Download - VIRUS AND SPY PROTECTION ARCHITECTURE

VIRUS AND SPY PROTECTION ARCHITECTURE

Agenda

In this module

• Processes and services

• Product components

• Message flow during various scan operations

PROCESSES AND SERVICES

AVCS Processes

F-Secure Management Agent

• fameh32.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsguidll.exe

F-Secure Virus & Spy Protection

• fsav32.exe, fsaw.exe, fsgk32.exe, fsgk32st.exe, fsdfwd.exe, fsqh.exe, fsrw.exe, fssm32.exe

F-Secure Automatic Update Agent

• fsbwsys.exe, F-Secure Automatic Update.exe

Processes: FSMA

fsm32.exe F-Secure Manager, displays the F- tray icon

fsma32.exe F-Secure Management Agent (Service)

fsmb32.exe Message Broker, processes communication between the different modules & products

fsnrb32.exe Handles the communication between the hosts and the PMS

fameh32.exe Alert and Messaging Handler, handles alert and log forwarding

fch32.exe Configuration Handler, reads the base policy files and writes the incremental policy files

fsih32.exe Installation Handler. Launches ilaunchr.exe during installations

Processes: Virus & Spy Protection

fsav32.exe Anti-Virus Handler

fsaw.exe F-Secure Ad-Watch (Browser Control)

fsdfwd.exe Anti-Virus Firewall Deamon. Redirects e-mails to

the Scanner Manager (Service)

fsqh.exe Handles object quarantine

fsgk32.exe Gatekeeper Handler. Receives real-time scan

requests from the Gatekeeper

fsgk32st.exe Gatekeeper Handler Starter (Service)

fsrw.exe F-Secure Reg-Watch (System Control)

fssm32.exe Scanner Manager. Manages scanning engines

Virus & Spy Protection Services

F-Secure Management Agent Environment

• NET STOP/START FSMA: fameh32.exe, fsaw.exe, fch32.exe, fsih32.exe, fnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsdfwd.exe, fsrw.exe, fsguidll.exe

F-Secure Gatekeeper Environment

• NET STOP/START FSGKHS: fsgk32.exe, fsgk32st.exe, fssm32.exe

F-Secure Automatic Update Environment

• NET STOP/START FSBWSYS: fsbwsys.exe, F-Secure Automatic Update.exe

PRODUCT COMPONENTS

ServicesServices

InternetInternet Email Server

KernelKernel Firewall Driver Gatekeeper Driver

Gatekeeper Handler

Anti-Virus Handler

System Clean-upModule

Firewall Daemon

Management Agent

Email Scanning Module

Scanner Manager

Libra Orion

Draco AVP

Spyware Quarantine

System Control

Product Components

DesktopDesktop Email Client

User Interfaces

Browser Control Browser

HTTP Scanning Module

ServicesServices

DesktopDesktopEmail Client User Interfaces



Gatekeeper Handler

Anti-Virus Handler


Firewall Daemon

Management Agent


Scanner Manager

Libra Orion

Draco AVP

Browser Control

Spyware Quarantine

System Control

Real-Time Scanning:Clean File

1

2

3

4

5

ServicesServices




Gatekeeper Handler

Anti-Virus Handler


Firewall Daemon

Management Agent


Scanner Manager

Libra Orion

Draco AVP

Browser Control

Spyware Quarantine

System Control

Real-Time Scanning:Infected File

1

2

3

6

7

4

5

Gatekeeper Driver

fsgk.sys, fsrec.sys and

fsfilter.sys

• Provides the low-level file I/O for the user mode scanning (kernel mode)

• Intercepts and postpones file I/O request

• Posts scan request to Gatekeeper Handler (file or boot sector)

• Denies file access if file is infected

• Does not participate in the actual scanning

Email Server

Firewall Driver Gatekeeper Driver

Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager

Libra Orion Draco AVP

Spyware Quarantine

System Control

Email Client

User Interfaces

Browser Control BrowserHTTP

Scanning Module

Gatekeeper Handler

fsgk32.exe

• Handles communication between Kernel and user mode

• Receives real-time scan requests from Gatekeeper driver

• Assigns scanning tasks to Scanner Manager, sends databases to Scanner Manager

• Starts and initializes Scanner Manager

• Enables GKH API through FSMA

• Manages policies interfaceEmail Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

Scanner Manager

fssm32.exe

• Manages scan engines (sending scanning requests), isolated from framework

• Upon finding an infection, ScannerManager will decide which action to take

• Implements ”Black-listing” of files that caused crash of a scan engine to prevent crash-loops, etc.

• Calls System Clean-up Module and Spyware Quarantine when disinfection selected

• Handles locked filesEmail Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

Scanning Engines

dffpi.dll, avpproxy.dll, fslfpi.dll and lsse.dll• Perform the actual scanning of files as

requested by the Scanner Manager

• Scanning engines are DLLs loaded into scanner manager’s process space (provides a ”sandbox” environment)

• Orion is a binary scanning engine

• AVP Proxy is a binary scanning engine with an a large virus history coverage

• Libra is macro and script virus engine

• Draco handles spyware, tracking cookie removal and hosts file protection

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

System Clean-Up Module

fssc.fsd

• Handles special virus-specific cleanup actions.

