560 likes | 734 Vues
Antigen Threat and Vulnerability Mitigation Technologies. Erik De Bondt Sr. Technology and Solutions Advisor Microsoft Belgium and Luxembourg. Credits: Peter Eicher, Senior Product Manager. Session Objectives And Key Takeaways. Session Objective(s):
E N D
Antigen Threat and Vulnerability Mitigation Technologies Erik De Bondt Sr. Technology and Solutions Advisor Microsoft Belgium and Luxembourg Credits: Peter Eicher, Senior Product Manager
Session Objectives And Key Takeaways • Session Objective(s): • Gain a detailed understand of the scanning processes used in Antigen • Understand the various filtering options in Antigen and how they work • Key Takeaways • Knowledge of the SMTP and VSAPI scanning processes • Knowledge of Antigen performance • Knowledge of Antigen file filtering
Antigen Overview • Antigen is anti-virus, anti-spam, content and file filtering software protecting email at the SMTP layer and the Exchange store • Uses multiple anti-virus engines • Kaspersky Lab • Norman Data Defense • Sophos • Virus Busters • AhnLabs • Authentium Command • CA InoculateIT • CA VET Engines in highlighted italics are default engines The MS Antivirus engine will be provided in the first Microsoft-branded version of Antigen
Agenda • SMTP Scanning • Windows SMTP Event Sinks • SMTP Scanning Direction • SMTP Scanning Order
SMTP ScanningWindows SMTP Event Sinks • Simple Mail Transport Protocol service • Provides Internet Mail processing • Provided by Windows 2000 & Windows Server 2003 • Has extensible Event Sink architecture • Protocol Event Sink • Occurs during SMTP protocol conversation • Antigen uses to capture authenticated connection information • Transport EventSink • Occurs after SMTP message is received and being processed by SMTP service • Antigen uses to scan & update message
SMTP ScanningWindows SMTP Event Sinks Antigen Protocol Event Sink Antigen Transport Event Sink
SMTP ScanningSMTP scanning direction • Antigen provides three directions of scanning • Inbound– all messages relayed through an external server (i.e. Internet mail). • Outbound– any message where at least one recipient has an external address (not from your domains) • Internal– messages routed from one location within your organization to another • All recipients must be within your domain or else the message is treated as Outbound • The General Options panel has an Internal Address field to enter all internal domain information
SMTP ScanningSMTP scanning order • Filters are applied in a specific sequence • Designed for maximum performance Spam Filtering Content Filtering Attachment Scanning Body Scanning • Allowed Sender Checks • Spam Scanning • RBL Filter • Sender/Domain Filter • Subject Line Filter • Non-Archive Files: • Worm Scanning • File Filtering • Virus Scanning • Archive Files: • File Filtering • Traverse the archive • Keyword Filtering • Virus Scanning
Agenda • Exchange Store Scanning • Exchange VSAPI 2.5 • Background Scanning • Proactive Scanning • On-access Scanning • Antigen VSAPI Implementation • Antigen General Options
Exchange Store ScanningExchange VSAPI 2.5 • Virus Scanning API v 2.5 • Provided by Exchange 2000 and Exchange 2003 • Allows 3rd party products to “hook” into Exchange to scan message bodies and attachments • Provides Single Instance scanning • Marks messages scanned in an Exchange database table
Exchange Store ScanningExchange VSAPI 2.5 • VSAPI v 2.5 uses Global Thread Pooling to optimize server performance • The default number of scanning threads is 2 * <number of processors> + 1 • Number of threads is listed in the registry: • HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\ScanningThreads • AV vendors may override this setting • Antigen does – details ahead
Exchange Store ScanningExchange VSAPI 2.5 • VSAPI provides three scanning modes • Background scanning – runs actively in the background looking for items that have not been scanned • Proactive scanning – scans as items are submitted to the Exchange store • On-access scanning – scans when a message is accessed. Also referred to as Real-time scanning
Exchange Store ScanningVSAPI Background Scanning • Uses one thread per database • Runs at below normal priority • Thread is activated when the store service is started and each time the virus scanning DLL is reloaded • Checks to see which folders have been scanned with the current version of AV software and re-scans if needed • Uses the ptagVirusScannerStamp to track AV version level
Exchange Store ScanningVSAPI Proactive Scanning • As messages are submitted to the Exchange store, they enter the global scanning queue • Items enter as low priority • Maximum of 30 entries in the queue • Scanned on a first in, first out (FIFO) basis • Overflow messages will go to the store unscanned • If an item is accessed while in queue, it is changed to high priority
Exchange Store ScanningVSAPI On-access Scanning • When a message is accessed, the virus scanning stamp is checked • If the item has been scanned by the most up-to-date AV version, it is not scanned • If the AV version has changed: • Access to the item is blocked • The message is submitted to the Global Scanning Queue with high priority • When AV scan is completed, the item can be opened
Exchange Store ScanningAntigen VSAPI implementation • Background Scanning • Turned off by default in Antigen for performance reasons • Given the frequency of engine updates in Antigen, this would create a large amount of re-scans • Antigen provides manual and scheduled scanning to allow re-scanning of the store • Offers better granularity and control • The VSAPI background options can be turned on via settings in the General Options panel
Exchange Store ScanningAntigen VSAPI implementation • Proactive Scanning • Works the same as VSAPI except… • Antigen manages the number of scanning threads via its own registry key and the AntigenRealtime.exe process • Default is two scanning threads per storage group • May be increased to four via registry key • HKLM\Software\Sybari Software\Antigen for Exchange\RealtimeProcessCount • Antigen “Realtime Scan Job” refers to the VSAPI Proactive Scan
