PowerPoint -Introduction to Antivirus...
  • Hello and welcome to today’s seminar entitled, “Information Security Lifecycle: A Business Approach for Today and Tomorrow.” We’ll be presenting lots of information about security and how you can best protect your enterprise.
  • First I’d like to cover some of the trends we see from an attack perspective. Attacks related to malicious code and network intrusions are both rising rapidly. Not only are attacks increasing in frequency; more troubling, they are becoming more complex, with an evolutionary chain that runs from polymorphic viruses through mass mailers and denial of service to, most recently, blended threats. Malicious code makes up the vast majority of the attack total. Organizations laboring under resource constraints face the daunting task of dealing with this increase in attack rate and sophistication, and because most attacks are handled reactively rather than proactively, the task is harder still.

    Background: Infection attempts were calculated from the total number of systems installed worldwide (IDC figures covering PCs, laptops and servers) and the estimated infection attempts per 1,000 systems (ICSA monthly infection rates). The network intrusion attempt data comes from CERT.

    “Increasing sophistication” means:
    - Blended threats.
    - Planting an innocuous, inactive trojan on a client system that later opens ports to particular threats.
    - Worms that target one OS in order to go after another; e.g., the IIS/sadmind worm released in May used infected Solaris boxes to deface web pages hosted on NT.
    - Stock-in-trade behavior today is to shut down client system security and virus protection, allowing payloads to have greater adverse impact.
    - Infections that are difficult to find and require complex remediation.

    Companies have limited time and a lack of security resources, while IT has increasing responsibilities. Security budgets are increasing dramatically with no end in sight; the average cost of a security person is $70,000 per year. Organizations must increase ROI through safe and efficient use of existing IT sunk costs like ERP, by extending ERP via customer relationship management (CRM), supplier relationship management (SRM), partner relationship management (PRM) and B2B commerce. That is dangerous without further investment in security: companies are still being compromised despite existing defenses. In-house security personnel without support from trusted information partners like Symantec are reactive. The five minutes a security person takes to read alert services or a TMS message generally saves 2.5 hours per day of research, yet the company still has no perspective on risk or mitigating strategies. Vulnerability assessment and response is complex and difficult to manage; TMI (too many inputs) paralyzes companies into late response to threats or potential threats. Symantec DeepSight offers two degrees of specifically organization-targeted and filtered information. Graph and “blended threats” term: because these are legacy Symantec, they will easily demonstrate how these services fit into our existing solution set.
  • While attack tools and the attacks themselves are becoming ever more sophisticated, the actual amount of knowledge required by an attacker is dramatically decreasing. This is because hacking software and techniques are widely published on the Internet providing intruders with downloadable “click and hack” automated tools. This lowers the bar for attacks, increasing the frequency.
  • Looking at the evolution of malicious threats and their historical and potential future impact in terms of scope, we see the following: individual denial of service attacks and web defacements evolve into more sophisticated distributed denial of service attacks; stealing individual credit cards evolves into stealing millions of credit cards and selling them to organized crime. Attacks in the past affected individuals and organizations, while more recent attacks have increased in scope, affecting regions of the world and industry sectors, such as a two-week hacking incident in 2001 against the California Independent System Operator that came close to disrupting the transmission of electricity across the state, and a hacker in Australia who succeeded in causing a sewage treatment system to leak hundreds of thousands of gallons of sewage into parks, rivers, and the Hyatt Regency Hotel. As we move into the future, we may see blended threats evolve into flash threats that move across the Internet in seconds, massive worm-driven distributed denial of service attacks that disrupt service across the world, and attacks on individual nations’ infrastructures. Let’s look more specifically at how malicious code attacks are evolving…

    A few specific examples that can be used:
    - E-mail worms: Melissa, LoveLetter
    - DDoS: attacks on Yahoo, CNN, eBay, etc. in February 2000
    - Limited Warhol threats: Slammer
    - Worm-driven DDoS: Slammer, Code Red
    - National credit hacking: the recent attack compromising 8 million credit cards
    - Infrastructure hacking, two examples:
      1. Cal-ISO: in 2001, hackers attacked the California Independent System Operator’s network (Cal-ISO), which controls most of the state’s power grid, for more than two weeks. The intruders came close to gaining access to key parts of the Cal-ISO network, where they could have seriously disrupted the transmission of electricity across the state, according to published reports (Los Angeles Times).
      2. Sewage exploit: in 2000, a hacker in Australia broke into an online sewage treatment system, causing it to leak hundreds of thousands of gallons of sewage into parks, rivers, and the Hyatt Regency Hotel.
  • This chart shows the emergence of new types of malicious code mapped against general threat classes over time. To date most attacks have fallen into Class I threats, which take a matter of days to hours to spread. This includes e-mail worms and more recent blended threats like Nimda. Having human beings respond to such threats with virus updates, router filters, firewall rules, etc. is possible. Class II threats spread across the Internet in a matter of hours to minutes. For example, a Warhol-type threat is one that can spread to massive numbers of systems in just 15 minutes of “fame”. The Slammer SQL worm that John talked about showed the first potential glimpses of a Warhol-type threat, with its infection rate doubling every 8.5 seconds in the initial stages (in fact, 90% of the vulnerable hosts were infected within 10 minutes). Human response becomes difficult or impossible for such threats, although an automated response would be possible. Class III threats spread across the Internet in a matter of minutes to seconds. We have not seen any true Flash threats yet, but we probably will in the next several years. The initial outbreak of fast-moving Flash threats will require proactive technologies for defense.

    Background: New threat categories are listed according to the approximate time of their initial emergence: e-mail worms (Melissa), blended threats (Code Red), etc. “Warhol” threats have been discussed in the research literature; they can spread to massive numbers of machines within minutes. The recent Slammer SQL worm showed the first potential glimpses of a Warhol-type threat: according to a recent research report, Slammer’s infection rate doubled every 8.5 seconds in its initial stages, infecting more than 90% of vulnerable hosts within 10 minutes (http://www.cs.berkeley.edu/~nweaver/sapphire). “Flash” threats have also been discussed in the research literature; they can spread to a large percentage of susceptible targets within seconds. We have not yet seen any true Flash threats, but these will likely occur in the not-so-distant future.

    Threat classifications (these specific classifications are proposed here; to our knowledge they have not been used previously):
    - Class I threats spread to a large percentage of susceptible targets in timeframes from months/weeks to hours (traditional computer viruses, first-generation e-mail worms and blended threats). Human response to such threats is possible.
    - Class II threats spread to a large percentage of susceptible targets in timeframes from hours to minutes (newer blended threats, Warhol threats). The fastest-moving Class II threats are very difficult or impossible to address via human response mechanisms; they require more automated responses.
    - Class III threats spread to a large percentage of susceptible targets in timeframes from minutes to seconds (Flash threats). The fastest Class III threats can likely only be defended against through proactive technologies.
  • Blended threats, worms, and hackers often exploit vulnerabilities. Typically these exploits occur some time after the vulnerability is identified; we call this interval the vulnerability threat window. Recent high-profile cases like Nimda and Slammer all had vulnerability threat windows of many months, leaving plenty of time for the vendor to create a patch and for the public to be warned, reducing the potential damage. In fact, thus far the shortest time from a patch being available to the vulnerability being exploited was 28 days, with Code Red. On average, exploits have taken six months after the vulnerability was publicly disclosed. In the day-zero scenario, an exploit is created and released immediately once the vulnerability is discovered, …
  • … leaving no time for the targeted software vendor, or computer administrators and users, to respond. Today, many of even the most damaging malicious threats are released by “amateurs”, often young people with no particular target in mind (for example, Nimda and Klez, for all of the damage they did, were not targeted at any specific organization or set of systems). However, with more critical business and government functions conducted online, we expect to see a shift in attacker demographics from the amateur programmer to better-funded and more dedicated attackers: organized crime, terrorist organizations, nation-state threats, etc. These attackers are likely to have much more specific targets and motivations. We expect to see a reduction in the vulnerability threat window as this shift occurs. (Searching for vulnerabilities and quickly creating exploits is likely to be a time-consuming and expensive task, requiring the efforts of more heavily funded attackers.)
  • This chart shows the potential impact from various types of threats on emerging targets over the next several years: wireless infrastructure, web services, the Internet backbone and physical infrastructure systems, which often use SCADA (Supervisory Control and Data Acquisition). In general, as we move from targeted hacking to day-zero, Warhol and Flash threats, we expect to see a shift from localized short-term disruption to major disruption. The wireless and Internet infrastructures are likely to be more resilient to disruption than web services and perhaps industrial infrastructure systems. SCADA systems tend to be based on old hardware and protocols and rely primarily on physical security controls.

    Some statistics:
    - Wireless: Ovum Research forecasts wireless Internet usage to climb to 484 million users by 2005.
    - Wireless: In-Stat predicts that wireless-using workers in the U.S. will rise to more than 60 percent in 2004 and business spending on wireless devices will increase to nearly $74 billion in 2005.
    - Web services: ZapThink estimates the market for XML and Web Services security will grow from $40 million in 2001 to $4.4 billion by 2006.
    - Broadband: eMarketer predicts the number of broadband subscribers worldwide will rise to 117 million by 2004, while In-Stat/MDR places the number of home users at more than 120 million by 2005.
    - Instant messaging: IDC estimates the number of IM users will grow to over 500 million by 2005, with 300 million of those being corporate users.
  • Over the past 4-5 years we have seen a consistent increase in the number of new vulnerabilities reported, moving from an average of 10 per week in 1999 to an average of 50 per week in 2002. We estimate that this year the increase will continue to an average of 70 per week. The growth in reported vulnerabilities is not because we are seeing more bug-ridden products; rather, it can be attributed to several causes: an increased attitude of full disclosure, and increased awareness of vulnerabilities. This is a double-edged sword. Although we have more information available to secure our networks, the bad guys also have more information available with which to launch their attacks. So of the 10 new vulnerabilities reported yesterday, do you know which ones affect your network environment?
  • Now take a look at this data. The graph shows the age of the targeted vulnerability for each event reported to Symantec last year; in other words, how long between the first disclosure of the vulnerability and when a hacker used it to attack a company. If this graph looks reassuring, note that the roughly 10% of events that exploited a vulnerability within 90 days of disclosure represent over 20 million events reported to Symantec last year.

    Age of targeted vulnerability at time of attack (events reported to Symantec, CY2002):
    - Less than 30 days: 1 million events
    - 31-60 days: 7 million events
    - 61-90 days: 14 million events
    - More than 90 days: 234 million events

    While 90 days may sound like enough time to respond, it’s not. Remember that the vulnerability targeted by Slammer was six months old, and Slammer was successful. We see the same pattern repeated over and over again. If you haven’t taken steps to mitigate your vulnerabilities after 90 days, your risk of exploit increases sharply. Source: Symantec TMS, CY2002 IDS data.
  • Today protecting the network is handled at multiple tiers (gateway/server/client) that do not “work together” to stop a security threat. As a result, expertise and knowledge sharing does not occur, and this ultimately hurts all the departments: unintentionally, these departments may introduce vulnerabilities or threats into the organization because one department thought another was covering the exposure, and vice versa. Security management therefore needs to look at the enterprise holistically, not just at one tier or one technology, and translate all this information into meaningful information that is actionable. Given the challenges businesses have today, together with the pressures on them, the implications are:
    - Business is inefficient: your resources are working as hard as they can, but they (and you) are unsure of the current security posture, and unsure of what will make the biggest difference to protection if they have a choice of implementing one solution over another.
    - Your business ultimately may have less protection than you expect. Many vulnerabilities are unidentified.
    - Many of the tools you have implemented provide so many alerts that you stop listening (also known as “false positives”).
    - Blended threats impact so many different portions of your network that you’re not sure what to fix first.
    This ultimately causes a very high cost of ownership.

    Interactive questions to pose to the audience: Who has overall responsibility for security? Who does a user call if there is a security issue? Does that person/group have authority to mandate a fix? Who manages the security configuration? Which systems/networks are secure? How do you know? Can you tell when they go out of compliance? Who returns them to compliance?
  • Let’s look at attack patterns per company over the last 6 months. Predicting when attacks occur is impossible. The reality is that you must always be prepared.
  • I probably don’t have to convince you that when we talk enterprise security, we’re discussing a complex environment where a number of different security technologies are in place. You probably also realize that one vendor cannot do it all and therefore, you need to partner in various areas and have a multi layered solution.
  • This is how Symantec makes sense of all the components within the environment, and the process by which to secure your enterprise. The four main components are: Alert, Protect, Manage, Respond.
  • The optimal state is one that takes into account all four of these security disciplines. The key to this slide is to convey that it is about THE CUSTOMER, not about Symantec. We’ve been thinking about all this complexity and asking ourselves how we can help customers get their arms around it. So we’ve come up with this simple model of what it takes to secure the enterprise. First, you want an early-alerting system, and you want to be alerted BEFORE threats damage your business. Next, and most fundamentally, you want to protect your business; you need a variety of security solutions at all tiers of the network. Third, you need to respond when threats emerge, and here the key word is FAST. Finally, you have to manage this far-flung security environment. It’s not an easy task (that’s the ultimate understatement), and that’s the problem we’re addressing with today’s announcement.
    - Alert: early information to gain control and take action
    - Protect: security technologies to effectively prevent and defend against attacks
    - Manage: efficient use of technology, data and personnel
    - Respond: optimal attack readiness and remediation
  • Let’s start with Alert. The Alert segment is designed to give users the knowledge and intelligence to proactively defend themselves from potential threats. (Products / services should not be discussed in this section.)
  • Next, the Protect segment contains all of the technologies that are used to manage the access to the system and to prevent malicious code from reaching the applications for which the code was designed to harm.
  • Third, the Respond component deals with the necessity to provide users with the instant repair action and with instant signature updates. This provides the ability to have the helping hand needed to recover and to address a problem once it has begun.
  • And, ultimately, the Manage segment deals with the complexity of data and with the ability to administer the entire environment, focusing on components of the threat that are the most important to deal with.
  • Provides customers the same quality and timeliness of response as our desktop/server protection. Uses the NAVEX architecture. Leverages Central Quarantine, Scan & Deliver, etc. (Digital Immune System).
  • This is the industry’s FIRST integrated client security offering: not a suite of products, but INTEGRATED technologies, based on industry-leading technologies:
    - AV based on our latest corporate AV technology (SAV Corp)
    - Client firewall based on our award-winning Norton Personal Firewall, modified to meet the demands of enterprise customers
    - Best-in-class host-based intrusion detection
    All of these are provided with a single install, either pre-packaged or conveniently customizable (uses Packager technology; pre-packaged offerings include a fully managed install, a lightly managed install, and a thin client). All of these technologies are managed by a common management console, the Symantec System Center, that our installed-base NAV CE customers are already familiar with. For enhanced management capabilities there is optional integration with Symantec Security Management System, an advantage of our common architecture, SESA, which I’ll describe in a minute. This is a great stride forward in providing the quickest response possible to the new types of threats today: a single, timely deployment of definitions, rules and signatures using our world-class LiveUpdate deployment mechanism. Game changing because no other competitor can do FW, AV and IDS for the client.
    Customer benefits:
    - Multiple integrated security technologies provide better protection
    - Reduces the administrative burden of network client protection
    - Enables the enterprise to respond to threats more quickly
    - Reduces security costs and total cost of ownership
    - Simplifies the security problem while providing needed protection
  • Until now, customers have deployed multiple security technologies from multiple security vendors. This leads to possible compatibility issues and potential holes in security that will allow a complex threat to spread. What is needed is integrated technologies that are aware of each other and can take appropriate action when a complex threat is encountered.
    CLIENT SECURITY POLICY ENFORCEMENT: Typical client firewall products scan incoming and outgoing traffic against firewall and application rules. If a file coming through the firewall is infected with a virus, the typical firewall is going to let it through. Firewall technology within Symantec Client Security works seamlessly with antivirus technology to protect the client from viruses, even if the administrator or user has configured real-time virus protection in the “off” position. When the firewall encounters a file it will call the antivirus scan engine to check for viruses. If a virus is found, the antivirus technology will instruct the firewall to raise the threat level to “high” with a default action to “block” the file from entering or leaving the system. Through integration of client firewall and intrusion detection technologies, scanning and comparing all incoming and outgoing traffic with known sets of signatures enables the intrusion detection technology to instruct the firewall to block an unauthorized intruder’s offending IP address for up to 30 minutes.
  • Symantec Client Security offers flexible, easy installation and deployment of all or selected security components in a single install package, using the Symantec Packager. Administrators can:
    - Deploy the solution immediately by selecting from three pre-configured installation packages: managed client, lightly managed client, and thin client (the thinnest client possible without affecting protection); or
    - Create custom deployment packages that include the security components, sub-components, and installation options that suit diverse client environments.
    Benefit: Makes deployment easier, saving administrator time and effort and lowering costs. Provides greater flexibility through its modular design to meet the unique needs of varying environments.
  • A top need of customers today is the ability to communicate the health of their client security to management. It is one thing to have protection on client machines, but another to determine how well the security is working. In Q4 2002, Symantec Client Security will integrate with Symantec Information Management, the first release of Symantec Security Management System, and provide centralized logging, alerting and graphical reporting. Many large enterprises tell us that they receive virus alerts all day long. The alerts happen at different times and from various regions. The administrator is left with a bunch of alerts but no way of identifying whether an “event” is taking place. Symantec Information Management offers alerting thresholds, such that the administrator can set an alert to occur if x virus alerts occur within a given time span. The benefit is that the administrator has an early warning system that allows them to be proactive in the case of a rapidly spreading threat.
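    The alerting-threshold idea above is simple detection logic and is worth seeing end to end. The following is an added example, not Symantec Information Management code: it parses constructed virus-alert log lines in an assumed key=value format, keeps a sliding window per virus name across all regions, and raises a single outbreak alert when the count inside the window reaches the administrator's threshold, re-arming only after the window has drained.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed client virus-alert log lines for the example; the key=value
# layout is an assumption, not Symantec's real log format.
SAMPLE_LOG = """\
2002-09-18 07:02:11 host=ws-ny-014 region=NY virus=W32.Klez.H@mm action=quarantined
2002-09-18 08:15:40 host=ws-ny-022 region=NY virus=W32.Klez.H@mm action=quarantined
2002-09-18 09:40:05 host=ws-ld-003 region=London virus=W32.Klez.H@mm action=quarantined
2002-09-18 10:00:12 host=ws-ny-031 region=NY virus=W32.Nimda.A@mm action=blocked
2002-09-18 10:00:47 host=ws-ny-007 region=NY virus=W32.Nimda.A@mm action=blocked
2002-09-18 10:01:30 host=ws-tk-011 region=Tokyo virus=W32.Nimda.A@mm action=blocked
2002-09-18 10:02:05 host=ws-ld-019 region=London virus=W32.Nimda.A@mm action=blocked
2002-09-18 10:03:58 host=ws-ny-044 region=NY virus=W32.Nimda.A@mm action=blocked
2002-09-18 10:04:20 host=ws-tk-002 region=Tokyo virus=W32.Nimda.A@mm action=blocked
2002-09-18 11:30:00 host=ws-ld-008 region=London virus=W32.Klez.H@mm action=quarantined
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) region=(?P<region>\S+) virus=(?P<virus>\S+)"
)


@dataclass
class VirusEvent:
    when: datetime
    host: str
    region: str
    virus: str


@dataclass
class OutbreakAlert:
    virus: str
    when: datetime   # time of the event that crossed the threshold
    count: int       # events inside the window at that moment
    hosts: list
    regions: set


def parse_events(log_text):
    """Parse the key=value lines; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(VirusEvent(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                     m["host"], m["region"], m["virus"]))
    return events


def detect_outbreaks(events, threshold, window_seconds):
    """Sliding-window threshold: raise one alert per virus when at least
    `threshold` detections of it arrive within `window_seconds`, regardless
    of region. The alert fires once on the crossing event and is re-armed
    only after the window drains below the threshold again."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)            # virus -> events inside the window
    armed = defaultdict(lambda: True)      # virus -> may fire
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        q = recent[ev.virus]
        q.append(ev)
        while q and ev.when - q[0].when > window:
            q.popleft()
        if len(q) >= threshold and armed[ev.virus]:
            alerts.append(OutbreakAlert(ev.virus, ev.when, len(q),
                                        [e.host for e in q], {e.region for e in q}))
            armed[ev.virus] = False
        elif len(q) < threshold:
            armed[ev.virus] = True
    return alerts


def run_sample(threshold=5, window_seconds=300):
    """Run the detector over the constructed log with the given policy."""
    return detect_outbreaks(parse_events(SAMPLE_LOG), threshold, window_seconds)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.when} OUTBREAK {a.virus}: {a.count} hosts across "
              f"{sorted(a.regions)} within 5 minutes")
```

    The steady trickle of Klez detections never fills the window, while six Nimda hits from three regions in four minutes produce exactly one alert at the fifth event; the regions set is what tells the administrator that this is an enterprise-wide event rather than one noisy site.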
  • Client platforms: Symantec Client Security supports the most popular platforms.
    64-bit support: The solution will support Intel Itanium-class machines and offer 64-bit client support in Q4 2002. Support for this platform will include 64-bit drivers; however, the application will run in 32-bit mode. Although not optimized for the Itanium chip, the level of protection offered does not decrease as a result.
    .NET support: The solution will support the .NET platform in Q4 2002, providing antivirus protection for .NET, .NET Advanced Server and .NET DataCenter.
    Silent or interactive integrated install: The administrator has the flexibility to decide how the solution gets installed on the client machine. For novice users the administrator could install the solution silently, without end-user interaction; for advanced users the administrator might want to offer the user flexibility in how and where the solution is installed.
    Three pre-packaged installations: For customers not interested in the flexibility of customizable installation packages who need to deploy immediately, Symantec Client Security offers three pre-packaged installations that can be deployed directly from the Symantec Client Security CD or using their own distribution mechanism.
    Product migration: One of the biggest needs of customers who own competitive products or legacy Symantec technology is to migrate to Symantec Client Security with minimal cost and overhead. This is very important to Symantec. We include a generic uninstall tool that can be utilized to remove competitor products from client machines. The Symantec Client Security install will identify legacy versions of Symantec technology, uninstall them and install the new solution. For customers that own NAV Corp 7.x, the install will retain user settings, remove NAV Corp and install Symantec Client Security with the saved user settings.
    Limited or full user interface with password protection: Many customers do not want their end users to interact with the client security that has been installed. Symantec Client Security allows the administrator to set whether the user has full or limited access to the integrated solution. Password protection stops the user from accessing or uninstalling the solution.
    Note: The solution will ship with antivirus server support for NetWare 6.0.
  • Inbound and outbound traffic scanning: Symantec Client Security brings firewall technology to the desktop by monitoring all inbound and outbound traffic and allowing through only what has been defined as valid traffic. Firewall technology within Symantec Client Security works seamlessly with antivirus technology to protect the client from viruses, even if the administrator or user has configured real-time virus protection in the “off” position. When the firewall encounters a file it will call the antivirus scan engine to check for viruses. If a virus is found, the antivirus technology will instruct the firewall to raise the threat level to “high” with a default action to “block” the file from entering or leaving the system.
    Intrusion detection: Symantec Client Security intrusion detection will compare inbound and outbound traffic against a known set of intrusion signatures maintained by the Symantec Security Response team, thus providing a significantly higher level of protection. In the event of an intrusion attempt, the intrusion detection technology will instruct the firewall to automatically block the offending IP address for 30 minutes.
    Internet Zone Control: Allows an administrator to define specific computers, individually or by IP range, as trusted or restricted computers. Offers the ability to say that an intrusion source address is restricted permanently from access to the client.
    Additive VPN support:
    - Nortel Contivity Extranet Switch with Extranet Access Client (IPSec)
    - Nortel Contivity Extranet Switch with Windows as client (PPTP)
    - Cisco/Altiga VPN Concentrator with Altiga client (IPSec)
    - Cisco/Altiga VPN Concentrator with Windows as client (PPTP)
    - Raptor Mobile
    - Microsoft Win2K client
    - Check Point
    Content filtering, user defined: Prevents user-defined confidential information from being sent out without the user’s knowledge. Prevents web servers from retrieving information without the user’s knowledge, on a site-by-site basis. Allows for control of ActiveX controls and Java applets on a site-by-site basis.
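    The firewall, intrusion detection and antivirus hand-offs described in the policy-enforcement notes earlier and again in this slide can be sketched as one small policy engine. This is an added example, not Symantec Client Security code: the intrusion signatures, the virus marker string, the packet shape and the zone lists are constructed; the 30-minute temporary block, the permanent restricted zone, and the rule that a detected virus blocks the file but not the peer follow the text above. A fake clock is injected so the block expiry can be observed without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

BLOCK_SECONDS = 30 * 60   # the 30-minute block the talk describes

# Constructed intrusion signatures for the example, not Symantec's set.
IDS_SIGNATURES = {
    "nop-sled": b"\x90" * 8,
    "unicode-traversal": b"..%c0%af..",
}
# Constructed virus marker standing in for a real definition.
AV_SIGNATURES = {"Constructed.Test.Marker": b"CONSTRUCTED-VIRUS-MARKER"}


@dataclass
class Packet:
    src: str               # source IP as text
    payload: bytes
    is_file: bool = False  # True when the stream carries a file transfer


def scan_file(data: bytes) -> Optional[str]:
    """Antivirus engine hook: returns the virus name or None."""
    return next((n for n, sig in AV_SIGNATURES.items() if sig in data), None)


def match_intrusion(data: bytes) -> Optional[str]:
    """Intrusion-detection hook: returns the matched signature name or None."""
    return next((n for n, sig in IDS_SIGNATURES.items() if sig in data), None)


@dataclass
class ClientFirewall:
    clock: Callable[[], float] = time.time
    trusted: Set[str] = field(default_factory=set)      # Internet Zone Control
    restricted: Set[str] = field(default_factory=set)   # permanent restriction
    temp_blocks: Dict[str, float] = field(default_factory=dict)  # ip -> expiry

    def block_temporarily(self, ip: str, seconds: float = BLOCK_SECONDS) -> None:
        self.temp_blocks[ip] = self.clock() + seconds

    def is_blocked(self, ip: str) -> bool:
        if ip in self.restricted:
            return True
        expiry = self.temp_blocks.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.temp_blocks[ip]          # block has aged out
            return False
        return True

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("allow" | "drop", reason) for one packet."""
        if self.is_blocked(pkt.src):
            why = "restricted zone" if pkt.src in self.restricted else "temporary block"
            return "drop", why
        # IDS runs on every untrusted source; a hit blocks the source IP.
        if pkt.src not in self.trusted:
            sig = match_intrusion(pkt.payload)
            if sig:
                self.block_temporarily(pkt.src)
                return "drop", f"intrusion signature {sig}; source blocked 30 min"
        # The firewall hands files to the AV engine even when real-time
        # protection is off; a hit blocks the file but not the peer.
        if pkt.is_file:
            virus = scan_file(pkt.payload)
            if virus:
                return "drop", f"threat level high: {virus}"
        return "allow", "policy"


def run_demo():
    """Scripted scenario on an injected clock; returns the verdicts in order."""
    now = [1_000.0]
    fw = ClientFirewall(clock=lambda: now[0], restricted={"192.0.2.9"})
    steps = []
    # 1. Probe carrying a constructed intrusion signature: dropped, source blocked.
    steps.append(fw.inspect(Packet("203.0.113.5", b"GET /scripts/..%c0%af../winnt/ HTTP/1.0")))
    # 2. Ten minutes later the same host sends benign traffic: still blocked.
    now[0] += 10 * 60
    steps.append(fw.inspect(Packet("203.0.113.5", b"GET / HTTP/1.0")))
    # 3. Past the 30-minute mark the block ages out and traffic flows again.
    now[0] += 21 * 60
    steps.append(fw.inspect(Packet("203.0.113.5", b"GET / HTTP/1.0")))
    # 4. A permanently restricted address never gets through.
    steps.append(fw.inspect(Packet("192.0.2.9", b"GET / HTTP/1.0")))
    # 5. A file download containing the marker is blocked, but the peer is not.
    steps.append(fw.inspect(Packet("198.51.100.7", b"MZ\x90\x00CONSTRUCTED-VIRUS-MARKER", is_file=True)))
    steps.append(("peer-blocked", str(fw.is_blocked("198.51.100.7"))))
    return steps


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:13s} {reason}")
```

    Two details are deliberate: the blocked-source check runs before signature matching, so a blocked peer costs no inspection, and the expiry is evaluated lazily against the injected clock rather than by a background timer, which keeps the engine deterministic and testable.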
  • Common Scan Engine: The scanning engine in Symantec Client Security is the same scanning engine used in all Symantec AntiVirus products. It is multi-platform, multi-tier and multi-lingual, so Symantec can deliver a single set of virus definitions and scanning engine updates that apply to all platforms, network tiers and languages.
    Unknown virus detection (heuristics): Symantec Client Security can detect unknown threats through heuristic technology. When a file is accessed, Symantec Client Security watches for odd behavior. If, for example, the user launches a Word document and Word then attempts to write to the boot sector of the hard drive, that is not normal behavior for Word, so Symantec Client Security flags the file as possibly infected.
    Incremental virus definitions: Symantec Client Security has two methods of updating virus definitions, LiveUpdate and the Virus Definition Transport Method. Both can deliver incremental virus definitions, i.e. only the definitions added since the last update.
    “Push” technology: one of the solution's major competitive points. In an outbreak scenario the administrator wants to deploy the cure as fast as possible. Using the Virus Definition Transport Method, the administrator can “push” the cure through the hierarchical management system, ensuring the fastest deployment possible. Because the push uses the Symantec System Center infrastructure, natural throttling is achieved. Competitors use scheduling mechanisms to update their end users, so in an outbreak those administrators are at the mercy of each user's update schedule, which means a longer timeframe to update the environment. Note: the definition file associated with the push technology has been reduced from 4.2 MB (what NAV Corp uses today) to ~80 KB thanks to incremental virus definitions, and the incremental push does not require a monthly hub (a full set of virus definitions).
    Roaming: If the client's parent server goes down, the client will roam to the closest parent server to retrieve updates. Similarly, if the client travels to a remote office (sometimes with very slow connectivity back to the home office), the client will roam to the closest, fastest parent server for updates.
    Quarantine: If the virus protection identifies a known or suspicious file, it quarantines the file so that the user cannot interact with it. The file can also be sent to a central Quarantine server where the administrator can view all virus activity in the enterprise. Central Quarantine can submit the infected file to Symantec for analysis via the Digital Immune System.
    Digital Immune System: Provides access to backend response mechanisms that deliver fast, reliable, hands-free virus detection, analysis and repair via closed-loop automation. This is a unique feature of Symantec Client Security.
    Email Scanning: Symantec Client Security can scan incoming email and attachments from MS Exchange and Lotus Notes.
    Other enhancements made to the antivirus technology in Symantec Client Security:
    • Decomposer scan time improved by up to 50% through in-memory decomposition
    • AutoProtect Resume re-enables real-time protection if it is turned off
    • Can now scan Ghost images
    • Discovery is now multi-threaded
    • Multi-threaded server rollout of definitions
    • Scan priority can be adjusted so that a scan runs only when the machine is idle
    • Auto-Protect scanned-file cache optimized
    • Auto-Protect exclusions optimized
    • Battery check: a scheduled scan is skipped while the machine is on battery power
    • Scan Delay/Snooze lets the user pause and delay an administrator-scheduled scan
    • Continuous LiveUpdate: a silent update is launched if the definitions are out of date
    • Updates can be scheduled more than once a day
    • Terminal Server can be installed as a client
    • Logs any attempt to make unauthorized registry changes
    • Authentication of policy and definition updates sent from Symantec System Center to the client
    • Notification of application tampering
    • Admin-forced LiveUpdate: LiveUpdate refreshes the definitions if the installed set is older than x days
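The behavioral heuristic described above (a document application writing to the boot sector is flagged, whatever the file's signature) can be shown as a small rule engine over an on-access activity trace. This is an added example, not Symantec's Bloodhound code: the event shape, the list of document applications, the raw-disk device names and the sample trace are all constructed here for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    process: str    # image name of the process that performed the access
    op: str         # "read" or "write"
    target: str     # file path or device name touched
    document: str   # document the process was launched with (assumed known to the monitor)

# Constructed rule data: applications that handle documents and therefore have no
# business writing to raw disk or dropping executables.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RAW_DISK_PREFIXES = (r"\\.\physicaldrive", r"\\.\c:")    # boot sector / raw volume handles
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".vbs", ".bat")

def check_event(ev):
    """Return the heuristic rules this single event violates (empty list if none)."""
    hits = []
    proc, target = ev.process.lower(), ev.target.lower()
    if proc in DOCUMENT_APPS and ev.op == "write":
        if target.startswith(RAW_DISK_PREFIXES):
            hits.append("document application wrote to raw disk / boot sector")
        if target.endswith(EXECUTABLE_EXTS):
            hits.append("document application dropped an executable")
    return hits

def scan(events):
    """Attribute every rule hit to the document that was open at the time, which is
    the object the on-access scanner would quarantine."""
    verdicts = {}
    for ev in events:
        for hit in check_event(ev):
            verdicts.setdefault(ev.document, []).append(hit)
    return verdicts

# Constructed sample trace (not a real capture): memo.doc behaves normally,
# report.doc makes Word write to the raw disk and drop an executable.
SAMPLE_EVENTS = [
    FileEvent("winword.exe", "read",  r"C:\Users\alice\memo.doc",          "memo.doc"),
    FileEvent("winword.exe", "write", r"C:\Users\alice\memo.doc",          "memo.doc"),
    FileEvent("winword.exe", "read",  r"C:\Users\alice\report.doc",        "report.doc"),
    FileEvent("winword.exe", "write", r"\\.\PhysicalDrive0",               "report.doc"),
    FileEvent("winword.exe", "write", r"C:\Windows\System32\svchost.exe",  "report.doc"),
]

if __name__ == "__main__":
    for doc, hits in scan(SAMPLE_EVENTS).items():
        print(f"QUARANTINE {doc}: {'; '.join(hits)}")
```

The rules are deliberately scoped to the process that opened the document: the same raw-disk write from a disk utility is legitimate, which is why signature-free heuristics key on who is doing something rather than only on what is done.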
  • We are making major investments to ensure that Symantec responds to new threats more rapidly and completely than any other company. We implemented wireless alerting capabilities to reach our customers anytime, anywhere. We instituted new processes to get virus definitions written up more quickly. We introduced live 24x7 coverage for mission-critical perimeter products. We improved our ability to handle web traffic on demand (Akamai). We continued to refine our ability to detect and protect from more threats than any other company; in fact, we were the only company out of 21 surveyed by Virus Bulletin to detect 100% of viruses, both standard viruses and in-the-wild viruses. We instituted an on-line customer feedback process to improve overall responsiveness. We will continue to make investments of this magnitude. Current areas of focus: web-based support and increasing the percentage of customer issues that get resolved in the first phone call.
    The Nimda worm is an example of the payback on these investments:
    • 7 a.m. PST on 9/18: our AntiVirus Response Manager notified us of the problem
    • 25 minutes later: first write-up posted on the Symantec Security Response web site
    • 10:00 a.m.: broadcast a wireless alert
    • Fifteen minutes later: the virus detection source code was checked in
    • 2:30 p.m.: certified virus definitions posted
    • 48 hours after the initial alert: a working fix tool released
    Now a few comments about how some of our competitors performed. NETA's virus definitions incorrectly deleted files rather than repairing them; the result was unusable computers. By the third release of a fix tool, NETA still wasn't removing the virus from memory. Trend Micro had the same problem: they got a fix tool out ahead of us, but it didn't remove the virus from memory, and by the fifth release of that tool it still didn't address memory.
    And, not having made the investments we've made, Trend Micro's website was completely down for the whole week of the virus crisis. Here's the kind of e-mail we were receiving during Nimda: “Your web site is a bomb! I have been working with McAfee for three days … with no results. They offer NO, I mean NO support. I went to your site and, twenty minutes later, no more
  • What is Symantec Client Security? Talk about the differences between SAV SMTP and the previous version, and the importance of the latest rev (see notes below). The release focuses on:
    • Enhanced security
    • Improved antispam
    • Maintaining the performance lead
    • Improved manageability
  • Security in a vacuum is no security at all! The old-world strategy of “one threat, one cure” has become outdated. Today's adversaries employ new combinations of offenses against IT infrastructures, and single-point solutions are no longer adequate to address these new “blended” threats. An attack can now come in the form of a trojan that drops replicating viruses, leverages weak password protection and improper network configuration to gain access to the organization's resources, and leaves additional “holes” for future exploits when least expected. Symantec provides an umbrella of protection to the client, with solutions to address security at all tiers.
  • Security:
    • Encryption support (SSL) for transmitting administrative passwords securely across the network
    • Support for LiveUpdate 1.7 with digitally signed and verified virus update packages (tamper-proof virus updates)
    • Outbreak Alert: alerts the administrator when the number of viruses found in a given timeframe exceeds a threshold
    • DoS prevention: measures against attacks aimed at disabling the first line of anti-virus defense, the SMTP gateway scanner
    • More flexible detection of non-standard MIME messages, more broadly addressing malformed MIME messages that run contrary to the RFC but are interpreted correctly by some popular email clients and therefore pose a danger to our customers
    • Detection and special handling of messages with encrypted attachments
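The attachment and MIME checks listed above (malformed MIME that clients still render, “zip of death” decompression bombs, encrypted attachments that cannot be scanned) can be exercised with the standard library. The following is an added example, not code from Symantec AntiVirus for SMTP Gateways: it relies on the defects Python's email parser records, on the zip “encrypted” flag, and on measuring what an entry actually inflates to rather than trusting the sizes in the central directory. The ratio and size limits, the executable-extension list and all sample messages are constructed for this illustration; the product's real thresholds are not on this page.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAX_RATIO = 100            # uncompressed:compressed ratio treated as a "zip of death"
MAX_INFLATED = 1 * 2**20   # hard cap on bytes inflated per entry while measuring
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def measure_inflated(zf, info):
    """Inflate one entry, stopping just past MAX_INFLATED. Central-directory sizes
    can be forged, so the limit is enforced on bytes actually produced."""
    produced = 0
    with zf.open(info) as f:
        while produced <= MAX_INFLATED:
            chunk = f.read(65536)
            if not chunk:
                break
            produced += len(chunk)
    return produced

def inspect_zip(data):
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a zip archive but is not one"]
    for info in zf.infolist():
        if info.flag_bits & 0x1:           # general-purpose bit 0: entry is encrypted
            findings.append(f"{info.filename}: encrypted entry, cannot be scanned")
            continue
        produced = measure_inflated(zf, info)
        if produced > MAX_INFLATED or produced > MAX_RATIO * max(info.compress_size, 1):
            findings.append(f"{info.filename}: decompression bomb")
    return findings

def inspect_message(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # The parser records deviations from RFC 2045/2046 instead of failing; popular
        # clients render such messages anyway, so each defect is a finding.
        findings += [f"malformed MIME: {type(d).__name__}" for d in part.defects]
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(EXEC_EXTS) and not ctype.startswith("application/"):
            findings.append(f"{name}: executable labelled as {ctype}")   # Nimda-style disguise
        if name.endswith(".zip"):
            findings += inspect_zip(part.get_payload(decode=True))
    return findings

# ---- constructed samples (not real mail) ---------------------------------------
def make_zip(name, payload, encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:   # set the "encrypted" bit in the local and central headers of this one entry
        data[data.find(b"PK\x03\x04") + 6] |= 1
        data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)

def message_with_attachment(filename, ctype, payload):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

NIMDA_STYLE = message_with_attachment("readme.exe", "audio/x-wav", b"MZ" + b"\0" * 64)
BOMB = message_with_attachment("report.zip", "application/zip",
                               make_zip("report.doc", b"\0" * (4 * 2**20)))
ENCRYPTED = message_with_attachment("secret.zip", "application/zip",
                                    make_zip("secret.doc", b"hello", encrypted=True))
MALFORMED = (b"From: a@example.test\r\nTo: b@example.test\r\n"
             b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
             b"body without the declared boundary\r\n")

if __name__ == "__main__":
    for label, raw in [("nimda-style", NIMDA_STYLE), ("bomb", BOMB),
                       ("encrypted", ENCRYPTED), ("malformed", MALFORMED)]:
        print(label, inspect_message(raw))
```

The bomb check never fully expands an entry: it stops as soon as the cap is exceeded, which is what keeps the scanner itself from being the denial-of-service victim. Encrypted entries are reported rather than opened, matching the “special handling” the notes describe.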
  • Management:
    • System Alerts: the system can automatically notify the administrator when specific server-related events occur, such as LiveUpdate succeeding or failing, the system running out of disk space or memory, or the service crashing, stopping or restarting. The Outbreak Notification feature also tells the administrator when an unusual number of viruses is found in a certain period of time.
    • LiveUpdate: support for LiveUpdate 1.7 with digitally signed and verified virus update packages (tamper-proof virus updates).
    • Shareable configuration files, “write once, share everywhere”: eases the administrative burden of setting configuration policy across multiple servers by letting administrators create a standard configuration file and manually share it across multiple servers.
    • Report-only access: access to the management console can be restricted by a separate password that gives lower-level administrators rights to run reports and view system status, but not to change critical configuration settings or inadvertently stop virus scanning.
    • Expanded System Overview screen: a quick, comprehensive overview of key system status, such as the number of viruses found, emails rejected and attachments blocked, the current product version and virus update set, and many other customer-requested metrics.
    • More flexible notifications: greater granularity in the kinds of notifications that can be sent for content-related or AV-related violations.
    • Relay Pause: gives the administrator greater flexibility in responding to emergencies by queuing incoming email only, or stopping acceptance of email altogether, without shutting down the service.
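The incremental definitions described in the earlier notes and the signed update packages mentioned above are one mechanism: a client that is at revision N receives only what was added after N, and only applies it after verifying the vendor's signature and checking that the delta was built against its own revision. This added example is not LiveUpdate code. It assumes a vendor-signed package; HMAC-SHA256 under a demo key stands in for the public-key signature a real package carries, because the standard library has no RSA or Ed25519 primitive, and the definition names and patterns are constructed.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the vendor's signing key. A deployed client would hold
# the vendor's public key and verify an asymmetric signature instead.
VENDOR_KEY = b"constructed-demo-key"

def sign(package):
    body = json.dumps(package, sort_keys=True).encode()   # canonical encoding before signing
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()

class DefinitionServer:
    """Holds the full definition set as an append-only log of (revision, name, pattern)."""
    def __init__(self):
        self.log = []

    def publish(self, name, pattern):
        rev = len(self.log) + 1
        self.log.append((rev, name, pattern))
        return rev

    def delta_for(self, client_rev):
        """Incremental package: only the definitions added after client_rev."""
        added = {n: p for r, n, p in self.log if r > client_rev}
        pkg = {"base": client_rev, "rev": len(self.log), "add": added}
        return pkg, sign(pkg)

    def full_set(self):
        return self.delta_for(0)

class Client:
    def __init__(self):
        self.rev, self.defs = 0, {}

    def apply(self, pkg, sig):
        # 1. Verify before trusting any field: a tampered or forged package is dropped.
        if not hmac.compare_digest(sig, sign(pkg)):
            raise ValueError("rejected: signature mismatch")
        # 2. A delta is valid only on the revision it was built against; applying it
        #    out of order would silently leave a gap in the definition set.
        if pkg["base"] != self.rev:
            raise ValueError(f"rejected: delta is for rev {pkg['base']}, client is at rev {self.rev}")
        self.defs.update(pkg["add"])
        self.rev = pkg["rev"]
        return len(pkg["add"])

def try_apply(client, pkg, sig):
    """Apply and report the outcome as a string instead of raising."""
    try:
        client.apply(pkg, sig)
        return "ok"
    except ValueError as e:
        return str(e)

def demo():
    """Constructed walk-through: returns (entries shipped by the delta, entries in the full set)."""
    server, client = DefinitionServer(), Client()
    for name, pattern in [("def-A", "4d5a9000"), ("def-B", "4d5a5000")]:   # constructed
        server.publish(name, pattern)
    client.apply(*server.full_set())                 # first install pulls the full set
    server.publish("def-C", "4d5a7000")              # vendor adds one definition
    applied = client.apply(*server.delta_for(client.rev))   # next update ships one entry, not three
    return applied, len(server.full_set()[0]["add"])

if __name__ == "__main__":
    print(demo())
```

The two checks are ordered on purpose: the signature is verified over the whole package before `base` or `add` is read, so an attacker who can intercept the update channel cannot even steer the client with a forged revision number.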
  • The important point is that we are seeking to maintain or even expand our lead in processing performance at the SMTP gateway:
    • In-memory message decomposition (Dec. 3) for faster message processing
    • Improved message and queue handling
    • Ability to filter messages based on message size, file type and attachment name
    • Integrated content blocking: all SMTP traffic is scanned once for both viruses and content, giving fast scanning with minimal impact on network performance
    • Scalable, enterprise-wide virus protection and content filtering
  • Anti-spam support: support for the Mail Abuse Prevention System (MAPS) RBL, DUL and RSS anti-spam lists. Administrators can also add their own domains and addresses to block.
    • MAPS™ Realtime Blackhole List support: third-party anti-spam lists that block known open relays and spam sources, cutting down the number of spam emails received.
    • Custom domain/address block lists that let the customer block specific senders, or all email from specific domains, to cut down on unsolicited or unwanted email.
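The three anti-spam and anti-relay controls on this page (realtime blackhole lists, administrator block lists, and relay prevention including the “special character in recipient address” check) fit together as a single accept/reject decision at RCPT TO time. The following is an added example, not the gateway's own code; the local domains, networks, block-list entries and the DNSBL zone `rbl.example.net` are constructed, and DNS is replaced by a lookup table so the example runs offline.

```python
import ipaddress

# Constructed gateway policy.
LOCAL_DOMAINS = {"example.com"}                         # domains this gateway accepts mail for
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # hosts allowed to relay outbound
BLOCKED_DOMAINS = {"spam.example"}                      # administrator's custom block lists
BLOCKED_ADDRESSES = {"bulk@deals.example"}
DNSBL_ZONES = ("rbl.example.net",)                      # hypothetical MAPS-style list zone

def dnsbl_name(ip, zone):
    """A DNSBL is queried by reversing the octets under the list's zone:
    192.0.2.10 on rbl.example.net becomes 10.2.0.192.rbl.example.net."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def domain_blocked(domain, blocked):
    # Exact or parent-domain match, never a substring match ("notspam.example" stays clean).
    return any(domain == b or domain.endswith("." + b) for b in blocked)

def decide(client_ip, mail_from, rcpt_to, resolve):
    """Return the SMTP reply for RCPT TO. resolve(name) returns the A records for name,
    or [] when it does not exist (NXDOMAIN), which is how a DNSBL says 'not listed'."""
    rcpt_to, mail_from = rcpt_to.lower(), mail_from.lower()
    # 1. Anti-relay: "%" and "!" source routes would make us forward to a third party.
    if "%" in rcpt_to or "!" in rcpt_to:
        return "550 source-routed recipient rejected"
    internal = any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS)
    if rcpt_to.rpartition("@")[2] not in LOCAL_DOMAINS and not internal:
        return "550 relaying denied"
    if internal:
        return "250 accepted (internal host)"
    # 2. Administrator block lists on the envelope sender.
    if mail_from in BLOCKED_ADDRESSES or domain_blocked(mail_from.rpartition("@")[2], BLOCKED_DOMAINS):
        return "550 sender blocked by local policy"
    # 3. Realtime blackhole lists: any 127.0.0.x answer means the client is listed.
    for zone in DNSBL_ZONES:
        if any(a.startswith("127.0.0.") for a in resolve(dnsbl_name(client_ip, zone))):
            return f"550 {client_ip} listed in {zone}"
    return "250 accepted"

# Constructed stand-in for DNS: exactly one listed open relay.
_LISTED = {dnsbl_name("192.0.2.10", "rbl.example.net"): ["127.0.0.2"]}

def fake_resolve(name):
    return _LISTED.get(name, [])

if __name__ == "__main__":
    for args in [("192.0.2.10", "x@other.example", "bob@example.com"),
                 ("198.51.100.5", "x@other.example", "victim@elsewhere.example"),
                 ("198.51.100.5", "x@sub.spam.example", "bob@example.com"),
                 ("198.51.100.5", "x@other.example", "bob@example.com")]:
        print(args, "->", decide(*args, fake_resolve))
```

Relay control runs before any list lookup: a message for a non-local recipient from an external host is refused regardless of reputation, and the source-route check closes the classic `user%victim.example@example.com` trick that would otherwise turn the gateway into the open relay the RBL is meant to catch elsewhere.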
  • The “Nimda” worm. Visitors to infected sites were vulnerable to receiving the infected file. Lesson: If you are going to scan HTTP traffic for content, you should also scan it for other malicious “payloads” (viruses/worms/ trojans).
  • DDR takes a heuristic approach:
    • Analyzes word relationships on the HTML page to discern context
    • Only the initial HTML file (~26 KB) is retrieved and analyzed first, a very rapid, in-memory process
    • It is a “safety net” because we cannot possibly detect and categorize every new website as it appears, and some sites (private homepages, for example) will never be found by URL reviewers
    • Simple keyword filtering is too broad and blocks indiscriminately
  • The first layer checks whether the user even has permission to download a file or visit a website. The second layer deals concurrently with whether a file being downloaded from an allowed site is infected and, in the case of a web page, whether the requested HTML page is allowed even though its URL did not appear in the URL list. This is an effective second level of checking that augments the traditional URL lookup method.

Presentation Transcript

  • Introduction to Antivirus Technology. Manfred Hung, Security Consultant
  • Agenda
    • Security Climate: Trends, Challenges & Enterprise Solutions
    • Security Lifecycle: Best Practices
    • Symantec Client Security
    • Symantec Antivirus for SMTP Gateway
    • Symantec Gateway Security
    • Product Demo
  • Worldwide Attack Trends (chart): Malicious Code Infection Attempts* (0 to 900M) and Network Intrusion Attempts** (0 to 120,000) per year, 1995 to 2002, annotated with Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay) and Blended Threats (CodeRed, Nimda, Slammer). *Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated. **Source: CERT
  • Less Knowledge Required to Attack (chart, 1980 to 2005): Automated Tools & Attack Sophistication plotted against Intruder Knowledge on a High/Low scale
  • General Threat Evolution (chart): impact scope from Individual PCs through Individual Orgs., Regional Scope and Sector to Global Impact, over time (1990s, 2000, 2003)
    • 1 st gen. viruses
    • Individual DoS
    • Web defacement
    • email worms
    • DDoS
    • Credit hacking
    • Blended threats
    • Limited Warhol threats
    • Worm-driven DDoS
    • National credit hacking
    • Infrastructure hacking
    • Future Threats
    • Flash threats?
    • Massive worm-driven DDoS?
    • Critical infrastructure attacks?
  • Threat Evolution: Malicious Code (chart). Contagion timeframe (weeks or months, days, hours, minutes, seconds) against era (Early 1990s, Mid 1990s, Late 1990s, 2000, 2003), with threat types in order of appearance: File Viruses, Macro Viruses, e-mail Worms, Blended Threats, “Warhol” Threats, “Flash” Threats. Response classes: Class I, human response possible; Class II, human response difficult/impossible, automated response possible; Class III, human response impossible, automated response unlikely, proactive blocking possible.
  • Threat Evolution: Day-zero Threats (diagram: vulnerability identified, then threat released; the gap between them is the vulnerability-threat window)
    • A day-zero threat exploits a previously unknown, and therefore unprotected, vulnerability.
  • Threat Evolution: Day-zero Threats (continued)
    • A day-zero threat exploits a previously unknown, and therefore unprotected, vulnerability.
    • As attacker demographics shift, we expect a reduction in the vulnerability-threat window. Time until exploitation (chart): Months for a Novice Programmer, Days for a Sophisticated Programmer, Hours for an Organized Crime/Terrorist Organization, “Day 0” (a day-zero exploit released with the threat) for a Nation/State Threat.
  • Threat Impact on Emerging Targets (matrix). Threats, in increasing order: Targeted Hacking, DDoS, Blended Threats, Warhol and Day-Zero Threats, Flash and Day-Zero Threats. Targets: Web Services, Wireless Infrastructure, Internet Backbone/Broadband, Physical Infrastructure/SCADA. Impacts shown in the cells range from account or data theft/corruption and DoS, through short-term disruption of individual networks and short-term/localized Internet disruption, to major disruption to multiple networks, major disruption of B2B services with sector-level impact, global Internet disruption, and disruption of targeted infrastructures and inter-networked SCADA (impact to power, communications, hydro, chemical and other infrastructure).
  • Vulnerabilities on the Rise – New Vulnerabilities per Week Source: Symantec
  • How Quickly Do I Need to Respond? Source: Symantec Risk increases exponentially over time
  • Silo-Based Approach – Who Secures What?
    • Network Services: routers, switches, gateways, firewalls, RAS, ATM; firmware/software upgrades and patches
    • Mid-Range Services: servers; application upgrades and patches
    • Desktop Services: helpdesk, software support; upgrades and patches
    • Mainframe Services: authorization; upgrades and patches
    • Operations
    • Security
    • Services
    • Policy &
    • Standards
    • Development
    • Maintenance
    • Compliance
    • Monitoring
    • Response
    • Recovery
    WORM Exploits MalWare Virus Social Engineering Multiple Threats from one/many sources – singly or in parallel, against one or many silos
  • Total Attack Volume (chart): Attacks per Company by Week, January 1, 2002 – December 30, 2002, on a 0 to 50 scale. Source: Symantec Internet Security Threat Report
  • Enterprise Security Solution: Authentication, Access Control & Authorization, Identity Mgmt, Antivirus, Firewall, Intrusion Detection, VPN, Content Updates & Security Response, 24x7 Global Customer Support, Attack Recovery Tools/Svcs, Honey Pot & Decoy Technology, Threat Management & Early Warning, Vulnerability Assessment, Policy Compliance, Event & Incident Mgmt, Config. Mgmt, Common Console, Encryption
  • Symantec is Securing the Enterprise (Proactive Control): Authentication, Access Control & Authorization, Identity Mgmt, Antivirus, Firewall, Intrusion Detection, VPN, Content Updates & Security Response, 24x7 Global Customer Support, Attack Recovery Tools/Svcs, Honey Pot & Decoy Technology, Threat Management & Early Warning, Vulnerability Assessment, Policy Compliance, Event & Incident Mgmt, Config. Mgmt, Common Console, Encryption
  • Answering the Challenges – Securing Your Enterprise Proactive Control
    • Early awareness of vulnerabilities and threats in the wild
    • Listening posts
    Alert
    • Preventing unwanted attacks
    • Detect physical breaches
    • Privacy of information assets
    Protect
    • Environment
      • Policies and Vulnerabilities
      • Device Configuration
      • User Access
      • Identity Management
    • Information
      • Events and incidents
    Manage
    • Internal
      • Workflow
      • Auto-configuration
      • Disaster recovery
    • External
      • Content Update
      • Hotline
    Respond
  • Securing the Enterprise
    • Alert – Early Warning
      • Awareness of new vulnerabilities and global threats
    • Symantec’s alerting services allow customers to…
      • Close the gap between awareness of security issues and possible action
      • Understand the impact of the global environment
      • Reduce TCO of security by preventing attacks or avoiding damage
    • Early Warning
    • DeepSight ™
    • Decoy Technology
    • ManTrap ®
    • Vulnerability
    • Assessment
    Alert
  • Securing the Enterprise
    • Protection
      • Multi-layered security at the Gateway, Server and Client
    • Symantec’s Protection solutions allow customers to…
      • Provide protection against blended threats through layered, integrated solutions
      • Have significantly lower total cost of ownership – common install, management and update features
    • Integrated Solutions
    • Client Security
    • Gateway Security
    • Best-of-breed products
    • Host and Network
    • Intrusion Detection
    • Antivirus
    • Filtering
    • Firewall
    • VPN
    Protect
  • Securing the Enterprise
    • Respond
      • Trusted timely content updates and 24/7 global remediation support
    • Symantec’s Response capabilities allow customers to…
      • Automatically update all Protection products with latest threat content
      • Obtain immediate expert global support
      • Recover quickly after an incident has occurred
    Security Response (LiveUpdate), 7x24 customer support, Professional Services, Disk Recovery
    Respond
  • Securing the Enterprise
    • Manage
      • Effectively identify critical vulnerabilities and blended threats in real-time
    • Symantec’s Management Solutions allow customers to…
      • Identify incidents accurately and timely
      • Simplify management of protection products at all points of the network
      • Implement a single point of control
      • Reduce or eliminate monitoring burden, focusing security staff on risk mitigation
    Manage
    • Policy Compliance
    • Security Management
    • Incident Manager
    • Event Managers
    • Managed Security Services
  • Enterprise Antivirus Protection Solution
  • The Challenge: Growth and Evolution of Malware (chart, Source: Symantec): Number of Known Viruses over time, annotated with Macro Viruses, Polymorphic Viruses (Tequila), Remote Control Trojan (NetBus), Mass Mailer Viruses (LoveLetter/Melissa) and PDA Virus (Palm Liberty). Dramatic increase in the number and severity of malware attacks.
  • Symantec AntiVirus Technologies
    • Same quality and timeliness of response
    • Uses NAVEX architecture
    • Leverages
      • Central Quarantine
      • Scan & Deliver
      • Digital Immune System
  • Symantec Security Response Centers: “Follow the Sun” rapid response from Santa Monica, USA; Leiden, NL; Sydney, AU; Tokyo, JP
  • Antivirus Information Resources: http://www.symantec.com, http://www.sarc.com, http://www.securityfocus.com
  • Symantec Client Security Overview
  • Introduction of Symantec Client Security
      • Symantec Client Security integrates:
        • Antivirus
        • Client Firewall
        • Intrusion Detection
        • Privacy Control
        • Single Management Console
        • Single Deployment mechanism
        • Single Update mechanism
  • Symantec Client Security Better client protection and lower cost through integration
    • First integrated client security product for the Enterprise:
    • Industry leading technologies
      • Antivirus
      • Client Firewall
      • Client-side Intrusion Detection
    • Integrated installation
    • Common Management console, with optional integration into Symantec Information Management
    • Rapid Response with timely definitions, rules, signatures using common LiveUpdate deployment
    • Integrated Support
    • Integrated Services
  • Integrated Protection For Example: Firewall technology will initiate an antivirus scan even when AV has been turned off! Intrusion Detection technology will instruct Firewall to block traffic from malicious sources The technologies talk to each other
  • Integrated Deployment
    • Three pre-configured Integrated installations
      • Fully managed
      • Lightly managed
      • Thin client
    • Customizable deployment packages
    • Modular components
    • Flexible installation options
  • Common Management Console
    • Centralized Configuration Management
      • High scalability - hundreds of thousands of nodes
      • Hierarchical infrastructure
      • Policy management with settings lockdown
      • Group management including logical groupings
      • Product deployment
      • Event management
      • Update management
  • Integration with Symantec Security Management System
    • Centralized Alerting
      • alerting threshold
    • Centralized Logging
    • Graphical Reporting
      • customizable reports
    • Cross-tier security technology management
    • Available Q4 2002
  • Symantec Client Security Client Protection
    • Client platforms - Win98/ME, Win XP, WinNT/2000
    • 64-bit client support – Coming
    • Win2K3 support – Coming
    • Silent or interactive integrated install
    • Three pre-packaged installations
      • Fully managed
      • Lightly managed
      • Thin Client
    • Product migration
      • Competitive Uninstaller
    • Limited or full user interface with password protection
  • Symantec Client Security – Firewall/IDS Protection
    • Inbound and outbound traffic scanning
      • Integrates with antivirus scanning for integrated protection
    • Intrusion Detection
      • Integrates with firewall to automatically block unauthorized intrusions
    • Internet Zone Control
    • Additive VPN Support
      • Nortel Contivity Client
      • Cisco VPN Client
      • Symantec VPN Client (RaptorMobile)
      • CheckPoint VPN Client
    • Content Filtering – user defined
  • Symantec Client Security - Antivirus Protection
    • Common scan engine –
      • Multi platform, multi-tier and multi-lingual support
      • Extensible – does not require redeploy or reboot
    • Unknown virus detection - Heuristics
    • Incremental virus definitions – small updates
    • “ Push” Technology – fast deployment of cures
    • Roaming
    • Quarantine
    • Digital Immune System – automated response
    • Email scanning for MS Exchange and Lotus Notes/Domino
  • Other Key Benefits
  • Key Features
    • Packager - Remote Deployment
    • Multiple LU Server – Provide Fail-over features
    • Scanning Performance Improved
    • Scan Delay/Snooze
    • Virus definition update improved
  • Benefits
    • Eases Management Effort:
      • Simplified security management
      • Holistic view of security at client
    • Better Protection at the client:
      • Multiple integrated security technologies provides better protection against blended threats
      • Better reporting results in an improved security posture
      • Better response thru centralized updating and distribution
    • Optimizes administrator resources:
      • Centralized installation, reporting, management and updates
      • Eliminates cross-vendor interoperability issues
      • Multiple technologies from a single vendor
    • Reduced Total Cost of Ownership
  • Response
  • Digital Immune System – Automated Response
    Bloodhound Heuristics
    • Looks for suspicious viral activity
    • Local Quarantine
    • Alert Administrator
    Central Quarantine
    • Central virus repository
    • Content stripping
    • Sample submission (Internet)
    • Definition retrieval/deployment
    • Real-time status
    Immune System Gateways
    • Scalable architecture to handle flood conditions
    • Clearing house
    Symantec AntiVirus Response Automation
    • Automatic analysis
    • Generates cures for 90% of all submissions
    Symantec Security Response
    • USA
    • Europe
    • Japan
    • Australia
  • Integrated Response: Virus Definitions, Firewall Updates and Intrusion Detection Signatures
    • Integrated Response in a single update via our world-class LiveUpdate technology
      • Provides the highest security posture available
      • Rapid deployment in the face of a fast spreading outbreak
      • Minimizes impact on network bandwidth
  • Management Key Feature
    • Laptop users
      • Semi-managed Client for roaming users
      • Power Status – Schedule scanning
    • Tamper Protection
      • SSC Auto-Protection Notification
      • Registry Key monitoring
      • Auto-Protect Disable Notification
      • Auto-Protect Re-enable
      • Force password setting
      • Quarantine Setting
  • Symantec System Center
  • Symantec System Center
  • Integrated Firewall/IDS
  • Symantec Client Firewall
  • Symantec Client Firewall – FW/IDS
  • Symantec Client Firewall - Logging
  • Symantec Client Firewall Administrator
  • Symantec Antivirus For SMTP Gateway
  • Solution Overview
    • What is Symantec AntiVirus for SMTP Gateways?
      • Comprehensive virus protection for the Internet email (SMTP) gateway
      • Reduces Spam and eliminates unwanted email content, like attachments
  • Solution Overview (diagram): SAV SMTP stands between the Internet and the protected customer, stopping viruses, worms, Trojan horses, spam and unwanted content
  • Features Highlight
    • This release focused on:
    • Security
    • Management
    • Performance
    • Antispam
  • Security
    • Enhanced Malformed MIME handling
      • Not unique, but critical
    • Extensive DoS Prevention (Zip of Death)
    • Outbreak Alerts
    • Tamper Alerts
    • Admin password encryption (through SSL)
    • Multi-Level Administration Passwords
    • Secure defaults – “failing closed”
  • Security - Why do they care?
    • Provide confidence that the “first line of defense” is not the “first line of attack”
    • Need the right tools to respond to today’s threats and vulnerabilities
    • Security awareness is growing and is gaining in importance at all tiers
    • Expect no less from Symantec as “the” leader in Internet Security
    • Flexible and granular notifications about viruses/content violations
    • System Alerting
      • Triggered by events like “failed LU”, “running out of disk space” etc.
      • The system tells Admin when something is wrong
    • Relay Pause – greater flexibility for handling outbreak situations
    • LiveUpdate Scheduling – greater flexibility
    • Shareable Configuration Files – configure once and reuse on other servers
    Management
  • Management - Why do they care?
    • “ Ease of management” is critical
      • Need high-effectiveness, without labor-intensiveness
    • Goal is to maintain or expand the lead over Trend and Neta gained since v2.5
      • Faster message processing (using in-memory scanning)
      • Improved message and queue handling
    Performance
  • Performance - Why do they care?
    • End-users don’t accept delays lightly
    • Throwing more hardware at the problem is not an easy or desirable option
      • More servers? Larger servers?
      • Rack-space? Downtime?
    • To handle the same load on Win2K, Trend and Neta would require either more and/or beefier servers
  • Spam - What is it?
    • Unsolicited (bulk) commercial email
    • Usually can't unsubscribe from it
    • Usually sent through compromised internet resources (open relays)
    • Not only impacts mail server load and end-user satisfaction; also carries potential liability
  • Spam – a problem?!
    • Antispam
      • Block by domain, email address
      • Support for MAPS Lists
        • MAPS = Mail Abuse Prevention System LLC
        • Lists supported: RBL, DUL, RSS, RBL+
        • First subscribe to MAPS, then activate
    • Anti-relay
      • External relay prevention
      • Block by special character in recipient address
    Antispam (Anti-relay)
  • Spam - Why do they care?
    • Boss is getting tired of receiving it (so is ours!)
    • Problem has become worse over last few months
    • Concerns about liability – i.e. unsolicited offensive spam NOT being stopped
  • The Management Console – Web-based
  • Symantec Web Security
  • The Challenge : Growth in Internet Web Sites Exponential Increases in the number of websites
  • The Advent of the “Blended Threat” Source: Symantec
    • “ Nimda” worm (Fall of 2001) - propagated via
      • SMTP (e-mail)
      • HTTP (web browsing)
    • Lesson:
      • HTTP is a viable, but often neglected infection vector
      • Scan HTTP traffic for content, and other malicious “payloads” (viruses/worms/trojans)
  • Content Security is about Filtering Out ALL Harmful Data Harmful Applications Dangerous Malicious Code Litigious Content Non- Work-related content
  • URL Filtering: Emerging Gaps in Protection
    1994 - 1999:
    • URL Lists relatively effective
    • Limited to vendor’s ability to find and update lists
    • Usually weak on non-English sites
    2000 and beyond:
    • Nature of delivery changing
      • URL redirection
      • Cached pages
      • URLs with multiple host IPs
      • Unlisted anonymizers
      • Future technologies
    • URL Lists losing effectiveness
  • Symantec's Filtering "Safety-Net"
    • Combining list-based with heuristic analysis
    • Analogous to today's anti-virus protection
    • Technologies designed to detect both the Known AND the New
    • Effective second layer of defense
    • It understands most of our customer's languages (14 in all!)
    URL Lists (list-based) + DDR Analysis (heuristics)
  • Dynamic Document Review (DDR)
    • "Keyword Filtering" too broad
      • Blocks all pages containing a single instance of a word, ex. "breast"
    • DDR takes a heuristic approach
      • Analyzes word context
      • Only initial HTML file (~26 kb) is retrieved and analyzed first
        • Very rapid, in-memory process
  • Why Customers Should Care: Thin line between fun and fatal content Just a game?
  • Using Filtering as a Proactive Anti-Virus Measure:
    • Minimizing exposure to potentially lethal executables, Trojans etc.
    • Preventing access to web-based email during outbreaks, ex. Hotmail, Yahoo! Mail
    • Ensures that all web-based email attachments are scanned for viruses/malicious code
    • Inhibit or track internal access to hacker tools or hacker-related sites
  • How Integrated Scanning Works (diagram). A user on the client surfs, sends a request or starts a download. 1st level, “is the request even allowed?”: the URL is checked against the URL list and the user's permissions (DDR is also applied to search requests); if not allowed, the request is rejected immediately, otherwise the object is retrieved and processing proceeds. 2nd level, “is the request truly clean?”: HTML is analyzed by DDR and binaries are scanned by the AV engine; if ok, the page is displayed or the file is downloaded on the client.
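The two-level flow on this slide and the DDR heuristic described earlier (context from word relationships in the first ~26 KB of the page, instead of blocking on a single keyword) can be demonstrated end to end. This is an added example and not Symantec's DDR or URL-list code: the category vocabulary, the URL list, the proximity window and threshold, the sample hosts and the sample pages are all constructed. The scoring rule is one plausible reading of “word relationships”: it counts distinct pairs of different category terms that occur close together, so an ambiguous word on its own (“crack” on a drywall-repair page) never scores.

```python
import re
from html.parser import HTMLParser

HEAD_BYTES = 26 * 1024      # DDR looks only at the initial part of the page
WINDOW = 12                 # words; two category terms this close count as related
THRESHOLD = 3               # distinct related pairs needed to block

# Constructed category vocabulary and URL list (the real dictionaries are Symantec's).
CATEGORIES = {
    "hacker-tools": {"exploit", "rootkit", "crack", "keylogger", "warez", "shellcode"},
}
URL_LIST = {"warez.example": "hacker-tools"}   # first level: known hosts by category

class TextExtractor(HTMLParser):
    """Collect visible words, skipping script/style content."""
    def __init__(self):
        super().__init__()
        self.words, self._skip = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.words += re.findall(r"[a-z]+", data.lower())

def ddr_score(html, category):
    """Number of distinct pairs of *different* category terms within WINDOW words."""
    parser = TextExtractor()
    parser.feed(html[:HEAD_BYTES])
    vocab = CATEGORIES[category]
    hits = [(i, w) for i, w in enumerate(parser.words) if w in vocab]
    pairs = {(w, v) for i, w in hits for j, v in hits if i < j <= i + WINDOW and w != v}
    return len(pairs)

def filter_request(url, fetch):
    """Two-level check: URL list first (no fetch), then DDR on the retrieved HTML.
    Binary downloads would go to the AV engine at the second level instead."""
    host = re.match(r"https?://([^/]+)", url).group(1).lower()
    if host in URL_LIST:                                   # level 1: reject immediately
        return "deny", f"URL list: {URL_LIST[host]}"
    html = fetch(url)                                      # level 2: retrieve, then analyze
    for category in CATEGORIES:
        score = ddr_score(html, category)
        if score >= THRESHOLD:
            return "deny", f"DDR: {category} (score {score})"
    return "allow", html

# Constructed sample pages (fetch is replaced by a dictionary lookup).
PAGES = {
    "http://diy.example/walls": "<html><body><h1>Repairing a crack in drywall</h1>"
        "<p>Fill the crack with joint compound, sand it, then paint.</p></body></html>",
    "http://free-stuff.example/tools": "<html><body><p>Download the latest crack and keygen, "
        "plus a working exploit and rootkit kit. Our warez section has shellcode samples "
        "and a keylogger.</p><script>var x = 'exploit exploit';</script></body></html>",
}

if __name__ == "__main__":
    for url in ("http://warez.example/index", *PAGES):
        print(url, "->", filter_request(url, PAGES.get)[0])
```

Keyword filtering would block the drywall page on “crack” alone; the pair count does not, while the tools page scores well above the threshold from the co-occurring terms. The URL-list hit never fetches the page, which is the point of doing the cheap check first.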
  • URL Filtering Response Team
    • Dedicated to searching and categorizing international websites
    • International reviewers use automated tools, including DDR-based tools, to find and categorize content
    • Dedicated R&D for "safety-net" detection technologies such as DDR
    • Periodic review of URLs sent by customers (filtering@symantec.com)
  • Symantec Web Security Deployment
  • Symantec Web Security Deployment Examples (diagram): a client generating requests for web objects, a switch, the HTTP/FTP virus scanner and/or content filter, and the web/file server; traffic is unfiltered on the server side of the scanner and filtered on the client side
  • Symantec Web Security User end
  • Download infected object
  • Download blocked object
  • Download blocked object
  • Download progress
  • Product Demo