Next: Borderline Cases Up: MEF: Malicious Email Filter Previous: Introduction

Incorporation into Procmail

MEF filters malicious attachments by replacing the signature-based virus filter found in Procmail with a detection model generated by data mining. Procmail is a program that processes email messages, looking for particular information in the headers or body of each message, and takes actions based on what it finds [1]. Currently the only supported mail server is sendmail. MEF uses a procmail script to extract the attachments from each email and save them temporarily under their own names. The script then runs the filter on each attachment.

The filter first decodes each binary and then examines it with a data mining classifier. It evaluates the attachment by comparing the byte strings found in the binary against the byte sequences contained in the detection model. The system calculates the probability that the binary is malicious, and if that probability is greater than its likelihood of being benign, the executable is labeled malicious. Otherwise, the binary is labeled benign. This result is reported as a score back to Procmail, which either sends the mail along untouched or logs the entry as an attack and wraps the email with a warning. The log is a collection of information about the attachment; exactly what information is recorded depends on the configuration of the system.
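The classification step described above, as an added illustration that is not MEF's own code: the page says only that the model holds byte sequences and that the binary is labeled malicious when its probability of being malicious exceeds its probability of being benign, so the choice of 2-byte sequences as features, a Bernoulli Naive Bayes classifier with Laplace smoothing, and the constructed training samples are all assumptions made here.

```python
import math
from collections import Counter

# Constructed training samples (hypothetical attachments, not real malware):
# the "malicious" ones share a byte sequence the benign ones never contain.
SAMPLES = [
    (b"MZ\x90\x00\xde\xad\xbe\xef\xde\xad", "malicious"),
    (b"MZ\x90\x00\xde\xad\xbe\xef\x00\x00", "malicious"),
    (b"MZ\x90\x00\x00\x00hello world", "benign"),
    (b"MZ\x90\x00\x00\x00text document", "benign"),
]

def byte_ngrams(data: bytes, n: int = 2) -> set:
    """Unique n-byte sequences found in an attachment (the byte-string features)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def train(samples) -> dict:
    """Build the detection model: per-class count of attachments containing
    each byte sequence, plus how many attachments each class had."""
    doc_freq = {"malicious": Counter(), "benign": Counter()}
    class_count = Counter()
    for data, label in samples:
        class_count[label] += 1
        doc_freq[label].update(byte_ngrams(data))
    return {"doc_freq": doc_freq, "class_count": class_count}

def score(model: dict, data: bytes) -> dict:
    """Log-probability of each class given the attachment's byte sequences
    (Bernoulli Naive Bayes, Laplace-smoothed). The label is 'malicious' only
    when P(malicious) > P(benign), as the text describes."""
    feats = byte_ngrams(data)
    vocab = set().union(*model["doc_freq"].values())
    total = sum(model["class_count"].values())
    logp = {}
    for cls, n_cls in model["class_count"].items():
        lp = math.log(n_cls / total)          # class prior
        df = model["doc_freq"][cls]
        for g in vocab:
            p = (df[g] + 1) / (n_cls + 2)     # smoothed P(sequence present | class)
            lp += math.log(p) if g in feats else math.log(1 - p)
        logp[cls] = lp
    label = "malicious" if logp["malicious"] > logp["benign"] else "benign"
    return {"label": label, "log_probs": logp}

def procmail_status(model: dict, data: bytes) -> int:
    """Exit status handed back to the procmail recipe: 1 = malicious, 0 = benign."""
    return 1 if score(model, data)["label"] == "malicious" else 0
```

In a real deployment the model would be trained on a labelled corpus far larger than four samples and the status would drive the recipe's choice between delivering the mail untouched and wrapping it with a warning.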



Matthew G. Schultz
2001-05-01