AntiMalware Protection: A Technical Dive into Forefront Client Security PowerPoint PPT Presentation

1
Anti-Malware Protection: A Technical Dive into Forefront Client Security
  • Ketil Pedersen
  • Technology Specialist Manager
  • Microsoft

2
Forefront & System Center
IT Security
  • Client Security
  • Application Server Security
  • Network Edge Security
  • Secure Remote Access
IT Management
  • Change & Configuration Management
  • Backup & Recovery
  • Virtual Machine Management
  • Systems Monitoring

Common Management Infrastructure Platform
Simplified
Productive
Integrated
3
Agenda
  • The Current Security Environment
  • What Is Forefront Client Security?
  • Demo
  • Technical Review of
    • Unified Protection
    • Simplified Administration
    • Critical Visibility & Control
  • Availability
  • Closing remarks

4
Increasingly Challenging Security Environment
  • 43,000: new backdoor Trojan variants found in 1H 2006
  • 50%: of infected computers contained at least one backdoor Trojan (1)
  • 20%: of computers cleaned were infected with a mass-mailing worm (2)
  • 10: programs detected worldwide represent 28% of Potentially Unwanted Software removals (3)
  • Get the Microsoft Security Intelligence Report January-June 2006 at www.microsoft.com/technet/Security/default.mspx

Sources: (1) MSRT in 1H 2006; (2) MSRT and Windows Live OneCare in 1H 2006; (3) Windows Defender in 1H 2006

5
What Is Forefront Client Security? Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control
  • One solution for spyware and virus protection
    • Built on protection technology used by millions worldwide
    • Effective threat response
    • Complements other Microsoft security products
  • One console for simplified security administration
    • Define one policy to manage client protection agent settings
    • Deploy signatures and software faster
    • Integrates with your existing infrastructure
  • One dashboard for visibility into threats and vulnerabilities
    • View insightful reports
    • Stay informed with state assessment scans and security alerts

6
Demo Forefront Client Security in Action
7
Architecture
8
Unified Protection: Secure against a broad range of threats
  • Unified agent for virus and spyware protection
    • Common engine used by Windows Defender, OneCare, Forefront Server Security
  • On-access protection via kernel mode mini-filter
    • Built on Windows Filter Manager platform
    • Malware prevented from executing entirely (anti-virus and anti-spyware)
  • User mode scanning
    • System Configuration, IE Add-ons Configuration
    • IE and Office downloads
    • Services & drivers
    • App execution & registration
  • Scheduled and on-demand scans
    • Quick scan: in-memory processes, targeted directories, common malware extensibility points
    • Full scan: Quick scan + local drives

9
Unified Protection: Secure against a broad range of threats
  • Agent behavior manageable by IT administrator
    • Flexible scan scheduling (time interval based)
    • Signature update frequency, roaming user fail-over
    • Exclusions: file extensions, directories
    • Signature overrides
      • By specific malware
      • By malware category
  • Local end-user interface
    • Policy aware, i.e. locked-down settings will be grayed out
    • Lockdown user interface completely
    • SpyNet reporting
  • Compatible with Windows Security Center and Vista NAP
    • Anti-virus and anti-spyware status on/off and signatures up-to-date

10
Unified Protection: Secure against a broad range of threats
  • Research & response organization delivers malware signatures for
    • Forefront Client Security, Forefront Server Security, Windows Live OneCare, Windows Defender, Malicious Software Removal Tool (MSRT)
    • Currently protecting millions of systems
  • Research team uses multiple data sources to identify threats
    • Released products: Windows Defender, OneCare, MSRT, etc.
    • Other sources: PSS, Hotmail, web crawling, customer submissions
    • Partnerships with industry
  • Top priority is responding to active threats in the wild
  • Automation in analysis: automatic malware submission storage and retrieval, resolving of duplicate submissions, prioritization of sample analysis
  • Building out global 24x7 organization (US, Europe, Asia Pacific)
  • Industry certifications (OneCare currently, expect same for FCS)
    • ICSA Labs, West Coast Labs

11
Simplified Administration: Client deployment options
  • FCS client installation optimized for Microsoft Update (MU) and Windows Server Update Services (WSUS)
    • FCS client package is published on MU
    • WSUS syncs with MU and downloads the FCS client package
    • Administrator configures and deploys FCS client policy
    • Client syncs with WSUS, downloads, installs and applies policy
    • Reporting in WSUS and FCS
  • Can also use SMS, MOM, logon scripts, Group Policy and any software distribution system

Diagram: Malware Research → Microsoft Update → WSUS / Update Assistant → Deploy Client Policy → Desktops, Laptops and Servers
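The WSUS side of the deployment flow described on this slide, as an added example that is not code from the presentation or from Microsoft: approve the synchronised FCS client package for a pilot computer group and read back the per-group install summary, scripted against the WSUS 3.0 administration API (Microsoft.UpdateServices.Administration). The target group name "FCS Pilot" and the title search string are assumptions for illustration.

```powershell
# Added example, not from the presentation or the FCS product: approve the FCS
# client package in WSUS for a pilot group and read back the install summary,
# using the WSUS 3.0 administration API (Microsoft.UpdateServices.Administration).
# Assumptions: runs on the WSUS server as a WSUS administrator, the package
# title published on Microsoft Update contains "Forefront Client Security",
# and a computer target group named "FCS Pilot" (hypothetical) already exists.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Pilot first: approving for a small group limits the impact if the package misbehaves
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq "FCS Pilot" }
if (-not $group) { throw "Computer target group 'FCS Pilot' not found" }

# Locate the FCS client package that WSUS synchronised from Microsoft Update
$updates = $wsus.SearchUpdates("Forefront Client Security")
if ($updates.Count -eq 0) { throw "No FCS client package found; run a WSUS synchronisation first" }

foreach ($u in $updates) {
    if ($u.IsDeclined) { continue }
    # Some packages carry a EULA that must be accepted before approval
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
    Write-Host "Approved '$($u.Title)' for install on group '$($group.Name)'"

    # Reporting side: per-group installation status as reported back by clients
    $s = $u.GetSummary($group)
    Write-Host ("  installed={0} pending={1} failed={2} unknown={3}" -f `
        $s.InstalledCount, $s.NotInstalledCount, $s.FailedCount, $s.UnknownCount)
}
```

Run it after a WSUS synchronisation has completed; the summary counts only become meaningful once pilot clients have checked in against the new approval, which is the point at which the slide's "Reporting in WSUS and FCS" step applies.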
12
Simplified Administration: Client deployment options
  • One console for simplified security administration
  • One policy to manage client protection agent settings, e.g.
    • Anti-spyware unknown action
    • Alert level
    • Event and logging settings
    • SpyNet reporting on/off
    • Level of end-user UI shown
    • Scan schedule
    • Real time protection on/off
    • Signature update frequency
    • Anti-spyware signature overrides
    • Security state assessment settings
  • Choice of 3 integrated policy profile deployment methods
    • Microsoft Forefront Client Security Console (uses AD/GP)
    • ADM file (uses AD/GP)
    • Export to a file, then use existing software distribution system

13
Simplified Administration: Alerting Configuration
  • Alerts managed using MOM 2005 operator console
  • Alert configuration is policy specific
  • Alerts notify admin of high-value incidents, including:
    • Outbreak
    • Malware removal failed
    • Signature update failed
    • Malware detected and removed
    • Signature update failed (per min)
  • Alert levels control type & volume of alerts generated, from level 1 (Critical Issues Only, Low Value Assets) to level 5 (Rich Data, High Value Assets)
14
Critical Visibility & Control: Summary Report
15
Critical Visibility & Control: Security State Assessment
  • Security State Assessment Host agent
    • Performs scans based on security check definitions
    • Scans scheduled via policy or invoked on-demand
  • Security checks
    • Detect missing security updates based on Microsoft Update
    • Compare system configuration against security best practices
    • Examine data from registry, file system, WMI, IIS metabase, SQL, etc.
    • Checks updateable via Microsoft Update
  • Security State Assessment provides Score and Severity for each check
    • Score: value of the risk associated with security issues
    • Severity: value provided by MSRC for Security Updates
  • Reporting enables drilldown into specific security issues

16
Critical Visibility & Control
17
Testimonials: Over 85,000 FCS public beta downloads!!!
CNET, "A Sea Change for Desktop Security" by Jon Oltsik: http://news.com.com/A+sea+change+for+desktop+security/2010-7355_3-6170199.html?tag=nefd.top
18
Testimonials: Over 85,000 FCS Public Beta downloads!!!
Quotes from customers participating in the Rapid Deployment Program:
  • "Forefront gives us the ability to easily manage our IT environment in a centralized way while giving us full reporting on the security of the entire Windows infrastructure."
    - Industry leading Retail/training/consulting firm in the US
  • "Soon after deployment, Forefront immediately began identifying spyware, malware, and viruses on our systems that our previous security solution wasn't finding. With Forefront Client Security, the IT environment is much easier to administer, particularly in terms of automatic updates."
    - Leading chemistry-based drug discovery, development and manufacturing company in the US
  • "With our Forefront solution, we're easily saving two to three person-days a year, and if the average senior consultant bills $300 an hour, that's effectively a savings of $5,000 to $8,000 a year. Switching to Forefront has simplified our processes significantly. We have a full security implementation that is easier to manage and maintain."
    - IT consulting firm

19
Availability
  • Public beta available now!
  • Download at www.microsoft.com/clientsecurity
  • Community-based support at www.microsoft.com/technet/clientsecurity
  • Release To Manufacture planned for Q2 CY2007
  • Will be available through Microsoft's volume licensing programs

20
Summary
  • Unified Virus & Spyware Protection
  • Simplified Administration
  • Critical Visibility & Control
  • An integral part of Microsoft Forefront
  • Visit http://www.microsoft.com/infrastructure
    • Learn more about how Forefront Client Security fits in the Forefront & System Center solution
    • Download beta/evaluation software

"When ESG surveyed respondents in December 2006, 8% of organizations were already evaluating Microsoft Forefront client while another 35% said they would do so in 2007." - CNET, "A Sea Change for Desktop Security" by Jon Oltsik