Exchange Store ScanningAntigen VSAPI implementation • On-access Scanning • Antigen disables re-scanning on every change of scanner • Done for performance reasons due to frequency of engine updates • The VSAPI on-access options can be turned on via settings in the General Options panel • Antigen “Realtime Scan Job” includes the VSAPI on-access scanning
Exchange Store ScanningAntigen General Options • Scan on ScanJob update • Will rescan previously scanned files if Scan job settings are made, e.g. Bias settings or engine choices changed • Enable Background Scan if ‘Scan on ScanJob Update’ Enabled • Will initiate background scan every time a ScanJob setting is changed
Exchange Store ScanningAntigen General Options • Scan on Scanner Update • Will rescan previously scanned files if any scan engine has updated since the last time the message was scanned (includes on-access and proactive) • Enable Background Scan if ‘Scan on Scanner Update’ Enabled • Will initiate background scan every time a scan engine is updated
Agenda • In Memory Scanning • Overview • Limitations • Size Restriction Settings
EXE Memory Allocation Scanning Process In Memory ScanningOverview • Antigen uses memory space to open attachments, rather than spooling to disk • Delivers faster performance • Memory is dynamically allocated based on the size of the message and attachment EXE 432kb Return to Pool Available Memory Pool
In Memory ScanningLimitations • Antigen uses a maximum of 3GB of memory • This is the largest available addressable memory space in a 32-bit system • 4GB total, but 1GB is reserved for the OS • What happens if the file size exceeds the amount of available memory? • There are various configurable settings to handle this….
In Memory ScanningSize restriction settings • Maximum container file size: largest container file size Antigen will attempt to clean or repair in the event that it discovers an infected or corrupted file • 26 MB by default • Antigen will report deleted files as “LargeInfectedContainerFile” virus. • Can be set in General Options
In Memory ScanningSize restriction settings • Maximum nested attachments:the maximum nested attachments that can appear in MSG, TNEF, MIME, and Uuencoded files. • The default is 30 • If the maximum is exceeded, the file is marked for deletion and Antigen will send a notification stating that an “ExceedinglyNested” virus was found. • Can be set in General Options
In Memory ScanningSize restriction settings • Maximum nested compressed files:the maximum nested depth for a compressed file. • Default value is 5 nestings. • Value of 0 allows infinite nesting. • If it should exceed the maximum, the entire file is marked for deletion and Antigen will send a notification stating that an “ExceedinglyNested” virus was found. • Can be set in General Options
In Memory ScanningSize restriction settings • Maximum container scan time:the number of milliseconds that Antigen will scan a compressed attachment before reporting it as a “ScanTimeExceeded” virus. • This setting in intended to prevent Denial of Service risk from “Zip of Death” attacks. • The default value is 120,000 milliseconds (two minutes). • Can be set in General Options
In Memory ScanningSize restriction settings • Maximum Compressed Archive File Size:the maximum compressed size for a file within a zip archive. • Default is 20MB • Files deleted and reported as “Corrupted Compressed File” • Set via registry key: HKLM\SOFTWARE\ Sybari Software\Antigen for Exchange\ MaxCompressedArchiveFileSize
In Memory ScanningSize restriction settings • Maximum Uncompressed File Size:the maximum uncompressed file size for a file within a zip archive. • Default is 100MB • Files deleted and reported as “Corrupted Compressed File” • Set via registry key: HKLM\SOFTWARE\ Sybari Software\Antigen for Exchange\ MaxUnCompressedFileSize
In Memory ScanningZip attacks – a side note • Zip attacks can run up CPU utilization to 100% and block mail processing, or overrun available memory or disk space • Zip of Death – zipping a file over and over, as much as 1,000 times or more • Causes memory or disk outage, or CPU spike • Zip expansion attack – one or more large, simple, uniform files are zipped • E.g. a 100MB txt file consisting of all zeros can zip to 560kb • Causes memory or disk outage, or CPU spike
Agenda • Performance Bias Settings • Engine Bias Settings • SMTP Scan Job • Realtime Scan Job
Performance Bias Settings • The Bias setting controls how many engines are applied to each message • Max Certainty: uses all engines (100%) • Favor Certainty: uses 75% of available engines • Neutral: uses approximately 50% of available engines • Favor Performance: uses 25% of available engines • Max Performance: uses one engine for every scan
Performance Bias Settings • Engine selection is based on engine performance rankings, last signature update time and occasional round-robin • Additional notes about Engine Bias • When using Max Certainty, all mail will be queued while a scan engine is being updated • This is because Max Certainty requires all engines to scan each mail • If you wish to continue scanning during engine updates, set to Favor Certainty • Keep in mind that the engine being updated will not scan mail during the update cycle
Performance Bias SettingsSMTP Scan Job • Best practice is to provide maximum scanning protection at the SMTP scan job • Configure Bias to Max Certainty if possible • If necessary, increase number of available processes (scanning threads) through registry setting • HKLM\Software\Sybari Software\Antigen for Exchange • Set “InternetProcessCount” between 2 and 8 • Proceed gradually and with caution! Settings above 4 are very rare. • Each process consumes memory
Performance Bias SettingsRealtime Scan Job • Best security practice is to provide maximum scanning protection at every level • Realistically, lower settings are used at the store • Configure Bias to Neutral and monitor performance • If necessary, increase number of available processes (scanning threads) through registry setting • HKLM\Software\Sybari Software\Antigen for Exchange • Set “RealtimeProcessCount” between 2 and 4 • Proceed gradually and with caution!
