Antigen tdm
1. E-mail Server Security Products
Bogdan Klekot
Microsoft Solutions Architect – Management & Security
bogdank@microsoft.com
2. Agenda
Introduction to Antigen E-mail Security Products
Advanced Protection Features
• Multiple Antivirus (AV) Engine Management
• Distributed Protection
• Layered Anti-spam
Availability and Control Features
• Performance Bias Setting
• Scanning Innovations
• Worm Removal
• Cluster Support
• Management
Secure Content Features
• Content Filtering
Summary
3. Microsoft Security Product Areas
[Diagram: Services; Edge; Server Applications; Information Protection; Client and Server OS; Identity Management Systems (Active Directory Federation Services (ADFS)); Management; Guidance; Developer Tools]
4. Antigen E-mail and Collaboration Server Security
[Diagram: Internet users send viruses, worms, spam and inappropriate content toward the organization. Antigen protects three tiers: the Edge (ISA Server, SMTP Server), E-mail (Exchange Server) and Collaboration (Live Communications Server, SharePoint). Management is through Microsoft Operations Manager with the Antigen MP.]
5. E-mail Security
Antigen e-mail security solutions help businesses protect their messaging servers
against viruses, worms, spam, and inappropriate content.
Advanced Protection: Multiple scan engines at multiple layers throughout the e-mail infrastructure provide improved protection against e-mail threats.
Availability & Control: Tight integration with Microsoft Exchange and Windows-based SMTP servers maximizes availability and management control.
Secure Content: Helps organizations eliminate inappropriate language and dangerous attachments from internal and external communications.
6. New Microsoft Antigen Products
• Antivirus and content filtering for Exchange 2003 and 2000: helps stop threats that get past perimeter defenses and helps contain internal incidents
• Antivirus and content filtering for Windows Server 2003 and 2000 SMTP gateways: helps stop threats before they reach internal messaging resources and users
• Anti-spam and content filtering for Windows-based SMTP and Exchange-based servers: helps stop spam before it can impact user and network productivity
• Centralized management for Antigen-protected servers: improves IT visibility and control into e-mail server security
8. E-mail Antivirus Approaches
Single Vendor/Single Engine
• Same scan engine, heuristics technology and signature files on all server and client platforms
• Dependent on one AV lab for scan engine updates during virus or worm outbreaks
• Queuing and delay during engine updates on mission critical servers (like Exchange)
Problem: Single Point of Failure
[Diagram: viruses, worms and spam from the Internet pass through the ISA Server and SMTP Server to the Exchange servers; every server runs the same single engine A]
9. E-mail Antivirus Approaches
Multi-vendor/Multi-Engine
• Different scan engines, heuristics technologies and signature files on server and client platforms
• High acquisition and maintenance cost
• Added filtering complexity
Problem: Management/Cost
[Diagram: viruses, worms and spam from the Internet pass through the ISA Server and SMTP Servers running engines A and B to Exchange servers running engines C, D and E]
10. Antigen Multiple Engine Management
One solution, multiple technologies
[Diagram: engines A, B, C, D and E run together inside a single Antigen installation on the Exchange Server / Windows-based SMTP Server, between the Internet and the mailboxes]
11. Antigen Antivirus Scan Engines
Antigen Stand-alone Products (total engines: 5):
• Microsoft Antivirus (New!)
• Sophos
• CA VET
• CA InoculateIT
• Norman
Antigen Messaging Security Suite (total engines: 9): the standard engines plus
• Kaspersky Lab
• AhnLab
• Authentium
• VirusBuster
12. Signature Updates
Sober.P virus detection time, May 2, 2005 (GMT), by antivirus lab (source: AV-Test.org, May 2005). The original chart plots the time of day in hour:minute and highlights the labs whose engines are used in Antigen; the values below are the time of day expressed as a fraction of the day.
Kaspersky     0.69375
F-Prot        0.7041667
AVK           0.7055556
BitDefender   0.7215278
Sophos        0.7270833
Command       0.735
Ikarus        0.7597222
F-Secure      0.7625
Fortinet      0.7625
VirusBuster   0.7805556
Panda         0.7840278
eTrust-INO    0.8291667
AntiVir       0.85
Norman        0.8652778
Trend Micro   0.8875
AVG           0.89375
Avast         0.8979167
McAfee        0.9013889
eTrust-VET    0.96875
Symantec      1.0263889
Signature updates per day, January 2005 (source: AV-Test.org, Feb. 2005):
Kaspersky     18.5
Dr. Web       10.7
Sophos         2.7
BitDefender    1.7
ClamAV         1.5
AntiVir        1.4
F-Secure       1.4
Panda          1.3
Ikarus         1.1
Symantec       1.1
Trend Micro    1.0
Note: the detection-time chart represents a single virus outbreak only. It does not represent average response times for the listed antivirus labs.
13. Distributed Protection
[Diagram, top: mail from the Internet is scanned on the SMTP Server with engines A, B and C, then on the Exchange Server with engines D and E.]
[Diagram, bottom: on a single Exchange Server, the Internet Scan Job (SMTP) uses engines A, B and C while the Real-time Scan Job (Exchange Store) uses engines D and E.]
14. Anti-spam Protection
Antigen Spam Manager (ASM) supports Windows-based SMTP gateways and Exchange Server
• Integrated with Antigen for SMTP Gateways and Antigen for Exchange
• Also deploys stand-alone on Windows SMTP gateway servers
Signature-based, frequently updated anti-spam engine
• Highly accurate protection against the latest spammer tactics
• Works with and complements the heuristic spam detection approach of the Exchange Intelligent Message Filter
Additional spam filtering options
• Real-time block list (RBL) support
• Mail-host block and allow lists by sender, domain and IP address
15. Layered Spam Detection
On the same server, Exchange Intelligent Message Filter (IMF) scans before ASM
Each applies a Spam Confidence Level (SCL) rating
• The higher rating always wins (has more confidence)
• Mail that is rejected, deleted or archived by IMF will not make it to ASM
Example: IMF archives SCL 7, 8 and 9
[Diagram: IMF scan → mail with IMF SCL 0-6 → ASM scan (ASM sets SCL 9 on spam) → mail store → Inbox. Mail with IMF SCL 7, 8 or 9 goes to the Archive and never reaches ASM; mail arriving at the store with SCL 7, 8 or 9 goes to the Junk E-mail folder.]
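The following is an added example, not code from the slides or from the Antigen product, that walks a few constructed messages through the layered flow shown above: IMF scans first and archives SCL 7-9, ASM stamps SCL 9 on mail it classifies as spam, the higher rating wins, and the store moves SCL 7-9 to Junk E-mail. The two scanners are toy stand-ins (keyword counting for IMF, phrase matching for ASM), and the message names and phrases are constructed; only the SCL thresholds come from the slide.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Values taken from the slide's example: IMF archives mail it rates SCL 7, 8 or 9,
# ASM stamps the mail it classifies as spam with SCL 9, and the mailbox store
# moves anything still carrying SCL 7-9 into the Junk E-mail folder.
IMF_ARCHIVE_SCLS = {7, 8, 9}
ASM_SPAM_SCL = 9
STORE_JUNK_SCLS = {7, 8, 9}

# Constructed toy stand-ins for the two scanners (not IMF's or ASM's real logic):
# IMF-style heuristics count suspicious words; ASM-style signatures match known phrases.
IMF_KEYWORDS = ("winner", "free", "prize")
ASM_SIGNATURES = ("free shipping offer code", "rates dropped again")


@dataclass
class Message:
    subject: str
    body: str


def imf_scan(msg: Message) -> int:
    """Heuristic SCL 0-9: three points per suspicious keyword found (toy rule)."""
    text = f"{msg.subject} {msg.body}".lower()
    hits = sum(1 for word in IMF_KEYWORDS if word in text)
    return min(9, 3 * hits)


def asm_scan(msg: Message) -> Optional[int]:
    """Signature SCL: 9 on a known spam phrase, otherwise no opinion (None)."""
    text = f"{msg.subject} {msg.body}".lower()
    return ASM_SPAM_SCL if any(sig in text for sig in ASM_SIGNATURES) else None


def route(msg: Message) -> Tuple[str, int, bool]:
    """Return (destination, effective SCL, whether ASM ever saw the message)."""
    scl = imf_scan(msg)
    if scl in IMF_ARCHIVE_SCLS:
        # IMF acts first on the same server; archived mail never reaches ASM.
        return ("imf-archive", scl, False)
    asm_scl = asm_scan(msg)
    if asm_scl is not None:
        scl = max(scl, asm_scl)  # the higher rating always wins
    if scl in STORE_JUNK_SCLS:
        return ("junk-email", scl, True)
    return ("inbox", scl, True)


# Constructed sample messages.
SAMPLES = {
    "lottery": Message("You are a winner", "Claim your free prize today"),
    "shipping": Message("Free shipping offer code inside", "Use it before Friday"),
    "coffee": Message("Free coffee", "In the break room at 10"),
    "meeting": Message("Meeting moved", "Now at 3pm, agenda attached"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, route(msg))
```

The "shipping" message is the interesting case: IMF rates it only SCL 3, so it passes through to ASM, whose signature match raises it to 9 and the store junks it. The "coffee" message shows the other side of the same rule: a low IMF rating with no ASM opinion keeps its SCL 3 and lands in the Inbox.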
17. Performance Bias Settings
Max Certainty: uses all engines (100%)
Favor Certainty: uses 75% of available engines*
Neutral: uses approximately 50% of available engines*
Favor Performance: uses 25% of available engines*
Max Performance: uses one engine for every scan*
* Engines used are not always the same. They are dynamically allocated from the available pool.
[Diagram: a pool of engines A, B, C and D, with a subset allocated to each scan]
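As an added illustration of the performance bias settings (this is example code, not Antigen's implementation), the block below turns each setting into an engine count for a four-engine pool, rotates the engines used from scan to scan as the footnote describes, and measures how often a sample that only one engine recognises is caught. The engine names, their toy "signatures", the round-up rounding rule and the round-robin rotation are all assumptions made for this example.

```python
import math
from typing import Dict, List, Optional, Set, Tuple

# Engine fractions from the slide; the rounding rule (round up, never fewer than
# one engine) and the round-robin rotation below are assumptions made for this
# example, not documented Antigen behaviour.
BIAS_FRACTION: Dict[str, Optional[float]] = {
    "Max Certainty": 1.0,
    "Favor Certainty": 0.75,
    "Neutral": 0.5,
    "Favor Performance": 0.25,
    "Max Performance": None,  # exactly one engine per scan
}

# Constructed toy engines: each knows a different set of "signatures" (substrings),
# and only engine D knows the marker worm-z.
ENGINE_SIGNATURES: Dict[str, Set[str]] = {
    "A": {"marker-1", "worm-x"},
    "B": {"marker-1", "worm-y"},
    "C": {"worm-x", "worm-y"},
    "D": {"worm-z"},
}
POOL: List[str] = list(ENGINE_SIGNATURES)


def engine_count(bias: str, pool_size: int) -> int:
    """Number of engines a bias setting uses from a pool of the given size."""
    frac = BIAS_FRACTION[bias]
    if frac is None:
        return 1
    return max(1, math.ceil(frac * pool_size))


def engines_for_scan(pool: List[str], bias: str, scan_index: int) -> List[str]:
    """Pick the engines for the scan_index-th scan, rotating through the pool."""
    count = engine_count(bias, len(pool))
    start = (scan_index * count) % len(pool)
    return [pool[(start + j) % len(pool)] for j in range(count)]


def scan(payload: str, bias: str, scan_index: int) -> Tuple[List[str], List[str]]:
    """Return (engines that flagged the payload, engines used for this scan)."""
    used = engines_for_scan(POOL, bias, scan_index)
    flagged = [e for e in used if any(sig in payload for sig in ENGINE_SIGNATURES[e])]
    return flagged, used


def detection_rate(payload: str, bias: str, scans: int) -> float:
    """Fraction of `scans` consecutive scans in which at least one engine flagged it."""
    caught = sum(1 for i in range(scans) if scan(payload, bias, i)[0])
    return caught / scans


if __name__ == "__main__":
    sample = "attachment body with worm-z inside"  # constructed
    for bias in BIAS_FRACTION:
        print(f"{bias:18s} engines/scan={engine_count(bias, len(POOL))} "
              f"detection over 4 scans={detection_rate(sample, bias, 4):.2f}")
```

With the rotation above, a sample known to only one of four engines is caught on every scan under Max Certainty, on three of four scans under Favor Certainty, half the time under Neutral and one scan in four under Favor Performance, which is the trade-off the slide's percentages describe: fewer engines per scan buys throughput at the cost of coverage on any single message.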
19. Scanning Innovations
In-memory scanning
Multi-threaded scanning
[Diagram: a 432 kb EXE is scanned in memory allocated from the available memory pool, and the memory is returned to the pool when the scan finishes]
20. Worm Removal
Designed to purge all messages containing worms
• Use the Sybari Worm List (wormprge.dat) to purge messages that match a known worm virus
• Create a custom Worm List with a single wildcard ( * ) to help match all malicious code detected
• Help provide pre-emptive protection against unknown worms with file filter purge (size, type, extension, etc.)
• The user receives nothing, not even a notification
Purged messages containing worms should not be quarantined
• There is no value in the message
• Reduces network bandwidth by removing unneeded messages
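The policy on this slide, as an added example that is not Antigen's code: a detection name is matched against a worm list (specific patterns, or the single `*` wildcard that catches every detection), attachments are checked against file filter rules by name pattern, extension and size, and anything matching is purged with no quarantine copy and no user notification. The worm names, rule values and attachments are constructed placeholders; the choice to quarantine non-worm detections is an assumption made to contrast with the purge path.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# Worm list entries as on the slide: names of known worms, or a single "*" to
# match every detection. These names are constructed placeholders.
KNOWN_WORM_LIST = ["Worm.Placeholder-A*", "Worm.Placeholder-B*"]
CATCH_ALL_WORM_LIST = ["*"]


@dataclass
class FileFilterRule:
    """Pre-emptive purge rule: attachment name pattern, optionally only above a size."""
    name_pattern: str
    size_over: Optional[int] = None  # bytes; None means any size


@dataclass
class Attachment:
    filename: str
    size: int
    detection: Optional[str] = None  # name reported by an AV engine, None if clean


@dataclass
class Disposition:
    action: str            # "purge", "quarantine" or "deliver"
    reason: Optional[str]
    notify_user: bool      # purged mail produces no notification at all


def matches_worm_list(detection: Optional[str], worm_list: List[str]) -> bool:
    return detection is not None and any(fnmatch(detection, p) for p in worm_list)


def matches_file_filter(att: Attachment, rules: List[FileFilterRule]) -> bool:
    for rule in rules:
        if not fnmatch(att.filename.lower(), rule.name_pattern.lower()):
            continue
        if rule.size_over is None or att.size > rule.size_over:
            return True
    return False


def disposition(att: Attachment, worm_list: List[str],
                rules: List[FileFilterRule]) -> Disposition:
    if matches_worm_list(att.detection, worm_list):
        # Worm list hit: purge outright, nothing to quarantine, nothing to tell the user.
        return Disposition("purge", f"worm list: {att.detection}", False)
    if matches_file_filter(att, rules):
        # File filter purge guards against worms no engine knows yet.
        return Disposition("purge", f"file filter: {att.filename}", False)
    if att.detection is not None:
        # Assumption for this example: other malware is quarantined and reported.
        return Disposition("quarantine", att.detection, True)
    return Disposition("deliver", None, False)


# Constructed file filter rules: any .exe, and .zip attachments over 500 kB.
RULES = [FileFilterRule("*.exe"), FileFilterRule("*.zip", size_over=500_000)]

if __name__ == "__main__":
    for att in (Attachment("invoice.zip", 40_000, "Worm.Placeholder-A.x"),
                Attachment("photo.jpg.exe", 12_000),
                Attachment("macro.doc", 50_000, "Macro.Placeholder"),
                Attachment("archive.zip", 900_000),
                Attachment("report.pdf", 900_000)):
        print(att.filename, disposition(att, KNOWN_WORM_LIST, RULES))
```

Running the same detections against `CATCH_ALL_WORM_LIST` instead of the named list turns every detection into a purge, which is exactly what the slide's single-wildcard custom list does.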
21. Enhanced Cluster Support
[Diagram: an Exchange Virtual Server on an active/passive cluster fails over from the active node to the passive node; Antigen settings and updates follow the virtual server to the newly active node]
25. Microsoft Operations Manager Integration
Antigen Management Pack for MOM 2005
Over 100 Events, Performance Counters, and Services Monitored
• Monitors the state of Antigen
• Collects statistical data on scanning, detection, and removal of messages and attachments
• Polls 5 Antigen services: provides timed events to poll systems for critical process health
Key Tasks:
• Triggers scan engine updates
• Centralizes storage and deployment of license files
• Imports, exports and deploys setting changes
• Initiates and/or schedules manual scan jobs
• Starts/stops control of Antigen services
27. Content Policy Enforcement
Body content: filters body content for inappropriate keywords or phrases
File name and type: filters documents based on name match, wild card, file type or file extension
28. Summary
Microsoft provides comprehensive security products for e-mail servers
• Multiple Engines
• Integrated AV/AS
• Availability and performance support
• Central Management
• Keyword and file filtering
Antigen e-mail security products are key elements of any Windows-based SMTP or Exchange server deployment
29. Next Steps
Read whitepapers on Antigen and Advanced Spam Manager
• http://www.microsoft.com/antigen
• Paste link for launch PressPass article
Download evaluation copy of Antigen e-mail security products
• http://www.microsoft.com/antigen
Read about Microsoft Secure Messaging solutions
• http://www.microsoft.com/securemessaging