So how does Avecho's AV work?

If they told you, they'd have to kill you

UK-based email filtering firm Avecho is something of the enfant terrible of the anti-virus world. Since forming 18 months ago, it has consistently attacked the scanner approach and business model of traditional AV firms.

Avecho argues that relying on scanning or heuristics (automatic detection) as a reliable method to protect against viral infection is doomed to failure. Instead, it has developed a signature-free anti-virus service which, combined with an anti-spam filter, promises to provide a "worry-free email service" for between £1 and £2.50 per in-box a month. The service is cheapest for customers who defect from rival services, such as MessageLabs.

Avecho started selling its services to small businesses before expanding into the enterprise and ISP market approximately a year ago.

Black box technology remains a mystery

Like MessageLabs, Avecho's Web-based service aims to stop all spam messages and email viruses before they reach a customer's network. MessageLabs uses a series of three AV scanners from leading suppliers along with its own heuristic scanner, Skeptic, to detect infected messages.

Avecho is not prepared to say how its GlassWall technology works, beyond claiming its server-based approach provides "absolute protection" from all email viruses. Avecho's marketing claims ("100 per cent protection", etc.) frequently come across as more than a little strident. Company sales execs are probably capable of talking varnish off a chair leg.

But what of the substance?

Avecho execs say they could tell us how the technology works, but then they'd have to kill us. Couldn't they explain it a bit and just rough us up, we asked? No, not even that.

Road test

So, instead of a slapping, Avecho gave us the use of a trial account, which we've used intermittently since last July. The anti-virus filtering side of the equation has always worked well, but it's only since Avecho gave us more control over spam filtering that we've been able to get the most out of the service.

Setting up Avecho's Web-based service was straightforward and akin to setting up any new Web-based email account. Once users have put in their details and paid via a secure server, they're able to administer the account.

Depending on the type of service, administrators can set up a number of email accounts. Email to existing email accounts can be re-routed to these new accounts using Avecho's Postman mail collection facility.

Multiple legacy email accounts can be re-routed through Avecho's filtering service in this way. Users can define how frequently email is checked.

Once the passwords and account details entered through this process are verified, users can pick up their email directly from the Web or via a desktop email client.

Tune up

Our experience suggests most users will have to fine-tune the spam filtering aspect of the service, although Avecho's virus-busting technology needs no adjustment.

The virusCENSOR (filtering) part of the Avecho.com service is fixed and requires no configuration. Avecho's GlassWall technology will not allow executable and binary files such as applications and installers to be received.

However, an administrator can allow users to receive these files. In such cases, files will have passed only through a traditional AV scanner, but not GlassWall.
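The policy the two paragraphs above describe, executables refused outright by default and routed only through a conventional scanner when an administrator opts in, can be modelled with a content-based attachment check. The code below is an added example written for this review and is not Avecho's code, nor a description of how GlassWall actually works (the company does not say); the executable signature table, the `admin_allows_executables` switch and the sample message are all constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of common executable formats. Constructed for this example;
# a production filter would use a fuller signature table.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit executable",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit executable",
}

# File extensions treated as executable content regardless of what the bytes say.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll"}


def classify_attachment(filename, data):
    """Return a reason string if the attachment looks executable, else None.

    Magic bytes are checked first so that a renamed binary is still caught;
    the extension check then catches script and installer types without a
    fixed header.
    """
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"{description} (magic bytes)"
    if filename and "." in filename:
        ext = "." + filename.rsplit(".", 1)[-1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            return f"executable extension {ext}"
    return None


def filter_message(raw_bytes, admin_allows_executables=False):
    """Apply the attachment policy to one RFC 5322 message.

    Returns a list of (filename, verdict) pairs. Non-executable attachments are
    delivered; executables are blocked unless the administrator has opted in,
    in which case they only pass the conventional scanner path.
    ``admin_allows_executables`` is a hypothetical switch for this example.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data)
        if reason is None:
            verdicts.append((name, "deliver"))
        elif admin_allows_executables:
            verdicts.append((name, "scanner-only: " + reason))
        else:
            verdicts.append((name, "blocked: " + reason))
    return verdicts


def build_sample_message():
    """Constructed test message: one PDF, one renamed PE binary, one .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the documents attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # Declared as plain text, but the bytes carry a PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="text", subtype="plain",
                       filename="report.txt")
    msg.add_attachment(b"not really a program",
                       maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in filter_message(build_sample_message()):
        print(f"{name}: {verdict}")
    print("--- with administrator opt-in ---")
    for name, verdict in filter_message(build_sample_message(), admin_allows_executables=True):
        print(f"{name}: {verdict}")
```

Checking the leading bytes as well as the extension means an attachment whose name and declared MIME type do not match its contents is still classed as executable; a rule that trusts only the file name is the weaker form of the same policy.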

The blocking options in spamCENSOR are trickier. Blocking options range from denying email to anyone not on a clean list, to allowing anything that isn't on a user's dirty list. We found the "allow any email unless the sender is blocked in my address book, or is in a public dirty list" option - which is less strict than the default setting - worked best for us.

Additionally, users can choose to reject image-only emails.

When we first tried the service, Avecho treated anything sent by blind carbon copy as spam. This crude rule meant all the press releases received through the account were automatically quarantined. Yes, we could retrieve them but the service became more trouble than it was worth, so we stopped using it.

Since November, Avecho has let users specify that they are happy to receive bcc emails.

Which is nice.
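The spamCENSOR options described above (a strict clean list, a personal dirty list, the personal plus public dirty lists the review settled on, the image-only reject, and the bcc rule) form a small decision procedure whose settings trade false positives against false negatives. The block below is an added example written for this review, not Avecho's code; the precedence between the options, the mode names and the sample inbox are assumptions constructed for the illustration, since the review does not state how the settings interact.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """The three spamCENSOR blocking options named in the review."""
    CLEAN_LIST_ONLY = "deny email from anyone not on my clean list"
    MY_DIRTY_LIST_ONLY = "allow anything not on my dirty list"
    MY_AND_PUBLIC_DIRTY = ("allow any email unless the sender is blocked in my "
                           "address book or is in a public dirty list")


@dataclass
class Message:
    sender: str
    bcc: bool = False          # delivered via blind carbon copy
    image_only: bool = False   # no text body, image attachment(s) only
    is_spam: bool = False      # ground truth, used only for scoring the sample


def classify(msg, mode, clean, my_dirty, public_dirty,
             reject_image_only=False, accept_bcc=True):
    """Return 'deliver' or 'quarantine' for one message.

    Precedence is an assumption of this example, not documented Avecho
    behaviour: the message-level options (image-only, bcc) are applied before
    the sender lists, so a blanket bcc rule overrides a clean-list entry.
    """
    if reject_image_only and msg.image_only:
        return "quarantine"
    if not accept_bcc and msg.bcc:
        return "quarantine"
    sender = msg.sender.lower()
    if mode is Mode.CLEAN_LIST_ONLY:
        return "deliver" if sender in clean else "quarantine"
    if mode is Mode.MY_AND_PUBLIC_DIRTY:
        blocked = sender in my_dirty or sender in public_dirty
        return "quarantine" if blocked else "deliver"
    return "quarantine" if sender in my_dirty else "deliver"


def score(messages, **settings):
    """Count false positives (legitimate mail quarantined) and false negatives
    (spam delivered) for one set of settings over a labelled sample."""
    false_pos = false_neg = 0
    for m in messages:
        verdict = classify(m, **settings)
        if verdict == "quarantine" and not m.is_spam:
            false_pos += 1
        elif verdict == "deliver" and m.is_spam:
            false_neg += 1
    return false_pos, false_neg


# Constructed sample inbox: five bcc'd press releases, two senders on a public
# dirty list, one image-only spam from an unknown sender, one known colleague.
SAMPLE = [Message(f"press{i}@agency.example", bcc=True) for i in range(5)] + [
    Message("offers@bulk.example", is_spam=True),
    Message("deals@bulk.example", is_spam=True),
    Message("random@unknown.example", image_only=True, is_spam=True),
    Message("colleague@example.com"),
]
CLEAN = {"colleague@example.com"}
MY_DIRTY = set()
PUBLIC_DIRTY = {"offers@bulk.example", "deals@bulk.example"}


def compare_policies():
    """Score the settings the review contrasts: the original bcc-as-spam rule,
    the later bcc opt-in plus the image-only reject, and the strict clean list."""
    common = dict(clean=CLEAN, my_dirty=MY_DIRTY, public_dirty=PUBLIC_DIRTY)
    return {
        "dirty lists, bcc treated as spam":
            score(SAMPLE, mode=Mode.MY_AND_PUBLIC_DIRTY, accept_bcc=False, **common),
        "dirty lists, bcc accepted, image-only rejected":
            score(SAMPLE, mode=Mode.MY_AND_PUBLIC_DIRTY, accept_bcc=True,
                  reject_image_only=True, **common),
        "clean list only":
            score(SAMPLE, mode=Mode.CLEAN_LIST_ONLY, **common),
    }


if __name__ == "__main__":
    for name, (fp, fn) in compare_policies().items():
        print(f"{name}: {fp} false positives, {fn} false negatives")
```

On the constructed sample, treating bcc as spam quarantines every press release while still letting the unknown-sender spam through, the strict clean list removes the false negatives at the cost of the same five false positives, and the dirty-list mode with bcc accepted and image-only mail rejected gets both counts to zero. That is the shape of the improvement the next paragraph reports, though the real figures depend on the real inbox.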

As a result, false positives have dropped from a thumping 20 per cent when we first used the service to around one per cent.

With the filtering sorted out we've been able to use the option of having Avecho quarantine suspected spam emails with a summary every 24 hours. The frequency of this summary email is user-defined.

This is an elegant approach. Instead of wading through scores of emails looking for a false positive there is only one to worry about. If the sender and subject line on a quarantined email look legit it can be retrieved at the click of a button.

Some spam messages do evade Avecho's filter but using the service restricts their number to fewer than ten a day from the more than 200 we'd receive in just one account (sans filtering). That's not quite as good as SpamAssassin but pretty close, and some of the other features of Avecho's service make it a good choice, particularly for small businesses.

Holding back the viral tsunami

The email addresses of Reg hacks are widely published across the Net. The downside is that we get carpet-bombed by every mass mailer that scours infected users' PCs for fresh victims.

We're normally among the first to see mass mailers and Avecho's service did block a variety of such nasties before AV signature definition files were available. We're confident that - as advertised - no email viruses reached us through Avecho's service in all the time we've used it.

That's pretty good, but the service is far from perfect. Firstly, there were a number of false virus positives. In one instance, I forwarded a set of three emails to my home address - which had already passed through GlassWall - to a second email account. They were blocked.

What's more, Avecho - like most AV vendors - insists on sending an email every time it catches a virus. Why not simply send a single email summarising emails blocked by virusCENSOR as with the spam summary?

Avecho is poor at filtering out auto-responder messages, which are a particular problem during outbreaks such as SoBig and MyDoom. You don't get infected, but you still get the tidal wave of spam associated with the epidemic.

To wrap up the niggles, another inconvenience: email collection from third-party accounts via Avecho became troublesome during SoBig last August. In fairness, this was far less of a problem during last month's (even more) prolific MyDoom outbreak.

Improving - but not there yet

Everybody, if they're honest, would admit that anti-spam technology is immature. Avecho deserves credit for letting us look at the service - warts and all. Last summer we'd have said the anti-spam aspect of the service had serious shortcomings. Now, with further development, Avecho is worth serious consideration.

One neat trick with the Avecho service is the ability to retrieve any email sent to the account from an email vault even if it's been deleted or lost from a user's PC.

The availability of Avecho's website during the trial period was excellent and download times speedy. One of the advantages of using a Web-based approach is that email can be retrieved far more quickly than if you use a desktop-based spam filtering package.

The company is one of the few security firms to tailor its offering to small businesses where it should prove a winner. Enterprise and ISPs might also find the service attractive, although much here would depend on administrator functions which we did not test. ®

Pros

  • Protection from email viruses without signature updates

  • Easy-to-use Web-based approach

  • Fast email downloads

  • Tailored to the needs of SMEs

  • Email retrieval

Cons

  • Improving - but still far from perfect - spam filtering

  • False positives
