Yaniv Feldman, Microsoft Security Regional Director, Infrastructure & Security Lead, Db@net Israel

Posted on 13-Dec-2015


Microsoft security technologies (diagram):

- TWC
- SDL
- Systems Management
- Active Directory
- Active Directory Federation Services (ADFS)
- Identity Management Services
- Information Protection
- Encrypting File System (EFS)
- BitLocker™
- Client and Server OS
- Server Applications
- Edge
- Network Access Protection (NAP)
- Forefront "Stirling" Management

Diagram: configuration, security and performance across the network, OS, applications and data layers.

One solution for spyware and virus protection

Built on protection technology used by millions worldwide

Effective threat response

Complements other Microsoft security products

One console for simplified security administration

Define one policy to manage client protection agent settings

Deploy signatures and software faster

Integrates with your existing infrastructure

One dashboard for visibility into threats and vulnerabilities

View insightful reports

Stay informed with state assessment scans and security alerts

Unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control

Unified agent for virus and spyware protection
- Common engine used by Windows Defender, OneCare, Forefront Server Security

On-access protection via kernel mode mini-filter
- Built on Windows Filter Manager platform
- Malware prevented from executing entirely – anti-virus and anti-spyware

User mode scanning
- System Configuration, IE Add-ons & Configuration
- IE and Office downloads
- Services & drivers
- App execution & registration

Scheduled and on-demand scans
- Quick scan – in-memory processes, targeted directories, common malware extensibility points
- Full scan – Quick scan + local drives

Agent behavior manageable by IT administrator
- Flexible scan scheduling (time & interval based)
- Signature update frequency, roaming user fail-over
- Exclusions – file extensions, directories
- Signature overrides: by specific malware, by malware category

Local end-user interface
- Policy aware – i.e. locked-down settings will be grayed out
- Lockdown user interface completely
- SpyNet reporting

Compatible with Windows Security Center and Vista NAP
- Anti-virus and anti-spyware status – on/off and signatures up-to-date

Research & response organization delivers malware signatures for:

Forefront Client Security, Forefront Server Security, Windows Live OneCare, Windows Defender, Malicious Software Removal Tool (MSRT)

Currently protecting millions of systems

Research team uses multiple data sources to identify threats

Released products: Windows Defender, OneCare, MSRT, etc.

Other sources: PSS, Hotmail, web crawling, customer submissions

Partnerships with industry

Top priority is responding to active threats in the wild

Automation in analysis: Automatic malware submission storage and retrieval, resolving of duplicate submissions, prioritization of sample analysis

Building out global 24x7 organization (US, Europe, Asia Pacific)

Industry certifications (OneCare currently, expect same for FCS): ICSA Labs, West Coast Labs

Security Summary

"Is my environment compliant with security best practices?"

"Has my level of vulnerability exposure changed over time?"

"What portion of my environment is at high risk?"

Diagram: the single-point-of-failure problem. SharePoint, ISA Server, SMTP Server and Exchange are protected against Internet viruses, worms and spam by a single vendor and a single engine (engine A everywhere).

Diagram: the management/cost problem. The same servers are protected by multiple vendors and multiple engines (A, B, C, D, E), each deployed and managed separately.

Forefront Server Security products integrate and ship with industry-leading antivirus scan engines from

Each scan job in a Forefront Server Security product can run up to five engines simultaneously

Diagram: internal messaging and collaboration servers running engines A, B, C, D and E.

Comprehensive Protection
- Ships with & manages multiple antivirus engines
- File Filtering and premium anti-spam protection
- File & Content Keyword Filtering for SharePoint

Optimized Performance
- Deep integration with platform
- Scanning innovations and performance controls
- Maintains uptime and optimizes performance

Simplified Management
- Easily manage configuration and operation
- Automated signature updates
- Reporting, Notifications and Alerts

Response time¹ (in hours): Forefront Server Security multiple-engine advantage

| WildList | Malware name     | Forefront Set 1 | Forefront Set 2 | Forefront Set 3 | Vendor 1* | Vendor 2* | Vendor 3* |
|----------|------------------|-----------------|-----------------|-----------------|-----------|-----------|-----------|
| 10/2006  | Areses!Itw30     | 0.00**          | 0.00            | 0.00            | 0.00      | 0.00      | 0.00      |
| 10/2006  | Areses!Itw36     | 0.00            | 0.00            | 0.00            | 1598.78   | 0.00      | 0.00      |
| 10/2006  | Areses!Itw37     | 0.00            | 0.00            | 0.00            | 0.00      | 52.30     | 175.45    |
| 10/2006  | Areses!Itw41     | 0.00            | 0.00            | 0.00            | 0.00      | 13.15     | 194.35    |
| 10/2006  | Mytob!Itw590     | 0.00            | 0.00            | 0.00            | 1332.17   | 0.00      | 0.00      |
| 10/2006  | Rontokbro!Itw36  | 0.00            | 0.00            | 0.00            | 0.00      | 0.00      | 613.40    |
| 10/2006  | Sdbot!Itw1809    | 0.00            | 0.00            | 0.00            | 9.97      | 166.07    | 270.39    |
| 10/2006  | Stration!Itw101  | 0.00            | 0.00            | 0.00            | 93.88     | 23.46     | 96.85     |
| 10/2006  | Stration!Itw102  | 0.00            | 0.00            | 0.00            | 26.00     | 28.05     | 30.83     |
| 10/2006  | Stration!Itw42   | 0.92            | 0.92            | 0.92            | 3.72      | 3.12      | 7.05      |
| 10/2006  | Stration!Itw43   | 2.00            | 2.00            | 2.00            | 4.80      | 4.20      | 8.13      |
| 10/2006  | Stration!Itw44   | 0.00            | 0.00            | 0.00            | 5.60      | 2.00      | 7.58      |
| 10/2006  | Stration!Itw45   | 0.00            | 0.00            | 0.00            | 3.55      | 2.00      | 7.58      |
| 10/2006  | Stration!Itw46   | 0.00            | 0.00            | 0.00            | 2.75      | 2.20      | 6.78      |
| 10/2006  | Stration!Itw47   | 0.00            | 0.00            | 0.00            | 3.72      | 3.12      | 7.05      |
| 10/2006  | Stration!Itw60   | 0.00            | 0.00            | 0.00            | 0.00      | 4.64      | 6.32      |
| 11/2006  | Rbot!Itw2090     | 0.00            | 0.00            | 0.00            | 1739.10   | 0.00      | 298.64    |
| 11/2006  | Sdbot!Itw1814    | 0.00            | 0.00            | 0.00            | 1.00      | 0.00      | 0.00      |
| 11/2006  | Sdbot!Itw1866    | 0.00            | 0.00            | 0.00            | 26.80     | 1.00      | 35.27     |
| 11/2006  | Sdbot!Itw1867    | 0.00            | 0.00            | 0.00            | 14.00     | 12.84     | 23.14     |
| 11/2006  | Sdbot!Itw1876    | 0.00            | 0.00            | 0.00            | 468.60    | 306.82    | 430.80    |
| 11/2006  | Stration!Itw124  | 0.00            | 0.00            | 0.38            | 0.66      | 1.88      | 8.80      |
| 12/2006  | Bagle!Itw137     | 0.00            | 0.00            | 0.00            | 4.01      | 0.00      | 13.83     |
| 12/2006  | Bagle!Itw141     | 0.00            | 0.00            | 0.00            | 17.15     | 0.00      | 13.83     |
| 12/2006  | Puce!Itw1        | 0.00            | 0.00            | 0.00            | 0.00      | 0.00      | 1.00      |
| 12/2006  | Rbot!Itw2038     | 0.00            | 0.00            | 0.00            | 1026.27   | 0.00      | 0.00      |
| 12/2006  | Sdbot!Itw1889    | 0.00            | 0.00            | 0.00            | 128.28    | 255.20    | 63.96     |

* Includes beta signatures
** 0.00 denotes proactive detection
¹ Source: AV-Test.org 2007 (www.av-test.org)

Legend for the single-engine competitor columns: less than 5 hours; 5 to 24 hours; more than 24 hours.

Key Value Proposition: leverage multiple antivirus research labs
- Diversity of antivirus engines and heuristics
- Rapid response
- Redundancy

Bias

Engines used are not always the same. They are dynamically allocated from the available pool.

- Max Certainty: uses all engines (100%)
- Favor Certainty: uses approximately 75% of available engines*
- Neutral: uses approximately 50% of available engines*
- Favor Performance: uses 25% of available engines*
- Max Performance: uses one engine for every scan*

Diagram: response time plotted for engines A, B, C and D drawn from the pool.


Central management console
- Deploys and configures Forefront/Antigen Security for Exchange and SharePoint environments
- Automates signature updates across the enterprise

Diagram: console managing SharePoint Servers and Exchange Servers.

Over 100 Events, Performance Counters, and Services Monitored
- Monitors the state of Forefront
- Collects statistical data on scanning, detection, and removal of messages and attachments
- Polls Forefront Services – provides timed events to poll systems for critical process health

Key Tasks
- Triggers scan engine updates
- Centralizes storage and deployment of license files
- Imports, exports and deploys setting changes
- Initiates and/or schedules manual scan jobs
- Starts/stops control of Forefront services

Diagram: Exchange Server 2007 server roles. Edge Transport (routing, hygiene) sits between the Internet / other SMTP servers and the enterprise network; Hub Transport (routing, policy); Mailbox (mailbox, public folders); Unified Messaging (voice messaging, fax, PBX or VoIP); Client Access (applications: OWA; protocols: ActiveSync, POP, IMAP, RPC / HTTP …; programmability: Web services, Web parts).

New intelligent scanning does not scan email that has already been scanned

By default, email scanned at Edge Transport or Hub Transport does not get scanned again when routed or deposited into mailboxes

Minimizes AV scanning overhead to maximize mail system performance

Significantly reduces scanning impact at the store

Can be turned off to allow scanning at all points

Transport Scanning: Inbound Mail

Diagram: Internet -> Edge Server (SCAN and STAMP) -> Hub Role (NO SCAN) -> Mailbox Role (NO SCAN) -> Mailbox Role / Public Folder / Client.

• Mail scanned only once at the Edge
• Saves processing load on Hub and Mailbox servers

Transport Scanning: Internal Mail

Diagram: Edge Server, Hub Role, Mailbox Role, Public Folder and Client, with a single SCAN and STAMP step and NO SCAN at the remaining points.

Internal mail is routed through the Hub role. Proactive scanning at the Mailbox server (store) is turned off by default. Saves processing load on Mailbox servers.
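The bias levels described earlier and the scan-once stamping on the inbound mail path, modelled together as an added Python example; this is not Forefront code, and the header names, the half-up rounding of the "approximately" percentages and the marker-string stand-in engines are assumptions.

```python
import random
from dataclasses import dataclass, field

# Engine-count fractions per bias level, as listed on the slides;
# None means exactly one engine (Max Performance).
BIAS_FRACTION = {"max_certainty": 1.0, "favor_certainty": 0.75, "neutral": 0.5,
                 "favor_performance": 0.25, "max_performance": None}
MAX_ENGINES_PER_JOB = 5       # slides: up to five engines per scan job
STAMP_HEADER = "X-AV-Stamp"   # hypothetical header name carrying the "stamp"

def engines_for_bias(pool, bias):
    """Pick the engine subset one scan job runs under a bias setting.
    Rounding the slides' 'approximately' figures half-up is our assumption."""
    frac = BIAS_FRACTION[bias]
    n = 1 if frac is None else int(len(pool) * frac + 0.5)
    n = max(1, min(n, MAX_ENGINES_PER_JOB, len(pool)))
    return random.sample(sorted(pool), n)   # dynamic allocation from the pool

@dataclass
class Message:
    body: str
    headers: dict = field(default_factory=dict)
    scanned_at: list = field(default_factory=list)

def scan_at_role(msg, role, pool, bias, rescan_stamped=False):
    """One transport-scanning hop: a message that already carries the stamp
    is skipped unless the scan-once optimisation has been turned off."""
    if STAMP_HEADER in msg.headers and not rescan_stamped:
        return False
    for name in engines_for_bias(pool, bias):
        if pool[name](msg.body):                  # any engine may flag the body
            msg.headers["X-AV-Verdict"] = f"infected:{name}"
            break
    msg.headers[STAMP_HEADER] = role               # stamp so later hops skip it
    msg.scanned_at.append(role)
    return True

def route_inbound(msg, pool, bias, rescan_stamped=False):
    """Inbound path Edge -> Hub -> Mailbox; returns the roles that scanned."""
    for role in ("Edge", "Hub", "Mailbox"):
        scan_at_role(msg, role, pool, bias, rescan_stamped)
    return msg.scanned_at

# Constructed stand-in engines: each is a predicate over the message body.
ENGINE_POOL = {
    "A": lambda body: "MARKER-A" in body, "B": lambda body: "MARKER-B" in body,
    "C": lambda body: "MARKER-C" in body, "D": lambda body: "MARKER-D" in body,
    "E": lambda body: False,   # an engine that never flags anything
}
```

With the default setting only the Edge hop scans; passing rescan_stamped=True makes every hop scan, which is the "scanning at all points" option the slides mention.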

Forefront Security for Exchange Server licenses and activates the premium anti-spam features for Exchange 2007

Deployed on Exchange Edge or Hub server role

Edge server can be deployed in front of Exchange 2003 mailboxes

Built upon base anti-spam in Exchange 2007, premium anti-spam protection adds:
- Microsoft IP reputation filter service and automated updates
- Automated updates for Microsoft Smartscreen spam heuristics, phishing Web sites and Intelligent Message Filter (IMF)
- Targeted spam signature data and automatic updates to identify latest spam campaigns

Diagram: users upload documents to and download documents from a SharePoint Server document library backed by SQL.

Virus Protection for Document Libraries
- Real-time scanning of documents uploaded to and downloaded from the document library
- Manual and scheduled scanning of the document library

Content Policy Enforcement
- File filtering to block documents from being posted based on name match, file type or file extension
- Content filtering by keywords within documents for inappropriate words and phrases

Diagram: Office Communications Server 2007 topology, with external users, public IM networks, a remote user (VPN) and a federated (trusted) organization outside; ISA Server and the Access Edge Server in the perimeter network; and the Front-End Server and Director Server on the internal network.

FSOCS scans IM messages & file transfers flowing through OCS 2007 by protecting each instance of a Standard Edition, Front End, Director and Access Edge server role.

Roadmap (diagram): past, current and future for Client, Server and Edge; Next Generation Client Security, Next Generation Server Security, Next Generation Edge Security; Integrated Protection & Management, codename "Stirling".

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Yaniv [email protected]

Thanks for Listening