Steps before the virus scan
Because viruses usually try to spread as spam, most email viruses are blocked by our anti-spam technologies before they are scanned with our antivirus engine. Thanks to this resource-saving and intuitive setup, even viruses that are not yet detected by virus scanners are usually safely quarantined or completely rejected.
Checking the attachments:
Viruses usually try to spread in executable e-mail attachments. In the web interface you can manage restrictions for file extensions and select which extensions the filter blocks by default. If you enable this option and block dangerous file extensions, potentially dangerous attachments should no longer be accepted by mail.
Additionally, we operate the open source antivirus framework "ClamAV", which updates its virus definitions every 30 minutes. In addition to the ClamAV databases, we have added data sets from several external partners that specialize in email virus problems, to ensure optimal real-time protection against the latest virus attacks. Our internal reputation systems also help with virus scanning and provide optimal protection against spam, malware, phishing and viruses.
We regularly review various commercial antivirus engines and analyze false negatives to see whether other engines would have delivered a different result. Unfortunately, most commercial antivirus engines block email viruses only after the message has been received and therefore do not provide additional security at the SMTP gateway level. It is also important that an antivirus program is installed on the end user's device: it accesses the message later, which gives antivirus vendors more time to update their signatures.
We actively analyze virus emails to continuously improve our detection and catch zero-day viruses. Sandboxing is used in our environments for this purpose, but we do not integrate real-time sandboxing into our scanning processes. Vendors often advertise such technologies, but there is practically no good sandboxing system that contributes to the efficiency of scanning at SMTP gateways in real time. Rewriting URLs so that they point to a sandbox environment introduces a "scan delay": the URL can be scanned again when the user tries to access it, and there is a chance that the commercial antivirus engine will have a signature for it by then. However, our engine will never change the content of the email, as this would break DKIM and could lead to corruption of messages. URL rewriting/filtering should be done directly at the endpoint to protect against such threats.
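
Why changing the message content conflicts with DKIM, shown as an added example (not code from this service): it computes the DKIM body hash (`bh=`) per RFC 6376 for a signed body and for the same body after a gateway has rewritten a URL. Assumptions: SHA-256, no `l=` body-length tag, and a constructed sample message with a hypothetical rewriter host.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple': drop empty lines at the end, keep exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed': collapse runs of space/tab, strip whitespace at
    line ends, drop empty lines at the end of the body."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def bh_still_valid(signed: bytes, delivered: bytes) -> dict:
    """Per canonicalization: does the delivered body still match the signed bh=?"""
    return {c.__name__: body_hash(signed, c) == body_hash(delivered, c)
            for c in (canon_simple, canon_relaxed)}


# Constructed sample bodies (CRLF line endings, as on the wire).
SIGNED = b"Hello,\r\n\r\nyour invoice: https://example.com/invoice\r\n"
# Whitespace-only changes in transit: tolerated by 'relaxed', not by 'simple'.
REFLOWED = b"Hello,  \r\n\r\nyour   invoice: https://example.com/invoice\r\n\r\n"
# Hypothetical gateway that rewrites the link to point at a scanning proxy.
REWRITTEN = SIGNED.replace(
    b"https://example.com/invoice",
    b"https://rewriter.example.net/?u=https%3A%2F%2Fexample.com%2Finvoice",
)

if __name__ == "__main__":
    print("bh (signed)   :", body_hash(SIGNED))
    print("bh (rewritten):", body_hash(REWRITTEN))
    print("reflowed  ->", bh_still_valid(SIGNED, REFLOWED))
    print("rewritten ->", bh_still_valid(SIGNED, REWRITTEN))
```

Neither canonicalization tolerates the rewritten link, so a receiver verifying the original sender's signature after the rewrite sees a body hash mismatch.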