Deploying AntiVirus Solutions For Exchange - PowerPoint PPT Presentation

1
Deploying Anti-Virus Solutions For Exchange
Evan Morris, MCSE, MCT, ASE
Messaging & Collaboration Business Unit, Compaq Computer Corporation
2
(No Transcript)
3
Contents
  • Introduction: Virus Problem
  • AV Product Overviews
  • Deployment Issues
  • Performance Testing
  • Conclusions
  • Future Problems & Solutions

4
Section 1. Introduction
  • Background on Viruses
  • Definitions and Methods
  • Levels of Security
  • Overview of Protection
  • Borders of Protection
  • Methods of Prevention or Detection
  • Beyond Scope

5
Background On Viruses
  • Definitions
  • Methods of Attack
  • Methods of Transmission

6
Definitions
  • Virus
  • Coded, Polymorphic, Stealth
  • Payload
  • Signature
  • Vector
  • Worm
  • Trojan horse
  • Spam mail

7
Methods Of Transmission
8
Morris Worm (11/2/1988)
  • Crippled 10% of computers on the Internet
  • Spread via Sendmail
  • Computer Emergency Response Team (CERT)
  • First Conviction

No relation
9
Methods Of Attack
10
The Escalating War
11
Head Start
Chart: Authoring Capabilities (Executables, Macro, Applet), 1996–2000, plotted against Viral Outbreaks, 1997–2001
12
Are You At risk?
  • "Six to nine new viruses appear every day."
  • "We're currently finding an average of one
    infected message in every 500 that we scan."

Sources: Norton AntiVirus Evaluator's Guide, Symantec Corporation; President of a financial services company
13
The Big Picture
Diagram: Network Security, Unwanted Content, System Operations
14
NTDs
  • "Remember, when you connect with another
    computer, you're connecting to every computer
    that computer has connected to."
    Dennis Miller, Saturday Night Live

15
Levels Of Security
  • None
  • Identification
  • Authentication
  • Authorization
  • Privacy
  • Integrity
  • Guardianship

16
Overview Of Protection
  • Borders of Protection
  • Methods of Prevention
  • Beyond Scope

17
Borders Of Protection
Diagram: Your Organization (Network, Server) versus the Internet, with Points of Entry at the Gateway/Firewall and the E-mail SMTP relay
  • Tier 1: Client Desktops
  • Tier 2: File & Application Servers
  • Tier 3: Firewalls & Gateways
18
Methods Of Prevention And Detection
  • Scanning
  • Content Filtering
  • Blocking
  • Demo
  • Code Execution
  • Policies and Procedures
  • User Education
  • Being Prepared

19
Beyond Scope
  • Blocking
    • IP address and URL blocking
    • Code Blocking: Deny Attachments
  • Code Execution
    • Execute Code on Isolated Machine
  • File Server Protection
  • Client Protection

20
Section 2. Anti-Virus Products
  • Design / Architecture
  • Viral Identification
  • Handling Infected Files
  • Notification
  • Server Status and Monitoring
  • Updating Engine and Definitions
  • Other Features and Support Policy

21
Design / Architecture
  • Gateway (SMTP or IMS) Versions
  • Store / Mailbox Versions
  • Client (Outlook Based)
  • Sanitizers
  • Outsourcing Virus Scanning

22
Viral Identification
  • Signature
    • Attachment scanning
    • Recursive decompression
    • During transmission or scheduled
  • Heuristic
  • Content Filtering
  • Behavior

23
Infected Files And Notifications
  • Notifications
    • Word-of-Mouth: End-Users, Admins, Senior Executives
    • Automated: Broadcast, Paging, Reporting, E-mail
    • Senders, Recipients, Admin
    • Internal, External
    • AV Log or NT Event Log
  • Handling Infected Files
    • Repair, Quarantine, Removal

24
Server Maintenance
  • Status and Monitoring
    • Management Console
    • Service State Reporting, Alerting
    • Watch Utilization (PerfMon)
  • Updating Scanning Engine and Virus Definitions
    • Proxy / Firewall Issues
    • Scheduled Pull
    • Fan-out Distribution

25
Other Features And Support
  • Pricing and Licensing
    • Existing Products (e.g., desktop version)
    • "Trade-up" pricing
  • Support Policy
    • E-mail, Web-based
    • Fit your time zone?
  • Longevity
    • MS Exchange Service Packs & Upgrades
    • Future: Windows 2000 & Exchange 2000
    • Year 2000 Compliance

26
Section 3. Deployment Issues
  • Design and Hardware Issues
  • Example Deployment Scenario

27
Design And Hardware Issues
  • Mailbox or Internet Connector
  • System Overhead and Sizing
    • Processor and Memory
    • Disk Space (Queues)
  • Exchange Server Basics
    • Fault Tolerant Design
    • Disaster Recovery Plan
    • Monitoring and Management
  • Cluster Support (MSCS)
    • Trend Micro and Sybari

28
Example Deployment Scenario
Diagram labels: Internet, Virus Source, Firewall, Anti-Virus Gateway, Internet Mail Service, Exchange Server, NT Domains, Mailbox Server, Mail Client
29
Section 4. Testing
  • Test Environment
  • Problem Files: Viruses and Other
  • Products Tested: Mailbox Server, Mail Client
    and SMTP / IMS Gateway
  • Results
    • Effectiveness
    • Performance and Load Impact
    • Product Design and Usability

30
Problem Files And Tests
  • VIRUSES
    • Worm.Explorer
    • Macro Virus
    • Disguised Virus
    • Zip in Embedded Message
    • Acknowledge ZIP
    • Encrypted ZIP
  • PROBLEM FILES
    • Zero Byte .COM
    • Empty ZIP file
  • TESTS
    • AV Service starting
    • Digital Signature
    • Encrypted
    • To Uninitialized Mailbox
    • Delayed
    • Send With Invalid Return Address
    • Embedded in Outlook Form
    • To Distribution List
    • To Public Folder via Post
    • To Public Folder via SMTP address
    • Drag & Drop File to Public Folder
    • Exchange Settings: Private .PST as delivery (Client logged on)
    • Invalid Address (create NDR)
    • Invalid Address (NDR) with valid CC
    • Message in Sent Items
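The recursive-decompression item on the Viral Identification slide and the problem files listed here (zero-byte .COM, empty ZIP, encrypted ZIP, ZIP inside a message) are the cases an attachment pre-check has to handle before the scanning engine ever sees the bytes. The Python below is an added example written for this page; it is not code from the presentation or from any of the products it names. The blocked-extension set, the nesting limit, the unpack budget and the sample attachments are constructed assumptions, and the "encrypted" sample is an ordinary ZIP with only its header flag set, because Python's zipfile module cannot write encrypted archives.

```python
import io
import zipfile

# Constructed policy values for this example (not taken from the presentation
# or from any product it names).
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".vbs", ".scr", ".pif"}
MAX_NESTING_DEPTH = 3                   # stop recursive decompression here
MAX_TOTAL_UNPACKED = 50 * 1024 * 1024   # unpack budget against decompression bombs


def _extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_attachment(name, data, depth=0, _budget=None):
    """Return policy findings (strings) for one attachment.

    These are pre-checks around the scanning engine, not virus detections:
    extension policy, recursive decompression with a depth limit and an
    unpack budget, and explicit flagging of content the engine cannot read
    (encrypted ZIP entries), so 'unscannable' never silently becomes 'clean'.
    """
    if _budget is None:
        _budget = {"bytes": 0}
    findings = []
    ext = _extension(name)

    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"BLOCKED_EXTENSION: {name}")
    if len(data) == 0:
        findings.append(f"ZERO_BYTE_FILE: {name}")
    if ext != ".zip":
        return findings

    if depth >= MAX_NESTING_DEPTH:
        findings.append(f"NESTING_TOO_DEEP: {name} (depth {depth})")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"CORRUPT_ZIP: {name}")
        return findings
    entries = zf.infolist()
    if not entries:
        findings.append(f"EMPTY_ZIP: {name}")
        return findings
    for info in entries:
        inner = f"{name}/{info.filename}"
        if info.flag_bits & 0x1:            # general-purpose bit 0 = encrypted
            findings.append(f"ENCRYPTED_ENTRY_UNSCANNABLE: {inner}")
            continue
        _budget["bytes"] += info.file_size
        if _budget["bytes"] > MAX_TOTAL_UNPACKED:
            findings.append(f"UNPACK_LIMIT_EXCEEDED: {inner}")
            return findings
        findings.extend(inspect_attachment(inner, zf.read(info), depth + 1, _budget))
    return findings


def _zip_bytes(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()


def _mark_encrypted(zip_data):
    """Set the 'encrypted' flag on every central-directory entry of a ZIP.

    zipfile cannot write encrypted archives, so the sample flips bit 0 of the
    flags field (offset 8 in each central-directory header) by hand; the check
    above only needs the flag, not real encryption, to be exercised.
    """
    data = bytearray(zip_data)
    pos = data.find(b"PK\x01\x02")
    while pos != -1:
        data[pos + 8] |= 0x01
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


def build_samples():
    """Constructed attachments mirroring the problem-file list on the slide."""
    inner_exe = _zip_bytes({"invoice.exe": b"MZ" + b"\x00" * 64})
    return {
        "report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,                      # ordinary file
        "update.com": b"",                                                    # zero-byte .COM
        "empty.zip": _zip_bytes({}),                                          # empty ZIP
        "secret.zip": _mark_encrypted(_zip_bytes({"doc.txt": b"hello"})),     # encrypted ZIP
        "nested.zip": _zip_bytes({"level1.zip": _zip_bytes({"level2.zip": inner_exe})}),
    }


def scan_samples():
    return {name: inspect_attachment(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or ['clean by policy']}")
```

The verdict on the encrypted sample is the part worth keeping: an entry the engine cannot open is reported as unscannable rather than passed as clean, which is the same class of blind spot the deck's encrypted tests probe. The nested sample shows why the depth limit and the unpack budget have to travel with the recursion: the executable three archives down is still found, while an archive that keeps unpacking into more data stops at a fixed cost.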
31
Products Tested
  • Mailbox Server Versions
    • Content Technologies (Integralis) MAILSweeper for
      Exchange
    • NEMX Anti Virus for MS Exchange
    • NAI (Network Associates) Groupshield
    • Sybari Antigen for Exchange
    • Symantec Norton Antivirus (NAV) for Exchange
    • Trend Micro ScanMail for Exchange
  • Not Tested: McAfee, Cheyenne, Dr. Solomon

32
Products Tested
  • Internet Gateway Versions
    • Sybari Antigen for Exchange
    • Symantec Norton Antivirus for Gateways
    • Trend Micro InterScan E-Mail VirusWall
  • Outlook Client Versions
    • NEMX Anti Virus for Outlook
    • NAI (Network Associates) Groupshield
    • Trend Micro ScanMail for Outlook

33
Test Environment
  • Compaq ProLiant 7000s
    • NT4 EE SP5, Exchange 5.5 SP2 → SP3
    • Limited to 2 CPU Xeon 400 (1 MB Cache) and 1 GB RAM
  • Mailbox Server
    • 1500 Users / Server (LoadSim 2L2M1H)
    • 3100ES RAID Controller

34
Test Procedure
  • Settings
    • Scan All Attachment Types, Notify Sender, Admin
      and Recipient, Repair if possible, Quarantine if
      Not
  • Detection
    • Start AV Service, send virus
  • Performance and Detection
    • Run LoadSim Normal Load
    • MailStorm Push to Bottleneck
    • 1, 2, 4 CPUs and 512 MB and 1 GB RAM

35
Results
36
Results
  • Detection Rates
  • Performance Measures
    • User Response (LoadSim)
    • PerfMon Counters
      • Processor Time: Total
      • Processor Time: AV Processes
      • Memory Used: AV Processes
      • Disk Usage and Queue Length
    • Message Delivery Times
    • Queues: AV, IMC, PRIV, PUB

37
Performance Trade-Offs
Diagram: Processing (CPU & RAM), Disk Queues, User Response
38
The Ideal Product
  • Design / Architecture
  • Installation and Usability
  • Viral Identification (Effectiveness)
  • Load Impact and Performance
  • Handling Infected Files
  • Notification and Reporting
  • Updates
  • Server Status and Monitoring
  • Vendor Support Policy

39
The Ideal Product
  • Design / Architecture: Sybari Antigen
    • Mailbox and IMC Product
    • ESE, Store and Attachments Table
    • Existing Public Folder Hierarchy
  • Installation and Usability
    • Remote Install and Admin?
    • Antigen and Trend Micro ScanMail: Choice of HTML
      or GUI interface (fixed size)
    • NEMX & NAI Groupshield: In Exchange Admin

40
The Ideal Product
  • Effectiveness: Sybari Antigen
    • IS/IMC Dependent on Antigen Service
      (Test: Start AV Service under load)
    • Highest Score: 20/23
    • Passed All PST, NDR, Public Folder tests
    • Choice of Engines & Rollback
    • Scan IMC Queues for filename
  • IMC: Trend Micro VirusWall (IMC only)
  • Client: NAI Groupshield (Form based) and NEMX

Note: All fail encrypted message test
41
The Ideal Product
  • Load Impact and Performance
    • Content Managers: Trend Micro eManager and
      Content Technologies MAILSweeper
    • Filename Blocking: Antigen (RegKey)
    • Scheduled Scan: ScanMail (Incremental)
  • Handling Infected Files
    • Quarantine Hierarchy (vs. flat)
    • Backing up file before repair: ScanMail

42
The Ideal Product
  • Notification and Reporting
    • NT Event log: NAV logs Encrypted files
    • Internal vs. External: Antigen
    • Outbreak Alert ( / hr x): ScanMail
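The three notification features on this slide (logging to the event log, separating internal from external sources, and raising an outbreak alert once detections per hour cross a threshold) are easy to reproduce over a scanner's own log. The Python below is an added example written for this page, not code from the presentation or from any vendor's product. The pipe-delimited log format, the mail domains and the six log lines are constructed for the example, and the threshold is a parameter rather than any product's setting.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not the format of any product named on the
# slides). Fields: timestamp | sender | recipient | attachment | virus | action
SAMPLE_LOG = """\
1999-06-10 09:02:11 | bob@partner.example | ann@corp.example | hello.doc | W97M/Sample | quarantined
1999-06-10 09:15:40 | ann@corp.example | dave@corp.example | hello.doc | W97M/Sample | repaired
1999-06-10 09:20:05 | ann@corp.example | eve@corp.example | hello.doc | W97M/Sample | repaired
1999-06-10 09:31:59 | dave@corp.example | all-staff@corp.example | hello.doc | W97M/Sample | quarantined
1999-06-10 09:44:12 | carol@corp.example | ann@corp.example | notes.zip | Worm.Sample | quarantined
1999-06-10 12:10:00 | spam@outside.example | eve@corp.example | offer.exe | Trojan.Sample | deleted
"""

INTERNAL_DOMAINS = {"corp.example"}   # constructed: the organisation's own mail domains


def parse_log(text):
    """Parse the pipe-delimited sample format into event dicts, tagging each
    detection as internal or external by the sender's domain."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, attachment, virus, action = [f.strip() for f in line.split("|")]
        domain = sender.rsplit("@", 1)[-1].lower()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sender": sender, "recipient": recipient, "attachment": attachment,
            "virus": virus, "action": action,
            "origin": "internal" if domain in INTERNAL_DOMAINS else "external",
        })
    return events


def outbreak_alerts(events, threshold, window=timedelta(hours=1)):
    """Alert when more than `threshold` detections fall inside any sliding window.

    A sliding window, rather than a fixed clock hour, catches a burst that
    straddles an hour boundary. The alert fires once, at the event that first
    pushes the window over the threshold, and is re-armed only after the count
    drops back to the threshold or below, so one outbreak produces one alert.
    """
    alerts = []
    recent = deque()
    armed = True
    for ev in sorted(events, key=lambda e: e["time"]):
        recent.append(ev)
        while recent[0]["time"] < ev["time"] - window:
            recent.popleft()
        count = len(recent)
        if count > threshold and armed:
            alerts.append({
                "at": ev["time"],
                "count": count,
                "top_virus": Counter(e["virus"] for e in recent).most_common(1)[0][0],
                "internal_senders": sum(1 for e in recent if e["origin"] == "internal"),
            })
            armed = False
        elif count <= threshold:
            armed = True
    return alerts


def origin_summary(events):
    """Internal vs. external detection counts, the split the slide calls out."""
    return Counter(e["origin"] for e in events)


def analyze(text=SAMPLE_LOG, threshold=3):
    events = parse_log(text)
    return outbreak_alerts(events, threshold), origin_summary(events)


if __name__ == "__main__":
    alerts, summary = analyze()
    print("origin summary:", dict(summary))
    for a in alerts:
        print(f"OUTBREAK {a['at']}: {a['count']} detections in the last hour, "
              f"mostly {a['top_virus']}, {a['internal_senders']} from internal senders")
```

On the sample data the fourth detection of the same macro virus inside one hour trips the alert, and the internal-sender count in the alert is what tells the administrator the virus is already being forwarded from inside rather than only arriving at the gateway; that is the distinction the internal vs. external item on the slide is about.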

43
The Ideal Product
  • Server Status and Monitoring
    • PerfMon Objects: Antigen and ScanMail
    • Console: ScanMail Enterprise Monitor
  • Updates: Antigen, ScanMail, NAV
    • Isolated subnet
    • Automated
    • Hub and Spoke Network Source
  • Support: Content Technologies, Sybari
    • Establish relationship

44
Section 5. Conclusions
  • Levels of Protection
    • Level 3: Point of Entry
    • Level 2: Points of Access
    • Level 1: Zero Tolerance

45
Level 3: Point of Entry
  • AV Scanner on Gateway
    • Exchange IMC
    • AV Relay Box
    • Outsourced
  • Corporate Security Policy
  • Education & Procedures
  • Minimal Protection

46
Level 2: Points of Access
  • Real-time Mailbox Scanning
  • Corporate Security Policy
  • Education & Procedures
  • Optional
    • AV Scanner on Gateway
    • Content Filtering
    • Scheduled Mailbox Cleaning

47
Level 1: Zero Tolerance
  • Content Filtering
  • Code Blocking or Execution
  • AV Scanner on Gateways
  • Real-time Mailbox Scanning
  • Corporate Security Policy
  • Education & Procedures
  • Optional
    • Scheduled Mailbox Cleaning

48
Section 6. Future Problems And Future Solutions
  • New Viral Types and New Tools
  • New Methods and Procedural Changes
  • Increased Security
  • Staying Informed

49
New Viral Types And Tools
  • "We will be releasing tools at DEF CON or in the
    near future which we believe will provide a much
    more robust method of protecting your system than
    what the AV vendors can do today."
    Tweety Fish, Cult of the Dead Cow

50
Levels of Security
51
New Methods And Procedural Changes
  • Procedural Changes
    • Disaster Recovery Plan
    • Auto-Send vs. Offline Mode
    • Attachments
      • No Executables or Code
      • RTF or Plain Text with no macros
      • URL or Baggage Claim instead
  • Lack of Trust: PKI Integration
  • Argument for Diversity?
    • Better to protect existing systems

52
Staying Informed
  • AV & Network Security Research Organizations
    • http://www.icsa.net
    • http://www.virusbtn.com/
    • http://www.eicar.org/
    • http://www.wildlist.org/
    • http://www.cerias.purdue.edu/

53
Staying Informed
  • Anti-Virus Software Vendors
    • http://www.antivirus.com/vinfo/alerts.htm
    • http://www.sarc.com/
    • http://www.avertlabs.com/public/datafiles/valerts/
    • http://www.cert.org/nav/alerts.html/
  • Compaq Active Answers
    • http://www.compaq.com/activeanswers
  • Microsoft
    • http://www.microsoft.com/security/bulletins/current.asp

54
(No Transcript)