
Lee Hickin CISSP Security Specialist

Presentation transcript:

2 Lee Hickin CISSP Security Specialist lhickin@microsoft.com

3 Topics:
- What is Forefront for SharePoint
- The Forefront scan jobs
- File filtering
- Topics of interest: ZIP file behavior, performance, end-user experience, large file support, Forefront and IRM, Forefront and Office 2007

4 Forefront Security for SharePoint provides three kinds of protection:
- Antivirus scanning of files/documents
- File filtering
- Document content keyword filtering
Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0; previous SharePoint versions are supported by Antigen for SharePoint. Both 32- and 64-bit deployments are supported.

5 [Architecture diagram] Internet; SharePoint Server Farm (servers A to E); SQL Data store. Diagram labels: Distributed protection, Performance tuning, Content filtering, Central management, Microsoft AV Multi-engine Manager.

6 Forefront engine sets and other vendors: signature response times in hours. Columns: MM/YY, Virus, FF Set 1, FF Set 2, FF Set 3, FF Set 4, FF Set 5, Vendor A, Vendor B, Vendor C. Colour legend on the slide: less than 5 hours; between 5 and 24 hours; more than 24 hours. Rows as they survive in the transcript (values are two-decimal hours; where the transcript ran cells together they are split below, and "|" marks a gap the transcript left, so the column assignment is only certain for rows with all eight values):
  04/06 Mytob.NQ@mm: 1.53 1.00 | 3.07 9.93 17.35 2.10
  04/06 Mytob.NQ@mm: 1.00 1.12 1.00 | 28.07 11.57 3.52
  04/06 Spybot!04C2: 23.03 1.00 23.03 25.28 1.00 0.00 29.90 39.02
  04/06 Nugache.a: 1.00 25.45 1.00 | 34.10 12.90 48.05
  05/06 Numuen.F: 0.00 24.43 0.00 | 1.00 10.33 14.95
  05/06 Numuen.H: 1.00 31.72 1.00 | 103.83 251.85 114.78
  05/06 Numuen.G: 3.15 8.20 3.15 | 1.00 151.80 468.97
  05/06 Banwarum.C@mm: 87.47 1.00 87.47 | 1.00 116.73 72.95 129.25
  05/06 Banwarum.B@mm: 12.05 1.00 1.82 | 1.00 116.73 22.45 32.85
  05/06 Rbot!E905: 0.00 | 1,141.78 217.57 1.00
  06/06 Bagle.EG: 0.00 | 7.32 0.00
  06/06 Bagle.EH@mm: 0.00 1.25 0.00 | 18.43 0.00
  06/06 Bagle.EG@mm: 0.00 3.62 0.00 | 1.00 0.00 26.48 0.00
  06/06 Bagle.LY@mm: 0.00 | 6.40 2.47
  07/06 Feebs.gen@mm: 0.00 | 503.80
  07/06 Feebs.EU: 0.00 1.00 0.00 | 52.30 173.17 38.97
  07/06 Virut.A: 0.00 | 1,317.02

7 Forefront provides two scan jobs:
- Realtime Scan Job: scans any file being uploaded to or downloaded from SharePoint. Works with a web browser or any other application accessing SharePoint. Provides proactive protection.
- Manual Scan Job: scans all or part of a SharePoint document library on demand. Scans can be scheduled, and can use engines different from those of the Realtime scan job.

8 Realtime scanning always uses the VSAPI. Basic Realtime scan settings are configured centrally through the SharePoint interface (Central Administration, "Operations", then "Antivirus"), not through the Forefront console, which is why they are grayed out in the Forefront console. [Screenshot: click "Operations", then "Antivirus", to change the settings]

9 "Scan documents on upload" and "Scan documents on download" are separate settings that can be turned on or off; best practice is to use both.
- Scanning timeout is configurable; the default is 600 seconds.
- Number of scanning threads is configurable; the default is 10, which is also the maximum. "Threads" are actually processes that are spawned as needed.

10 When Forefront detects a virus, several Actions are available:
- Skip: detect only. Logs the presence of the virus but does not block or delete it. Not a secure setting; can be used for testing/evaluation purposes.
- Clean: repair document. Attempts to clean the file; if the file cannot be cleaned, it is blocked.

11 - Block: prevent transfer. Blocks the file from being uploaded or downloaded without attempting to clean it.
However, there is a potential conflict between the Forefront settings and the SharePoint settings (SharePoint's "attempt to clean" option versus the Forefront action). Who wins?

12 ForefrontSPVsapi64.dll is registered with SharePoint (the 32-bit version is ForefrontSPVsapi.dll). The VSAPI interface contains three methods, implemented by the DLL:
- STDMETHOD Initialize
- STDMETHOD Scan
- STDMETHOD Clean

13 STDMETHOD Initialize: SharePoint calls ForefrontSPVsapi, which returns the Forefront product string and version.
STDMETHOD Scan: SharePoint calls ForefrontSPVsapi to scan the passed-in content and return the infection status and virus information (if any). If "Attempt to Clean Infected Documents" has been selected in SharePoint, Forefront returns MSOVSI_STATUS_CLEANABLE and SharePoint then calls the Clean method; this is done to optimize performance, since detection and cleaning then happen in a single pass.

14 STDMETHOD Clean: attempts to clean the viruses detected in the file. It returns the infection status and virus information (e.g. virus name), and updates the output stream if viruses are cleaned. When the Clean method is called, ForefrontSPVsapi finds an available ForefrontRealtime process; note that a separate process is used for cleaning. If cleaning fails, the status is set to MSOVSI_STATUS_CLEAN_FAILED and the file is blocked. If cleaning succeeds, the status is set to MSOVSI_STATUS_CLEAN and the file is allowed.

15 STDMETHOD Scan, continued: if "Attempt to Clean" is not selected, Forefront passes the content to an available Forefront Realtime process. After this, the data stream can no longer be returned to SharePoint, so the file can no longer be cleaned: a cleaned file has no way back into the SharePoint data stream. Therefore only blocking is possible when "Attempt to Clean" is turned off in SharePoint.

16 STDMETHOD Scan, continued: if the Scan method returns MSOVSI_STATUS_INFECTED, SharePoint notifies the user that the file is infected and displays the virus information; the file is blocked and no attempt is made to clean it. If the content is clean, the status is set to MSOVSI_STATUS_CLEAN and the file is allowed. If the content cannot be processed because of a timeout or a failure of the scan process, the status is also set to MSOVSI_STATUS_INFECTED, so the file is blocked rather than let through unscanned.

17 [Flowchart] Document arrives:
  Is SharePoint set to Clean?
    YES: call the Clean method. Can the file be cleaned? YES: file cleaned and loaded into library. NO: file blocked.
    NO: pass to the Forefront scanner. Is the file infected? YES: file blocked. NO: file loaded into library.

18 Outcome by setting combination (SharePoint setting | Forefront setting | Result | Reported in Forefront as; "-" where the slide leaves the cell empty):
Single cleanable virus:
  Clean        | Clean | Cleaned | -
  Do not clean | Clean | Blocked | Cleaned
  Clean        | Block | Blocked | -
  Do not clean | Block | Blocked | -
ZIP file with embedded cleanable virus:
  Clean        | Clean | Cleaned | -
  Do not clean | Clean | Blocked | Cleaned
  Clean        | Block | Blocked | -
  Do not clean | Block | Blocked | -
ZIP file with embedded non-cleanable virus:
  Clean        | Clean | Infected embedded file removed | Removed
  Do not clean | Clean | Blocked | -
  Clean        | Block | Blocked | -
  Do not clean | Block | Blocked | -

19 The same matrix with the slide's notes (SharePoint setting | Forefront setting | Result | Reported in Forefront as):
Single cleanable virus:
  Clean        | Clean | Cleaned | -
  Do not clean | Clean | Blocked | Cleaned (file is still infected)
  Clean        | Block | Blocked | -
  Do not clean | Block | Blocked | Blocked (file is still infected)
ZIP file with embedded cleanable virus:
  Clean        | Clean | Cleaned | -
  Do not clean | Clean | Blocked | Cleaned (file is still infected)
  Clean        | Block | Blocked | -
  Do not clean | Block | Blocked | -
ZIP file with embedded non-cleanable virus:
  Clean        | Clean | Blocked | -
  Do not clean | Clean | Blocked | -
  Clean        | Block | Blocked | -
  Do not clean | Block | Blocked | -
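The Scan/Clean hand-off described on slides 13 to 19, written out as a small state model. This is an added example and not Forefront code: the MSOVSI_* status names are the ones the slides use, while the Sample and Outcome classes, the action constants and the process() driver are assumptions made for illustration. The one case the slides leave open (a Block action reached through the Clean method) is noted in a comment.

```python
"""The VSAPI Scan/Clean hand-off of slides 13 to 19 as a small state model.

Added example, not Forefront code. The MSOVSI_* status names are the ones the
slides use; the Sample/Outcome classes, the action constants and the driver are
assumptions. Where the slides leave a case open (a Block action inside the
Clean method) the choice made is noted in a comment.
"""
from dataclasses import dataclass

MSOVSI_STATUS_CLEAN = "MSOVSI_STATUS_CLEAN"
MSOVSI_STATUS_INFECTED = "MSOVSI_STATUS_INFECTED"
MSOVSI_STATUS_CLEANABLE = "MSOVSI_STATUS_CLEANABLE"
MSOVSI_STATUS_CLEAN_FAILED = "MSOVSI_STATUS_CLEAN_FAILED"

SKIP, CLEAN, BLOCK = "skip", "clean", "block"   # Forefront Realtime actions (slides 10-11)


@dataclass
class Sample:
    """Constructed stand-in for a document passing through the VSAPI hook."""
    name: str
    infected: bool
    cleanable: bool = False
    virus: str = ""


@dataclass
class Outcome:
    status: str
    allowed: bool
    reported_as: str    # what the Forefront console shows for the event
    virus_info: str = ""


def vsapi_scan(sample, sp_attempt_clean, ff_action, scan_failed=False):
    """STDMETHOD Scan (slides 13, 15, 16)."""
    if sp_attempt_clean:
        # SharePoint will call Clean next, so Scan answers CLEANABLE at once and
        # detection happens there in a single pass (slide 13).
        return Outcome(MSOVSI_STATUS_CLEANABLE, False, "")
    if scan_failed:
        # Timeout or scanner failure is reported as INFECTED: fail closed (slide 16).
        return Outcome(MSOVSI_STATUS_INFECTED, False, "Blocked", "scan timeout/failure")
    if not sample.infected:
        return Outcome(MSOVSI_STATUS_CLEAN, True, "")
    if ff_action == SKIP:
        # Detect only: logged, but the transfer proceeds (slide 10).
        return Outcome(MSOVSI_STATUS_CLEAN, True, "Detected", sample.virus)
    # The stream has gone to the Realtime process and cannot come back, so only
    # blocking is possible (slide 15). Slide 19 notes that the console still
    # reports "Cleaned" for the Clean action although the blocked file is infected.
    reported = "Cleaned" if ff_action == CLEAN else "Blocked"
    return Outcome(MSOVSI_STATUS_INFECTED, False, reported, sample.virus)


def vsapi_clean(sample, ff_action, scan_failed=False):
    """STDMETHOD Clean (slide 14): detect, then repair if the action allows it."""
    if scan_failed:
        return Outcome(MSOVSI_STATUS_CLEAN_FAILED, False, "Blocked", "scan timeout/failure")
    if not sample.infected:
        return Outcome(MSOVSI_STATUS_CLEAN, True, "")
    if ff_action == SKIP:
        return Outcome(MSOVSI_STATUS_CLEAN, True, "Detected", sample.virus)
    if ff_action == CLEAN and sample.cleanable:
        return Outcome(MSOVSI_STATUS_CLEAN, True, "Cleaned", sample.virus)
    # Not repairable, or the Forefront action is Block: the slides only give
    # CLEAN_FAILED as the blocking status here, so Block is treated the same
    # way (assumption).
    return Outcome(MSOVSI_STATUS_CLEAN_FAILED, False, "Blocked", sample.virus)


def process(sample, sp_attempt_clean, ff_action, scan_failed=False):
    """Drive Scan, then Clean when Scan asked for it, as the slide 17 flowchart does."""
    result = vsapi_scan(sample, sp_attempt_clean, ff_action, scan_failed)
    if result.status == MSOVSI_STATUS_CLEANABLE:
        result = vsapi_clean(sample, ff_action, scan_failed)
    return result


if __name__ == "__main__":
    doc = Sample("report.doc", infected=True, cleanable=True, virus="EICAR-Test-File")
    for sp_clean, action in [(True, CLEAN), (False, CLEAN), (True, BLOCK), (False, BLOCK)]:
        r = process(doc, sp_clean, action)
        print(f"SharePoint clean={sp_clean!s:5} Forefront={action:5} -> "
              f"{r.status:27} allowed={r.allowed!s:5} reported={r.reported_as}")
```

Running the driver reproduces the first block of the matrix: the "Do not clean" plus "Clean" combination is the one to watch, because the file is blocked while the console reports it as cleaned.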

20 When a file is deleted because it contains a virus, Forefront replaces it with a text file. The file keeps its name but gets a .txt extension. Deletion text is only used in Realtime scanning when replacing files within a ZIP file. The text file contains a configurable "Deletion Text" that can include system information. By default the deletion text reads:
  Microsoft Forefront Security for SharePoint %State% a file since it was found to be infected. File name: "%File%" Virus name: "%Virus%"

21 Manual Scan provides a tree view into the document library. All or part of the library can be selected for scanning using check boxes. The selection will not include new sites by default unless the top box is checked. Use Quick Scan to scan a particular part of the library.

22 The Manual Scan uses a combination of the VSAPI and the SharePoint object model (basically the same interface anything else uses to access a document in SharePoint). When not using the VSAPI, Forefront uses a COM object to navigate the SharePoint site(s), containers and folders and to retrieve content for scanning. Circumstances dictate which form of scanning is used.

23 The nature of the Manual Scan is determined by the Anti Virus Vendor ID (AVVendorID):
- The AV ID is the current virus engine number as understood by Forefront
- The AV ID is incremented every night during the database compaction process (2 a.m.)
- The AV ID also increments with each engine update if "Scan on Scanner Update" is activated
- The AV ID increments when SharePoint system virus settings are changed
- There is a system-wide AV ID as well as an AV ID on each particular file in the library

24 The Manual Scan is also affected by whether or not a file is marked as "infected" in the SharePoint database. This happens when a virus is detected by the Realtime Scan during a download attempt: the file is not deleted, but it is marked as "infected". In summary, the Manual Scan is affected by the system AV ID, the individual file AV ID, and the infected status of the file.

25 To view the AVVendorID, use the following syntax:
  stsadm -o getproperty -pn AVVendorID
stsadm is found in the directory \Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

26 There are problems in the VSAPI implementation of SharePoint that cause errant behavior in the Forefront Manual Scan process. Realtime scanning is not affected. This behavior needs to be understood; changes will not be in place until both SharePoint and Forefront deliver fixes: a Forefront service release is tentatively planned for August 2007 and a SharePoint service release tentatively for March 2008. The problem may be corrected earlier with hotfixes.

27 [Flowchart] If the system AV ID and the file AV ID match:
  Is the file already marked as infected?
    NO: the file is scanned by the Manual Scan (COM object).
    YES: the file is not detected by Forefront and is not scanned. This is incorrect behavior! Note that the file becomes "invisible" to Forefront.

28 [Flowchart] If the system AV ID and the file AV ID do not match:
  Is the file already marked as infected?
    YES: the file is not detected by Forefront and is not scanned.
    NO: the VSAPI is used to scan the file. Is a virus detected?
      NO: the file is scanned again by the Manual Scan Job and reported by the Manual Scan Job.
      YES: reported under the Realtime Scan Job in Forefront. This is incorrect behavior!

29 Once a file has been detected as "infected", it becomes "invisible" to the Manual Scan. Access to the file is blocked, as seen in this Program Log excerpt; the file will also be "invisible" to File Filter scans and keyword scans:
  "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document."

30 If a file has been detected as infected during download, it can no longer be removed by Forefront: user access to it is blocked, but the infected file remains in the library and has to be deleted manually. During a Manual Scan, many of the detected viruses may actually be detected by the Realtime Scan; this is especially likely when the "Scan on Scanner Update" option is used, which frequently changes the AV ID. Realize that the settings of the two scan jobs can differ.

31 Actions available to the Manual Scan:
- Skip: detect only. Logs the presence of the virus but does not block or delete it.
- Clean: repair document. Attempts to clean the file; if the file cannot be cleaned, it is deleted.
- Delete: remove infection. Deletes the file without attempting to clean it. The deleted file is replaced with a text file, which retains the original name and extension.

32 File filtering: proactive protection of SharePoint by keeping out dangerous file types (e.g. EXE, VBS, COM, PIF, SCR) and by blocking unwanted file types (e.g. MP3, AVI and other files that may present liability or storage issues). Blocks are based on file name as well as true file type, and on file size and size/type combinations.

33 SharePoint also supports file blocking, but performs only file-extension checking, which can be easily circumvented by renaming the file. If SharePoint and Forefront rules overlap, the SharePoint rule is applied first. SharePoint file blocking requires less overhead and should be used in conjunction with Forefront: block the same list of files in both places. Skip: detect mode can be used to inventory the library or to understand real-time file storage patterns.

34 Forefront can unpack and repack ZIPs and other container formats while removing the unwanted content. This works with both AV engines and file filters: the unwanted file is replaced with the deletion text, and its name is changed to original-file-name.txt. This allows protection to be maintained without disrupting the valid files.
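The container handling of slides 20 and 32 to 34, as an added example that is not Forefront code: a small file filter that blocks on extension (all SharePoint's own blocking can do) and on true file type (what Forefront adds), applied to each ZIP member, with unwanted members replaced by the deletion text under the name original-file-name.txt. The rule set, the magic-byte table, the function names and the sample archive are assumptions; the deletion-text template with its %State%, %File% and %Virus% placeholders is the default quoted on slide 20.

```python
"""Container filtering with deletion text, as slides 20 and 32-34 describe it.

Added example, not Forefront code. The rule set, the magic-byte table and the
function names are assumptions; the deletion-text template with its %State%,
%File% and %Virus% placeholders is the default quoted on slide 20.
"""
import io
import zipfile

# Default deletion text from slide 20.
DELETION_TEXT = ('Microsoft Forefront Security for SharePoint %State% a file since it was '
                 'found to be infected. File name: "%File%" Virus name: "%Virus%"')

# Name-based rule (slide 32): dangerous executables plus unwanted media.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".com", ".pif", ".scr", ".mp3", ".avi"}

# True-type rule (slide 32): leading bytes that betray a renamed file.
MAGIC = [(b"MZ", ".exe"), (b"ID3", ".mp3"), (b"RIFF", ".avi")]


def true_type(data):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def is_unwanted(name, data):
    """Block on extension (all SharePoint can do) or on true type (what Forefront adds)."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"FILE FILTER= *{ext}"
    real = true_type(data)
    if real in BLOCKED_EXTENSIONS:
        return f"FILE FILTER= *{real} (true type; named {name})"
    return None


def render_deletion_text(state, filename, virus):
    """Fill the %State%, %File% and %Virus% placeholders of the template."""
    return (DELETION_TEXT.replace("%State%", state)
            .replace("%File%", filename)
            .replace("%Virus%", virus))


def filter_container(zip_bytes):
    """Unpack, replace unwanted members with deletion text, repack.

    Returns (new_zip_bytes, incidents); incidents is a list of (member, reason).
    Nested containers are not recursed into here.
    """
    incidents = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            reason = is_unwanted(info.filename, data)
            if reason is None:
                dst.writestr(info, data)   # valid members are carried over untouched
                continue
            incidents.append((info.filename, reason))
            # Slide 34: the member becomes original-file-name.txt holding the deletion text.
            dst.writestr(info.filename + ".txt",
                         render_deletion_text("removed", info.filename, reason))
    return out.getvalue(), incidents


def build_sample_zip():
    """Constructed input: a harmless note, an EXE renamed to .pdf, and an MP3."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "quarterly figures")
        z.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 32)   # PE header, wrong extension
        z.writestr("song.mp3", b"ID3" + b"\x00" * 16)
    return buf.getvalue()


def member_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return sorted(z.namelist())


def read_member(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name).decode()


if __name__ == "__main__":
    repacked, found = filter_container(build_sample_zip())
    print(member_names(repacked))
    for name, why in found:
        print(f"Realtime scan found virus: File: {name} Incident: {why} State: Removed")
```

The renamed executable is the case slide 33 warns about: an extension-only rule lets invoice.pdf through, the true-type check does not. Nested archives would need the same pass applied recursively with a depth limit, which this example leaves out.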

35 Performance: Forefront Security for SharePoint uses the SharePoint antivirus API, which is optimized for SQL Server. Multi-threaded scanning allows up to ten documents to be scanned at the same time, minimizing end-user wait time. The scanning logic does not re-scan documents that have already been scanned.

36 To save scanning cycles, files detected once as viruses are, by default, not scanned again when users attempt to download them and the same AV ID is in place: the file is blocked, but no virus detection event appears in Forefront. Uploaded files are always scanned because their state cannot be known. If the AV ID of the file and that of the system differ, the file is rescanned.

37 When a file is blocked, the user receives an on-screen notification.

38 Due to limitations in the API, the notification always says "Virus Found" even when the block came from a file filter or a keyword filter. [Screenshot callouts: the virus information shows that it was a file filter; it is displayed as if it were a virus]

39 Forefront scans documents accessed via Explorer, but the user experience is unclear: in a download scenario the copy fails without any error (the progress screen simply disappears); in an upload scenario the copy fails with a vague error message.

40 Large file support has been added to the VSAPI in SharePoint 2007: the VSAPI hook can load and transfer pieces of the file on demand, and Forefront requests file data in chunks. The maximum file size to be scanned is 2 GB. If the file is larger than 2 GB, the ForefrontService returns MSOVSI_STATUS_INFECTED and the virus information string notes "Exceeded File Size".

41 Due to a bug in the current Forefront for SharePoint release, the "Exceeded File Size" blocking occurs for files of 128 MB instead of 2 GB. This is a known issue caused by a mistaken hard-coded parameter; it has already been identified and fixed. A hotfix has not yet been created because no customer issues have been raised; the fix will be rolled into the first Service Pack.

42 Information Rights Management: SharePoint applies RMS protection to documents at the folder level. The VSAPI decrypts documents automatically for Forefront, but only for Realtime scanning; the Manual Scan can only scan IRM-protected documents when the VSAPI is the path used (as per the AV ID discussion above).

43 The new Office 2007 DOCX document format is supported in Forefront for SharePoint: it can be scanned for viruses, file filtering and keyword filtering. The format presents specific scanning challenges due to its nature (an Office 2007 document is a ZIP container of XML parts). Current Antigen sees the Office 2007 format as a ZIP file; this will be addressed in Antigen SP1. A new XML Navigator has been added to Forefront to properly handle these formats.

44 The file filter is listed as OPENXML in the Forefront interface. The filter is not able to distinguish between Word, PowerPoint, Excel and so on, but sees all OpenXML files as the same type; they can only be distinguished by extension name (.DOCX, .PPTX, .XLSX).
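An added example, not Forefront code, that goes one step beyond what slide 44 describes: instead of trusting the extension, it reads the package's [Content_Types].xml (the first part Forefront unpacks on slide 46) and identifies Word, PowerPoint and Excel packages, including macro-enabled ones, from the main-part content type, so an extension/content mismatch can be flagged. The function names and the constructed minimal packages are assumptions; the content-type strings are the ones Office uses.

```python
"""Telling OpenXML package types apart by content rather than extension.

Added example, not Forefront code. Slide 44 says the OPENXML filter sees every
OpenXML file as one type and relies on the extension; this goes one step
further and reads the package's [Content_Types].xml to identify Word,
PowerPoint and Excel packages (and macro-enabled ones). The function names
and the constructed minimal packages are assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_CT = "application/vnd.ms-office.vbaProject"

# Main-part content types as defined by ECMA-376 / Office.
MAIN_PART_TYPES = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "docx",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml": "pptx",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml": "xlsx",
    "application/vnd.ms-word.document.macroEnabled.main+xml": "docm",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "pptm",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "xlsm",
}
DOCX_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
PPTX_CT = "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"
XLSM_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def identify_openxml(data):
    """Return (kind, has_vba) for a package, ("zip", False) for a plain ZIP,
    or None when the bytes are not a ZIP container at all."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "[Content_Types].xml" not in z.namelist():
            return ("zip", False)
        root = ET.fromstring(z.read("[Content_Types].xml"))
    kind, has_vba = "unknown", False
    for override in root.iter(f"{{{CT_NS}}}Override"):
        ct = override.get("ContentType", "")
        kind = MAIN_PART_TYPES.get(ct, kind)
        has_vba = has_vba or ct == VBA_CT
    return (kind, has_vba)


def check_upload(filename, data):
    """Compare what the extension claims with what the package really is."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    ident = identify_openxml(data)
    if ident is None:
        return f"{filename}: not a ZIP container"
    actual, has_vba = ident
    verdict = "ok" if actual == claimed else f"MISMATCH (extension says {claimed}, content is {actual})"
    if has_vba:
        verdict += "; contains a VBA project"
    return f"{filename}: {verdict}"


def build_package(main_part, main_ct, vba=False):
    """Constructed minimal package: [Content_Types].xml plus the main part."""
    overrides = [f'<Override PartName="/{main_part}" ContentType="{main_ct}"/>']
    if vba:
        overrides.append(f'<Override PartName="/vbaProject.bin" ContentType="{VBA_CT}"/>')
    ct_xml = (f'<Types xmlns="{CT_NS}">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct_xml)
        z.writestr(main_part, "<root/>")
        if vba:
            z.writestr("vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_upload("report.docx", build_package("word/document.xml", DOCX_CT)))
    print(check_upload("report.docx", build_package("ppt/presentation.xml", PPTX_CT)))
    print(check_upload("budget.xlsx", build_package("xl/workbook.xml", XLSM_CT, vba=True)))
    print(check_upload("tool.docx", b"MZ\x90\x00"))
```

Real packages carry many more Override and Default entries than these constructed ones, but the main-part lookup is the same; a package with no recognised main part comes back as "unknown" rather than being accepted.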

45 When using the file type filter, Forefront detects the OpenXML file directly, as seen in these program log entries:
  Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"
  Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: The Realtime scanner is scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
  Tue Jan 16 10:06:25 2007 ( 2492- 2620), "DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
  Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"

46 If not blocking by file type, however, Forefront explodes the file into its constituent XML parts:
  DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx"
  DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TestFile.pptx"
  DIAGNOSTIC: The Realtime scanner is uncompressing file "
  DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->[Content_Types].xml"
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->.rels"
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slide1.xml.rels"
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->presentation.xml.rels"
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slideLayout7.xml.rels"
  DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->theme1.xml"
  [and so on...]
The sample log above is heavily edited for ease of viewing.
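The program-log excerpts on slides 29, 45 and 46 are the raw material an operator has for finding what Forefront blocked and which files the Manual Scan can no longer reach. This added example, not Forefront code, parses lines of those shapes into incident records, a list of library URLs that SharePoint has marked infected (the ones slide 30 says must be deleted by hand), and a count of detected file types. The sample log is constructed from the slides' lines (the timestamps on the WARNING line and the second incident are made up for the example), and the record layout and function names are assumptions.

```python
"""Parsing Forefront Security for SharePoint program-log lines.

Added example, not Forefront code. The line shapes are taken from the log
excerpts on slides 29, 45 and 46; the sample below is constructed from them
(timestamps and the second incident are made up), and the record layout and
function names are assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = r'''Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"
Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: The Realtime scanner is scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"
Tue Jan 16 10:06:31 2007, "DIAGNOSTIC: The Realtime scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"
Tue Jan 16 10:07:02 2007, "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document."
Tue Jan 16 10:08:45 2007 ( 2492- 2501), "INFORMATION: Realtime scan found virus: Folder: Shared Documents File: archive.zip->payload.exe Incident: FILE FILTER= *.exe Scanner: FILE_FILTER_SCANNER State: Removed"
this line is not in the expected format
'''

# Outer shape: timestamp, optional "( pid- tid)", then the quoted message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})'
    r'(?: \(\s*\d+-\s*\d+\))?, "(?P<level>[A-Z]+): (?P<msg>.*)"$')
INCIDENT_RE = re.compile(
    r'Realtime scan found virus: Folder: (?P<folder>.*?) File: (?P<file>.*?) '
    r'Incident: (?P<incident>.*?) Scanner: (?P<scanner>\S+) State: (?P<state>\w+)')
BLOCKED_RE = re.compile(
    r'SPFile\.OpenBinary failed \((?P<hresult>0x[0-9A-Fa-f]+)\) on "(?P<url>[^"]+)"')
FILETYPE_RE = re.compile(r'detected a FileType of (?P<num>\d+) \((?P<name>FOBTYPE_\w+)\)')


def parse_log(text):
    """Split a program log into incidents, files the Manual Scan cannot reach,
    a count of detected file types, and lines that did not parse."""
    report = {"incidents": [], "unreachable": [], "filetypes": Counter(), "unparsed": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            report["unparsed"].append(raw)
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        if level == "INFORMATION" and (hit := INCIDENT_RE.search(msg)):
            report["incidents"].append({"time": ts, **hit.groupdict()})
        elif level == "WARNING" and (hit := BLOCKED_RE.search(msg)):
            # Slides 29/30: such files are invisible to the Manual Scan and must
            # be deleted by hand, so they are worth listing separately.
            report["unreachable"].append(hit.group("url"))
        elif level == "DIAGNOSTIC" and (hit := FILETYPE_RE.search(msg)):
            report["filetypes"][hit.group("name")] += 1
    return report


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    for inc in r["incidents"]:
        print(f'{inc["time"]}  {inc["state"]:8} {inc["file"]}  [{inc["incident"]}]')
    print("needs manual deletion:", r["unreachable"])
    print("file types seen:", dict(r["filetypes"]))
    print("unparsed lines:", len(r["unparsed"]))
```

Unparsed lines are kept rather than dropped so that a format change in the log (a new level name, a different timestamp layout) shows up as a growing unparsed count instead of silently empty reports.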

47 Summary: Forefront Security for SharePoint provides three kinds of protection:
- Antivirus scanning of files/documents
- File filtering
- Document content keyword filtering
Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0; previous SharePoint versions are supported by Antigen for SharePoint. Both 32- and 64-bit deployments are supported. Available now for production deployment!

48 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

