
Welcome to Sommarkollo 2006


Presentation Transcript


  1. Welcome to Sommarkollo 2006

  2. Microsoft Antigen, with a focus on Antigen for Microsoft Exchange. Lasse Pettersson, www.humandata.se

  3. Agenda
     • Antigen Solutions
     • Antivirus
     • Anti-spam
     • Management
     • Antigen for IM and SharePoint
     • DEMO
     • Installation and configuration
     • Q/A

  4. Antigen Solutions (diagram): layered defenses, server optimization and content control against viruses, worms and spam, covering IM and documents (Live Communications Server, SharePoint Server) and e-mail (ISA Server, Exchange Servers, Windows SMTP Server)

  5. E-mail Antivirus Approaches
     Single Vendor Solution (problem: single point of failure)
     • Same scan engine, heuristics technology and signature files on all server and client platforms
     • Dependent on one AV lab for scan engine updates during virus or worm outbreaks
     • Queuing and delay during engine updates on mission critical servers (i.e. Exchange)
     Multi-vendor Solution (problem: management/cost)
     • Different scan engines, heuristics technologies and signature files on server and client platforms
     • High acquisition and maintenance cost
     • Added filtering complexity
     (Diagram: viruses, worms and spam arrive from the Internet through ISA Servers and Windows SMTP Servers to the Exchange servers, with a separate AV product on every tier.)

  6. Multiple Engine Management: one vendor, multiple technologies (diagram: Antivirus, Antispam, Policy Management and Central Management layered over multiple AV engines, between the Internet and the Exchange Server/Windows SMTP Server)

  7. Antigen for Exchange
     • Protects Exchange Server 5.5, 2000, and 2003
     • Detects and removes viruses in e-mail messages and attachments
     • Scans at SMTP stack (most processing intensive scans)
     • Scans real-time at Exchange Information Store
     • Provides on-demand and scheduled scans of information store
     • Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003
     • Provides advanced content-filtering capabilities for messages and attachments
     • Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level
     (Diagram: Internet, ISA Server, Exchange Front End, then Exchange Site 1 and Exchange Site 2 with the Exchange Public Folder Server and Exchange Mailbox Server.)

  8. Antigen Multiple Engine Manager (MEM) Bias Settings (diagram: a pool of scan engines 1-4)
     • Max Certainty: uses all engines (100%)
     • Favor Certainty: uses 75% of available engines
     • Neutral: uses approximately 50% of available engines
     • Favor Performance: uses 25% of available engines
     • Max Performance: uses one engine for every scan
     * Engines used are not always the same. They are dynamically allocated from the available pool.
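The bias levels above, turned into a working engine selection. This is an added example and not Antigen's Multiple Engine Manager code: the engine names, the round-up rule for small pools and the rotation strategy used to "dynamically allocate" engines are assumptions made here for illustration.

```python
"""Added example (not Antigen code): a Multiple Engine Manager that turns
the five bias levels on the slide into an engine selection. Engine names,
the round-up rule and the rotation strategy are assumptions."""
import math

# Share of the available engine pool each bias level uses, per the slide.
BIAS_FRACTION = {
    "max_certainty": 1.0,       # all engines
    "favor_certainty": 0.75,    # 75% of available engines
    "neutral": 0.5,             # approx. 50% of available engines
    "favor_performance": 0.25,  # 25% of available engines
    "max_performance": None,    # exactly one engine for every scan
}


def engines_for_bias(bias, pool_size):
    """Number of engines a single scan uses for the given bias and pool size.
    Assumption: round up, so a small pool still gets at least one engine."""
    fraction = BIAS_FRACTION[bias]
    if fraction is None:
        return 1
    return max(1, math.ceil(fraction * pool_size))


class EnginePool:
    """Rotates through the pool so consecutive scans do not always use the
    same engines (the slide's footnote: engines are dynamically allocated)."""

    def __init__(self, engines):
        self.engines = list(engines)
        self._cursor = 0

    def allocate(self, bias):
        size = len(self.engines)
        count = engines_for_bias(bias, size)
        chosen = [self.engines[(self._cursor + i) % size] for i in range(count)]
        self._cursor = (self._cursor + count) % size
        return chosen


def scan(pool, bias, verdicts):
    """Scan one item with the engines the bias selects. `verdicts` is a
    constructed map of engine name -> True if that engine flags the item;
    assumption: any single detection makes the overall verdict 'infected'."""
    used = pool.allocate(bias)
    return used, any(verdicts.get(engine, False) for engine in used)


if __name__ == "__main__":
    pool = EnginePool(["engine_a", "engine_b", "engine_c", "engine_d"])
    verdicts = {"engine_c": True}  # constructed: only engine_c knows this sample
    for bias in BIAS_FRACTION:
        used, infected = scan(pool, bias, verdicts)
        print(f"{bias:18s} engines={used} infected={infected}")
```

Running the demo shows the trade-off the slide is making: with Favor Performance a single engine is consulted, so a sample only one vendor detects can slip through on one scan and be caught on the next as the rotation moves on, whereas Max Certainty always consults the whole pool.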

  9. Scanning Performance
     • Scanning at both the SMTP stack and Exchange Store
       • SMTP: provide maximum scanning protection (Max Certainty bias)
       • Exchange Store: balance security with performance (Neutral bias)
     • In-memory scanning
       • Dynamic allocation of application memory improves server efficiency
       • Eliminates the burdensome process of spooling data to disk for virus scanning
     • Ability to increase number of available processes (scanning threads)

  10. Antigen AV Engine Partners (diagram): included "in the box"; additional options ($) (2); coming soon: MS Antivirus

  11. Worm Removal
     • Fully purge all messages containing worms
       • Use Sybari Worm List (wormprge.dat) to purge any message that matches a known worm virus
       • Create a custom Worm List with a single wildcard (*) to match all malicious code detected
       • Provide pre-emptive protection against unknown worms with file filter purge (size, type, extension, etc.)
     • The user receives nothing, not even a notification
     • Purged messages containing worms should not be quarantined
       • There is no value in the message
       • Reduces network bandwidth by removing un-needed messages

  12. Content and File Filtering
     • Content filtering
       • Scans messages for keywords in message body text
       • Offers whitelisting for trusted senders
       • Provides separate filters for inbound, outbound and internal
     • File filtering
       • Blocks a specific range of potentially dangerous file types by both extension and true file type
       • File types commonly blocked: EXE, COM, PIF, SCR, VBS, VBE, SHS, CHM, REG and BAT
       • Unpacks and repacks ZIP files, removing only the blocked file
       • Offers whitelisting for trusted senders
       • Provides separate filters for inbound, outbound and internal
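The two file-filtering behaviours on this slide, blocking by extension and by true file type and repacking a ZIP with only the blocked member removed, as an added example. It is not Antigen code; the magic-byte table is a minimal constructed one and the nesting limit for archives inside archives is an assumption.

```python
"""Added example (not Antigen code): file filtering by claimed extension and
by true file type, plus unpacking a ZIP and removing only the blocked members.
The magic-byte table and the nesting limit are assumptions."""
import io
import zipfile

# Extensions the slide lists as commonly blocked.
BLOCKED_EXTENSIONS = {"exe", "com", "pif", "scr", "vbs", "vbe", "shs", "chm", "reg", "bat"}

# Minimal constructed magic-byte table for true-file-type detection.
MAGIC = {
    b"MZ": "exe",           # DOS/PE executable, whatever it is named
    b"ITSF": "chm",         # compiled HTML help
    b"PK\x03\x04": "zip",   # ZIP archive
}
MAX_NESTING = 3             # assumption: stop descending into nested zips here


def true_type(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_blocked(name, data):
    """Block on the claimed extension OR the true type, so a renamed executable
    (notes.txt starting with MZ) is caught as well as a plain setup.exe."""
    return extension(name) in BLOCKED_EXTENSIONS or true_type(data) in BLOCKED_EXTENSIONS


def filter_zip(data, prefix="", depth=0):
    """Unpack, drop blocked members, repack the rest.
    Returns (new_zip_bytes, removed_member_paths)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            member = src.read(info)
            path = prefix + info.filename
            if is_blocked(info.filename, member):
                removed.append(path)
            elif true_type(member) == "zip" and depth < MAX_NESTING:
                # Traverse the archive: filter the inner zip and store the cleaned copy.
                inner, inner_removed = filter_zip(member, path + "/", depth + 1)
                removed.extend(inner_removed)
                dst.writestr(info.filename, inner)
            else:
                dst.writestr(info.filename, member)
    return out.getvalue(), removed


def build_zip(members):
    """Helper to construct sample archives from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def member_names(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_member(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)
```

Checking both the name and the leading bytes is what makes the "true file type" clause matter: a policy that looks only at the extension is defeated by renaming, and one that looks only at content misses script types (VBS, BAT, REG) that have no reliable magic bytes.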

  13. Antigen Message Processing (pipeline diagram)
     • Spam Filtering: Sender/Domain Filter, Subject Line Filter, Sender Whitelist Check, Spam Scanning, RBL Filter
     • Content Filtering: Keyword Filtering
     • Attachment Scanning
       • Non-archive files: Worm Scanning, File Name Filtering, Virus Scanning
       • Archive/.zip files: File Name Filtering, traverse the archive
     • Body Scanning: Virus Scanning

  14. Integrated Anti-spam
     • Advanced Spam Manager option available with Antigen for SMTP Gateways or Antigen for Exchange servers
     • Employs signature-based SpamCure anti-spam engine from Mail-Filters
     • Works with heuristics-based Intelligent Message Filter (IMF)
     • Real-time scanning and content filtering
     • Enables administrators to create custom allow and block lists based on sender, domain and IP addresses

  15. Spam Detection Methods
     • SpamCure engine: the primary and most effective method
       • SpamCure engine provided by third party, Mail-Filters
     • RBL lists: support for multiple external RBL services
     • Message body keywords: used more for policy management, not very effective for spam
     • Mailhost filtering: blocking based on sender, domain and IP (a good supplement but too reactive to use as primary method)
     • Whitelisting: sender whitelisting to complement spam detection

  16. SpamCure
     • STAR engine (Spam Tricks Analysis and Response)
       • Spammer tricks are identified and neutralized
       • The STAR engine removes the comments, so the normalized message can be matched against signatures (diagram: www.con<random-comments>to<comments>so.com is normalized to www.contoso.com)
     • Bullet Signature Database: human editors create small, targeted signatures
       • Based on specific, unique characteristics of a message (URL, phone number, specific text string, etc.)
       • Targets the spammer
       • Bullets don't catch just one spam message, they catch multiple spam from the same spammer
       • A new signature is not required for each new spam message
     • High catch rate with low false positives
       • Signature-based approach ensures highly accurate detection
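The normalization step this slide describes, followed by a match against small "bullet" signatures, as an added example. It is not the SpamCure or STAR implementation: besides stripping the comments shown on the slide it also removes inline tags and decodes HTML entities, a modest generalization of the same trick-neutralization idea, and the signature set is constructed.

```python
"""Added example (not the SpamCure/STAR implementation): normalize a message
by removing comments and tags inserted inside words, then match the cleaned
text against constructed 'bullet' signatures keyed on a URL or phone number."""
import html
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)  # HTML comments
TAG_RE = re.compile(r"<[^>]+>")                    # any remaining tag
WS_RE = re.compile(r"\s+")

# Constructed bullet signatures: one unique trait per spammer, not per message.
BULLETS = {
    "contoso-pharmacy": {"url": "www.contoso.com"},
    "loan-phone-scam": {"phone": "555-0100"},
}


def normalize(body):
    """Undo the spammer tricks: comments and tags split words so that naive
    string matching fails; remove them, decode entities, fold whitespace and case."""
    text = COMMENT_RE.sub("", body)
    text = TAG_RE.sub("", text)
    text = html.unescape(text)
    return WS_RE.sub(" ", text).strip().lower()


def digits_only(text):
    """Phone numbers are compared on digits alone, so separators and
    zero-width characters inserted between digits do not matter."""
    return re.sub(r"\D", "", text)


def match_bullets(body, bullets=BULLETS):
    """Return the names of all bullet signatures the normalized body matches."""
    text = normalize(body)
    text_digits = digits_only(text)
    hits = []
    for name, trait in bullets.items():
        if "url" in trait and trait["url"] in text:
            hits.append(name)
        elif "phone" in trait and digits_only(trait["phone"]) in text_digits:
            hits.append(name)
    return hits


if __name__ == "__main__":
    sample = "Visit www.con<!-- x9z -->to<!-- q -->so.com today"  # constructed
    print(normalize(sample))       # visit www.contoso.com today
    print(match_bullets(sample))   # ['contoso-pharmacy']
```

Because the bullet keys on a trait the spammer cannot easily change (the URL or phone number the campaign needs the reader to act on), one signature keeps matching as the surrounding text and obfuscation vary from message to message, which is the property the slide attributes to bullets.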

  17. ASM and IMF together
     • On the same server, IMF scans before ASM
     • Each applies an SCL rating; the higher rating always wins (i.e. has more confidence)
     • Mail that is rejected, deleted or archived by IMF will not make it to ASM
     • Example: IMF archives SCL 7, 8 and 9; ASM spam threshold set to 9
     (Diagram: IMF scan, then ASM scan; mail with an IMF SCL of 0-6 continues to the mail store (Inbox or Junk E-Mail), mail with SCL 7, 8 or 9 goes to the archive folder, and if an administrator moves an archived message to the pickup folder it re-enters the flow.)

  18. Antigen Rapid Update (done by Microsoft)
     • Automated engine update process
       • Polls engine vendor website for update
       • Downloads vendor engine package
       • Expands vendor engine package
       • Creates Antigen Engine Update package containing Antigen engine adapter
       • Runs tests against virus database
       • Posts to secure Microsoft website
       • Sends engine update notifications

  19. On-site Scan Engine Updates
     • Antigen polls for engine updates
       • Administrator sets polling interval
       • Administrator can force an engine update
     • Single updating mechanism for all engines
       • New antivirus/anti-spam engine package downloaded
       • Package expanded
       • Engine tested with EICAR test virus
       • Current engine taken offline
       • New engine swapped in
       • New engine brought online
     • All updates retrieved from Microsoft (not vendors)
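The on-site update sequence above as a small state machine: the new engine is tested while the old one still serves, so a package that expanded but does not detect the test file is rejected and the live engine is never taken offline. This is an added example, not Antigen's updater. The integrity check on the downloaded package, the toy `Engine` class and the package format are assumptions, and the real EICAR test file is stood in for by a constructed `TEST_SAMPLE` string so the snippet can sit in any repository.

```python
"""Added example (not Antigen's updater): test-then-swap engine update.
The package digest check, the Engine stand-in and TEST_SAMPLE (a constructed
placeholder for the EICAR test file the slide mentions) are assumptions."""
import hashlib

# Constructed stand-in for the EICAR test string the slide refers to.
TEST_SAMPLE = b"ADDED-EXAMPLE-DETECTION-TEST-SAMPLE"


class Engine:
    """Stand-in scan engine that only knows the test sample. `broken`
    simulates a package that expanded but cannot initialise."""

    def __init__(self, version, broken=False):
        self.version = version
        self.broken = broken
        self.online = False

    def scan(self, data):
        if self.broken:
            raise RuntimeError(f"engine {self.version} failed to initialise")
        return "Test-Sample" if TEST_SAMPLE in data else None


def package_digest(package):
    """SHA-256 of the downloaded package (assumed to be published alongside it)."""
    return hashlib.sha256(package).hexdigest()


def build_engine_from_package(package):
    """Constructed 'expand the package' step: the package is 'version[;broken]'."""
    version, _, flag = package.decode().partition(";")
    return Engine(version, broken=(flag == "broken"))


class EngineSlot:
    """Holds the live engine and performs the update sequence from the slide."""

    def __init__(self, engine):
        self.current = engine
        self.current.online = True
        self.log = []

    def update(self, package, expected_digest, expand=build_engine_from_package):
        # 1. Package downloaded: verify it before expanding anything.
        if package_digest(package) != expected_digest:
            self.log.append("rejected: package digest mismatch")
            return False
        # 2. Package expanded into a candidate engine (not yet serving).
        candidate = expand(package)
        # 3. Candidate tested with the test file while the old engine still serves.
        try:
            if candidate.scan(TEST_SAMPLE) is None:
                self.log.append(f"rejected: {candidate.version} missed the test sample")
                return False
        except RuntimeError as exc:
            self.log.append(f"rejected: {exc}")
            return False
        # 4-6. Current engine taken offline, new engine swapped in and brought online.
        previous, self.current = self.current, candidate
        previous.online = False
        candidate.online = True
        self.log.append(f"swapped {previous.version} -> {candidate.version}")
        return True


if __name__ == "__main__":
    slot = EngineSlot(Engine("v1.0"))
    for pkg in (b"v2.0", b"v2.1;broken"):           # constructed packages
        slot.update(pkg, package_digest(pkg))
    slot.update(b"v3.0", "0" * 64)                   # wrong digest
    print("\n".join(slot.log), "\nlive:", slot.current.version)
```

The ordering is the point: verification and the detection test both happen before the live engine is touched, so every failure path leaves the previous engine online, and the log records why each candidate was rejected, which is the "failed engine update" condition later slides say SEM and MOM alert on.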

  20. Scanner Updates: SEM
     • Sybari Enterprise Manager (SEM) is specifically designed to distribute signatures
     • Preferred method for multi-server customers
     • SEM server downloads files, alerts remote Antigen servers, and they pull updates
     • All scheduling set on SEM server
     • Offloads update process to non-critical systems
     (Diagram: signature servers feed the SEM server over HTTP or FTP; SEM Agents on the Antigen servers pull the updates from it.)

  21. Monitoring and Reporting
     • SEM analyzes incident trends and Antigen's effectiveness in combating these incidents
     • Data stored in MSDE or SQL databases
     • Provides central monitoring
     • Outbreak configuration and alerts (SMTP/SNMP traps)
       • Set per server, groups of servers, or enterprise
       • Virus, spam and filter thresholds
       • Failed engine updates

  22. Monitoring and Reporting
     • Reports include:
       • Top X viruses detected
       • Engine update and version reports
       • Traffic reports
       • Spam, content, file filtering, and virus reports

  23. MOM Integration: Antigen Management Pack for MOM 2005
     • Over 100 events, performance counters and services monitored
       • Monitors the state of Antigen and its key components
       • Collects statistical data on scanning, detection and removal of messages and attachments
       • Polls 5 Antigen services: provides timed events to poll systems for critical process health
     • Key tasks:
       • Trigger scan engine updates
       • Centralize storage and deployment of license files
       • Import, export and deploy changes for key settings
       • Initiate and/or schedule manual scan jobs
       • Start/stop control of Antigen services

  24. Antigen E-mail Security Goals
     • Ensure protection against latest threats
       • Multiple engines, seamless updates
     • Provide minimum Exchange server performance overhead/mail latency
       • Bias settings, in-memory scanning
     • Provide integrated antivirus/anti-spam/content filtering functionality
       • Antigen/ASM/IMF integration
     • Alert administrators to outbreaks and failures
       • SEM and MOM

  25. Antigen for SharePoint (diagram: users exchange documents with the SharePoint Server, which stores them in the SQL document library)
     • Virus protection for document libraries
       • Real-time scanning of documents uploaded to and downloaded from the document library
       • Manual and scheduled scanning of the document library (supports both WSS and SPS)
     • Content policy enforcement
       • File filtering to block documents from being posted based on name match, file type or file extension
       • Content filtering by keywords within documents for inappropriate words and phrases

  26. How do viruses get to SharePoint? (diagram: users upload to the SharePoint Portal Server, which stores documents in the SQL document library; threat types shown: embedded virus, infectious macro, hot buttons, trojans, SQL based viruses)
     • Today, viruses arrive by accident, not design
       • User uploads a document with embedded payload
     • Possibly malicious user activity
       • Risk in an extranet deployment
     • Windows XP user maps a network drive to \\server\sites\teamsite
       • If a user is infected by a virus that attempts to propagate to network shares, then the virus can propagate to SharePoint sites
     • In the future, SharePoint may be explicitly targeted

  27. Why SharePoint AV?
     • Client and server AV don't solve the problem
     • Server AV may cause operational issues
       • When server-based antivirus cleans or deletes infected files, backup and restore operations can fail due to missing or changed links
       • Antigen avoids SharePoint site backup and restore failures (Smigrate.exe) by maintaining logical links to affected documents
     • Desktop AV can't clean the original infected document
       • Desktop AV may detect the infection within the cached copy but cannot clean the stored copy in the SharePoint document library
       • Antigen cleans the document in the library, ensuring all posted and downloaded documents are safe

  28. Content and File Filtering
     • Antigen document filtering targets
       • Profane language
       • Racial slurs
       • "For your eyes only" information for upper management
       • Confidential documents posted to the portal extranet
       • Out-of-policy content (MP3 or AVI files)
     • Filters documents based on name match, wild card, file type or file extension
       • Can also help eliminate new virus outbreaks before AV scan engine signature files are ready
     • Filters body content for inappropriate keywords and phrases
     • Maintains proper document versioning
       • During manual scans, deleted files can be replaced with a customizable text file to maintain proper versioning within the SharePoint Document Management System

  29. SharePoint Notification
     • Alerts/notifications via customized web parts
       • Summary
       • Detailed list

  30. Antigen for Instant Messaging (diagram: outside IM clients reach the Live Communications Server through the firewall; inside are Microsoft Office Communicator and Windows Messenger clients)
     • Detects and removes viruses in IM conversations and file transfers
     • Scans for SPIM, confidential information and inappropriate keywords in IMs and file transfers
     • Allows creation of IM policies through whitelisting and IM/SMTP notifications

  31. IM Vulnerabilities
     • Files/URLs
       • Executables, hot buttons, phishing
     • Trojan viruses
       • Steal IM info (buddy lists, passwords, log files)
       • Steal info via IM (IP addresses, system info)
       • Remote control
     • Classic worms
       • Send files to designated "buddies"
     • Blended threats
       • Use IM to find vulnerable systems and spread faster
     Quoted news item, "Worm attack forces Reuters IM offline" (published April 14, 2005, 11:22 AM PDT, CNET News.com): "Reuters has shut down its instant messaging system after suffering an onslaught from a new Kelvir worm, the company confirmed Thursday… The new variant attempted to spread by sending fake instant messages to people in contact lists on infected systems, a technique used by earlier Kelvir strains. The messages, crafted to look exactly like legitimate IM correspondence, attempted to lure people to a Web site where their computers would be infected with Kelvir, the representative said."

  32. IM Vulnerabilities
     • Inappropriate content
       • Privacy issues
       • Profanity
       • Legal risks
     • SPIM
       • Unsolicited content
       • Phishing attacks

  33. IM Virus Protection
     • File transfers and message conversations are scanned for viruses
     • Integrates with SIP (Session Initiation Protocol) to provide real-time scanning
     • Supports LCS 2005 pooling, PIC, and encrypted conversations
     • User notifications provided via Antigen IM "bot"

  34. IM Content Protection
     • Document filtering by type, size, and name
     • Content filtering by customizable keywords can be configured for message conversations and document body text
     • Whitelisting exempts IM names and addresses from content scanning of messages and documents
     • SPIM dictionary of known spam words; customers can customize with their own spam dictionary
     • Content filtering to block URLs from being sent

  35. Collaboration Security Goals
     • Ensure protection against latest threats
       • Multiple engines, seamless updates, support for SharePoint and LCS
     • Provide policy enforcement against unwanted and inappropriate content
       • File filtering and content filtering within documents and IM conversations
     • Provide integration with e-mail security for comprehensive protection across all messaging and collaboration platforms
       • Integration with Antigen for Exchange & ASM
     • Alert administrators to outbreaks and failures
       • SharePoint web parts and IM user notifications

  36. Microsoft Forefront (diagram: Client & Server OS, Server Applications, Edge) provides greater protection and control over the security of your business' network infrastructure by providing:
     • A comprehensive line of information protection and access control products
     • Integration with your existing IT infrastructure
     • Simplified deployment, management, and analysis
     • Technical and industry guidance

  37. Forefront Products (roadmap diagram: Previous, Current, H2 2006, H1 2007, H2 2007+ and 2008 columns for Client, Server and Edge products)

  38. Roadmap 2006-2007
     • New Microsoft Antigen versions
       • Full security review (SDL)
       • Localization
     • New product enhancements and features
       • MSAV engine integration (5th standard engine)
       • Antigen for SharePoint and Live Server (LCS and IM)
       • Antigen for e-mail security (E12 Exchange support)
       • ISA protection scanning and filtering

  39. Antigen v9.0 E-mail Security: New Features
     • Microsoft branding
     • Microsoft licensing
     • Enhanced support for Exchange clusters
     • Administrator notification when the current Access DB approaches 2 GB
     • Granular content notifications

  40. www.microsoft.com/antigen
