FUNCTIONALITY AND FEATURES
Agenda
Main topics
• System requirements
• Scanning
• Viruses
• Spyware
• Virus signature updates
• Other features
Requirements
Supported platforms
• Windows 2000 Professional (with SP4 or higher) and Windows XP (Professional and Home Edition, with SP1 or higher)
• Also installs on Longhorn Beta
Minimum requirements
• Intel Pentium compatible hardware
• 128 MB RAM (Windows 2000), 256 MB RAM (Windows XP)
• 256 MB or more recommended!
• 50 MB free hard disk space
• Internet connection recommended
SCANNING
Scanning types
Scanning for Viruses and Spyware
What is scanned
• Real-time Scanning: whole file system (incl. cookies, hosts file)
• Web Traffic Scanning: HTTP
• Email Scanning: SMTP, POP3 and IMAP
• Manual Scanning: selected files/folders
• Scheduled Scanning: all files
What is monitored
• Browser Control: IE & pop-ups
• System Control: some sections of the registry
Real-Time Scanning: Virus Protection
Files are scanned every time they are accessed
• Created, opened, renamed, copied etc.
• Transparent operation
The real-time scanner scans processes every time it is enabled or the virus definitions are updated
• All running processes are checked and their related files are scanned (using the real-time scanning settings)
Real-Time Scanning: Spyware Protection
When real-time scanning is enabled, the computer is protected against viruses and spyware
• “Scan for spyware” must be enabled (default setting)
• Transparent operation (depending on the “actions” settings)
Email Scanning
Scans the content of incoming POP3 or IMAP and outgoing SMTP mail traffic (for viruses only!)
• Ensures that no viruses are sent or received through email
• Intercepts the traffic before the real-time scanner
• Email client independent
Web Traffic Scanning
HTTP traffic is scanned for viruses
• Protects against new types of viruses, such as those exploiting the recently discovered JPG vulnerability
• Can be enabled when a new virus outbreak or vulnerability occurs
• Disabled by default
• Transparent operation
Manual Scanning
Manual scans can be run to check a certain file, folder or drive
• Viruses and spyware can be scanned for separately or together
• Manual scans are usually more thorough and therefore more time consuming
• Quarantine function (spyware only!)
• Can be locked by the administrator
Scheduled Scanning
Scan the computer at a specific time by selecting the “Enable scheduled scanning” checkbox
• Scans for viruses only
• On a daily, weekly or monthly basis
• Start time can be a fixed clock time or a fixed period of computer idle time
• Uses the Windows scheduling service
Browser Control
When Browser Control is enabled, it blocks intrusive ad pop-ups and protects Internet Explorer against unwanted changes
Ad-Popup blocker
• Blocks banned pop-ups and tracking cookies
• Updated automatically
• User can manually add banned sites
Internet Explorer Shield
• Blocks drive-by downloads, browser hijacking and ActiveX installations
• Monitors IE entries in the registry
System Control
Protects against unexpected system changes (unknown, new malware)
• Monitors certain sections of the Windows registry and alerts on changes
• System start-up changes, critical file associations, application hijacking and other critical system changes
• Thus clients are protected from new, unknown malware and spyware
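As an added illustration of the baseline-and-diff idea behind this kind of monitoring (example code written for this page, not F-Secure's implementation; the monitored key list, the alert format and both registry snapshots are constructed), the Go program below records a trusted baseline of the start-up, file-association and logon keys and compares a later snapshot against it, raising one alert per added, removed or modified value. A product like the one described hooks registry writes as they happen; polling a baseline is the simplest form of the same check, and it shows why the key list matters: a change in an unmonitored key (here an Internet Explorer setting, which the deck assigns to Browser Control) produces no alert.

```go
package main

import (
	"fmt"
	"sort"
)

// Snapshot maps a registry key path to its value name -> data pairs.
// The data below is constructed; on a real host it would come from walking the keys.
type Snapshot map[string]map[string]string

// Alert is one change detected inside a monitored section.
type Alert struct {
	Key, Value, Old, New, Kind string
}

// monitored lists the sections this example watches, labelled with the kind of
// change the deck names: start-up locations, critical file associations and logon hooks.
// (Constructed selection; the real product's list is not on the slide.)
var monitored = map[string]string{
	`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`:          "start-up change",
	`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`:          "start-up change",
	`HKCR\exefile\shell\open\command`:                              "file association change",
	`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`: "logon hook change",
}

// Diff compares a trusted baseline with a current snapshot and returns one alert
// per added, removed or modified value in a monitored key. Keys outside the
// monitored set are ignored, which is what keeps the alert volume usable.
func Diff(baseline, current Snapshot) []Alert {
	var alerts []Alert
	for key, kind := range monitored {
		was, now := baseline[key], current[key]
		names := map[string]bool{}
		for n := range was {
			names[n] = true
		}
		for n := range now {
			names[n] = true
		}
		for n := range names {
			o, had := was[n]
			c, has := now[n]
			switch {
			case !had:
				alerts = append(alerts, Alert{key, n, "", c, kind + " (added)"})
			case !has:
				alerts = append(alerts, Alert{key, n, o, "", kind + " (removed)"})
			case o != c:
				alerts = append(alerts, Alert{key, n, o, c, kind + " (modified)"})
			}
		}
	}
	// Map iteration order is random; sort so output and tests are deterministic.
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Key != alerts[j].Key {
			return alerts[i].Key < alerts[j].Key
		}
		return alerts[i].Value < alerts[j].Value
	})
	return alerts
}

// SampleBaseline is the constructed "known good" state recorded at install time.
func SampleBaseline() Snapshot {
	return Snapshot{
		`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`: {
			"SecurityAgent": `C:\Program Files\Vendor\agent.exe`,
		},
		`HKCR\exefile\shell\open\command`: {"": `"%1" %*`},
		`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`: {
			"Shell": "Explorer.exe", "Userinit": `C:\WINDOWS\system32\userinit.exe,`,
		},
		`HKCU\Software\Microsoft\Internet Explorer\Main`: {"Start Page": "about:blank"},
	}
}

// SampleCurrent is the constructed later state: a new autorun entry dropped in a
// temp folder, the .exe association wrapped by another program, and an IE
// setting changed in a key this watcher does not cover.
func SampleCurrent() Snapshot {
	return Snapshot{
		`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`: {
			"SecurityAgent": `C:\Program Files\Vendor\agent.exe`,
			"svch0st":       `C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe`,
		},
		`HKCR\exefile\shell\open\command`: {"": `C:\WINDOWS\Temp\wrap.exe "%1" %*`},
		`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon`: {
			"Shell": "Explorer.exe", "Userinit": `C:\WINDOWS\system32\userinit.exe,`,
		},
		`HKCU\Software\Microsoft\Internet Explorer\Main`: {"Start Page": "changed"},
	}
}

func main() {
	for _, a := range Diff(SampleBaseline(), SampleCurrent()) {
		fmt.Printf("%s: %s\\%s\n  old: %q\n  new: %q\n", a.Kind, a.Key, a.Value, a.Old, a.New)
	}
}
```

Running it reports two alerts: the modified default value of the exefile open command (an association hijack, since every .exe launch now runs wrap.exe first) and the added svch0st entry in the machine Run key. The unchanged Winlogon values and the unmonitored IE key produce nothing.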
Generally about Scanning
Scanning is performed by three anti-virus engines, Libra, AVP and Orion, and an anti-spyware engine, Draco
• Possible to turn individual engines off
• Multiple engines are not a performance problem
By default only certain file types are scanned
• File types commonly used with malicious code
• Possibility of scanning all file types (performance issue!)
Supported archive types
• ZIP, ARJ, LZH, TAR, TGZ, GZ, CAB, RAR, BZ2 and JAR
• Packed files cannot be disinfected, only deleted or renamed
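The caveat a practitioner wants here is that "scan only certain file types" is a policy on the file name, and the attacker chooses the file name. The Go example below (added for this page, not F-Secure's code; the detection pattern, the extension list and the in-memory ZIP are all constructed) builds a small archive holding an executable twice, once as tool.exe and once renamed to notes.txt, and scans it with three selectors: the default extension list, a content check on the "MZ" header of a Windows executable, and "all files". It also descends into the archive the way the supported-archive-types bullet implies, with a nesting limit and a per-member decompressed-size cap, the two guards you want before opening packed files from untrusted sources.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Constructed detection pattern standing in for a real virus signature.
var testPattern = []byte("CONSTRUCTED-MALWARE-TEST-PATTERN")

// zipMagic is the local-file-header signature at the start of a non-empty ZIP.
var zipMagic = []byte("PK\x03\x04")

// scannedExtensions is a constructed version of the default "file types commonly
// used with malicious code" policy.
var scannedExtensions = map[string]bool{
	".exe": true, ".dll": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".vbs": true, ".js": true,
}

// A Selector decides whether a file is worth scanning at all.
type Selector func(name string, data []byte) bool

// ByExtension trusts the file name: this is the default policy, and the one an
// attacker defeats simply by renaming the file.
func ByExtension(name string, _ []byte) bool {
	return scannedExtensions[strings.ToLower(path.Ext(name))]
}

// ByContent ignores the name and looks at what the bytes are (here: the "MZ"
// header of a Windows executable), so a renamed executable is still scanned.
func ByContent(_ string, data []byte) bool {
	return bytes.HasPrefix(data, []byte("MZ"))
}

// AllFiles is the "scan all file types" option; complete, but costs performance.
func AllFiles(string, []byte) bool { return true }

// Scan returns the names of files containing the pattern. Archives are always
// opened regardless of selector (that is a content check too), members are named
// "archive.zip/member", nesting stops at maxDepth, and each member is capped at
// 1 MiB of decompressed data so a highly compressed member cannot exhaust memory.
func Scan(name string, data []byte, selector Selector, maxDepth int) []string {
	var hits []string
	if bytes.HasPrefix(data, zipMagic) {
		if maxDepth == 0 {
			return hits // nesting limit reached: not descended, so not checked
		}
		zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
		if err != nil {
			return hits
		}
		for _, f := range zr.File {
			rc, err := f.Open()
			if err != nil {
				continue
			}
			member, _ := io.ReadAll(io.LimitReader(rc, 1<<20))
			rc.Close()
			hits = append(hits, Scan(name+"/"+f.Name, member, selector, maxDepth-1)...)
		}
		return hits
	}
	if selector(name, data) && bytes.Contains(data, testPattern) {
		hits = append(hits, name)
	}
	return hits
}

// BuildSampleArchive constructs the test input: a benign text file, an
// executable carrying the pattern, and the same executable renamed to .txt.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	fakePE := append([]byte("MZ\x90\x00 constructed PE header "), testPattern...)
	members := []struct {
		name string
		data []byte
	}{
		{"readme.txt", []byte("nothing to see here")},
		{"tool.exe", fakePE},
		{"notes.txt", fakePE}, // executable hiding behind a harmless extension
	}
	for _, m := range members {
		w, _ := zw.Create(m.name)
		w.Write(m.data)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	archive := BuildSampleArchive()
	fmt.Println("by extension:", Scan("bundle.zip", archive, ByExtension, 2))
	fmt.Println("by content:  ", Scan("bundle.zip", archive, ByContent, 2))
	fmt.Println("all files:   ", Scan("bundle.zip", archive, AllFiles, 2))
}
```

The extension selector finds only bundle.zip/tool.exe; the content selector and "all files" both also find bundle.zip/notes.txt. The difference between the two complete selectors is cost: the content check opens every file but only pattern-matches the ones that look executable, which is the usual compromise between the default policy and "scan all file types".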
Detection Hierarchy
Anti-Virus
• Separate signature files for all three scanning engines
• Detection of tens of thousands of variants
• Scan engines also contain heuristic functionality
Anti-Spyware
• 8 categories (Data miners, Dialer, Monitoring tool, Vulnerability…)
• Over 600 families (Claria, DataMaker, CoolWebSearch…)
• Over 3000 variants
• Over 35000 signatures
Actions on Detection
Anti-Virus
• Primary actions
• If set to prompt the user for a decision, the options are disinfect, delete the infected file or do nothing
• If automatic actions are selected, the action is either disinfect, delete, rename the infected file or do nothing
• Secondary actions (automatic)
• Rename or delete
Anti-Spyware
• Prompt user for decision
• Options are quarantine, delete the infected file, exclude from scan or do nothing
Note!
• It is possible to set up customized messages when malware is found
Scan Wizard
An easy-to-use scan wizard for viruses and spyware
Lavasoft TAC: Threat Assessment Chart
The criteria for adding software to the spyware list are based on a point system
• Points are added according to five criteria: Removal, Integration, Distribution, Behaviour, Privacy
• Software requires a TAC score of three or higher (on a scale of zero to ten) to be included in the database
• This list is public, and complying with these strict rules is important as most spyware is legal software
• The Draco anti-spyware engine is based on Ad-Aware from Lavasoft
Threat Assessment System
Integration
• Can cause system instability
Distribution
• Intentionally hidden installation or clear indication that application is designed with the explicit intention of making it difficult or impossible to remove
• Bundled installation that is undisclosed, no notice given to the user pre-install or the host application’s EULA attempts to hide the application’s inclusion
• No info disclosed in EULA, confusing EULA, or a hidden EULA listing
Threat Assessment System
Behaviour
• Virus or trojan
• Connects to perform or aid in a DDoS attack
• Use or creation of tracking cookies
• Changes browsing results (browser hijack, redirect, replaces text or graphics, opens random websites)
• Operates stealthily
• Opens web sites not initiated by the user, unsolicited pop-ups or requests to join a different site
• Auto-updates without user permission or knowledge
• Dials an unauthorized Internet connection
• Opens or exploits a system vulnerability
Threat Assessment System
Privacy
• Connects to a remote system with or without the user's awareness to transmit usage statistics and/or personally identifiable information
• Connects to a remote system without the user's awareness to transmit/receive information
• Tracks the user's surfing habits
Removal
• Provides no uninstaller at all or non-functional application uninstaller
• Lacks clear evidence of intention, suspicion that the application's developer intentionally made the software difficult to uninstall
Spyware Category Structure
The anti-spyware database is organised as a hierarchy (diagram on the slide):
• 8 Categories: Data Miner, Monitoring tool, Vulnerability, Malware, Dialer, Worm, Cookie, Misc
• > 600 Families, e.g. Claria (Adware), Blazing Tools (Keylogger), WideStep Elite (Keylogger), CoolWebSearch (Browser Hijacker), DateMaker (Adult Dialer), Blaster (Network Worm), Tracking Cookies (Adware), Lycos Sidesearch (Bundled Adware)
• > 3000 Variants, e.g. CoolWebSearch Variant 1 to Variant 6
• > 35000 Signatures: file signatures, registry key signatures, registry value signatures
DATABASE UPDATES
Virus & Spy Databases
The heart of Virus & Spy Protection
• Provided by Anti-Virus Research
• Different for each scanning engine (Orion, AVP, Libra and Draco)
• Databases are signed (DAAS) and only taken into use if it is certain that the updates originated from F-Secure
• A daily update is usually a few kilobytes
Viruses are normally detected by several scanning engines and disinfected by the first engine that detects them
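The signed-database check described above, as an added example (written for this page; it is not F-Secure's DAAS format or code): a detached Ed25519 signature over each update, verified against a vendor public key pinned in the client before the update is taken into use. The key pairs, version numbers and payload are constructed. The example goes one step beyond the slide by binding the version number into the signed digest, so that a genuine but older update cannot be replayed to roll a client back to definitions that miss current malware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// DefinitionUpdate stands in for one signed database update: a version number,
// the signature data itself, and a detached signature by the vendor key.
// (Constructed layout for this example, not the real DAAS format.)
type DefinitionUpdate struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed database")
)

// digest binds the version number to the payload so that a genuine old update
// cannot be replayed under a different version number.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step: sign the versioned digest with the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) DefinitionUpdate {
	return DefinitionUpdate{Version: version, Payload: payload, Signature: ed25519.Sign(priv, digest(version, payload))}
}

// VerifyUpdate is the client-side gate: an update is taken into use only if the
// signature verifies against the pinned vendor public key AND it is strictly
// newer than what is installed. Anything else is discarded untouched.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u DefinitionUpdate) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed key pairs: the vendor's, which the client pins, and an attacker's.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	installed := uint32(100)

	genuine := SignUpdate(vendorPriv, 101, []byte("constructed signature data v101"))
	fmt.Println("genuine update:   ", VerifyUpdate(vendorPub, installed, genuine))

	tampered := genuine
	tampered.Payload = append([]byte("X"), genuine.Payload...) // altered in transit
	fmt.Println("tampered payload: ", VerifyUpdate(vendorPub, installed, tampered))

	forged := SignUpdate(attackerPriv, 101, genuine.Payload) // right data, wrong key
	fmt.Println("attacker-signed:  ", VerifyUpdate(vendorPub, installed, forged))

	stale := SignUpdate(vendorPriv, 99, genuine.Payload) // genuine but older than installed
	fmt.Println("downgrade attempt:", VerifyUpdate(vendorPub, installed, stale))
}
```

Only the first case passes; the modified payload, the update signed with a key other than the pinned one, and the genuine-but-older update are all refused before any parsing of the database content happens, which is the order you want: verify first, then parse.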
F-Secure Update Server
Updates
Database updates are downloaded and handled by the F-Secure Automatic Update Engine
• Also possible to update manually with a file downloaded from the F-Secure website (FSUPDATE.EXE)
Update paths (diagram on the slide)
• Centrally managed AVCS: the Automatic Update Agent on the Policy Manager Server fetches updates from the F-Secure Automatic Update Server, and the clients' Automatic Update Agents fetch them from the Policy Manager Server
• Stand-alone AVCS: the client's Automatic Update Agent fetches updates directly from the F-Secure Automatic Update Server
Network Quarantine
Intelligent Network Access (INA)
• If the virus definitions are old or real-time scanning is disabled, the product automatically changes the Internet Shield security level to Access Restricted
• Network access stays restricted until the virus definitions are updated and/or real-time scanning is enabled (the end user is prompted to update)
Network Admission Control (NAC)
Solution developed by Cisco Systems
• Requires a Cisco architecture: Cisco Trust Agent (CTA) on each device, a Cisco IOS Network Access Device (NAD) and an Access Control Server (ACS)
• No centralized management
Provides a host with the appropriate network access based on the state of the system
• Healthy: full network access granted
• Quarantine: e.g. outdated virus definitions during an outbreak => access restrictions
OTHER FEATURES
Unloading and Uninstalling
It is possible to unload FSAVCS to free memory (approx. 13 MB)
• 2 unload possibilities
• Unload only Virus & Spy Protection
• Unload Virus & Spy Protection and Internet Shield (not recommended)
• Feature meant for home users (while playing games etc.)
• Feature can be disabled from the policy
The product has protection against uninstallation
• Not password based; requires a change in the policy
Try and Buy Version
It is possible to try out F-Secure products for 30 days with the TNB version
• Available for both servers and workstations
• After 30 days it no longer operates, but can be activated once a license is bought
• After purchase of a license there is no need to reinstall
• All functionality present
Sidegrade Support
Automatic detection and removal of the main competitors' products
• McAfee
• Computer Associates (CA)
• Trend Micro
• Symantec
Transparent to the end user
• No user intervention required
On-line Help
Online help is always available to end users by pressing “Help”
The new online help includes the F-Secure Anti-Virus Client Security administration manual
• Available in the Policy Manager Console (by pressing “F1”)
Internet Shield
Integrated desktop firewall (Internet Shield)
• Integrated stateful inspection desktop firewall that monitors and filters Internet traffic, preventing unauthorized access to the workstation over the network
• Program access control from the workstation to the Internet
• Protects the workstation from Internet hackers and network worms
Intrusion Detection System (IDS)
• The IDS analyses Internet traffic and automatically detects and blocks malicious hacker and network worm attacks, such as port scans and Slammer, that are not detected by traditional anti-virus software
Summary
Main topics
• System requirements
• Scanning
• Viruses
• Spyware
• Virus signature updates
• Other features