Forefront Server Products

1
Forefront Server Products

• Ronald Beekelaar
• Beekelaar Consultancy
• ronald_at_beekelaar.com

2
Introductions

• Presenter Ronald Beekelaar
• MVP Windows Security
• MVP Virtual Machine Technology
• E-mail ronald_at_beekelaar.com
• Work
• Beekelaar Consultancy
• Security consultancy
• Forefront, IPSec, PKI
• Virtualization consultancy
• Create many VM-based labs and demos

3
Agenda

• Overview of Forefront Server
• Exchange Scanning
• E-mail Transport Scanning
• How Mail Store Scanning Works
• Mail Store Scanning Options
• File filtering
• Forefront Server Security Management Console
  (FSSMC)
• Forefront Security for SharePoint

4
Demo environment

• Specifications
• Three Win2003 R2 VMs Exchange 2007
  Forefront for Exchange Outlook 2003
  SharePoint Services 3.0 Forefront for
  SharePoint Forefront Management Console
  (beta)
• Memory 2 GB required

5
Forefront Security for Exchange Server includes
multiple scan engines from industry-leading
security firms, integrated in a single solution
to help businesses protect their Exchange
messaging environments from viruses, worms, and
spam.

• Ships with manages multiple antivirus engines
• Multi-layered protection in Exchange 2007
• File filtering and premium anti-spam protection

Comprehensive Protection

• Deep integration with Exchange Server
• Scanning innovations performance controls
• Maintains uptime and optimizes performance

Optimized Performance

• Easily manage configuration and operation
• Automated signature updates
• Reporting, notifications and alerts

Simplified Management
6
Forefront Security for Exchange

• History
• Sybari Antigen 8.0 for Exchange
• For Exchange 5.5 and Exchange 2003
• Microsoft Antigen 9.0 for Exchange
• For Exchange 2003
• Forefront Security 10.0 for Exchange
• For Exchange 2007

7
Multiple Scan Engines

• Forefront Security for Exchange Server integrates
  and ships with industry-leading antivirus scan
  engines from

• Each scan job in Forefront Security for Exchange
  Server can run up to five engines simultaneously

8
Multiple Scan Engines

• Engines from eight different vendors
• All delivered and licensed by Microsoft
• You can select a maximum of 5 (out of 8) engines
• NoteSince 16-Jan-2007, CA Vet and CA
  InoculateIT combined
• Customer benefits
• Rapid response to new threats
• Greater protection through diversity of
  anti-virus engines
• Continuous protection

9
Multiple Scan EnginesResults from AV-test.org
(2006)
10
Multiple Scan EnginesBias setting

• Available 8 engines
• Select max 5 engines (from 8)
• Bias setting how many used on single email (1..5)

A

• Max Certainty uses all selected engines (100)
  - 5
• Favor Certainty uses all available engines - 5
  or 4
• Neutral uses at least 50 of selected engines
  - 3
• Favor Performance uses up to 50 of selected
  engines - 3, 2 or 1
• Max Performance uses one engine for every scan
  - 1

11
Multiple Scan Engine Performance

• 3Sharp conducted analysis on the incremental
  impact of additional scan engineson performance
• FindingsThe additional protection offered by
  multiple engines greatly offsets the minimal
  impact to server performance

Scan Engines
12
Scan Engine Updates

• Forefront for Exchange polls for updates
• Available at
• http//forefrontdl.microsoft.com
• Share at another Forefront Server
• Share at Forefront Management Console (FSSMC)
• But NOT available at
• Antivirus vendor Web site (Norman, Sophos, etc)

13
Scan Mechanisms

• Scan for viruses - using scan engines
• Signature based
• File filtering - block specific attachments
• File name or content based
• Scan inside "containers" (zip, rar, doc, etc)
• Max 5 levels deep
• Re-creates rest of container-file, if virus
  detected

14
Exchange 2007 Roles
15
Scanning at Transport

• Transport scanning
• Try to minimize effect on Message Store
• Do not scan if scanned already - AV-stamp
• Inbound at Edge role (not at Mailbox role)
• Outbound at Hub role (not at Mailbox role)
• Internal at Hub role (not at Mailbox role)
• AV-stamp
• Antivirus header stamp is written to each email
  as it is first scanned(at Edge or Hub role)
• X-MS-Exchange-Organization-AVStamp-Mailbox
  MSFTFF100 0 0
• Checked by later scanning operations (at Hub or
  Store role)
• If found - mail is not re-scanned
• When mail is saved in the Store, antivirus stamp
  properties are savedas a MAPI property
• The header is stripped from the email

