
Protection and Control for Collaboration Servers
Microsoft Forefront Security for SharePoint

Lee Hickin CISSP
Security Specialist, lhickin@microsoft.com

Agenda

What is Forefront for SharePoint
The Forefront Scan Jobs
File filtering
Topics of Interest
  ZIP file behavior
  Performance
  End user experience
  Large file support
  Forefront and IRM
  Forefront and Office 2007

General information

Forefront Security for SharePoint provides three kinds of protection:
  Antivirus scanning of files/documents
  File filtering
  Document content keyword filtering
Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0
  Previous SharePoint versions are supported by Antigen for SharePoint
Supports both 32- and 64-bit deployments

[Architecture diagram: Internet -> SharePoint Server Farm (servers labelled A to E) -> SQL data store. Forefront callouts: distributed protection, performance tuning, content filtering, central management, Microsoft AV multi-engine manager]

Recent AV-Test.org results: Forefront engine sets and other vendors

Signature response times in hours

MM/YY  Virus           FF Set 1  FF Set 2  FF Set 3  FF Set 4  FF Set 5  Vendor A  Vendor B  Vendor C
04/06  Mytob.NQ@mm         1.53      1.00      1.00      1.00      3.07      9.93     17.35      2.10
04/06  Mytob.NQ@mm         1.00      1.12      1.00      1.00      1.00     28.07     11.57      3.52
04/06  Spybot!04C2        23.03      1.00     23.03     25.28      1.00      0.00     29.90     39.02
04/06  Nugache.a           1.00     25.45      1.00      1.00      1.00     34.10     12.90     48.05
05/06  Numuen.F            0.00     24.43      0.00      0.00      0.00      1.00     10.33     14.95
05/06  Numuen.H            1.00     31.72      1.00      1.00      1.00    103.83    251.85    114.78
05/06  Numuen.G            3.15      8.20      3.15      3.15      3.15      1.00    151.80    468.97
05/06  Banwarum.C@mm      87.47      1.00     87.47     87.47      1.00    116.73     72.95    129.25
05/06  Banwarum.B@mm      12.05      1.00      1.82      1.82      1.00    116.73     22.45     32.85
05/06  Rbot!E905           0.00      0.00      0.00      0.00      0.00  1,141.78    217.57      1.00
06/06  Bagle.EG            0.00      0.00      0.00      0.00      0.00      0.00      7.32      0.00
06/06  Bagle.EH@mm         0.00      1.25      0.00      0.00      0.00      0.00     18.43      0.00
06/06  Bagle.EG@mm         0.00      3.62      0.00      0.00      1.00      0.00     26.48      0.00
06/06  Bagle.LY@mm         0.00      0.00      0.00      0.00      0.00      0.00      6.40      2.47
07/06  Feebs.gen@mm        0.00      0.00      0.00      0.00      0.00      0.00      0.00    503.80
07/06  Feebs.EU            0.00      1.00      0.00      0.00      0.00     52.30    173.17     38.97
07/06  Virut.A             0.00      0.00      0.00      0.00      0.00      0.00      0.00  1,317.02

Legend (colour-coded in the original slide): less than 5 hours / between 5 and 24 hours / more than 24 hours

Forefront antivirus scanning

Forefront provides two scan jobs:
Realtime Scan Job: scans any file being uploaded to or downloaded from SharePoint
  Works with a web browser or any other application accessing SharePoint
  Provides proactive protection
Manual Scan Job: scans all or part of a SharePoint document library on demand
  Scans can be scheduled
  Can be used to scan with engines different from those used by the Realtime Scan Job

The Forefront Realtime Scan Job

Realtime scanning always uses the VSAPI (the SharePoint virus scanning API that Forefront registers with)
Basic Realtime scan settings are centrally configured through the SharePoint interface, not the Forefront console
  This is why they are grayed out in the Forefront console
  To change them, open SharePoint Central Administration and click "Operations", followed by "Antivirus"

SharePoint antivirus system settings

"Scan documents on upload" and "Scan documents on download" are separate settings that can be turned on or off
  Best practice is to use both
Scanning timeout is configurable; the default is 600 seconds
Number of scanning threads is configurable
  Default is 10 threads, which is also the maximum
  "Threads" are actually processes that are spawned as needed

Forefront virus detection actions

When Forefront detects a virus, several actions are available:
Skip: detect only. Logs the presence of the virus but does not block or delete it
  Not a secure setting! Can be used for testing/evaluation purposes
Clean: repair document. Attempts to clean the file; if the file cannot be cleaned, it is blocked

Forefront virus detection actions (continued)

Block: prevent transfer. Blocks the file from being uploaded or downloaded without attempting to clean it
However, there is a potential conflict between the Forefront action and the SharePoint antivirus setting "Attempt to clean infected documents": when the two disagree, who wins? The following slides trace the VSAPI calls to answer that

VSAPI workflow

The ForefrontSPVsapi64.dll is registered with SharePoint (the 32-bit version is ForefrontSPVsapi.dll)
The VSAPI interface contains three methods that are implemented by the DLL:
  STDMETHOD Initialize
  STDMETHOD Scan
  STDMETHOD Clean

VSAPI interface details: STDMETHOD Initialize

SharePoint calls ForefrontSPVsapi, which returns the Forefront product string and version

STDMETHOD Scan

SharePoint calls ForefrontSPVsapi to scan the passed-in content and return the infection status and virus information (if any)
If "Attempt to clean infected documents" has been selected in SharePoint, Forefront reports an infected file as MSOVSI_STATUS_CLEANABLE rather than cleaning it inside Scan
  SharePoint then calls the Clean method (the repair is deferred to that call to optimize performance)

VSAPI interface details: STDMETHOD Clean

The Clean method attempts to clean the viruses detected in a file
It returns the infection status and virus information (e.g. virus name), and updates the output stream if the viruses are cleaned
When the Clean method is called, ForefrontSPVsapi finds an available ForefrontRealtime process
  Note that a separate process is used for cleaning
If cleaning fails, the status is set to MSOVSI_STATUS_CLEAN_FAILED and the file is blocked
If cleaning succeeds, the status is set to MSOVSI_STATUS_CLEAN and the file is allowed

VSAPI interface details: STDMETHOD Scan, continued

If "Attempt to clean" is not selected, Forefront passes the content to an available ForefrontRealtime process
  After this, the data stream can no longer be returned to SharePoint
  At this point the file can no longer be cleaned, because a cleaned file has no way back into the SharePoint data stream
Therefore only blocking is possible if "Attempt to clean" is turned off in SharePoint, even when the Forefront action is set to Clean

VSAPI interface details: STDMETHOD Scan, continued

If the Scan method returns MSOVSI_STATUS_INFECTED, SharePoint notifies the user that the file is infected and displays the virus information
  The file is blocked; no attempt is made to clean it
If the content is clean, the status is set to MSOVSI_STATUS_CLEAN
  The file is allowed
If the content cannot be processed because of a timeout or a failure of the scan process, the status is also set to MSOVSI_STATUS_INFECTED, so the file is blocked rather than let through unscanned

Scanning decision tree

DOCUMENT
  -> Is SharePoint set to Clean?
       YES -> Call the Cleaning method -> Can the file be cleaned?
                 YES -> File cleaned and loaded into library
                 NO  -> File blocked
       NO  -> Pass to the Forefront scanner -> Is the file infected?
                 YES -> File blocked
                 NO  -> File loaded into library

Specific file behaviors on upload

Case                                        SharePoint setting  Forefront setting  Result                          Reported in Forefront as
Single cleanable virus                      Clean               Clean              Cleaned                         Cleaned
                                            Do not clean        Clean              Blocked                         Cleaned
                                            Clean               Block              Blocked                         Blocked
                                            Do not clean        Block              Blocked                         Blocked
ZIP file with embedded cleanable virus      Clean               Clean              Cleaned                         Cleaned
                                            Do not clean        Clean              Blocked                         Cleaned
                                            Clean               Block              Blocked                         Blocked
                                            Do not clean        Block              Blocked                         Blocked
ZIP file with embedded non-cleanable virus  Clean               Clean              Infected embedded file removed  Removed
                                            Do not clean        Clean              Blocked                         Blocked
                                            Clean               Block              Blocked                         Blocked
                                            Do not clean        Block              Blocked                         Blocked

Specific file behaviors on download

Case                                        SharePoint setting  Forefront setting  Result   Reported in Forefront as
Single cleanable virus                      Clean               Clean              Cleaned  Cleaned
                                            Do not clean        Clean              Blocked  Cleaned (file is still infected)
                                            Clean               Block              Blocked  Blocked
                                            Do not clean        Block              Blocked  Blocked (file is still infected)
ZIP file with embedded cleanable virus      Clean               Clean              Cleaned  Cleaned
                                            Do not clean        Clean              Blocked  Cleaned (file is still infected)
                                            Clean               Block              Blocked  Blocked
                                            Do not clean        Block              Blocked  Blocked
ZIP file with embedded non-cleanable virus  Clean               Clean              Blocked  Blocked
                                            Do not clean        Clean              Blocked  Blocked
                                            Clean               Block              Blocked  Blocked
                                            Do not clean        Block              Blocked  Blocked
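The Scan/Clean flow and the two behavior tables above can be expressed as one small decision function. The following Python is an added example written for this page, not Forefront or SharePoint code: it models how the SharePoint "Attempt to clean infected documents" setting combines with the Forefront Realtime action and reproduces every row of the upload and download tables. The enum names, the Sample and Outcome types and the behavior_table helper are this example's own; the MSOVSI_STATUS_* sequences for the Skip and Block actions and for the ZIP-member removal case are assumptions (the slides give status codes only for the Clean and Do-not-clean paths) and are marked as such in the comments. The scan_failed flag reproduces the timeout rule from the Scan slide.

```python
"""Model of the SharePoint / Forefront clean-versus-block decision.

Added example for this page; not Forefront or SharePoint code. It encodes the
VSAPI Scan/Clean flow and the upload/download behavior tables from the slides.
"""
from dataclasses import dataclass
from enum import Enum


class SPSetting(Enum):
    """SharePoint Central Administration > Operations > Antivirus."""
    CLEAN = "Clean"                # "Attempt to clean infected documents" on
    DO_NOT_CLEAN = "Do not clean"  # setting off


class FFAction(Enum):
    """Forefront Realtime Scan Job virus detection action."""
    SKIP = "Skip"     # detect only: logs, never blocks (evaluation use only)
    CLEAN = "Clean"   # repair document
    BLOCK = "Block"   # prevent transfer


class Direction(Enum):
    UPLOAD = "upload"
    DOWNLOAD = "download"


@dataclass(frozen=True)
class Sample:
    """An infected item as the scanner sees it."""
    in_zip: bool     # infected file is a member of a ZIP container
    cleanable: bool  # the engine has a repair routine for this infection


@dataclass(frozen=True)
class Outcome:
    result: str          # what happens to the transfer
    reported: str        # how Forefront's own incident log describes it
    vsapi_status: tuple  # MSOVSI_STATUS_* codes returned to SharePoint, in order


def decide(direction: Direction, sp: SPSetting, ff: FFAction,
           sample: Sample, scan_failed: bool = False) -> Outcome:
    """Combine the SharePoint setting and the Forefront action for one file."""
    # A timeout or scanner failure is reported as INFECTED: the file is
    # blocked rather than let through unscanned (fail closed).
    if scan_failed:
        return Outcome("Blocked", "Blocked", ("MSOVSI_STATUS_INFECTED",))

    if ff is FFAction.SKIP:
        # Detect only: the transfer proceeds. Status code assumed, since the
        # slides do not give one for this path.
        return Outcome("Allowed", "Detect only", ("MSOVSI_STATUS_CLEAN",))

    if ff is FFAction.BLOCK:
        # Block never attempts repair. Status path assumed (INFECTED).
        return Outcome("Blocked", "Blocked", ("MSOVSI_STATUS_INFECTED",))

    # Forefront action is Clean from here on.
    if sp is SPSetting.DO_NOT_CLEAN:
        # Scan hands the stream to a ForefrontRealtime process; a repaired
        # copy can never be returned to SharePoint, so only blocking is
        # possible. Forefront still logs its own repair as "Cleaned".
        reported = "Cleaned" if sample.cleanable else "Blocked"
        return Outcome("Blocked", reported, ("MSOVSI_STATUS_INFECTED",))

    # SharePoint is set to Clean: Scan returns CLEANABLE, then Clean is called.
    if sample.cleanable:
        return Outcome("Cleaned", "Cleaned",
                       ("MSOVSI_STATUS_CLEANABLE", "MSOVSI_STATUS_CLEAN"))
    if sample.in_zip and direction is Direction.UPLOAD:
        # Non-cleanable ZIP member: Forefront removes it and repacks the
        # container, which SharePoint accepts as a successful clean
        # (status sequence assumed; the slide only names the result).
        return Outcome("Infected embedded file removed", "Removed",
                       ("MSOVSI_STATUS_CLEANABLE", "MSOVSI_STATUS_CLEAN"))
    # Repair failed: CLEAN_FAILED and the file is blocked.
    return Outcome("Blocked", "Blocked",
                   ("MSOVSI_STATUS_CLEANABLE", "MSOVSI_STATUS_CLEAN_FAILED"))


def left_in_library(direction: Direction, outcome: Outcome) -> bool:
    """A block on download leaves the infected copy in the library, where the
    Manual Scan can no longer see it; an administrator must delete it by hand.
    A block on upload never stores the file."""
    return direction is Direction.DOWNLOAD and outcome.result == "Blocked"


def behavior_table(direction: Direction):
    """All twelve rows of the slide's table for one direction, in slide order."""
    cases = [("Single cleanable virus", Sample(in_zip=False, cleanable=True)),
             ("ZIP file with embedded cleanable virus", Sample(True, True)),
             ("ZIP file with embedded non-cleanable virus", Sample(True, False))]
    rows = []
    for label, sample in cases:
        for ff in (FFAction.CLEAN, FFAction.BLOCK):
            for sp in (SPSetting.CLEAN, SPSetting.DO_NOT_CLEAN):
                o = decide(direction, sp, ff, sample)
                rows.append((label, sp.value, ff.value, o.result, o.reported))
    return rows


if __name__ == "__main__":
    for d in Direction:
        print(f"--- {d.value} ---")
        for row in behavior_table(d):
            print(" | ".join(row))
```

Running it prints both tables. The row worth remembering is "Do not clean" + "Clean": Forefront's log says the file was cleaned while SharePoint actually blocked the transfer, and if that happened on a download the infected copy is still sitting in the library.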

Realtime virus deletion text

When a file is deleted because it contains a virus, Forefront replaces it with a text file
  The file keeps its name but gets a .txt extension
Deletion text is only used in Realtime scanning when replacing files within a ZIP file
The text file contains a configurable "Deletion Text" that can include system information
By default, the deletion text reads:
  Microsoft Forefront Security for SharePoint %State% a file since it was found to be infected.
  File name: "%File%"
  Virus name: "%Virus%"

Forefront Manual Scan Job

Manual Scan provides a tree view into the document library
All or part of the library can be set for scanning by using check boxes
  Settings will not include new sites by default unless the top box is checked
Use Quick Scan to scan a particular part of the library

Forefront Manual Scan Job

The Manual Scan uses a combination of the VSAPI and the SharePoint object model
  Basically the same interface anything else uses to access a document in SharePoint
When not using the VSAPI, Forefront uses a COM object to navigate the SharePoint site(s), containers and folders and to retrieve content for scanning
Circumstances dictate which form of scanning will be used

Forefront Manual Scan Job

The nature of the Manual Scan is determined by the Anti-Virus Vendor ID (AVVendorID)
The AV ID is the current virus engine number as understood by Forefront
  The AV ID is incremented every night during the database compaction process (2 a.m.)
  The AV ID also increments with each engine update if "Scan on Scanner Update" is activated
  The AV ID increments when the SharePoint system virus settings are changed
There is both a system-wide AV ID and an AV ID on each particular file in the library

Forefront Manual Scan Job

The Manual Scan is also affected by whether or not a file is listed as "infected" in the SharePoint database
  This occurs when a virus is detected by the Realtime Scan during a download attempt
  The file is not deleted, but it is marked as "infected"
Summarizing, the Manual Scan is affected by:
  The system AV ID
  The individual file AV ID
  The infected status of the file

Sidebar: viewing the AVVendorID

To view the AVVendorID, use the following syntax:
  stsadm -o getproperty -pn AVVendorID
stsadm.exe is found in the directory:
  \Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN

Forefront Manual Scan Job

There are problems in the VSAPI implementation of SharePoint that cause errant behavior in the Forefront Manual Scan process
  Realtime Scanning is not affected
This behavior needs to be understood; changes will not be implemented until both SharePoint and Forefront deliver fixes
  Forefront service release tentative for August 2007
  SharePoint service release tentatively planned for March 2008
  Problem may be corrected earlier with hotfixes

Manual Scanning decision tree (1): document AV ID matches system AV ID

Is the file already marked as infected?
  YES -> The file is not detected by Forefront and is not scanned
         This is incorrect behavior! Note that the file becomes "invisible" to Forefront.
  NO  -> Scanned by the Manual Scan (COM object)

Manual Scanning decision tree (2): document AV ID does not match system AV ID

Is the file already marked as infected?
  YES -> The file is not detected by Forefront and is not scanned
  NO  -> VSAPI used to scan the file -> Is a virus detected?
           YES -> Reported under the Realtime Scan Job in Forefront
                  This is incorrect behavior!
           NO  -> Scanned again by the Manual Scan Job -> Reported by the Manual Scan Job

Impact of API issues

Once a file has been detected as "infected", it becomes "invisible" to the Manual Scan
Access to the file is blocked, as seen in this Program Log excerpt:
  "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document."
The file will also be "invisible" to File Filter scans and keyword scans

Impact of API issues

If a file has been detected as infected during download, it can no longer be removed by Forefront
  User access to it will be blocked, but the infected file remains in the library; you would have to delete it manually
During a Manual Scan, many detected viruses may actually be detected by the Realtime Scan
  This is especially likely if the "Scan on Scanner Update" option is used, which frequently changes the AV ID
  Realize that the two scan jobs' settings can be different, so a detection reported under the Realtime Scan Job was handled with the Realtime job's action and engines

Manual Scan virus detection actions

Actions available to the Manual Scan:
Skip: detect only. Logs the presence of the virus but does not block or delete it
Clean: repair document. Attempts to clean the file; if the file cannot be cleaned, it is deleted
Delete: remove infection. Deletes the file without attempting to clean it
  Replaces the deleted file with a text file; the file retains its name and extension

File Filtering

Proactive protection of SharePoint by keeping out dangerous file types
  E.g. EXE, VBS, COM, PIF, SCR, etc.
Used to block unwanted file types
  E.g. MP3, AVI and other files that may present liability or storage issues
Blocks based on file name as well as true file type
Blocks based on file size and size/type combinations

File Filtering

SharePoint also supports file blocking, but performs only file extension checking
  Can be easily circumvented by changing the extension
If SharePoint and Forefront rules overlap, the SharePoint rule is applied first
SharePoint file blocking requires less overhead and should be used in conjunction with Forefront
  Block the same list of files in both places
Skip: detect mode can be used to inventory the library or to understand real-time file storage patterns

ZIP file behavior

Forefront can unpack and repack ZIPs and other container formats while removing the unwanted content
  Works with both AV engines and file filters
Unwanted file is replaced with the deletion text
  File name changed to original-file-name.txt
This allows protection to be maintained without disrupting the valid files
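To make the gap between SharePoint's extension-only check and a true-type file filter concrete, and to show the unpack/replace/repack behaviour the ZIP file behavior slide describes, here is an added Python example written for this page; it is not Forefront code. The blocked-extension list and the default deletion text come from the slides. The magic-byte table, the "FILE FILTER= type EXE" incident string, the original-name-plus-.txt replacement name, the recursion into nested ZIPs and the fail-closed handling of containers that cannot be opened are this example's own choices. Because a real .docx/.pptx/.xlsx starts with the ZIP signature, the same recursion walks into its XML parts, which is what the Office 2007 log on a later slide shows Forefront doing.

```python
"""Extension check versus true-type check, plus ZIP unpack/replace/repack.
Added example for this page, not Forefront code: the blocked-extension list and
the default deletion text come from the slides, everything else is constructed."""
import io
import posixpath
import zipfile

BLOCKED_EXTENSIONS = {"exe", "vbs", "com", "pif", "scr"}   # the slide's examples

# Leading-byte signatures for true-type detection (constructed; Forefront's own
# FOBTYPE_* table is not on the slides). A .docx/.pptx/.xlsx is a ZIP.
MAGIC_TYPES = [(b"MZ", "EXE"), (b"PK\x03\x04", "ZIP"), (b"%PDF", "PDF")]

# Default Realtime deletion text from the slide, with Forefront's %keywords%.
DELETION_TEXT = ("Microsoft Forefront Security for SharePoint %State% a file since "
                 "it was found to be infected.\nFile name: \"%File%\"\n"
                 "Virus name: \"%Virus%\"\n")


def _ext(name: str) -> str:
    return posixpath.splitext(name)[1].lstrip(".").lower()


def extension_blocked(name: str) -> bool:
    """SharePoint-style check: trusts the file name only."""
    return _ext(name) in BLOCKED_EXTENSIONS


def true_type(data: bytes) -> str:
    """Identify content by its leading bytes; 'UNKNOWN' if nothing matches."""
    for magic, label in MAGIC_TYPES:
        if data.startswith(magic):
            return label
    return "UNKNOWN"


def file_filter_incident(name: str, data: bytes):
    """Forefront-style check on name OR true type; incident string or None."""
    if extension_blocked(name):
        return f"FILE FILTER= *.{_ext(name)}"
    if true_type(data) == "EXE":
        return "FILE FILTER= type EXE"   # executable behind a harmless name
    return None


def deletion_text(name: str, incident: str, state: str = "Removed") -> bytes:
    """Fill %State%, %File% and %Virus% in the deletion text."""
    return (DELETION_TEXT.replace("%State%", state).replace("%File%", name)
            .replace("%Virus%", incident)).encode()


def filter_zip(data: bytes, depth: int = 0, max_depth: int = 4):
    """Unpack, filter every member, repack; returns (zip_bytes, incidents).
    Nested containers are recursed into (assumed behaviour). A member that looks
    like a container but cannot be scanned is replaced, not passed through:
    fail closed, as the VSAPI does on a scan failure."""
    incidents, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                dst.writestr(info, b"")
                continue
            member = src.read(info.filename)
            incident = file_filter_incident(info.filename, member)
            if incident is None and true_type(member) == "ZIP":
                if depth >= max_depth:
                    incident = "FILE FILTER= container nested too deep"
                else:
                    try:
                        member, inner = filter_zip(member, depth + 1, max_depth)
                        incidents += [(f"{info.filename}->{n}", i) for n, i in inner]
                    except zipfile.BadZipFile:
                        incident = "FILE FILTER= unreadable container"
            if incident:
                incidents.append((info.filename, incident))
                # Replacement keeps the member's name and gains a .txt extension.
                dst.writestr(info.filename + ".txt",
                             deletion_text(info.filename, incident))
            else:
                dst.writestr(info.filename, member)
    return out.getvalue(), incidents


def build_zip(entries: dict) -> bytes:
    """In-memory ZIP from {name: bytes}, members in insertion order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def contents(zip_bytes: bytes) -> dict:
    """{member name: bytes} of an in-memory ZIP, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n: z.read(n) for n in z.namelist()}


def build_sample_zip() -> bytes:
    """Constructed archive: clean PDF, executable renamed to .docx, executable
    by extension, and a nested ZIP carrying another executable."""
    inner = build_zip({"tools/helper.exe": b"MZ\x90\x00fake-pe-header",
                       "tools/readme.txt": b"nested readme"})
    return build_zip({"report.pdf": b"%PDF-1.4 constructed sample",
                      "quarterly.docx": b"MZ\x90\x00renamed-executable",
                      "setup.scr": b"MZ\x90\x00screensaver-dropper",
                      "bundle.zip": inner})


if __name__ == "__main__":
    repacked, found = filter_zip(build_sample_zip())
    for name, incident in found:
        print(f"{name}: {incident}")
    print(list(contents(repacked)))
```

Run it and the renamed executable quarterly.docx passes extension_blocked but is caught by file_filter_incident, which is exactly the bypass the File Filtering slide warns about; report.pdf is repacked untouched while setup.scr and the nested tools/helper.exe are replaced by deletion-text files.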

Performance features

Forefront Security for SharePoint uses the SharePoint anti-virus API, which is optimized for SQL Server
Multi-threaded scanning allows up to ten documents to be scanned at the same time
  Minimizes end user wait time
Scanning logic does not re-scan documents that have already been scanned

Performance features

To save scanning cycles, files detected once as viruses are, by default, not scanned again when users attempt to download them, as long as the same AV ID is in place
  The file will be blocked, but you will not see a virus detection event listed in Forefront
  Uploaded files are always scanned because their state cannot be known
However, if the AV ID of the file and the system AV ID are different, the file is rescanned

End user experience

When a file is blocked, the user receives an on-screen notification.

End user experience

Due to limitations in the API, the notification always says "Virus Found", even when the block was caused by a file filter or a keyword filter
  (Screenshots on the slide: the Forefront log shows that it was a file filter, while the SharePoint notification displays it as if it were a virus)

Mapped drive support

Forefront scans documents accessed via Explorer (e.g. a mapped drive), but the user experience is unclear
  In a download scenario, the copy fails without any error;  the progress screen simply disappears
  In an upload scenario, the copy fails with a vague error message

Large File Support

Large file support has been added to the VSAPI in SharePoint 2007
  The VSAPI hook can load and transfer pieces of the file on demand; Forefront requests file data in chunks
Maximum file size to be scanned is 2 GB
  If the file is larger than 2 GB, the ForefrontService returns MSOVSI_STATUS_INFECTED, so the file is blocked
  The virus information string will note "Exceeded File Size"

Large File Support bug

Due to a bug in the current Forefront for SharePoint release, the "Exceeded File Size" blocking occurs at 128 MB instead of 2 GB
  This is a known issue caused by a mistaken hard-coded parameter
  Has already been identified and fixed
  A hotfix has not yet been created because no customer issues have been raised yet; the fix will be rolled into the first Service Pack

Forefront and IRM

Information Rights Management applies RMS protection to documents at the folder level, enforced by SharePoint
The VSAPI decrypts documents automatically for Forefront
  This only applies to Realtime scanning
  The Manual Scan can only scan IRM-protected documents when the VSAPI is called (as per the previous discussion), not when it reads them through the COM object

Forefront and Office 2007

The new Office 2007 DOCX document format is supported in Forefront for SharePoint
  Can be scanned for viruses, file filtering and keyword filtering
  The format presents specific scanning challenges due to its nature (a ZIP container holding XML parts)
  The current Antigen release sees the Office 2007 format simply as a ZIP file; this will be addressed in Antigen SP1
A new XML Navigator has been added to Forefront to properly handle these formats

Forefront and Office 2007

The file filter type is listed as OPENXML in the Forefront interface
  The filter is not able to distinguish between Word, PowerPoint, Excel and so on, but sees all OpenXML files as the same type
  They can be distinguished by extension name: .DOCX, .PPTX, .XLSX

Forefront and Office 2007

When using the file type filter, Forefront detects it directly, as seen in this program log entry:

Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"
Tue Jan 16 10:06:25 2007, "DIAGNOSTIC: The Realtime scanner is scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
Tue Jan 16 10:06:25 2007 ( 2492- 2620), "DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TESTFILE.docx" located in the "**During Cleaning**" folder using the Filtering Engine"
Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"

Forefront and Office 2007

If not blocking by file type, however, Forefront explodes the file into its constituent XML parts:

DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx"
DIAGNOSTIC: The Realtime scanner has finished scanning the file named "TestFile.pptx"
DIAGNOSTIC: The Realtime scanner is uncompressing file "
DIAGNOSTIC: workthread.cpp::ScanFileEx(): DIAGNOSTIC: The Realtime scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->[Content_Types].xml"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slide1.xml.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->presentation.xml.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->slideLayout7.xml.rels"
DIAGNOSTIC: The Realtime scanner is scanning the file named "TestFile.pptx->theme1.xml"
[and so on...]

The sample log above is heavily edited for ease of viewing.
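The Forefront program log is the only place that separates the causes of a block that the user interface lumps together as "Virus Found" (file filter, keyword filter, antivirus engine), and it is also where the SPFile.OpenBinary warning from the API-issue slides appears. The following Python is an added example for this page, not Forefront code: it parses log lines in the format shown above, groups detections by the Scanner field and collects the URLs of files the Manual Scan can no longer open, which are the ones an administrator has to delete by hand. The first two sample lines are taken from the slides (the WARNING line on the slide has no timestamp, so one is added in the same format); the third detection line is constructed, and its Scanner and Incident values are placeholders rather than a real engine name or incident format.

```python
"""Triage Forefront Security for SharePoint program-log lines.
Added example for this page, not Forefront code: it separates file-filter blocks
from antivirus detections and lists files the Manual Scan can no longer open."""
import re

# <timestamp>[ ( pid- tid)], "<LEVEL>: <message>" as shown on the slides.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})'
    r'(?: \(\s*\d+-\s*\d+\))?, "(?P<level>[A-Z]+): (?P<msg>.*)"$')

# Field layout of the "Realtime scan found virus" record shown on the slide.
FOUND_RE = re.compile(
    r'^Realtime scan found virus: Folder: (?P<folder>.+?) File: (?P<file>.+?) '
    r'Incident: (?P<incident>.+?) Scanner: (?P<scanner>\S+) State: (?P<state>\S+)$')

# Warning the Manual Scan logs when it hits a file Realtime already blocked.
OPENBINARY_RE = re.compile(
    r'SPFile\.OpenBinary failed \((?P<hresult>0x[0-9A-Fa-f]+)\) on "(?P<url>[^"]+)"')


def parse_line(line: str):
    """(timestamp, level, message) for a program-log line, else None."""
    m = LINE_RE.match(line.strip())
    return (m["ts"], m["level"], m["msg"]) if m else None


def triage(lines):
    """Group detections by cause and collect files needing manual deletion.
    The SharePoint notification says "Virus Found" for every block; the
    Scanner field in the log is where the real cause is visible."""
    report = {"file_filter": [], "antivirus": [], "manual_cleanup": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed
        found = FOUND_RE.match(msg)
        if found:
            cause = "file_filter" if found["scanner"] == "FILE_FILTER_SCANNER" else "antivirus"
            report[cause].append({"time": ts, "folder": found["folder"],
                                  "file": found["file"], "incident": found["incident"],
                                  "scanner": found["scanner"], "state": found["state"]})
            continue
        blocked = OPENBINARY_RE.search(msg)
        if blocked and level == "WARNING":
            # Realtime blocked this file on a download; the Manual Scan cannot
            # read, clean or delete it, so an administrator must remove it.
            report["manual_cleanup"].append(blocked["url"])
    return report


# Constructed sample. Lines 1 and 2 are from the slides (the slide's WARNING line
# has no timestamp, so one in the same format is added); line 3 is a constructed
# AV detection whose Scanner and Incident values are placeholders, not a real
# engine name; line 4 is a DIAGNOSTIC line that triage should ignore.
SAMPLE_LOG = '''Tue Jan 16 10:06:25 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: **During Cleaning** File: TESTFILE.docx Incident: FILE FILTER= *.* Scanner: FILE_FILTER_SCANNER State: Blocked"
Tue Jan 16 10:07:02 2007 ( 2492- 2500), "WARNING: SPFile.OpenBinary failed (0x80041050) on "http://sydney/Shared Documents/eicar.com". It might be infected and blocked by SharePoint. Manual scan can't scan this document."
Tue Jan 16 10:08:13 2007 ( 2492- 2496), "INFORMATION: Realtime scan found virus: Folder: Shared Documents File: eicar.com Incident: VIRUS= EICAR-Test-File Scanner: EXAMPLE_AV_ENGINE State: Blocked"
Tue Jan 16 10:08:13 2007, "DIAGNOSTIC: The Realtime scanner detected a FileType of 10 (FOBTYPE_ZIPFILE)"'''


if __name__ == "__main__":
    for cause, items in triage(SAMPLE_LOG.splitlines()).items():
        print(cause)
        for item in items:
            print("  ", item)
```

The manual_cleanup list is the actionable output: each URL in it is a file that Realtime blocked on download, that the Manual Scan, File Filter and keyword scans will never see again, and that stays in the library until someone deletes it.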

Summary

Forefront Security for SharePoint provides three kinds of protection:
  Antivirus scanning of files/documents
  File filtering
  Document content keyword filtering
Forefront supports Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0
  Previous SharePoint versions are supported by Antigen for SharePoint
Supports both 32- and 64-bit deployments
Available now for production deployment!

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.