Deploying AntiVirus Solutions For Exchange - PowerPoint PPT Presentation

1 / 54

About This Presentation

Title:

Deploying AntiVirus Solutions For Exchange

Description:

Norton AntiVirus Evaluator's Guide, Symantec Corporation. ... Symantec Norton Antivirus (NAV) for Exchange. Trend Micro ScanMail for Exchange ... – PowerPoint PPT presentation

Number of Views:487

Avg rating:3.0/5.0

Slides: 55

Provided by: emor5

Category:

more less

Transcript and Presenter's Notes

Title: Deploying AntiVirus Solutions For Exchange

1
Deploying Anti-Virus Solutions For Exchange
Evan Morris MCSE MCT ASEMessaging
Collaboration Business UnitCompaq Computer
Corporation
2
(No Transcript)
3
Contents

Introduction Virus Problem
AV Product Overviews
Deployment Issues
Performance Testing
Conclusions
Future Problems Solutions

4
Section 1 Introduction

Background on Viruses
Definitions and Methods
Levels of Security
Overview of Protection
Borders of Protection
Methods of Prevention or Detection
Beyond Scope

5
Background On Viruses

Definitions
Methods of Attack
Methods of Transmission

6
Definitions

Virus
Coded, Polymorphic, Stealth
Payload
Signature
Vector
Worm
Trojan horse
Spammail

7
Methods Of Transmission
8
Morris Worm (11/2/1988)

Crippled 10 of computers on Internet
Spread via Sendmail
Computer Emergency Response Team (CERT)
First Conviction

No relation
9
Methods Of Attack
10
The Escalating War
11
Head Start
Authoring Capabilities
1996 1997 1998 1999 2000
Executables
Macro
Applet
1997 1998 1999 2000 2001
Viral Outbreaks
12
Are You At risk?

Six to nine new viruses appear every day.
We're currently finding an average of one
infected message in every 500 that we scan

Norton AntiVirus Evaluators Guide, Symantec
Corporation. President of Financial Services
Company
13
The Big Picture
Network Security
Unwanted Content
System Operations
14
NTDs

Remember, when you connect with another
computer, you're connecting to every computer
that computer has connected to.
Dennis MillerSaturday Night Live

15
Levels Of Security

None
Identification
Authentication
Authorization
Privacy
Integrity
Guardianship

16
Overview Of Protection

Borders of Protection
Methods of Prevention
Beyond Scope

17
Borders Of Protection
Your Organization
Network Server

Tier 1 Client Desktops
Tier 2 File Application Servers
Tier 3 Firewalls Gateways

Internet
Point of Entry
Point of Entry
Gateway/ Firewall
E-mail SMTP relay
Point of Entry
18
Methods Of Prevention And Detection

Scanning
Content Filtering
Blocking
Demo
Code Execution
Policies and Procedures
User Education
Being Prepared

19
Beyond Scope

Blocking
IP address and URL blocking
Code Blocking Deny Attachments
Code Execution
Execute Code on Isolated Machine
File Server Protection
Client Protection

20
Section 2. Anti-Virus Products

Design / Architecture
Viral Identification
Handling Infected Files
Notification
Server Status and Monitoring
Updating Engine and Definitions
Other Features and Support Policy

21
Design / Architecture

Gateway (SMTP or IMS) Versions
Store / Mailbox Versions
Client (Outlook Based)
Sanitizers
Outsourcing Virus Scanning

22
Viral Identification

Signature
Attachment scanning
Recursive decompression
During transmission or scheduled
Heuristic
Content Filtering
Behavior

23
Infected Files And Notifications

Notifications
Word-of-Mouth
End-Users, Admins, Senior Executives
Automated
Broadcast, Paging, Reporting, E-mail
Senders, Recipients, Admin
Internal, External
AV Log or NT Event Log
Handling Infected Files
Repair, Quarantine, Removal

24
Server Maintenance

Status and Monitoring
Management Console
Service State Reporting, Alerting
Watch Utilization (PerfMon)
Updating Scanning Engine and Virus Definitions
Proxy / Firewall Issues
Scheduled Pull
Fan-out Distribution

25
Other Features And Support

Pricing and Licensing
Existing Products (e.g., desktop version)
Trade-up" pricing
Support Policy
E-mail, Web-based
Fit your time zone?
Longevity
MS Exchange Service Packs Upgrades
Future Windows 2000 Exchange 2000
Year 2000 Compliance

26
Section 3. Deployment Issues

Design and Hardware Issues
Example Deployment Scenario

27
Design And Hardware Issues

Mailbox or Internet Connector
System Overhead and Sizing
Processor and Memory
Disk Space (Queues)
Exchange Server Basics
Fault Tolerant Design
Disaster Recovery Plan
Monitoring and Management
Cluster Support (MSCS)
Trend Micro and Sybari

28
Example Deployment Scenario
Internet
Anti-Virus Gateway
Exchange Server
Firewall
Internet Mail Service
Virus Source
NT Domains
Mailbox Server
Mail Client
29
Section 4. Testing

Test Environment
Problem Files Viruses and Other
Products Tested Mailbox Server, Mail Client
and SMTP / IMS Gateway
Results
Effectiveness
Performance and Load Impact
Product Design and Usability

30
Problem Files And Tests

VIRUSES
Worm.Explorer
Macro Virus
Disguised Virus
Zip in Embedded Message
Acknowledge ZIP
Encrypted ZIP