16
A Quick Look At Transport ScanningHow It Works

• Inbound mail
• Scanned at the Edge or Hub role (whichever comes
  first)
• Outbound mail
• Scanned at the first Hub role
• Internal Mail
• Scanned at the first Hub role (not in the Store)
• Mail in Sent Items is not scanned
• Public Folder postings
• Not scanned on submission
  

17
Scanning - Inbound Mail
Edge Server
Hub Role
Mailbox Role
NO SCAN
NO SCAN
SCAN AV-STAMP
Client
Mailbox Role

• Mail scanned only onceat the Edge
• Saves processing loadon Hub and Mailbox servers

Public Folder
18
Scanning - Outbound Mail
Edge Server
Hub Role
Mailbox Role
SCAN AV-STAMP
NO SCAN
NO SCAN
Client
Mailbox Role

• On-submission scanning at the Mailbox server
  (store) is turned off by default
• Scan takes place at the Hub role
• Saves processing loadon Edge and Mailbox servers
  

Public Folder
19
Scanning - Internal Mail
Edge Server
Hub Role
Mailbox Role
NO SCAN
NO SCAN
SCAN AV-STAMP
Client
Mailbox Role

• Internal mail is routedthrough Hub role
• Saves processing loadon Mailbox servers

NO SCAN
Public Folder
20
Scanning at Store

• Store scanning
• Proactive scanning - off by default
• Scan on message submission to the store
• On-access scanning - on by default
• Scan when a message is accessed or viewed
• But do not scan if scanned before (looks at
  AV-stamp)
• Useful for Outbox, Sent-Items, Public Folders
• Background Scan - off by default
• Runs once a day
• Scan only message less than x days old (ignores
  AV-stamp)
• Manual Scan - off by default
• Runs on a set schedule or on demand (ignores
  AV-stamp)
• Quick Scan - off by default
• Easy way to run one-time manual scan (ignores
  AV-stamp)

21
Automatic ScanningBehavior Changes

• Scanning behavior changes in Exchange 2007

• Each scan job has separate settings, so scan
  behavior may vary in Exchange 2007

22
"Outbreak mode"

• Warning do not use, except with major outbreak
• Scan on Scanner Update setting
• Invalidates AV-stamp after each engine update
• Result
• Enables proactive (submission) scanning
• Scans each incoming message at store,even if
  just scanned on transport
• Scans each mail on access, if engine has been
  updated
• Conclusion
• Significant increase in amount of store
  scanning,but always scanned with latest engines

23
File Filtering

• Block file attachments, based on name (or
  content)
• Extension - file name or file content
• .exe, .vbs, etc
• Inbound/outbound/size
• .exe, .doc
• .mp35MB, 10MB
• Can also configure for "detect only"

24
File Filtering Zip File Behavior

• Forefront scans within ZIP and other compressed
  formats, deletes only the offending file and then
  repackages the ZIP

Custom deletion text
Filter Rules Delete .exeQuarantine
Container file before scan
25
Premium Anti-spam Protection

• Forefront Security for Exchange Server licenses
  and activates the premium anti-spam features for
  Exchange 2007
• Deployed on Exchange Edge or Hub server role
• Edge server can be deployed in front of Exchange
  2003 mailboxes
• Built upon base anti-spam in Exchange 2007,
  premium anti-spam protection adds
• Microsoft IP reputation filter service and
  automated updates
• Automated updates every 15 minutes for Microsoft
  Smartscreen spam heuristics, phishing Web sites
  and Intelligent Message Filter (IMF)
• Targeted spam signature data and automatic
  updates to identify latest spam campaigns
• Rights to use Exchange Hosted Services Filtering

26
Forefront Server Security Management Console
27
Microsoft Forefront Server Security Management
Console allows administrators to easily manage
Forefront Security for Exchange Server, Forefront
Security for SharePoint and Microsoft Antigen
installed on multiple servers across the
enterprise.
Centralizes management through the Web-based
console Automates signature updates for multiple
antivirus engines Generates comprehensive reports
Simplified Management
Provides outbreak response Rapidly distributes
signature and scan engine updates
Comprehensive Protection
Integration with Microsoft SQL Server 2005 and
Windows Server 2003 Redundancy maintains server
availability Support for Exchange 2007 CCR
clusters
Optimized Performance
28
FSSMC

• Forefront Server Security Management Console
  (FSSMC)provides - management - reporting
  - alerting/eventsfor the Forefront Server
  products
• This includes Antigen Server products,but not
  Forefront Client Security
• Successor to Antigen Enterprise Manager (AEM)
• Released October 2007
• Future "Stirling" management console covers
• Forefront Client
• Forefront Server
• Forefront Edge

