In this FAQ we have tried to
collect some questions (and their respective answers) which are
often asked about Office-Logic products and the Norman virus
engine that is included with the products. We have tried to
group the questions in some main categories as seen below.
Hopefully this will be of help to the users of Office-Logic in
understanding Norman's Sandbox technology.
Note: Sandbox technology is
currently only available in Office-Logic InterChange.
What is Norman sandbox?
Sandbox is Norman's technology
for detecting new unknown viruses and malware, using a safe
virtual environment inside your computer, where the viruses are
allowed to reveal themselves without damaging your system.
Which viruses does the sandbox detect?
The sandbox detects most types of
viruses. Since the sample being tested for viral activity is
run on a simulated computer system in a simulated network, it
can either spread locally on the system or try to infect other
machines. It can also use services of remote machines, like
SMTP, News, IRC, DNS etc.
Does it detect ALL viruses?
No. The intention of the sandbox
is to detect current threats to your system. Legacy DOS COM
viruses and other non-executable viruses (like macros and
scripts) are not detected by the sandbox. The sandbox focuses on
detecting binary email and network worms, as these are the most
common and dangerous viruses at present.
Is it safe?
Yes. Since we're running
everything emulated, nothing is run on your real system. If a
virus or a trojan wants to delete all your system files, it
will delete the system files on the simulated hard drive, not
your real one. Since we're using emulation, there is nothing to
break free from, so it's perfectly safe.
How much of my resources does it use?
The sandbox module reuses modules
from our scanner engine, the emulator and virtual memory
manager. The software components of the sandbox are located in
our definition file (NVCBIN.DEF). The sandbox modules are less
than 160kb compressed. The memory requirement is about 4 MB per
scanning thread. Since we're running it through emulation, speed
is of great importance. On a 700 MHz PIII it emulates over a
million instructions per second. On a 2 GHz P4 it emulates over 3
million instructions per second. We have designed the sandbox to
reduce the number of emulation cycles, especially on clean files,
and this will be an ongoing effort. Tests done early in the
development phase showed that using the sandbox on all
executable files on a regular hard drive increased the scanning
time by about 40%. Compared to the amount of work being done
using the sandbox and the benefits of detecting unknown advanced
worms and viruses, we do not consider speed a problem.
When the sandbox detects a virus, what should I do?
When the sandbox detects a virus,
the name of the virus can be one of the following:
If the sandbox detects something
unknown, you should first make sure that your NVC installation
is completely up to date. This is accomplished automatically
(see "How often does my product check for updates?" for
more information and to manually update). If your installation
is outdated, the Sandbox may have detected a virus that has
recently been added to the definition files. If the virus that
NVC detects is still one of those in the list above, we haven't
seen it before; otherwise we would have added regular detection
of it. The message sent to the user and/or the administrator (if so
configured) should always give a short analysis of why it's a worm
or virus.
Where should I and where can I enable the Norman Sandbox?
Norman Sandbox should be enabled
in the "Configure->Options->Virus" tab of the
Office-Logic product. Make sure that the box is checked for
"Scan using Norman Sandbox technology".
Does the sandbox require updates?
Yes, the sandbox consists of
numerous software components, like kernel32, wsock32, msvcrt
etc. These are located in the binary definition file
(NVCBIN.DEF). We constantly work on improving these software
modules. The sandbox updates will be available through Norman
Internet Update on the same basis as other NVC modules.
How often does my product check for updates?
It depends on the product.
Office-Logic InterChange checks our Virus Update Server every 3
hours. Office-Logic WebClean and MailS.W.A.T. check every 23
hours. You can also force an update by selecting
"File->Update virus definitions now" on the main
screen of the Console.