Virus and Spy Protection Architecture


Post on 11-Jan-2016


  • VIRUS AND SPY PROTECTION ARCHITECTURE

    Agenda

    In this module:
    - Processes and services
    - Product components
    - Message flow during various scan operations

  • PROCESSES AND SERVICES

    AVCS Processes

    - F-Secure Management Agent: fameh32.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsguidll.exe
    - F-Secure Virus & Spy Protection: fsav32.exe, fsaw.exe, fsgk32.exe, fsgk32st.exe, fsdfwd.exe, fsqh.exe, fsrw.exe, fssm32.exe
    - F-Secure Automatic Update Agent: fsbwsys.exe, F-Secure Automatic Update.exe

    Processes: FSMA

    - fsm32.exe: F-Secure Manager, displays the F-Secure tray icon
    - fsma32.exe: F-Secure Management Agent (Service)
    - fsmb32.exe: Message Broker, processes communication between the different modules and products
    - fsnrb32.exe: Handles the communication between the hosts and the PMS
    - fameh32.exe: Alert and Messaging Handler, handles alert and log forwarding
    - fch32.exe: Configuration Handler, reads the base policy files and writes the incremental policy files
    - fsih32.exe: Installation Handler, launches ilaunchr.exe during installations

    Processes: Virus & Spy Protection

    - fsav32.exe: Anti-Virus Handler
    - fsaw.exe: F-Secure Ad-Watch (Browser Control)
    - fsdfwd.exe: Anti-Virus Firewall Daemon, redirects e-mails to the Scanner Manager (Service)
    - fsqh.exe: Handles object quarantine
    - fsgk32.exe: Gatekeeper Handler, receives real-time scan requests from the Gatekeeper
    - fsgk32st.exe: Gatekeeper Handler Starter (Service)
    - fsrw.exe: F-Secure Reg-Watch (System Control)
    - fssm32.exe: Scanner Manager, manages the scanning engines

    Virus & Spy Protection Services

    - F-Secure Management Agent Environment (NET STOP/START FSMA): fameh32.exe, fsaw.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsdfwd.exe, fsrw.exe, fsguidll.exe
    - F-Secure Gatekeeper Environment (NET STOP/START FSGKHS): fsgk32.exe, fsgk32st.exe, fssm32.exe
    - F-Secure Automatic Update Environment (NET STOP/START FSBWSYS): fsbwsys.exe, F-Secure Automatic Update.exe

  • PRODUCT COMPONENTS

    Product Components

    [Architecture diagram. Services side: Kernel (Firewall Driver, Gatekeeper Driver); Gatekeeper Handler, Anti-Virus Handler, System Clean-up Module, Firewall Daemon, Management Agent, Email Scanning Module, Scanner Manager; scanning engines Libra, Orion, Draco and AVP; Spyware Quarantine, System Control. Desktop side: Email Client, User Interfaces, Browser Control, Browser, HTTP Scanning Module. External: Internet, Email Server.]

    Real-Time Scanning: Clean File

    [Message-flow diagram over the Product Components architecture, showing the path taken when a real-time scan finds a clean file.]

    Real-Time Scanning: Infected File

    [Message-flow diagram over the Product Components architecture, showing the path taken when a real-time scan finds an infected file.]

    Gatekeeper Driver (fsgk.sys, fsrec.sys and fsfilter.sys)

    - Provides the low-level file I/O for the user-mode scanning (kernel mode)
    - Intercepts and postpones the file I/O request
    - Posts a scan request (file or boot sector) to the Gatekeeper Handler
    - Denies file access if the file is infected
    - Does not participate in the actual scanning


    Gatekeeper Handler (fsgk32.exe)

    - Handles communication between kernel and user mode
    - Receives real-time scan requests from the Gatekeeper driver
    - Assigns scanning tasks to the Scanner Manager and sends databases to it
    - Starts and initializes the Scanner Manager
    - Enables the GKH API through FSMA
    - Manages the policies interface


    Scanner Manager (fssm32.exe)

    - Manages the scan engines (sends them scanning requests); isolated from the framework
    - Upon finding an infection, decides which action to take
    - Implements black-listing of files that caused a scan engine to crash, so the same file cannot trigger a crash loop
    - Calls the System Clean-up Module and Spyware Quarantine when disinfection is selected
    - Handles locked files


    Scanning Engines (dffpi.dll, avpproxy.dll, fslfpi.dll and lsse.dll)

    - Perform the actual scanning of files as requested by the Scanner Manager
    - The engines are DLLs loaded into the Scanner Manager's process space, which provides a sandbox environment
    - Orion is a binary scanning engine
    - AVP Proxy is a binary scanning engine with large virus-history coverage
    - Libra is the macro and script virus engine
    - Draco handles spyware, tracking-cookie removal and hosts-file protection
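    The on-access message flow described on the Gatekeeper Driver, Gatekeeper Handler, Scanner Manager and Scanning Engines slides, as an added Python model that is not F-Secure code: the class names, the engine stubs standing in for the Orion/AVP/Libra/Draco DLLs, the SHA-256-keyed blacklist and the fail_closed option are all assumptions. It shows the driver holding a file I/O request until a verdict comes back, and the manager's black-list stopping a crash loop on the second access to an object that faulted an engine.

```python
"""On-access scan message flow: Gatekeeper Driver -> Gatekeeper Handler ->
Scanner Manager -> engines -> verdict back to the driver.
Added illustration, not F-Secure code; the engine stubs, class names and the
per-engine blacklist keyed by SHA-256 are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class EngineCrash(Exception):
    """Constructed stand-in for a scan engine faulting on a malformed object."""


# Constructed engine stubs standing in for the engine DLLs. Each receives the
# object's bytes and returns True on a "detection".
def orion_stub(data: bytes) -> bool:          # binary engine
    return b"CONSTRUCTED-BINARY-SIGNATURE" in data


def libra_stub(data: bytes) -> bool:          # macro/script engine
    return b"Sub AutoOpen()" in data


def fragile_stub(data: bytes) -> bool:        # engine that crashes on one input
    if data.startswith(b"\xff\xfe\x00CORRUPT"):
        raise EngineCrash("parser fault")
    return False


@dataclass
class ScanResult:
    verdict: str                                          # "clean", "infected" or "error"
    detections: List[str] = field(default_factory=list)   # engines that detected
    crashed: List[str] = field(default_factory=list)      # engines that faulted now
    skipped: List[str] = field(default_factory=list)      # engines skipped via blacklist


class ScannerManager:
    """fssm32.exe role: runs every engine over the object and blacklists an
    (engine, object-hash) pair after a crash so the same object cannot
    crash-loop that engine on the next access."""

    def __init__(self, engines: Dict[str, Callable[[bytes], bool]]):
        self.engines = engines
        self.blacklist: Dict[str, Set[str]] = {name: set() for name in engines}
        self.crash_count = 0

    def scan(self, data: bytes) -> ScanResult:
        digest = hashlib.sha256(data).hexdigest()
        result = ScanResult(verdict="clean")
        for name, engine in self.engines.items():
            if digest in self.blacklist[name]:
                result.skipped.append(name)
                continue
            try:
                if engine(data):
                    result.detections.append(name)
            except EngineCrash:
                # The real engines run inside the manager's process space; the
                # try/except here plays the part of that isolation boundary.
                self.crash_count += 1
                self.blacklist[name].add(digest)
                result.crashed.append(name)
        if result.detections:
            result.verdict = "infected"
        elif result.crashed or result.skipped:
            result.verdict = "error"      # nothing found, but coverage was incomplete
        return result


class GatekeeperHandler:
    """fsgk32.exe role: receives the driver's request and dispatches it to the manager."""

    def __init__(self, manager: ScannerManager):
        self.manager = manager

    def handle(self, request: dict) -> ScanResult:
        return self.manager.scan(request["data"])


class GatekeeperDriver:
    """fsgk.sys role: holds the file I/O until the handler answers. The slide only
    says access is denied for infected files; fail_closed (an assumption) also
    denies when no complete verdict could be reached."""

    def __init__(self, handler: GatekeeperHandler, fail_closed: bool = False):
        self.handler = handler
        self.fail_closed = fail_closed

    def intercept(self, path: str, data: bytes) -> str:
        result = self.handler.handle({"path": path, "data": data})
        if result.verdict == "infected":
            return "denied"
        if result.verdict == "error" and self.fail_closed:
            return "denied"
        return "allowed"


def build_stack(fail_closed: bool = False):
    manager = ScannerManager({"orion": orion_stub, "libra": libra_stub,
                              "fragile": fragile_stub})
    return manager, GatekeeperDriver(GatekeeperHandler(manager), fail_closed)


if __name__ == "__main__":
    manager, driver = build_stack()
    samples = {                                   # constructed sample objects
        "report.exe": b"MZ\x90\x00 plain program bytes",
        "invoice.doc": b"...Sub AutoOpen()...",
        "broken.bin": b"\xff\xfe\x00CORRUPT trailing bytes",
    }
    for _ in range(2):    # second pass shows the blacklist suppressing the crash
        for path, data in samples.items():
            print(path, driver.intercept(path, data), "crashes so far:", manager.crash_count)
```

    Running the demo twice over the same three constructed objects shows the fragile engine faulting once and then being skipped for that object only; the other engines still scan it. Whether an incomplete verdict should deny access is a deployment choice the slides do not state, which is why it is an explicit fail_closed flag here.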


    System Clean-Up Module (fssc.fsd)

    - Handles special virus-specific cleanup actions
    - Called by the Scanner Manager every time an infection needs to be removed (disinfected)
    - Calls secondary action lists
    - Changes secondary action behaviour


    Manual Scan: Virus vs. Spyware

    [Message-flow diagram. Services side: Anti-Virus Handler, Scanner Manager, the Libra, Orion, Draco and AVP engines, Spyware Quarantine and System Clean-up Module. Desktop side: Email Client, User Interfaces, Browser Control. Scan targets: the Registry and the File System.]

    Anti-Virus Handler (fsav32.exe)

    - Handles on-demand scans
    - Decides when it is necessary to ask the user to restart the computer; when such a decision has been made, an appropriate message is sent to FSMUIAV
    - The Gatekeeper Handler notifies AVH of situations in which a restart of the computer becomes necessary
    - Posts alerts to FSMA (which forwards the alerts as specified in its policy)
    - Delivers database updates


    User Interfaces

    - fsm32.exe: F-Secure Manager (FSM), manages the GUI plug-ins
    - fsmuiav.dll: Shows a dialog or message box to the user, asking for the computer to be restarted when necessary; invokes the Scan Wizard and provides it with the required information
    - fsuipx.dll: System Control UI Proxy, the communication link between F-Secure System Control and the GUI
    - fsawfsm.dll: Ad-Watch plug-in, the communication link between F-Secure Browser Control and the GUI; loads F-Secure Browser Control (fsaw.exe)

    Spyware Quarantine (fsqrt.dll)

    - Generic component of the F-Secure scanning services (currently used only for spyware)
    - Scanners communicate with the quarantine via FSSM
    - Provides storage for removed objects (XML-based database)
    - Relies on Access Control Lists (ACLs) and user rights
    - The user needs administrative rights to clean the system and to add or restore objects
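    A small model of the Spyware Quarantine slide, added here as an illustration and not taken from fsqrt.dll or any F-Secure source: the directory layout, the XML attribute names, the byte obfuscation of stored objects and the is_admin flag (standing in for the ACL and user-rights checks the slide mentions) are assumptions. It shows an object being moved into an XML-indexed store, the add and restore operations refusing a non-administrative caller, and a hash check on restore so a tampered quarantine file is never written back.

```python
"""Quarantine model: an XML-based store of removed objects where adding and
restoring require administrative rights.
Added illustration, not fsqrt.dll code; layout, attribute names, the XOR
obfuscation and the is_admin flag are assumptions."""
import hashlib
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


class QuarantineStore:
    def __init__(self, root: str):
        self.objects_dir = os.path.join(root, "objects")
        self.db_path = os.path.join(root, "quarantine.xml")
        os.makedirs(self.objects_dir, exist_ok=True)
        if not os.path.exists(self.db_path):
            ET.ElementTree(ET.Element("quarantine")).write(self.db_path)

    @staticmethod
    def _require_admin(is_admin: bool) -> None:
        # The real component relies on ACLs and user rights; a flag stands in here.
        if not is_admin:
            raise PermissionError("administrative rights required")

    def _load(self) -> ET.ElementTree:
        return ET.parse(self.db_path)

    def add(self, path: str, detection: str, *, is_admin: bool) -> str:
        """Move the object into quarantine and record it; returns its SHA-256 id."""
        self._require_admin(is_admin)
        original = os.path.abspath(path)
        with open(original, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()
        # Every byte is XORed with 0xFF so the stored copy is no longer a
        # runnable program or parsable document if it is ever opened directly.
        with open(os.path.join(self.objects_dir, digest + ".qtn"), "wb") as f:
            f.write(bytes(b ^ 0xFF for b in data))
        os.remove(original)
        tree = self._load()
        ET.SubElement(tree.getroot(), "object", id=digest, original_path=original,
                      detection=detection,
                      added=datetime.now(timezone.utc).isoformat())
        tree.write(self.db_path)
        return digest

    def entries(self) -> list:
        return [dict(e.attrib) for e in self._load().getroot().findall("object")]

    def restore(self, digest: str, *, is_admin: bool) -> str:
        """Put the object back at its original path; returns that path."""
        self._require_admin(is_admin)
        tree = self._load()
        root = tree.getroot()
        entry = root.find(f"object[@id='{digest}']")   # digest is hex, safe in XPath
        if entry is None:
            raise KeyError(digest)
        stored = os.path.join(self.objects_dir, digest + ".qtn")
        with open(stored, "rb") as f:
            data = bytes(b ^ 0xFF for b in f.read())
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("quarantined object was tampered with")
        original = entry.get("original_path")
        os.makedirs(os.path.dirname(original), exist_ok=True)
        with open(original, "wb") as f:
            f.write(data)
        os.remove(stored)
        root.remove(entry)
        tree.write(self.db_path)
        return original


def demo() -> dict:
    """Constructed walk-through on a throwaway directory; returns the outcomes."""
    workdir = tempfile.mkdtemp()
    store = QuarantineStore(os.path.join(workdir, "quarantine"))
    path = os.path.join(workdir, "helper.dll")
    payload = b"CONSTRUCTED tracking-cookie helper bytes"   # constructed sample object
    with open(path, "wb") as f:
        f.write(payload)
    out = {}
    try:
        store.add(path, "Tracker.Constructed", is_admin=False)
        out["non_admin_blocked"] = False
    except PermissionError:
        out["non_admin_blocked"] = os.path.exists(path)   # object untouched
    digest = store.add(path, "Tracker.Constructed", is_admin=True)
    out["removed_from_disk"] = not os.path.exists(path)
    out["detections"] = [e["detection"] for e in store.entries()]
    restored = store.restore(digest, is_admin=True)
    with open(restored, "rb") as f:
        out["round_trip_ok"] = f.read() == payload
    out["left_in_quarantine"] = len(store.entries())
    shutil.rmtree(workdir)
    return out


if __name__ == "__main__":
    print(demo())
```

    The XML index holds the metadata (original path, detection name, time added) while the object bytes live in a separate file named by their hash; keeping the two apart is what lets restore verify the object before writing it back, and on a real system the objects directory is where the ACLs the slide mentions would be applied.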


    Email Scanning: Sending Email (SMTP)

    [Message-flow diagram over the Product Components architecture, showing the path of outgoing SMTP e-mail through the Email Scanning Module.]

    Email Scanning: Receiving Email (POP & IMAP)

    [Message-flow diagram over the Product Components architecture, showing the path of incoming POP and IMAP e-mail through the Email Scanning Module.]

    Firewall Driver (fsdfw.sys)

    - Catches all new outgoing e-mail connections and re-routes them to the E-Mail Scanning Module


    Firewall Daemon and Email