Introduction to Antivirus Technology - PowerPoint PPT Presentation

About This Presentation
Title:

Introduction to Antivirus Technology

Description:

National credit hacking. Infrastructure hacking. Future Threats ... A day-zero threat exploits a previously unknown, and therefore unprotected vulnerability. ... – PowerPoint PPT presentation

Slides: 85
Provided by: manfre8

Transcript and Presenter's Notes


1
Introduction to Antivirus Technology
  • Manfred Hung
  • Security Consultant

2
Agenda
  • Security Climate: Trends, Challenges and Enterprise
    Solutions
  • Security Lifecycle and Best Practices
  • Symantec Client Security
  • Symantec Antivirus for SMTP Gateway
  • Symantec Gateway Security
  • Product Demo

3
Worldwide Attack Trends
Analysis by Symantec Security Response using
data from Symantec, IDC and ICSA; 2002 estimated.
Source: CERT
4
Less Knowledge Required to Attack
(Chart: knowledge required by an attacker, from High down to Low, plotted against time from 1980 to 2005)
5
General Threat Evolution
(Chart: scope of impact, from Individual PCs and Individual Orgs. through Regional and Sector to Global Impact, plotted against time from the 1990s through 2000 to 2003)
6
Threat Evolution: Malicious Code
(Chart: contagion timeframe, from weeks or months down to seconds, plotted against time from the early, mid and late 1990s through 2000 to 2003)
  • Class I: human response possible
    Contagion timeframe: days to weeks or months
  • Class II: human response difficult/impossible; automated response possible
    Contagion timeframe: minutes to hours
  • Class III: human response impossible; automated response unlikely; proactive blocking possible
    Contagion timeframe: seconds
7
Threat Evolution: Day-zero Threats
  • A day-zero threat exploits a previously unknown,
    and therefore unprotected vulnerability.

(Chart: the vulnerability-threat window on a time axis; the vulnerability is identified first, then the threat is released)
8
Threat Evolution: Day-zero Threats
  • A day-zero threat exploits a previously unknown,
    and therefore unprotected vulnerability.

(Chart: time axis on which the threat is released before the vulnerability is identified)
9
Threat Impact on Emerging Targets
(Matrix: threats plotted against targets)
  • Major disruption to multiple networks
  • Impact to power, communications, hydro, chemical and other infrastructure
  • Global Internet disruption
  • Major disruption of B2B services, sector-level impact
  • Short-term disruption of individual networks
  • Disruption of inter-networked SCADA
  • Short-term/localized Internet disruption
  • Disruption of targeted infrastructures
  • Account theft/corruption, DoS
  • Data theft/corruption, DoS
10
Vulnerabilities on the Rise: New Vulnerabilities per Week
Source: Symantec
11
How Quickly Do I Need to Respond?
Risk increases exponentially over time
Source: Symantec
12
Silo-Based Approach: Who Secures What?
  • Network Services: routers, switches, gateways, firewalls, RAS, ATM; firmware/software upgrades and patches
  • Mid-Range Services: servers; application upgrades/patches
  • Desktop Services: helpdesk, software support; upgrades/patches
  • Mainframe Services: authorization; upgrades/patches; operations
  • Security Services: policy, standards, development, maintenance, compliance, monitoring, response, recovery

Multiple threats from one/many sources, singly or in parallel, against one or many silos:
  • Malware
  • Worm
  • Virus
  • Exploits
  • Social Engineering
13
Total Attack Volume
(Chart: attacks per company by week, January 1, 2002 to December 30, 2002; y axis attacks per company from 0 to 50, x axis weeks from Jan 7 to Dec 23)
Source: Symantec Internet Security Threat Report
14
Enterprise Security Solution
15
Symantec is Securing the Enterprise
Proactive Control
16
Answering the Challenges: Securing Your Enterprise
Proactive Control
17
Securing the Enterprise
  • Alert / Early Warning
    • Awareness of new vulnerabilities and global threats
    • Symantec's alerting services allow customers to:
      • Close the gap between awareness of security issues and possible action
      • Understand the impact of the global environment
      • Reduce the TCO of security by preventing attacks or avoiding damage
  • Early Warning: DeepSight
  • Decoy Technology: ManTrap
  • Vulnerability Assessment

18
Securing the Enterprise
  • Integrated Solutions
    • Client Security
    • Gateway Security
  • Best-of-breed products
    • Host and Network Intrusion Detection
    • Antivirus
    • Filtering
    • Firewall
    • VPN
  • Protection
    • Multi-layered security at the Gateway, Server and Client
    • Symantec's Protection solutions allow customers to:
      • Provide protection against blended threats through layered, integrated solutions
      • Have significantly lower total cost of ownership: common install, management and update features

19
Securing the Enterprise
  • Respond
    • Trusted, timely content updates and 24/7 global remediation support
    • Symantec's Response capabilities allow customers to:
      • Automatically update all Protection products with the latest threat content
      • Obtain immediate expert global support
      • Recover quickly after an incident has occurred

Respond: Security Response (LiveUpdate), 7x24 customer support, Professional Services, Disk Recovery
20
Securing the Enterprise
  • Manage
    • Effectively identify critical vulnerabilities and blended threats in real time
    • Symantec's Management Solutions allow customers to:
      • Identify incidents accurately and promptly
      • Simplify management of protection products at all points of the network
      • Implement a single point of control
      • Reduce or eliminate the monitoring burden, focusing security staff on risk mitigation
  • Policy Compliance
  • Security Management
  • Incident Manager
  • Event Managers
  • Managed Security Services
21
Enterprise Antivirus Protection Solution
22
The Challenge: Growth and Evolution of Malware
(Chart: number of known viruses over time, annotated in order with Polymorphic Viruses (Tequila), Macro Viruses, Remote Control Trojan (NetBus), Mass Mailer Viruses (LoveLetter/Melissa) and PDA Virus (Palm Liberty))
Dramatic increase in the number and severity of malware attacks
Source: Symantec
23
Symantec AntiVirus Technologies
  • Same quality and timeliness of response
  • Uses NAVEX architecture
  • Leverages:
    • Central Quarantine
    • Scan & Deliver
    • Digital Immune System

24
Symantec Security Response Centers: Follow-the-Sun Rapid Response
  • Leiden, NL
  • Tokyo, JN
  • Santa Monica, USA
  • Sydney, AU
25
Antivirus Information Resource
  • http://www.symantec.com
  • http://www.sarc.com
  • http://www.securityfocus.com
26
Symantec Client Security Overview
27
Introduction of Symantec Client Security
  • Symantec Client Security integrates:
    • Antivirus
    • Client Firewall
    • Intrusion Detection
    • Privacy Control
  • Single Management Console
  • Single Deployment mechanism
  • Single Update mechanism

28
Symantec Client Security
Better client protection and lower cost through
integration
  • First integrated client security product for the Enterprise
  • Industry leading technologies:
    • Antivirus
    • Client Firewall
    • Client-side Intrusion Detection
  • Integrated installation
  • Common Management console, with optional integration into Symantec Information Management
  • Rapid Response with timely definitions, rules and signatures using common LiveUpdate deployment
  • Integrated Support
  • Integrated Services

29
Integrated Protection
The technologies talk to each other. For example:
  • Firewall technology will initiate an antivirus scan even when AV has been turned off!
  • Intrusion Detection technology will instruct the Firewall to block traffic from malicious sources
30
Integrated Deployment
  • Three pre-configured integrated installations:
    • Fully managed
    • Lightly managed
    • Thin client
  • Customizable deployment packages
  • Modular components
  • Flexible installation options

31
Common Management Console
  • Centralized Configuration Management
  • High scalability - hundreds of thousands of nodes
  • Hierarchical infrastructure
  • Policy management with settings lockdown
  • Group management including logical groupings
  • Product deployment
  • Event management
  • Update management

32
Integration with Symantec Security Management
System
  • Centralized Alerting: alerting threshold
  • Centralized Logging
  • Graphical Reporting: customizable reports
  • Cross-tier security technology management
  • Available Q4 2002

33
Symantec Client Security Client Protection
  • Client platforms: Win98/ME, Win XP, WinNT/2000
  • 64-bit client support: coming
  • Win2K3 support: coming
  • Silent or interactive integrated install
  • Three pre-packaged installations:
    • Fully managed
    • Lightly managed
    • Thin Client
  • Product migration
  • Competitive Uninstaller
  • Limited or full user interface with password protection

34
Symantec Client Security Firewall/IDS
Protection
  • Inbound and outbound traffic scanning
  • Integrates with antivirus scanning for integrated protection
  • Intrusion Detection
    • Integrates with the firewall to automatically block unauthorized intrusions
  • Internet Zone Control
  • Additive VPN Support:
    • Nortel Contivity Client
    • Cisco VPN Client
    • Symantec VPN Client (RaptorMobile)
    • CheckPoint VPN Client
  • Content Filtering: user defined

35
Symantec Client Security - Antivirus Protection
  • Common scan engine
  • Multi-platform, multi-tier and multi-lingual support
  • Extensible: does not require redeploy or reboot
  • Unknown virus detection: heuristics
  • Incremental virus definitions: small updates
  • Push Technology: fast deployment of cures
  • Roaming
  • Quarantine
  • Digital Immune System: automated response
  • Email scanning for MS Exchange and Lotus Notes/Domino

36
Other Key Benefits
37
Key Features
  • Packager: remote deployment
  • Multiple LU Servers: provide fail-over
  • Scanning performance improved
  • Scan Phase/Snooze
  • VD Update improved

38
Benefits
  • Eases Management Effort
    • Simplified security management
    • Holistic view of security at the client
  • Better Protection at the client
    • Multiple integrated security technologies provide better protection against blended threats
    • Better reporting results in an improved security posture
    • Better response through centralized updating and distribution
  • Optimizes administrator resources
    • Centralized installation, reporting, management and updates
  • Eliminates cross-vendor interoperability issues
    • Multiple technologies from a single vendor
  • Reduced Total Cost of Ownership

39
Response
40
Digital Immune System: Automated Response
41
Integrated Response
(Diagram: Virus Definitions, Firewall Updates and Intrusion Detection Signatures delivered together)
  • Integrated Response in a single update via our world-class LiveUpdate technology
  • Provides the highest security posture available
  • Rapid deployment in the face of a fast spreading outbreak
  • Minimizes impact on network bandwidth

42
Management Key Feature
  • Laptop users
    • Semi-managed Client for roaming users
    • Power Status / Schedule scanning
  • Tamper Protection
    • SSC Auto-Protection Notification
    • Registry Key monitoring
    • Auto-Protect Disable Notification
    • Auto-Protect Re-enable
    • Force password setting
    • Quarantine Setting

43
Symantec System Center
44
Symantec System Center
45
Integrated Firewall/IDS
46
Symantec Client Firewall
47
Symantec Client Firewall FW/IDS
48
Symantec Client Firewall - Logging
49
Symantec Client Firewall Administrator
50
Symantec Antivirus For SMTP Gateway
51
Solution Overview
  • What is Symantec AntiVirus for SMTP Gateways?
    • Comprehensive virus protection for the Internet Email (SMTP) Gateway
    • Reduces spam and eliminates unwanted email content, like attachments

52
Solution Overview
(Diagram: Viruses, Worms, Trojan Horses, Spam and Unwanted Content pass through SAV SMTP before reaching the Protected Customer)
53
Feature Highlights
  • This release focused on:
    • Security
    • Management
    • Performance
    • Antispam

54
Security
  • Enhanced Malformed MIME handling
    • Not unique, but critical
  • Extensive DoS Prevention (Zip of Death)
  • Outbreak Alerts
  • Tamper Alerts
  • Admin password encryption (through SSL)
  • Multi-Level Administration Passwords
  • Secure defaults: failing closed
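
The "Zip of Death" bullet refers to decompression bombs: a tiny archive whose entries declare an enormous expanded size, so that a scanner inflating it exhausts memory or disk and the gateway stops delivering mail. The pre-check below is an added example of the kind of control a gateway applies before it scans an attachment; it is not Symantec's code. The size limit, ratio limit, nesting depth and the three sample archives are all constructed here.

```python
"""Decompression-bomb ("Zip of Death") pre-check for a mail gateway.
Added example, not Symantec's code: limits and sample archives are constructed."""
import io
import zipfile
import zlib

MAX_DECLARED_TOTAL = 50 * 1024 * 1024   # constructed policy: 50 MiB expanded per message
MAX_RATIO = 100                          # constructed policy: reject anything beyond 100:1
MAX_NESTING = 2                          # constructed policy: archive-in-archive depth


def inspect_archive(data: bytes, depth: int = 0):
    """Decide from the central directory whether an archive may be handed to the scanner.

    Returns (ok, reason). Nothing is inflated except nested archives, and only
    after the entry holding them has already passed the size and ratio checks.
    """
    if depth > MAX_NESTING:
        return False, "archive nesting deeper than policy allows"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "malformed zip container"

    with zf:
        entries = zf.infolist()
        declared_total = 0
        for info in entries:
            declared_total += info.file_size
            if declared_total > MAX_DECLARED_TOTAL:
                return False, f"declared expanded size {declared_total} exceeds limit"
            # Claimed uncompressed size versus stored size; DEFLATE bombs run to ~1000:1.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return False, f"{info.filename}: ratio {info.file_size // info.compress_size}:1"
            if info.filename.lower().endswith(".zip"):
                try:
                    inner = zf.read(info)   # bounded: this entry passed the checks above
                except (zipfile.BadZipFile, zlib.error):
                    return False, f"{info.filename}: header/data mismatch"
                ok, why = inspect_archive(inner, depth + 1)
                if not ok:
                    return False, f"{info.filename}: {why}"
        return True, f"{declared_total} bytes declared across {len(entries)} entries"


def make_zip(entries):
    """Build an in-memory DEFLATE archive from (name, bytes) pairs (constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary attachment, a bomb, and the bomb hidden one level down.
BENIGN = make_zip([("report.txt", b"Quarterly figures attached; see sheet 2 for regional totals.\n")])
BOMB = make_zip([("zeros.bin", b"\x00" * (8 * 1024 * 1024))])   # 8 MiB inflates from a few KiB
NESTED = make_zip([("inner.zip", BOMB)])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("bomb", BOMB), ("nested", NESTED)):
        print(label, inspect_archive(sample))
```

The sizes in the central directory are written by whoever built the archive, so this check only prunes the obvious cases cheaply; the scanner that actually inflates the data must enforce the same byte budget while decompressing, and the gateway's "failing closed" default decides what happens to a message the check cannot classify.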

55
Security - Why do they care?
  • Provide confidence that the first line of
    defense is not the first line of attack
  • Need the right tools to respond to today's
    threats and vulnerabilities
  • Security awareness is growing and is gaining in
    importance at all tiers
  • Expect no less from Symantec as the leader in
    Internet Security

56
Management
  • Flexible and granular notifications about viruses/content violations
  • System Alerting
    • Triggered by events like failed LU, running out of disk space etc.
    • The system tells the Admin when something is wrong
  • Relay Pause: greater flexibility for handling outbreak situations
  • LiveUpdate Scheduling: greater flexibility
  • Shareable Configuration Files: configure once and reuse on other servers

57
Management - Why do they care?
  • Ease of management is critical
  • Need high-effectiveness, without
    labor-intensiveness

58
Performance
  • Goal is to maintain or expand the lead over Trend
    and Neta gained since v2.5
  • Faster message processing (using in-memory
    scanning)
  • Improved message and queue handling

59
Performance - Why do they care?
  • End-users don't accept delays lightly
  • Throwing more hardware at the problem is not an easy or desirable option
    • More servers? Larger servers?
    • Rack-space? Downtime?
  • To handle the same load on Win2K, Trend and Neta would require either more and/or beefier servers

60
Spam - What is it?
  • Unsolicited (bulk) commercial email
  • Usually can't unsubscribe from it
  • Usually sent through compromised internet resources (open relays)
  • Not only impacts mail server load and end-user satisfaction, it also carries potential liability

61
Spam a problem?!
62
Antispam (Anti-relay)
  • Antispam
    • Block by domain, email address
    • Support for MAPS Lists
      • MAPS: Mail Abuse Prevention System LLC
      • Lists supported: RBL, DUL, RSS, RBL
      • First subscribe to MAPS, then activate
  • Anti-relay
    • External relay prevention
    • Block by special character in recipient address
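
The three controls on this slide, worked as one added example in the order an SMTP gateway applies them: a MAPS-style DNSBL lookup on the connecting address, sender blocking by domain and by address, and an anti-relay check on each recipient. This is not Symantec's code. The DNSBL zone and its answers, the block lists, the local domain and the internal network are constructed, and reading the slide's "special character" as the classic source-routing characters % and ! is an assumption.

```python
"""Anti-spam and anti-relay decisions at an SMTP gateway.
Added example, not Symantec's code: zone, records, lists and policy are constructed."""
import ipaddress

# --- Block by domain / email address (constructed policy lists) ---
BLOCKED_SENDER_DOMAINS = {"spammer.test"}
BLOCKED_SENDER_ADDRESSES = {"bulk@marketing.test"}

# --- DNSBL (MAPS RBL-style) lookup ---
# A gateway asks DNS for <reversed IPv4>.<zone>; any A record (conventionally
# 127.0.0.x) means "listed". The zone and its answers here are constructed.
DNSBL_ZONE = "rbl.example.test"
DNSBL_RECORDS = {"7.113.0.203." + DNSBL_ZONE: "127.0.0.2"}   # 203.0.113.7 is listed


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet query name, e.g. 203.0.113.7 -> 7.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip: str, resolve=DNSBL_RECORDS.get) -> bool:
    """resolve() stands in for a DNS A lookup; a real gateway queries the MAPS zone."""
    return resolve(dnsbl_query_name(ip)) is not None


def sender_blocked(mail_from: str) -> bool:
    """MAIL FROM check against the address and domain block lists."""
    addr = mail_from.strip().lower()
    domain = addr.rpartition("@")[2]
    return addr in BLOCKED_SENDER_ADDRESSES or domain in BLOCKED_SENDER_DOMAINS


# --- Anti-relay ---
LOCAL_DOMAINS = {"corp.test"}                          # constructed: domains we accept mail for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: clients allowed to send out
ROUTING_CHARS = set("%!")   # assumed meaning of the slide's "special character"


def check_recipient(client_ip: str, rcpt_to: str) -> str:
    """Return the SMTP reply for one RCPT TO, enforcing the relay policy."""
    rcpt = rcpt_to.strip().lower()
    local_part, _, domain = rcpt.rpartition("@")
    # user%other.test@corp.test, bang paths and a second @ all ask us to forward onward.
    if ROUTING_CHARS & set(rcpt) or "@" in local_part:
        return "550 source-routed recipient address rejected"
    from_inside = any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS)
    if domain not in LOCAL_DOMAINS and not from_inside:
        return "550 relaying denied"
    return "250 OK"


def gateway_decision(client_ip: str, mail_from: str, rcpt_to: str) -> str:
    """Order of checks mirrors the SMTP dialogue: connection, MAIL FROM, RCPT TO."""
    if dnsbl_listed(client_ip):
        return "554 connecting host is listed in " + DNSBL_ZONE
    if sender_blocked(mail_from):
        return "550 sender blocked by policy"
    return check_recipient(client_ip, rcpt_to)


if __name__ == "__main__":
    print(gateway_decision("203.0.113.7", "a@b.test", "user@corp.test"))
    print(gateway_decision("198.51.100.5", "a@b.test", "user%elsewhere.test@corp.test"))
```

The relay rule is the one that turns a gateway from an open relay into a closed one: mail for a domain the gateway does not host is accepted only from the internal network, and addresses that embed a second hop are refused outright rather than parsed.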

63
Spam - Why do they care?
  • Boss is getting tired of receiving it (so is ours!)
  • Problem has become worse over the last few months
  • Concerns about liability, i.e. unsolicited offensive spam NOT being stopped

64
The Management Console: Web-based
65
Symantec Web Security
66
The Challenge: Growth in Internet Web Sites
Exponential increase in the number of websites
67
The Advent of the Blended Threat
  • Nimda worm (Fall of 2001) propagated via:
    • SMTP (e-mail)
    • HTTP (web browsing)
  • Lesson:
    • HTTP is a viable, but often neglected, infection vector
    • Scan HTTP traffic for content and other malicious payloads (viruses/worms/trojans)

Source: Symantec
68
Content Security is about Filtering Out ALL Harmful Data
  • Harmful Applications
  • Dangerous/Malicious Code
  • Litigious Content
  • Non-Work-related content
69
URL Filtering: Emerging Gaps in Protection
1994 - 1999
  • URL Lists relatively effective
  • Limited to the vendor's ability to find and update lists
  • Usually weak on non-English sites

2000 and beyond
  • Nature of delivery changing:
    • URL redirection
    • Cached pages
    • URLs with multiple host IPs
    • Unlisted anonymizers
    • Future technologies
  • URL Lists losing effectiveness

70
Symantec's Filtering "Safety-Net"
  • Combining list-based with heuristic analysis
  • Analogous to today's anti-virus protection
  • Technologies designed to detect both the Known AND the New
  • Effective second layer of defense
  • It understands most of our customers' languages (14 in all!)

(Diagram: URL Lists (list-based) alongside DDR Analysis (heuristics))
71
Dynamic Document Review (DDR)
  • "Keyword Filtering" is too broad
    • Blocks all pages containing a single instance of a word, e.g. "breast"
  • DDR takes a heuristic approach
    • Analyzes word context
    • Only the initial HTML file (26 kb) is retrieved and analyzed first
    • Very rapid, in-memory process

72
Why Customers Should Care: Thin line between fun and fatal content
Just a game?
73
Using Filtering as a Proactive Anti-Virus
Measure
  • Minimizing exposure to potentially lethal
    executables, Trojans etc.
  • Preventing access to web-based email during
    outbreaks, ex. Hotmail, Yahoo! Mail
  • Ensures that all web-based email attachments are
    scanned for viruses/malicious code
  • Inhibit or track internal access to hacker tools
    or hacker-related sites

74
How Integrated Scanning Works
(Flow diagram, reconstructed from the slide labels)
  • User surfs, sends request
  • 1st level: is the request even allowed? (Permissions, URL List)
    • If no, reject immediately on client
    • If OK, retrieve and proceed
  • 2nd level: is the request truly clean?
    • HTML: DDR (also DDR on search or download)
    • Binary: AV Scan
    • If OK, display
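
The two-level flow above and the keyword-versus-context contrast from the Dynamic Document Review slide, worked as one added example. It is not Symantec's DDR or scan engine: the URL list, the user's denied categories, the context lexicons and their weights, the 26 kB review limit applied to HTML, and the sample pages are all constructed here, and the "AV scan" is stood in for by a byte-signature match using the harmless EICAR test string.

```python
"""Two-level web content scanning: URL list and permissions first, then DDR-style
context analysis for HTML and a signature scan for binaries.
Added example, not Symantec's code: lists, lexicons, engine and samples are constructed."""
import re
from urllib.parse import urlparse

# ---- 1st level: is the request even allowed? ----
URL_LIST = {"casino.example.test": "gambling", "tools.example.test": "hacking"}  # constructed
DENIED_CATEGORIES = {"gambling", "hacking"}   # constructed per-user permissions


def level1_allowed(url: str):
    """Cheap check on the client before anything is fetched."""
    host = (urlparse(url).hostname or "").lower()
    category = URL_LIST.get(host)
    if category in DENIED_CATEGORIES:
        return False, f"URL list: {host} is categorized {category}"
    return True, "URL list: permitted"


# ---- 2nd level (HTML): keyword filter versus DDR-style context scoring ----
SENSITIVE = {"breast"}   # the slide's own example word
WORD = re.compile(r"[a-z]+")


def keyword_filter_clean(html: str) -> bool:
    """The 'too broad' approach: any occurrence of a sensitive word blocks the page."""
    return not (set(WORD.findall(html.lower())) & SENSITIVE)


# Constructed context lexicons: neighbours that raise or lower the score.
RAISES = {"adult", "explicit", "xxx", "nude"}
CLEARS = {"cancer", "screening", "mammogram", "clinic", "oncology", "health"}
WINDOW = 5
DDR_LIMIT = 26 * 1024   # only the initial 26 kB of HTML is reviewed, as on the slide


def ddr_score(html: str) -> int:
    """Each sensitive word scores +1, then +1 per raising neighbour and -1 per clearing
    neighbour within WINDOW words on either side. A positive total means block."""
    text = re.sub(r"<[^>]+>", " ", html[:DDR_LIMIT]).lower()
    words = WORD.findall(text)
    score = 0
    for i, w in enumerate(words):
        if w in SENSITIVE:
            ctx = words[max(0, i - WINDOW):i] + words[i + 1:i + 1 + WINDOW]
            score += 1 + sum(c in RAISES for c in ctx) - sum(c in CLEARS for c in ctx)
    return score


def ddr_clean(html: str) -> bool:
    return ddr_score(html) <= 0


# ---- 2nd level (binary): AV scan, stood in for by a byte-signature match ----
# EICAR is the industry's harmless standard test string; a real engine holds far more.
SIGNATURES = {"EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"}


def av_scan(data: bytes):
    return next((name for name, sig in SIGNATURES.items() if sig in data), None)


def integrated_scan(url: str, content_type: str, body: bytes):
    """Return ('reject', why) or ('display', why) for one request and its fetched object."""
    ok, why = level1_allowed(url)
    if not ok:
        return "reject", why                      # rejected immediately, nothing fetched
    if content_type.startswith("text/html"):
        if not ddr_clean(body.decode("utf-8", "replace")):
            return "reject", "DDR: sensitive words in a blocking context"
    else:
        hit = av_scan(body)
        if hit:
            return "reject", f"AV scan: {hit}"
    return "display", "passed both levels"


# Constructed sample pages: one medical, one the filter should stop.
MEDICAL = b"<html><body><h1>Breast cancer screening</h1><p>Book a mammogram at the clinic.</p></body></html>"
ADULT = b"<html><body><p>adult explicit breast pictures xxx</p></body></html>"

if __name__ == "__main__":
    print("keyword filter passes medical page:", keyword_filter_clean(MEDICAL.decode()))
    print("DDR passes medical page:", ddr_clean(MEDICAL.decode()))
    print(integrated_scan("http://news.example.test/health", "text/html", MEDICAL))
    print(integrated_scan("http://files.example.test/a.exe", "application/octet-stream",
                          SIGNATURES["EICAR-Test-File"]))
```

The scoring is deliberately conservative: a sensitive word with no recognised context still blocks, exactly as the keyword filter would, and only clearing context lowers the score. The medical page therefore fails the keyword filter but passes DDR, which is the gap the slide describes; the weights and lexicons a production system uses are the vendor's, not these.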
75
URL Filtering Response Team
  • Dedicated to searching and categorizing international websites
  • International reviewers use automated tools, including DDR-based tools, to find and categorize content
  • Dedicated R&D for "safety-net" detection technologies such as DDR
  • Periodic review of URLs sent by customers (filtering@symantec.com)

76
Symantec Web Security: Deployment
77
Symantec Web Security Deployment Examples
78
Symantec Web Security: User end
79
Download infected object
80
Download blocked object
81
Download blocked object
82
Download progress
83
Product Demo
84