antigen tdm

Posted 27-Jun-2015 (29 slides)

TRANSCRIPT

Page 1: Antigen tdm

E-mail Server Security Products

Bogdan Klekot, Microsoft Solutions Architect – Management & Security, [email protected]

Page 2: Antigen tdm

Agenda

Introduction to Antigen E-mail Security Products

Advanced Protection Features
• Multiple Antivirus (AV) Engine Management
• Distributed Protection
• Layered Anti-spam

Availability and Control Features
• Performance Bias Setting
• Scanning Innovations
• Worm Removal
• Cluster Support
• Management

Secure Content Features
• Content Filtering

Summary

Page 3: Antigen tdm

Diagram: Microsoft security offerings by layer, with Guidance and Developer Tools alongside Systems Management, Active Directory and Active Directory Federation Services (ADFS), Identity Management, Services, Information Protection, Client and Server OS, Server Applications, and Edge.

Page 4: Antigen tdm

Antigen E-mail and Collaboration Server Security

Diagram: viruses, worms and spam arrive from the Internet at the Edge (ISA Server, SMTP Server); behind it sit the E-mail (Exchange Server) and Collaboration (SharePoint, Live Communications Server) servers that serve the users, where viruses, worms and inappropriate content are filtered. Management: Microsoft Operations Manager with the Antigen MP.

Page 5: Antigen tdm

E-mail Security

Antigen e-mail security solutions help businesses protect their messaging servers against viruses, worms, spam, and inappropriate content.

Advanced Protection: multiple scan engines at multiple layers throughout the e-mail infrastructure provide improved protection against e-mail threats.

Availability & Control: tight integration with Microsoft Exchange and Windows-based SMTP servers maximizes availability and management control.

Secure Content: helps organizations eliminate inappropriate language and dangerous attachments from internal and external communications.

Page 6: Antigen tdm

New Microsoft Antigen Products

Antigen for Exchange: antivirus and content filtering for Exchange 2003 and 2000. Helps stop threats that get past perimeter defenses and helps contain internal incidents.

Antigen for SMTP Gateways: antivirus and content filtering for Windows Server 2003 and 2000 SMTP gateways. Helps stop threats before they reach internal messaging resources and users.

Antigen Spam Manager: anti-spam and content filtering for Windows-based SMTP and Exchange-based servers. Helps stop spam before it can impact user and network productivity.

Centralized management for Antigen-protected servers: improves IT visibility and control into e-mail server security.

Page 7: Antigen tdm

Advanced Protection

Page 8: Antigen tdm

E-mail Antivirus Approaches

Single Vendor/Single Engine
Problem: Single Point of Failure
Diagram: viruses, worms and spam arrive from the Internet through ISA Server and the SMTP server to the Exchange servers; the same engine (A) runs on every server.
• Same scan engine, heuristics technology and signature files on all server and client platforms
• Dependent on one AV lab for scan engine updates during virus or worm outbreaks
• Queuing and delay during engine updates on mission critical servers (like Exchange)

Page 9: Antigen tdm

E-mail Antivirus Approaches

Multi-vendor/Multi-Engine
Problem: Management/Cost
Diagram: viruses, worms and spam arrive from the Internet through ISA Server and the SMTP servers to the Exchange servers; different engines (A, B, C, D, E) are deployed on different servers.
• Different scan engines, heuristics technologies and signature files on server and client platforms
• High acquisition and maintenance cost
• Added filtering complexity

Page 10: Antigen tdm

Antigen Multiple Engine Management

One solution, multiple technologies
Diagram: mail from the Internet reaches an Exchange Server/Windows-based SMTP Server running Antigen with engines A, B, C, D and E together on the one server.

Page 11: Antigen tdm

Antigen Antivirus Scan Engines

Antigen Stand-alone Products (total engines: 5):
• Microsoft Antivirus
• Sophos
• CA VET
• CA InoculateIT
• Norman

Messaging Security Suite (total engines: 9): the standard engines plus
• Kaspersky Lab (New!)
• AhnLab
• Authentium
• VirusBuster

Page 12: Antigen tdm

Signature Updates

Chart (left): Sober.P virus detection time, May 2, 2005 (GMT), source AV-Test.org May 2005. Vendor labels and values are paired in the order extracted (slowest to fastest); the values are day fractions on a "Time of Day, Hour : Minute" axis and are converted here to hour:minute GMT:
Symantec 00:38 (May 3); eTrust-VET 23:15; McAfee 21:38; Avast 21:33; AVG 21:27; Trend Micro 21:18; Norman 20:46; AntiVir 20:24; eTrust-INO 19:54; Panda 18:49; VirusBuster 18:44; Fortinet 18:18; F-Secure 18:18; Ikarus 18:14; Command 17:38; Sophos 17:27; BitDefender 17:19; AVK 16:56; F-Prot 16:54; Kaspersky 16:39. Antigen engines are highlighted in the original chart.

Note: the chart (left) represents a single virus outbreak only. It does not represent average response times for the listed antivirus labs.

Table (right): number of signature updates per day, January 2005 updates, source AV-Test.org Feb. 2005:
Kaspersky 18.5
Dr. Web 10.7
Sophos 2.7
BitDefender 1.7
ClamAV 1.5
AntiVir 1.4
F-Secure 1.4
Panda 1.3
Ikarus 1.1
Symantec 1.1
Trend Micro 1.0

Page 13: Antigen tdm

Distributed Protection

Diagram: an Internet Scan Job (SMTP) on the SMTP Server and a Real-time Scan Job (Exchange Store) on the Exchange Server, each running engines A, B, C, D and E, so mail from the Internet is scanned at the gateway and again in the Exchange store.

Page 14: Antigen tdm

Anti-spam Protection

Antigen Spam Manager (ASM) supports Windows-based SMTP gateways and Exchange Server
• Integrated with Antigen for SMTP Gateways and Antigen for Exchange
• Also deploys stand-alone on Windows SMTP gateway servers

Signature-based, frequently updated anti-spam engine
• Highly accurate protection against the latest spammer tactics
• Works with and complements Exchange Intelligent Message Filter's heuristic spam detection approach

Additional spam filtering options
• Real-time block list (RBL) support
• Mail-host block and allow lists by sender, domain and IP address

Page 15: Antigen tdm

Layered Spam Detection

On the same server, Exchange Intelligent Message Filter (IMF) scans before ASM
• Each applies a Spam Confidence Level (SCL) rating
• The higher rating always wins (has more confidence)
• Mail that is rejected, deleted or archived by IMF will not make it to ASM

Example: IMF archives SCL 7, 8 and 9
Diagram: IMF scan; if the SCL is 7, 8 or 9 the message goes to the Archive Folder; with an IMF SCL of 0-6 it continues to the ASM scan, which sets the ASM SCL to 9 on spam it recognizes; the message is then delivered to the mail store (Inbox or Junk E-mail).
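The layered IMF-then-ASM flow above, as an added simulation that is not Antigen or Exchange code. It keeps the two properties the slide states: a message IMF archives never reaches ASM, and otherwise the higher of the two SCL ratings is the one stamped on the message. The IMF archive threshold of 7 is the slide's example; the junk-folder threshold, the toy scoring rules, the signature list and the blocklisted IP are assumptions constructed for the example (the real IMF and ASM scoring is proprietary).

```python
# Added example (not Antigen/IMF code): layered spam detection on one server.
# IMF scans first; anything it rejects, deletes or archives never reaches ASM.
# Otherwise both layers rate the message and the higher SCL wins.

from dataclasses import dataclass, field

IMF_ARCHIVE_SCL = 7      # slide example: IMF archives SCL 7, 8 and 9
JUNK_SCL = 4             # assumed store threshold for the Junk E-mail folder


@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    imf_scl: int = 0
    asm_scl: int = 0
    scl: int = 0                                  # final SCL on the message
    trace: list = field(default_factory=list)     # what each layer decided


def imf_scan(msg):
    """Heuristic layer (stand-in for Exchange IMF): rates 0-9 from content features."""
    score = 0
    text = (msg.subject + " " + msg.body).lower()
    for token in ("free", "winner", "click here", "viagra"):   # assumed heuristics
        if token in text:
            score += 3
    if msg.subject.isupper():                                  # shouting subject
        score += 2
    return min(score, 9)


# Constructed stand-ins for ASM's signature feed and mail-host block list.
ASM_SIGNATURES = {"lottery winner click here"}
ASM_IP_BLOCKLIST = {"203.0.113.7"}      # documentation address, constructed


def asm_scan(msg):
    """Signature/blocklist layer (stand-in for Antigen Spam Manager): 9 on a hit, else 0."""
    if msg.sender_ip in ASM_IP_BLOCKLIST:
        return 9
    text = (msg.subject + " " + msg.body).lower()
    if any(sig in text for sig in ASM_SIGNATURES):
        return 9
    return 0


def deliver(msg):
    """Run IMF, then ASM; return the folder the message ends up in."""
    msg.imf_scl = imf_scan(msg)
    msg.trace.append(f"IMF SCL {msg.imf_scl}")
    if msg.imf_scl >= IMF_ARCHIVE_SCL:
        # Archived by IMF: ASM never sees this message.
        msg.scl = msg.imf_scl
        msg.trace.append("archived by IMF; ASM not consulted")
        return "Archive Folder"
    msg.asm_scl = asm_scan(msg)
    msg.trace.append(f"ASM SCL {msg.asm_scl}")
    msg.scl = max(msg.imf_scl, msg.asm_scl)      # the higher rating wins
    return "Junk E-mail" if msg.scl >= JUNK_SCL else "Inbox"


if __name__ == "__main__":
    for m in (Message("198.51.100.5", "LOTTERY WINNER CLICK HERE", "free free"),
              Message("203.0.113.7", "hello", "meeting at 10"),
              Message("198.51.100.5", "hello", "free samples")):
        print(deliver(m), m.scl, m.trace)
```

The second sample message is the case the slide's "ASM SCL set to 9" box describes: IMF's heuristics give a blocklisted sender a 0, ASM rates it 9, and 9 is what the store acts on. The third shows the other direction: an IMF rating below the archive threshold still counts when ASM has nothing to add.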

Page 16: Antigen tdm

Availability & Control

Page 17: Antigen tdm

Performance Bias Settings

• Max Certainty: uses all engines (100%)
• Favor Certainty: uses 75% of available engines*
• Neutral: uses approximately 50% of available engines*
• Favor Performance: uses 25% of available engines*
• Max Performance: uses one engine for every scan*

* Engines used are not always the same. They are dynamically allocated from the available pool.

Diagram: engines A, B, C and D in the pool, with a varying subset selected for each scan.

Page 18: Antigen tdm

Performance Bias Settings (continued)

Diagram: the same settings, with engines A and B drawn from the pool for a scan.
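An added example, not Antigen code, of what the bias settings above do to a pool of engines. Each scan draws a subset of the pool whose size is set by the bias, and the message is flagged if any drawn engine detects it; running many scans shows how much detection a lower bias gives up for an engine that only one lab covers. The engine names are the five from the stand-alone products slide; the per-engine detection sets, the rounding rule (round half up, never fewer than one engine) and the random draw are assumptions made for the example.

```python
# Added example (not Antigen code): performance-bias engine allocation.
# A bias setting fixes how many engines each scan uses; which ones is a
# fresh draw from the pool every time ("dynamically allocated").

import math
import random

BIAS = {
    "Max Certainty": 1.00,
    "Favor Certainty": 0.75,
    "Neutral": 0.50,
    "Favor Performance": 0.25,
    "Max Performance": None,        # exactly one engine per scan
}

# Constructed detection tables: which sample IDs each engine "knows".
# Engines differ in practice because labs ship signatures at different times.
ENGINES = {
    "Microsoft Antivirus": {"sample-1", "sample-2"},
    "Sophos": {"sample-1", "sample-3"},
    "CA VET": {"sample-2"},
    "CA InoculateIT": {"sample-1", "sample-2", "sample-3"},
    "Norman": {"sample-3", "sample-4"},       # only engine that knows sample-4
}


def engine_count(bias, pool_size):
    """Engines per scan for a bias setting (rounding rule is an assumption)."""
    if BIAS[bias] is None:
        return 1
    return max(1, math.floor(BIAS[bias] * pool_size + 0.5))


def engines_for(bias, pool, rng):
    """Draw the engines for one scan from the available pool."""
    return rng.sample(sorted(pool), engine_count(bias, len(pool)))


def scan(sample_id, bias, pool=ENGINES, rng=random):
    """Scan one sample with a fresh engine draw; detected if any engine flags it."""
    chosen = engines_for(bias, pool, rng)
    hits = [e for e in chosen if sample_id in pool[e]]
    return {"engines": chosen, "detected": bool(hits), "hits": hits}


def detection_rate(sample_id, bias, trials=2000, seed=1):
    """Fraction of independent scans that detect sample_id under a bias setting."""
    rng = random.Random(seed)
    hits = sum(scan(sample_id, bias, rng=rng)["detected"] for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for bias in BIAS:
        print(f"{bias:18s} engines/scan={engine_count(bias, len(ENGINES))} "
              f"sample-4 detection={detection_rate('sample-4', bias):.2f}")
```

With five engines, Max Certainty always catches the sample only Norman knows; Max Performance catches it on roughly one scan in five. That is the trade the slide's footnote is pointing at: the dynamic draw spreads load, but a sample covered by a single lab is only found when that lab's engine happens to be drawn.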

Page 19: Antigen tdm

Scanning Innovations

In-memory scanning
Diagram: 432 KB is allocated from the available memory pool, the EXE attachment is scanned in memory by the scanning process, and the memory is returned to the pool.

Multi-threaded scanning

Page 20: Antigen tdm

Worm Removal

Designed to purge all messages containing worms
• Use the Sybari Worm List (wormprge.dat) to purge messages that match a known worm virus
• Create a custom Worm List with a single wildcard ( * ) to help match all malicious code detected
• Help provide pre-emptive protection against unknown worms with file filter purge (size, type, extension, etc.)
• The user receives nothing, not even a notification

Purged messages containing worms should not be quarantined
• There is no value in the message
• Reduces network bandwidth by removing unneeded messages

Page 21: Antigen tdm

Enhanced Cluster Support

Diagram: an Exchange Virtual Server on a two-node cluster; Antigen settings and updates are shared between the active node and the passive node, so protection continues when a failover swaps the active and passive roles.

Page 22: Antigen tdm

Central Management

Diagram: one management point covering the SMTP Servers and Exchange Servers, providing
• Software Deployment
• Configuration Template Deployment
• Distributed Quarantine Management
• Distributed Log File Retrieval

Page 23: Antigen tdm

Automated Signature Updating

Diagram: engine partner updates are published through www.microsoft.com and fetched over the Internet by the Antigen Engine Adaptor on each protected server.

Page 24: Antigen tdm

Notifications & Reporting

Page 25: Antigen tdm

Microsoft Operations Manager Integration
Antigen Management Pack for MOM 2005

Over 100 events, performance counters, and services monitored
• Monitors the state of Antigen
• Collects statistical data on scanning, detection, and removal of messages and attachments
• Polls 5 Antigen services: provides timed events to poll systems for critical process health

Key tasks:
• Triggers scan engine updates
• Centralizes storage and deployment of license files
• Imports, exports and deploys setting changes
• Initiates and/or schedules manual scan jobs
• Starts/stops control of Antigen services

Page 26: Antigen tdm

Secure Content Features

Page 27: Antigen tdm

Content Policy Enforcement

Body content: filters body content for inappropriate keywords or phrases

File name, type: filters documents based on name match, wild card, file type or file extension
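An added example, not Antigen code, that puts the worm-removal rules of the Worm Removal slide and the content policy above into one filter decision. It reproduces the slide's distinction between purging (worm-list match or file-filter hit: the message is dropped, not quarantined, and the user is not told) and quarantining other detections, and it decides "file type" from the attachment's leading bytes rather than from the extension, so an executable renamed to .txt is still purged. The worm list entries, extensions, size cap, banned phrase, magic-number table and sample messages are all constructed for the example; wormprge.dat's real format is not shown on the page.

```python
# Added example (not Antigen code): worm-list purge plus content policy.
# Actions: "purge" (drop silently, no quarantine), "quarantine", "deliver".

import fnmatch

# Stand-in for the Sybari worm list (wormprge.dat): virus-name patterns whose
# messages are purged outright. A custom list of ["*"] purges every detection.
WORM_LIST = ["W32/Sober*", "W32/Netsky*"]

PURGE_EXTENSIONS = {".exe", ".scr", ".pif"}        # file filter: extension
PURGE_MAX_SIZE = 5 * 1024 * 1024                   # file filter: size (assumed 5 MB)
BANNED_PHRASES = ["confidential - do not forward"]  # body keyword filter

# File type by leading bytes, so the check survives a renamed attachment.
MAGIC = {b"MZ": "executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def file_type(data):
    """Classify attachment content from its magic bytes, not its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def worm_match(virus_name, worm_list=WORM_LIST):
    """True if the detected virus name matches any worm-list pattern (wildcards allowed)."""
    return any(fnmatch.fnmatchcase(virus_name, pat) for pat in worm_list)


def filter_message(msg):
    """Return (action, reason) for a message dict with optional
    'virus' (engine verdict), 'attachments' [(name, bytes)], 'body'."""
    virus = msg.get("virus")
    # 1. Worm purge: no quarantine, no notification; the message has no value.
    if virus and worm_match(virus):
        return "purge", f"worm list match: {virus}"
    # 2. Any other detection goes to quarantine for the administrator.
    if virus:
        return "quarantine", f"virus: {virus}"
    # 3. File filter purge: by extension, by detected type, by size.
    for name, data in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = file_type(data)
        if ext in PURGE_EXTENSIONS or kind == "executable":
            return "purge", f"file filter: {name} ({kind})"
        if len(data) > PURGE_MAX_SIZE:
            return "purge", f"file filter: {name} exceeds size limit"
    # 4. Keyword filter on the body.
    body = msg.get("body", "").lower()
    for phrase in BANNED_PHRASES:
        if phrase in body:
            return "quarantine", f"keyword: {phrase}"
    return "deliver", ""


if __name__ == "__main__":
    samples = [                                   # constructed messages
        {"virus": "W32/Sober.P"},
        {"virus": "EICAR-Test-File"},
        {"attachments": [("invoice.pdf.txt", b"MZ\x90\x00" + bytes(64))]},
        {"attachments": [("report.pdf", b"%PDF-1.4\n")], "body": "hello"},
        {"body": "This is CONFIDENTIAL - Do Not Forward"},
    ]
    for s in samples:
        print(filter_message(s))
```

The third sample is the case the slide's "file type" wording covers and an extension-only filter misses: the name ends in .txt, but the bytes start with MZ, so the file-type check purges it.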

Page 28: Antigen tdm

Summary

Microsoft provides comprehensive security products for e-mail servers
• Multiple engines
• Integrated AV/AS
• Availability and performance support
• Central management
• Keyword and file filtering

Antigen e-mail security products are key elements of any Windows-based SMTP or Exchange server deployment

Page 29: Antigen tdm

Next Steps

Read whitepapers on Antigen and Advanced Spam Manager
• http://www.microsoft.com/antigen
• (Paste link for launch PressPass article)

Download an evaluation copy of Antigen e-mail security products
• http://www.microsoft.com/antigen

Read about Microsoft Secure Messaging solutions
• http://www.microsoft.com/securemessaging