29
Support matrix and history
30
Supported Topology
Exchange 2007 Mailbox Server
Exchange 2007 Hub Server
Exchange 2000 or 2003 Routing Server
Exchange 2000 or 2003 Mailbox Server
Exchange 2007 Edge Server
Microsoft Office SharePoint Server 2007 or
Windows SharePoint Services 3.0
31
Minimum System Requirements
32
Feature Overview
33
Add a Server

• First step is to identify and add the Forefront
  orAntigen server
• Can be added directly or use the Browse feature
• Once added, the FSSMC Agent software must be
  installed on the target server by a job that will
  push and install the Agent
• Target server credentials are entered through the
  FSSMC console
• Installation progress and status shown on screen

34
Jobs Overview

• Jobs are management tasks that are run on demand
  or based on a schedule
• Deployment jobs
• Software, license files, templates
• Signature redistribution jobs
• Schedule reports
• General options
• Manual Scan Job
• Log retrieval

35
Job Signature Distribution

• A primary task for the FSSMC
• The FSSMC server serves as the central download
  agent for all scan engines and updates
• They are then distributed proactively to the
  Forefront and Antigen servers
• Engine updates are delivered to all servers. You
  cannot choose among them.
• Select the Update Schedule and choose the engines
  to download

36
Job Signature Distribution
Choose the scan engines for Forefront and
Antigen.
Set the time intervals and download path.
37
Automated Signature Updating
www.microsoft.com
Internet
Internet
Engine Partner Updates
ForefrontEngineAdaptor
38
Redundancy Signature Distribution

• The Backup server connects to Internet and
  retrieves the Forefront (FF) engine manifest file
• The Primary Server connects to the Internet and
  retrieves signature updates
• Primary notifies all FF clients that updates are
  available
• The Backup Server connects to Primary and
  compares file manifest to files available on
  Primary
• If files are newer, Backup copies them
• If Primary is out of date, Backup downloads from
  the Internet
• Backup notifies client machines that it also has
  signature updates
• Clients will pull signatures from Backup if they
  are more up to date

Internet
1
2
4
Primary
Backup
5
3
6
Forefront Servers
39
Auto-discovery of Exchange Servers

• A nightly scan of Active Directory searches for
  Exchange servers Compares discovered servers with
  known servers in the Forefront Server Security
  Management Console
• All previously undiscovered Exchange servers are
  highlighted on the screen and available via a
  daily report
• Forefront/Antigen can then be deployed to these
  servers

40
Auto-discovery of Exchange Servers (cont.)
At a Glance screen highlights newly discovered
servers.
41
Reporting At a Glance

• A system status screen showing key data points
  from the past 24 hours
• Virus statistics
• Skipped, cleaned, detected, blocked, etc.
• Spam statistics
• Skipped, purged, identified, etc.
• Antigen 9 only
• Filter Statistics
• File filters, keyword filters, subject line
  filters
• Top 5 Viruses
• Most Active Servers

42
Reporting Out-of-date engine and signature
version report

• Problem Security Admins want to be kept up to
  date of whether their systems are up-to-date.
  Out-of-date signatures and engines should be
  identified.
• Solution FSSMC makes it possible to view the
  signature and engine version on each managed
  server. It does not matter whether the server is
  updated by FSSMC or not.

43
Alert Management

• Example
• An alert can be sent when no virus activity is
  seen for a specified period of time
• A lack of virus detections can indicate a
  scanning failure
• Possible scan job crash
• Possibly misconfigured server

44
Reporting Out-of-date engine and signature
version report
Turns RED when there is no internet connection
45
Forefront Security for SharePoint
46
How Do Viruses Get to SharePoint?

• Today, viruses arrive primarily by accident not
  design
• User uploads document with embedded payload
• Possibly malicious user activity
• Risks in an extranet deployment
• User maps a network drive to \\server\sites\teamsi
  te
• If a user is infected by a virus that attempts to
  propagate to network shares, then the virus can
  propagate to SharePoint sites

Users
SharePoint Portal Server
SQL Document Library
47
Why SharePoint Antivirus?

