OPSWAT Presentation for XXX

Presentation transcript:

OPSWAT Presentation for XXX Month Date, Year

OPSWAT & ____________
Agenda
- Overview of OPSWAT
- Multi-scanning with Metascan
- Controlling Data Workflow with Metadefender
- Questions

OPSWAT at a Glance
Company
- Established 2002
- Private, profitable and growing
- Head office in San Francisco, California
Products
- Multi-scanning – Metascan® and Metadefender®
- Security Application Manageability – OESIS® & AppRemover
- Secure Virtual Desktop Isolation Technology
- GEARS – Network Manageability
Customers
- Governments, CERTs, Finance, Utilities, [esp. Nuclear], Military
- OEMs – SSL VPN, NAC Management services, Support Tools

Customer Verticals
- SSL VPN and NAC
- Managed Services
- Support Tools
- Network Compliance and Vulnerability Assessment
- Government
- Higher Ed and Corporations

Metascan Scan Files with Multiple Antivirus Engines

Why Multi-scanning? Too much malware, insufficient detection

Metascan: Multiple engine malware scanning technology
The Reality: Insufficient detection by any one AV product
- Over 220,000 new malware variants appear every day (http://www.av-test.org/en/statistics/malware/)
- The rapid growth in the amount of malware continues to accelerate
- No AV vendor can keep up with the number of new malware variants
- “Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.” (http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity)
- AV-Test.org registers over 220,000 new malicious programs every day.

Measuring Antivirus Capabilities
Much variation between different anti-malware engines
[Chart: Detection Rate vs. False Positives for 19 Engines. Source: AV Comparatives, September 2012]

Illustrating The Decreased Outbreak Detection Time
This graph shows the time between malware outbreak and AV detection by six AV engines for 75 outbreaks. No vendor detects every outbreak. Only by combining six engines in a multiscanning solution are outbreaks detected quickly. By adding additional engines, zero hour detection rates increase further.
[Graph legend: Zero hour detection; 5 min to 5 days; No detection at 5 days]

Geographic Distribution of Antivirus Engines

Performance by the numbers
The scan time is much shorter than the sum of the individual scans
[Chart: Presumed Scan Time for 1 engine, 3 engines and 8 engines, by file type: PDF, EXE, JPG, OTHER]

What is Metascan? Multi-scanning engine
A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture
- Supports 0 to 30 anti-malware engines [and growing!]
- Simultaneously scans files with all engines
- Scan directories, files, archives, buffers, and boot sector
- Automatic online definition updates or manual offline updates
- ICAP functionality

Metascan vs Traditional Antivirus Engines
- Metascan integrates multiple engines that are optimized to work together on the same system
- Metascan does not provide Real Time Protection (RTP) like many traditional antivirus engines; all scanning is done on demand

What is Metascan? Multi-scanning engine
Flexible and scalable API driven solution
- Many programming interfaces:
  - C++
  - Java
  - PHP
  - C#/ASP.NET
  - RESTful (Web API)/HTTP
  - CLI [command line interface]
  - ICAP
- Analyzes files locally on a single server or remotely from Windows or Linux systems

Metascan: Who uses Metascan?
- Analysts who research threats in binaries
  - CERTs (Computer Emergency Response/Readiness Teams)
  - Government agencies
  - Federal and State Law enforcement agencies
  - Computer forensic analysts
- IT security managers who seek to control data flow
  - Files from public facing sharing/upload sites
  - Data moving across internal security domains
  - Detect infected attachments
- Independent software vendors seeking to identify threats in their binaries
  - False positives
  - Accidental infections

Metascan Features: Engine Definition updates
Manual (Offline) Updates – ZIP file
- Download the package (.zip) from an Internet connected system
- Transfer the file to a system in the offline network and use the Metascan Management Console or the Metascan Management Station to “push” to multiple servers

Metascan Standard packages In addition to our standard offerings, the engines listed below may be added to create custom packages

Metascan ICAP Server: How does it work?
- Proxy traffic sent to ICAP server
- Scans all HTTP traffic over the network
- Scans incoming and/or outgoing traffic
  - Incoming traffic for file and web content downloads
  - Outgoing traffic for file uploads
- Blocks contents containing threats
- Configurable through the Metascan Management Console

Metascan ICAP Server Deployment
- All endpoints within an organization are connected to the Internet through a proxy server
- All traffic going through the proxy can be scanned by Metascan

Metascan Client Easy endpoint scanning with multiple engines

What is Metascan Client? Endpoint scanning
A simple executable for scanning Windows or Linux systems
- Nothing is installed on the endpoint
- Can be run from a USB, CD or DVD or local hard drive
- No coding required
- Scan files, folders, drives, and active processes in memory and files associated with active processes
- Requires a Metascan server

Metascan Client Features – Technical details File processing sequence:

Metascan Client Features: Online Deployment
- Multiple Metascan Clients connected to a single Metascan server
- The client is run from a USB, CD or DVD, or local drive. It connects to the Metascan server and scans the contents of the endpoint
- Updates are automatically downloaded from the internet

Metascan Client Features: Offline Deployment
- Multiple Metascan Clients connected to a single Metascan server.
- The client is run on the endpoints. It connects to the Metascan server and scans the contents of the endpoint.
- The Metascan server is offline [not connected to the internet] and updated manually

Metascan Client Features: Bootable USB
- Solution for scanning laptops that are brought into a facility.
- System boots into OS on Metascan Client USB.
- Allows entire system to be scanned (including boot sector) without booting into system OS
- Windows and Linux versions available

How should you use Metascan Client?
- IT Administrators managing endpoints in their network
  - VPN Authentication Process
  - Schedule Scans
  - IT Troubleshooting
- Independent software vendors seeking to proactively address issues with new binaries
  - False positives
  - Accidental infections from open source or third party libraries
- Bootable USB to scan systems (e.g. laptops) before they are brought into secure facilities

Metascan Client Packages
- Metascan Client USB
  - Windows or Linux
- Metascan Client Standalone Executable
  - File or Process Scanning
  - GUI (Windows Only) or CLI (Windows and Linux)
- Metascan Client Connector
  - File Scanning Functionality
  - API and CLI
- Metascan Client SDK
  - Windows Only
  - Process Scanning Functionality

Metascan Online API Programmatic File Scanning with 40+ Engines

Metascan Online Overview (www.metascan-online.com)
- Online Implementation of Metascan with 40+ engines
- Upload and Scan files
- Look up scan results by file hash (MD5, SHA1, SHA256)
- Web Interface and REST API Available

Metascan Online Overview www.metascan-online.com

Metascan Online API: How does it work?
- Metascan Online Public API allows for the following functionality
  - File scanning
  - Hash lookups
  - Scan Result Lookup
- Utilizes same Metascan engines and same database as web front end

Licensing for Metascan Online API All OPSWAT Portal users can activate their Metascan Online API key for free through the OPSWAT Portal

Licensing for Metascan Online API
- Free Metascan Online API keys allow up to 25 file scans and 1000 file hash lookups per hour
- Scan and hash lookup limits can be raised by purchasing premium Metascan Online API access
- Private file scanning (no sharing of files) is also available by purchasing premium Metascan Online API access
- Premium access to the Metascan Online API can be purchased through OPSWAT Sales (sales@opswat.com)

Metadefender Securing Data Flows into/out of Organizations

Why Metadefender? Peripheral media cannot be trusted
We previously described the advantages of multiscanning in addressing the general increased threat level from malware.

Why Metadefender? Peripheral media is an easy attack vector
- Surveys show that 10% to 25% of malware is spread via USB (Sources: ESET & Panda)
- Autorun viruses are easy to create
- Instructions to create a virus are easily found online
- The US Department of Defense banned peripherals entirely in 2008 after an outbreak of the SillyFDC worm which was spread by removable media

Why Metadefender? Metadefender use cases
- USBs are the most effective way to deliver malware into a company
- USBs bypass network security and deliver malware directly to the endpoint
- Contractors and visiting vendors accidentally bring in malware on USB
- Software updates and upgrades brought into secure networks on DVDs have contained malware
- Banks and other financial institutions are attacked with USBs dropped in parking lots that employees pick up and insert in their work computers. (human curiosity?)
- Advanced attacks mail infected USBs to employees as gifts

What is Metadefender?
Metadefender allows customers to define data security policies for their users to prevent the introduction of malware to a corporate network through portable media
- Define multiple policies for different users or groups of users
- Process files to determine if they are a threat
- Take the appropriate actions on both allowed and blocked files
- Optionally include Multi-scanning by Metascan

Metadefender Features: Multi-Step Process to Secure Network
- User Authentication
- File Type Filtering
- Scanning with Metascan
- Scan look up by SHA256 hash value
- File Type Conversions
  - Including embedded object removal
- Enhanced Post-Processing
- Metadefender System Restore after each session to ensure system integrity

Metadefender and Metascan
- The Metascan multi-scanning server can be integrated as part of the Metadefender security workflow
- Metascan can be installed on the same system as Metadefender or can be on its own dedicated system
- Multiple Metadefender systems can use a single Metascan for multi-scanning

Metadefender: Who uses Metadefender?
- Highly Secure facilities that host outside visitors/contractors
  - Government Agencies
  - Power Plants / Nuclear Facilities
- IT security managers who seek to control physical media
  - Banks
  - Investment companies
  - Any company concerned about physical media-based malware infections

How Metadefender is commonly used: Data workflow controls
Create a process (workflow) to control data coming into and out of your organization. Example:
- Scan the contents of peripherals using multiple AV engines
  - Require visitors to put all content onto a provided USB – then scan the content for malware with multiple AV engines
- Convert selected data types
  - Convert files to jpeg or png to eliminate threats in original file
- Block selected file types
  - Block all executables and other commonly infected files [e.g., PDF]
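
The workflow steps from the slides above (file type filtering, SHA-256 lookup, multi-engine scanning) as an added example; it is not OPSWAT code and does not use the Metascan or Metadefender API. The `Policy` and `Workflow` classes, the engine names and the byte markers are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Leading bytes of the file types this example knows about.
MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"%PDF-": "pdf",
         b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

def sniff_type(data: bytes) -> str:
    """Classify by content; the extension is chosen by whoever made the file."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

@dataclass
class Policy:
    """Hypothetical per-group policy (field names are illustrative)."""
    blocked_types: frozenset = frozenset({"exe", "elf", "pdf"})
    min_detections: int = 1  # engines that must flag a file to block it

@dataclass
class Workflow:
    policy: Policy
    engines: dict                              # name -> callable(bytes) -> bool
    known: dict = field(default_factory=dict)  # sha256 -> engine hits seen before

    def process(self, name: str, data: bytes) -> dict:
        kind = sniff_type(data)
        digest = hashlib.sha256(data).hexdigest()
        base = {"file": name, "type": kind, "sha256": digest}
        # File type filtering runs first, before any scanning cost is paid.
        if kind in self.policy.blocked_types:
            return {**base, "action": "block", "reason": "file type", "hits": []}
        # SHA-256 lookup: identical content is not rescanned.
        if digest in self.known:
            hits, reason = self.known[digest], "hash lookup"
        else:
            # Multi-scanning: every engine sees the file.
            hits = sorted(n for n, scan in self.engines.items() if scan(data))
            self.known[digest] = hits
            reason = "scan"
        action = "block" if len(hits) >= self.policy.min_detections else "allow"
        return {**base, "action": action, "reason": reason, "hits": hits}

# Constructed stand-ins for AV engines: each flags one made-up byte marker.
SAMPLE_ENGINES = {
    "engine_a": lambda d: b"CONSTRUCTED-MARKER-A" in d,
    "engine_b": lambda d: b"CONSTRUCTED-MARKER-B" in d,
}

def demo() -> list:
    wf = Workflow(Policy(), SAMPLE_ENGINES)
    png = b"\x89PNG\r\n\x1a\n" + b"CONSTRUCTED-MARKER-B"
    samples = [  # constructed inputs
        ("invoice.jpg", b"MZ\x90\x00" + bytes(8)),  # executable renamed to .jpg
        ("photo.png", png),                          # flagged by one engine only
        ("copy.png", png),                           # same bytes, new name
        ("clean.jpg", b"\xff\xd8\xff\xe0" + b"pixels"),
    ]
    return [wf.process(name, data) for name, data in samples]

if __name__ == "__main__":
    for r in demo():
        print(r["file"], r["type"], r["action"], r["reason"], r["hits"])
```

With `min_detections` left at 1, a file flagged by a single engine is blocked, which is the multi-scanning argument made earlier in the deck: no one engine detects everything.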

Metadefender Delivery
Metadefender is delivered in two formats:
- Software to deploy on any system that meets Metadefender’s requirements
- Kiosk with Metadefender pre-installed and configured

Metadefender Deployment Options Choosing the best for your security needs

Product Deployment Options: Standalone Systems with no Network connectivity
In this deployment option, Metadefender kiosks have both the Metascan server and the Metadefender client installed and have no network connection. Virus definition updates are downloaded from a system connected to the Internet and copied to physical media to be transferred to each Metadefender kiosk.
Pros
- No network connection required
Cons
- Updating virus definitions requires physically bringing media (USB drive/DVD/CD) to each kiosk and applying the update on each one

Product Deployment Options: Standalone Systems with Metascan Management Station
In this deployment option, a Metascan Management Station is installed on a dedicated system that has network connection to each Metadefender kiosk. The Metadefender kiosks have both the Metascan server and the Metadefender client installed and have network connection to Metascan Management Station only. Virus definition updates are downloaded on the system with the Metascan Management Station installed, and updates are applied to the Metadefender kiosks via the Metascan Management Station.
Pros
- Easier to deploy than standalone systems with no network connectivity
Cons
- Requires network connectivity between each kiosk and the Metascan Management Station
- Definition updates need to be transferred over the network
- Requires an additional system for the Metascan Management Station

Product Deployment Options: Distributed Systems (Metascan Server Offline)
In a distributed system, Metadefender kiosks have only the Metadefender client installed. The Metascan server is installed on a dedicated system. In this deployment option, the Metascan server does not have access to the Internet, and Metadefender kiosks have network connection to the Metascan server only. Virus definition updates are downloaded on a system with connection to the Internet and manually transferred and applied to the Metascan server.
Pros
- Only requires deploying virus definition updates to a single Metascan server
- The Metascan server can be higher powered to allow for higher scan throughput
Cons
- Requires network connectivity between each kiosk and the Metascan server
- All files being scanned will be transferred over the network

Product Deployment Options: Distributed Systems (Metascan Server Online)
In a distributed system, Metadefender kiosks have only the Metadefender client installed. The Metascan server is installed on a dedicated system. In this deployment option, the Metascan server has access to the Internet, and Metadefender kiosks have network connection to the Metascan server only. Because of Internet connectivity, virus definitions automatically update on the Metascan server.
Pros
- Virus definition updates are applied automatically to the Metascan server
- The Metascan server can be higher powered to allow for higher scan throughput
Cons
- Requires network connectivity between each kiosk and the Metascan server
- All files being scanned will be transferred over the network
- Requires Internet connection for the Metascan server

Support
OPSWAT provides three levels of support
- Basic Support – Free
- Premium Support – 18% of license cost
- Platinum Support – 25% of license cost

Support: What is covered by Premium support?
- Phone support, 9 am to 6 pm PST Monday – Friday
- Support Account Manager
- Quarterly Conference call reviews
For details of what is covered by each level of support see the Support page on the OPSWAT website

Support: What is covered by Platinum support?
- (Everything in Premium support)
- 24/7 Phone support
- Quarterly Meetings with Engineering and Product Management
- Prioritized enhancement requests
For details of what is covered by each level of support see the Support page on the OPSWAT website

Questions?