PROBLEM FILES Zero Byte .COM Empty ZIP file
TESTS AV Service starting Digital Signature
Encrypted To Uninitialized Mailbox Delayed
Send With Invalid Return Address Embedded in
Outlook Form To Distribution List
To Public Folder via Post To Public Folder via
SMTP address Drag Drop File to Public
Folder Exchange Settings Private .PST as
delivery (Client logged on) Invalid Address
(create NDR) Invalid Address (NDR) with valid
CC Message in Sent Items
31
Products Tested

Mailbox Server Versions
Content Technologies (Integralis) MAILSweeper for
Exchange
NEMX Anti Virus for MS Exchange
NAI (Network Associates) Groupshield
Sybari Antigen for Exchange
Symantec Norton Antivirus (NAV) for Exchange
Trend Micro ScanMail for Exchange
Not Tested McAfee, Cheyenne, Dr. Solomon

32
Products Tested

Internet Gateway Versions
Sybari Antigen for Exchange
Symantec Norton Antivirus for Gateways
Trend Micro InterScan E-Mail VirusWall
Outlook Client Versions
NEMX Anti Virus for Outlook
NAI (Network Associates) Groupshield
Trend Micro ScanMail for Outlook

33
Test Environment

Compaq ProLiant 7000s
NT4 EE SP5 Exchange 5.5 SP2 ? SP3
Limited to 2 CPU Xeon 400 (1 MB Cache) and 1 GB
RAM
Mailbox Server
1500 Users / Server (LoadSim 2L2M1H)
3100ES RAID Controller

34
Test Procedure

Settings
Scan All Attachments Types, Notify Sender, Admin
and Recipient, Repair if possible, Quarantine if
Not
Detection
Start AV Service, send virus
Performance and Detection
Run LoadSim Normal Load
MailStorm Push to Bottleneck
1, 2, 4 CPUs and 512 MB and 1 GB RAM

35
Results
36
Results

Detection Rates
Performance Measures
User Response (LoadSim)
PerfMon Counters
Processor Time Total
Processor Time AV Processes
Memory Used AV Processes
Disk Usage and Queue Length
Message Delivery Times
Queues AV, IMC, PRIV, PUB

37
Performance Trade-Offs
Processing (CPU RAM)
Disk Queues
User Response
38
The Ideal Product

Design / Architecture
Installation and Usability
Viral Identification (Effectiveness)
Load Impact and Performance
Handling Infected Files
Notification and Reporting
Updates
Server Status and Monitoring
Vendor Support Policy

39
The Ideal Product

Design / Architecture Sybari Antigen
Mailbox and IMC Product
ESE, Store and Attachments Table
Existing Public Folder Hierarchy
Installation and Usability
Remote Install and Admin ?
Antigen and Trend Micro ScanMail Choice of HTML
or GUI interface (fixed size)
NEMX NAI Groupshield In Exchange Admin

40
The Ideal Product

Effectiveness Sybari Antigen
IS/IMC Dependent on Antigen Service
Test Start AV Service under load
Highest Score 20/23
Passed All PST, NDR, Public Folder tests
Choice of Engines Rollback
Scan IMC Queues for filename
IMC Trend Micro VirusWall (IMC only)
Client NAI Groupshield (Form based) and NEMX

Note All fail encrypted message test
41
The Ideal Product

Load Impact and Performance
Content Managers Trend Micro eManager and
Content Technologies MAILSweeper
Filename Blocking Antigen (RegKey)
Scheduled Scan ScanMail (Incremental)
Handling Infected Files
Quarantine Hierarchy (vs. flat)
Backing up file before repair ScanMail

42
The Ideal Product

Notification and Reporting
NT Event log NAV logs Encrypted files
Internal vs. External Antigen
Outbreak Alert ( / hr x) ScanMail

43
The Ideal Product

Server Status and Monitoring
PerfMon Objects Antigen and ScanMail
Console ScanMail Enterprise Monitor
Updates Antigen, ScanMail, NAV
Isolated subnet
Automated
Hub and Spoke Network Source
Support Content Technologies, Sybari
Establish relationship

44
Section 5. Conclusions

Levels of Protection
Level 3 Point of Entry
Level 2 Points of Access
Level 1 Zero Tolerance

45
Level 3Point of Entry

AV Scanner on Gateway
Exchange IMC
AV Relay Box
Outsourced
Corporate Security Policy
Education Procedures
Minimal Protection

46
Level 2Points of Access

Real-time Mailbox Scanning
Corporate Security Policy
Education Procedures
Optional
AV Scanner on Gateway
Content Filtering
Scheduled Mailbox Cleaning

47
Level 1Zero Tolerance

Content Filtering
Code Blocking or Execution
AV Scanner on Gateways
Real-time Mailbox Scanning
Corporate Security Policy
Education Procedures
Optional
Scheduled Mailbox Cleaning

48
Section 6. Future Problems And Future Solutions

New Viral Types and New Tools
New Methods and Procedural Changes
Increased Security
Staying Informed

49
New Viral Types And Tools

We will be releasing tools at DEF CON or in the
near future which we believe will provide a much
more robust method of protecting your system than
what the AV vendors can do today.
Tweety Fish,Cult of the Dead Cow

50
Levels of Security
51
New Methods And Procedural Changes