Page 1

FUNCTIONALITY AND FEATURES

Page 2

Agenda

Main topics

• System requirements

• Scanning

• Viruses

• Spyware

• Updating virus signatures

• Other features


Page 3

Requirements

Supported platforms

• Windows 2000 Professional (with SP4 or higher) and Windows XP (Professional and Home Edition, with SP1 or higher)

• Also installs on Longhorn Beta

Minimum requirements

• Intel Pentium compatible hardware

• 128 MB of RAM (Windows 2000), 256 MB (Windows XP)

• 256 MB or more recommended!

• 50 MB free hard disk space

• Internet connection recommended

Page 4

SCANNING


Page 5

Scanning types

Scanning for Viruses and Spyware

What is scanned

• Real-time Scanning: whole file system (incl. cookies, hosts file)

• Web Traffic Scanning: HTTP

• Email Scanning: SMTP, POP3 and IMAP

• Manual Scanning: selected files/folders

• Scheduled Scanning: all files

What is monitored

• Browser Control: IE & pop-ups

• System Control: some sections of the registry


Page 6

Real-Time Scanning: Virus Protection

Files are scanned every time they are accessed

• Created, opened, renamed, copied etc.

• Transparent operation

The real-time scanner scans processes every time it is enabled or the virus definitions are updated

• All running processes are checked and their related files are scanned (using the real-time scanning settings).



Page 7

Real-Time Scanning: Spyware Protection

When real-time scanning is enabled, the computer is protected against viruses and spyware

• “Scan for spyware” must be enabled (default setting)

• Transparent operation (depending on the “actions” settings)



Page 8

Email Scanning

Scans the content of incoming POP3 or IMAP and outgoing SMTP mail traffic (only for viruses!)

• Ensures that no viruses are sent or received through email

• Intercepts the traffic before the real-time scanner

• Email client independent



Page 9

Web Traffic Scanning

HTTP traffic is scanned for viruses

• Protects against new types of viruses, like the recently discovered JPG vulnerability

• Can be enabled when a new virus outbreak or vulnerability occurs

• Disabled by default

• Transparent operation



Page 10

Manual Scanning

Manual scans can be run to check a certain file, folder or drive

• Viruses and spyware can be scanned for separately or together

• Usually, manual scans are more detailed and therefore more time consuming

• Quarantine function (for spyware only!)

• Can be locked by the administrator



Page 11

Scheduled Scanning

Scan the computer at a specific time by selecting the “Enable scheduled scanning” checkbox

• Only scanning for viruses

• On a daily, weekly or monthly basis

• Start time can be a fixed time or a fixed computer idle time

• Uses the scheduling service in Windows



Page 12

Browser Control

When Browser Control is enabled, it blocks intrusive ad pop-ups and protects Internet Explorer against unwanted changes

Ad-Popup blocker

• Blocks banned pop-ups and tracking cookies

• Updated automatically

• User can manually add banned sites

Internet Explorer Shield

• Blocks drive-by downloads, browser hijacking and ActiveX installations

• Monitors IE entries in the registry


Page 13

System Control

Protects against unexpected system changes (unknown, new malware)

• Monitors certain sections of the Windows registry and alerts on changes

• System start-up changes, critical file associations, application hijacking and generally critical system changes

• Thus clients are protected from new, unknown malware and spyware



Page 14

Generally about Scanning

Scanning is performed by three anti-virus engines (Libra, AVP and Orion) and an anti-spyware engine (Draco)

• Possible to turn individual engines off

• Multiple engines are not a performance problem

By default only certain file types are scanned

• File types commonly used with malicious code

• Possibility of scanning all file types (performance issue!)

Supported archive types

• ZIP, ARJ, LZH, TAR, TGZ, GZ, CAB, RAR, BZ2 and JAR

• Packed files cannot be disinfected, only deleted or renamed


Page 15

Detection Hierarchy

Anti-Virus

• Separate signature files for all three scanning engines

• Detection of tens of thousands of variants

• Scan engines also contain heuristic functionality

Anti-Spyware

• 8 categories (Data miners, Dialer, Monitoring tool, Vulnerability…)

• Over 600 families (Claria, DataMaker, CoolWebSearch…)

• Over 3000 variants

• Over 35000 signatures


Page 16

Actions on Detection

Anti-Virus

• Primary actions

• If the user is prompted for a decision, the possibilities are disinfect, delete the infected file or do nothing

• If automatic actions are selected, then either disinfect, delete, rename the infected file or do nothing

• Secondary actions (automatic)

• Rename or delete

Anti-Spyware

• Prompt user for decision

• Possibilities are to quarantine, delete the infected file, exclude it from scanning or do nothing

Note!

• It is possible to set up customized messages when malware is found
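As an added illustration (not the product's own code), the following Go sketch models the virus primary/secondary action rules above together with the packed-file caveat from the "Generally about Scanning" slide; the disinfect call, the Detection record and the policy struct are constructed assumptions.

```go
package main

import "fmt"

// Action is one of the responses named on the deck's "Actions on Detection" slide.
type Action string

const (
	Disinfect  Action = "disinfect"
	Delete     Action = "delete"
	Rename     Action = "rename"
	Quarantine Action = "quarantine"
	Exclude    Action = "exclude from scan"
	Nothing    Action = "do nothing"
)

// Detection is a constructed record of one infected file; Packed marks a file
// inside a supported archive, which the deck says can only be deleted or renamed.
type Detection struct{ Packed bool }

// VirusPolicy: Primary is disinfect, delete, rename or do nothing; Secondary is
// the automatic fallback (rename or delete) applied when disinfection fails.
type VirusPolicy struct {
	Primary, Secondary Action
}

// disinfect stands in for the engine call (hypothetical); it fails on packed files.
func disinfect(d Detection) bool { return !d.Packed }

// ResolveVirus returns the action actually carried out for a virus detection.
func ResolveVirus(d Detection, p VirusPolicy) (Action, error) {
	switch p.Primary {
	case Disinfect:
		if disinfect(d) {
			return Disinfect, nil
		}
		if p.Secondary != Rename && p.Secondary != Delete {
			return "", fmt.Errorf("secondary action must be rename or delete, got %q", p.Secondary)
		}
		return p.Secondary, nil // the secondary action is always automatic
	case Delete, Rename, Nothing:
		return p.Primary, nil
	}
	return "", fmt.Errorf("invalid primary action %q", p.Primary)
}

// ResolveSpyware validates the choice a prompted user made for a spyware detection.
func ResolveSpyware(choice Action) (Action, error) {
	switch choice {
	case Quarantine, Delete, Exclude, Nothing:
		return choice, nil
	}
	return "", fmt.Errorf("%q is not offered for spyware", choice)
}
```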


Page 17

Scan Wizard

Easy-to-use scan wizard for viruses and spyware


Page 18

Lavasoft TAC: Threat Assessment Chart

The criteria for adding software to the spyware list are based on a point system

• Points are added according to five criteria: Removal, Integration, Distribution, Behaviour, Privacy

• Software requires a TAC number of three or higher (on a scale of zero to ten) to be included in the database

• This list is public, and complying with these strict rules is important as most spyware is legal software

• The Draco anti-spyware engine is based on Ad-Aware from Lavasoft


Page 19

Threat Assessment System

Integration

• Can cause system instability

Distribution

• Intentionally hidden installation or clear indication that application is designed with the explicit intention of making it difficult or impossible to remove

• Bundled installation that is undisclosed, no notice given to the user pre-install, or the host application’s EULA attempts to hide the application’s inclusion

• No info disclosed in EULA, confusing EULA, or a hidden EULA listing


Page 20

Threat Assessment System

Behaviour

• Virus or trojan

• Connects to perform or aid in a DDoS attack

• Use or creation of tracking cookies

• Changes browsing results (browser hijack, redirect, replaces text or graphics, opens random websites)

• Operates stealthily

• Opens web sites not initiated by the user, unsolicited pop-ups or requests to join a different site

• Auto-updates without user permission or knowledge

• Dials an unauthorized Internet connection

• Opens or exploits a system vulnerability


Page 21

Threat Assessment System

Privacy

• Connects to a remote system with or without the user's awareness to transmit usage statistics and/or personally identifiable information

• Connects to a remote system without the user's awareness to transmit/receive information

• Tracks the user's surfing habits

Removal

• Provides no uninstaller at all or non-functional application uninstaller

• Lacks clear evidence of intention, but there is suspicion that the application's developer intentionally made the software difficult to uninstall


Page 22

Spyware Category Structure

Detection hierarchy (diagram): 8 categories, over 600 families, over 3000 variants, over 35000 signatures

• Signature types: file signatures, registry key signatures, registry value signatures

• Variants shown in the diagram: CoolWebSearch variants 1 to 6

The 8 categories

• Data Miner

• Monitoring tool

• Vulnerability

• Malware

• Dialer

• Worm

• Cookie

• Misc

Example families

• Claria (Adware)

• Blazing Tools (Keylogger)

• WideStep Elite (Keylogger)

• CoolWebSearch (Browser Hijacker)

• DateMaker (Adult Dialer)

• Blaster (Network Worm)

• Tracking Cookies (Adware)

• Lycos Sidesearch (Bundled Adware)

Page 23

DATABASE UPDATES


Page 24

Virus & Spy Databases

Heart of Virus & Spy Protection

• Provided by Anti-Virus Research

• Different for each scanning engine (Orion, AVP, Libra and Draco)

• Databases are signed (DAAS) and only taken into use if it is certain that the updates originated from F-Secure

• The daily update is usually a few kilobytes

Viruses are normally detected by several scanning engines and disinfected by the first engine that detects them
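To show what "only taken into use if it is certain the updates originated from F-Secure" means in practice, here is an added Go example (not F-Secure's DAAS code): a client pins the publisher's public key and applies a definition update only after an ed25519 signature over version and payload verifies. The update format is a constructed assumption, and the anti-rollback version check goes beyond what the deck states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a signed definition database package.
type Update struct {
	Version uint32 // sequence number of the database
	Payload []byte // the definition data itself
	Sig     []byte // ed25519 signature over Version || Payload
}

// signedBytes binds the version to the payload so neither can be swapped alone.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// Publish signs an update with the publisher's private key (publisher side).
func Publish(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Client holds the pinned publisher public key and the database version in use.
type Client struct {
	Pub     ed25519.PublicKey
	Current uint32
}

// Apply takes the update into use only if it verifies under the pinned key and is newer than the installed database (the rollback check is an addition beyond the deck).
func (c *Client) Apply(u Update) error {
	if !ed25519.Verify(c.Pub, signedBytes(u.Version, u.Payload), u.Sig) {
		return errors.New("rejected: signature does not verify under pinned publisher key")
	}
	if u.Version <= c.Current {
		return errors.New("rejected: not newer than the installed database")
	}
	c.Current = u.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Client{Pub: pub, Current: 41}
	good := Publish(priv, 42, []byte("constructed definition data"))
	fmt.Println("genuine:", c.Apply(good)) // genuine: <nil>
	good.Payload = []byte("modified in transit") // tamper with the signed data
	fmt.Println("tampered:", c.Apply(good)) // the signature no longer verifies
}
```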


Page 25

Updates

Database updates are downloaded and handled by the F-Secure Automatic Update Engine

• Also possible to update manually with a file downloaded from the F-Secure website (FSUPDATE.EXE)

Update architecture (diagram): F-Secure Update Server

• Centrally managed AVCS: Automatic Update Agent, Policy Manager Server, Automatic Update Agent

• Stand-alone AVCS: Automatic Update Agent, Automatic Update Server


Page 26

Network Quarantine

Intelligent Network Access (INA)

• If the virus definitions are old or if real-time scanning is disabled, the product automatically changes the Internet Shield security level to Access Restricted

• Network access is restricted until the virus definitions are updated and/or real-time scanning is enabled (prompts the end user to update)


Page 27

Network Admission Control (NAC)

Solution developed by Cisco Systems

• Requires a Cisco architecture (Cisco Trust Agents (CTA) on each device, Cisco IOS Network Access Device (NAD) and Access Control Server (ACS))

• No centralized management

Provides a host with the appropriate network access based on the state of the system

• Healthy: Full network access granted

• Quarantine: E.g. outdated virus definitions during outbreak => access restrictions

Page 28

OTHER FEATURES


Page 29

Unloading and Uninstalling

It is possible to unload FSAVCS to free memory (approx. 13 MB)

• 2 unload possibilities

• Unload only Virus & Spy Protection

• Unload Virus & Spy Protection and Internet Shield (not recommended)

• Feature meant for home users (while playing games etc.)

• Feature can be disabled from the policy

Product has protection against uninstallation

• Not password based, requires a change in policy


Page 30

Try and Buy Version

It is possible to try out F-Secure products for 30 days with the TNB version

• Available for both servers and workstations

• After 30 days it no longer operates, but can be activated once a license is bought

• After purchase of a license there is no need to reinstall

• All functionality present


Page 31

Sidegrade Support

Automatic detection and removal for main competitors

• McAfee

• Computer Associates (CA)

• Trend Micro

• Symantec

Transparent to the end user

• No user intervention required


Page 32

On-line Help

Online help is always available to end users by pressing “Help”

The new online help includes the F-Secure Anti-Virus Client Security administration manual

• Available in the Policy Manager Console (by pressing “F1”)


Page 33

Internet Shield

Integrated desktop firewall (Internet Shield)

• Integrated stateful inspection desktop firewall that provides robust monitoring and filtering of Internet traffic preventing unauthorized access to the workstation over the network

• Program access control from the workstation to the Internet

• Protects the workstation from Internet hackers and network worms

Intrusion Detection System (IDS)

• The IDS analyses Internet traffic and automatically detects and blocks malicious hacker and network worm attacks such as port scans and Slammer that are not detected by traditional antivirus software.


Page 34

Summary

Main topics

• System requirements

• Scanning

• Viruses

• Spyware

• Updating virus signatures

• Other features