So how does Avecho's AV work?

If they told you, they'd have to kill you

Review

UK-based email filtering firm Avecho is something of the enfant terrible of the anti-virus world. Since forming 18 months ago, it has consistently attacked the scanner approach and business model of traditional AV firms.

Avecho argues that relying on scanning or heuristics (automatic detection) as a reliable method to protect against viral infection is doomed to failure. Instead, it has developed a signature-free anti-virus service - which combined with an anti-spam filter - promises to provide a "worry-free email service" from between £1 to £2.50 per in-box a month. The service is cheapest for customers who defect from rival services, such as MessageLabs.

Avecho started selling its services to small businesses before expanding into the enterprise and ISP market approximately a year ago.

Black box technology remains a mystery

Like MessageLabs, Avecho's Web-based service aims to stop all spam messages and email viruses before they reach a customer's network. MessageLabs uses a series of three AV scanners from leading suppliers along with its own heuristic scanner, Skeptic, to detect infected messages.

Avecho is not prepared to say how its GlassWall technology works, beyond claiming its server-based approach provides "absolute protection" from all email viruses. Avecho's marketing claims ("100 per cent protection", etc.) frequently come across as more than a little strident. Company sales execs are probably capable of talking varnish off a chair leg.

But what of the substance?

Avecho execs say they could tell us how the technology works, but then they'd have to kill us. Couldn't they explain it a bit and just rough us up, we asked? No, not even that.

Road test

So, instead of a slapping, Avecho gave us the use of a trial account, which we've used intermittently since last July. The anti-virus filtering side of the equation has always worked well, but it's only since Avecho gave us more control over spam filtering that we've been able to get the most out of the service.

Setting up Avecho's Web-based service was straightforward and akin to setting up any new Web-based email account. Once users have put in their details and paid via a secure server, they're able to administer the account.

Depending on the type of service, administrators can set up a number of email accounts. Email to existing email accounts can be re-routed to these new accounts using Avecho's Postman mail collection facility.

Multiple legacy email accounts can be re-routed through Avecho's filtering service in this way. Users can define how frequently email is checked.

Once the passwords and account details entered through this process are verified, users can pick up their email directly from the Web or via a desktop email client.

Tune up

Our experience suggests most users will have to fine-tune the spam filtering aspect of the service, although Avecho's virus-busting technology needs no adjustment.

The virusCENSOR (filtering) part of the Avecho.com service is fixed and requires no configuration. Avecho's GlassWall technology will not allow executable and binary files such as applications and installers to be received.

However, an administrator can allow users to receive these files. In such cases, files will have passed only through a traditional AV scanner, but not GlassWall.

The blocking options in spamCENSOR are trickier. Blocking options range from denying email to anyone not on a clean list, to allowing anything that isn't on a user's dirty list. We found the "allow any email unless the sender is blocked in my address book, or is in a public dirty list" option - which is less strict than the default setting - worked best for us.

Additionally, users can choose to reject image-only emails.
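The three behaviours described above (refusing executable and binary attachments unless an administrator overrides it, in which case they pass only through a conventional scanner; sender policies ranging from "clean list only" to "anything not on a dirty list"; and optional rejection of image-only mail) can be modelled as a small policy engine. The following is an added illustration written for this review, not Avecho's GlassWall or spamCENSOR code, whose workings the company does not disclose. The list contents, sample messages and the `scanner` hook are all constructed for the example.

```python
"""Constructed mail-filtering policy: models the attachment, sender-list and
image-only rules described in the review. Not Avecho's implementation."""
from dataclasses import dataclass, field
from enum import Enum


class SenderMode(Enum):
    CLEAN_LIST_ONLY = "deny unless sender is on my clean list"
    NOT_DIRTY_LIST = "allow unless sender is on my dirty list"
    NOT_BLOCKED_OR_PUBLIC_DIRTY = "allow unless blocked in my address book or on a public dirty list"


class Verdict(Enum):
    DELIVER = "deliver"
    QUARANTINE = "quarantine"
    BLOCK = "block"


@dataclass
class Attachment:
    name: str
    content_type: str
    data: bytes


@dataclass
class Message:
    sender: str
    subject: str
    body_text: str
    attachments: list = field(default_factory=list)


@dataclass
class Policy:
    mode: SenderMode
    clean_list: set            # senders the user trusts
    dirty_list: set            # senders blocked in the user's address book
    public_dirty_list: set     # shared block list
    allow_executables: bool = False
    reject_image_only: bool = False


# Sniff content rather than trusting the filename or declared MIME type:
# PE ("MZ"), ELF, Mach-O (both byte orders) and shebang scripts.
_EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xcf\xfa\xed\xfe", b"#!")
_EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi")


def is_executable(att: Attachment) -> bool:
    """True if the attachment looks like a program or installer by content, name or type."""
    return (att.data.startswith(_EXEC_MAGIC)
            or att.name.lower().endswith(_EXEC_EXTENSIONS)
            or att.content_type in ("application/x-msdownload", "application/x-executable"))


def is_image_only(msg: Message) -> bool:
    """An image-only message has no body text and nothing but image attachments."""
    if msg.body_text.strip() or not msg.attachments:
        return False
    return all(a.content_type.startswith("image/") for a in msg.attachments)


def sender_allowed(policy: Policy, sender: str) -> bool:
    s = sender.lower()
    if policy.mode is SenderMode.CLEAN_LIST_ONLY:
        return s in policy.clean_list
    if policy.mode is SenderMode.NOT_DIRTY_LIST:
        return s not in policy.dirty_list
    return s not in policy.dirty_list and s not in policy.public_dirty_list


def evaluate(policy: Policy, msg: Message, scanner=lambda att: True):
    """Return (verdict, reason). `scanner` is a constructed stand-in for the
    conventional AV scanner that admin-allowed executables are routed through;
    it returns True when it judges the attachment clean."""
    for att in msg.attachments:
        if is_executable(att):
            if not policy.allow_executables:
                return Verdict.BLOCK, f"executable attachment refused: {att.name}"
            if not scanner(att):
                return Verdict.BLOCK, f"scanner flagged attachment: {att.name}"
    if not sender_allowed(policy, msg.sender):
        return Verdict.QUARANTINE, f"sender policy {policy.mode.name}: {msg.sender}"
    if policy.reject_image_only and is_image_only(msg):
        return Verdict.QUARANTINE, "image-only message"
    return Verdict.DELIVER, "ok"


def digest(results):
    """One summary line per quarantined message, as in a periodic quarantine report."""
    return [f"{m.sender} | {m.subject} | {reason}"
            for m, (verdict, reason) in results if verdict is Verdict.QUARANTINE]


# Constructed policy and sample traffic.
POLICY = Policy(SenderMode.NOT_BLOCKED_OR_PUBLIC_DIRTY,
                clean_list={"editor@example.com"},
                dirty_list={"blocked@example.com"},
                public_dirty_list={"bulk@spam.example"},
                reject_image_only=True)

SAMPLES = [
    Message("editor@example.com", "Copy for Monday", "Draft attached",
            [Attachment("draft.txt", "text/plain", b"Hello")]),
    Message("bulk@spam.example", "Cheap meds", "Buy now"),
    Message("friend@example.com", "pic", "", [Attachment("pic.gif", "image/gif", b"GIF89a")]),
    Message("worm@example.net", "Your document", "see attached",
            [Attachment("document.pif", "application/octet-stream", b"MZ\x90\x00")]),
]


def run(policy: Policy = POLICY, messages=SAMPLES):
    return [(m, evaluate(policy, m)) for m in messages]


if __name__ == "__main__":
    for m, (verdict, reason) in run():
        print(f"{verdict.value:10} {m.sender:22} {reason}")
    print("--- quarantine digest ---")
    print("\n".join(digest(run())))
```

The point worth noting for anyone building such a filter is that the attachment rule keys on content (magic bytes) as well as name and declared type, so a renamed installer is still refused; the sender rule is evaluated after the attachment rule, so a trusted sender cannot bypass the executable block.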

When we first tried the service, Avecho treated anything sent by blind carbon copy as spam. This crude rule meant all the press releases received through the account were automatically quarantined. Yes, we could retrieve them but the service became more trouble than it was worth, so we stopped using it.

Since November, Avecho has let users specify that they are happy to receive bcc emails.

Which is nice.

As a result, false positives have dropped from a thumping 20 per cent when we first used the service to around one per cent.

With the filtering sorted out we've been able to use the option of having Avecho quarantine suspected spam emails with a summary every 24 hours. The frequency of this summary email is user-defined.

This is an elegant approach. Instead of wading through scores of emails looking for a false positive there is only one to worry about. If the sender and subject line on a quarantined email look legit it can be retrieved at the click of a button.

Some spam messages do evade Avecho's filter but using the service restricts their number to less than ten a day from more than 200 we'd receive in just one account (sans filtering). That's not quite as good as SpamAssassin but pretty close, and some of the other features of Avecho's service make it a good choice, particularly for small businesses.

Holding back the viral tsunami

The email addresses of Reg hacks are widely published across the Net. The downside is that we get carpet-bombed by every mass mailer that scours infected users' PCs for fresh victims.

We're normally among the first to see mass mailers and Avecho's service did block a variety of such nasties before AV signature definition files were available. We're confident that - as advertised - no email viruses reached us through Avecho's service in all the time we've used it.

That's pretty good, but the service is far from perfect. Firstly, there were a number of false virus positives. In one instance, I forwarded a set of three emails to my home address - which had already passed through GlassWall - to a second email account. They were blocked.

What's more, Avecho - like most AV vendors - insists on sending an email every time it catches a virus. Why not simply send a single email summarising emails blocked by virusCENSOR as with the spam summary?

Avecho is poor at filtering out auto-responder messages, which are a particular problem during outbreaks such as SoBig and MyDoom. You don't get infected, but you still get the tidal wave of spam associated with the epidemic.

To wrap up the niggles, another inconvenience: email collection from third-party accounts via Avecho became troublesome during SoBig last August. In fairness this was far less of a problem during last month's (even more) prolific MyDoom outbreak.

Improving - but not there yet

Everybody, if they're honest, would admit that anti-spam technology is immature. Avecho deserves credit for letting us look at the service - warts and all. Last summer we'd have said the anti-spam aspect of the service had serious shortcomings. Now, with further development, Avecho is worth serious consideration.

One neat trick with the Avecho service is the ability to retrieve any email sent to the account from an email vault even if it's been deleted or lost from a user's PC.

The availability of Avecho's website during the trial period was excellent and download times speedy. One of the advantages of using a Web-based approach is that email can be retrieved far more quickly than if you use a desktop-based spam filtering package.

The company is one of the few security firms to tailor its offering to small businesses where it should prove a winner. Enterprise and ISPs might also find the service attractive, although much here would depend on administrator functions which we did not test. ®

Pros

  • Protection from email viruses without signature updates
  • Easy-to-use Web-based approach
  • Fast email downloads
  • Tailored to the needs of SMEs
  • Email retrieval

Cons

  • Improving - but still far from perfect - spam filtering
  • False positives