Antigen Threat and Vulnerability Mitigation Technologies
Erik De Bondt, Sr. Technology and Solutions Advisor, Microsoft Belgium and Luxembourg
Credits: Peter Eicher, Senior Product Manager
Session Objectives And Key Takeaways
• Session Objective(s):
  • Gain a detailed understanding of the scanning processes used in Antigen
  • Understand the various filtering options in Antigen and how they work
• Key Takeaways
  • Knowledge of the SMTP and VSAPI scanning processes
  • Knowledge of Antigen performance
  • Knowledge of Antigen file filtering
Antigen Overview
• Antigen is anti-virus, anti-spam, content and file filtering software protecting email at the SMTP layer and the Exchange store
• Uses multiple anti-virus engines
  • Kaspersky Lab
  • Norman Data Defense
  • Sophos
  • Virus Busters
  • AhnLabs
  • Authentium Command
  • CA InoculateIT
  • CA VET
• Engines in highlighted italics are default engines
• The MS Antivirus engine will be provided in the first Microsoft-branded version of Antigen
Agenda
• SMTP Scanning
  • Windows SMTP Event Sinks
  • SMTP Scanning Direction
  • SMTP Scanning Order
SMTP Scanning: Windows SMTP Event Sinks
• Simple Mail Transport Protocol service
  • Provides Internet Mail processing
  • Provided by Windows 2000 & Windows Server 2003
  • Has extensible Event Sink architecture
• Protocol Event Sink
  • Occurs during the SMTP protocol conversation
  • Antigen uses it to capture authenticated connection information
• Transport Event Sink
  • Occurs after the SMTP message is received and is being processed by the SMTP service
  • Antigen uses it to scan & update the message
SMTP Scanning: Windows SMTP Event Sinks (diagram: Antigen Protocol Event Sink; Antigen Transport Event Sink)
SMTP Scanning: SMTP scanning direction
• Antigen provides three directions of scanning
  • Inbound – all messages relayed through an external server (i.e. Internet mail)
  • Outbound – any message where at least one recipient has an external address (not from your domains)
  • Internal – messages routed from one location within your organization to another
    • All recipients must be within your domain or else the message is treated as Outbound
• The General Options panel has an Internal Address field to enter all internal domain information
SMTP Scanning: SMTP scanning order
• Filters are applied in a specific sequence
• Designed for maximum performance
• Spam Filtering
  • Allowed Sender Checks
  • Spam Scanning
  • RBL Filter
• Content Filtering
  • Sender/Domain Filter
  • Subject Line Filter
• Attachment Scanning
  • Non-Archive Files:
    • Worm Scanning
    • File Filtering
    • Virus Scanning
  • Archive Files:
    • File Filtering
    • Traverse the archive
• Body Scanning
  • Keyword Filtering
  • Virus Scanning
Agenda
• Exchange Store Scanning
  • Exchange VSAPI 2.5
  • Background Scanning
  • Proactive Scanning
  • On-access Scanning
  • Antigen VSAPI Implementation
  • Antigen General Options
Exchange Store Scanning: Exchange VSAPI 2.5
• Virus Scanning API v 2.5
  • Provided by Exchange 2000 and Exchange 2003
• Allows 3rd party products to “hook” into Exchange to scan message bodies and attachments
• Provides Single Instance scanning
• Marks messages scanned in an Exchange database table
Exchange Store Scanning: Exchange VSAPI 2.5
• VSAPI v 2.5 uses Global Thread Pooling to optimize server performance
• The default number of scanning threads is 2 * <number of processors> + 1
• Number of threads is listed in the registry:
  • HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\ScanningThreads
• AV vendors may override this setting
  • Antigen does – details ahead
Exchange Store Scanning: Exchange VSAPI 2.5
• VSAPI provides three scanning modes
  • Background scanning – runs actively in the background looking for items that have not been scanned
  • Proactive scanning – scans as items are submitted to the Exchange store
  • On-access scanning – scans when a message is accessed. Also referred to as Real-time scanning
Exchange Store Scanning: VSAPI Background Scanning
• Uses one thread per database
• Runs at below normal priority
• Thread is activated when the store service is started and each time the virus scanning DLL is reloaded
• Checks to see which folders have been scanned with the current version of AV software and re-scans if needed
• Uses the ptagVirusScannerStamp to track AV version level
Exchange Store Scanning: VSAPI Proactive Scanning
• As messages are submitted to the Exchange store, they enter the global scanning queue
  • Items enter as low priority
  • Maximum of 30 entries in the queue
  • Scanned on a first in, first out (FIFO) basis
  • Overflow messages will go to the store unscanned
  • If an item is accessed while in queue, it is changed to high priority
Exchange Store Scanning: VSAPI On-access Scanning
• When a message is accessed, the virus scanning stamp is checked
  • If the item has been scanned by the most up-to-date AV version, it is not scanned
  • If the AV version has changed:
    • Access to the item is blocked
    • The message is submitted to the Global Scanning Queue with high priority
    • When the AV scan is completed, the item can be opened
Exchange Store Scanning: Antigen VSAPI implementation
• Background Scanning
  • Turned off by default in Antigen for performance reasons
    • Given the frequency of engine updates in Antigen, this would create a large amount of re-scans
  • Antigen provides manual and scheduled scanning to allow re-scanning of the store
    • Offers better granularity and control
  • The VSAPI background options can be turned on via settings in the General Options panel
Exchange Store Scanning: Antigen VSAPI implementation
• Proactive Scanning
  • Works the same as VSAPI except…
    • Antigen manages the number of scanning threads via its own registry key and the AntigenRealtime.exe process
    • Default is two scanning threads per storage group
    • May be increased to four via registry key
      • HKLM\Software\Sybari Software\Antigen for Exchange\RealtimeProcessCount
  • Antigen “Realtime Scan Job” refers to the VSAPI Proactive Scan
Exchange Store Scanning: Antigen VSAPI implementation
• On-access Scanning
  • Antigen disables re-scanning on every change of scanner
    • Done for performance reasons due to the frequency of engine updates
  • The VSAPI on-access options can be turned on via settings in the General Options panel
  • Antigen “Realtime Scan Job” includes the VSAPI on-access scanning
Exchange Store Scanning: Antigen General Options
• Scan on ScanJob update
  • Will rescan previously scanned files if Scan Job settings are changed, e.g. Bias settings or engine choices changed
• Enable Background Scan if ‘Scan on ScanJob Update’ Enabled
  • Will initiate a background scan every time a ScanJob setting is changed
Exchange Store Scanning: Antigen General Options
• Scan on Scanner Update
  • Will rescan previously scanned files if any scan engine has updated since the last time the message was scanned (includes on-access and proactive)
• Enable Background Scan if ‘Scan on Scanner Update’ Enabled
  • Will initiate a background scan every time a scan engine is updated
Agenda
• In Memory Scanning
  • Overview
  • Limitations
  • Size Restriction Settings
In Memory Scanning: Overview
• Antigen uses memory space to open attachments, rather than spooling to disk
  • Delivers faster performance
• Memory is dynamically allocated based on the size of the message and attachment
(diagram: EXE Memory Allocation Scanning Process; labels: EXE 432kb, Available Memory Pool, Return to Pool)
In Memory Scanning: Limitations
• Antigen uses a maximum of 3GB of memory
  • This is the largest available addressable memory space in a 32-bit system
    • 4GB total, but 1GB is reserved for the OS
• What happens if the file size exceeds the amount of available memory?
  • There are various configurable settings to handle this…
In Memory Scanning: Size restriction settings
• Maximum container file size: the largest container file size Antigen will attempt to clean or repair in the event that it discovers an infected or corrupted file
  • 26 MB by default
  • Antigen will report deleted files as a “LargeInfectedContainerFile” virus
  • Can be set in General Options
In Memory Scanning: Size restriction settings
• Maximum nested attachments: the maximum number of nested attachments that can appear in MSG, TNEF, MIME, and Uuencoded files
  • The default is 30
  • If the maximum is exceeded, the file is marked for deletion and Antigen will send a notification stating that an “ExceedinglyNested” virus was found
  • Can be set in General Options
In Memory Scanning: Size restriction settings
• Maximum nested compressed files: the maximum nesting depth for a compressed file
  • Default value is 5 nestings
  • Value of 0 allows infinite nesting
  • If it exceeds the maximum, the entire file is marked for deletion and Antigen will send a notification stating that an “ExceedinglyNested” virus was found
  • Can be set in General Options
In Memory Scanning: Size restriction settings
• Maximum container scan time: the number of milliseconds that Antigen will scan a compressed attachment before reporting it as a “ScanTimeExceeded” virus
  • This setting is intended to prevent the Denial of Service risk from “Zip of Death” attacks
  • The default value is 120,000 milliseconds (two minutes)
  • Can be set in General Options
In Memory Scanning: Size restriction settings
• Maximum Compressed Archive File Size: the maximum compressed size for a file within a zip archive
  • Default is 20MB
  • Files are deleted and reported as “Corrupted Compressed File”
  • Set via registry key: HKLM\SOFTWARE\Sybari Software\Antigen for Exchange\MaxCompressedArchiveFileSize
In Memory Scanning: Size restriction settings
• Maximum Uncompressed File Size: the maximum uncompressed file size for a file within a zip archive
  • Default is 100MB
  • Files are deleted and reported as “Corrupted Compressed File”
  • Set via registry key: HKLM\SOFTWARE\Sybari Software\Antigen for Exchange\MaxUnCompressedFileSize
In Memory Scanning: Zip attacks – a side note
• Zip attacks can run up CPU utilization to 100% and block mail processing, or overrun available memory or disk space
• Zip of Death – zipping a file over and over, as much as 1,000 times or more
  • Causes memory or disk outage, or CPU spike
• Zip expansion attack – one or more large, simple, uniform files are zipped
  • E.g. a 100MB txt file consisting of all zeros can zip to 560kb
  • Causes memory or disk outage, or CPU spike
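The size restriction settings above and the zip attacks they defend against can be illustrated with a small archive walker. This is an added example, not Antigen code: it applies the documented defaults (nesting depth 5, 20MB compressed and 100MB uncompressed per entry, 120,000 ms scan time) to an in-memory zip and returns the verdict names the slides use; the dictionary keys, function names and the "nested container = entry ending in .zip" rule are assumptions of this example.

```python
import io
import time
import zipfile

# Defaults taken from the Antigen settings on the slides; the dict and key names are our own
ANTIGEN_DEFAULTS = {
    "max_nested_compressed": 5,                       # 0 = unlimited nesting
    "max_compressed_file_size": 20 * 1024 * 1024,     # per entry, compressed
    "max_uncompressed_file_size": 100 * 1024 * 1024,  # per entry, uncompressed
    "max_container_scan_ms": 120_000,                 # two minutes per container
}

def check_archive(data: bytes, limits=ANTIGEN_DEFAULTS, depth=1, start=None) -> str:
    """Walk a zip (recursing into nested zips) and return 'Clean' or an Antigen-style verdict name."""
    if start is None:
        start = time.monotonic()
    max_depth = limits["max_nested_compressed"]
    if max_depth and depth > max_depth:
        return "ExceedinglyNested"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "Corrupted Compressed File"
    with zf:
        for info in zf.infolist():
            if (time.monotonic() - start) * 1000 > limits["max_container_scan_ms"]:
                return "ScanTimeExceeded"
            # Header sizes are checked before any decompression, so an expansion attack
            # (100MB of zeros packed into ~560kb) is rejected without ever inflating it.
            if info.compress_size > limits["max_compressed_file_size"]:
                return "Corrupted Compressed File"
            if info.file_size > limits["max_uncompressed_file_size"]:
                return "Corrupted Compressed File"
            if info.filename.lower().endswith(".zip"):  # nested container (by extension; a simplification)
                verdict = check_archive(zf.read(info), limits, depth + 1, start)
                if verdict != "Clean":
                    return verdict
    return "Clean"

def make_zip(entries: dict) -> bytes:
    """Build a small in-memory zip from {name: bytes} (constructed sample data, not real mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def nest_zip(data: bytes, levels: int) -> bytes:
    """Wrap an archive inside `levels` further zips, the 'Zip of Death' shape from the slide."""
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data
```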
Agenda
• Performance Bias Settings
  • Engine Bias Settings
  • SMTP Scan Job
  • Realtime Scan Job
Performance Bias Settings
• The Bias setting controls how many engines are applied to each message
  • Max Certainty: uses all engines (100%)
  • Favor Certainty: uses 75% of available engines
  • Neutral: uses approximately 50% of available engines
  • Favor Performance: uses 25% of available engines
  • Max Performance: uses one engine for every scan
Performance Bias Settings
• Engine selection is based on engine performance rankings, last signature update time and occasional round-robin
• Additional notes about Engine Bias
  • When using Max Certainty, all mail will be queued while a scan engine is being updated
    • This is because Max Certainty requires all engines to scan each mail
  • If you wish to continue scanning during engine updates, set to Favor Certainty
    • Keep in mind that the engine being updated will not scan mail during the update cycle
Performance Bias Settings: SMTP Scan Job
• Best practice is to provide maximum scanning protection at the SMTP scan job
  • Configure Bias to Max Certainty if possible
• If necessary, increase the number of available processes (scanning threads) through the registry setting
  • HKLM\Software\Sybari Software\Antigen for Exchange
  • Set “InternetProcessCount” between 2 and 8
  • Proceed gradually and with caution! Settings above 4 are very rare.
    • Each process consumes memory
Performance Bias Settings: Realtime Scan Job
• Best security practice is to provide maximum scanning protection at every level
  • Realistically, lower settings are used at the store
  • Configure Bias to Neutral and monitor performance
• If necessary, increase the number of available processes (scanning threads) through the registry setting
  • HKLM\Software\Sybari Software\Antigen for Exchange
  • Set “RealtimeProcessCount” between 2 and 4
  • Proceed gradually and with caution!
Agenda
• Automated Engine Updates
  • Updating the server
  • Engine update process on the server
  • Rapid Update engine packaging
Scan Engine: Updating the server
• Timely scan engine updating is critical to successful antivirus protection
• All engines are packaged into Antigen format and provided by Microsoft
  • They are not downloaded from the engine vendors
  • Scan engine Adapters provide a single interface into Antigen and handle engine-specific behaviors
• Antigen automatically polls for engine updates
  • Administrator sets the polling interval
    • Every 15 minutes is the shortest interval
  • Each engine has its own schedule
  • Administrator can manually initiate an engine update
Scan Engine: Updating the server
• Updates can be retrieved via HTTP or FTP directly by the Antigen server
• For multi-server environments:
  • One Antigen server can download and others can pull updates via UNC share
  • Sybari Enterprise Manager provides a point of download and distribution for multiple servers
    • Single point of management
Scan Engine: Engine update process on the server
• Single updating mechanism for all engines
  • New engine package downloaded to server
  • Package expanded
  • Engine tested with EICAR test virus
  • Current engine taken offline
  • New engine swapped in
  • New engine brought online
Scan Engine Updating: Rapid Update engine packaging
• Automated engine update posting process
  • Poll engine vendor website for update
  • Download vendor engine package
  • Expand vendor engine package
  • Create Antigen Engine Update package containing Antigen engine adapter
  • Run automated test with a set of viruses
  • Post to Sybari/Microsoft website
  • Send engine update notifications
Agenda
• File Filtering
  • Overview
  • Setting up file filters
  • File filter actions
  • File filtering behavior with ZIP files
  • Tips
File Filtering: Overview
• A key part of any mail protection strategy
• File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists
• Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT
• Some users will block the same file types that are blocked by Outlook 2003, a much longer list
  • See Outlook online help for the list
File Filtering: Setting up file filters
• Antigen blocks by extension and true file type
  • Can’t fool the filter by a simple change of extension
  • Each is configured differently
    • Use *.exe and All Types of files to block anything named *.exe
    • Use *.* and EXEFILE to block any executable file no matter what it is named
File Filtering: Setting up file filters
• Search for specific files by name, e.g. “resume.doc”
  • Wildcards supported, e.g. “*resume*.doc”
  • Each * represents 250 characters
• File filters can be Inbound or Outbound
  • <in>*.exe, <out>*.doc
• Files can be blocked based on size, and size/name/type/direction combinations
  • <in>*.mp3>2mb
  • <out>*.mp3>5mb
  • <in>*.*>10mb
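As an added example (not Antigen's own parser), the following models the filter syntax shown on the two slides above: a direction tag, a name pattern with wildcards, an optional size threshold, and a separately chosen true file type, evaluated against an attachment's name, size, mail direction and detected type. The rule grammar, the function names and the type labels other than EXEFILE and DOCFILE are assumptions of this example.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Rule grammar reconstructed from the slide examples (an assumption, not Antigen's parser):
#   [<in>|<out>]<name pattern>[>SIZE(kb|mb)]   e.g. "<in>*.mp3>2mb", "*resume*.doc"
RULE_RE = re.compile(r"^(?:<(in|out)>)?([^<>]+?)(?:>(\d+)(kb|mb))?$", re.IGNORECASE)
UNIT = {"kb": 1024, "mb": 1024 * 1024}

@dataclass
class FileRule:
    pattern: str               # file name pattern; each * is a wildcard
    direction: Optional[str]   # "in", "out" or None (applies to both directions)
    min_size: int              # bytes; the attachment must exceed this; 0 = no size condition
    file_type: str             # true file type to require (e.g. "EXEFILE"), or "ALL TYPES"

def parse_rule(text: str, file_type: str = "ALL TYPES") -> FileRule:
    """Parse one filter string plus the separately chosen file type."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised filter rule: {text!r}")
    direction, pattern, size, unit = m.groups()
    min_size = int(size) * UNIT[unit.lower()] if size else 0
    return FileRule(pattern, direction.lower() if direction else None, min_size, file_type)

def rule_matches(rule: FileRule, name: str, size: int, direction: str, true_type: str) -> bool:
    """True if an attachment (name, size in bytes, mail direction, detected true type) hits the rule."""
    if rule.direction and rule.direction != direction.lower():
        return False
    if rule.min_size and size <= rule.min_size:
        return False
    # Type check uses the detected content type, so renaming evil.exe to invoice.pdf does not help
    if rule.file_type != "ALL TYPES" and rule.file_type != true_type:
        return False
    # Case-insensitive name match; * matches any run of characters
    return fnmatch.fnmatchcase(name.lower(), rule.pattern.lower())

def first_hit(rules, name: str, size: int, direction: str, true_type: str) -> Optional[FileRule]:
    """Return the first matching rule, mirroring a filter list evaluated top to bottom."""
    for rule in rules:
        if rule_matches(rule, name, size, direction, true_type):
            return rule
    return None
```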
File Filtering: Actions
• Every filter or filter list can have a separate action applied, offering great flexibility
• Skip: Detect only – logs the event but does not block or alter the message
  • Not a secure setting!
  • Useful for monitoring and discovery purposes
  • Allows for pre-testing of new rules without end user impact
• Delete: Remove contents – removes the attachment only and replaces it with the customized deletion text
File Filtering: Actions
• Purge: Eliminate message – deletes both the attachment and the message body
  • End user receives nothing
• Identify: Tag message – inserts text into the subject line, inserts text into the message header, or applies an SCL rating to the message
  • Note: only one subject line or header text phrase is available for all filters, e.g. spam, keyword, file, etc.
  • SCL rating would route the message to the Junk E-Mail folder – not very useful for file filtering
File Filtering: ZIP file behavior
• Antigen will scan within ZIP and other compressed formats and delete only the offending file and then repackage the ZIP
(diagram: Filter Rules: Delete *.exe; container file before scan holds TXT, DOC, EXE, BMP and JPG files; after scan the EXE has gone to Quarantine and is replaced by the custom deletion text, and the remaining files are repackaged)
File Filtering: Archive types supported
• Antigen navigates the following archive types
  • PKZip (.zip)
  • Java archive (.jar)
  • GNU Zip (.gzip)
  • TNEF (winmail.dat)
  • Structured Storage (.doc)
  • MIME (.eml)
  • SMIME (.eml)
  • UUEncode (.uue)
  • Unix Tape Archive (.tar)
  • RAR archive (.rar)
File Filtering: Tips
• When creating file filters, more specific is more efficient
  • For example, to log resume.doc files:
    • Creating a filter for resume.doc with a file type of DOCFILE is more efficient
    • Creating a filter for resume.doc with a file type of ALL TYPES is less efficient
Agenda
• Spam Scanning
  • Overview
  • Detection methods
  • SpamCure engine
  • Junk Mail folders
  • SpamCure and IMF together