Title: Deploying AntiVirus Solutions For Exchange
1 Deploying Anti-Virus Solutions For Exchange
Evan Morris, MCSE MCT ASE
Messaging & Collaboration Business Unit, Compaq Computer Corporation
3 Contents
- Introduction / Virus Problem
- AV Product Overviews
- Deployment Issues
- Performance Testing
- Conclusions
- Future Problems & Solutions
4 Section 1. Introduction
- Background on Viruses
- Definitions and Methods
- Levels of Security
- Overview of Protection
- Borders of Protection
- Methods of Prevention or Detection
- Beyond Scope
5 Background On Viruses
- Definitions
- Methods of Attack
- Methods of Transmission
6 Definitions
- Virus
  - Coded, Polymorphic, Stealth
- Payload
- Signature
- Vector
- Worm
- Trojan horse
- Spam mail
7 Methods Of Transmission
8 Morris Worm (11/2/1988)
- Crippled 10% of computers on the Internet
- Spread via Sendmail
- Computer Emergency Response Team (CERT)
- First Conviction
No relation
9 Methods Of Attack
10 The Escalating War
11 Head Start
[Chart: Authoring Capabilities (Executables, Macro, Applet), 1996-2000, against Viral Outbreaks, 1997-2001]
12 Are You At Risk?
- Six to nine new viruses appear every day.
- "We're currently finding an average of one infected message in every 500 that we scan."
Sources: Norton AntiVirus Evaluator's Guide, Symantec Corporation; President of a Financial Services Company
13 The Big Picture
[Diagram: Network Security, Unwanted Content, System Operations]
14 NTDs
- "Remember, when you connect with another computer, you're connecting to every computer that computer has connected to." - Dennis Miller, Saturday Night Live
15 Levels Of Security
- None
- Identification
- Authentication
- Authorization
- Privacy
- Integrity
- Guardianship
16 Overview Of Protection
- Borders of Protection
- Methods of Prevention
- Beyond Scope
17 Borders Of Protection
[Diagram: Your Organization (Network Server) behind the Gateway / Firewall and the E-mail SMTP relay, facing the Internet; each of these is marked as a Point of Entry]
- Tier 1: Client Desktops
- Tier 2: File & Application Servers
- Tier 3: Firewalls & Gateways
18 Methods Of Prevention And Detection
- Scanning
- Content Filtering
- Blocking
- Demo
- Code Execution
- Policies and Procedures
- User Education
- Being Prepared
19 Beyond Scope
- Blocking
  - IP address and URL blocking
  - Code Blocking (Deny Attachments)
- Code Execution
  - Execute Code on Isolated Machine
- File Server Protection
- Client Protection
20 Section 2. Anti-Virus Products
- Design / Architecture
- Viral Identification
- Handling Infected Files
- Notification
- Server Status and Monitoring
- Updating Engine and Definitions
- Other Features and Support Policy
21 Design / Architecture
- Gateway (SMTP or IMS) Versions
- Store / Mailbox Versions
- Client (Outlook Based)
- Sanitizers
- Outsourcing Virus Scanning
22 Viral Identification
- Signature
  - Attachment scanning
  - Recursive decompression
  - During transmission or scheduled
- Heuristic
  - Content Filtering
  - Behavior
23 Infected Files And Notifications
- Notifications
  - Word-of-Mouth
    - End-Users, Admins, Senior Executives
  - Automated
    - Broadcast, Paging, Reporting, E-mail
    - Senders, Recipients, Admin
    - Internal, External
    - AV Log or NT Event Log
- Handling Infected Files
  - Repair, Quarantine, Removal
24 Server Maintenance
- Status and Monitoring
  - Management Console
  - Service State Reporting, Alerting
  - Watch Utilization (PerfMon)
- Updating Scanning Engine and Virus Definitions
  - Proxy / Firewall Issues
  - Scheduled Pull
  - Fan-out Distribution
25 Other Features And Support
- Pricing and Licensing
  - Existing Products (e.g., desktop version)
  - "Trade-up" pricing
- Support Policy
  - E-mail, Web-based
  - Fit your time zone?
- Longevity
  - MS Exchange Service Packs & Upgrades
  - Future: Windows 2000 / Exchange 2000
  - Year 2000 Compliance
26 Section 3. Deployment Issues
- Design and Hardware Issues
- Example Deployment Scenario
27 Design And Hardware Issues
- Mailbox or Internet Connector
- System Overhead and Sizing
  - Processor and Memory
  - Disk Space (Queues)
- Exchange Server Basics
  - Fault Tolerant Design
  - Disaster Recovery Plan
  - Monitoring and Management
- Cluster Support (MSCS)
  - Trend Micro and Sybari
28 Example Deployment Scenario
[Diagram: Internet, Virus Source, Firewall, Anti-Virus Gateway, Exchange Server with Internet Mail Service, NT Domains, Mailbox Server, Mail Client]
29 Section 4. Testing
- Test Environment
- Problem Files: Viruses and Other
- Products Tested: Mailbox Server, Mail Client and SMTP / IMS Gateway
- Results
  - Effectiveness
  - Performance and Load Impact
  - Product Design and Usability
30 Problem Files And Tests
- Viruses
  - Worm.Explorer
  - Macro Virus
  - Disguised Virus
  - Zip in Embedded Message
  - Acknowledge ZIP
  - Encrypted ZIP
- Problem Files
  - Zero Byte .COM
  - Empty ZIP file
- Tests
  - AV Service starting
  - Digital Signature
  - Encrypted
  - To Uninitialized Mailbox
  - Delayed Send With Invalid Return Address
  - Embedded in Outlook Form
  - To Distribution List
  - To Public Folder via Post
  - To Public Folder via SMTP address
  - Drag & Drop File to Public Folder
  - Exchange Settings: Private .PST as delivery (Client logged on)
  - Invalid Address (create NDR)
  - Invalid Address (NDR) with valid CC
  - Message in Sent Items
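The signature-based identification of slide 22 (attachment scanning with recursive decompression) and the problem files above (zero-byte .COM, empty ZIP, encrypted ZIP, disguised executables, archives inside archives) can be exercised together. The following Python is an added example written for this page, not code from the presentation or from any product it names; the signature pattern, the blocked-extension list, the nesting and size limits, and every sample attachment are constructed for the demonstration, and no real malware is involved.

```python
import io
import zipfile

# Constructed signature database; a real engine holds tens of thousands.
SIGNATURES = {b"CONSTRUCTED-TEST-VIRUS-PATTERN": "Test.Constructed"}
# Constructed filename blocking list; site policy decides the real one.
BLOCKED_EXTENSIONS = {".exe", ".com", ".vbs", ".scr", ".bat"}
MAX_DEPTH = 3                  # archives nested deeper than this are not opened
MAX_MEMBER_BYTES = 10_000_000  # cap on the declared decompressed size of a member
INFORMATIONAL = {"empty-file", "empty-archive"}  # findings that do not block delivery


def blocked_filename(name):
    """Filename blocking. Every extension segment is checked, so a disguised
    double extension such as invoice.txt.exe is caught as well as plain .exe."""
    segments = name.lower().split(".")[1:]
    return any("." + seg in BLOCKED_EXTENSIONS for seg in segments)


def scan_bytes(name, data, depth=0):
    """Scan one attachment or archive member; returns [(finding, path), ...]."""
    findings = []
    if blocked_filename(name):
        findings.append(("blocked-filename", name))
    if not data:
        # Zero-byte .COM or other empty file: nothing to scan, but record it so
        # the service neither crashes on it nor silently skips the attachment.
        findings.append(("empty-file", name))
        return findings
    for pattern, virus_name in SIGNATURES.items():
        if pattern in data:
            findings.append(("infected:" + virus_name, name))
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings.extend(scan_zip(name, data, depth))
    return findings


def scan_zip(name, data, depth):
    """Recursive decompression with a nesting limit and a size limit."""
    if depth >= MAX_DEPTH:
        return [("depth-exceeded", name)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        if not entries:
            return [("empty-archive", name)]
        for info in entries:
            path = name + "/" + info.filename
            if info.flag_bits & 0x1:
                # General-purpose bit 0 = password protected: the content cannot
                # be inspected, so report it rather than passing it through.
                findings.append(("encrypted-unscannable", path))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                # Declared size is untrusted; a real engine also stops reading
                # at the cap. This is only the cheap first check.
                findings.append(("oversize-member", path))
                continue
            findings.extend(scan_bytes(path, zf.read(info), depth + 1))
    return findings


def verdict(findings):
    """Quarantine anything infected, blocked, encrypted or over a limit."""
    actionable = [kind for kind, _ in findings if kind not in INFORMATIONAL]
    return "quarantine" if actionable else "deliver"


def scan_message(attachments):
    """{filename: bytes} -> {filename: (verdict, findings)} for one message."""
    result = {}
    for name, data in attachments.items():
        findings = scan_bytes(name, data)
        result[name] = (verdict(findings), findings)
    return result


# Constructed sample attachments; nothing below is real malware.
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """zipfile cannot write encrypted archives, so set the encryption flag bit
    in every local (offset 6) and central (offset 8) header by hand; readers
    then see password-protected entries, which is all the scanner inspects."""
    b = bytearray(zip_bytes)
    for magic, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = b.find(magic)
        while i != -1:
            b[i + offset] |= 0x01
            i = b.find(magic, i + 4)
    return bytes(b)


def build_samples():
    infected = b"MZ" + b"\x00" * 64 + b"CONSTRUCTED-TEST-VIRUS-PATTERN"
    deep = make_zip({"payload.exe": infected})
    for level in range(MAX_DEPTH):  # wrap MAX_DEPTH times: one layer too many
        deep = make_zip({"level%d.zip" % level: deep})
    return {
        "report.doc": b"quarterly figures, no code",
        "invoice.txt.exe": b"MZ" + b"\x90" * 32,  # disguised executable
        "empty.com": b"",                          # zero-byte .COM
        "empty.zip": make_zip({}),                 # empty ZIP file
        "nested.zip": make_zip({"inner.zip": make_zip({"payload.exe": infected})}),
        "locked.zip": mark_encrypted(make_zip({"payload.exe": infected})),
        "deep.zip": deep,
    }
```

Calling `scan_message(build_samples())` gives a verdict per attachment. Two design points match the deck's findings: a password-protected archive member is reported as unscannable and the message quarantined, which is the behaviour the tests found every product lacked, and the nesting cap stops an archive wrapped inside itself many times from tying up the scanning service, which matters because the store or IMC depends on that service being up.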
31 Products Tested
- Mailbox Server Versions
  - Content Technologies (Integralis) MAILSweeper for Exchange
  - NEMX Anti Virus for MS Exchange
  - NAI (Network Associates) Groupshield
  - Sybari Antigen for Exchange
  - Symantec Norton Antivirus (NAV) for Exchange
  - Trend Micro ScanMail for Exchange
- Not Tested: McAfee, Cheyenne, Dr. Solomon
32 Products Tested
- Internet Gateway Versions
  - Sybari Antigen for Exchange
  - Symantec Norton Antivirus for Gateways
  - Trend Micro InterScan E-Mail VirusWall
- Outlook Client Versions
  - NEMX Anti Virus for Outlook
  - NAI (Network Associates) Groupshield
  - Trend Micro ScanMail for Outlook
33 Test Environment
- Compaq ProLiant 7000s
- NT4 EE SP5, Exchange 5.5 SP2 → SP3
- Limited to 2 CPU Xeon 400 (1 MB Cache) and 1 GB RAM
- Mailbox Server
  - 1500 Users / Server (LoadSim 2L2M1H)
- 3100ES RAID Controller
34 Test Procedure
- Settings
  - Scan All Attachment Types, Notify Sender, Admin and Recipient, Repair if possible, Quarantine if Not
- Detection
  - Start AV Service, send virus
- Performance and Detection
  - Run LoadSim Normal Load
  - MailStorm Push to Bottleneck
  - 1, 2, 4 CPUs and 512 MB and 1 GB RAM
35 Results
36 Results
- Detection Rates
- Performance Measures
  - User Response (LoadSim)
  - PerfMon Counters
    - Processor Time Total
    - Processor Time AV Processes
    - Memory Used AV Processes
    - Disk Usage and Queue Length
  - Message Delivery Times
  - Queues: AV, IMC, PRIV, PUB
37 Performance Trade-Offs
[Diagram: Processing (CPU & RAM), Disk Queues, User Response]
38 The Ideal Product
- Design / Architecture
- Installation and Usability
- Viral Identification (Effectiveness)
- Load Impact and Performance
- Handling Infected Files
- Notification and Reporting
- Updates
- Server Status and Monitoring
- Vendor Support Policy
39 The Ideal Product
- Design / Architecture: Sybari Antigen
  - Mailbox and IMC Product
  - ESE, Store and Attachments Table
  - Existing Public Folder Hierarchy
- Installation and Usability
  - Remote Install and Admin ?
  - Antigen and Trend Micro ScanMail: Choice of HTML or GUI interface (fixed size)
  - NEMX, NAI Groupshield: In Exchange Admin
40 The Ideal Product
- Effectiveness: Sybari Antigen
  - IS/IMC Dependent on Antigen Service
  - Test: Start AV Service under load
  - Highest Score 20/23
  - Passed All PST, NDR, Public Folder tests
  - Choice of Engines, Rollback
  - Scan IMC Queues for filename
- IMC: Trend Micro VirusWall (IMC only)
- Client: NAI Groupshield (Form based) and NEMX
Note: All fail the encrypted message test
41 The Ideal Product
- Load Impact and Performance
  - Content Managers: Trend Micro eManager and Content Technologies MAILSweeper
  - Filename Blocking: Antigen (RegKey)
  - Scheduled Scan: ScanMail (Incremental)
- Handling Infected Files
  - Quarantine Hierarchy (vs. flat)
  - Backing up file before repair: ScanMail
42 The Ideal Product
- Notification and Reporting
  - NT Event log: NAV logs encrypted files
  - Internal vs. External: Antigen
  - Outbreak Alert (detections per hour above a threshold x): ScanMail
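The outbreak alert listed above fires when detections per hour pass a threshold. The following Python is an added example for this page, not ScanMail's code or the presentation's: it replays constructed AV log lines (the line format, server names and message ids are invented here) through a per-virus sliding one-hour window and raises one alert when the count in the window exceeds the threshold, re-arming only after the count has fallen back so a single outbreak does not page the administrator on every further detection.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed AV log extract; format, servers and message ids are invented.
SAMPLE_LOG = """\
1999-06-10 09:01:12 MBX01 DETECT virus=Worm.Explorer msgid=<c1@example.com> action=quarantine
1999-06-10 09:03:00 MBX01 SERVICE definitions updated
1999-06-10 09:05:40 MBX02 DETECT virus=Worm.Explorer msgid=<c2@example.com> action=quarantine
1999-06-10 09:07:15 MBX01 DETECT virus=Macro.Constructed msgid=<c3@example.com> action=repair
1999-06-10 09:12:03 MBX01 DETECT virus=Worm.Explorer msgid=<c4@example.com> action=quarantine
1999-06-10 09:20:55 MBX03 DETECT virus=Worm.Explorer msgid=<c5@example.com> action=quarantine
1999-06-10 09:30:10 MBX02 DETECT virus=Worm.Explorer msgid=<c6@example.com> action=quarantine
1999-06-10 11:40:00 MBX01 DETECT virus=Worm.Explorer msgid=<c7@example.com> action=quarantine
1999-06-10 11:45:00 MBX02 DETECT virus=Worm.Explorer msgid=<c8@example.com> action=quarantine
1999-06-10 11:50:00 MBX03 DETECT virus=Worm.Explorer msgid=<c9@example.com> action=quarantine
1999-06-10 11:55:00 MBX01 DETECT virus=Worm.Explorer msgid=<c10@example.com> action=quarantine
"""

LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) DETECT virus=(\S+) ")


def parse_detections(text):
    """Return [(timestamp, server, virus)] for DETECT lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def outbreak_alerts(events, threshold, window=timedelta(hours=1)):
    """Per-virus sliding window. Returns [(time, virus, count, servers)], one
    alert per excursion above the threshold; the alert re-arms only once the
    count inside the window has dropped back to the threshold or below."""
    recent = defaultdict(deque)          # virus -> deque of (timestamp, server)
    armed = defaultdict(lambda: True)    # virus -> may fire again?
    alerts = []
    for ts, server, virus in sorted(events):
        q = recent[virus]
        q.append((ts, server))
        while ts - q[0][0] >= window:    # drop detections older than the window
            q.popleft()
        if len(q) > threshold:
            if armed[virus]:
                servers = sorted({s for _, s in q})
                alerts.append((ts, virus, len(q), servers))
                armed[virus] = False
        else:
            armed[virus] = True
    return alerts


def summarize(text, threshold):
    """Parse a log extract and return detection count plus outbreak alerts."""
    events = parse_detections(text)
    return {"detections": len(events), "alerts": outbreak_alerts(events, threshold)}
```

With a threshold of 3, the constructed log yields two alerts for Worm.Explorer (at 09:20:55 and again at 11:55:00 after the morning burst has aged out of the window) and none for the single macro detection; the server list in each alert tells the administrator whether the outbreak is confined to one mailbox server or is already spreading across the site.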
43 The Ideal Product
- Server Status and Monitoring
  - PerfMon Objects: Antigen and ScanMail
  - Console: ScanMail Enterprise Monitor
- Updates: Antigen, ScanMail, NAV
  - Isolated subnet
  - Automated
  - Hub and Spoke Network Source
- Support: Content Technologies, Sybari
  - Establish relationship
44 Section 5. Conclusions
- Levels of Protection
  - Level 3: Point of Entry
  - Level 2: Points of Access
  - Level 1: Zero Tolerance
45 Level 3: Point of Entry
- AV Scanner on Gateway
  - Exchange IMC
  - AV Relay Box
  - Outsourced
- Corporate Security Policy
- Education & Procedures
- Minimal Protection
46 Level 2: Points of Access
- Real-time Mailbox Scanning
- Corporate Security Policy
- Education & Procedures
- Optional
  - AV Scanner on Gateway
  - Content Filtering
  - Scheduled Mailbox Cleaning
47 Level 1: Zero Tolerance
- Content Filtering
- Code Blocking or Execution
- AV Scanner on Gateways
- Real-time Mailbox Scanning
- Corporate Security Policy
- Education & Procedures
- Optional
  - Scheduled Mailbox Cleaning
48 Section 6. Future Problems And Future Solutions
- New Viral Types and New Tools
- New Methods and Procedural Changes
- Increased Security
- Staying Informed
49 New Viral Types And Tools
- "We will be releasing tools at DEF CON or in the near future which we believe will provide a much more robust method of protecting your system than what the AV vendors can do today." - Tweety Fish, Cult of the Dead Cow
50 Levels of Security
51 New Methods And Procedural Changes
- Procedural Changes
  - Disaster Recovery Plan
  - Auto-Send vs. Offline Mode
- Attachments
  - No Executables or Code
  - RTF or Plain Text with no macros
  - URL or Baggage Claim instead
- Lack of Trust / PKI Integration
- Argument for Diversity?
  - Better to protect existing systems
52 Staying Informed
- AV / Network Security Research Organizations
  - http://www.icsa.net
  - http://www.virusbtn.com/
  - http://www.eicar.org/
  - http://www.wildlist.org/
  - http://www.cerias.purdue.edu/
53 Staying Informed
- Anti-Virus Software Vendors
  - http://www.antivirus.com/vinfo/alerts.htm
  - http://www.sarc.com/
  - http://www.avertlabs.com/public/datafiles/valerts/
  - http://www.cert.org/nav/alerts.html/
- Compaq Active Answers
  - http://www.compaq.com/activeanswers
- Microsoft
  - http://www.microsoft.com/security/bulletins/current.asp