipients.