Wednesday, June 06, 2007

ForeFront Security for SharePoint

Microsoft has just released the Client Security version of ForeFront, but ForeFront Security for SharePoint (FSSP) has been released for a while now. FSSP provides the following functionality:
1.) Anti-virus scanning of documents uploaded and/or downloaded.
2.) File filtering based on file signatures.
3.) Document content keyword filtering.
FSSP is supplied with eight scan engines (Microsoft, Computer Associates, Norman, AhnLab, VirusBuster, Sophos, Kaspersky and Authentium) and it is possible to check files with up to five scan engines at a time.

How do viruses enter SharePoint:
Viruses can enter SharePoint when infected files are uploaded or when a mapping to a SharePoint document library has been made from an infected computer.

Why an anti-virus solution:
Some people ask, “Why do you need anti-virus software on your SharePoint environment when your server has file system anti-virus software installed?” The answer to this question is simple:
Files uploaded to SharePoint do not touch the file system. They come in through the TCP/IP protocol and are saved to the database. Therefore file system AV software is not able to scan the files.

When the SharePoint environment is used on the internal network and all computers on that network are managed, having an AV solution on your SharePoint environment might not be necessary. But with SharePoint being used to collaborate with external users (e.g. partners, customers, suppliers), knowing 100% that all files uploaded are virus free is impossible. Therefore having an AV solution in SharePoint is a must.

How does ForeFront Security for SharePoint work:
FSSP has two scan modes. The first is the Realtime Scan mode. Files uploaded and/or downloaded are scanned by FSSP and blocked if a virus is found.
The second mode is Manual Scan mode, which scans the environment (or a subset) for viruses.

FSSP uses the VSAPI of SharePoint, which is optimized for SQL. This integration means that some basic settings must be made in SharePoint, for example whether files are scanned during upload and/or download.
These settings can be viewed from the FSSP Management console.

What does ForeFront Security for SharePoint do when a virus is found:
Once FSSP detects a virus, administrators have several options for handling it. In Realtime Scan mode, the options are “Skip, Detect only” and “Clean, Repair document. Delete if unsuccessful”. In both cases the detection is logged in the incident log, but of course the first option is not a very secure setting to use.

In Manual Scan mode, the options are “Skip, Detect only”, “Clean, Repair document. Delete if unsuccessful” and “Delete file”. This last option replaces the content of the file with some customizable text, notifying the user that the file contained a virus and has been deleted.

File Filter option:
Besides virus scanning, FSSP also supplies a File Filter option. This functionality can be used for blocking potentially dangerous content, for example exe, com, vbs or scr files, but also for blocking unwanted content like mp3 or avi files.
The difference with the file blocking option of SharePoint is that FSSP does not look at the extension alone, but also checks the file header. So renaming an exe file to txt will fool the “Blocked file types” option of SharePoint, but not FSSP.

Note:
As you might know, with SharePoint it is possible to block certain extensions. These blocks have precedence over the virus scanning. So if you upload an exe file which contains a virus, this file is blocked (by default) by the “Blocked file types” option of SharePoint, not by FSSP.

Note 2:
When a file is blocked by the File Filter, the user will receive a “Virus Found” message, even when the file does not contain a virus. It is wise to educate your users about this.

What else:
One thing to know is that once a file is scanned, it will not be scanned again until it has been changed. This will improve performance.

As mentioned before, when FSSP detects a virus during a Manual Scan it will replace the content of the file with customizable text. The name of the file will remain exactly the same. Users will not see any difference, besides the changed file size. This is due to limitations of SharePoint. The FSSP team is working with the SharePoint team to fix this.

FSSP does support the Office 2007 file format, but cannot detect if the file is a Word, Excel or PowerPoint file (besides checking the extension). The File Filter has just one OpenXML option.
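
The header check described under "File Filter option" and the single OpenXML option mentioned above can be illustrated with a small sketch. This is an added example, not FSSP code or anything from Microsoft: the function names and the blocking policy are hypothetical, the sample bytes are constructed, and only the file signatures themselves are real, publicly documented headers. It shows an exe renamed to txt passing an extension check but failing a header check, and docx and xlsx files looking identical at the header level because Office 2007 files are ZIP containers.

```python
# Added illustration: header ("magic byte") file typing vs. extension checks.
# Not FSSP code; the signatures are well-known public file headers.
import os

# (signature bytes at offset 0, detected type)
SIGNATURES = [
    (b"MZ", "exe"),                                  # DOS/PE executables (exe, scr)
    (b"PK\x03\x04", "zip"),                          # ZIP, also Office 2007 OpenXML
    (b"ID3", "mp3"),                                 # MP3 with an ID3v2 tag
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # Office 97-2003 binary formats
]

BLOCKED_TYPES = {"exe", "mp3", "avi"}                # hypothetical filter policy
BLOCKED_EXTENSIONS = {".exe", ".com", ".vbs", ".scr", ".mp3", ".avi"}


def detect_type(data: bytes) -> str:
    """Return a type name based on the file header, or 'unknown'."""
    # RIFF containers carry their subtype at offset 8 (AVI, WAVE, ...).
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_only_blocks(filename: str) -> bool:
    """Extension-based blocking: trusts the file name alone."""
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def header_filter_blocks(data: bytes) -> bool:
    """Header-based blocking: ignores the name, inspects the content."""
    return detect_type(data) in BLOCKED_TYPES


# Constructed sample inputs (leading bytes only, not real files).
SAMPLES = {
    "report.txt": b"MZ\x90\x00\x03\x00\x00\x00",     # exe renamed to txt
    "notes.txt": b"Plain text notes\n",
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
    "letter.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "clip.dat": b"RIFF\x24\x00\x00\x00AVI LIST",     # avi with a neutral extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} header={detect_type(data):8} "
              f"ext-block={extension_only_blocks(name)!s:5} "
              f"header-block={header_filter_blocks(data)}")
```

Script files such as vbs are plain text with no fixed header, so a signature table like this one cannot identify them; for those types the extension is the only cheap indicator.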

SP1 for FSSP will be released sometime this month (June 2007). One option that has been added in this Service Pack is that installing FSSP on an Exchange server is not possible. When you have a server which is running both Exchange and SharePoint, FSSP cannot be used. Personally I find this very strange, but Microsoft probably has its reasons.

More info:
ForeFront Security for SharePoint Product Overview
Download trial
