1 / 48

Protection and Control for Collaboration Servers Microsoft Forefront Security for SharePoint

Protection and Control for Collaboration Servers Microsoft Forefront Security for SharePoint. Lee Hickin CISSP Security Specialist lhickin@microsoft.com. Agenda. What is Forefront for SharePoint The Forefront Scan Jobs File filtering Topics of Interest ZIP file behavior Performance

hong
Download Presentation

Protection and Control for Collaboration Servers Microsoft Forefront Security for SharePoint

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Protection and Control for Collaboration ServersMicrosoft Forefront Security for SharePoint Lee Hickin CISSP Security Specialist lhickin@microsoft.com

  2. Agenda • What is Forefront for SharePoint • The Forefront Scan Jobs • File filtering • Topics of Interest • ZIP file behavior • Performance • End user experience • Large file support • Forefront and IRM • Forefront and Office 2007

  3. General information • Forefront Security for SharePoint provides three kinds of protection • Antivirus scanning of files/documents • File filtering • Document content keyword filtering • Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0 • Previous SharePoint versions supported by Antigen for SharePoint • Supports both 32- and 64-bit deployments

  4. Multi-engine Manager Microsoft AV Internet A B SharePoint Server Farm C Distributed protection Performance tuning Content filtering Central management D E SQL Data store

  5. Recent AV-Test.org results = less than 5 hours = bet 5 and 24 hours = more than 24 hours • Forefront engine sets and other vendors

  6. Forefront antivirus scanning • Forefront provides two scan jobs • Realtime Scan Job – scans any files being uploaded to or downloaded from SharePoint • Works with web browser or any other application accessing SharePoint • Provides proactive protection • Manual Scan Job – Scans all or part of SharePoint document library on demand • Scans can be scheduled • Can be used to scan with engines different than Realtime scan job

  7. The Forefront Realtime Scan Job • Realtime scanning always uses the VSAPI • Basic Realtime scan settings are centrally configured through the SharePoint interface, not the Forefront console • This is why they are grayed out in the Forefront console Then click “Operations,” followed by “Antivirus” Click here to change settings

  8. SharePoint antivirus system settings • Scan documents on upload and Scan documents on download are separate settings that can be turned on or off • Best practices is to use both • Scanning Timeout is configurable • Default is 600 seconds • Number of scanning threads is configurable • Default is 10 threads, which is also the maximum • “Threads” are actually processes that will be spawned as needed

  9. Forefront virus detection actions • When Forefront detects a virus, several Actions are available • Skip: detect only – logs presence of virus but does not block or delete it • Not a secure setting! • Can be used for testing/evaluation purposes • Clean: repair document – Attempts to clean the file. If file cannot be cleaned, it is blocked.

  10. Forefront virus detection actions • Block: prevent transfer – blocks file from being uploaded or downloaded without attempting to clean it • However, there is potential conflict between Forefront settings and SharePoint settings! SharePoint settings Forefront settings Who wins?

  11. VSAPI workflow • The ForefrontSPVsapi64.dll is registered with SharePoint • 32-bit version is ForefrontSPVsapi.dll • VSAPI interface contains three methods that are implemented by the dll • STDMETHOD Initialize • STDMETHOD Scan • STDMETHOD Clean

  12. VSAPI Interface details • STDMETHOD Initialize • SharePoint calls the ForefrontSPVsapi which returns the Forefront product string and version • STDMETHOD Scan • SharePoint calls the ForefrontSPVsapi to scan the passed in content and return the infection status and virus information (if any) • If “Attempt to Clean Infected Documents” has been selected in SharePoint, then Forefront returns MSOVSI_STATUS_CLEANABLE • SharePoint then calls the Clean Method to optimize performance

  13. VSAPI Interface details • STDMETHOD Clean • The Clean Method attempts to clean detected viruses found in files • It returns the infected status, virus information (e.g. virus name) and updates the output stream if viruses are cleaned • When Clean Method is called, ForefrontSPVsapi finds an available ForefrontRealtime process • Note that a separate process is called for cleaning • If the clean process fails, it is set to MSOVSI_STATUS_CLEAN_FAILED, and file is blocked • If the clean process succeeds, it is set to MSOVSI_STATUS_CLEAN, and file is allowed

  14. VSAPI Interface details • STDMETHOD Scan continued… • If “Attempt to Clean” is not selected, Forefront passes the content to an available Forefront Realtime process. • After this, the data stream can no longer be returned to SharePoint • At this point, files can no longer be cleaned because a cleaned file has no way to return to the SharePoint data stream • Therefore, only blocking is allowed if “Attempt to Clean” is turned off in SharePoint

