SIP310 - Forefront Protection 2010 for SharePoint: Extend Security, Simplify Security, Manage...
Agenda
• Malware
• Compliance
• SharePoint Security
• Forefront/SharePoint Better Together Security
• Premium Antimalware Protection
• Keyword and File Filtering
• Restore Quarantine
• Scalability and Performance
• Demo

Microsoft® Forefront™ Protection 2010 for SharePoint: Key Scenarios
Help securely enable business by managing risk and empowering people (risks across on-premises & cloud; highly secure & interoperable platform; identity)
• From: Block, Cost, Siloed
• To: Enable, Value, Seamless
Protect everywhere, access anywhere
Integrate and extend security across the enterprise
Simplify the security experience, manage compliance
Enable more secure business collaboration from virtually any location or device, while preventing unauthorized use of confidential information
• Provide more secure, always-on access
• Protect sensitive information
• Best-in-class anti-malware
• Enterprise-wide visibility
• Easier partner management
• Deep Microsoft SharePoint and Office integration
• Standards-based interoperability
Features Summary
• Protection for MOSS 2010, MOSS 2007 and Windows SharePoint Services
• Multiple antimalware engines
• Keyword and file filtering
• Scan RMS-protected repositories
• Restore quarantined files
• Container support: Zip, OpenXML, RAR, etc.
• Native 64-bit implementation
• Friendly user interface
• PowerShell support
FPSP Deployment Infrastructure (diagram)
• Threats: malware and inappropriate content, arriving both from the Internet (external SharePoint users, through the firewall into the extranet) and from internal SharePoint users (intranet)
• Tiers: Firewall; SharePoint Web Front-End Servers, where Forefront Protection for SharePoint sits; Web Application Servers; SharePoint Databases (Microsoft® SQL Server®)
Upload Scenario (diagram): numbered steps 1-4 between the SharePoint Web Front-End Servers with Forefront Protection for SharePoint and the SharePoint Databases (step captions not captured)
Download Scenario (diagram): numbered steps 1-6 between the same components (step captions not captured)
Forefront Scanning Architecture (diagram)
• Workload (SharePoint/Exchange/OCS)
• Scan Process
• File Navigators
• Keyword Filtering
• File Filtering Engines
• Antimalware engine adapters: Antivirus, Antispyware
• Quarantine and Actions
Scanning Types
• Realtime Scan: scan triggered through the SharePoint VSAPI
• Scheduled Scan: schedule can be set for off-hours scanning of selected SharePoint sites
• On-Demand Scan: immediate scanning of individual sites
Antimalware Scanning
• Antivirus Scanning: multiple engines; available with all 3 scanning types
• Antispyware Scanning: Microsoft Antimalware Engine; only available for Realtime scanning
Why multiple engines
• Rapid response to new threats
• Fail-safe protection through redundancy
• Diversity of antivirus engines and heuristics
Response time¹ (in hours); 0.00 denotes proactive detection

WildList  Malware name             Forefront  Vendor A  Vendor B  Vendor C
number                             Engines
07/09     autorun_itw702.ex_          0.00      0.00      0.00      0.00
07/09     autorun_itw713.ex_          0.00     65.50     16.33     76.02
07/09     buzus_itw16.ex_             0.00     28.40     19.38     38.27
07/09     koobface_itw116.ex_         0.00      0.00      7.22    532.87
07/09     koobface_itw135.ex_        25.52     36.13     10.95     41.87
07/09     koobface_itw136.ex_         0.00     20.32      3.75   1213.67
07/09     koobface_itw137.ex_         0.00      0.00      0.00      0.00
07/09     koobface_itw155.ex_         0.00     27.17     34.77    133.02
07/09     sdbot_itw2696.ex_           0.00     87.42    117.83    214.27
08/09     autoit_itw111.ex_           0.00      0.00      0.00      0.00
08/09     bspread_itw1.ex_            2.05    576.33    363.55    591.28
08/09     kolab_itw22.ex_             2.27    306.47     55.57     58.45
08/09     kolab_itw24.ex_             0.00    127.72     10.63     81.47
08/09     koobface_itw172.ex_         0.00      0.00      0.00      0.00
08/09     koobface_itw175.ex_         0.00      0.00      3.07    431.20
08/09     mytob_itw640.ex_            1.55    614.92    576.05    629.87
08/09     onlinegames_itw116.ex_      0.00      0.00      0.00      0.00
08/09     palevo_itw3.ex_             2.27     51.50     27.77     57.08
08/09     spybot_itw290.ex_          13.07     59.78      0.00    115.53
09/09     autorun_itw768.ex_          0.00     16.60    194.65      0.00
09/09     autorun_itw774.ex_          0.00     19.17    196.33    739.45
09/09     autorun_itw775.ex_          0.00      0.00      0.00      0.00
09/09     buzus_itw20.ex_             0.00     72.03      1.48     84.23
09/09     buzus_itw21.ex_             0.00     20.03     14.22    209.40
09/09     palevo_itw5.ex_             0.00     18.57    200.07    410.50
09/09     sdbot_itw2701.ex_           0.00     33.93    101.22     19.47
09/09     vb_itw142.ex_               0.00      0.00      0.00      0.00

¹ Source: AV-Test.org 2009 (www.av-test.org)
Chart legend for single-engine solutions: less than 5 hours; 5 to 24 hours; more than 24 hours
Keyword Filtering
• Searches documents for matches to keywords in selected lists
• Lists can be imported from an existing file
• Can filter on phrases, not only single words
• Supports the operators AND, OR, NOT
• Actions: SkipDetect, Delete, Suspend
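The keyword-filter behaviour described above (keyword lists, phrase matching, the AND/OR/NOT operators and the SkipDetect/Delete/Suspend actions), worked through as an added example. This is illustrative Python, not Forefront's own code: the expression syntax (quoted phrases, parentheses), the operator precedence (NOT binds tightest, then AND, then OR), the rule list and the sample documents are all assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

ACTIONS = ("SkipDetect", "Delete", "Suspend")


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace once per document, so every keyword
    list is matched against the same normalized string."""
    return re.sub(r"\s+", " ", text).strip().lower()


def contains(doc: str, phrase: str) -> bool:
    """Whole-word match of a single word or multi-word phrase in normalized text."""
    pattern = r"(?<![a-z0-9])" + re.escape(normalize(phrase)) + r"(?![a-z0-9])"
    return re.search(pattern, doc) is not None


# Assumed syntax: "quoted phrase", bare word, AND / OR / NOT, parentheses.
_TOKEN = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)')


def tokenize(expr: str) -> List[Tuple[str, Optional[str]]]:
    """Split an expression into phrases, operators and parentheses."""
    tokens: List[Tuple[str, Optional[str]]] = []
    for m in _TOKEN.finditer(expr):
        phrase, paren, word = m.groups()
        if phrase is not None:
            if not phrase.strip():
                raise ValueError("empty phrase")
            tokens.append(("PHRASE", phrase))
        elif paren:
            tokens.append((paren, None))
        elif word.upper() in ("AND", "OR", "NOT"):
            tokens.append((word.upper(), None))
        else:
            tokens.append(("PHRASE", word))
    return tokens


class _Parser:
    """Recursive-descent evaluator. Precedence is an assumption (NOT, then AND,
    then OR); the slide names the operators but not their binding order."""

    def __init__(self, tokens: List[Tuple[str, Optional[str]]], doc: str):
        self.tokens, self.pos, self.doc = tokens, 0, doc

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else None

    def take(self) -> Tuple[str, Optional[str]]:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def or_expr(self) -> bool:
        result = self.and_expr()
        while self.peek() == "OR":
            self.take()
            rhs = self.and_expr()  # always parsed, never short-circuited, so syntax is checked
            result = result or rhs
        return result

    def and_expr(self) -> bool:
        result = self.not_expr()
        while self.peek() == "AND":
            self.take()
            rhs = self.not_expr()
            result = result and rhs
        return result

    def not_expr(self) -> bool:
        if self.peek() == "NOT":
            self.take()
            return not self.not_expr()
        return self.term()

    def term(self) -> bool:
        kind, value = self.take()
        if kind == "(":
            result = self.or_expr()
            if self.take()[0] != ")":
                raise ValueError("missing ')'")
            return result
        if kind == "PHRASE":
            return contains(self.doc, value)
        raise ValueError(f"unexpected token {kind!r}")


def matches(expr: str, text: str) -> bool:
    """True when the keyword expression matches the document text."""
    parser = _Parser(tokenize(expr), normalize(text))
    result = parser.or_expr()
    if parser.pos != len(parser.tokens):
        raise ValueError("unexpected trailing tokens")
    return result


def apply_rules(text: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Return the action of the first matching keyword list, or None.
    SkipDetect records the detection without deleting or suspending the file."""
    for expr, action in rules:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if matches(expr, text):
            return action
    return None


# Constructed sample rules and documents for the example (not from the slide deck).
RULES = [
    ('"project codename" AND (budget OR forecast) AND NOT "public release"', "Suspend"),
    ("resume OR cv", "SkipDetect"),
    ('"social security number"', "Delete"),
]
SAMPLES = {
    "leak.docx": "Project   Codename Falcon: Q3 budget attached. Internal only.",
    "press.docx": "Project codename Falcon budget approved for public release.",
    "hr.txt": "Please find my resume attached.",
    "memo.txt": "Lunch is at noon.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {apply_rules(body, RULES) or 'allow'}")
```

Normalizing the document once and matching every phrase against that single string is the cheap part; the expensive part in a real deployment is extracting text from each document type, which is what the product's file navigators do before keyword matching runs.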
File Filtering
• Filter by name, type, or size: *.exe, *.doc, *>10mb
• Filters can be combinations of size, name and type: <photo1.jpg>10mb, *.mp3>5mb, *>10mb
• Suggested files to block: EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT
• Actions: SkipDetect, Suspend (Realtime), Delete (Scheduled/On-Demand)
Container behavior (zip, rar, etc.)
• Forefront scans within ZIP and other compressed formats and deletes only the offending file
• Example (diagram): with the filter rule "Delete *.exe", a container holding EXE, DOC, JPG and BMP before the scan holds TXT, DOC, JPG and BMP after it; the EXE goes to Quarantine and a TXT carrying the custom deletion text takes its place
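The file-filter rules and the container behaviour above, worked through as an added example in Python. It is not Forefront's code: the rule grammar (a case-insensitive name glob, optionally followed by `>` and a size; "mb" read as 1024² bytes), the nesting limit for archives inside archives, the deletion text and the sample container are all assumptions made for the example. It goes slightly beyond the slide by recursing into nested ZIPs and by measuring each member's size from the decompressed bytes rather than trusting the size declared in the archive header, which an uploader controls.

```python
import fnmatch
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}  # "mb" = MiB (assumption)
DELETION_TEXT = "This file was removed by the file filter. Contact your SharePoint administrator."
MAX_NESTING = 4  # stop recursing into archives nested deeper than this (bomb guard)


@dataclass(frozen=True)
class FileRule:
    pattern: str       # case-insensitive glob on the file name, e.g. "*.exe"
    min_size: int = 0  # match only when the file is larger than this many bytes

    @classmethod
    def parse(cls, text: str) -> "FileRule":
        """Parse the slide's rule syntax: '*.exe', '*>10mb', '*.mp3>5mb'.
        Angle brackets, as in '<photo1.jpg>10mb', are tolerated and dropped."""
        text = text.strip().strip("<>")
        pattern, _, size = text.partition(">")
        min_size = 0
        if size:
            digits = size.rstrip("bBgGkKmM")
            unit = size[len(digits):].lower() or "b"
            if not digits.isdigit() or unit not in _UNITS:
                raise ValueError(f"bad size in rule {text!r}")
            min_size = int(digits) * _UNITS[unit]
        return cls(pattern.lower(), min_size)

    def matches(self, name: str, size: int) -> bool:
        base = name.rsplit("/", 1)[-1].lower()  # members inside a container carry paths
        return fnmatch.fnmatchcase(base, self.pattern) and size > self.min_size


NESTING_RULE = FileRule("(nesting limit)")  # pseudo-rule recorded when recursion stops


def first_match(rules: List[FileRule], name: str, size: int) -> Optional[FileRule]:
    for rule in rules:
        if rule.matches(name, size):
            return rule
    return None


def filter_container(data: bytes, rules: List[FileRule], depth: int = 0) -> Tuple[bytes, List[str]]:
    """Rebuild a ZIP without the members that match a rule, leaving a .txt with the
    deletion text in place of each removed file; nested ZIPs are filtered recursively.
    Sizes come from the decompressed bytes, not the header, because the header lies."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            content = src.read(info)
            rule = first_match(rules, info.filename, len(content))
            if rule is None and info.filename.lower().endswith(".zip"):
                if depth >= MAX_NESTING:
                    rule = NESTING_RULE
                else:
                    content, inner = filter_container(content, rules, depth + 1)
                    removed.extend(f"{info.filename}/{n}" for n in inner)
            if rule is not None:
                removed.append(info.filename)
                dst.writestr(info.filename + ".txt", f"{DELETION_TEXT}\nRule: {rule.pattern}\n")
            else:
                dst.writestr(info.filename, content)
    return out.getvalue(), removed


def member_names(data: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


def build_sample_zip() -> bytes:
    """Constructed sample container for the example, not taken from the slide deck."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tools/run.bat", "@echo off\r\n")
        z.writestr("notes.txt", "nested notes")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("report.doc", b"\xd0\xcf\x11\xe0" + b"x" * 2048)
        z.writestr("setup.exe", b"MZ" + b"\0" * 512)
        z.writestr("song.mp3", b"\0" * (6 * 1024 ** 2))     # 6 MB: over the *.mp3>5mb limit
        z.writestr("photo1.jpg", b"\xff\xd8" + b"\0" * 1024)  # small: photo1.jpg>10mb does not fire
        z.writestr("dump.bin", b"\0" * (11 * 1024 ** 2))    # 11 MB: caught by *>10mb
        z.writestr("archive.zip", inner.getvalue())
    return buf.getvalue()


DEFAULT_RULES = [FileRule.parse(r) for r in (
    "*.exe", "*.com", "*.pif", "*.scr", "*.vbs", "*.shs", "*.chm", "*.bat",  # slide's suggested blocks
    "<photo1.jpg>10mb", "*.mp3>5mb", "*>10mb",                                # slide's size examples
)]

if __name__ == "__main__":
    cleaned, gone = filter_container(build_sample_zip(), DEFAULT_RULES)
    print("removed:", gone)
    print("container now holds:", member_names(cleaned))
```

Two points worth checking in any container-aware filter: the name match runs on the member's base name, since a rule like `*.exe` is meant to catch `tools/setup.exe` as well, and the size used for `*>10mb` is the decompressed length, so a small archive that expands into a large file is judged on what it expands to.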
Performance and Impact
• In the http://office deployment, measured at 12-15% overhead
• Average of less than 1 second per file overhead on file access requests (upload and download)
• ~80% speed improvement scanning Office 2007 documents
Scalability Improvements
• More efficient normalizing of strings for keyword filtering
• Reductions in context switching
• More efficient use of machine resources to allow scanning of larger files
• Native 64-bit implementation takes advantage of systems with more than 4 GB of memory
http://technet.microsoft.com/en-us/library/ee707326.aspx
Management comparison (feature matrix; the per-product check marks did not survive the slide export)
Columns: FPM (Forefront Protection Manager) | FSSMC Service Pack (FPE 2010, FPSPS 2010) | FSSMC Legacy Products
Feature rows: Server Discovery (Workload and Product); Server Grouping; Remote Deployment (Management Agent); Remote Deployment (Product); Policy Deployment; In-line Policy Editing (marked "Partial" in one column); Quarantine Administration; Signature Redistribution; Alerts; Hybrid Management; Cluster Management; Licensing and Activation; Centralized Reporting; Manual & On Demand Scan; Rich Reporting (TBD); Log Collection
Technology rows:
• SQL Support: Standard - 2008 | Express - 2005 & 2008
• UI Architecture: .NET Thick Client | Web (ASP.NET)
• Reporting Architecture: SQL Standard SRS | SQL Express SRS + Custom | Custom
• Communications Channel: SCOM | WCF / WS | DCOM
Major players: TrendMicro, McAfee, Symantec
• Support for MOSS 2007, 2003 and Windows SharePoint Services
• Scan for malware
• Some with file filtering and a rules engine
http://technet.microsoft.com/en-us/library/cc482990.aspx
http://blogs.technet.com/FSS/
http://technet.microsoft.com/en-us/library/dd639425.aspx