
VIRUS AND SPY PROTECTION ARCHITECTURE


Presentation Transcript


  1. VIRUS AND SPY PROTECTION ARCHITECTURE

  2. Agenda
  • In this module
  • Processes and services
  • Product components
  • Message flow during various scan operations

  3. PROCESSES AND SERVICES

  4. AVCS Processes
  • F-Secure Management Agent: fameh32.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsguidll.exe
  • F-Secure Virus & Spy Protection: fsav32.exe, fsaw.exe, fsgk32.exe, fsgk32st.exe, fsdfwd.exe, fsqh.exe, fsrw.exe, fssm32.exe
  • F-Secure Automatic Update Agent: fsbwsys.exe, F-Secure Automatic Update.exe

  5. Processes: FSMA
  • fsm32.exe: F-Secure Manager, displays the F-Secure tray icon
  • fsma32.exe: F-Secure Management Agent (Service)
  • fsmb32.exe: Message Broker, processes communication between the different modules and products
  • fsnrb32.exe: handles the communication between the hosts and the PMS
  • fameh32.exe: Alert and Messaging Handler, handles alert and log forwarding
  • fch32.exe: Configuration Handler, reads the base policy files and writes the incremental policy files
  • fsih32.exe: Installation Handler, launches ilaunchr.exe during installations

  6. Processes: Virus & Spy Protection
  • fsav32.exe: Anti-Virus Handler
  • fsaw.exe: F-Secure Ad-Watch (Browser Control)
  • fsdfwd.exe: Anti-Virus Firewall Daemon, redirects e-mails to the Scanner Manager (Service)
  • fsqh.exe: handles object quarantine
  • fsgk32.exe: Gatekeeper Handler, receives real-time scan requests from the Gatekeeper
  • fsgk32st.exe: Gatekeeper Handler Starter (Service)
  • fsrw.exe: F-Secure Reg-Watch (System Control)
  • fssm32.exe: Scanner Manager, manages the scanning engines

  7. Virus & Spy Protection Services
  • F-Secure Management Agent Environment
    NET STOP/START FSMA: fameh32.exe, fsaw.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsdfwd.exe, fsrw.exe, fsguidll.exe
  • F-Secure Gatekeeper Environment
    NET STOP/START FSGKHS: fsgk32.exe, fsgk32st.exe, fssm32.exe
  • F-Secure Automatic Update Environment
    NET STOP/START FSBWSYS: fsbwsys.exe, F-Secure Automatic Update.exe
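An added health check (example code, not part of the original slides or of the F-Secure product) that encodes the service-to-process mapping from this slide and reports, for a snapshot in the shape of `tasklist /FO CSV /NH` output, any process that is absent while its service is RUNNING; the process names come from the slide, the snapshot and the service states are constructed for the example:

```python
import csv
import io

# Service -> processes the slide lists under NET STOP/START for that service.
EXPECTED = {
    "FSMA": ["fameh32.exe", "fsaw.exe", "fch32.exe", "fsih32.exe", "fsnrb32.exe",
             "fsm32.exe", "fsma32.exe", "fsmb32.exe", "fsdfwd.exe", "fsrw.exe",
             "fsguidll.exe"],
    "FSGKHS": ["fsgk32.exe", "fsgk32st.exe", "fssm32.exe"],
    "FSBWSYS": ["fsbwsys.exe", "F-Secure Automatic Update.exe"],
}


def parse_tasklist_csv(text):
    """Image names (lower-cased) from `tasklist /FO CSV /NH` style output."""
    return {row[0].lower() for row in csv.reader(io.StringIO(text)) if row}


def check_environments(running, service_states):
    """Compare the running image names with EXPECTED for each service.

    service_states maps service name -> 'RUNNING' / 'STOPPED' as reported by
    `sc query`.  A service that reports RUNNING while one of its processes is
    absent is the condition worth alerting on: a crashed or terminated
    component leaves that environment partly unprotected.
    """
    report = {}
    for svc, procs in EXPECTED.items():
        state = service_states.get(svc, "UNKNOWN")
        missing = [p for p in procs if p.lower() not in running]
        report[svc] = {"state": state, "missing": missing,
                       "alert": state == "RUNNING" and bool(missing)}
    return report


# Constructed snapshot (not captured from a real host): every FSMA process is
# up, FSGKHS is RUNNING but fsgk32.exe is gone, FSBWSYS is cleanly stopped.
SAMPLE_TASKLIST = "\n".join(
    '"%s","%d","Services","0","4,096 K"' % (name, 1000 + i)
    for i, name in enumerate(EXPECTED["FSMA"] + ["fsgk32st.exe", "fssm32.exe",
                                                 "explorer.exe"]))
SAMPLE_SERVICES = {"FSMA": "RUNNING", "FSGKHS": "RUNNING", "FSBWSYS": "STOPPED"}

if __name__ == "__main__":
    snapshot = parse_tasklist_csv(SAMPLE_TASKLIST)
    for svc, result in check_environments(snapshot, SAMPLE_SERVICES).items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{svc:8} {result['state']:8} {flag:6} missing={result['missing']}")
```

On a real host the snapshot would be the output of `tasklist /FO CSV /NH` and the states those reported by `sc query` for the three service names.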

  8. PRODUCT COMPONENTS

  9. Product Components (architecture diagram). Components shown: Email Client, Browser Control, Browser, HTTP Scanning Module, User Interfaces, Management Agent, Anti-Virus Handler, System Clean-up Module, Scanner Manager, Spyware Quarantine, Firewall Daemon, System Control, Email Scanning Module, Gatekeeper Handler, the scanning engines (AVP, Draco, Orion, Libra), Firewall Driver and Gatekeeper Driver; the diagram is layered into Desktop, Services, Kernel and Internet (Email Server).

  10. Real-Time Scanning: Clean File (message-flow diagram over the product-component map, steps 1-5 numbered in the figure)

  11. Real-Time Scanning: Infected File (message-flow diagram over the product-component map, steps 1-7 numbered in the figure)

  12. Gatekeeper Driver
  • fsgk.sys, fsrec.sys and fsfilter.sys
  • Provides the low-level file I/O for the user-mode scanning (kernel mode)
  • Intercepts and postpones file I/O requests
  • Posts scan requests to the Gatekeeper Handler (file or boot sector)
  • Denies file access if the file is infected
  • Does not participate in the actual scanning

  13. Gatekeeper Handler
  • fsgk32.exe
  • Handles communication between kernel and user mode
  • Receives real-time scan requests from the Gatekeeper driver
  • Assigns scanning tasks to the Scanner Manager and sends databases to it
  • Starts and initializes the Scanner Manager
  • Enables the GKH API through FSMA
  • Manages the policies interface

  14. Scanner Manager
  • fssm32.exe
  • Manages the scan engines (sending scanning requests); isolated from the framework
  • Upon finding an infection, the Scanner Manager decides which action to take
  • Implements "black-listing" of files that caused a scan engine to crash, to prevent crash loops
  • Calls the System Clean-up Module and Spyware Quarantine when disinfection is selected
  • Handles locked files

  15. Scanning Engines
  • dffpi.dll, avpproxy.dll, fslfpi.dll and lsse.dll
  • Perform the actual scanning of files as requested by the Scanner Manager
  • Scanning engines are DLLs loaded into the Scanner Manager's process space (provides a "sandbox" environment)
  • Orion is a binary scanning engine
  • AVP Proxy is a binary scanning engine with a large virus history coverage
  • Libra is a macro and script virus engine
  • Draco handles spyware, tracking cookie removal and hosts file protection

  16. System Clean-Up Module
  • fssc.fsd
  • Handles special virus-specific cleanup actions
  • Called by the Scanner Manager every time an infection needs to be removed (disinfected)
  • Calls secondary action lists
  • Changes secondary action behaviour

  17. Manual Scan: Virus vs. Spyware (diagram comparing the two flows, with detection and removal steps 1-5 numbered in the figure; labels shown: Clean File, File w/ Virus, Spyware File, Trojan, registry key HKEY_LOCAL_M…, File System, Registry, Anti-Virus Handler, Scanner Manager, System Clean-up Module, Spyware Quarantine and the AVP, Draco, Orion and Libra engines)

  18. Anti-Virus Handler
  • fsav32.exe
  • Handles on-demand scans
  • Decides when it is necessary to ask the user to restart the computer
  • When such a decision has been made, an appropriate message is sent to FSMUIAV
  • The Gatekeeper Handler notifies AVH of situations where a restart of the computer becomes necessary
  • Posts alerts to FSMA (which forwards the alerts as specified in its policy)
  • Delivers database updates

  19. User Interfaces
  • fsm32.exe: F-Secure Manager (FSM), manages the GUI plug-ins
  • fsmuiav.dll: shows a dialog or message box asking the user to restart the computer when necessary; invokes the Scan Wizard and provides it with the required information
  • fsuipx.dll: System Control UI Proxy, the communication link between F-Secure System Control and the GUI
  • fsawfsm.dll: Ad-Watch plug-in, the communication link between F-Secure Browser Control and the GUI; loads F-Secure Browser Control (fsaw.exe)

  20. Spyware Quarantine
  • fsqrt.dll
  • Generic component of the F-Secure scanning services (currently used only for spyware)
  • Scanners communicate with the quarantine via FSSM
  • Provides storage for removed objects (XML-based database)
  • Relies on Access Control Lists (ACLs) and user rights
  • The user needs administrative rights to clean the system and to add or restore objects

  21. Email Scanning: Sending Email (SMTP) (message-flow diagram over the product-component map, steps 1-6 numbered in the figure)

  22. Email Scanning: Receiving Email (POP & IMAP) (message-flow diagram over the product-component map, steps 1-6 numbered in the figure)

  23. Firewall Driver
  • fsdfw.sys
  • Catches all new outgoing e-mail connections and re-routes them to the E-Mail Scanning Module

  24. Firewall Daemon and Email Scanning Module
  • fsdfwd.exe
  • Starts the F-Secure E-Mail Scanning Module (FSAVES)
  • Receives re-routed e-mails from the firewall engine
  • fsmirror.dll
  • Detects e-mails being transmitted (either sent or received) and stores them temporarily for scanning
  • Sends the e-mail path or memory address (depending on size) to the F-Secure Scanner Manager (FSSM) module, which starts scanning in the following order

  25. Registry Watch (System Control)
  • fsrw.exe
  • Does the actual registry monitoring
  • Communicates with the GUI through the System Control UI Proxy (fsuipx.dll)
  • Loaded through the FSMA interface

  26. Browser Control (diagram over the product-component map, step 1 numbered in the figure)

  27. Ad-Watch (Browser Control)
  • fsaw.dll
  • Lavasoft Ad-Watch module
  • Does the actual blocking for the IE Shield and Pop-up Blocker features
  • Framework integration through F-Secure Browser Control (fsaw.exe)
  • Settings, database and license handling
  • Communication with the GUI
  • Loaded through the FSM interface
  • Runs under the user account

  28. Web Traffic Scanning (message-flow diagram over the product-component map, steps 1-3 numbered in the figure)

  29. HTTP Scanner
  • fslsp.dll, fshttp.dll
  • Loaded into the process space of the applications that use HTTP (they are hooked into the WinSock DLL)
  • The HTTP scanner uses the Scanner Manager for scanning via the Gatekeeper

  30. Summary
  • In this module
  • Processes and services
  • Product components
  • Message flow during various scan operations