  15. VSAPI Interface details • STDMETHOD Scan continued… • If the Scan Method returns MSOVIS_STATUS_INFECTED SharePoint notifies the user that the file is infected and displays virus information • File is blocked • No attempt is made to clean the file • If the content is clean, the status is set to MSOVSI_STATUS_CLEAN • File is allowed • If content cannot be processed due to time out or failure of the scan process, it is set to MSOVIS_STATUS_INFECTED

  16. Scanning decision tree IsSharePoint set toClean? DOCUMENT NO Pass to the Forefront scanner YES Call the Cleaning Method Is the file infected? YES NO Can file be cleaned? YES NO File blocked File loaded into library File cleaned and loaded into library File blocked

  17. Specific file behaviors on upload

  18. Specific file behaviors on download

  19. Realtime virus deletion text • When a file is deleted because it contains a virus, Forefront replaces it with a text file • File keeps name but gets a .txt extension • Deletion text is only used in Realtime scanning when replacing files within a ZIP file • The text file contains a configurable “Deletion Text” that can include system information • By default, the deletion text reads: Microsoft Forefront Security for SharePoint %State% a file since it was found to be infected. File name: "%File%“ Virus name: "%Virus%”

  20. Forefront Manual Scan Job • Manual Scan provides tree-view into document library • All or part of the library can be setfor scanning by using check boxes • Settings will not include new sites by default unless the top box is checked • Use Quick Scan to scan a particular part of the library

  21. Forefront Manual Scan Job • The Manual Scan uses a combination of the VSAPI and the SharePoint object model • Basically the same interface anything else uses to access a document in SharePoint • When not using the API, Forefront uses a COM object to navigate the SharePoint site(s), containers, folders and to retrieve content for scanning • Circumstances dictate which form of scanning will be used

  22. Forefront Manual Scan Job • The nature of the Manual Scan is determined by the Anti Virus Vendor ID (AVVendorID) • The AV ID is the current virus engine number as understood by Forefront • The AV ID is incremented every night during the database compaction process (2 a.m.) • The AV ID will also increment with each engine update if “Scan on Scanner Update” is activated • The AV ID increments when SharePoint system virus settings are changed • There is both a system-wide AV ID as well as an AV ID on each particular file in the library

  23. Forefront Manual Scan Job • The Manual Scan is also impacted by whether or not a file is listed as “infected” in the SharePoint database • This occurs when a virus is detected by the Realtime Scan during a download attempt • The file is not deleted, but it is marked as “infected” • Summarizing, the manual scan is impacted by • The system AV ID • The individual file AV ID • The infected status of the file

  24. Sidebar: viewing the AVVendorID • To view the AVVEndorID, use the following syntax: • stsadm –o getproperty –pnAVVendorID • Found in the directory: \Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

  25. Forefront Manual Scan Job • There are problems in the VSAPI implementation of SharePoint that cause errant behavior in the Forefront Manual Scan process • Realtime Scanning is not affected • This behavior needs to be understood • Changes will not be implemented until both SharePoint and Forefront deliver fixes • Forefront service release tentative for August 2007 • SharePoint service release tentatively planned for March, 2008 • Problem may be corrected earlier with Hot Fixes

  26. Manual Scanning decision tree • If the System AV ID and File AV ID match Document AV ID matches system AV ID This is incorrect behavior! Note that the file becomes “invisible” to Forefront. Is file already marked as infected? YES NO Scanned by the Manual Scan (COM object) The file is not detected by Forefront and is not scanned

  27. Manual Scanning decision tree Is file already marked as infected? • If the System and File AV IDs do not match The file is not detected by Forefront and is not scanned Document AV ID does not match system AV ID YES NO This is incorrect behavior! VSAPI used to scan file Is a virus detected? Reported under Realtime Scan Job in Forefront NO YES Scanned again by Manual Scan Job Reported by Manual Scan Job

  28. Impact of API issues • Once a file has been detected as “infected,” it becomes “invisible” to the Manual Scan • Access to the file is blocked, as seen in this Program Log excerpt • The file will also be “invisible” to File Filter scans and keyword scans "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document.”

