Avinti iSolation Server 1
Price: Starts at $20
It's in your inbox--an e-mail with an unfamiliar attachment from a trusted co-worker. Is it legitimate or has it been spawned by an e-mail spoofing worm that captured your address from an infected system? Some enterprises prohibit types of e-mail attachments, but that means blocking whole file classes and impeding operations for the sake of security. Others depend on resource-intensive gateway filters.
Avinti has come up with a clever idea to stop e-mail malware without necessarily prohibiting attachment types, while retaining network performance: the Avinti iSolation Server (AIS).
AIS is a gateway software product placed in front of any SMTP-based e-mail server. Running on Windows 2000/2003, the IIS SMTP virtual server intercepts all incoming e-mail messages and passes them through a simulated computer running Windows 2000, Microsoft Office, WinZip, Adobe Acrobat and other common applications.
The downside is that the current version is only suited for small businesses and branch offices. Even with its recommended hardware and configurations (a 3 GHz Pentium 4 processor with 2 to 4 GB RAM), it can only process 500 externally generated e-mail messages per hour at the gateway, clearly ruling it out for even mid-sized organizations.
Nevertheless, it's a promising technology. The key advantage is its protection against malware during the critical time between when a virus is released and a signature is posted by AV vendors. Security managers can configure filters by proposed action (block, ignore or observe) and file extension through an easy-to-use interface. For example, e-mails with Word or Excel attachments can be immediately blocked, while text files are ignored, since they pose no risk.
AIS passes suspicious e-mails and attachments to its virtual machine, where they behave as if they have reached their target. AIS monitors the activity in the virtual machine for abnormal behaviors such as self-replication, file system access and Microsoft Outlook address book lookup. It will unpack .zip files to discover malicious activity; security managers also have the option to block password-protected or encrypted .zip files. It blocks malicious e-mails, while letting harmless ones through.
To test AIS, we sent a variety of text and HTML e-mails and attachments--all of which were handled correctly. Both blocked and allowed e-mails were processed nearly instantaneously, while the processing of suspicious messages took up to 30 seconds. AIS assigns an ID to malicious e-mails and their attachments, so multiple copies are blocked without subsequent testing. Security managers can change default settings and track blocked e-mails and attachments through an administrative Web page. Details about blocked e-mails are easily retrieved by searching for the date, sender or recipient using the admin interface.
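The triage steps described above (per-extension block/ignore/observe actions, optional blocking of encrypted .zip files, and reuse of an ID so repeat copies skip testing) can be sketched as follows. This is an added example, not Avinti's code: the policy table, the function names, the use of a SHA-256 digest as the ID and the sample message are all assumptions, and the sandbox itself is not modelled.

```python
import hashlib
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical policy table using the review's three actions.
# Extensions not listed fall through to "observe" (assumed default: sandbox it).
POLICY = {".doc": "block", ".xls": "block", ".txt": "ignore"}
known_bad = set()  # stand-in for AIS's IDs; a SHA-256 digest is an assumption

def zip_is_encrypted(data):
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False  # unparseable: leave it to behavioural analysis

def triage(raw, block_encrypted_zip=True):
    """Return {filename: (action, reason)} for a raw RFC 5322 message."""
    out = {}
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if hashlib.sha256(data).hexdigest() in known_bad:
            out[name] = ("block", "previously identified")
        elif ext == ".zip" and block_encrypted_zip and zip_is_encrypted(data):
            out[name] = ("block", "encrypted zip")
        else:
            out[name] = (POLICY.get(ext, "observe"), "extension policy")
    return out

def sample_message():
    """Constructed test message: a text file, a spreadsheet, a flagged zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.txt", "hello")
    z = bytearray(buf.getvalue())
    z[z.index(b"PK\x01\x02") + 8] |= 0x1  # set encrypted bit in central directory
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "files"
    msg.set_content("see attached")
    for fn, body in (("notes.txt", b"plain"), ("q3.xls", b"\xd0\xcf"), ("docs.zip", bytes(z))):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=fn)
    return msg.as_bytes()
```

Calling `triage(sample_message())` returns one verdict per attachment; adding a digest to `known_bad` makes later copies of that attachment block immediately.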
About the Author
Steven Weil is a contributor to Information Security magazine.
This review originally appeared in Information Security magazine.