Agenda • Automated Engine Updates • Updating the server • Engine update process on the server • Rapid Update engine packaging
Scan EngineUpdating the server • Timely scan engine updating is critical to successful antivirus protection • All engines are packaged into Antigen format and provided by Microsoft • They are not downloaded from the engine vendors • Scan engine Adapters provide a single interface into Antigen and handle engine-specific behaviors • Antigen automatically polls for engine updates • Administrator sets polling interval • Every 15 minutes in the shortest interval • Each engine has its own schedule • Administrator can manually initiate an engine update
Scan EngineUpdating the server • Updates can be retrieved via HTTP or FTP directly by the Antigen server • For multi-server environments: • One Antigen server can download and others can pull updates via UNC share • Sybari Enterprise Manager provides point of download and distribution for multiple servers • Single point of management
Scan EngineEngine update process on the server • Single updating mechanism for all engines • New engine package downloaded to server • Package expanded • Engine tested with EICAR test virus • Current engine taken offline • New engine swapped in • New engine brought online
Scan Engine UpdatingRapid Update engine packaging • Automated engine update posting process • Poll engine vendor website for update • Download vendor engine package • Expand vendor engine package • Create Antigen Engine Update package containing Antigen engine adapter • Run automated test with a set of viruses • Post to Sybari/Microsoft website • Send engine update notifications
Agenda • File Filtering • Overview • Setting up file filters • File filter actions • File filtering behavior with ZIP files • Tips
File FilteringOverview • A key part of any mail protection strategy • File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists • Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT • Some users will block the same file types that are blocked by Outlook 2003, a much longer list • See Outlook online help for list
File FilteringSetting up file filters • Antigen blocks by extension and true file type • Can’t fool filter by simple change of extension • Each is configured differently Use *.exe and All Types of files to block anything named *.exe Use *.* and EXEFILE to block any executable file no matter what it is named
File FilteringSetting up file filters • Search for specific files by name, e.g. “resume.doc” • Wildcards supported, e.g. “*resume*.doc” • Each * represents 250 characters • File filters can be Inbound or Outbound • <in>*.exe, <out>*.doc • Files can be blocked based on size, and size/name/type/direction combinations • <in>*.mp3>2mb • <out>*.mp3>5mb <in>*.*>10mb
File FilteringActions • Every filter or filter list can have a separate action applied, offering great flexibility • Skip:Detect only – logs the event but does not block or alter the message • Not a secure setting! • Useful for monitoring and discovery purposes • Allows for pre-testing of new rules without end user impact • Delete:Remove contents – removes the attachment only and replaces with the customized deletion text
File FilteringActions • Purge:Eliminate message – deletes both the attachment and the message body • End user receives nothing • Identify: Tag message – inserts text into subject line, inserts text into message header, or applies SCL rating to message • Note: only one subject line or header text phrase is available for all filters, e.g. spam, keyword, file, etc. • SCL rating would route message to Junk E-Mail folder – not very useful for file filtering
Filter Rules: Delete *.exeQuarantine TXT DOC EXE DOC BMP JPG BMP JPG Container file after scan EXE Quarantine File FilteringZIP file behavior • Antigen will scan within ZIP and other compressed formats and delete only the offending file and then repackage the ZIP Custom deletion text Container file before scan
File FilteringArchive types supported • Antigen navigates the following archive types • PKZip (.zip) • Java archive (.jar) • GNU Zip (.gzip) • TNEF (winmail.dat) • Structure Storage (.doc) • MIME (.eml) • SMIME (.eml) • UUEncode (.uue) • Unix Tape Archive (.tar) • RAR archive (.rar)
File FilteringTips • When creating file filters, more specific is more efficient • For example, to log resume.doc files Creating a filter for resume.doc with a file type of DOCFILE is more efficient Creating a filter for resume.doc with a file type of ALL TYPES is less efficient
Agenda • Spam Scanning • Overview • Detection methods • SpamCure engine • Junk Mail folders • SpamCure and IMF together