• File Server AV does not provide the level of
  protection needed to prevent SharePoint-related
  infections
• Desktop AV is not enough to solve the problem
• Desktop AV may detect infection within the cached
  copy, but cannot clean the stored copy in the
  document library
• Forefront Security for SharePoint cleans the
  document in the library, ensuring all posted and
  downloaded documents are safe
• Signature distribution is often slow and
  problematic, and never contains five scanning
  engines

48
Forefront Antivirus Scanning

• Forefront provides two types of scan jobs
• Realtime Scan Job Scans any files being
  uploaded to or downloaded from SharePoint
• Works with web browser or any other application
  accessing SharePoint
• Provides proactive protection
• Manual Scan Job Scans all or part of SharePoint
  document library on demand
• Scans can be scheduled
• Can be used to scan with engines different than
  Realtime scan job

49
Forefront Realtime Scan Job

• Realtime scanning always uses the VSAPI
• Basic Realtime scan settings are centrally
  configured through the SharePoint interface, not
  the Forefront console

Then click Operations, followed by Antivirus
Click here to change settings
50
Virus - user experience
51
Realtime Scan Virus Detection Actions

• When Forefront detects a virus, several Actions
  are available
• Skip detect only Logs presence of virus, but
  does not block or delete it
• Not a secure setting!
• Can be used for testing/evaluation purposes
• Clean repair document Attempts to clean the
  file. If file cannot be cleaned, it is blocked
• Delete block document GOOD CHOICE !!

52
Realtime Virus Deletion Text

• When a file is deleted because it contains a
  virus, Forefront replaces it with a text file
• File keeps name, but gets a .txt extension
• Deletion text is only used in Realtime scanning
  when replacing files within a ZIP file
• The text file contains a configurable Deletion
  Text that can include system information
• By default, the deletion text reads

Microsoft Forefront Security for SharePoint
State a file since it was found to be
infected. File name "File Virus name
"Virus
53
Forefront Manual Scan Job

• Manual Scan provides tree-view into document
  library
• All or part of the library can be
  set for
  scanning by using
  check boxes
• Settings will not include new
  sites by default
  unless the top box is checked
• Use Quick Scan to scan a particular part of the
  library

54
File Filtering Forefront vs. SharePoint

• SharePoint also supports file blocking, but
  performs only file extension checking
• Will not catch a file if extension is changed to
  a an approved file extension
• If SharePoint and Forefront rules overlap,
  SharePoint rule is applied first
• SharePoint file scanning requires less overhead
  and should be used in conjunction with Forefront
• Block the same list of files in both places
• Skip detect mode can be used to inventory the
  library or understand real-time file storage
  patterns

55
Large File Support

• Large file support has been added to the VSAPI in
  SharePoint 2007
• The VSAPI hook can load and transfer pieces of
  the file on demand
• Forefront requests file data in chunks
• Maximum file size that can be scanned is 2GB
• If the file is larger than 2GB, then the
  ForefrontService will return a value of
  MSOVSI_STATUS_INFECTED
• The Virus Information string will note Exceeded
  File Size

56
VSAPI 1.4 Architecture

• The SharePoint process (AVM) reads and writes to
  the DB
• AV engines do not have to interact with DB
• VSE returns results and the AVM takes action,
  e.g. block, clean, etc.

SharePoint Front End
Antivirus Manager (AVM)
SharePoint DB
COM Layer
Antivirus Vendor Component
Virus Scan Engine (VSE)
57
SharePoint API integration

• Utilizes the SharePoint Virus API to scan files
  during upload and download
• Optimized for performance in a SQL environment
• Files are not rescanned if engines have not been
  updated
• Up to ten simultaneous scanning threads to help
  ensure users are not delayed waiting for
  documents to scan
• Automatic integration with SharePoint Information
  Rights Management (IRM) to scan protected files
  on the fly

58
Troubleshooting Tips

• FSCUtility.exe
• FSCUtility /status - Gives an on-screen report
  showing the status of Forefront Security and the
  server
• FSCUtility /disable - Disables Forefront Security
  dependencies
• FSCUtility /enable - Enables Forefront Security
  dependencies
• FSCDiag
• Programlog.txt
• Event Logs
• Perfmon Counters
• MOM Packs
• Forum http//forums.microsoft.com/Forefront/defau
  lt.aspx?ForumGroupID275SiteID41

59
Microsoft Operations Manager

• Over 100 Events, Performance Counters, and
  Services Monitored
• Monitors the state of Forefront.
• Collects statistical data on scanning, detection,
  and removal of messages and attachments
• Polls Forefront Services - Provides timed events
  to poll systems for critical process health
• Key Tasks
• Triggers scan engine updates
• Centralizes storage and deployment of license
  files
• Imports, exports and deploys setting changes
• Initiates and/or schedules manual scan jobs
• Starts/Stops control of Forefront services

60
QA