So how does Avecho's AV work?
If they told you, they'd have to kill you
Review UK-based email filtering firm Avecho is something of the enfant terrible of the anti-virus world. Since forming 18 months ago, it has consistently attacked the scanner approach and business model of traditional AV firms.
Avecho argues that relying on scanning or heuristics (automatic detection) as a reliable method to protect against viral infection is doomed to failure. Instead, it has developed a signature-free anti-virus service - which combined with an anti-spam filter - promises to provide a "worry-free email service" from between £1 to £2.50 per in-box a month. The service is cheapest for customers who defect from rival services, such as MessageLabs.
Avecho started selling its services to small businesses before expanding into the enterprise and ISP market approximately a year ago.
Black box technology remains a mystery
Like MessageLabs, Avecho's Web-based service aims to stop all spam messages and email viruses before they reach a customer's network. MessageLabs uses a series of three AV scanners from leading suppliers along with its own heuristic scanner, Skeptic, to detect infected messages.
Avecho is not prepared to say how its GlassWall technology works, beyond claiming its server-based approach provides "absolute protection" from all email viruses. Avecho's marketing claims ("100 per cent protection", etc.) frequently come across as more than a little strident. Company sales execs are probably capable of talking varnish off a chair leg.
But what of the substance?
Avecho execs say they could tell us how the technology works, but then they'd have to kill us. Couldn't they explain it a bit and just rough us up, we asked? No, not even that.
So, instead of a slapping, Avecho gave us the use of a trial account, which we've used intermittently since last July. The anti-virus filtering side of the equation has always worked well, but it's only since Avecho gave us more control over spam filtering that we've been able to get the most out of the service.
Setting up Avecho's Web-based service was straightforward and akin to setting up any new Web-based email account. Once users have put in their details and paid via a secure server, they're able to administer the account.
Depending on the type of service, administrators can set up a number of email accounts. Email to existing email accounts can be re-routed to these new accounts using Avecho's Postman mail collection facility.
Multiple legacy email accounts can be re-routed through Avecho's filtering service in this way. Users can define how frequently email is checked.
Once the passwords and account details entered through this process are verified, users can pick up their email directly from the Web or via a desktop email client.
Our experience suggests most users will have to fine-tune the spam filtering aspect of the service, although Avecho's virus-busting technology needs no adjustment.
The virusCENSOR (filtering) part of the Avecho.com service is fixed and requires no configuration. Avecho's GlassWall technology will not allow executable and binary files such as applications and installers to be received.
However, an administrator can allow users to receive these files. In such cases, files will have passed only through a traditional AV scanner, but not GlassWall.
The blocking options in spamCENSOR are trickier. Blocking options range from denying email to anyone not on a clean list, to allowing anything that isn't on a user's dirty list. We found the "allow any email unless the sender is blocked in my address book, or is in a public dirty list" option - which is less strict than the default setting - worked best for us.
Additionally, users can choose to reject image-only emails.
When we first tried the service, Avecho treated anything sent by blind carbon copy as spam. This crude rule meant all the press releases received through the account were automatically quarantined. Yes, we could retrieve them but the service became more trouble than it was worth, so we stopped using it.
Since November, Avecho has let users to specify they are happy to receive bcc emails.
Which is nice.
As a result, false positives have dropped from a thumping 20 per cent when we first used the service to around one per cent.
With the filtering sorted out we've been able to use the option of having Avecho quarantine suspected spam emails with a summary every 24 hours. The frequency of this summary email is user-defined.
This is an elegant approach. Instead of wading through scores of emails looking for a false positive there is only one to worry about. If the sender and subject line on a quarantined email looks legit it can be retrieved at the click of a button.
Some spam messages do evade Avecho's filter but using the service restricts their number to less than ten a day from more than 200 we'd receive in just one account (sans filtering). That's not quite as good as Spam Assassin but pretty close and some of the other features to Avecho's service make it a good choice, particularly for small businesses.
Holding back the viral tsunami
The email addresses of Reg hacks are widely published across the Net. The downside is that we get carpet-bombed by every mass mailer that scours infected users' PCs for fresh victims.
We're normally among the first to see mass mailers and Avecho's service did block a variety of such nasties before AV signature definition files were available. We're confident that - as advertised - no email viruses reached us through Avecho's service in all the time we've used it.
That's pretty good, but the service is far from perfect. Firstly there were a number of false virus positives. In one instance, I forwarded a set of three emails to my home address - which had already passed through Glasswall - to a second email account. They were blocked.
What's more, Avecho - like most AV vendors - insists on sending an email every time it catches a virus. Why not simply send a single email summarising emails blocked by virusCENSOR as with the spam summary?
Avecho is poor at filtering out auto-responder messages, which are a particular problem during outbreaks such as SoBig and MyDoom. You don't get infected, but you still get the tidal wave of spam associated with the epidemic.
To wrap up the niggles, another inconvenience: email collection from third-party accounts via Avecho became troublesome during SoBig last August. I fairness this was far less of a problem during last month's (even more) prolific MyDoom outbreak.
Improving - but not there yet
Everybody, if they're honest, would admint that anti-spam technology is immature. Avecho deserves credit for letting us look at the service - warts and all. Last summer we'd have said the anti-spam aspect of the service had serious shortcomings. Now, with further development, Avecho is worth serious consideration.
One neat trick with the Avecho service is the ability to retrieve any email sent to the account from an email vault even if it's been deleted or lost from a user's PC.
The availability of Avecho's website during the trial period was excellent and download times speedy. One of the advantages of using a Web-based approach is that email can be retrieved far more quickly than if you use a desktop-based spam filtering package.
The company is one of the few security firms to tailor its offering to small businesses where it should prove a winner. Enterprise and ISPs might also find the service attractive, although much here would depend on administrator functions which we did not test. ®
- Protection from email viruses without signature updates
- Easy-to-use Web-based approach
- Fast email downloads
- Tailored to the needs of SMEs
- Email retrieval
- Improving - but still far from perfect - spam filtering
- False positives
Sponsored: Are DLP and DTP still an issue?