OPSWAT Presentation
for XXX
Month Date, Year
OPSWAT & ____________
Agenda
Overview of OPSWAT
Multi-scanning with Metascan
Controlling Data Workflow with Metadefender
Questions
OPSWAT at a Glance
Company
Established 2002
Private, profitable and growing
Head office in San Francisco, California
Products
Multi-scanning – Metascan® and Metadefender®
Security Application Manageability – OESIS® & AppRemover
Secure Virtual Desktop Isolation Technology
GEARS – Network Manageability
Customers
Governments, CERTs, Finance, Utilities, [esp. Nuclear], Military
OEMs – SSL VPN, NAC Management services, Support Tools
Customer Verticals
Network Compliance and Vulnerability Assessment
Support Tools
SSL VPN and NAC
Government
Managed Services
Higher Ed and Corporations
Metascan
Scan Files with Multiple
Antivirus Engines
Why Multi-scanning?
Too much malware, insufficient
detection
The Reality
Insufficient detection by any one AV product
Metascan
Multiple engine malware scanning technology
Over 220,000 new malware
variants appear every day
The rapid growth in the amount of malware
continues to accelerate
No AV vendor can keep up with the number of new
malware variants
http://www.av-test.org/en/statistics/malware/
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
Measuring Antivirus Capabilities
Much variation between different anti-malware engines
Detection Rate vs. False Positives for 19 Engines
[Chart: Detection Rate (91.00%–100.00%) and False Positives (0–40) plotted for engines 1–19]
Source: AV Comparatives
September 2012
Illustrating The Decreased Outbreak Detection Time
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks.
No vendor detects every outbreak.
Only by combining six engines in a multiscanning solution are outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase further.
[Graph legend: Zero hour detection; 5 min to 5 days; No detection at 5 days]
Geographic Distribution of Antivirus Engines
Performance by the numbers
The scan time is much shorter than the sum of the individual scans
[Chart: Presumed Scan Time for 1 engine, 3 engines and 8 engines, by file type: PDF, EXE, JPG, OTHER]
What is Metascan?
Multi-scanning engine
A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture
Supports 0 to 30 anti-malware engines [and growing!]
Simultaneously scans files with all engines
Scan directories, files, archives, buffers, and boot sector
Automatic online definition updates or manual offline updates
Metascan vs Traditional Antivirus Engines
Metascan integrates multiple engines that are optimized to work together on the same system
Metascan does not provide Real Time Protection (RTP) like many traditional antivirus engines; all scanning is done on demand
What is Metascan?
Multi-scanning engine
Flexible and scalable API driven solution
Many programming Interfaces –
C++
Java
PHP
C#/ASP.NET
RESTful (Web API)/HTTP
CLI [command line interface]
ICAP
Analyzes files locally on a single server or remotely from Windows or Linux systems
Metascan
Who uses Metascan?
Analysts who research threats in binaries
CERTs (Computer Emergency Response/Readiness Teams)
Government agencies
Federal and State Law enforcement agencies
Computer forensic analysts
IT security managers who seek to control data flow
Files from public facing sharing/upload sites
Data moving across internal security domains
Detect infected attachments
Independent software vendors seeking to identify
threats in their binaries
False positives
Accidental infections
Metascan Features
Manual (Offline) Updates – ZIP file
Engine Definition updates
Download the package (.zip) from an Internet connected system
Transfer the file to a system in the offline network and use the Metascan Management Console or the
Metascan Management Station to “push” to multiple servers
Metascan
Standard packages
In addition to our standard offerings, the engines listed below may be added to create custom packages
Metadefender
Securing Data Flows into/out of
Organizations
Why Metadefender?
Peripheral media cannot be trusted
Why Metadefender?
Peripheral media is an easy attack vector
Surveys show that 10% to 25% of malware is spread
via USB (Sources: ESET & Panda)
Autorun viruses are easy to create
Instructions to create a virus are easily found
online
The US Department of Defense banned peripherals
entirely in 2008 after an outbreak of the SillyFDC
worm which was spread by removable media
Why Metadefender?
Metadefender use cases
USBs are the most effective way to deliver malware
into a company
USBs bypass network security and deliver malware
directly to the endpoint
Contractors and visiting vendors accidentally bring
in malware on USB
Software updates and upgrades brought into secure
networks on DVDs have contained malware
Banks and other financial institutions are attacked
with USBs dropped in parking lots that employees pick
up and insert in their work computers. (human
curiosity?)
Advanced attacks mail infected USBs to employees as
gifts
What is Metadefender?
