
EXC306 - Microsoft Forefront Security Efficient and Effective Virus Scanning for Microsoft Exchange 2007 Nishkar Maharaj Technical Specialist Microsoft


EXC306 - Microsoft Forefront Security
Efficient and Effective Virus Scanning for Microsoft Exchange 2007
Nishkar Maharaj, Technical Specialist, Microsoft South Africa

Page 3: Session Objectives and Agenda

• Overview of Forefront Security for Exchange Server
• Email Transport Scanning
• How Mail Store Scanning Happens
• Mail Store Scanning Options
• Anti Spam Protection
• File Filtering

Page 4: The Microsoft Forefront product line

A comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management.

Coverage areas (diagram): Network Edge, Server Applications, Client and Server OS.

Page 5: Microsoft Forefront Key Design Pillars

Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms, integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.

• Comprehensive Protection
– Ships with and manages multiple antivirus engines
– Multi-layered protection in Exchange 2007
– File filtering and premium anti-spam protection
• Optimized Performance
– Deep integration with Exchange Server
– Scanning innovations and performance controls
– Maintains uptime and optimizes performance
• Simplified Management
– Easily manage configuration and operation
– Automated signature updates
– Reporting, notifications and alerts

Page 6: Multiple scan engines

• Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from several vendors (vendor logos not reproduced here)
• Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously (diagram: engines A to E in front of the internal messaging and collaboration servers)

Page 7: The Multiple Engine Advantage

• Rapid response to new threats
• Fail-safe protection through redundancy
• Diversity of antivirus engines and heuristics

Response time (in hours) of the Microsoft multi-engine solution (Forefront Set 1, Set 2, Set 3) versus other single-engine solutions (Vendor A*, Vendor B*, Vendor C*):

Sample                     Set 1    Set 2    Set 3   Vendor A*  Vendor B*  Vendor C*
1006_stration_itw42.ex_     0.92     0.92     0.92       3.72       3.12       7.05
1006_stration_itw43.ex_     2.00     2.00     2.00       4.80       4.20       8.13
1006_stration_itw44.ex_     0.00     0.00     0.00       5.60       2.00       7.58
1006_stration_itw45.ex_     0.00     0.00     0.00       3.55       2.00       7.58
1006_stration_itw46.ex_     0.00     0.00     0.00       2.75       2.20       6.78
1006_stration_itw47.ex_     0.00     0.00     0.00       3.72       3.12       7.05
1006_stration_itw60.ex_     0.00     0.00     0.00       0.00       4.64       6.32
1106_rbot_itw2090.ex_       0.00     0.00     0.00    1739.10       0.00     298.64
1106_sdbot_itw1814.ex_      0.00     0.00     0.00       1.00       0.00       0.00
1106_sdbot_itw1866.ex_      0.00     0.00     0.00      26.80       1.00      35.27
1106_sdbot_itw1867.ex_      0.00     0.00     0.00      14.00      12.84      23.14
1106_sdbot_itw1876.ex_      0.00     0.00     0.00     468.60     306.82     430.80
1106_stration_itw124.ex_    0.00     0.00     0.38       0.66       1.88       8.80
1206_bagle_itw137.ex_       0.00     0.00     0.00       4.01       0.00      13.83
1206_bagle_itw141.ex_       0.00     0.00     0.00      17.15       0.00      13.83
1206_puce_itw1.ex_          0.00     0.00     0.00       0.00       0.00       1.00
1206_rbot_itw2038.ex_       0.00     0.00     0.00    1026.27       0.00       0.00
1206_sdbot_itw1889.ex_      0.00     0.00     0.00     128.28     255.20      63.96

Source: AVTest.org, 2007. The original slide colour-codes each cell as less than 5 hours, 5 to 24 hours, or more than 24 hours.
* Includes beta signatures
** 0.00 denotes proactive detection

Page 8: Scan Engines

• 3Sharp conducted an in-depth analysis of the incremental impact of additional scan engines on performance
• Findings: the additional protection offered by multiple engines greatly offsets the minimal impact on server performance

Pages 9-10: Bias

Engines used are not always the same. They are dynamically allocated from the available pool.

• Max Certainty: uses all engines (100%)
• Favor Certainty: uses all available engines*
• Neutral: uses approximately 50% of available engines*
• Favor Performance: uses 25% of available engines*
• Max Performance: uses one engine for every scan*

Page 11: Exchange 2007 server roles (diagram)

• Edge Transport: routing and hygiene; faces the Internet and other SMTP servers
• Hub Transport: routing and policy inside the enterprise network
• Mailbox: mailboxes and Public Folders
• Client Access: applications (OWA); protocols (ActiveSync, POP, IMAP, RPC / HTTP …); programmability (Web services, Web parts)
• Unified Messaging: voice messaging and fax, connected to a PBX or VoIP

Page 12: How It Works – Email Transport Scanning

• New intelligent scanning does not scan email that has already been scanned
– By default, email scanned at Edge Transport or Hub Transport does not get scanned again when routed or deposited into mailboxes
• Minimizes AV scanning overhead to maximize mail system performance
– Significantly reduces scanning impact at the store
– Can be turned off to allow scanning at all points

Page 13: How It Works

• A secure antivirus header stamp is written to each email as it is first scanned at the Edge or Hub role
– X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
• This stamp is checked by subsequent scanning operations (Hub or Store) and, if present, the mail is not re-scanned
• Upon submission to the Store, the antivirus stamp properties are added to a MAPI property and maintained
– The header is stripped from the email

Page 14: How It Works

• Inbound mail
– Scanned at the Edge or Hub role (whichever comes first)
• Outbound mail
– Scanned at the first Hub role
• Internal mail
– Scanned at the first Hub role (not in the Store)
– Mail in Sent Items is not scanned
• Public Folder postings
– Not scanned on submission

Page 15: Inbound Mail (diagram)

Internet -> Edge Server (SCAN and STAMP) -> Hub Role (NO SCAN) -> Mailbox Role (NO SCAN) -> Client, mailbox or Public Folder

• Mail scanned only once at the Edge
• Saves processing load on Hub and Mailbox servers

Page 16: Outbound Mail (diagram)

Client -> Mailbox Role (NO SCAN) -> Hub Role (SCAN and STAMP) -> Edge Server (NO SCAN) -> Internet; internal mail and Public Folder postings also pass through the Hub role and are not scanned again at the Mailbox role

• Internal mail is routed through the Hub role
• Proactive scanning at the Mailbox server (store) is turned off by default
• Saves processing load on Mailbox servers

Page 17: How Scanning Happens

• There are five ways that a message in the Store can be scanned
– Proactive Scanning: scan on message submission to the store
– On-access Scanning: scan when a message is accessed (e.g. viewed)
– Background Scan: runs once a day
– Manual Scan: runs on a set schedule and/or on demand
– Quick Scan: always an on-demand scan

Page 18: Proactive Scanning Overview

• Turned off by default
• Can be activated via a registry key
• Follows the settings of the Realtime Scan Job
• Scans using
– AV engines
– File filtering rules
– Content filtering rules (subject line, sender-domain)
• If used, scans all mail without exceptions
• If used, scans each message only once

Page 19: On Access Scanning Overview

• Turned on by default
• Follows the settings of the Realtime Scan Job
• Scans using
– AV engines
– File filtering rules
– Content filtering rules (subject line, sender-domain)
• Scans only messages that have not been scanned before
• By default, scans only messages that are one day old or less (can be adjusted)
• Scans each message only once by default

Page 20: Background Scan Overview

• Turned off by default
• Must be enabled, then scheduled
• There is no on-demand use of Background Scan
• Follows the settings of the Realtime Scan Job
• Scans using
– AV engines
– File filtering rules
– Content filtering rules (subject line, sender-domain)
• By default, scoped to scan only messages that are two days old or less, and only messages with attachments

Page 21: Manual Scan Overview

• Turned off by default
– Must be enabled, then scheduled or used on demand
• Follows the settings of the Manual Scan Job
• Scans using
– AV engines
– File filtering rules
– Content filtering rules (subject line, sender-domain)
• If used, scans all messages by default
• Can be scoped to scan only specific mailboxes or Public Folders

Page 22: Quick Scan Overview

• Turned off by default
– Must be used on demand
• Scans using AV engines only
• Does not follow any other Scan Job settings
– Engines and bias settings are set specifically for the Quick Scan
• If used, scans all messages by default
• Can be scoped to scan only specific mailboxes or Public Folders

Page 23: Multiple options

• Standard mode
– Background Scan to sweep the store once each day, scanning only the most vulnerable files
– On-access protection for unscanned mail
• Outbreak mode
– Re-scan on access whenever scan engines update
• Ultimate security mode
– Scan on submission to store
– Re-scan on access whenever scan engines update
– Continuous background scan with new signatures

Page 24: Behavior Changes – scanning behavior changes in Exchange 2007

User action 1: User attaches an infected file to an email and sends the email.
– Proactive Scanning on (Exchange 2000/2003 default): Virus is detected in the Outbox by the Realtime Scan Job and deleted.
– Proactive Scanning off (Exchange 2007 default): Virus is detected in the Outbound mail queue by the Transport Scan Job and deleted.

User action 2: User checks the Sent Items folder.
– Proactive Scanning on (Exchange 2000/2003 default): Virus is already deleted, having been detected in the Outbox by the Realtime Scan Job.
– Proactive Scanning off (Exchange 2007 default): Mail is scanned by On Access scanning (Realtime Scan Job) and the virus deleted.

Each scan job has separate settings, so scan behavior may vary in Exchange 2007, especially because scanning at the Store may be stepped down in effectiveness.

Page 25: Increasing Scanning Levels

• The type and amount of store scanning can be increased by the following options
– Scan on Scanner Update
– Proactive Scanning
– DisableAVStamping registry key
• These options can be used individually or combined

Page 26: Scan on Scanner Update

• The Scan on Scanner Update option increments the virus engine version number every time a scan engine is updated
– Version count kept in the Exchange database
– Consider the number of engines in Forefront!
• Because the Transport Scan version number is always 1, messages arrive in the store with an out-of-date scan status
• The Scan on Scanner Update setting also activates Proactive Scanning
– Will flip the registry key to 1

Page 27: Scan on Scanner Update Impact

• When activated, Scan on Scanner Update causes the following behavior changes
• All messages will be scanned at the store upon arrival or submission
» This includes messages just scanned in Transport
• All messages will be re-scanned on access following an update to any Forefront engine signatures
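The header flow from pages 13-14 and the version check behind Scan on Scanner Update from pages 26-27, as an added Python model that is not Forefront code: the header name and the sample stamp value come from the slides, while the MAPI property name, the "version" field stored with the stamp, and the role order are assumptions.

```python
AV_HEADER = "X-MS-Exchange-Organization-AVStamp-Mailbox"
TRANSPORT_STAMP = "MSFTFF;1;0;0 0 0"  # sample stamp value shown on page 13
TRANSPORT_VERSION = 1                  # "Transport Scan version number is always 1"
MAPI_AV_PROP = "PR_AVSTAMP_ASSUMED"    # hypothetical name for the MAPI property


class Message:
    """Minimal message model: SMTP headers in transport, MAPI props in the store."""
    def __init__(self):
        self.headers = {}
        self.mapi = {}
        self.scans = []  # roles at which the message was actually scanned


def transport_scan(msg, role, stamping=True):
    """Transport Scan Job at an Edge or Hub role: scan once, then stamp.
    stamping=False models the DisableAVStamping registry key (page 25)."""
    if AV_HEADER in msg.headers:
        return False  # already stamped upstream, so not re-scanned
    msg.scans.append(role)
    if stamping:
        msg.headers[AV_HEADER] = TRANSPORT_STAMP
    return True


def store_submit(msg):
    """Store submission: move the stamp into a MAPI property, strip the header."""
    stamp = msg.headers.pop(AV_HEADER, None)
    if stamp is not None:
        msg.mapi[MAPI_AV_PROP] = {"stamp": stamp, "version": TRANSPORT_VERSION}


def store_needs_scan(msg, store_engine_version=1, scan_on_update=False):
    """Realtime Scan Job decision at the Mailbox role.
    Default: a stamped message is never re-scanned.  With Scan on Scanner
    Update, the store's engine version is incremented on every engine update,
    so a message stamped with transport version 1 counts as out of date."""
    prop = msg.mapi.get(MAPI_AV_PROP)
    if prop is None:
        return True
    if scan_on_update:
        return prop["version"] < store_engine_version
    return False


def deliver(roles, stamping=True, store_engine_version=1, scan_on_update=False):
    """Run one message through the given transport roles and into the store;
    return the list of places at which it was scanned."""
    msg = Message()
    for role in roles:
        transport_scan(msg, role, stamping)
    store_submit(msg)
    if store_needs_scan(msg, store_engine_version, scan_on_update):
        msg.scans.append("Store")
    return msg.scans


if __name__ == "__main__":
    print("inbound, defaults:      ", deliver(["Edge", "Hub"]))
    print("stamping disabled:      ", deliver(["Edge", "Hub"], stamping=False))
    print("scan on scanner update: ", deliver(["Edge", "Hub"], store_engine_version=3, scan_on_update=True))
```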

Page 28: Scan on Scanner Update

• The Scan on Scanner Update option ensures that mail is always scanned with the most recent signatures
• This will significantly increase the amount of scanning done in the store
• This is a highly secure setting designed to be used in outbreak scenarios, such as:
– A virus has gotten loose in the network
– A new in-the-wild virus is rapidly spreading
• Keep in mind that even if only one engine updates, all selected engines will re-scan

Page 29: Why Turn On Proactive Scanning?

• Scan on Scanner Update turns on Proactive Scanning in order to spread out the scanning load on the server
• If Proactive Scanning were not turned on, unscanned messages would build up during periods of inactivity (such as overnight) and then set off a potentially disruptive spike in on-access scanning when messages are accessed
– For example, at the start of the workday when many employees have built up significant unread email

Page 30: Incremental Background Scanning

• The ability to scope background scanning allows a daily "sweep" of the store with the latest updates
• Scan only messages delivered in the past
– 4, 6, 8, 12 or 18 hours
– 1, 2, 3, 4, 5, 7 or 30 days
• Combines security and performance
– The most dangerous messages are scanned
– The bulk of the store does not get scanned repeatedly for no reason

Page 31: Premium Anti-spam Protection

• Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007
• Deployed on the Exchange Edge or Hub server role
– The Edge server can be deployed in front of Exchange 2003 mailboxes
• Built upon the base anti-spam in Exchange 2007, premium anti-spam protection adds:
– Microsoft IP reputation filter service and automated updates
– Automated updates for Microsoft Smartscreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF)
– Targeted spam signature data and automatic updates to identify the latest spam campaigns

Page 32: File Filtering

• A key part of any mail protection strategy
• File filtering proactively blocks a specific range of potentially dangerous file types whether or not a signature exists
– Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT
– Some users will block the same file types that are blocked by Outlook 2003
• See Outlook online help for the list

Page 33: Setting Up File Filters

• Search for specific files by name, e.g. "resume.doc"
– Wildcards supported, e.g. "*resume*.doc"
– Each * represents 250 characters
• File filters can be Inbound or Outbound
– <in>*.exe, <out>*.doc
• Files can be blocked based on size, and on size/name/type/direction combinations
– <in>*.mp3>2mb
– <out>*.mp3>5mb
– <in>*.*>10mb

Page 34: File Filtering Actions

• Every filter or filter list can have a separate action applied, offering great flexibility
– Skip: Detect only – logs the event but does not block or alter the message
  • Not a secure setting!
  • Useful for monitoring and discovery purposes
  • Allows for pre-testing of new rules without end user impact
– Delete: Remove contents – removes the attachment only and replaces it with the customized deletion text
– Purge: Eliminate message – deletes both the attachment and the message body
  • End user receives nothing

Page 35: File Filtering – Zip File Behavior (diagram)

Filter rule: Delete *.exe

Container file before scan: EXE, DOC, JPG, BMP
Container file after scan: TXT (custom deletion text), DOC, JPG, BMP
Quarantine: EXE

• Forefront scans within ZIP and other compressed formats, deletes only the offending file and then repackages the ZIP
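The filter-rule syntax from page 33 and the Delete action with the ZIP repackaging behaviour from pages 34-35, as an added Python example that is not Forefront code: the rule grammar (optional <in>/<out> direction, name wildcard, optional ">Nmb" size cap), the "<name>.txt" replacement file, and the deletion text are assumptions, and the sample container is constructed.

```python
import fnmatch
import io
import re
import zipfile

# Hypothetical grammar for the rule strings shown on page 33, e.g. "<in>*.exe",
# "<out>*.mp3>5mb", "<in>*.*>10mb": optional direction, name glob, optional size.
RULE_RE = re.compile(r"^(?:<(in|out)>)?([^>]+?)(?:>(\d+)(kb|mb))?$", re.I)
UNITS = {"kb": 1024, "mb": 1024 * 1024}
DELETION_TEXT = b"Attachment removed by file filter"  # constructed placeholder text


def parse_rule(rule):
    """Return (direction, name_glob, min_size_bytes); direction is 'in', 'out' or 'any'."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"bad filter rule: {rule!r}")
    direction, glob, num, unit = m.groups()
    size = int(num) * UNITS[unit.lower()] if num else 0
    return (direction.lower() if direction else "any", glob, size)


def rule_matches(rule, name, size, direction):
    """True when an attachment of this name/size/direction is caught by the rule."""
    rdir, glob, min_size = parse_rule(rule)
    if rdir != "any" and rdir != direction:
        return False
    return fnmatch.fnmatch(name.lower(), glob.lower()) and size > min_size


def filter_zip(zip_bytes, rules, direction):
    """Delete action inside a container: every member caught by a rule is replaced
    by <name>.txt holding the deletion text (replacement naming is an assumption);
    the rest is repackaged unchanged.  Returns (new zip bytes, quarantined names)."""
    quarantined = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if any(rule_matches(r, info.filename, info.file_size, direction) for r in rules):
                quarantined.append(info.filename)          # offending file goes to quarantine
                dst.writestr(info.filename + ".txt", DELETION_TEXT)
            else:
                dst.writestr(info, src.read(info))          # untouched member is kept
    return out.getvalue(), quarantined


def build_sample_zip():
    """Constructed container like the one on page 35: EXE, DOC, JPG, BMP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("setup.exe", b"MZ" + b"\0" * 100)
        z.writestr("report.doc", b"doc body")
        z.writestr("photo.jpg", b"\xff\xd8" * 50)
        z.writestr("scan.bmp", b"BM" + b"\0" * 3_000_000)   # about 3 MB, over the 2 MB rule
    return buf.getvalue()


def demo():
    """Apply '<in>*.exe' plus a 2 MB size cap to the sample inbound container."""
    filtered, quarantined = filter_zip(build_sample_zip(), ["<in>*.exe", "<in>*.*>2mb"], "in")
    with zipfile.ZipFile(io.BytesIO(filtered)) as z:
        return sorted(z.namelist()), sorted(quarantined)


if __name__ == "__main__":
    print(demo())
```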

Page 36: Common Management Infrastructure and Platform

Page 37: Summary

• Comprehensive protection against the latest threats
• Optimized performance to keep mail moving
• Simplified management to ease the IT burden
• An integral part of Microsoft Forefront™
• Visit http://www.microsoft.com/forefront/serversecurity
– Download evaluation software and VHDs

Page 38: Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx

Page 39: Thank you

http://www.microsoft.com/southafrica/ucs/2007

Q&A