SIP310 - Forefront Protection 2010 for SharePoint · EXTEND security SIMPLIFY security, MANAGE...


Page 1: SIP310 - Forefront Protection 2010 for SharePoint · EXTEND security SIMPLIFY security, MANAGE compliance Deep Microsoft SharePoint ... Web Front End FPSP Deployment Infrastructure
Page 3:

Malware

Compliance

SharePoint Security

Forefront/SharePoint Better Together Security

Premium Antimalware Protection

Keyword and File Filtering

Restore Quarantine

Scalability and Performance

Demo: Microsoft® Forefront™ Protection 2010 for SharePoint: Key Scenarios

Page 4:

Risks

Page 5:

Across on-premises & cloud

Highly Secure & Interoperable Platform

Identity Protect everywhere, access anywhere

Simplify the security experience, manage compliance

From Block to Enable

From Cost to Value

From Siloed to Seamless

Help securely enable business by managing risk and empowering people

Integrate and extend security across the enterprise

Page 6:

Enable more secure business collaboration from virtually any location or device, while preventing unauthorized use of confidential information

• Provide more secure, always-on access

• Protect sensitive information

• Best-in-class anti-malware

• Enterprise-wide visibility

• Easier partner management

PROTECT everywhere, ACCESS anywhere

INTEGRATE and EXTEND security

SIMPLIFY security, MANAGE compliance

• Deep Microsoft SharePoint and Office integration

• Standards-based interoperability

Page 7:

Features Summary

Protection for MOSS 2010, MOSS 2007 and Windows SharePoint Services

Multiple Antimalware Engines

Keyword and File Filtering

Scan RMS Protected Repositories

Restore Quarantined Files

Container: Zip, OpenXML, RAR, etc.

Native 64-bit Implementation

Friendly user interface

PowerShell Support

Page 8:

FPSP Deployment Infrastructure

[Diagram labels: Internet; Firewall; Extranet; Intranet; External SharePoint Users; Internal SharePoint Users; Web Front End; Web Application Servers; Microsoft® SQL Server®; Malware; Inappropriate Content]

Page 9:

Upload Scenario

[Diagram labels: SharePoint Web Front-End Servers; Forefront Protection for SharePoint; SharePoint Databases; steps 1 to 4]

Download Scenario

[Diagram labels: SharePoint Web Front-End Servers; Forefront Protection for SharePoint; SharePoint Databases; steps 1 to 6]

Page 10:

Scan Process

Workload (SharePoint/Exchange/OCS)

Forefront Scanning Architecture

File Navigators Keyword

File Filtering Engines

Quarantine and Actions

Antimalware engine adapters

Antivirus

Antispyware

Page 11:

Scanning Types

Realtime Scan

Scan triggered through the SharePoint VSAPI

Scheduled Scan

Schedule can be set for off hours scanning of selected SharePoint sites

On-Demand Scan

Immediate scanning of individual sites

Page 12:

Antimalware Scanning

Antivirus Scanning

Multi engines

Available with all 3 scanning types

Antispyware Scanning

Microsoft Antimalware Engine

Only available for Realtime scanning

Page 13:

Rapid response to new threats

Fail-safe protection through redundancy

Diversity of antivirus engines and heuristics

Response time¹ (in hours)

| WildList Number | Malware Name | Forefront Engines | Vendor A | Vendor B | Vendor C |
|---|---|---|---|---|---|
| 07/09 | autorun_itw702.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |
| 07/09 | autorun_itw713.ex_ | 0.00 | 65.50 | 16.33 | 76.02 |
| 07/09 | buzus_itw16.ex_ | 0.00 | 28.40 | 19.38 | 38.27 |
| 07/09 | koobface_itw116.ex_ | 0.00 | 0.00 | 7.22 | 532.87 |
| 07/09 | koobface_itw135.ex_ | 25.52 | 36.13 | 10.95 | 41.87 |
| 07/09 | koobface_itw136.ex_ | 0.00 | 20.32 | 3.75 | 1213.67 |
| 07/09 | koobface_itw137.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |
| 07/09 | koobface_itw155.ex_ | 0.00 | 27.17 | 34.77 | 133.02 |
| 07/09 | sdbot_itw2696.ex_ | 0.00 | 87.42 | 117.83 | 214.27 |
| 08/09 | autoit_itw111.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |
| 08/09 | bspread_itw1.ex_ | 2.05 | 576.33 | 363.55 | 591.28 |
| 08/09 | kolab_itw22.ex_ | 2.27 | 306.47 | 55.57 | 58.45 |
| 08/09 | kolab_itw24.ex_ | 0.00 | 127.72 | 10.63 | 81.47 |
| 08/09 | koobface_itw172.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |
| 08/09 | koobface_itw175.ex_ | 0.00 | 0.00 | 3.07 | 431.20 |
| 08/09 | mytob_itw640.ex_ | 1.55 | 614.92 | 576.05 | 629.87 |
| 08/09 | onlinegames_itw116.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |
| 08/09 | palevo_itw3.ex_ | 2.27 | 51.50 | 27.77 | 57.08 |
| 08/09 | spybot_itw290.ex_ | 13.07 | 59.78 | 0.00 | 115.53 |
| 09/09 | autorun_itw768.ex_ | 0.00 | 16.60 | 194.65 | 0.00 |
| 09/09 | autorun_itw774.ex_ | 0.00 | 19.17 | 196.33 | 739.45 |
| 09/09 | autorun_itw775.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |
| 09/09 | buzus_itw20.ex_ | 0.00 | 72.03 | 1.48 | 84.23 |
| 09/09 | buzus_itw21.ex_ | 0.00 | 20.03 | 14.22 | 209.40 |
| 09/09 | palevo_itw5.ex_ | 0.00 | 18.57 | 200.07 | 410.50 |
| 09/09 | sdbot_itw2701.ex_ | 0.00 | 33.93 | 101.22 | 19.47 |
| 09/09 | vb_itw142.ex_ | 0.00 | 0.00 | 0.00 | 0.00 |

** 0.00 denotes proactive detection

¹ Source: AV-Test.org 2009 (www.av-test.org)

Single-engine solutions

Less than 5 hours

5 to 24 hours

More than 24 hours

Page 14:

Keyword Filtering

Searches documents for matches to keywords in selected lists

Can be imported from an existing file

Can filter phrases

Support operators: AND, OR, NOT

Actions: SkipDetect, Delete, Suspend

Page 15:

File Filtering

Filter by name, type, or size: *.exe, *.doc, *>10mb

Filters can be combinations of size, name and type: <photo1.jpg>10mb, *.mp3>5mb, *>10mb

Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT

Actions: SkipDetect, Suspend (Realtime), Delete (Scheduled/OnDemand)

Page 16:

Container behavior (zip, rar, etc.)

Forefront scans within ZIP and other compressed formats and deletes only the offending file

Filter Rules: Delete *.exe, Quarantine

Container file before scan: EXE, DOC, JPG, BMP

Container file after scan: TXT (custom deletion text), DOC, JPG, BMP

Quarantine: EXE
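
The container behavior on this slide, modeled as an added example (not code from the presentation or from Forefront): a ZIP is rewritten so that only members matching a blocked pattern are replaced by a text file carrying the deletion text, while the originals are kept in a quarantine store. The function names, the deletion text and the sample container are assumptions constructed for illustration.

```python
import fnmatch
import io
import zipfile

# All names here are hypothetical; this models the slide's behavior, not FPSP code.
DELETION_TEXT = b"File removed by the file filter.\r\n"  # constructed sample text


def clean_container(zip_bytes, block_patterns=("*.exe",), deletion_text=DELETION_TEXT):
    """Return (cleaned_zip_bytes, quarantine) for a ZIP container.

    Members whose file name matches a blocked pattern are copied into the
    quarantine dict and replaced by a .txt member holding the deletion text;
    every other member is carried over unchanged.
    """
    quarantine = {}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            # Match on the lower-cased base name so SETUP.EXE in a subfolder is caught.
            base = info.filename.rsplit("/", 1)[-1].lower()
            if any(fnmatch.fnmatchcase(base, p.lower()) for p in block_patterns):
                quarantine[info.filename] = data  # original kept for later restore
                stem = info.filename.rsplit(".", 1)[0]
                dst.writestr(stem + ".txt", deletion_text)
            else:
                dst.writestr(info, data)  # untouched member
    return out.getvalue(), quarantine


def build_sample():
    """Constructed container matching the slide: EXE, DOC, JPG, BMP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("setup.exe", b"MZ-constructed-sample")
        z.writestr("report.doc", b"doc body")
        z.writestr("photo.jpg", b"jpg body")
        z.writestr("scan.bmp", b"bmp body")
    return buf.getvalue()


def members(zip_bytes):
    """Map member name -> content, for inspecting a container."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()}
```

Matching here is by file name only, so a renamed executable passes this check; that gap is what the antimalware engines on the earlier slides cover.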

Page 17:

Performance and Impact

In http://office deployment, measured at 12-15% overhead

Average less than 1 second per file overhead on file access requests (upload and download).

~80% speed improvement scanning Office 2007 documents

Page 18:

Scalability Improvements

More efficiently normalizing strings for keyword filtering

Reductions in context switching

More efficient use of machine resources to allow scanning of larger files

Native 64-bit implementation takes advantage of systems with more than 4GB of memory

Page 21:

Feature | FPM | FSSMC Service Pack (FPE 2010, FPSPS 2010) | FSSMC Legacy Products

• Server Discovery (Workload and Product)

• Server Grouping

• Remote Deployment (Management Agent)

• Remote Deployment (Product)

• Policy Deployment

• In-line Policy Editing: Partial

• Quarantine Administration

• Signature Redistribution

• Alerts

• Hybrid Management

• Cluster Management

• Licensing and Activation

• Centralized Reporting

• Manual & On Demand Scan

• Rich Reporting: TBD

• Log Collection

Technology

• SQL Support: Standard - 2008; Express – 2005 & 2008

• UI Architecture: .NET Thick Client; Web (ASP.NET)

• Reporting Architecture: SQL Standard SRS; SQL Express SRS + Custom; Custom

• Communications Channel: SCOM; WCF / WS; DCOM

Page 23:

http://office

Page 24:

Major players: TrendMicro, McAfee, Symantec

Support for MOSS 2007, 2003 and Windows SharePoint Services

Scan for Malware

Some with File Filtering and Rules Engine