Metadefender allows customers to define data security policies for their users to prevent the
introduction of malware to a corporate network through portable media
Define multiple policies for different users or groups of users
Process files to determine if they are a threat
Take the appropriate actions on both allowed and blocked files
Optionally include Multi-scanning by Metascan
Metadefender
Features
Multi-Step Process to Secure Network
User Authentication
File Type Filtering
Scanning with Metascan
Scan look up by SHA256 hash value
File Type Conversions
Including embedded object removal
Enhanced Post-Processing
Metadefender System Restore after each session
to ensure system integrity
Metadefender and Metascan
The Metascan multi-scanning server can be integrated as part of the Metadefender security
workflow
Metascan can be installed on the same system as Metadefender or can be on its own dedicated
system
Multiple Metadefender systems can use a single Metascan for multi-scanning
Metadefender
Who uses Metadefender?
Highly Secure facilities that host outside
visitors/contractors
Government Agencies
Power Plants / Nuclear Facilities
IT security managers who seek to control
physical media
Banks
Investment companies
Any company concerned about physical
media-based malware infections
How Metadefender is commonly used
Data workflow controls
Create a process ( workflow ) to control
data coming into and out of your
organization.
Example:
Scan the contents of peripherals using multiple
AV engines
Require visitors to put all content onto a
provided USB – then scan the content for
malware with multiple AV engines
Convert selected data types
Convert files to jpeg or png to eliminate
threats in original file
Block selected file types
Metadefender Delivery
Metadefender is delivered in two formats:
Software to deploy on any system that meets Metadefender’s requirements
Kiosk with Metadefender pre-installed and configured
Metadefender Deployment Options
Choosing the best for your security needs
Product Deployment Options
Standalone Systems with no Network connectivity
In this deployment option, Metadefender kiosks have both the
Metascan server and the Metadefender client installed and have no
network connection. Virus definition updates are downloaded from a
system connected to the Internet and copied to physical media to
be transferred to each Metadefender kiosk.
Pros
No network connection required
Cons
Updating virus definitions requires physically bringing media (USB
drive/DVD/CD) to each kiosk and applying the update on each one
Product Deployment Options
Standalone Systems with Metascan Management Station
In this deployment option, a Metascan Management Station is installed on a
dedicated system that has network connection to each Metadefender kiosk.
The Metadefender kiosks have both the Metascan server and the Metadefender
client installed and have network connection to Metascan Management Station
only. Virus definition updates are downloaded on the system with the
Metascan Management Station installed, and updates are applied to the
Metadefender kiosks via the Metascan Management Station.
Pros
Easier to deploy than standalone systems with no network connectivity
Cons
Requires network connectivity between each kiosk and the Metascan
Management Station
Definition updates need to be transferred over the network
Requires an additional system for the Metascan Management Station
Product Deployment Options
Distributed Systems (Metascan Server Offline)
In a distributed system, Metadefender kiosks have only the Metadefender
client installed. The Metascan server is installed on a dedicated system.
In this deployment option, the Metascan server does not have access to the
Internet, and Metadefender kiosks have network connection to the Metascan
server only. Virus definition updates are downloaded on a system with
connection to the Internet and manually transferred and applied to the
Metascan server.
Pros
Only requires deploying virus definition updates to a single Metascan
server
The Metascan server can be higher powered to allow for higher scan
throughput
Cons
Requires network connectivity between each kiosk and the Metascan server
All files being scanned will be transferred over the network
Product Deployment Options
Distributed Systems (Metascan Server Online)
In a distributed system, Metadefender kiosks have only the Metadefender
client installed. The Metascan server is installed on a dedicated system.
In this deployment option, the Metascan server has access to the Internet,
and Metadefender kiosks have network connection to the Metascan server
only. Because of Internet connectivity, virus definitions automatically
update on the Metascan server.
Pros
Virus definition updates are applied automatically to the Metascan server
The Metascan server can be higher powered to allow for higher scan
throughput
Cons
Requires network connectivity between each kiosk and the Metascan server
All files being scanned will be transferred over the network
Requires Internet connection for the Metascan server
Support
OPSWAT provides three levels of support
Basic Support - Free
Premium Support – 18% of license cost
Platinum Support – 25% of license cost
Support
Premium Support
What is covered by Premium support?
Phone support, 9 am to 6 pm PST Monday – Friday
Support Account Manager
Quarterly conference call reviews
For details of what is covered by each
level of support see the Support page on
the OPSWAT website
Support
Platinum Support
What is covered by Platinum support?
(Everything in Premium support)
24/7 Phone support
Quarterly Meetings with Engineering and Product
Management
Prioritized enhancement requests
For details of what is covered by each
level of support see the Support page on
the OPSWAT website
Questions?