Anti-Malware Protection: A Technical Dive into Forefront Client Security

Ketil Pedersen, Technology Specialist Manager, Microsoft


DESCRIPTION

PowerPoint presentation. Forefront + System Center: IT Security, IT Management. Client Security, Application Server Security, Network Edge Security, Secure Remote Access.

TRANSCRIPT

Page 1: Anti-Malware Protection: A Technical Dive into Forefront Client Security

Anti-Malware Protection: A Technical Dive into Forefront Client Security

Ketil Pedersen, Technology Specialist Manager, Microsoft

Page 2

Simplified

Forefront + System Center: IT Security, IT Management

Change & Configuration Management

Backup & Recovery

Virtual Machine Management

Systems Monitoring

Common Management Infrastructure & Platform

Productive, Integrated

Client Security

Application Server Security

Network Edge Security

Secure Remote Access

Page 3

Agenda

The Current Security Environment

What Is Forefront Client Security?

Demo

Technical Review of: Unified Protection

Simplified Administration

Critical Visibility & Control

Availability

Closing remarks

Page 4

Increasingly Challenging Security Environment

New backdoor Trojan variants found in 1H 2006

Of infected computers contained at least one backdoor Trojan [1]

Of computers cleaned were infected with a mass mailing worm [2]

Programs detected worldwide represent 28% of Potentially Unwanted Software removals [3]

Get the Microsoft Security Intelligence Report: January-June 2006 at:

www.microsoft.com/technet/Security/default.mspx

1. MSRT in 1H 2006

2. MSRT and Windows Live OneCare in 1H 2006

3. Windows Defender in 1H 2006

Page 5

One solution for spyware and virus protection

Built on protection technology used by millions worldwide

Effective threat response

Complements other Microsoft security products

One console for simplified security administration

Define one policy to manage client protection agent settings

Deploy signatures and software faster

Integrates with your existing infrastructure

One dashboard for visibility into threats and vulnerabilities

View insightful reports

Stay informed with state assessment scans and security alerts

Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control

Page 6

Demo: Forefront Client Security in Action

Page 7

Architecture

Page 8

Unified Protection: Secure against a broad range of threats

Unified agent for virus and spyware protection

Common engine used by Windows Defender, OneCare, Forefront Server Security

On-access protection via kernel mode mini-filter

Built on Windows Filter Manager platform

Malware prevented from executing entirely – anti-virus and anti-spyware

User mode scanning

System Configuration, IE Add-ons & Configuration

IE and Office downloads

Services & drivers

App execution & registration

Scheduled and on-demand scans

Quick scan – In memory processes, targeted directories, common malware extensibility points

Full scan – Quick scan + local drives

Page 9

Unified Protection: Secure against a broad range of threats

Agent behavior manageable by IT administrator

Flexible scan scheduling (time & interval based)

Signature update frequency, roaming user fail-over

Exclusions – file extensions, directories

Signature overrides: by specific malware, by malware category

Local end-user interface

Policy aware – i.e. locked-down settings will be grayed out

Lockdown user interface completely

SpyNet reporting

Compatible with Windows Security Center and Vista NAP

Anti-virus and anti-spyware status – on/off and signatures up-to-date

Page 10

Unified Protection: Secure against a broad range of threats

Research & response organization delivers malware signatures for:

Forefront Client Security, Forefront Server Security, Windows Live OneCare, Windows Defender, Malicious Software Removal Tool (MSRT)

Currently protecting millions of systems

Research team uses multiple data sources to identify threats

Released products: Windows Defender, OneCare, MSRT, etc.

Other sources: PSS, Hotmail, web crawling, customer submissions

Partnerships with industry

Top priority is responding to active threats in the wild

Automation in analysis: Automatic malware submission storage and retrieval, resolving of duplicate submissions, prioritization of sample analysis

Building out global 24x7 organization (US, Europe, Asia Pacific)

Industry certifications (OneCare currently, expect same for FCS)

ICSA Labs, West Coast Labs

Page 11

Simplified Administration: Client deployment options

FCS client installation optimized for Microsoft Update (MU) and Windows Server Update Services (WSUS)

FCS client package is published on MU

WSUS syncs with MU and downloads the FCS client package

Administrator configures and deploys FCS client policy

Client syncs with WSUS – downloads, installs and applies policy

Reporting in WSUS and FCS

Can also use SMS, MOM, log on scripts, Group Policy and any software distribution system

[Diagram: Malware Research → Microsoft Update → WSUS + Update Assistant → Desktops, Laptops and Servers; Deploy Client Policy]

Page 12

Simplified Administration: Client deployment options

One console for simplified security administration

One policy to manage client protection agent settings, e.g.:

Anti-spyware unknown action

Alert level

Event and logging settings

SpyNet reporting on/off

Level of end-user UI shown

Scan schedule

Real time protection on/off

Signature update frequency

Anti-spyware signature overrides

Security state assessment settings

Choice of 3 integrated policy profile deployment methods:

Microsoft Forefront Client Security Console (uses AD/GP)

ADM file (uses AD/GP)

Export to a file then use existing software distribution system

Page 13

Simplified Administration: Alerting Configuration

Alerts managed using MOM 2005 operator console

Alert configuration is policy specific

Alerts notify admin of high-value incidents, including:

Malware detected

Malware failed to remove

Malware outbreak

Malware protection disabled

Alert levels control type & volume of alerts generated

[Alert level scale 1 to 5, ranging between “Critical Issues Only, Low Value Assets” and “Rich Data, High Value Assets”; alert types placed on the scale:]

Outbreak

Malware removal failed

Signature update failed

Malware detected and removed

Signature update failed (per min)
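The level-gated, per-policy alert filtering the slide describes, written as an added Python example; this is not FCS code. The exact level at which each incident type starts to alert (a cumulative 1..5 scale, 1 = critical issues only, 5 = rich data) and the policy names are assumptions.

```python
from dataclasses import dataclass

# Lowest policy alert level at which an incident type is raised as an alert.
# ASSUMPTION: cumulative 1..5 scale read off the slide (1 = critical issues
# only for low-value assets, 5 = rich data for high-value assets); this is
# not taken from FCS documentation.
MIN_LEVEL = {
    "malware_outbreak": 1,
    "malware_removal_failed": 1,
    "malware_protection_disabled": 1,
    "signature_update_failed": 2,
    "malware_detected_and_removed": 3,
    "signature_update_failed_per_minute": 4,
}

@dataclass(frozen=True)
class Incident:
    host: str
    kind: str
    policy: str  # client policy applied to the host

# Alert configuration is policy specific: each policy carries its own level.
# Policy names are constructed for this example.
POLICY_ALERT_LEVEL = {"high-value-servers": 5, "low-value-kiosks": 1}

def alert_kinds_at(level):
    """Incident types that become alerts under a policy set to `level`."""
    if not 1 <= level <= 5:
        raise ValueError(f"alert level must be 1..5, got {level}")
    return sorted(kind for kind, lo in MIN_LEVEL.items() if lo <= level)

def to_alerts(incidents, policy_levels=POLICY_ALERT_LEVEL):
    """Keep only the incidents the MOM 2005 operator console would show as alerts."""
    raised = []
    for inc in incidents:
        if inc.kind not in MIN_LEVEL:
            raise ValueError(f"unknown incident type {inc.kind!r}")
        level = policy_levels[inc.policy]  # unknown policy -> KeyError, on purpose
        if MIN_LEVEL[inc.kind] <= level:
            raised.append(inc)
    return raised

# Constructed incidents: a high-value server and a low-value kiosk.
SAMPLE_INCIDENTS = [
    Incident("srv01", "malware_detected_and_removed", "high-value-servers"),
    Incident("srv01", "signature_update_failed", "high-value-servers"),
    Incident("kiosk07", "malware_detected_and_removed", "low-value-kiosks"),
    Incident("kiosk07", "malware_removal_failed", "low-value-kiosks"),
]
```

The kiosk's routine detection is dropped by its level-1 policy while its failed removal still surfaces, which is the volume-versus-visibility trade-off the level setting exists for.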

Page 14

[Security Summary report screenshot]

Critical Visibility & Control: Summary Report

Page 15

Critical Visibility & Control: Security State Assessment

Security State Assessment host agent:

Performs scans based on security check definitions

Scans scheduled via policy or invoked on-demand

Security checks:

Detect missing security updates based on Microsoft Update

Compare system configuration against security best practices

Examine data from registry, file system, WMI, IIS metabase, SQL, etc.

Checks updateable via Microsoft Update

Security State Assessment provides “Score” and “Severity” for each check:

Score Value – risk associated with security issues

Severity Value – provided by MSRC for Security Updates

Reporting enables drilldown into specific security issues

Page 16

Critical Visibility & Control

“Is my environment compliant with security best practices?”

“Has my level of vulnerability exposure changed over time?”

“What portion of my environment is at high risk?”
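An added Python example (not FCS code) that rolls up per-check Score and Severity values from the Security State Assessment slide into answers for the three dashboard questions above. The findings, check names, KB placeholder and the roll-up rules (summing scores per host, the high-risk threshold) are constructed assumptions.

```python
from collections import Counter

HIGH_RISK_THRESHOLD = 8  # ASSUMPTION: a host score at or above this is "high risk"

# Constructed findings: (scan_date, host, check, score, severity).
# Score = risk of the issue; Severity = MSRC rating, present only for missing updates.
# Check names and the KB placeholder are made up, not real FCS check ids.
FINDINGS = [
    ("2007-03-01", "ws01", "security update KB-PLACEHOLDER missing", 8, "Critical"),
    ("2007-03-01", "ws01", "Guest account enabled", 3, None),
    ("2007-03-01", "ws02", "Automatic logon enabled", 4, None),
    ("2007-03-01", "srv01", "IIS default content present", 2, None),
    ("2007-04-01", "ws01", "Guest account enabled", 3, None),
    ("2007-04-01", "ws02", "Automatic logon enabled", 4, None),
    ("2007-04-01", "ws02", "security update KB-PLACEHOLDER missing", 8, "Important"),
]
HOSTS = ("ws01", "ws02", "srv01")  # every host the agent reported on

def host_scores(findings, scan_date, hosts=HOSTS):
    """Sum check scores per host for one scan; hosts with no findings score 0."""
    scores = Counter({h: 0 for h in hosts})
    for date, host, _check, score, _sev in findings:
        if date == scan_date:
            scores[host] += score
    return dict(scores)

def compliant_hosts(findings, scan_date, hosts=HOSTS):
    """Hosts that failed no check, i.e. meet the best-practice baseline."""
    return sorted(h for h, s in host_scores(findings, scan_date, hosts).items() if s == 0)

def high_risk_share(findings, scan_date, hosts=HOSTS, threshold=HIGH_RISK_THRESHOLD):
    """Fraction of the environment whose host score reaches the threshold."""
    scores = host_scores(findings, scan_date, hosts)
    return sum(1 for s in scores.values() if s >= threshold) / len(scores)

def exposure_change(findings, earlier, later, hosts=HOSTS):
    """Change in total environment score between two scans (negative = improved)."""
    before = sum(host_scores(findings, earlier, hosts).values())
    after = sum(host_scores(findings, later, hosts).values())
    return after - before

def hosts_missing_critical_updates(findings, scan_date):
    """Drill-down: hosts missing an update that MSRC rated Critical."""
    return sorted({h for d, h, _c, _s, sev in findings if d == scan_date and sev == "Critical"})
```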

Page 17

When ESG surveyed respondents in December 2006, 8% of organizations were already evaluating Microsoft Forefront client while another 35% said they would do so in 2007.*

ESG found that most users believe that desktop security products are commodities. Many enterprise organizations are also perfectly willing to switch vendors over the next year.*

* CNET “A Sea Change for Desktop Security” by Jon Oltsik, http://news.com.com/A+sea+change+for+desktop+security/2010-7355_3-6170199.html?tag=nefd.top

Testimonials: Over 85,000 FCS public beta downloads!!!

Page 18

Testimonials: Over 85,000 FCS Public Beta downloads!!!

Quotes from customers participating in the Rapid Deployment Program:

“Forefront gives us the ability to easily manage our IT environment in a centralized way while giving us full reporting on the security of the entire Windows infrastructure.”

Industry leading Retail/training/consulting firm in the US

“Soon after deployment, Forefront immediately began identifying spyware, malware, and viruses on our systems that our previous security solution wasn’t finding. With Forefront Client Security, the IT environment is much easier to administer, particularly in terms of automatic updates.”

Leading chemistry-based drug discovery, development and manufacturing company in the US

“With our Forefront solution, we’re easily saving two to three person-days a year, and if the average senior consultant bills $300 an hour, that’s effectively a savings of $5,000 to $8,000 a year. Switching to Forefront has simplified our processes significantly. We have a full security implementation that is easier to manage and maintain.”

IT consulting firm

Page 19

Availability: Public beta available now!

Download at: www.microsoft.com/clientsecurity

Community-based support at: www.microsoft.com/technet/clientsecurity

Release To Manufacture planned for Q2 CY2007

Will be available through Microsoft’s volume licensing programs

Page 20

“Forefront gives us the ability to easily manage our IT environment in a centralized way while giving us full reporting on the security of the entire Windows infrastructure.”

- Industry leading Retail/training/consulting firm in the US

“When ESG surveyed respondents in December 2006, 8% of organizations were already evaluating Microsoft Forefront client while another 35% said they would do so in 2007.”

- CNET “A Sea Change for Desktop Security” by Jon Oltsik

Summary

Unified Virus & Spyware Protection

Simplified Administration

Critical Visibility & Control

An integral part of Microsoft Forefront™

Visit http://www.microsoft.com/infrastructure

Learn more about how Forefront Client Security fits in the Forefront & System Center solution

Download beta/evaluation software