Microsoft Servers
Customer Solution Case Study

Technology Consultancy Avoids Spam and Viruses with Layered E-mail Security Solution
Overview
Country or Region: United States
Industry: IT
Customer Profile
A Fortune 1000 company, Perot Systems delivers technology-based business solutions to help organizations worldwide control costs and cultivate growth.
Business Situation
Perot Systems and its clients faced disruptive and costly attacks from malicious software carried in e-mail messages and increasing amounts of spam.
Solution
In early 2006, Perot Systems deployed Microsoft® Antigen for Exchange and added Microsoft Antigen Spam Manager.
Benefits
• Complete solution
• Efficient management
• At least 96 percent catch rate
• Reliable safeguard

“[We] can recommend Microsoft Antigen for companies of all sizes because they can have one product that takes care of their worries related to antivirus scanning and spam on the server.”
Ajlan Karaoglu, Systems Integration Specialist, Perot Systems
Perot Systems provides technology consulting solutions and services to companies worldwide. With the rise in spam and e-mail viruses, Perot Systems sought an effective way to safeguard its own—and its customers’—messaging systems. Perot Systems turned to Microsoft® Antigen for Exchange for assistance in protecting company e-mail against viruses, worms, spam, and inappropriate content. This server-based antivirus solution integrates with Microsoft Exchange Server 2003 and Windows®-based Simple Mail Transfer Protocol gateway servers, bringing together the power of multiple scan engines from the world’s best antivirus labs. Content filtering technologies help maintain compliance with corporate policies and help eliminate inappropriate language and dangerous attachments from communications. To date, Perot Systems has not experienced a serious virus outbreak, and Perot Systems customers have experienced similarly impressive results.
Microsoft Antigen for Exchange and Microsoft Antigen Spam Manager are part of the Microsoft Forefront family of security products. Forefront Security for Exchange Server is the latest version of these Antigen products and provides antivirus and antispam protection for Exchange 2007 environments.

Situation

Since 1988, Perot Systems (NYSE: PER) has helped companies worldwide sustain business growth and maximize return on IT investments through its portfolio of consulting, business process, application, and infrastructure services and solutions. With headquarters in Plano, Texas, and locations around the globe, Perot Systems employs more than 20,000 associates and had 2005 revenues of U.S.$2 billion.

As part of its consulting practice, Perot Systems manages more than 150,000 desktops, notebooks, and servers for global clients. Perot Systems uses Microsoft® Exchange Server 2003 communication and collaboration server in its own infrastructure, and also installs and manages it for clients of all sizes. Since the late 1990s, companies have reeled from the devastating effects of malicious viruses, such as the “Melissa” macro-virus. A growing concern for many organizations, also, is spam, with its potential to have a negative impact on productivity and to breach security defenses. Specifically, “phishing” attacks and blended threats are increasing the danger that spam poses to organizations.

As companies recovered from “Melissa,” people in the Infrastructure Solutions Messaging Engineering group at Perot Systems realized that software to help protect against viruses and spam would become an increasingly important part of safeguarding any company’s e-mail system and information assets.

At many companies, subsequent viruses and worms continued to wreak havoc and cripple messaging systems—in some cases, even when companies had antivirus scanning software in place. When it comes to avoiding a virus outbreak, e-mail administrators at Perot Systems and elsewhere have learned that time is of the essence.

“Early on, we found that the problem with using antivirus software from a vendor that only provides one scan engine is that if a virus spreads before the vendor releases an outbreak-preventing virus signature (.dat) file, it’s too late. E-mail and productivity virtually halt, and companies lose money,” says Ajlan Karaoglu, Systems Integration Specialist at Perot Systems. “We realized that the only way to effectively safeguard against e-mail viruses and worms would be to use multiple scan engines. If doing so meant using software from several vendors, the administrative burden, cost, and messaging system performance hit would be high for us and for our clients.”

Solution

Karaoglu and his colleague, Don Westurn, Senior Microsoft Exchange Engineer at Perot Systems, evaluated the antivirus software solutions available at the time. When they learned that Antigen for Exchange[1] offered multiple scan engines and virus signatures from multiple vendors in a single product, they tested—and eventually deployed—Antigen for Exchange and Antigen Enterprise Manager. Antigen for Exchange is an antivirus solution that tightly integrates with Microsoft Exchange Server and Windows®-based Simple Mail Transfer Protocol (SMTP) gateway servers. Antigen for Exchange delivers comprehensive server-level antivirus protection with a unique layered protection approach that offers a comprehensive defense against undesirable and malicious message traffic.

Antigen for Exchange solves the problem of on-time release of .dat files two ways: by using signature updates from multiple vendors (one vendor will typically release a signature for a given virus ahead of other vendors), and by automating the signature update process.

The company’s e-mail system infrastructure consists of six mailbox servers for North America, two for Europe, and four for India, all running Exchange Server 2003 and Antigen for Exchange. There are two bridgehead servers. Additional servers support Microsoft Office Outlook® Web Access. (See Figure 1 for an illustration.)

The mail system processes nearly 15.5 million inbound messages each month. Table 1 describes additional statistics related to the message load processed through Microsoft Exchange Server.

