Antigen Threat and Vulnerability Mitigation Technologies - PowerPoint PPT Presentation (56 slides)

Description: Gain a detailed understanding of the scanning processes used in Antigen, of its filtering options and of how they work.

Transcript and Presenter's Notes
1
Antigen Threat and Vulnerability Mitigation
Technologies
  • Erik De Bondt
  • Sr. Technology and Solutions Advisor
  • Microsoft Belgium and Luxembourg

Credits: Peter Eicher, Senior Product Manager
2
Session Objectives And Key Takeaways
  • Session Objective(s)
  • Gain a detailed understanding of the scanning
    processes used in Antigen
  • Understand the various filtering options in
    Antigen and how they work
  • Key Takeaways
  • Knowledge of the SMTP and VSAPI scanning
    processes
  • Knowledge of Antigen performance
  • Knowledge of Antigen file filtering

3
Antigen Overview
  • Antigen is anti-virus, anti-spam, content and
    file filtering software protecting email at the
    SMTP layer and the Exchange store
  • Uses multiple anti-virus engines
  • Kaspersky Lab
  • Norman Data Defense
  • Sophos
  • Virus Busters
  • AhnLabs
  • Authentium Command
  • CA InoculateIT
  • CA VET

Engines in highlighted italics are default engines
  • The MS Antivirus engine will be provided in the
    first Microsoft-branded version of Antigen

4
Agenda
  • SMTP Scanning
  • Windows SMTP Event Sinks
  • SMTP Scanning Direction
  • SMTP Scanning Order

5
SMTP Scanning: Windows SMTP Event Sinks
  • Simple Mail Transport Protocol service
  • Provides Internet mail processing
  • Provided by Windows 2000 and Windows Server 2003
  • Has an extensible Event Sink architecture
  • Protocol Event Sink
  • Fires during the SMTP protocol conversation
  • Antigen uses it to capture authenticated connection
    information
  • Transport Event Sink
  • Fires after the SMTP message has been received and is
    being processed by the SMTP service
  • Antigen uses it to scan and update the message

6
SMTP Scanning: Windows SMTP Event Sinks
(Diagram: the Antigen Protocol Event Sink and the Antigen Transport Event Sink attached to the Windows SMTP service)
7
SMTP Scanning: SMTP scanning direction
  • Antigen provides three directions of scanning
  • Inbound: all messages relayed through an
    external server (i.e. Internet mail)
  • Outbound: any message where at least one
    recipient has an external address (not in your
    domains)
  • Internal: messages routed from one location
    within your organization to another
  • All recipients must be within your domains or else
    the message is treated as Outbound
  • The General Options panel has an Internal Address
    field to enter all internal domain information

8
SMTP Scanning: SMTP scanning order
  • Filters are applied in a specific sequence
  • Designed for maximum performance

(Slide columns: Spam Filtering, Content Filtering, Attachment Scanning, Body Scanning)
  • Allowed Sender Checks
  • Spam Scanning
    • RBL Filter
    • Sender/Domain Filter
    • Subject Line Filter
  • Non-Archive Files
    • Worm Scanning
    • File Filtering
    • Virus Scanning
  • Archive Files
    • File Filtering
    • Traverse the archive
    • Keyword Filtering
    • Virus Scanning
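
The sequence on this slide, worked through as an added example (not Antigen's code or its configuration format): a constructed SMTP message passes the allowed-sender check, then the spam filters, then the non-archive attachments and finally the archives, stopping at the first verdict. The policy tables, the worm name list, the toy signature (a substring of the EICAR test string) and the sample messages are all constructed for this example; the real lists live in the Antigen console and the scanning is done by the vendor engines.

```python
import fnmatch
import io
import zipfile
from dataclasses import dataclass, field

# Policy tables constructed for this example (assumed values, not Antigen defaults).
ALLOWED_SENDERS = {"partner@contoso.com"}        # bypass the spam stage only
RBL_LISTED_IPS = {"203.0.113.9"}                 # stand-in for a DNS RBL lookup
BLOCKED_SENDER_DOMAINS = {"spam.example"}
SUBJECT_BLOCKLIST = ("free money",)
WORM_NAMES = {"readme.exe", "love-letter-for-you.txt.vbs"}   # assumed worm purge list
BLOCKED_PATTERNS = ("*.exe", "*.com", "*.pif", "*.scr", "*.vbs", "*.shs", "*.chm", "*.bat")
KEYWORDS = (b"confidential",)                    # keyword filter applied to archive members
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File"}  # toy signature engine


@dataclass
class Message:
    connecting_ip: str
    sender: str
    subject: str
    attachments: dict = field(default_factory=dict)   # attachment name -> bytes


def is_archive(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def archive_members(data: bytes):
    """Yield (name, bytes) for every file member of a zip attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)


def blocked_by_name(name: str) -> bool:
    return any(fnmatch.fnmatch(name.lower(), p) for p in BLOCKED_PATTERNS)


def virus_hit(data: bytes):
    for sig, label in SIGNATURES.items():
        if sig in data:
            return label
    return None


def scan_smtp(msg: Message):
    """Run the slide-8 sequence; return (verdict, detail) at the first hit."""
    # Stage 1: allowed-sender check. Trusted senders skip the spam stage,
    # but their attachments are still scanned below.
    if msg.sender.lower() not in ALLOWED_SENDERS:
        # Stage 2: spam scanning, cheapest lookups first.
        if msg.connecting_ip in RBL_LISTED_IPS:
            return "spam", f"RBL filter: {msg.connecting_ip}"
        if msg.sender.rsplit("@", 1)[-1].lower() in BLOCKED_SENDER_DOMAINS:
            return "spam", f"sender/domain filter: {msg.sender}"
        if any(k in msg.subject.lower() for k in SUBJECT_BLOCKLIST):
            return "spam", f"subject line filter: {msg.subject!r}"

    # Stage 3: non-archive attachments (worm list, file filter, then engines).
    plain = {n: d for n, d in msg.attachments.items() if not is_archive(d)}
    for name, data in plain.items():
        if name.lower() in WORM_NAMES:
            return "worm", name
        if blocked_by_name(name):
            return "file filter", name
        hit = virus_hit(data)
        if hit:
            return "virus", f"{name}: {hit}"

    # Stage 4: archives. Filter the container by name, then traverse it and
    # apply file filter, keyword filter and engines to every member.
    for name, data in msg.attachments.items():
        if name in plain:
            continue
        if blocked_by_name(name):
            return "file filter", name
        for member, payload in archive_members(data):
            inner = f"{name}/{member}"
            if blocked_by_name(member):
                return "file filter", inner
            if any(k in payload.lower() for k in KEYWORDS):
                return "keyword filter", inner
            hit = virus_hit(payload)
            if hit:
                return "virus", f"{inner}: {hit}"
    return "clean", ""


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # The RBL-listed host is rejected before any attachment is opened; the
    # allowed sender skips the spam stage but its zip is still traversed.
    listed = Message("203.0.113.9", "x@example.net", "hi", {"a.txt": b"ok"})
    trusted = Message("203.0.113.9", "partner@contoso.com", "report",
                      {"q.zip": make_zip({"report.exe": b"MZ"})})
    print(scan_smtp(listed))    # ('spam', 'RBL filter: 203.0.113.9')
    print(scan_smtp(trusted))   # ('file filter', 'q.zip/report.exe')
```

The ordering is what makes the slide's "designed for maximum performance" claim concrete: a set lookup on the connecting IP or sender domain rejects most junk before any attachment is decoded, and archive traversal, the most expensive stage, only runs for mail that survived everything cheaper.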

9
Agenda
  • Exchange Store Scanning
  • Exchange VSAPI 2.5
  • Background Scanning
  • Proactive Scanning
  • On-access Scanning
  • Antigen VSAPI Implementation
  • Antigen General Options

10
Exchange Store Scanning: Exchange VSAPI 2.5
  • Virus Scanning API v 2.5
  • Provided by Exchange 2000 and Exchange 2003
  • Allows 3rd party products to hook into Exchange
    to scan message bodies and attachments
  • Provides Single Instance scanning
  • Marks messages scanned in an Exchange database
    table

11
Exchange Store Scanning: Exchange VSAPI 2.5
  • VSAPI v 2.5 uses Global Thread Pooling to
    optimize server performance
  • The default number of scanning threads is
    2 × <number of processors> + 1
  • The number of threads is listed in the registry
  • HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\ScanningThreads
  • AV vendors may override this setting
  • Antigen does; details ahead

12
Exchange Store Scanning: Exchange VSAPI 2.5
  • VSAPI provides three scanning modes
  • Background scanning: runs actively in the
    background looking for items that have not been
    scanned
  • Proactive scanning: scans as items are submitted
    to the Exchange store
  • On-access scanning: scans when a message is
    accessed. Also referred to as Real-time scanning

13
Exchange Store Scanning: VSAPI Background Scanning
  • Uses one thread per database
  • Runs at below normal priority
  • Thread is activated when the store service is
    started and each time the virus scanning DLL is
    reloaded
  • Checks to see which folders have been scanned
    with the current version of AV software and
    re-scans if needed
  • Uses the ptagVirusScannerStamp to track AV
    version level

14
Exchange Store Scanning: VSAPI Proactive Scanning
  • As messages are submitted to the Exchange store,
    they enter the global scanning queue
  • Items enter as low priority
  • Maximum of 30 entries in the queue
  • Scanned on a first in, first out (FIFO) basis
  • Overflow messages will go to the store unscanned
  • If an item is accessed while in queue, it is
    changed to high priority

15
Exchange Store Scanning: VSAPI On-access Scanning
  • When a message is accessed, the virus scanning
    stamp is checked
  • If the item has been scanned by the most
    up-to-date AV version, it is not scanned
  • If the AV version has changed
  • Access to the item is blocked
  • The message is submitted to the Global Scanning
    Queue with high priority
  • When AV scan is completed, the item can be opened

16
Exchange Store Scanning: Antigen VSAPI implementation
  • Background Scanning
  • Turned off by default in Antigen for performance
    reasons
  • Given the frequency of engine updates in Antigen,
    this would create a large amount of re-scans
  • Antigen provides manual and scheduled scanning to
    allow re-scanning of the store
  • Offers better granularity and control
  • The VSAPI background options can be turned on via
    settings in the General Options panel

17
Exchange Store Scanning: Antigen VSAPI implementation
  • Proactive Scanning
  • Works the same as VSAPI except that
  • Antigen manages the number of scanning threads
    via its own registry key and the
    AntigenRealtime.exe process
  • Default is two scanning threads per storage group
  • May be increased to four via registry key
  • HKLM\Software\Sybari Software\Antigen for Exchange\RealtimeProcessCount
  • Antigen Realtime Scan Job refers to the VSAPI
    Proactive Scan

18
Exchange Store Scanning: Antigen VSAPI implementation
  • On-access Scanning
  • Antigen disables re-scanning on every change of
    scanner
  • Done for performance reasons due to frequency of
    engine updates
  • The VSAPI on-access options can be turned on via
    settings in the General Options panel
  • Antigen Realtime Scan Job includes the VSAPI
    on-access scanning

19
Exchange Store Scanning: Antigen General Options
  • Scan on ScanJob update
  • Will rescan previously scanned files if Scan Job
    settings are changed, e.g. Bias settings or engine
    choices
  • Enable Background Scan if Scan on ScanJob
    Update Enabled
  • Will initiate a background scan every time a
    ScanJob setting is changed

20
Exchange Store Scanning: Antigen General Options
  • Scan on Scanner Update
  • Will rescan previously scanned files if any scan
    engine has updated since the last time the
    message was scanned (includes on-access and
    proactive)
  • Enable Background Scan if Scan on Scanner
    Update Enabled
  • Will initiate a background scan every time a scan
    engine is updated

21
Agenda
  • In Memory Scanning
  • Overview
  • Limitations
  • Size Restriction Settings

22
In Memory Scanning: Overview
  • Antigen uses memory space to open attachments,
    rather than spooling to disk
  • Delivers faster performance
  • Memory is dynamically allocated based on the size
    of the message and attachment

(Diagram: a 432kb EXE attachment is opened from the available memory pool and the memory is returned to the pool after scanning)
23
In Memory Scanning: Limitations
  • Antigen uses a maximum of 3GB of memory
  • This is the largest addressable memory space
    available to a process in a 32-bit system
  • 4GB total, but 1GB is reserved for the OS (this
    split requires the /3GB boot switch; without it a
    32-bit process gets only 2GB of user-mode address
    space)
  • What happens if the file size exceeds the amount
    of available memory?
  • There are various configurable settings to handle
    this.

24
In Memory Scanning: Size restriction settings
  • Maximum container file size: the largest container
    file size Antigen will attempt to clean or repair
    in the event that it discovers an infected or
    corrupted file
  • 26 MB by default
  • Antigen will report deleted files as a
    LargeInfectedContainerFile virus
  • Can be set in General Options

25
In Memory Scanning: Size restriction settings
  • Maximum nested attachments: the maximum number of
    nested attachments that can appear in MSG, TNEF, MIME,
    and Uuencoded files
  • The default is 30
  • If the maximum is exceeded, the file is marked
    for deletion and Antigen will send a notification
    stating that an ExceedinglyNested virus was
    found
  • Can be set in General Options

26
In Memory Scanning: Size restriction settings
  • Maximum nested compressed files: the maximum
    nesting depth for a compressed file
  • Default value is 5 nestings
  • A value of 0 allows infinite nesting (which gives
    up the depth limit that protects against the Zip of
    Death attack described on slide 30)
  • If the file exceeds the maximum, the entire file
    is marked for deletion and Antigen will send a
    notification stating that an ExceedinglyNested
    virus was found
  • Can be set in General Options

27
In Memory Scanning: Size restriction settings
  • Maximum container scan time: the number of
    milliseconds that Antigen will scan a compressed
    attachment before reporting it as a
    ScanTimeExceeded virus
  • This setting is intended to prevent Denial of
    Service risk from Zip of Death attacks
  • The default value is 120,000 milliseconds (two
    minutes)
  • Can be set in General Options

28
In Memory Scanning: Size restriction settings
  • Maximum Compressed Archive File Size: the maximum
    compressed size for a file within a zip archive
  • Default is 20MB
  • Files are deleted and reported as Corrupted
    Compressed File
  • Set via registry key HKLM\SOFTWARE\Sybari Software\Antigen for Exchange\MaxCompressedArchiveFileSize

29
In Memory Scanning: Size restriction settings
  • Maximum Uncompressed File Size: the maximum
    uncompressed file size for a file within a zip
    archive
  • Default is 100MB
  • Files are deleted and reported as Corrupted
    Compressed File
  • Set via registry key HKLM\SOFTWARE\Sybari Software\Antigen for Exchange\MaxUnCompressedFileSize

30
In Memory Scanning: Zip attacks, a side note
  • Zip attacks can run up CPU utilization to 100%
    and block mail processing, or overrun available
    memory or disk space
  • Zip of Death: zipping a file over and over, as
    much as 1,000 times or more
  • Causes memory or disk outage, or a CPU spike
  • Zip expansion attack: one or more large, simple,
    uniform files are zipped
  • E.g. a 100MB txt file consisting of all zeros can
    zip to 560kb
  • Causes memory or disk outage, or a CPU spike
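
The size-restriction settings from slides 26 to 29 and the two zip attacks above, applied in one added example that is not Antigen code: a container walker that enforces the nesting depth, the per-member compressed and uncompressed size limits and a scan-time budget, and reports the same pseudo-virus names the slides use. The LIMITS table, the helper names and the constructed sample archives are this example's own; Python's zipfile module is used as the archive reader, and the central directory sizes are checked before anything is inflated.

```python
import io
import time
import zipfile

# Limits named after the Antigen settings on the preceding slides; the dict
# and the byte values are this example's own choices.
LIMITS = {
    "max_nested_compressed": 5,                   # Maximum nested compressed files (0 = unlimited)
    "max_compressed_entry": 20 * 1024 * 1024,     # MaxCompressedArchiveFileSize
    "max_uncompressed_entry": 100 * 1024 * 1024,  # MaxUnCompressedFileSize
    "max_scan_ms": 120_000,                       # Maximum container scan time
}


def scan_container(data, limits=LIMITS, depth=1, deadline=None, path="root.zip"):
    """Walk a zip container and return (verdict, location).

    verdict is 'clean' or one of the pseudo-virus names Antigen reports:
    ExceedinglyNested, CorruptedCompressedFile, ScanTimeExceeded.
    """
    if deadline is None:
        deadline = time.monotonic() + limits["max_scan_ms"] / 1000.0
    max_depth = limits["max_nested_compressed"]
    if max_depth and depth > max_depth:
        return "ExceedinglyNested", path
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if time.monotonic() >= deadline:       # budget shared by the whole tree
                    return "ScanTimeExceeded", path
                entry = f"{path}/{info.filename}"
                # The central directory states both sizes, so an oversized
                # member is refused before a single byte of it is inflated.
                if info.compress_size > limits["max_compressed_entry"]:
                    return "CorruptedCompressedFile", entry
                if info.file_size > limits["max_uncompressed_entry"]:
                    return "CorruptedCompressedFile", entry
                payload = zf.read(info)   # bounded by file_size; a CRC mismatch raises BadZipFile
                if zipfile.is_zipfile(io.BytesIO(payload)):
                    verdict, where = scan_container(payload, limits, depth + 1, deadline, entry)
                    if verdict != "clean":
                        return verdict, where
    except zipfile.BadZipFile:
        return "CorruptedCompressedFile", path
    return "clean", path


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_nested(levels):
    """'Zip of Death' sample: one small file wrapped in `levels` zip layers."""
    data = make_zip({"payload.txt": b"hello"})
    for i in range(levels - 1):
        data = make_zip({f"level{i}.zip": data})
    return data


def make_expansion(megabytes):
    """'Zip expansion' sample: a run of zeros that deflates to almost nothing."""
    return make_zip({"zeros.txt": bytes(megabytes * 1024 * 1024)})


if __name__ == "__main__":
    print(scan_container(make_nested(5)))   # ('clean', 'root.zip')
    print(scan_container(make_nested(6)))   # ('ExceedinglyNested', 'root.zip/level4.zip/.../level0.zip')
    tight = dict(LIMITS, max_uncompressed_entry=4 * 1024 * 1024)
    bomb = make_expansion(8)
    print(len(bomb), scan_container(bomb, tight))   # a few KB on the wire, refused before inflating
```

Two points the slides make are visible here: setting the nesting limit to 0 lets a 1,000-deep archive walk the whole way down, and the scan-time deadline is one budget for the whole container rather than per member, so a slow archive cannot extend its own allowance by nesting.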

31
Agenda
  • Performance Bias Settings
  • Engine Bias Settings
  • SMTP Scan Job
  • Realtime Scan Job

32
Performance Bias Settings
  • The Bias setting controls how many engines are
    applied to each message
  • Max Certainty uses all engines (100%)
  • Favor Certainty uses 75% of available engines
  • Neutral uses approximately 50% of available
    engines
  • Favor Performance uses 25% of available engines
  • Max Performance uses one engine for every scan

33
Performance Bias Settings
  • Engine selection is based on engine performance
    rankings, last signature update time and
    occasional round-robin
  • Additional notes about Engine Bias
  • When using Max Certainty, all mail will be queued
    while a scan engine is being updated
  • This is because Max Certainty requires all
    engines to scan each mail
  • If you wish to continue scanning during engine
    updates, set to Favor Certainty
  • Keep in mind that the engine being updated will
    not scan mail during the update cycle
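
An added example (not Antigen's own engine scheduler) of what the Bias setting and the queuing note above imply: engines are picked per message from the set that is not mid-update, in the proportions given on the previous slide, and a Max Certainty scan queues as soon as any engine is updating. The Engine class, the rank and timestamp values, the ceiling rounding of the percentages and the rotation offset that stands in for the occasional round-robin are all assumptions of this example; the engine names are the ones listed on slide 3.

```python
import math
from dataclasses import dataclass

# Share of available engines used per Bias setting, from the slide above.
# Max Performance is "one engine for every scan" rather than a percentage.
BIAS_SHARE = {
    "Max Certainty": 1.0,
    "Favor Certainty": 0.75,
    "Neutral": 0.5,
    "Favor Performance": 0.25,
    "Max Performance": None,
}


@dataclass
class Engine:
    name: str
    rank: int            # performance ranking, 1 = fastest (assumed scale)
    last_update: int     # epoch seconds of the last signature update (assumed)
    updating: bool = False


class QueueMail(Exception):
    """Raised when the message must wait for an engine update to finish."""


def select_engines(engines, bias, rotation=0):
    """Pick the engines that will scan the next message under `bias`.

    `rotation` models the occasional round-robin offset; 0 keeps strict
    ranking. Returns engine names in scan order.
    """
    share = BIAS_SHARE[bias]
    available = [e for e in engines if not e.updating]
    if not available:
        raise QueueMail("no engine online")
    if share == 1.0:
        # Max Certainty needs every engine, so mail queues while any one updates.
        if len(available) < len(engines):
            busy = ", ".join(e.name for e in engines if e.updating)
            raise QueueMail(f"{busy} updating")
        return [e.name for e in engines]
    count = 1 if share is None else max(1, math.ceil(share * len(available)))
    # Fastest engines first, freshest signatures as the tie-break, then rotate.
    ranked = sorted(available, key=lambda e: (e.rank, -e.last_update))
    k = rotation % len(ranked)
    ranked = ranked[k:] + ranked[:k]
    return [e.name for e in ranked[:count]]


# Constructed engine table: the names are the engines on slide 3, the
# ranks and timestamps are arbitrary sample values for this example.
ENGINES = [
    Engine("Kaspersky", 2, 1000),
    Engine("Norman", 3, 1100),
    Engine("Sophos", 1, 900),
    Engine("VirusBuster", 4, 1200),
    Engine("AhnLab", 6, 1000),
    Engine("Authentium", 5, 1000),
    Engine("CA InoculateIT", 7, 950),
    Engine("CA VET", 8, 950),
]


def with_updating(engines, name):
    """Copy of the table with one engine flagged as mid-update."""
    return [Engine(e.name, e.rank, e.last_update, e.updating or e.name == name)
            for e in engines]


if __name__ == "__main__":
    print(select_engines(ENGINES, "Neutral"))          # 4 of 8 engines
    busy = with_updating(ENGINES, "Kaspersky")
    print(select_engines(busy, "Favor Certainty"))     # 6 of the 7 still online
    try:
        select_engines(busy, "Max Certainty")
    except QueueMail as why:
        print("queued:", why)                          # queued: Kaspersky updating
```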

34
Performance Bias Settings: SMTP Scan Job
  • Best practice is to provide maximum scanning
    protection at the SMTP scan job
  • Configure Bias to Max Certainty if possible
  • If necessary, increase the number of available
    processes (scanning threads) through the registry
    setting
  • HKLM\Software\Sybari Software\Antigen for Exchange
  • Set InternetProcessCount between 2 and 8
  • Proceed gradually and with caution! Settings
    above 4 are very rare.
  • Each process consumes memory

35
Performance Bias Settings: Realtime Scan Job
  • Best security practice is to provide maximum
    scanning protection at every level
  • Realistically, lower settings are used at the
    store
  • Configure Bias to Neutral and monitor performance
  • If necessary, increase the number of available
    processes (scanning threads) through the registry
    setting
  • HKLM\Software\Sybari Software\Antigen for Exchange
  • Set RealtimeProcessCount between 2 and 4
  • Proceed gradually and with caution!

36
Agenda
  • Automated Engine Updates
  • Updating the server
  • Engine update process on the server
  • Rapid Update engine packaging

37
Scan Engine: Updating the server
  • Timely scan engine updating is critical to
    successful antivirus protection
  • All engines are packaged into Antigen format and
    provided by Microsoft
  • They are not downloaded from the engine vendors
  • Scan engine Adapters provide a single interface
    into Antigen and handle engine-specific behaviors
  • Antigen automatically polls for engine updates
  • Administrator sets the polling interval
  • Every 15 minutes is the shortest interval
  • Each engine has its own schedule
  • Administrator can manually initiate an engine
    update

38
Scan Engine: Updating the server
  • Updates can be retrieved via HTTP or FTP directly
    by the Antigen server
  • For multi-server environments
  • One Antigen server can download and others can
    pull updates via UNC share
  • Sybari Enterprise Manager provides point of
    download and distribution for multiple servers
  • Single point of management

39
Scan Engine: Engine update process on the server
  • Single updating mechanism for all engines
  • New engine package downloaded to server
  • Package expanded
  • Engine tested with EICAR test virus
  • Current engine taken offline
  • New engine swapped in
  • New engine brought online

40
Scan Engine Updating: Rapid Update engine packaging
  • Automated engine update posting process
  • Poll engine vendor website for update
  • Download vendor engine package
  • Expand vendor engine package
  • Create Antigen Engine Update package containing
    Antigen engine adapter
  • Run automated test with a set of viruses
  • Post to Sybari/Microsoft website
  • Send engine update notifications

41
Agenda
  • File Filtering
  • Overview
  • Setting up file filters
  • File filter actions
  • File filtering behavior with ZIP files
  • Tips

42
File Filtering: Overview
  • A key part of any mail protection strategy
  • File filtering proactively blocks a specific
    range of potentially dangerous file types whether
    or not a signature exists
  • Suggested files to block EXE, COM, PIF, SCR,
    VBS, SHS, CHM and BAT
  • Some users will block the same file types that
    are blocked by Outlook 2003, a much longer list
  • See Outlook online help for list

43
File Filtering: Setting up file filters
  • Antigen blocks by extension and by true file type
  • The filter can't be fooled by a simple change of
    extension
  • Each is configured differently
  • Use *.exe with file type All Types to block
    anything named *.exe
  • Use *.* with file type EXEFILE to block any
    executable file no matter what it is named

44
File Filtering: Setting up file filters
  • Search for specific files by name, e.g.
    resume.doc
  • Wildcards supported, e.g. resume*.doc
  • Each * represents 250 characters
  • File filters can be Inbound or Outbound
  • <in>*.exe, <out>*.doc
  • Files can be blocked based on size, and on
    size/name/type/direction combinations
  • <in>*.mp3>2mb
  • <out>*.mp3>5mb
  • <in>*.*>10mb
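
The filter syntax on this slide and the extension-versus-true-type distinction on the previous one, as an added example that is not Antigen's own parser: a rule string such as <in>*.mp3>2mb is split into direction, name pattern and size threshold, and a magic-number check stands in for Antigen's true-file-type detection so that a renamed executable is still caught. The FileFilter class, the MAGIC table, the reading of each * as up to 250 characters, the Skip/Delete action names and the sample rule list are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "True file type" stand-in: a few magic numbers mapped to Antigen-style type
# names. The names follow the slides; the signature table is this example's own.
MAGIC = (
    (b"MZ", "EXEFILE"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "DOCFILE"),   # OLE2 structured storage
    (b"PK\x03\x04", "ZIPFILE"),
)
SIZE_UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
# <in>*.mp3>2mb : optional direction, name pattern, optional ">size" threshold
RULE_RE = re.compile(r"^(?:<(in|out)>)?([^<>]+?)(?:>(\d+)(kb|mb|gb))?$", re.IGNORECASE)


def true_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "UNKNOWN"


def glob_to_regex(pattern: str):
    """Antigen name pattern -> regex; each '*' covers up to 250 characters (assumed)."""
    parts = [".{0,250}" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class FileFilter:
    pattern: str
    file_type: str = "ALL TYPES"      # or EXEFILE, DOCFILE, ...
    direction: Optional[str] = None   # 'in', 'out' or None for both
    min_size: int = 0                 # bytes; 0 = any size
    action: str = "Delete"

    def matches(self, name: str, data: bytes, direction: str) -> bool:
        if self.direction and self.direction != direction:
            return False
        if not glob_to_regex(self.pattern).match(name):
            return False
        if self.file_type != "ALL TYPES" and true_type(data) != self.file_type:
            return False
        return len(data) > self.min_size if self.min_size else True


def parse_filter(spec: str, file_type="ALL TYPES", action="Delete") -> FileFilter:
    m = RULE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad file filter: {spec!r}")
    direction, pattern, num, unit = m.groups()
    size = int(num) * SIZE_UNITS[unit.lower()] if num else 0
    return FileFilter(pattern, file_type.upper(),
                      direction.lower() if direction else None, size, action)


def first_action(filters, name: str, data: bytes, direction: str):
    """Action of the first matching filter, or None when the attachment passes."""
    for f in filters:
        if f.matches(name, data, direction):
            return f.action
    return None


# Sample rule list built from the two slides (constructed ordering and actions).
FILTERS = [
    parse_filter("*.*", file_type="EXEFILE"),       # any executable, whatever it is named
    parse_filter("*.exe"),                          # anything named .exe, whatever it contains
    parse_filter("<in>*.mp3>2mb"),
    parse_filter("<out>*.mp3>5mb"),
    parse_filter("<in>*.*>10mb", action="Skip"),    # log only: Skip is not a secure setting
]


if __name__ == "__main__":
    # A renamed executable is caught by true type; the inbound mp3 by size.
    print(first_action(FILTERS, "notes.txt", b"MZ\x90\x00", "in"))           # Delete
    print(first_action(FILTERS, "song.mp3", bytes(3 * 1024 * 1024), "in"))   # Delete
    print(first_action(FILTERS, "song.mp3", bytes(3 * 1024 * 1024), "out"))  # None
```

The point of the first two rules is the one the previous slide makes: *.exe with All Types matches on the name only, so an EXE renamed to notes.txt slips past it, while *.* with EXEFILE matches on content and catches it regardless of name.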

45
File Filtering: Actions
  • Every filter or filter list can have a separate
    action applied, offering great flexibility
  • Skip: detect only. Logs the event but does not
    block or alter the message
  • Not a secure setting!
  • Useful for monitoring and discovery purposes
  • Allows for pre-testing of new rules without end
    user impact
  • Delete: remove contents. Removes the attachment
    only and replaces it with the customized deletion
    text

46
File Filtering: Actions
  • Purge: eliminate message. Deletes both the
    attachment and the message body
  • End user receives nothing
  • Identify: tag message. Inserts text into the subject
    line, inserts text into the message header, or
    applies an SCL rating to the message
  • Note: only one subject line or header text phrase
    is available for all filters, e.g. spam, keyword,
    file, etc.
  • An SCL rating would route the message to the Junk
    E-Mail folder, not very useful for file filtering

47
File Filtering: ZIP file behavior
  • Antigen will scan within ZIP and other compressed
    formats, delete only the offending file and
    then repackage the ZIP

(Diagram: the container file before the scan, and after it with the offending member replaced by the custom deletion text)
48
File Filtering: Archive types supported
  • Antigen navigates the following archive types
  • PKZip (.zip)
  • Java archive (.jar)
  • GNU Zip (.gzip)
  • TNEF (winmail.dat)
  • Structured Storage (.doc)
  • MIME (.eml)
  • SMIME (.eml)
  • UUEncode (.uue)
  • Unix Tape Archive (.tar)
  • RAR archive (.rar)

49
File Filtering: Tips
  • When creating file filters, more specific is more
    efficient
  • For example, to log resume.doc files
  • Creating a filter for resume.doc with a file type
    of DOCFILE is more efficient
  • Creating a filter for resume.doc with a file type
    of ALL TYPES is less efficient

50
Agenda
  • Spam Scanning
  • Overview
  • Detection methods
  • SpamCure engine
  • Junk Mail folders
  • SpamCure and IMF together

51
Spam Scanning: Overview
  • Uses the SpamCure engine from Mail-Filters
  • A signature-based engine with highly accurate
    detection
  • Updates approximately once every 30 minutes
  • Scans only at the SMTP layer on inbound messages
  • Does not scan the store
  • Does not scan outbound or internal email

52
Spam Scanning: Detection Methods
  • Multiple spam detection methods available
  • SpamCure engine: the primary method
  • RBL lists: support for multiple external RBLs
  • Message Body Keywords: used more for policy
    management, not very effective for spam
  • Mailhost filtering: blocking based on domain and
    IP as found in the email header. A manual
    process, work intensive and reactive
  • Sender/Domain filtering: blocking based on email
    sender or domain
  • Filters on both display name and SMTP address, in
    that order

53
Spam Scanning: SpamCure Engine
  • STAR Engine (Spam Tricks Analysis and Response)
  • Spammer tricks are identified and neutralized
  • The STAR engine removes the comments, so the
    normalized message can be matched against
    signatures
  • Bullet Signature Database: human editors create
    small, targeted signatures
  • Based on specific, unique characteristics of a
    message
  • Such as a URL, phone number or specific text string
  • Targets the spammer
  • Bullets don't catch just one spam message, they
    catch multiple spam from the same spammer
  • A new signature is not required for each new spam
    message

(Diagram: an obfuscated URL written as www.con<random-comments>to<comments>so.com is normalized back to www.contoso.com before signature matching)
54
Spam Scanning: Junk Mail folders
  • Two Junk Mail folder options
  • ASM Junk Mail folder, created within each user's
    Inbox
  • End user Block and Approve tools
  • Can be created in Exchange 5.5, 2000 and 2003
  • Support for SCL rating allows use of Exchange
    2003 UCE features along with the Outlook 2003 Junk
    E-Mail folder
  • ASM applies only two SCL ratings
  • Spam: 9
  • Not spam: 0

55
ASM and IMF together
  • On the same server, IMF scans before ASM
  • Each applies an SCL rating; the higher rating
    always wins (i.e. has more confidence)
  • Mail that is rejected, deleted or archived by IMF
    will not make it to ASM
  • Example: IMF archives SCL 7, 8 and 9

(Diagram: IMF rates the message first; SCL 7, 8 or 9 is archived by IMF, SCL 0-6 goes on to ASM, which sets Spam to 9, and then to the mail store; a separate branch covers the case where the admin moves an archived message)