Protection and Control for Collaboration Servers
Microsoft Forefront Security for SharePoint

Lee Hickin, CISSP
Security [email protected]
Agenda
  What is Forefront for SharePoint
  The Forefront Scan Jobs
  File filtering
  Topics of Interest
    ZIP file behavior
    Performance
    End user experience
    Large file support
    Forefront and IRM
    Forefront and Office 2007
General information
  Forefront Security for SharePoint provides three kinds of protection:
    Antivirus scanning of files/documents
    File filtering
    Document content keyword filtering
  Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0.
    Previous SharePoint versions are supported by Antigen for SharePoint.
  Supports both 32- and 64-bit deployments.
[Architecture diagram: Internet in front of a SharePoint Server Farm with servers A–E. Callouts: Distributed protection; Performance tuning; Content filtering; Central management; Microsoft AV Multi-engine Manager; SQL Data store.]
Recent AV-Test.org results: Forefront engine sets and other vendors
Signature response times in hours

MM/YY  Virus           FF Set 1  FF Set 2  FF Set 3  FF Set 4  FF Set 5  Vendor A  Vendor B  Vendor C
04/06  Mytob.NQ@mm         1.53      1.00      1.00      1.00      3.07      9.93     17.35      2.10
04/06  Mytob.NQ@mm         1.00      1.12      1.00      1.00      1.00     28.07     11.57      3.52
04/06  Spybot!04C2        23.03      1.00     23.03     25.28      1.00      0.00     29.90     39.02
04/06  Nugache.a           1.00     25.45      1.00      1.00      1.00     34.10     12.90     48.05
05/06  Numuen.F            0.00     24.43      0.00      0.00      0.00      1.00     10.33     14.95
05/06  Numuen.H            1.00     31.72      1.00      1.00      1.00    103.83    251.85    114.78
05/06  Numuen.G            3.15      8.20      3.15      3.15      3.15      1.00    151.80    468.97
05/06  Banwarum.C@mm      87.47      1.00     87.47     87.47      1.00    116.73     72.95    129.25
05/06  Banwarum.B@mm      12.05      1.00      1.82      1.82      1.00    116.73     22.45     32.85
05/06  Rbot!E905           0.00      0.00      0.00      0.00      0.00  1,141.78    217.57      1.00
06/06  Bagle.EG            0.00      0.00      0.00      0.00      0.00      0.00      7.32      0.00
06/06  Bagle.EH@mm         0.00      1.25      0.00      0.00      0.00      0.00     18.43      0.00
06/06  Bagle.EG@mm         0.00      3.62      0.00      0.00      1.00      0.00     26.48      0.00
06/06  Bagle.LY@mm         0.00      0.00      0.00      0.00      0.00      0.00      6.40      2.47
07/06  Feebs.gen@mm        0.00      0.00      0.00      0.00      0.00      0.00      0.00    503.80
07/06  Feebs.EU            0.00      1.00      0.00      0.00      0.00     52.30    173.17     38.97
07/06  Virut.A             0.00      0.00      0.00      0.00      0.00      0.00      0.00  1,317.02

Legend (colour-coded on the original slide): less than 5 hours; between 5 and 24 hours; more than 24 hours.
Forefront antivirus scanning
  Forefront provides two scan jobs:
    Realtime Scan Job – scans any files being uploaded to or downloaded from SharePoint. Works with a web browser or any other application accessing SharePoint. Provides proactive protection.
    Manual Scan Job – scans all or part of the SharePoint document library on demand. Scans can be scheduled. Can be used to scan with engines different from those of the Realtime scan job.
The Forefront Realtime Scan Job
  Realtime scanning always uses the VSAPI.
  Basic Realtime scan settings are centrally configured through the SharePoint interface, not the Forefront console. This is why they are grayed out in the Forefront console.
  To change the settings in the SharePoint interface, click “Operations,” followed by “Antivirus.”
SharePoint antivirus system settings
  Scan documents on upload and Scan documents on download are separate settings that can be turned on or off. Best practice is to use both.
  Scanning Timeout is configurable; the default is 600 seconds.
  Number of scanning threads is configurable; the default is 10 threads, which is also the maximum. “Threads” are actually processes that will be spawned as needed.
Forefront virus detection actions
  When Forefront detects a virus, several Actions are available:
    Skip: detect only – logs the presence of the virus but does not block or delete it. Not a secure setting! Can be used for testing/evaluation purposes.
    Clean: repair document – attempts to clean the file. If the file cannot be cleaned, it is blocked.
    Block: prevent transfer – blocks the file from being uploaded or downloaded without attempting to clean it.
  However, there is a potential conflict between Forefront settings and SharePoint settings!
  [Diagram: SharePoint settings vs. Forefront settings – who wins?]
VSAPI workflow
  The ForefrontSPVsapi64.dll is registered with SharePoint (the 32-bit version is ForefrontSPVsapi.dll).
  The VSAPI interface contains three methods that are implemented by the dll:
    STDMETHOD Initialize
    STDMETHOD Scan
    STDMETHOD Clean
VSAPI Interface details
  STDMETHOD Initialize
    SharePoint calls the ForefrontSPVsapi, which returns the Forefront product string and version.
  STDMETHOD Scan
    SharePoint calls the ForefrontSPVsapi to scan the passed-in content and return the infection status and virus information (if any).
    If “Attempt to Clean Infected Documents” has been selected in SharePoint, then Forefront returns MSOVSI_STATUS_CLEANABLE. SharePoint then calls the Clean Method to optimize performance.
  STDMETHOD Clean
    The Clean Method attempts to clean detected viruses found in files. It returns the infected status and virus information (e.g. virus name) and updates the output stream if viruses are cleaned.
    When the Clean Method is called, ForefrontSPVsapi finds an available ForefrontRealtime process. Note that a separate process is called for cleaning.
    If the clean process fails, the status is set to MSOVSI_STATUS_CLEAN_FAILED and the file is blocked. If the clean process succeeds, the status is set to MSOVSI_STATUS_CLEAN and the file is allowed.
  STDMETHOD Scan, continued
    If “Attempt to Clean” is not selected, Forefront passes the content to an available Forefront Realtime process. After this, the data stream can no longer be returned to SharePoint, so the file can no longer be cleaned: a cleaned file has no way to return to the SharePoint data stream. Therefore, only blocking is possible if “Attempt to Clean” is turned off in SharePoint.
    If the Scan Method returns MSOVSI_STATUS_INFECTED, SharePoint notifies the user that the file is infected and displays the virus information. The file is blocked; no attempt is made to clean it.
    If the content is clean, the status is set to MSOVSI_STATUS_CLEAN and the file is allowed.
    If the content cannot be processed due to a timeout or a failure of the scan process, the status is set to MSOVSI_STATUS_INFECTED.
Scanning decision tree (one document)
  Is SharePoint set to Clean?
    YES: call the Cleaning Method.
      Can the file be cleaned?
        YES: file cleaned and loaded into library.
        NO: file blocked.
    NO: pass to the Forefront scanner.
      Is the file infected?
        YES: file blocked.
        NO: file loaded into library.
Specific file behaviors on upload

SharePoint setting   Forefront setting   Result                            Reported in Forefront as
Single cleanable virus
  Clean              Clean               Cleaned                           Cleaned
  Do not clean       Clean               Blocked                           Cleaned
  Clean              Block               Blocked                           Blocked
  Do not clean       Block               Blocked                           Blocked
ZIP file with embedded cleanable virus
  Clean              Clean               Cleaned                           Cleaned
  Do not clean       Clean               Blocked                           Cleaned
  Clean              Block               Blocked                           Blocked
  Do not clean       Block               Blocked                           Blocked
ZIP file with embedded non-cleanable virus
  Clean              Clean               Infected embedded file removed    Removed
  Do not clean       Clean               Blocked                           Blocked
  Clean              Block               Blocked                           Blocked
  Do not clean       Block               Blocked                           Blocked
Specific file behaviors on download

SharePoint setting   Forefront setting   Result     Reported in Forefront as
Single cleanable virus
  Clean              Clean               Cleaned    Cleaned
  Do not clean       Clean               Blocked    Cleaned (file is still infected)
  Clean              Block               Blocked    Blocked
  Do not clean       Block               Blocked    Blocked (file is still infected)
ZIP file with embedded cleanable virus
  Clean              Clean               Cleaned    Cleaned
  Do not clean       Clean               Blocked    Cleaned (file is still infected)
  Clean              Block               Blocked    Blocked
  Do not clean       Block               Blocked    Blocked
ZIP file with embedded non-cleanable virus
  Clean              Clean               Blocked    Blocked
  Do not clean       Clean               Blocked    Blocked
  Clean              Block               Blocked    Blocked
  Do not clean       Block               Blocked    Blocked
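The decision tree and the two behavior tables above can be expressed as one function. What follows is an added example written for this edit, not code from the slides or from Forefront itself: it takes the four inputs the tables vary (transfer direction, the SharePoint “Attempt to Clean” setting, the Forefront action, and whether the detection is cleanable and whether it sits inside a ZIP) and returns the result together with what Forefront reports, so an administrator can see exactly where the log entry and the real outcome disagree. The enum names, the "misleading_report" flag and the "library_copy_still_infected" flag are this example's own; the latter follows the later “Impact of API issues” slide, which states that a file detected on download stays in the library.

```python
from enum import Enum


class Direction(Enum):
    UPLOAD = "upload"
    DOWNLOAD = "download"


class ForefrontAction(Enum):
    CLEAN = "Clean: repair document"
    BLOCK = "Block: prevent transfer"


def realtime_outcome(direction, sharepoint_clean, forefront_action, cleanable, in_zip):
    """Return (result, reported_as) for one detection by the Realtime Scan Job.

    sharepoint_clean is the SharePoint "Attempt to Clean Infected Documents" setting,
    cleanable says whether the engine can repair the detection, and in_zip says
    whether the detection is an embedded file inside a ZIP container.
    """
    if forefront_action is ForefrontAction.BLOCK:
        # "Block: prevent transfer" never attempts a clean.
        return "Blocked", "Blocked"
    if cleanable:
        if sharepoint_clean:
            # Scan returns MSOVSI_STATUS_CLEANABLE, SharePoint calls Clean, the stream is updated.
            return "Cleaned", "Cleaned"
        # Without "Attempt to Clean" the cleaned stream cannot be handed back to SharePoint,
        # so the transfer is blocked although the Forefront log records "Cleaned".
        return "Blocked", "Cleaned"
    # Non-cleanable detection: the slides tabulate this case inside a ZIP only.
    if in_zip and sharepoint_clean and direction is Direction.UPLOAD:
        return "Infected embedded file removed", "Removed"
    return "Blocked", "Blocked"


def outcome_report(direction, sharepoint_clean, forefront_action, cleanable, in_zip):
    """Add the two facts an administrator cares about on top of the table row."""
    result, reported = realtime_outcome(direction, sharepoint_clean, forefront_action, cleanable, in_zip)
    return {
        "result": result,
        "reported_as": reported,
        # A "Cleaned" log entry for a transfer that was actually blocked is easy to misread.
        "misleading_report": result == "Blocked" and reported != "Blocked",
        # A blocked download leaves the original file in the library
        # (example's own flag, based on the "Impact of API issues" slide).
        "library_copy_still_infected": direction is Direction.DOWNLOAD and result == "Blocked",
    }


def behaviour_matrix():
    """Rebuild the slides' upload and download tables for every combination."""
    cases = ((True, False, "Single cleanable virus"),
             (True, True, "ZIP file with embedded cleanable virus"),
             (False, True, "ZIP file with embedded non-cleanable virus"))
    rows = []
    for direction in Direction:
        for cleanable, in_zip, label in cases:
            for sp_clean in (True, False):
                for action in ForefrontAction:
                    rep = outcome_report(direction, sp_clean, action, cleanable, in_zip)
                    rows.append({"direction": direction.value, "case": label,
                                 "sharepoint": "Clean" if sp_clean else "Do not clean",
                                 "forefront": action.name.title(), **rep})
    return rows


if __name__ == "__main__":
    for row in behaviour_matrix():
        print(row)
```

Running the block prints all 24 rows; the four rows flagged as misleading are exactly the “Do not clean / Clean” rows for cleanable detections, where the console shows a clean that the user never received.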
Realtime virus deletion text
  When a file is deleted because it contains a virus, Forefront replaces it with a text file. The file keeps its name but gets a .txt extension.
  Deletion text is only used in Realtime scanning when replacing files within a ZIP file.
  The text file contains a configurable “Deletion Text” that can include system information. By default, the deletion text reads:
    Microsoft Forefront Security for SharePoint %State% a file since it was found to be infected.
    File name: "%File%"
    Virus name: "%Virus%"
Forefront Manual Scan Job
  Manual Scan provides a tree view into the document library.
  All or part of the library can be set for scanning by using check boxes.
  Settings will not include new sites by default unless the top box is checked.
  Use Quick Scan to scan a particular part of the library.

Forefront Manual Scan Job
  The Manual Scan uses a combination of the VSAPI and the SharePoint object model (basically the same interface anything else uses to access a document in SharePoint).
  When not using the API, Forefront uses a COM object to navigate the SharePoint site(s), containers and folders and to retrieve content for scanning.
  Circumstances dictate which form of scanning will be used.
Forefront Manual Scan Job
  The nature of the Manual Scan is determined by the Anti Virus Vendor ID (AVVendorID).
  The AV ID is the current virus engine number as understood by Forefront.
    The AV ID is incremented every night during the database compaction process (2 a.m.).
    The AV ID will also increment with each engine update if “Scan on Scanner Update” is activated.
    The AV ID increments when SharePoint system virus settings are changed.
  There is both a system-wide AV ID and an AV ID on each particular file in the library.

Forefront Manual Scan Job
  The Manual Scan is also impacted by whether or not a file is listed as “infected” in the SharePoint database.
    This occurs when a virus is detected by the Realtime Scan during a download attempt.
    The file is not deleted, but it is marked as “infected”.
  Summarizing, the manual scan is impacted by:
    The system AV ID
    The individual file AV ID
    The infected status of the file
Sidebar: viewing the AVVendorID
  To view the AVVendorID, use the following syntax:
    stsadm -o getproperty -pn AVVendorID
  stsadm is found in the directory: \Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN
Forefront Manual Scan Job
  There are problems in the VSAPI implementation of SharePoint that cause errant behavior in the Forefront Manual Scan process. Realtime Scanning is not affected.
  This behavior needs to be understood. Changes will not be implemented until both SharePoint and Forefront deliver fixes.
    Forefront service release tentative for August 2007.
    SharePoint service release tentatively planned for March 2008.
    The problem may be corrected earlier with hotfixes.
Manual Scanning decision tree (document AV ID matches system AV ID)
  Is the file already marked as infected?
    NO: scanned by the Manual Scan (COM object); reported by the Manual Scan Job.
    YES: the file is not detected by Forefront and is not scanned. This is incorrect behavior! Note that the file becomes “invisible” to Forefront.

Manual Scanning decision tree (document AV ID does not match system AV ID)
  Is the file already marked as infected?
    YES: the file is not detected by Forefront and is not scanned.
    NO: the VSAPI is used to scan the file.
      Is a virus detected? Detections are reported under the Realtime Scan Job in Forefront (this is incorrect behavior!), and the file is scanned again by the Manual Scan Job.
Impact of API issues
  Once a file has been detected as “infected,” it becomes “invisible” to the Manual Scan.
  Access to the file is blocked, as seen in this Program Log excerpt:
    "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document."
  The file will also be “invisible” to File Filter scans and keyword scans.

Impact of API issues
  If a file has been detected as infected during download, it can no longer be removed by Forefront.
    User access to it will be blocked, but the infected file remains in the library; you would have to delete it manually.
  During a Manual Scan, many detected viruses may actually be detected by the Realtime Scan.
    This is especially likely if the Scan on Scanner Update option is used, which frequently toggles the virus ID. Realize that scan job settings can be different.
Manual Scan virus detection actions
  Actions available to Manual Scan:
    Skip: detect only – logs the presence of a virus but does not block or delete it.
    Clean: repair document – attempts to clean the file. If the file cannot be cleaned, it is deleted.
    Delete: remove infection – deletes the file without attempting to clean it.
  Replaces the deleted file with a text file; the file retains its name and extension.
File Filtering
  Proactive protection of SharePoint by keeping out dangerous file types, e.g. EXE, VBS, COM, PIF, SCR, etc.
  Used to block unwanted file types, e.g. MP3, AVI, and other files that may present liability or storage issues.
  Blocks based on file name as well as true file type.
  Blocks based on file size and size/type combinations.

File Filtering
  SharePoint also supports file blocking, but performs only file extension checking, which can be easily circumvented by changing the extension.
  If SharePoint and Forefront rules overlap, the SharePoint rule is applied first.
  SharePoint file scanning requires less overhead and should be used in conjunction with Forefront: block the same list of files in both places.
  Skip: detect mode can be used to inventory the library or understand real-time file storage patterns.
ZIP file behavior
  Forefront can unpack and repack ZIPs and other container formats while removing the unwanted content.
  Works with both AV engines and file filters.
  The unwanted file is replaced with deletion text; the file name is changed to original-file-name.txt.
  This allows protection to be maintained without disrupting the valid files.
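As an added illustration of how the ZIP repacking above, the file-filter rules and the deletion-text template fit together (example code written for this edit, not code from the deck or from the product): the function below unpacks an in-memory ZIP, applies a small file filter that checks both the extension and the true file type, replaces each unwanted member with a deletion-text file named original-file-name.txt, and repacks the valid members untouched. The blocked-extension list, the MZ-header check standing in for the product's true-type detection, the word substituted for %State% and the sample archive are all this example's own assumptions.

```python
import io
import zipfile

# Default deletion text from the slides; %State%, %File% and %Virus% are substituted per file.
DELETION_TEXT = (
    "Microsoft Forefront Security for SharePoint %State% a file since it was found to be infected.\n"
    'File name: "%File%"\n'
    'Virus name: "%Virus%"\n'
)

# Example policy (assumption): extensions the slides list as dangerous, plus one
# magic-byte signature used as a stand-in for true-file-type detection.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".com", ".pif", ".scr"}
MAGIC_SIGNATURES = {b"MZ": "executable (MZ header)"}


def true_type(data):
    """Return a label for the content's real type, or None if no signature matches."""
    for magic, label in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return label
    return None


def filter_verdict(name, data):
    """Return the file-filter incident string for an unwanted member, or None if it passes."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"FILE FILTER= *{ext}"
    label = true_type(data)
    if label is not None:
        # Extension-only checks (what SharePoint's own blocking does) miss this case.
        return f"FILE FILTER= true type {label}, extension {ext or '(none)'}"
    return None


def render_deletion_text(state, filename, virus):
    return (DELETION_TEXT.replace("%State%", state)
                         .replace("%File%", filename)
                         .replace("%Virus%", virus))


def repack_zip(zip_bytes):
    """Unpack, replace unwanted members with deletion text, repack. Returns (bytes, incidents)."""
    incidents = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            reason = filter_verdict(info.filename, data)
            if reason is None:
                dst.writestr(info.filename, data)  # valid members pass through unchanged
                continue
            incidents.append({"file": info.filename, "incident": reason, "state": "Removed"})
            # Keep the name, add a .txt extension, and store the deletion text in its place.
            dst.writestr(info.filename + ".txt",
                         render_deletion_text("removed", info.filename, reason))
    return out.getvalue(), incidents


def member_names(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.namelist()


def read_member(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name).decode("utf-8")


def build_sample_zip():
    """Constructed test archive: a harmless text file, an .exe, and an executable renamed .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "quarterly notes, nothing unusual here\n")
        z.writestr("installer.exe", b"MZ" + b"\x00" * 64)
        z.writestr("report.pdf", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    repacked, found = repack_zip(build_sample_zip())
    print(member_names(repacked))
    for incident in found:
        print(incident)
```

The renamed member is the case the slide warns about: an extension-only rule such as SharePoint's own blocked-file list lets it through, while the true-type check removes it and the repacked archive still delivers notes.txt intact.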
Performance features
  Forefront Security for SharePoint uses the SharePoint anti-virus API, which is optimized for SQL Server.
  Multi-threaded scanning allows up to ten documents to be scanned at the same time, which minimizes end user wait time.
  Scanning logic does not re-scan documents that have already been scanned.

Performance features
  To save scanning cycles, files detected once as viruses are, by default, not scanned again when users attempt to download them and the same AV ID is in place.
    The file will be blocked, but you will not see a virus detection event listed in Forefront.
    Uploaded files are always scanned because their state cannot be known.
    However, if the AV ID of the file and the system are different, the file is rescanned.
End user experience
  When a file is blocked, the user receives an on-screen notification.

End user experience
  Due to limitations in the API, the notification always says Virus Found even when using a file filter or keyword filter.
  [Screenshots: the Forefront log shows that it was a file filter, but the notification displays as if a virus had been found.]

Mapped drive support
  Forefront scans documents accessed via Explorer, but the user experience is unclear.
    In a download scenario, the copy fails without any error – the progress screen disappears.
    In an upload scenario, the copy fails with a vague error message.
Large File Support
  Large file support has been added to the VSAPI in SharePoint 2007.
  The VSAPI hook can load and transfer pieces of the file on demand; Forefront requests file data in chunks.
  The maximum file size to be scanned is 2 GB. If the file is larger than 2 GB, the ForefrontService will return a value of MSOVSI_STATUS_INFECTED and the Virus Information string will note “Exceeded File Size”.

Large File Support Bug
  Due to a bug in the current Forefront for SharePoint release, the “Exceeded File Size” blocking occurs at files of 128 MB instead of 2 GB.
  This is a known issue based on a mistaken hard-coded parameter. It has already been identified and fixed.
  A hotfix has not yet been created because no customer issues have been raised yet; the fix will be rolled into the first Service Pack.
Forefront and IRM
  Information Rights Management applies RMS protection to documents at the folder level, enforced by SharePoint.
  The VSAPI will decrypt documents automatically for Forefront. This only applies to Realtime scanning.
  The Manual Scan can only scan IRM-protected documents when the VSAPI is called (as per the previous discussion).
Forefront and Office 2007
  The new Office DOCX document format is supported in Forefront for SharePoint. It can be scanned for viruses, file filtering and keyword filtering.
  The format presents specific scanning challenges due to its nature: the current Antigen sees the Office 2007 format as a ZIP file. This will be addressed in Antigen SP1.
  A new XML Navigator has been added to Forefront to properly handle these formats.

Forefront and Office 2007
  The File Filter is listed as OPENXML in the Forefront interface.
  The filter is not able to distinguish between Word, PowerPoint, Excel, and so on, but sees all OpenXML files as the same type.
  They can be distinguished by extension name: .DOCX, .PPTX, .XLSX.
Forefront and Office 2007
  When using the file type filter, Forefront detects it directly, as seen in this program log entry:

Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"
Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: The Realtime scanner is scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
Tue Jan 16 10:06:25 2007 ( 2492- 2620), "DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"

Forefront and Office 2007
  If not blocking by file type, however, Forefront explodes the file into its constituent XML parts:

DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx"
DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TestFile.pptx"
DIAGNOSTIC: The Realtime scanner is uncompressing file "
DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->[Content_Types].xml"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slide1.xml.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->presentation.xml.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slideLayout7.xml.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->theme1.xml" [and so on…]

The above sample log is highly edited for ease of viewing.
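The program-log excerpts on this slide and on the “Impact of API issues” slide carry the facts an administrator needs when reconciling what users saw with what actually happened: which blocks were file-filter hits rather than engine detections (the user notification says Virus Found in both cases), and which documents the Manual Scan can no longer open. The parser below is an added example written for this edit, not a Forefront tool; it is modelled on the entry format quoted in the slides. The sample log is constructed: the FILE FILTER entry and the SPFile.OpenBinary warning follow the deck's own excerpts, while the antivirus incident line and its scanner name EXAMPLE_AV_ENGINE are made up for the example.

```python
import re

# Constructed sample in the program-log format the slides quote. The antivirus
# incident line (EICAR-Test-File / EXAMPLE_AV_ENGINE) is this example's invention.
SAMPLE_LOG = r'''
Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"
Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"
Tue Jan 16 10:07:02 2007 ( 2492- 2501), "INFORMATION: Realtime scan found virus: Folder: Shared Documents File: eicar.com Incident: VIRUS= EICAR-Test-File Scanner: EXAMPLE_AV_ENGINE State: Blocked"
Tue Jan 16 10:09:41 2007, "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document."
'''

ENTRY_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})'  # e.g. Tue Jan 16 10:06:25 2007
    r'(?: \(\s*\d+-\s*\d+\))?'                             # optional "( 2492- 2496)" ids
    r', "(?P<level>[A-Z]+): (?P<msg>.*)"$')
INCIDENT_RE = re.compile(
    r'Realtime scan found virus: Folder: (?P<folder>.*?) File: (?P<file>.*?) '
    r'Incident: (?P<incident>.*?) Scanner: (?P<scanner>.*?) State: (?P<state>\S+)$')
OPENBINARY_RE = re.compile(
    r'SPFile\.OpenBinary failed \((?P<hresult>0x[0-9A-Fa-f]+)\) on "(?P<url>[^"]+)"')
FILETYPE_RE = re.compile(r'detected a FileType of (?P<num>\d+) \((?P<name>\w+)\)')


def parse_program_log(text):
    """Split the log into entries; attach structured fields where a pattern matches."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            entries.append({"level": "UNPARSED", "raw": line})
            continue
        entry = {"ts": m["ts"], "level": m["level"], "msg": m["msg"]}
        if (inc := INCIDENT_RE.search(entry["msg"])):
            entry["incident"] = inc.groupdict()
        elif (ob := OPENBINARY_RE.search(entry["msg"])):
            entry["unscannable"] = ob.groupdict()   # Manual Scan cannot open this document
        elif (ft := FILETYPE_RE.search(entry["msg"])):
            entry["filetype"] = (int(ft["num"]), ft["name"])
        entries.append(entry)
    return entries


def summarize(entries):
    """Group what the log says by what an administrator will be asked about."""
    summary = {"blocked": [], "manual_scan_cannot_reach": [], "filetypes": []}
    for entry in entries:
        inc = entry.get("incident")
        if inc and inc["state"] == "Blocked":
            cause = "file filter" if inc["scanner"] == "FILE_FILTER_SCANNER" else "antivirus"
            # The SharePoint notification reads "Virus Found" for either cause.
            summary["blocked"].append({"file": inc["file"], "cause": cause,
                                       "incident": inc["incident"], "user_saw": "Virus Found"})
        if "unscannable" in entry:
            summary["manual_scan_cannot_reach"].append(entry["unscannable"]["url"])
        if "filetype" in entry:
            summary["filetypes"].append(entry["filetype"][1])
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_program_log(SAMPLE_LOG)).items():
        print(key, value)
```

The "manual_scan_cannot_reach" list is the set of documents the slides say must be removed by hand, since neither the Manual Scan nor the file-filter or keyword scans will see them again.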
Summary
  Forefront Security for SharePoint provides three kinds of protection:
    Antivirus scanning of files/documents
    File filtering
    Document content keyword filtering
  Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0.
    Previous SharePoint versions are supported by Antigen for SharePoint.
  Supports both 32- and 64-bit deployments.
  Available now for production deployment!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.