Anti-Malware Protection: A Technical Dive into Forefront Client Security
Ketil Pedersen, Technology Specialist Manager, Microsoft
PowerPoint presentation transcript
Forefront + System Center: Simplified, Productive, Integrated
IT Security (Forefront): Client Security; Application Server Security; Network Edge Security; Secure Remote Access
IT Management (System Center): Change & Configuration Management; Backup & Recovery; Virtual Machine Management; Systems Monitoring
Common Management Infrastructure & Platform
Agenda
The Current Security Environment
What Is Forefront Client Security?
Demo
Technical Review of: Unified Protection
Simplified Administration
Critical Visibility & Control
Availability
Closing remarks
Increasingly Challenging Security Environment
New backdoor Trojan variants found in 1H 2006
Of infected computers contained at least one backdoor Trojan (1)
Of computers cleaned were infected with a mass mailing worm (2)
Programs detected worldwide represent 28% of Potentially Unwanted Software removals (3)
Get the Microsoft Security Intelligence Report: January-June 2006 at: www.microsoft.com/technet/Security/default.mspx
Sources: (1) MSRT in 1H 2006; (2) MSRT and Windows Live OneCare in 1H 2006; (3) Windows Defender in 1H 2006
One solution for spyware and virus protection
Built on protection technology used by millions worldwide
Effective threat response
Complements other Microsoft security products
One console for simplified security administration
Define one policy to manage client protection agent settings
Deploy signatures and software faster
Integrates with your existing infrastructure
One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts
Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control
Demo: Forefront Client Security in Action
Architecture
Unified Protection: Secure against a broad range of threats
Unified agent for virus and spyware protection: common engine used by Windows Defender, OneCare and Forefront Server Security
On-access protection via a kernel-mode minifilter built on the Windows Filter Manager platform; malware is blocked before it executes (anti-virus and anti-spyware)
User-mode scanning: system configuration; IE add-ons and configuration; IE and Office downloads; services and drivers; application execution and registration
Scheduled and on-demand scans:
Quick scan: in-memory processes, targeted directories, common malware extensibility points
Full scan: quick scan + local drives
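To make the quick-scan scope concrete, here is an added example (not code from the presentation or from FCS) that enumerates a few of the "common malware extensibility points" an on-demand quick scan is expected to inspect: the Run/RunOnce keys and installed services. The key list, the "binary outside %windir%" heuristic for services, and the use of Authenticode status as a triage hint are all assumptions chosen for illustration, not FCS's own scan list.

```powershell
# Added example, not from the presentation: list autostart extensibility points
# (the kind of locations a quick scan covers) and give each entry a triage hint.
# Key list, %windir% heuristic and the signature check are illustrative assumptions.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line such as  "C:\a b\x.exe" /s  or  C:\x.exe /s
function Get-ExecutablePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# Authenticode status of the file, or FileMissing when the path does not resolve
function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($v in $values.PSObject.Properties) {
            # PSPath, PSParentPath, ... are PowerShell bookkeeping, not registry values
            if ($v.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Location  = $key
                Name      = $v.Name
                Command   = [string]$v.Value
                Signature = Get-SignatureStatus (Get-ExecutablePath $v.Value)
            }
        }
    }
    # Services are an extensibility point too; surface the ones whose binary lives outside %windir%
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $exe = Get-ExecutablePath $svc.PathName
        if ($exe -and $exe -notlike "$env:windir\*") {
            New-Object PSObject -Property @{
                Location  = 'Win32_Service'
                Name      = $svc.Name
                Command   = $svc.PathName
                Signature = Get-SignatureStatus $exe
            }
        }
    }
}

Get-AutostartEntries | Format-Table Location, Name, Signature, Command -AutoSize
```

Run it in an elevated PowerShell session; entries reporting NotSigned or FileMissing are the ones an analyst would look at first, and the comparison with a full scan is simply that this never touches the rest of the local drives.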
Unified Protection: Secure against a broad range of threats
Agent behavior manageable by IT administrator:
Flexible scan scheduling (time- and interval-based)
Signature update frequency, roaming user fail-over
Exclusions: file extensions, directories
Signature overrides: by specific malware or by malware category
Local end-user interface:
Policy aware, i.e. locked-down settings are grayed out
User interface can be locked down completely
SpyNet reporting
Compatible with Windows Security Center and Vista NAP: reports anti-virus and anti-spyware status (on/off and whether signatures are up to date)
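The status that Security Center exposes, and that a NAP health policy evaluates, can be read directly. The following is an added example (not code from the presentation or from FCS). It assumes that root\SecurityCenter2 (Vista SP1 and later) exposes an integer productState in which the 0x1000 bit means real-time protection is on and the 0x10 bit means signatures are out of date, a widely used but undocumented layout, and that root\SecurityCenter (XP SP2/SP3) exposes the equivalent facts as booleans.

```powershell
# Added example, not from the presentation: read the anti-virus on/off and
# signatures-up-to-date status that Windows Security Center reports.
# The productState bit layout used here is an assumption (undocumented but widely used).
function Get-AvStatus {
    # Vista SP1 and later: root\SecurityCenter2 with a productState bitfield
    $v2 = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($v2) {
        foreach ($p in $v2) {
            New-Object PSObject -Property @{
                Product     = $p.displayName
                RealTimeOn  = (($p.productState -band 0x1000) -ne 0)
                SigsCurrent = (($p.productState -band 0x10) -eq 0)
            }
        }
        return
    }
    # XP SP2/SP3: root\SecurityCenter exposes the two facts as booleans
    $v1 = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $v1) {
        New-Object PSObject -Property @{
            Product     = $p.displayName
            RealTimeOn  = [bool]$p.onAccessScanningEnabled
            SigsCurrent = [bool]$p.productUptoDate
        }
    }
}

# A NAP-style health check: compliant only if at least one product is
# running with current signatures.
function Test-AvCompliant {
    $ok = @(Get-AvStatus | Where-Object { $_.RealTimeOn -and $_.SigsCurrent })
    return ($ok.Count -gt 0)
}

Get-AvStatus | Format-Table Product, RealTimeOn, SigsCurrent -AutoSize
"Anti-virus compliant: $(Test-AvCompliant)"
```

Because Security Center only reflects what the product reports about itself, a locked-down FCS agent whose real-time protection has been turned off by policy will show up here as non-compliant, which is exactly the signal NAP needs.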
Unified Protection: Secure against a broad range of threats
Research & response organization delivers malware signatures for:
Forefront Client Security, Forefront Server Security, Windows Live OneCare, Windows Defender, Malicious Software Removal Tool (MSRT)
Currently protecting millions of systems
Research team uses multiple data sources to identify threats
Released products: Windows Defender, OneCare, MSRT, etc.
Other sources: PSS, Hotmail, web crawling, customer submissions
Partnerships with industry
Top priority is responding to active threats in the wild
Automation in analysis: Automatic malware submission storage and retrieval, resolving of duplicate submissions, prioritization of sample analysis
Building out global 24x7 organization (US, Europe, Asia Pacific)
Industry certifications (OneCare currently, expect same for FCS)
ICSA Labs, West Coast Labs
Simplified Administration: Client deployment options
FCS client installation is optimized for Microsoft Update (MU) and Windows Server Update Services (WSUS):
1. FCS client package is published on MU
2. WSUS syncs with MU and downloads the FCS client package
3. Administrator configures and deploys the FCS client policy
4. Client syncs with WSUS, downloads and installs the package, and applies the policy
5. Reporting in WSUS and FCS
Can also use SMS, MOM, logon scripts, Group Policy and any software distribution system
Deployment flow (slide diagram): Malware Research -> Microsoft Update -> WSUS + Update Assistant -> Desktops, Laptops and Servers; client policy is deployed alongside
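The WSUS side of the flow described above (WSUS synchronizing with Microsoft Update and the administrator approving the client package for a set of machines) can be scripted with the WSUS administration API. The following is an added example (not code from the presentation or from FCS) to be run on the WSUS server. The title filter and the computer target group name are assumptions; the actual FCS product category and package title should be confirmed in the WSUS console before relying on the filter.

```powershell
# Added example, not from the presentation: sync WSUS with Microsoft Update,
# then approve the FCS client package for one computer target group.
# Title filter and group name are assumptions for illustration.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Start-MuSync {
    $sub = $wsus.GetSubscription()
    $sub.StartSynchronization()
    # Poll until the server reports it is no longer synchronizing
    while ($sub.GetSynchronizationStatus() -ne [Microsoft.UpdateServices.Administration.SynchronizationStatus]::NotProcessing) {
        Start-Sleep -Seconds 30
    }
    $sub.GetLastSynchronizationInfo().Result
}

function Approve-FcsClientPackage {
    param([string]$TargetGroupName = 'FCS Pilot')
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
    if (-not $group) { throw "Computer target group '$TargetGroupName' not found" }

    # Only look at updates nobody has approved yet
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $candidates = $wsus.GetUpdates($scope) | Where-Object { $_.Title -like '*Forefront Client Security*' }

    foreach ($u in $candidates) {
        # Some packages ship with a EULA that must be accepted before approval
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
        "Approved for '$TargetGroupName': $($u.Title)"
    }
}

Start-MuSync
Approve-FcsClientPackage -TargetGroupName 'FCS Pilot'
```

Approving for a pilot group first, rather than "All Computers", keeps the rollout consistent with the policy step: the client policy should already be in place for the machines in that group before the package is approved for them.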
One console for simplified security administration
One policy to manage client protection agent settings, e.g.:
Anti-spyware unknown action
Alert level
Event and logging settings
SpyNet reporting on/off
Level of end-user UI shown
Scan schedule
Real-time protection on/off
Signature update frequency
Anti-spyware signature overrides
Security state assessment settings
Choice of 3 integrated policy profile deployment methods:
Microsoft Forefront Client Security Console (uses AD/GP)
ADM file (uses AD/GP)
Export to a file, then use existing software distribution system
Simplified Administration: Alerting Configuration
Alerts managed using MOM 2005 operator console
Alert configuration is policy specific
Alert levels control type & volume of alerts generated
Alerts notify admin of high-value incidents, including: malware detected, malware failed to remove, malware outbreak, malware protection disabled
Alert level scale runs from 1 to 5: level 1 is "Rich Data, High Value Assets" (most alert types, highest volume); level 5 is "Critical Issues Only, Low Value Assets" (fewest alert types)
Alert types placed along the scale on the slide, in the order shown: outbreak; malware removal failed; signature update failed; malware detected and removed; signature update failed (per min)
Critical Visibility & Control: Summary Report (Security Summary)
Critical Visibility & Control: Security State Assessment
Security State Assessment host agent:
Performs scans based on security check definitions
Scans scheduled via policy or invoked on demand
Security checks:
Detect missing security updates based on Microsoft Update
Compare system configuration against security best practices
Examine data from registry, file system, WMI, IIS metabase, SQL, etc.
Checks updateable via Microsoft Update
Security State Assessment provides a "Score" and "Severity" for each check:
Score value: risk associated with the security issue
Severity value: provided by MSRC for security updates
Reporting enables drilldown into specific security issues
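A miniature security state assessment in the spirit of the slide, as an added example (not code from the presentation or from FCS): it asks the Windows Update Agent which software updates are missing, keeps the ones that carry an MSRC severity (the security updates), adds two configuration checks read from the registry, and rolls everything into a score. The severity weights and the two configuration checks are assumptions chosen for illustration; the slide does not document FCS's own check definitions or scoring.

```powershell
# Added example, not from the presentation: missing security updates (with the
# MSRC severity Microsoft attaches to each) plus two registry-based
# configuration checks, combined into a single risk score.
# Weights and the choice of configuration checks are illustrative assumptions.
$severityWeight = @{ 'Critical' = 10; 'Important' = 7; 'Moderate' = 4; 'Low' = 2 }

function New-Finding {
    param([string]$Check, [string]$Severity, [int]$Score)
    New-Object PSObject -Property @{ Check = $Check; Severity = $Severity; Score = $Score }
}

function Get-MissingSecurityUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not installed, not hidden, software (not driver) updates
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        # Non-security updates have an empty MsrcSeverity; skip them
        if (-not $u.MsrcSeverity) { continue }
        $weight = $severityWeight[$u.MsrcSeverity]
        if (-not $weight) { $weight = 1 }
        New-Finding -Check $u.Title -Severity $u.MsrcSeverity -Score $weight
    }
}

function Get-ConfigurationFindings {
    # Windows Firewall, standard profile: EnableFirewall = 1 means on
    $fw = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -ErrorAction SilentlyContinue
    if (-not $fw -or $fw.EnableFirewall -ne 1) {
        New-Finding -Check 'Windows Firewall disabled (standard profile)' -Severity 'Important' -Score $severityWeight['Important']
    }
    # Automatic Updates: AUOptions = 1 means disabled
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    if (-not $au -or $au.AUOptions -eq 1) {
        New-Finding -Check 'Automatic Updates disabled' -Severity 'Important' -Score $severityWeight['Important']
    }
}

function Get-SecurityStateScore {
    $findings = @(Get-MissingSecurityUpdates) + @(Get-ConfigurationFindings)
    $total = 0
    foreach ($f in $findings) { $total += $f.Score }
    $findings | Sort-Object Score -Descending | Format-Table Score, Severity, Check -AutoSize
    "Total risk score: $total across $($findings.Count) finding(s)"
}

Get-SecurityStateScore
```

The separation mirrors the slide: severity comes from MSRC and is read straight off the update metadata, while the score is the assessor's own risk weighting, which is why the two are reported as distinct columns.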
Critical Visibility & Control: questions the reports answer
"Is my environment compliant with security best practices?"
"Has my level of vulnerability exposure changed over time?"
"What portion of my environment is at high risk?"
When ESG surveyed respondents in December 2006, 8% of organizations were already evaluating Microsoft Forefront client while another 35% said they would do so in 2007.*
ESG found that most users believe that desktop security products are commodities. Many enterprise organizations are also perfectly willing to switch vendors over the next year.*
* CNET, "A Sea Change for Desktop Security" by Jon Oltsik, http://news.com.com/A+sea+change+for+desktop+security/2010-7355_3-6170199.html?tag=nefd.top
Testimonials: Over 85,000 FCS public beta downloads! Quotes from customers participating in the Rapid Deployment Program:
“Forefront gives us the ability to easily manage our IT environment in a centralized way while giving us full reporting on the security of the entire Windows infrastructure.”
Industry leading Retail/training/consulting firm in the US
“Soon after deployment, Forefront immediately began identifying spyware, malware, and viruses on our systems that our previous security solution wasn’t finding. With Forefront Client Security, the IT environment is much easier to administer, particularly in terms of automatic updates.”
Leading chemistry-based drug discovery, development and manufacturing company in the US
“With our Forefront solution, we’re easily saving two to three person-days a year, and if the average senior consultant bills $300 an hour, that’s effectively a savings of $5,000 to $8,000 a year. Switching to Forefront has simplified our processes significantly. We have a full security implementation that is easier to manage and maintain.”
IT consulting firm
Availability: Public beta available now!
Download at: www.microsoft.com/clientsecurity
Community-based support at: www.microsoft.com/technet/clientsecurity
Release to Manufacturing (RTM) planned for Q2 CY2007
Will be available through Microsoft’s volume licensing programs
Summary
Unified Virus & Spyware Protection
Simplified Administration
Critical Visibility & Control
An integral part of Microsoft Forefront™
Visit http://www.microsoft.com/infrastructure to learn more about how Forefront Client Security fits in the Forefront & System Center solution and to download beta/evaluation software