TRANSCRIPT
E-mail Server Security Products
Bogdan Klekot, Microsoft Solutions Architect – Management & [email protected]
Agenda
• Introduction to Antigen E-mail Security Products
• Advanced Protection Features
  • Multiple Antivirus (AV) Engine Management
  • Distributed Protection
  • Layered Anti-spam
• Availability and Control Features
  • Performance Bias Setting
  • Scanning Innovations
  • Worm Removal
  • Cluster Support
  • Management
• Secure Content Features
  • Content Filtering
• Summary
[Diagram: Microsoft security product map. Layers: Guidance, Developer Tools, Systems Management, Active Directory Federation Services (ADFS), Identity Management Services, Information Protection, Client and Server OS, Server Applications, Edge. Antigen E-mail and Collaboration Server Security covers the Edge, E-mail and Collaboration servers (SMTP Server, ISA Server, Exchange Server, SharePoint, Live Communications Server) against viruses, worms, spam and inappropriate content arriving from the Internet to users; management is provided by the Microsoft Operations Manager Antigen MP.]
E-mail Security
Antigen e-mail security solutions help businesses protect their messaging servers against viruses, worms, spam, and inappropriate content.
• Advanced Protection: multiple scan engines at multiple layers throughout the e-mail infrastructure provide improved protection against e-mail threats.
• Availability & Control: tight integration with Microsoft Exchange and Windows-based SMTP servers maximizes availability and management control.
• Secure Content: helps organizations eliminate inappropriate language and dangerous attachments from internal and external communications.
New Microsoft Antigen Products
• Antivirus and content filtering for Exchange 2003 and 2000: helps stop threats that get past perimeter defenses and helps contain internal incidents.
• Antivirus and content filtering for Windows Server 2003 and 2000 SMTP gateways: helps stop threats before they reach internal messaging resources and users.
• Anti-spam and content filtering for Windows-based SMTP and Exchange-based servers: helps stop spam before it can impact user and network productivity.
• Centralized management for Antigen-protected servers: improves IT visibility and control into e-mail server security.
Advanced Protection
E-mail Antivirus Approaches
Single Vendor/Single Engine (Problem: single point of failure)
[Diagram: viruses, worms and spam arrive from the Internet through ISA Server and the SMTP server to the Exchange servers; every server runs the same engine "A".]
• Same scan engine, heuristics technology and signature files on all server and client platforms
• Dependent on one AV lab for scan engine updates during virus or worm outbreaks
• Queuing and delay during engine updates on mission critical servers (like Exchange)
E-mail Antivirus Approaches
Multi-vendor/Multi-Engine (Problem: management/cost)
[Diagram: viruses, worms and spam arrive from the Internet through ISA Server and the SMTP servers to the Exchange servers; each server runs a different vendor's engine (A, B, C, D, E).]
• Different scan engines, heuristics technologies and signature files on server and client platforms
• High acquisition and maintenance cost
• Added filtering complexity
Antigen Multiple Engine Management
[Diagram: mail from the Internet reaches an Exchange Server/Windows-based SMTP Server running engines A, B, C, D and E inside one product.]
One solution, multiple technologies
Antigen Antivirus Scan Engines
Antigen Stand-alone Products (total engines: 5): Microsoft Antivirus, Sophos, CA VET, CA InoculateIT, Norman
Messaging Security Suite (New! total engines: 9): the standard engines plus Kaspersky Lab, AhnLab, Authentium, VirusBuster
Signature Updates
[Chart: Sober.P virus detection time, May 2, 2005 (GMT), as time of day (hour:minute) per vendor: Symantec, eTrust-VET, McAfee, Avast, AVG, Trend Micro, Norman, AntiVir, eTrust-INO, Panda, VirusBuster, Fortinet, F-Secure, Ikarus, Command, Sophos, BitDefender, AVK, F-Prot, Kaspersky. Source: AV-Test.org, May 2005.]
Number of signature updates per day (January 2005 updates; AV-Test.org, Feb. 2005):
Kaspersky 18.5
Dr. Web 10.7
Sophos 2.7
BitDefender 1.7
ClamAV 1.5
AntiVir 1.4
F-Secure 1.4
Panda 1.3
Ikarus 1.1
Symantec 1.1
Trend Micro 1.0
Note: the chart (left) represents a single virus outbreak only. It does not represent average response times for the listed antivirus labs.
Distributed Protection
[Diagram: mail from the Internet passes through the SMTP Server and then the Exchange Server; both run the Antigen engines A, B, C, D and E.]
• Internet Scan Job (SMTP)
• Real-time Scan Job (Exchange Store)
Anti-spam Protection
Antigen Spam Manager (ASM) supports Windows-based SMTP gateways and Exchange Servern Integrated with Antigen for SMTP Gateways and Antigen for
Exchangen Also deploys stand-alone on Windows SMTP gateway servers
Signature-based, frequently updated anti-spam enginen Highly accurate protection against the latest spammer tacticsn Works with and complements Exchange Intelligent Message
F ilter’s heuristics spam detection approach Additional spam filtering options
n Real-time block list (RBL) supportn Mail-host block and allow lists by sender, domain and IP address
ArchiveFolder
Inbox
Junk E-mail
Layered Spam Detection
• On the same server, Exchange Intelligent Message Filter (IMF) scans before ASM
• Each applies a Spam Confidence Level (SCL) rating
• The higher rating always wins (has more confidence)
• Mail that is rejected, deleted or archived by IMF will not make it to ASM
Example: IMF archives SCL 7, 8 and 9
[Diagram: IMF scan runs first; if the SCL is 7, 8 or 9 the message is archived; messages with an IMF SCL of 0–6 go on to the ASM scan and then to the mail store (ASM SCL set to 9).]
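The IMF-then-ASM ordering and the "higher SCL wins" rule, as an added Python model that is not Antigen or Exchange code; the two scorers (`imf_scl`, `asm_is_spam`), the junk threshold `JUNK_SCL` and the sample mail are constructed stand-ins, only the combination rules come from the slide.

```python
"""Layered spam scoring on one server: IMF scans first, then ASM.
Added illustration, not Antigen or Exchange code. Combination rules from the
slide (IMF first; mail IMF archives never reaches ASM; the higher SCL wins);
scorers, junk threshold and sample mail are constructed stand-ins."""
from typing import NamedTuple

IMF_ARCHIVE_SCL = 7   # slide example: IMF archives SCL 7, 8 and 9
ASM_SPAM_SCL = 9      # slide: ASM sets SCL 9 on the spam it identifies
JUNK_SCL = 5          # assumed store threshold for routing mail to Junk E-mail
IMF_TRAITS = (("!!!", 3), ("$$$", 3), ("free", 2), ("click here", 1))  # constructed heuristics
ASM_SIGNATURES = ("replica watches", "unclaimed inheritance")           # constructed signatures

class Verdict(NamedTuple):
    scl: int
    disposition: str      # "archived_by_imf", "junk" or "inbox"
    scanned_by_asm: bool

def imf_scl(msg: dict) -> int:
    """Heuristic stand-in for IMF: weighted spammy traits, capped at SCL 9."""
    text = f"{msg['subject']} {msg['body']}".lower()
    score = sum(weight for token, weight in IMF_TRAITS if token in text)
    if msg["subject"].isupper():          # shouting subject line
        score += 2
    return min(score, 9)

def asm_is_spam(msg: dict) -> bool:
    """Signature stand-in for ASM: phrase match against a known-spam list."""
    return any(sig in msg["body"].lower() for sig in ASM_SIGNATURES)

def layered_scan(msg: dict) -> Verdict:
    imf = imf_scl(msg)
    if imf >= IMF_ARCHIVE_SCL:            # archived by IMF: ASM never sees it
        return Verdict(imf, "archived_by_imf", False)
    asm = ASM_SPAM_SCL if asm_is_spam(msg) else 0
    final = max(imf, asm)                 # the higher rating always wins
    return Verdict(final, "junk" if final >= JUNK_SCL else "inbox", True)

SAMPLE_MAIL = {  # constructed sample messages
    "ham": {"subject": "Team lunch", "body": "Pizza at noon, bring your own drinks."},
    "signature_spam": {"subject": "Re: your order", "body": "Genuine replica watches shipped discreetly to your door."},
    "loud_spam": {"subject": "FREE CASH!!!", "body": "Click here to claim $$$ today."},
    "borderline": {"subject": "Limited time offer", "body": "Free shipping on every order, click here for details."},
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MAIL.items():
        print(f"{name:15} {layered_scan(msg)}")
```

The "signature_spam" case is the one the layering is for: IMF's heuristics score it 0, ASM's signature catches it, and the final SCL is 9 because the higher rating wins.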
Availability & Control
Performance Bias Settings
• Max Certainty: uses all engines (100%)
• Favor Certainty: uses 75% of available engines*
• Neutral: uses approximately 50% of available engines*
• Favor Performance: uses 25% of available engines*
• Max Performance: uses one engine for every scan*
* Engines used are not always the same. They are dynamically allocated from the available pool.
[Diagram: engines A, B, C and D in the available pool; a different subset is allocated to each scan.]
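The bias-to-engine-count mapping and its effect on detection, as an added Python model that is not Antigen code: the percentages and the engine names are the slide's, the rounding rule (nearest whole engine, at least one), the random allocation and the detection model (how many pool engines already carry a signature for a new sample) are assumptions.

```python
"""Performance bias: how many engines a scan uses and what that costs in detection.
Added illustration, not Antigen code. Percentages and engine names from the slide;
rounding rule, allocation and detection model are assumptions."""
from fractions import Fraction
from math import comb
import random

ENGINE_POOL = ("Microsoft Antivirus", "Sophos", "CA VET", "CA InoculateIT", "Norman")
BIAS_SHARE = {
    "Max Certainty": 1.0,
    "Favor Certainty": 0.75,
    "Neutral": 0.5,
    "Favor Performance": 0.25,
    "Max Performance": None,   # exactly one engine for every scan
}

def engines_per_scan(bias: str, pool_size: int) -> int:
    """Engines used per scan; assumed rounding: nearest whole engine, never fewer than one."""
    share = BIAS_SHARE[bias]
    if share is None:
        return 1
    return max(1, int(pool_size * share + 0.5))

def allocate(bias: str, pool=ENGINE_POOL, rng=random) -> list:
    """Dynamic allocation: a fresh random subset of the pool for each scan."""
    return rng.sample(pool, engines_per_scan(bias, len(pool)))

def detection_probability(bias: str, pool_size: int, engines_with_signature: int) -> Fraction:
    """Exact chance that at least one allocated engine already detects a new sample,
    when `engines_with_signature` of the pool do. Counts subsets, so it is exact."""
    m = engines_per_scan(bias, pool_size)
    misses = comb(pool_size - engines_with_signature, m)   # subsets with no detecting engine
    return 1 - Fraction(misses, comb(pool_size, m))

def detection_table(pool_size: int, engines_with_signature: int) -> dict:
    return {bias: detection_probability(bias, pool_size, engines_with_signature)
            for bias in BIAS_SHARE}

if __name__ == "__main__":
    # Constructed scenario: 5 engines, only 2 have a signature for a brand-new worm.
    for bias, p in detection_table(len(ENGINE_POOL), 2).items():
        print(f"{bias:18} engines={engines_per_scan(bias, len(ENGINE_POOL))} P(detect)={p}")
    print("one allocation under Neutral:", allocate("Neutral"))
```

With five engines and two signatures available, Favor Certainty still reaches every sample (4 of 5 engines), Neutral detects 9 in 10, and Favor Performance or Max Performance only 2 in 5; that is the trade the bias setting makes.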
Scanning Innovations
• In-memory scanning
[Diagram: memory is allocated from the available memory pool for each item (e.g. 432 KB for an EXE attachment), the scanning process runs against it, and the memory is returned to the pool.]
• Multi-threaded scanning
Worm Removal
Designed to purge all messages containing worms
• Use the Sybari Worm List (wormprge.dat) to purge messages that match a known worm virus
• Create a custom Worm List with a single wildcard (*) to help match all malicious code detected
• Help provide pre-emptive protection against unknown worms with file filter purge (size, type, extension, etc.)
• The user receives nothing, not even a notification
Purged messages containing worms should not be quarantined
• There is no value in the message
• Reduces network bandwidth by removing unneeded messages
Enhanced Cluster Support
[Diagram: Exchange Virtual Server on a two-node cluster; settings and updates pass between the active node and the passive node, shown before and after the active role moves.]
Central Management
[Diagram: central management of the SMTP servers and Exchange servers: software deployment, configuration template deployment, distributed quarantine management, distributed log file retrieval.]
Automated Signature Updating
[Diagram: engine partner updates are published via www.microsoft.com and fetched over the Internet by the Antigen Engine Adaptor on the protected server.]
Notifications & Reporting
Microsoft Operations Manager Integration: Antigen Management Pack for MOM 2005
Over 100 events, performance counters, and services monitored
• Monitors the state of Antigen
• Collects statistical data on scanning, detection, and removal of messages and attachments
• Polls 5 Antigen services: provides timed events to poll systems for critical process health
Key tasks:
• Triggers scan engine updates
• Centralizes storage and deployment of license files
• Imports, exports and deploys setting changes
• Initiates and/or schedules manual scan jobs
• Starts/stops control of Antigen services
Secure Content Features
Content Policy Enforcement
• Body content: filters body content for inappropriate keywords or phrases
• File name, type: filters documents based on name match, wild card, file type or file extension
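The decision chain behind the Worm Removal and Content Policy Enforcement slides, as an added Python model that is not Antigen code and does not model the wormprge.dat format: worm-list entries match the name a scan engine reported (a single `*` matches everything detected), purge file filters match name, extension, size or type, and content-policy hits on body keywords or file names are quarantined; the `quarantine` action for content hits, the magic-bytes type check and all sample data are constructed assumptions.

```python
"""Worm-purge and content-policy decisions modelled on the slides.
Added illustration, not Antigen code and not the wormprge.dat format. Worm-list
entries match the name a scan engine reported ("*" alone matches everything
detected); purge file filters match name, extension, size or type; content hits
are quarantined (assumed action). Rules and samples are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Attachment:
    name: str
    size: int
    head: bytes = b""   # leading bytes for type detection (assumed: PE files start with "MZ")

@dataclass
class Message:
    body: str
    attachments: list = field(default_factory=list)
    detections: list = field(default_factory=list)   # malware names reported by the AV engines

WORM_LIST = ["W32/Sober*", "W32/Netsky*"]        # constructed worm-list entries
PURGE_FILE_FILTER = {"names": ["*.scr", "*.pif"], "max_size": 10_000_000, "types": [b"MZ"]}
CONTENT_KEYWORDS = ["project nightingale"]        # constructed confidential phrase
CONTENT_FILE_NAMES = ["*.mp3"]                     # constructed inappropriate file type

def worm_match(detections, worm_list=WORM_LIST) -> bool:
    return any(fnmatchcase(d.lower(), p.lower()) for d in detections for p in worm_list)

def file_filter_match(att: Attachment, rule=PURGE_FILE_FILTER) -> bool:
    """Pre-emptive purge for unknown worms: risky name/extension, oversized, or executable type."""
    return (any(fnmatchcase(att.name.lower(), p) for p in rule["names"])
            or att.size > rule["max_size"]
            or any(att.head.startswith(t) for t in rule["types"]))

def decide(msg: Message) -> tuple:
    """Return (action, reason). Purged mail is dropped outright: no quarantine, no notification."""
    if worm_match(msg.detections):
        return "purge", "worm list"
    if any(file_filter_match(a) for a in msg.attachments):
        return "purge", "file filter"
    if any(k in msg.body.lower() for k in CONTENT_KEYWORDS):
        return "quarantine", "body content"       # assumed action for content-policy hits
    if any(fnmatchcase(a.name.lower(), p) for a in msg.attachments for p in CONTENT_FILE_NAMES):
        return "quarantine", "file name"
    return "deliver", ""

if __name__ == "__main__":
    print(decide(Message("Status update", detections=["W32/Sober.P@mm"])))
```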
Summary
Microsoft provides comprehensive security products for e-mail servers
• Multiple engines
• Integrated AV/AS
• Availability and performance support
• Central management
• Keyword and file filtering
Antigen e-mail security products are key elements of any Windows-based SMTP or Exchange server deployment
Next Steps
• Read whitepapers on Antigen and Advanced Spam Manager: http://www.microsoft.com/antigen
• Download an evaluation copy of Antigen e-mail security products: http://www.microsoft.com/antigen
• Read about Microsoft Secure Messaging solutions: http://www.microsoft.com/securemessaging