Forefront Server Products
Claus Petersen, Sr. PTS, [email protected]

Agenda
• Overview of Forefront Server
• Exchange Scanning
  • E-mail Transport Scanning
  • How Mail Store Scanning Works
  • Mail Store Scanning Options
• File filtering
• Forefront Server Security Management Console (FSSMC)
• Forefront Security for SharePoint

Demo environment
Specifications: Three Win2003 R2 VMs + Exchange 2007 + Forefront for Exchange + Outlook 2003 + SharePoint Services 3.0 + Forefront for SharePoint + Forefront Management Console (beta)
Memory: 2 GB required

Microsoft Confidential

Market Recognition

Leader in Gartner E-mail Security Boundary Magic Quadrant

Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.

Comprehensive Protection
• Ships with & manages multiple antivirus engines
• Multi-layered protection in Exchange 2007
• File filtering and premium anti-spam protection

Optimized Performance
• Deep integration with Exchange Server
• Scanning innovations & performance controls
• Maintains uptime and optimizes performance

Simplified Management
• Easily manage configuration and operation
• Automated signature updates
• Reporting, notifications and alerts

History
• Sybari Antigen 8.0 for Exchange: for Exchange 5.5 and Exchange 2003
• Microsoft Antigen 9.0 for Exchange: for Exchange 2003
• Forefront Security 10.0 for Exchange: for Exchange 2007

Forefront Security for Exchange

Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from: Ahn Labs, Authentium Command, CA, Kaspersky, Microsoft, Norman, Sophos and Virus Buster.

Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously.
(Diagram: engines A, B, C, D and E in front of the Internal Messaging Servers)

Multiple Scan Engines
• Engines from eight different vendors
• All delivered and licensed by Microsoft
• You can select a maximum of 5 (out of 8) engines

Customer benefits
• Rapid response to new threats
• Greater protection through diversity of anti-virus engines
• Continuous protection

Multiple Scan Engines

The Multiple Engine Advantage

Rapid response to new threats

Fail-safe protection through redundancy

Diversity of anti-virus engines and heuristics

Response Time (in hours), AVTest.org, 2007

Sample                    Microsoft Multi-engine Solution                    Other Single Engine Solutions
                          Forefront Set 1  Forefront Set 2  Forefront Set 3  Vendor A*        Vendor B*        Vendor C*
1006_areses_itw30.ex_     0.00**           0.00             0.00             0.00             0.00             0.00
1006_areses_itw36.ex_     0.00             0.00             0.00             1598.78          0.00             0.00
1006_areses_itw37.ex_     0.00             0.00             0.00             0.00             52.30            175.45
1006_areses_itw41.ex_     0.00             0.00             0.00             0.00             13.15            194.35
1006_mytob_itw590.ex_     0.00             0.00             0.00             1332.17          0.00             0.00
1006_rontokbro_itw36.ex_  0.00             0.00             0.00             0.00             0.00             613.40
1006_sdbot_itw1809.ex_    0.00             0.00             0.00             9.97             166.07           270.39
1006_sdbot_itw1831.ex_    65.95            52.23            41.78            59.43            1.00             46.38
1006_sdbot_itw1847.ex_    56.54            56.54            204.79           416.27           29.92            85.32
1006_stration_itw101.ex_  0.00             0.00             0.00             93.88            23.46            96.85
1006_stration_itw102.ex_  0.00             0.00             0.00             26.00            28.05            30.83
1006_stration_itw42.ex_   0.92             0.92             0.92             3.72             3.12             7.05
1006_stration_itw43.ex_   2.00             2.00             2.00             4.80             4.20             8.13
1006_stration_itw44.ex_   0.00             0.00             0.00             5.60             2.00             7.58
1006_stration_itw45.ex_   0.00             0.00             0.00             3.55             2.00             7.58
1006_stration_itw46.ex_   0.00             0.00             0.00             2.75             2.20             6.78
1006_stration_itw47.ex_   0.00             0.00             0.00             3.72             3.12             7.05
1006_stration_itw60.ex_   0.00             0.00             0.00             0.00             4.64             6.32
1106_rbot_itw2090.ex_     0.00             0.00             0.00             1739.10          0.00             298.64
1106_sdbot_itw1814.ex_    0.00             0.00             0.00             1.00             0.00             0.00
1106_sdbot_itw1866.ex_    0.00             0.00             0.00             26.80            1.00             35.27
1106_sdbot_itw1867.ex_    0.00             0.00             0.00             14.00            12.84            23.14
1106_sdbot_itw1876.ex_    0.00             0.00             0.00             468.60           306.82           430.80
1106_stration_itw124.ex_  0.00             0.00             0.38             0.66             1.88             8.80
1206_bagle_itw137.ex_     0.00             0.00             0.00             4.01             0.00             13.83
1206_bagle_itw141.ex_     0.00             0.00             0.00             17.15            0.00             13.83
1206_puce_itw1.ex_        0.00             0.00             0.00             0.00             0.00             1.00
1206_rbot_itw2038.ex_     0.00             0.00             0.00             1026.27          0.00             0.00
1206_sdbot_itw1889.ex_    0.00             0.00             0.00             128.28           255.20           63.96

Legend (colour-coded in the original): less than 5 hours / 5 to 24 hours / more than 24 hours
* Includes beta signatures
** 0.00 denotes proactive detection

Multiple Scan Engines - Bias setting
Available: 8 engines. Select: max 5 engines (from 8). Bias setting: how many are used on a single email (1..5)
• Max Certainty: uses all selected engines (100%) - 5
• Favor Certainty: uses all available engines - 5 or 4
• Neutral: uses at least 50% of selected engines - 3
• Favor Performance: uses up to 50% of selected engines - 3, 2 or 1
• Max Performance: uses one engine for every scan - 1


Multiple Scan Engine Performance
3Sharp conducted analysis on the incremental impact of additional scan engines on performance.
Findings: the additional protection offered by multiple engines greatly offsets the minimal impact to server performance.

Scan Engine Updates
Forefront for Exchange polls for updates. Available at:
• http://forefrontdl.microsoft.com
• Share at another Forefront Server
• Share at Forefront Management Console (FSSMC)
But NOT available at:
• Antivirus vendor Web site (Norman, Sophos, etc)

Scan Mechanisms
• Scan for viruses - using scan engines (signature based)
• File filtering - block specific attachments (file name or content based)
• Scan inside "containers" (zip, rar, doc, etc): max 5 levels deep; re-creates the rest of the container file if a virus is detected

Transport scanning
• Try to minimize the effect on the Message Store
• Do not scan if scanned already - AV-stamp
• Inbound: at Edge role (not at Mailbox role)
• Outbound: at Hub role (not at Mailbox role)
• Internal: at Hub role (not at Mailbox role)

AV-stamp
• An antivirus header stamp is written to each email as it is first scanned (at Edge or Hub role):
  X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
• Checked by later scanning operations (at Hub or Store role); if found, the mail is not re-scanned
• When the mail is saved in the Store, the antivirus stamp properties are saved as a MAPI property and the header is stripped from the email

Scanning at Transport - A Quick Look At Transport Scanning: How It Works
• Inbound mail: scanned at the Edge or Hub role (whichever comes first)
• Outbound mail: scanned at the first Hub role
• Internal mail: scanned at the first Hub role (not in the Store); mail in Sent Items is not scanned
• Public Folder postings: not scanned on submission

Scanning - Inbound Mail
(Diagram: INTERNET -> Edge Server [SCAN + AV-STAMP] -> Hub Role [NO SCAN] -> Mailbox Role [NO SCAN] -> Client; a second Mailbox Role and a Public Folder are shown alongside)
Mail is scanned only once, at the Edge. Saves processing load on Hub and Mailbox servers.

Scanning - Outbound Mail
(Diagram: Client -> Mailbox Role [NO SCAN] -> Hub Role [SCAN + AV-STAMP] -> Edge Server [NO SCAN] -> INTERNET)
On-submission scanning at the Mailbox server (store) is turned off by default. The scan takes place at the Hub role. Saves processing load on Edge and Mailbox servers.

Scanning - Internal Mail
(Diagram: Client -> Mailbox Role [NO SCAN] -> Hub Role [SCAN + AV-STAMP] -> Mailbox Role / Public Folder [NO SCAN]; the Edge Server is not involved [NO SCAN])
Internal mail is routed through the Hub role. Saves processing load on Mailbox servers.

Scanning at Store - Store scanning
• Proactive scanning - off by default: scan on message submission to the store
• On-access scanning - on by default: scan when a message is accessed or viewed, but do not scan if scanned before (looks at the AV-stamp). Useful for: Outbox, Sent Items, Public Folders
• Background Scan - off by default: runs once a day; scans only messages less than x days old (ignores the AV-stamp)
• Manual Scan - off by default: runs on a set schedule or on demand (ignores the AV-stamp)
• Quick Scan - off by default: easy way to run a one-time manual scan (ignores the AV-stamp)

Automatic Scanning - Behavior Changes
Scanning behavior changes in Exchange 2007:

User Action                                                 | Proactive Scanning on (Exchange 2000/2003 default)                         | Proactive Scanning off (Exchange 2007 default)
1. User attaches an infected file to an email and sends it. | Virus is detected in the Outbox by the Realtime Scan Job and deleted.      | Virus is detected in the Outbound mail queue by the Transport Scan Job and deleted.
2. User checks Sent Items folder.                           | Virus is already deleted, detected in the Outbox by the Realtime Scan Job. | Mail is scanned by On Access scanning (Realtime Scan Job) and virus deleted.

Each scan job has separate settings, so scan behavior may vary in Exchange 2007.

"Outbreak mode"
Warning: do not use, except with a major outbreak.
Scan on Scanner Update setting: invalidates the AV-stamp after each engine update.
Result:
• Enables proactive (submission) scanning
• Scans each incoming message at the store, even if just scanned on transport
• Scans each mail on access, if the engine has been updated
Conclusion: a significant increase in the amount of store scanning, but mail is always scanned with the latest engines.
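As an added example, not code from the deck or from Forefront, the AV-stamp rules from the transport-scanning, store-scanning and Scan on Scanner Update slides modelled in Python: the header is honoured at transport and by the proactive/on-access store jobs, moved into a MAPI property when the store saves the mail, and ignored by background/manual/quick jobs. The engine-generation counter used to model stamp invalidation after an engine update, and the stage labels, are my assumptions.

```python
from dataclasses import dataclass, field

AV_STAMP = "X-MS-Exchange-Organization-AVStamp-Mailbox"
STAMP_VALUE = "MSFTFF;1;0;0 0 0"  # value shown in the deck; treated as opaque here

@dataclass
class Message:
    headers: dict = field(default_factory=dict)
    props: dict = field(default_factory=dict)  # MAPI properties once saved in the store
    stamp_gen: int = 0  # ASSUMPTION: engine-update generation current when stamped (0 = none)

def transport_scan(msg, engine_gen):
    """Edge or Hub role: skip if an AV-stamp header is already present, else scan and stamp."""
    if AV_STAMP in msg.headers:
        return False
    msg.headers[AV_STAMP] = STAMP_VALUE  # the engine scan happens here; only the stamp is modelled
    msg.stamp_gen = engine_gen
    return True

def store_save(msg):
    """Mailbox store: the header is stripped and kept as a MAPI property instead."""
    if AV_STAMP in msg.headers:
        msg.props["AVStamp"] = msg.headers.pop(AV_STAMP)

def store_scan(msg, job, engine_gen, scan_on_scanner_update=False):
    """proactive/on-access honour the stamp; background/manual/quick ignore it. With
    Scan on Scanner Update a stamp from an older engine generation no longer counts."""
    stamp_ok = "AVStamp" in msg.props
    if scan_on_scanner_update and msg.stamp_gen != engine_gen:
        stamp_ok = False
    if job in ("proactive", "on-access") and stamp_ok:
        return False
    msg.props["AVStamp"] = STAMP_VALUE
    msg.stamp_gen = engine_gen
    return True

def inbound_path(engine_gen_at_access, scan_on_scanner_update=False):
    """Inbound mail: Edge -> Hub -> store save -> user opens it -> nightly background scan.
    Returns the stages that actually ran an engine scan (stage names are my labels)."""
    msg, hits = Message(), []
    if transport_scan(msg, 1):
        hits.append("edge")
    if transport_scan(msg, 1):  # the Hub finds the Edge stamp and skips
        hits.append("hub")
    store_save(msg)
    if store_scan(msg, "on-access", engine_gen_at_access, scan_on_scanner_update):
        hits.append("on-access")
    if store_scan(msg, "background", engine_gen_at_access):  # ignores the stamp
        hits.append("background")
    return hits
```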

File Filtering
• Block file attachments, based on name (or content)
• Extension - file name or file content: *.exe, *.vbs, etc
• Inbound/outbound/size: <in>*.exe, <out>*.doc, *.mp3>5MB, *>10MB
• Can also configure for "detect only"
(Diagram: Filter Rules: Delete *.exe -> Quarantine)

File Filtering – Zip File Behavior
Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP.
(Diagram: container file before scan: EXE, DOC, JPG, BMP. Container file after scan: TXT (custom deletion text), DOC, JPG, BMP. The EXE goes to Quarantine.)
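An added example (not Forefront code) that applies the filter-rule notation from the File Filtering slide to a constructed ZIP and repackages it the way the Zip File Behavior slide describes: only the matching member is quarantined and replaced by a TXT note, and nested containers are followed up to 5 levels. The rule grammar, the deletion text and the sample file names are my assumptions.

```python
import fnmatch, io, re, zipfile
# Rule notation from the slide: optional <in>/<out> direction, a file-name glob and an
# optional ">NMB" size threshold. ASSUMPTION: this grammar is my reading of the slide.
RULE_RE = re.compile(r"^(?:<(in|out)>)?([^>]+?)(?:>(\d+)MB)?$")
DELETION_TEXT = b"Attachment removed by file filtering."  # constructed replacement text

def rule_matches(rule, name, size, direction):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("bad rule: " + rule)
    rdir, pattern, mb = m.groups()
    if rdir and rdir != direction:  # an <in> rule does not apply to outbound mail
        return False
    if not fnmatch.fnmatch(name.lower(), pattern.lower()):
        return False
    return mb is None or size > int(mb) * 1024 * 1024

def filter_zip(zip_bytes, rules, direction, depth=1, max_depth=5):
    """Rebuild the container: matching members are quarantined and replaced by a .txt
    note, everything else is kept; nested ZIPs are descended up to max_depth levels."""
    out, quarantined = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if any(rule_matches(r, info.filename, len(data), direction) for r in rules):
                quarantined.append((info.filename, data))
                dst.writestr(info.filename.rsplit(".", 1)[0] + ".txt", DELETION_TEXT)
            elif info.filename.lower().endswith(".zip") and depth < max_depth:
                inner, q = filter_zip(data, rules, direction, depth + 1, max_depth)
                quarantined += [(info.filename + "/" + n, d) for n, d in q]
                dst.writestr(info.filename, inner)
            else:
                dst.writestr(info.filename, data)
    return out.getvalue(), quarantined

def build_sample_zip(nest=0):
    """Constructed EXE+DOC+JPG+BMP container (as on the slide), wrapped `nest` times."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (("setup.exe", b"MZ..."), ("memo.doc", b"doc"),
                           ("photo.jpg", b"jpg"), ("logo.bmp", b"bmp")):
            z.writestr(name, body)
    data = buf.getvalue()
    for _ in range(nest):  # each wrap adds one container level
        wrap = io.BytesIO()
        with zipfile.ZipFile(wrap, "w") as z:
            z.writestr("inner.zip", data)
        data = wrap.getvalue()
    return data

def member_names(zip_bytes): return sorted(zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist())
```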

Premium Anti-spam Protection

• Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007
• Deployed on the Exchange Edge or Hub server role
• The Edge server can be deployed in front of Exchange 2003 mailboxes

Built upon the base anti-spam in Exchange 2007, premium anti-spam protection adds:
• Microsoft IP reputation filter service and automated updates
• Automated updates every 15 minutes for Microsoft Smartscreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF)
• Targeted spam signature data and automatic updates to identify the latest spam campaigns
• Rights to use Exchange Hosted Services Filtering

Forefront for Exchange

DEMO

Forefront Server Security Management Console

Microsoft® Forefront™ Server Security Management Console allows administrators to easily manage Forefront Security for Exchange Server, Forefront Security for SharePoint® and Microsoft Antigen installed on multiple servers across the enterprise.

Simplified Management
• Centralizes management through the Web-based console
• Automates signature updates for multiple antivirus engines
• Generates comprehensive reports

Comprehensive Protection
• Provides outbreak response
• Rapidly distributes signature and scan engine updates

Optimized Performance
• Integration with Microsoft SQL Server™ 2005 and Windows Server® 2003
• Redundancy maintains server availability
• Support for Exchange 2007 CCR clusters

Forefront Server Security Management Console Features
• Central management console: deploys and configures Forefront/Antigen Security for Exchange and SharePoint environments
• Automates signature updates across the enterprise: scans for and pulls updates for multiple antivirus engines; distributes updates to all Forefront/Antigen servers

Supported Topology
(Diagram: the Forefront Server Security Management Console manages
  Exchange Servers: Exchange 2007 Edge Server, Exchange 2007 Hub Server, Exchange 2000 or 2003 Routing Server, Exchange 2007 Mailbox Server, Exchange 2000 or 2003 Mailbox Server
  SharePoint Servers: Microsoft Office SharePoint Server 2007 or Windows SharePoint Services 3.0)
DMZ servers not supported

Jobs Overview
Jobs are management tasks that are run on demand or based on a schedule:
• Deployment jobs: software, license files, templates
• Signature redistribution jobs
• Schedule reports
• General options
• Manual Scan Job
• Log retrieval

Job – Signature Distribution
Set the time intervals and download path. Choose the scan engines for Forefront and Antigen.

Exchange Hosted Services
• Real-time threat prevention features; multi-layer anti-spam and anti-virus; customized content and policy enforcement
• Uninterrupted e-mail accessibility; rapid recovery from unplanned disasters and network outages; thirty-day rolling historical e-mail store
• Full e-mail encryption; no public and private key management; gateway, policy-based e-mail encryption
• E-mail retention for help with compliance and e-discovery; customized report generation for help demonstrating compliance; fully indexed, searchable archive
(Diagram: Global Network)

Exchange Hosted Filtering

DEMO

• Flexible licensing with multiple choices
• Standalone offerings to meet specific needs
• Suites provide enhanced value and effectively meet broader security needs in one simple purchase
• Products available on Open, Select & EA
(Diagram: Standalone Offerings, Enterprise CAL Suite, Exchange Enterprise CAL and Forefront Security Suite, covering Forefront Client Security, Forefront for Exchange Server, Forefront for SharePoint, Antigen for IM, Exchange Hosted Filtering and Other Server CALs)

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.