  29. Impact of API issues • If a file has been detected as infected during download, it can no longer be removed by Forefront • User access to it will be blocked, but the infected file remains in the library • You would have to manually delete it • During a Manual Scan, many detected viruses may actually be detected by the Realtime Scan • This is especially likely if the Scan on Scanner Update option is used which frequently toggles the virus ID • Realize that scan job settings can be different

  30. Manual Scan Virus detection actions • Actions available to Manual Scan • Skip:detect only – logs presence of virus but does not block or delete it • Clean:repair document – Attempts to clean the file. If file cannot be cleaned, it is deleted • Delete:remove infection – deletes the file without attempting to clean it • Replaces deleted file with text file • File retains name and extension

  31. File Filtering • Proactive protection of SharePoint by keeping out dangerous file types • E.g. EXE, VBS, COM, PIF, SCR, etc. • Used to block unwanted file types • E.g. MP3, AVI, and other files that may present liability or storage issues • Blocks based on file name as well as true file type • Blocks based on file size and size/type combinations

  32. File Filtering • SharePoint also supports file blocking, but performs only file extension checking • Can be easily circumvented by changing the extension • If SharePoint and Forefront rules overlap, SharePoint rule is applied first • SharePoint file scanning requires less overhead and should be used in conjunction with Forefront • Block the same list of files in both places • Skip:detect mode can be used to inventory the library or understand real-time file storage patterns

  33. ZIP file behavior • Forefront can unpack and repack ZIPs and other container formats while removing the unwanted content • Works with both AV engines and file filters • Unwanted file is replaced with deletion text • File name changed to original-file-name.txt • This allows protection to be maintained without disrupting the valid files

  34. Performance features • Forefront Security for SharePoint uses the SharePoint anti-virus API which is optimized for SQL server • Multi-threaded scanning allows up to ten documents to be scanned at the same time • Minimizes end user wait time • Scanning logic does not re-scan documents that have already been scanned

  35. Performance features • To save scanning cycles, files detected once as viruses are, by default, not scanned again when users attempt to download them and the same AV ID is in place • The file will be blocked, but you will not see a virus detection event listed in Forefront • Uploaded files are always scanned because their state cannot be known • However, if the AV ID of the file and the system are different, the file is rescanned

  36. End user experience • When a file is blocked, the user receives an on-screen notification.

  37. End user experience • Due to limitations in the API, the notification always says Virus Foundeven when using a file filter or keyword filter Displays as if a virus Shows that it was a file filter

  38. Mapped drive support • Forefront scans documents accessed via Explorer, but the user experience is unclear In an upload scenario, the copy fails with a vague error message In a download scenario, the copy fails without any error – progress screen disappears

  39. Large File Support • Large file support has been added to the VSAPI in SharePoint 2007 • The VSAPI hook can load and transfer pieces of the file on demand • Forefront requests file data in chunks • Maximum file size to be scanned is 2 GB • If the file is larger than 2 GB, then the ForefrontService will return a value of MSOVSI_STATUS_INFECTED • The Virus Information string will note “Exceeded File Size”

  40. Large File Support Bug • Due to a bug in the current Forefront for SharePoint release, the “Exceeded File Size” blocking occurs at files of 128MB insteadof 2 GB • This is a known issue based on a mistaken hard-coded parameter • Has already been identified and fixed • A hotfix has not yet been created because there have been no customer issues raised yet • Fix will be rolled into the first Service Pack

  41. Forefront and IRM • Information Rights Management applies RMS protection on documents on a per folder level, enforced by SharePoint • VSAPI will decrypt documents automatically for Forefront • Only applies to Realtime scanning • Manual Scan can only scan IRM protected documents when VSAPI is called (as per previous discussion)

  42. Forefront and Office 2007 • New Office DOCX document format supported in Forefront for SharePoint • Can be scanned for viruses, file filtering, keyword filtering • Format presents specific scanning challenges due to nature of format • Current Antigen sees the Office 2007 format as a ZIP file • Will be addressed in Antigen SP1 • A new XML Navigator has been added to Forefront to properly handle these formats

  43. Forefront and Office 2007 • File Filter listed as OPENXML in Forefront interface • Filter is not able to distinguishbetween Word, Powerpoint, Excel,and so on, but sees all OpenXML files as the same type • They can be distinguished by extension name • .DOCX • .PPTX • .XLSX

  44. Forefront and Office 2007 • When using the file type filter, Forefront detects it directly, as seen in this program log entry: Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)" Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: The Realtime scanner is scanning the file named “TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine" Tue Jan 16 10:06:25 2007 ( 2492- 2620), "DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine" Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"

  45. Forefront and Office 2007 • If not blocking by file type, however, Forefront explodes the file into constituent XML parts DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx" DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TestFile.pptx" DIAGNOSTIC: The Realtime scanner is uncompressing file " DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->[Content_Types].xml" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->.rels" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slide1.xml.rels" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->presentation.xml.rels" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slideLayout7.xml.rels" DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->theme1.xml[and so on…] Above sample log is highly edited for ease of viewing.

  46. Summary • Forefront Security for SharePoint provides three kinds of protection • Antivirus scanning of files/documents • File filtering • Document content keyword filtering • Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0 • Previous SharePoint versions supported by Antigen for SharePoint • Supports both 32- and 64-bit deployments • Available now for production deployment !

  47. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related