• Called by Scan Manager every time an infection needs to be removed (disinfected)

• Calls secondary action lists

• Changes secondary action behaviour

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

Manual Scan:Virus vs. Spyware

ServicesServicesAnti-Virus Handler

Scanner Manager

Libra

Orion

Draco AVP

Spyware Quarantine

DesktopDesktopEmail Client User Interfaces Browser Control

RegistryFile System

File System

3 Detection

Clean File

File w/ Virus

Trojan

4

RemovalClean File

Clean File

5

3

2

1

Detection

HKEY_LOCAL_M…

HKEY_LOCAL_M…

4

Spyware File

Spyware File

5

Spyware File

Spyware File


Anti-Virus Handler

fsav32.exe• Handles on-demand scans

• Decides when is it be necessary to ask the user to restart the computer

• When such a decision has been made, an appropriate message will be sent to FSMUIAV

• Gatekeeper Handler will notify AVH about situations when a need to restart a computer arises

• Posts alerts to FSMA (which will forward the alerts as specified in its policy)

• Delivers database updates

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

User Interfaces

fsm32.exe

• F-Secure Manager (FSM) manages the GUI plug-ins

fsmuiav.dll

• Shows a dialog or message box to the user, asking the computer to be restarted when necessary.

• Invokes Scan Wizard and provides it with required information

fsuipx.dll• System Control UI Proxy

• Communication link between F-Secure System Control and GUI

fsawfsm.dll• Ad-Watch plug-in

• Communication link between F-Secure Browser Control and GUI

• Loads F-Secure Browser Control (fsaw.exe)

Spyware Quarantine

fsqrt.dll

• Generic component of F-Secure scanning services (currently only spyware)

• Scanners communicate with quarantine via FSSM

• Provides storage for removed objects (XML based database)

• Relies on Access Control Lists (ACLs) and user rights

• User needs administrative rights to clean system and add or restore objects

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

ServicesServices




Gatekeeper Handler

Anti-Virus Handler


Firewall Daemon

Management Agent


Scanner Manager

Libra Orion

Draco AVP

Browser Control

Spyware Quarantine

System Control

Email Scanning:Sending Email (SMTP)

4

1

2

3

5

6

ServicesServices




Gatekeeper Handler

Anti-Virus Handler


Firewall Daemon

Management Agent


Scanner Manager

Libra Orion

Draco AVP

Browser Control

Spyware Quarantine

System Control

Email Scanning:Receiving Email (POP & IMAP)

4

1

2

3

5

6

Firewall Driver

fsdfw.sys

• Catches all new outgoing e-mail connections and re-routes them to the E-Mail Scanning Module

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

Firewall Deamon and Email Scanning Module

fsdfwd.exe

• Starts F-Secure E-Mail Scanning Module (FSAVES)

• Receives re-routed e-mails from firewall engine

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

fsmirror.dll

• Detects possible e-mails being transmitted (either sent or received) and stores them temporary for scanning

• Sends e-mail path or memory address (depending on size) to F-Secure Scanner Manager (FSSM) module which starts scanning in the following order

Registry Watch (System Control)

fsrw.exe

• Does the actual registry monitoring

• Communicates with GUI through System Control UI Proxy (fsuipx.dll)

• Loaded through FSMA interface

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

Browser Control

ServicesServices


User Interfaces


Gatekeeper Handler

Anti-Virus Handler

Firewall Daemon

Management Agent


Scanner Manager

Libra Orion

Draco AVP

Browser Control

Spyware Quarantine

System Control

Browser


1

Ad-Watch (Browser Control)

fsaw.dll

• Lavasoft Ad-Watch module

• Does the actual blocking for IE Shield and Pop-up Blocker features

• Framework integration through F-Secure Browser Control (fsaw.exe)

• Settings, database and license handling

• Communication with GUI

• Loaded through FSM interface

• Running as user account

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

ServicesServices


User Interfaces


Gatekeeper Handler

Anti-Virus Handler


Firewall Daemon

Management Agent


Scanner Manager

Libra Orion

Draco AVP

Browser Control

Spyware Quarantine

System Control

Web Traffic Scanning

3

2

Browser


1

HTTP Scanner

fslsp.dll, fshttp.dll

• Loaded into the process space of the applications that uses HTTP (they are hooked into the WinSock DLL)

• HTTP scanner uses Scanner Manager for scanning via Gatekeeper

Email Server


Gatekeeper Handler

Anti-Virus Handler

Clean-up Module

Firewall Daemon

Management Agent


Scanner Manager


Spyware Quarantine

System Control

Email Client

User Interfaces


Scanning Module

Summary

In this module

• Processes and services

• Product components

• Message flow during various scan operations

Download - VIRUS AND SPY PROTECTION ARCHITECTURE

Top Related