VIRUS AND SPY PROTECTION ARCHITECTURE
Page 2
Agenda
In this module
• Processes and services
• Product components
• Message flow during various scan operations
PROCESSES AND SERVICES
Page 4
AVCS Processes
F-Secure Management Agent
• fameh32.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsguidll.exe
F-Secure Virus & Spy Protection
• fsav32.exe, fsaw.exe, fsgk32.exe, fsgk32st.exe, fsdfwd.exe, fsqh.exe, fsrw.exe, fssm32.exe
F-Secure Automatic Update Agent
• fsbwsys.exe, F-Secure Automatic Update.exe
Page 5
Processes: FSMA
fsm32.exe F-Secure Manager, displays the F- tray icon
fsma32.exe F-Secure Management Agent (Service)
fsmb32.exe Message Broker, processes communication between the different modules & products
fsnrb32.exe Handles the communication between the hosts and the PMS
fameh32.exe Alert and Messaging Handler, handles alert and log forwarding
fch32.exe Configuration Handler, reads the base policy files and writes the incremental policy files
fsih32.exe Installation Handler. Launches ilaunchr.exe during installations
Page 6
Processes: Virus & Spy Protection
fsav32.exe Anti-Virus Handler
fsaw.exe F-Secure Ad-Watch (Browser Control)
fsdfwd.exe Anti-Virus Firewall Daemon. Redirects e-mails to the Scanner Manager (Service)
fsqh.exe Handles object quarantine
fsgk32.exe Gatekeeper Handler. Receives real-time scan requests from the Gatekeeper
fsgk32st.exe Gatekeeper Handler Starter (Service)
fsrw.exe F-Secure Reg-Watch (System Control)
fssm32.exe Scanner Manager. Manages scanning engines
Page 7
Virus & Spy Protection Services
F-Secure Management Agent Environment
• NET STOP/START FSMA: fameh32.exe, fsaw.exe, fch32.exe, fsih32.exe, fsnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsdfwd.exe, fsrw.exe, fsguidll.exe
F-Secure Gatekeeper Environment
• NET STOP/START FSGKHS: fsgk32.exe, fsgk32st.exe, fssm32.exe
F-Secure Automatic Update Environment
• NET STOP/START FSBWSYS: fsbwsys.exe, F-Secure Automatic Update.exe
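A health check for the three service environments listed above, added here as an example and not part of the F-Secure training material. The service names, process names and kernel driver file names are the ones the slides give; it assumes Get-Process reports each executable by its file name without .exe and that each driver's PathName ends in the .sys name from the slides.

```powershell
# Added example: verify that each F-Secure service environment is running and
# that every process the slides assign to it is actually alive. A service that
# reports Running while its handler processes are gone is the case an admin
# most wants to notice (real-time scanning silently off, mail no longer re-routed).
$Expected = @{
    'FSMA'    = @('fameh32','fsaw','fch32','fsih32','fsnrb32','fsm32',
                  'fsma32','fsmb32','fsdfwd','fsrw','fsguidll')
    'FSGKHS'  = @('fsgk32','fsgk32st','fssm32')
    'FSBWSYS' = @('fsbwsys','F-Secure Automatic Update')
}
# Kernel drivers named on the later slides (Gatekeeper and Firewall drivers).
$Drivers = @('fsgk.sys','fsrec.sys','fsfilter.sys','fsdfw.sys')

# Assumption: process names are the executable names without the .exe suffix.
$running = (Get-Process).Name | Sort-Object -Unique

$report = foreach ($svc in $Expected.Keys) {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state   = if ($service) { $service.Status } else { 'NOT INSTALLED' }
    $missing = $Expected[$svc] | Where-Object { $_ -notin $running }
    [pscustomobject]@{
        Service          = $svc
        Status           = $state
        MissingProcesses = ($missing -join ', ')
    }
}
$report | Format-Table -AutoSize

# Driver check. Assumption: the driver's PathName ends with the .sys file name;
# the CIM Name field is the driver service name and may differ from the file name.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and ($Drivers -contains [IO.Path]::GetFileName($_.PathName)) } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

Run from an elevated PowerShell session; Get-Process does not see processes owned by other users otherwise, which would produce false "missing" entries.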
PRODUCT COMPONENTS
Page 9
[Diagram: Product Components. Desktop layer: Email Client, User Interfaces, Browser, Browser Control, HTTP Scanning Module. Services layer: Gatekeeper Handler, Anti-Virus Handler, System Clean-up Module, Firewall Daemon, Management Agent, Email Scanning Module, Scanner Manager (engines Libra, Orion, Draco, AVP), Spyware Quarantine, System Control. Kernel layer: Firewall Driver, Gatekeeper Driver. Internet: Email Server.]
Page 10
[Diagram: Real-Time Scanning: Clean File. Steps 1 to 5 drawn on the product components diagram.]
Page 11
[Diagram: Real-Time Scanning: Infected File. Steps 1 to 7 drawn on the product components diagram.]
Page 12
Gatekeeper Driver
fsgk.sys, fsrec.sys and fsfilter.sys
• Provides the low-level file I/O for the user mode scanning (kernel mode)
• Intercepts and postpones file I/O requests
• Posts scan requests to the Gatekeeper Handler (file or boot sector)
• Denies file access if the file is infected
• Does not participate in the actual scanning
Page 13
Gatekeeper Handler
fsgk32.exe
• Handles communication between Kernel and user mode
• Receives real-time scan requests from Gatekeeper driver
• Assigns scanning tasks to Scanner Manager, sends databases to Scanner Manager
• Starts and initializes Scanner Manager
• Enables GKH API through FSMA
• Manages policies interface
Page 14
Scanner Manager
fssm32.exe
• Manages scan engines (sending scanning requests), isolated from framework
• Upon finding an infection, ScannerManager will decide which action to take
• Implements ”Black-listing” of files that caused crash of a scan engine to prevent crash-loops, etc.
• Calls System Clean-up Module and Spyware Quarantine when disinfection selected
• Handles locked files
Page 15
Scanning Engines
dffpi.dll, avpproxy.dll, fslfpi.dll and lsse.dll
• Perform the actual scanning of files as requested by the Scanner Manager
• Scanning engines are DLLs loaded into the Scanner Manager's process space (provides a "sandbox" environment)
• Orion is a binary scanning engine
• AVP Proxy is a binary scanning engine with a large virus history coverage
• Libra is a macro and script virus engine
• Draco handles spyware, tracking cookie removal and hosts file protection
Page 16
System Clean-Up Module
fssc.fsd
• Handles special virus-specific cleanup actions.
• Called by Scan Manager every time an infection needs to be removed (disinfected)
• Calls secondary action lists
• Changes secondary action behaviour
Page 17
Manual Scan: Virus vs. Spyware
[Diagram: Manual Scan: Virus vs. Spyware. Components shown: Anti-Virus Handler, Scanner Manager with engines Libra, Orion, Draco, AVP, Spyware Quarantine, System Clean-up Module, Email Client, User Interfaces, Browser Control, Registry (HKEY_LOCAL_M…) and File System. Virus path, steps 1 to 5: 3 Detection (Clean File / File w/ Virus / Trojan), 4 Removal, 5 Clean File. Spyware path, steps 1 to 5: Detection of Spyware File, then Spyware File handling.]
Page 18
Anti-Virus Handler
fsav32.exe
• Handles on-demand scans
• Decides when it is necessary to ask the user to restart the computer
• When such a decision has been made, an appropriate message is sent to FSMUIAV
• Gatekeeper Handler notifies AVH about situations in which a computer restart is needed
• Posts alerts to FSMA (which forwards the alerts as specified in its policy)
• Delivers database updates
Page 19
User Interfaces
fsm32.exe
• F-Secure Manager (FSM) manages the GUI plug-ins
fsmuiav.dll
• Shows a dialog or message box asking the user to restart the computer when necessary
• Invokes the Scan Wizard and provides it with the required information
fsuipx.dll
• System Control UI Proxy
• Communication link between F-Secure System Control and the GUI
fsawfsm.dll
• Ad-Watch plug-in
• Communication link between F-Secure Browser Control and the GUI
• Loads F-Secure Browser Control (fsaw.exe)
Page 20
Spyware Quarantine
fsqrt.dll
• Generic component of F-Secure scanning services (currently only spyware)
• Scanners communicate with quarantine via FSSM
• Provides storage for removed objects (XML based database)
• Relies on Access Control Lists (ACLs) and user rights
• User needs administrative rights to clean system and add or restore objects
Page 21
Email Scanning: Sending Email (SMTP)
[Diagram: Email Scanning: Sending Email (SMTP). Steps 1 to 6 drawn on the product components diagram.]
Page 22
Email Scanning: Receiving Email (POP & IMAP)
[Diagram: Email Scanning: Receiving Email (POP & IMAP). Steps 1 to 6 drawn on the product components diagram.]
Page 23
Firewall Driver
fsdfw.sys
• Catches all new outgoing e-mail connections and re-routes them to the E-Mail Scanning Module
Page 24
Firewall Daemon and Email Scanning Module
fsdfwd.exe
• Starts F-Secure E-Mail Scanning Module (FSAVES)
• Receives re-routed e-mails from firewall engine
fsmirror.dll
• Detects e-mails being transmitted (either sent or received) and stores them temporarily for scanning
• Sends the e-mail path or memory address (depending on size) to the F-Secure Scanner Manager (FSSM) module, which starts scanning in the following order
Page 25
Registry Watch (System Control)
fsrw.exe
• Does the actual registry monitoring
• Communicates with GUI through System Control UI Proxy (fsuipx.dll)
• Loaded through FSMA interface
Page 26
Browser Control
[Diagram: Browser Control. Step 1 drawn on the product components diagram between Browser, HTTP Scanning Module and Browser Control.]
Page 27
Ad-Watch (Browser Control)
fsaw.dll
• Lavasoft Ad-Watch module
• Does the actual blocking for IE Shield and Pop-up Blocker features
• Framework integration through F-Secure Browser Control (fsaw.exe)
• Settings, database and license handling
• Communication with GUI
• Loaded through FSM interface
• Running as user account
Page 28
Web Traffic Scanning
[Diagram: Web Traffic Scanning. Steps 1 to 3 drawn on the product components diagram between Browser, HTTP Scanning Module and the scanning services.]
Page 29
HTTP Scanner
fslsp.dll, fshttp.dll
• Loaded into the process space of the applications that use HTTP (they are hooked into the WinSock DLL)
• The HTTP scanner uses the Scanner Manager for scanning via the Gatekeeper
Page 30
Summary
In this module
• Processes and services
• Product components
• Message flow during various scan operations