Published by Philippa Hunt. Modified over 10 years ago.
1
Welcome to Sommarkollo 2006
2
with a focus on Antigen for Microsoft Exchange
Microsoft Antigen
Lasse Pettersson, www.humandata.se
3
Agenda
- Antigen Solutions
- Antivirus
- Anti-spam
- Management
- Antigen for IM and SharePoint
- DEMO: installation and configuration
- Q/A
4
Antigen Solutions
- Protected platforms: Live Communications Server, SharePoint Server, Exchange Servers, ISA Server, Windows SMTP Server
- Threats covered: viruses, worms, spam (in e-mail, IM and documents)
- Approach: layered defenses, server optimization, content control
5
E-mail Antivirus Approaches
(diagram: Internet -> ISA Servers -> Windows SMTP Servers -> Exchange, with an AV engine at every tier)
Single Vendor Solution
- Same scan engine, heuristics technology and signature files on all server and client platforms
- Dependent on one AV lab for scan engine updates during virus or worm outbreaks
- Queuing and delay during engine updates on mission-critical servers (i.e. Exchange)
- Problem: single point of failure
Multi-vendor Solution
- Different scan engines, heuristics technologies and signature files on server and client platforms
- High acquisition and maintenance cost
- Added filtering complexity
- Problem: management/cost
6
Multiple Engine Management
- One vendor, multiple technologies
- Several AV engines running on the Exchange Server / Windows SMTP Server behind the Internet-facing tier
- Antivirus, antispam and policy management under one central management console
7
Antigen for Exchange
- Protects Exchange Server 5.5, 2000, and 2003
- Detects and removes viruses in e-mail messages and attachments
- Scans at the SMTP stack (most processing-intensive scans)
- Scans in real time at the Exchange Information Store
- Provides on-demand and scheduled scans of the Information Store
- Uses Microsoft-approved Virus Scanning API integration for Exchange 2000 and 2003
- Provides advanced content-filtering capabilities for messages and attachments
- Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level
(diagram: Internet -> ISA Server -> Exchange Front End -> Exchange Site 1 / Site 2, Exchange Public Folder Server and Exchange Mailbox Server)
8
Antigen Multiple Engine Manager (MEM) Bias Settings
(diagram: Scan Engine 1 to Scan Engine 4 in the engine pool)
- Max Certainty: uses all engines (100%)
- Favor Certainty: uses 75% of available engines
- Neutral: uses approximately 50% of available engines
- Favor Performance: uses 25% of available engines
- Max Performance: uses one engine for every scan
* Engines used are not always the same. They are dynamically allocated from the available pool.
9
Scanning Performance
- Scanning at both the SMTP stack and the Exchange Store
  - SMTP: provide maximum scanning protection (Max Certainty bias)
  - Exchange Store: balance security with performance (Neutral bias)
- In-memory scanning
  - Dynamic allocation of application memory improves server efficiency
  - Eliminates the burdensome process of spooling data to disk for virus scanning
- Ability to increase the number of available processes (scanning threads)
10
Antigen AV Engine Partners
- Included "in the box" (engine vendor logos)
- Additional options ($) (2)
- Coming soon: MS Antivirus
11
Worm Removal
- Fully purge all messages containing worms
  - Use the Sybari Worm List (wormprge.dat) to purge any message that matches a known worm virus
  - Create a custom Worm List with a single wildcard (*) to match all malicious code detected
  - Provide pre-emptive protection against unknown worms with a file-filter purge (size, type, extension, etc.)
- The user receives nothing, not even a notification
- Purged messages containing worms should not be quarantined
  - There is no value in the message
  - Reduces network bandwidth by removing unneeded messages
Note that with the wildcard Worm List every detection is purged silently, so a false positive from any one engine drops the message without a quarantined copy to recover from.
12
Content and File Filtering
Content filtering
- Scans messages for keywords in message body text
- Offers whitelisting for trusted senders
- Provides separate filters for inbound, outbound and internal mail
File filtering
- Blocks a specific range of potentially dangerous file types by both extension and true file type
- File types commonly blocked: EXE, COM, PIF, SCR, VBS, VBE, SHS, CHM, REG and BAT
- Unpacks and repacks ZIP files, removing only the blocked file
- Offers whitelisting for trusted senders
- Provides separate filters for inbound, outbound and internal mail
13
Antigen Message Processing (in order)
1. Spam filtering: Sender Whitelist Check, Spam Scanning, RBL Filter, Sender/Domain Filter, Subject Line Filter
2. Content filtering and body scanning
3. Attachment scanning
   - Non-archive files: Worm Scanning, File Name Filtering, Virus Scanning
   - Archive/.zip files: File Name Filtering, traverse the archive, Keyword Filtering, Virus Scanning
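The two slides above (file filtering by extension and by true file type, ZIP unpack/repack removing only the blocked member, worm purge before virus cleaning, whitelist before spam scanning) are modelled below as an added example. This is not Antigen's code; the rule tables, the two "true type" magic values, the signature strings, the worm list and the sample message are all constructed stand-ins for the real engines and wormprge.dat, chosen so the example runs offline.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Extensions the slide lists as commonly blocked. A true-file-type check is
# needed as well: a renamed executable still starts with the "MZ" DOS header.
BLOCKED_EXT = {"exe", "com", "pif", "scr", "vbs", "vbe", "shs", "chm", "reg", "bat"}
MAGIC = {b"MZ": "exe", b"ITSF": "chm"}                   # assumed subset of true-type signatures
SIGNATURES = {"netsky": b"netsky", "macro-dropper": b"autoopen"}  # constructed "virus" signatures
WORM_LIST = {"netsky"}                                    # stand-in for wormprge.dat (constructed)
SPAM_KEYWORDS = {"cheap meds", "act now"}
SENDER_WHITELIST = {"ceo@contoso.com"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict[str, bytes] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)


def true_type(data: bytes) -> str | None:
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def file_blocked(name: str, data: bytes) -> bool:
    """Block on the declared extension OR on what the bytes really are."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXT or true_type(data) in BLOCKED_EXT


def virus_scan(data: bytes) -> str | None:
    """Stand-in for the multi-engine scan: name of the first signature found in the bytes."""
    lowered = data.lower()
    return next((name for name, sig in SIGNATURES.items() if sig in lowered), None)


def filter_zip(zip_name: str, data: bytes, msg: Message) -> bytes:
    """Traverse the archive and repack it with only the blocked/infected members removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            member = zin.read(info)
            if file_blocked(info.filename, member):
                msg.log.append(f"file filter: removed {info.filename} from {zip_name}")
            elif (hit := virus_scan(member)) is not None:
                msg.log.append(f"virus scan: removed {info.filename} ({hit}) from {zip_name}")
            else:
                zout.writestr(info.filename, member)
    return out.getvalue()


def process(msg: Message) -> str:
    """Return 'spam', 'purged' or 'delivered'; attachments are cleaned in place."""
    if msg.sender in SENDER_WHITELIST:
        msg.log.append("sender whitelisted: spam scanning skipped")
    elif any(k in f"{msg.subject} {msg.body}".lower() for k in SPAM_KEYWORDS):
        msg.log.append("spam scanning: keyword hit")
        return "spam"
    # Worm purge first: a message carrying a known worm has no value, so the
    # whole message is dropped with no quarantine and no notification.
    for name, data in msg.attachments.items():
        if not name.lower().endswith(".zip") and virus_scan(data) in WORM_LIST:
            msg.log.append(f"worm purge: {name} matched worm list")
            return "purged"
    for name, data in list(msg.attachments.items()):
        if name.lower().endswith(".zip"):
            msg.attachments[name] = filter_zip(name, data, msg)
        elif file_blocked(name, data):
            msg.log.append(f"file filter: removed {name}")
            del msg.attachments[name]
        elif (hit := virus_scan(data)) is not None:
            msg.log.append(f"virus scan: removed {name} ({hit})")
            del msg.attachments[name]
    return "delivered"


def zip_members(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def sample_message() -> Message:
    """Constructed input: a zip holding a clean text file, a renamed PE file and a batch file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.txt", b"quarterly numbers")
        z.writestr("invoice.pdf", b"MZ\x90\x00 actually a PE executable")
        z.writestr("setup.bat", b"@echo off")
    return Message("partner@example.net", "Q2 report", "see attached",
                   {"report.zip": buf.getvalue(), "photo.jpg.scr": b"GIF89a not really"})


if __name__ == "__main__":
    m = sample_message()
    print(process(m), zip_members(m.attachments["report.zip"]))
    print("\n".join(m.log))
```

On the sample message the renamed `invoice.pdf` is caught by its MZ header even though its extension is allowed, `setup.bat` and `photo.jpg.scr` by extension, and the recipient still gets the zip with `report.txt` inside. The worm check runs on non-archive attachments only, matching the slide's flow, so a worm inside a zip is handled by the per-member virus scan rather than a whole-message purge.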
14
Integrated Anti-spam
- Advanced Spam Manager (ASM) option available with Antigen for SMTP Gateways or Antigen for Exchange servers
- Employs the signature-based SpamCure anti-spam engine from Mail-Filters
- Works with the heuristics-based Intelligent Message Filter (IMF)
- Real-time scanning and content filtering
- Enables administrators to create custom allow and block lists based on sender, domain and IP addresses
15
Spam Detection Methods
- SpamCure engine: the primary and most effective method (provided by a third party, Mail-Filters)
- RBL lists: support for multiple external RBL services
- Message body keywords: used more for policy management, not very effective against spam
- Mailhost filtering: blocking based on sender, domain and IP (a good supplement, but too reactive to use as the primary method)
- Whitelisting: sender whitelisting to complement spam detection
16
SpamCure
STAR Engine (Spam Tricks Analysis and Response)
- Spammer tricks are identified and neutralized
- The STAR engine removes the comments, so the normalized message can be matched against signatures
- Example from the slide: a URL broken up as "www.con to so.com" is normalized back to www.contoso.com before matching
Bullet Signature Database
- Human editors create small, targeted signatures based on specific, unique characteristics of a message (URL, phone number, specific text string, etc.)
- Targets the spammer: bullets don't catch just one spam message, they catch multiple spams from the same spammer
- A new signature is not required for each new spam message
- High catch rate with low false positives: the signature-based approach ensures highly accurate detection
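An added example of the two ideas on this slide, normalizing away the spammer's tricks and then matching small "bullet" signatures keyed on a URL or phone number. It is not Mail-Filters' STAR or SpamCure code; the set of tricks undone (HTML comments, tags, entities, zero-width characters, split words), the two bullet signatures and the contoso.com URLs and phone number are constructed for illustration.

```python
import html
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<[^>]+>")
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u00ad"), None)


def normalize(raw: str) -> str:
    """Undo the common tricks so the text looks the way the recipient sees it."""
    text = COMMENT_RE.sub("", raw)          # www.con<!-- x -->toso.com -> www.contoso.com
    text = TAG_RE.sub("", text)              # <span>/<font> splits inside words
    text = html.unescape(text)               # &#119;ww -> www
    text = text.translate(ZERO_WIDTH)        # invisible characters inside tokens
    return re.sub(r"\s+", " ", text).strip().lower()


# Bullet signatures: each targets something specific to one spammer (a URL path,
# a phone number), so one bullet catches every variant of that campaign.
BULLETS = {
    "B-1001": re.compile(r"www\.contoso\.com/(?:promo|deal)"),
    "B-1002": re.compile(r"\b1[ -]?800[ -]?555[ -]?0199\b"),
}


def match(raw: str) -> list[str]:
    """Return the sorted bullet ids that fire on the normalized message."""
    text = normalize(raw)
    squeezed = text.replace(" ", "")         # also catches "www.con to so.com"
    return sorted(b for b, rx in BULLETS.items() if rx.search(text) or rx.search(squeezed))


if __name__ == "__main__":
    print(match("Visit <b>www.con<!--zzz-->to<!-- -->so.com/pr<span>omo</span></b> now"))
```

The point is the order: signatures are matched against the normalized text, never the raw bytes, which is why a small signature keyed on one URL path keeps catching the campaign however the spammer chops the URL up.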
17
ASM and IMF together
- On the same server, IMF scans before ASM
- Each applies an SCL rating; the higher rating always wins (i.e. has more confidence)
- Mail that is rejected, deleted or archived by IMF will not make it to ASM
Example: IMF archives SCL 7, 8 and 9; ASM spam threshold set to 9
(diagram: IMF Scan -> if SCL is 7, 8 or 9 -> Archive Folder (-> Pickup Folder if the admin moves the message); IMF SCL of 0-6 -> ASM Scan -> Mail Store -> Inbox or Junk E-mail)
18
Antigen Rapid Update (done by Microsoft)
Automated engine update process:
- Polls the engine vendor website for updates
- Downloads the vendor engine package
- Expands the vendor engine package
- Creates an Antigen Engine Update package containing the Antigen engine adapter
- Runs tests against the virus database
- Posts to a secure Microsoft website
- Sends engine update notifications
19
On-site Scan Engine Updates
- Antigen polls for engine updates; the administrator sets the polling interval and can force an engine update
- Single updating mechanism for all engines
- Update sequence: new antivirus/anti-spam engine package downloaded; package expanded; engine tested with the EICAR test virus; current engine taken offline; new engine swapped in; new engine brought online
- All updates retrieved from Microsoft (not vendors)
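The part of that sequence a practitioner most wants to see is the gate: a new engine only replaces the live one after it passes the EICAR test, and a package that fails stays out while the current engine keeps running. The code below is an added example of that fail-closed swap, not Antigen's update code; the Engine and EngineSlot types, the three sample packages and the event strings are constructed stand-ins (download and expand are left out of the model).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# The EICAR test string, assembled from two halves so that this source file is
# not itself flagged by a desktop scanner that reads it.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + r"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()
CLEAN = b"quarterly numbers, nothing to see here"


@dataclass
class Engine:
    """Constructed stand-in for one vendor's scan engine package."""
    vendor: str
    version: str
    detect: Callable[[bytes], bool]     # True when the engine flags the buffer
    online: bool = False


def self_test(engine: Engine) -> bool:
    """The gate on the slide: the engine must flag EICAR and must not flag a clean buffer."""
    try:
        return engine.detect(EICAR) is True and engine.detect(CLEAN) is False
    except Exception:                    # a crashing engine also fails the gate
        return False


@dataclass
class EngineSlot:
    """The live engine for one vendor, plus the swap procedure."""
    current: Engine
    events: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.current.online = True

    def update(self, package: Engine) -> bool:
        """Everything from the EICAR test onward; returns True only if the swap happened."""
        if not self_test(package):
            self.events.append(
                f"update failed: {package.vendor} {package.version} failed the EICAR test; "
                f"{self.current.version} stays online")
            return False
        old = self.current
        old.online = False                   # take current engine offline
        package.online = True                # bring new engine online
        self.current = package               # swap
        self.events.append(f"{old.vendor}: {old.version} -> {package.version}")
        return True


def good_engine(version: str) -> Engine:
    return Engine("VendorA", version, lambda data: b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data)


def broken_engine(version: str) -> Engine:
    # Models a bad package: a detect routine that never fires (e.g. missing signature files).
    return Engine("VendorA", version, lambda data: False)


def noisy_engine(version: str) -> Engine:
    # Models a package that flags everything, which would purge every message it scanned.
    return Engine("VendorA", version, lambda data: True)


if __name__ == "__main__":
    slot = EngineSlot(good_engine("4.1"))
    for pkg in (broken_engine("4.2"), noisy_engine("4.2"), good_engine("4.3")):
        slot.update(pkg)
    print("\n".join(slot.events), "\nlive:", slot.current.version)
```

Testing the clean buffer as well as EICAR is the extra check worth keeping: an engine that flags everything passes a pure EICAR test yet, combined with the wildcard worm purge on the earlier slide, would silently drop all mail. The "update failed" events are what the failed-engine-update alerts in SEM and MOM on the later slides would carry.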
20
Scanner Updates: SEM
- Sybari Enterprise Manager (SEM) is specifically designed to distribute signatures
- Preferred method for multi-server customers
- The SEM server downloads the files, alerts the remote Antigen servers, and they pull the updates (via the SEM Agent, over HTTP or FTP)
- All scheduling is set on the SEM server
- Offloads the update process to non-critical systems
(diagram: signature servers -> SEM server -> Antigen servers running the SEM Agent)
21
Monitoring and Reporting
- SEM analyzes incident trends and Antigen's effectiveness in combating these incidents
- Data stored in MSDE or SQL databases
- Provides central monitoring
- Outbreak configuration and alerts (SMTP/SNMP traps)
  - Set per server, groups of servers, or enterprise
  - Virus, spam and filter thresholds
  - Failed engine updates
22
Monitoring and Reporting
Reports include:
- Top X viruses detected
- Engine update and version reports
- Traffic reports
- Spam, content, file filtering, and virus reports
23
MOM Integration: Antigen Management Pack for MOM 2005
- Over 100 events, performance counters and services monitored
- Monitors the state of Antigen and its key components
- Collects statistical data on scanning, detection and removal of messages and attachments
- Polls 5 Antigen services; provides timed events to poll systems for critical process health
Key tasks:
- Trigger scan engine updates
- Centralize storage and deployment of license files
- Import, export and deploy changes for key settings
- Initiate and/or schedule manual scan jobs
- Start/stop control of Antigen services
24
Antigen E-mail Security Goals
- Ensure protection against the latest threats: multiple engines, seamless updates
- Provide minimum Exchange server performance overhead/mail latency: bias settings, in-memory scanning
- Provide integrated antivirus/anti-spam/content filtering functionality: Antigen/ASM/IMF integration
- Alert administrators to outbreaks and failures: SEM and MOM
25
Antigen for SharePoint
Virus protection for document libraries
- Real-time scanning of documents uploaded to and downloaded from the document library
- Manual and scheduled scanning of the document library (supports both WSS and SPS)
Content policy enforcement
- File filtering to block documents from being posted based on name match, file type or file extension
- Content filtering by keywords within documents for inappropriate words and phrases
(diagram: users <-> SharePoint Server <-> SQL document library)
26
How do viruses get to SharePoint?
- Today, viruses arrive by accident, not by design
  - A user uploads a document with an embedded payload
  - Possibly malicious user activity; a risk in an extranet deployment
  - A Windows XP user maps a network drive to \\server\sites\teamsite; if that user is infected by a virus that attempts to propagate to network shares, the virus can propagate to the SharePoint sites
- In the future, SharePoint may be explicitly targeted
(diagram: users -> SharePoint Portal Server -> SQL document library; threats shown: embedded virus, infectious macro, hot buttons, Trojans, SQL-based viruses)
27
Why SharePoint AV?
Client and server AV don't solve the problem:
- Server AV may cause operational issues. When server-based antivirus cleans or deletes infected files, backup and restore operations can fail due to missing or changed links. Antigen avoids SharePoint site backup and restore failures (Smigrate.exe) by maintaining logical links to affected documents.
- Desktop AV can't clean the original infected document. Desktop AV may detect the infection within the cached copy but cannot clean the stored copy in the SharePoint document library. Antigen cleans the document in the library, ensuring all posted and downloaded documents are safe.
28
Content and File Filtering
Antigen document filtering targets:
- Profane language
- Racial slurs
- "For your eyes only" information for upper management
- Confidential documents posted to the portal
- Extranet out-of-policy content (MP3 or AVI files)
Filtering:
- Filters documents based on name match, wildcard, file type or file extension
- Can also help eliminate new virus outbreaks before AV scan engine signature files are ready
- Filters body content for inappropriate keywords and phrases
- Maintains proper document versioning: during manual scans, deleted files can be replaced with a customizable text file to maintain proper versioning within the SharePoint Document Management System
29
SharePoint Notification
- Alerts/notifications via customized web parts (summary and detailed list views)
30
Antigen for Instant Messaging
- Detects and removes viruses in IM conversations and file transfers
- Scans for SPIM, confidential information and inappropriate keywords in IMs and file transfers
- Allows creation of IM policies through whitelisting and IM/SMTP notifications
(diagram: Microsoft Office Communicator and Windows Messenger clients <-> Live Communications Server <-> firewall <-> outside IM clients)
31
IM Vulnerabilities
- Files/URLs: executables, hot buttons, phishing
- Trojan viruses: steal IM info (buddy lists, passwords, log files); steal info via IM (IP addresses, system info); remote control
- Classic worms: send files to designated "buddies"
- Blended threats: use IM to find vulnerable systems and spread faster

"Worm attack forces Reuters IM offline" (CNET News.com, published April 14, 2005, 11:22 AM PDT): "Reuters has shut down its instant messaging system after suffering an onslaught from a new Kelvir worm, the company confirmed Thursday... The new variant attempted to spread by sending fake instant messages to people in contact lists on infected systems, a technique used by earlier Kelvir strains. The messages, crafted to look exactly like legitimate IM correspondence, attempted to lure people to a Web site where their computers would be infected with Kelvir, the representative said."
32
IM Vulnerabilities
- Inappropriate content: privacy issues, profanity, legal risks
- SPIM: unsolicited content, phishing attacks
33
IM Virus Protection
- File transfers and message conversations are scanned for viruses
- Integrates with SIP (Session Initiation Protocol) to provide real-time scanning
- Supports LCS 2005 pooling, PIC, and encrypted conversations
- User notifications provided via the Antigen IM "bot"
34
IM Content Protection
- Document filtering by type, size, and name
- Content filtering by customizable keywords can be configured for message conversations and document body text
- Whitelisting exempts IM names and addresses from content scanning of messages and documents
- SPIM dictionary of known spam words; customers can customize it with their own spam dictionary
- Content filtering to block URLs from being sent
35
Collaboration Security Goals
- Ensure protection against the latest threats: multiple engines, seamless updates, support for SharePoint and LCS
- Provide policy enforcement against unwanted and inappropriate content: file filtering and content filtering within documents and IM conversations
- Provide integration with e-mail security for comprehensive protection across all messaging and collaboration platforms: integration with Antigen for Exchange and ASM
- Alert administrators to outbreaks and failures: SharePoint web parts and IM user notifications
36
Microsoft Forefront provides greater protection and control over the security of your business' network infrastructure by providing:
- A comprehensive line of information protection and access control products
- Integration with your existing IT infrastructure
- Simplified deployment, management, and analysis
- Technical and industry guidance
(diagram: Client & Server OS, Edge, Server Applications)
37
Forefront Products
(timeline: previous and current Client, Server and Edge products across H2 2006, H1 2007, H2 2007+ and 2008)
38
Roadmap 2006-2007
- New Microsoft Antigen versions: full security review (SDL), localization, new product enhancements and features
- MSAV engine integration: 5th standard engine
- Antigen for SharePoint and Live Server (LCS and IM)
- Antigen for e-mail security (E12 Exchange support)
- ISA protection: scanning and filtering
39
Antigen v9.0 Email Security: New Features
- Microsoft branding
- Microsoft licensing
- Enhanced support for Exchange clusters
- Administrator notification when the current Access DB approaches 2 GB
- Granular content notifications
40
www.microsoft.com/antigen
41
© 2005-06 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.