Deploying Microsoft Antigen for Exchange

In early 2006, Perot Systems deployed and tested Microsoft Antigen for Exchange in a production environment. The company also deployed Microsoft Antigen Enterprise Manager and Microsoft Antigen Spam Manager.

“We wanted to benefit—early—from the updated Antigen Spam Manager that integrates with Microsoft Antigen for Exchange, as well as test real load in real production,” says Karaoglu. He dedicated a mailbox server inside the production environment, removed the other regular users, and placed only users from the IT department on it, 45 mailboxes in all. Then Karaoglu added another proxy address to re-route e-mail at the gateway to the mailboxes on the server running Microsoft Antigen, so that the messages bypass the production spam and antivirus filters and the servers running Microsoft Antigen take the load.

“Deploying Microsoft Antigen was very easy; seamless, really, and it’s been very easy to use,” comments Karaoglu.

Using Multiple Scan Engines

Microsoft Antigen for Exchange protects organizations against the latest threats by managing multiple antivirus scan engines throughout the e-mail infrastructure. This approach allows Microsoft Antigen to minimize the average window of exposure for emerging e-mail threats by providing continual signature updates from multiple antivirus labs around the world.

On the server running Microsoft Antigen, Perot Systems uses the following scan engines:

• Microsoft antivirus engine
• Computer Associates Vet engine
• Norman Data Defense engine
• Sophos engine

Microsoft Antigen’s multiple-engine management also ensures that Perot Systems can update or replace one engine without taking others offline. When an engine is offline for updates, there’s virtually no impact to users; mail doesn’t queue up to be scanned because the remaining engines continue scanning.

Balancing Security and Performance

Microsoft Antigen for Exchange provides bias settings that allow administrators to configure how many engines are to be used for a given scan job. Bias settings deliver more flexibility and control over e-mail security and server performance. Perot Systems typically uses the Neutral bias setting for all scan jobs, meaning that about 50 percent, or 2 to 3 engines, are used to scan every e-mail message. However, Perot Systems e-mail administrators can raise the setting if a known threat or outbreak emerges, so that more e-mail messages are scanned by more engines. By changing the bias settings, Perot Systems has strong control over both the security and performance of its e-mail systems.

Preventing Unsafe Content

Through administrator-defined content filtering rules, Microsoft Antigen helps enforce compliance with corporate policy for language usage and confidentiality within subject lines and message body text. Microsoft Antigen also offers configurable file filtering rules that help companies ensure that file types known for carrying viruses (for example, an .exe file) or for opening organizations to legal exposure (for example, a .mp3 file) are preemptively blocked, regardless of origin or destination.

Perot Systems is using file and content filtering in Microsoft Antigen, with the following settings:

• Files: block 71 attachment file types.
• Keywords: filter for profanity and racial and sexual discrimination, and for spam in subject line and e-mail message text. Karaoglu used the keyword list provided with Antigen.
• Subject Lines: exclude some subjects to reduce false positives.
• Sender Domains: block known spam-sending domains (3,280 domains).
• Allowed Senders: allow recognized domains to reduce false positives.

Centralized Management

Perot Systems uses Antigen Enterprise Manager and its Web-based administration capabilities to cut down on time spent deploying and managing Microsoft Antigen on multiple instances of Microsoft Exchange Server. Specifically, e-mail administrators use the configuration template in Antigen Enterprise Manager to set file or content filters, scan engine settings, performance settings and the like—once—and then deploy the template to each server in the environment.

Benefits

Since deploying Microsoft Antigen, Perot Systems has experienced no serious virus outbreaks thanks, in part, to automated signature and scan engine updates. The company also has had great results with the Microsoft Antigen Spam Manager antispam protection.

“Antigen attained early and widespread acceptance in the Perot Systems Infrastructure Solutions Messaging Engineering group because of the quality of the product and its tight integration with Microsoft Exchange Server,” remarks Westurn. “We’ve since deployed it on many servers in different kinds of environments, and Antigen continues to impress. In every instance, we’ve had great results; Antigen has been easy to deploy, robust, and reliable.”

Complete Solution

Perot Systems not only uses Microsoft Antigen in its own messaging infrastructure; the company also has deployed Antigen for clients of all sizes, from small business to large global enterprise customers.

“We’ve had great success and can recommend Microsoft Antigen for companies of all sizes because they can have one product that takes care of their worries related to antivirus scanning and spam on the server,” says Karaoglu. “And because of tight integration between Microsoft Antigen and Exchange Server, companies gain even more benefit from the built-in Exchange Server functionality—such as the Exchange Intelligent Message Filter (IMF)—that also works with Microsoft Antigen.” IMF provides advanced server-side message filtering. When used in combination with the Microsoft Office Outlook 2003 messaging and collaboration client, IMF helps to significantly reduce the volume of spam that users receive.

Efficient Management

Perot Systems benefits from the deployment, management, and reporting features in Microsoft Antigen Enterprise Manager. The Web-based management console for all Microsoft Antigen products, Microsoft Antigen Enterprise Manager provides centralized deployment, quarantine management, signature updating, SMTP and Simple Network Management Protocol (SNMP) alerting, and reporting.

Karaoglu and the rest of the e-mail support team have improved accuracy and controlled administrative time and costs by using configuration templates in Microsoft Antigen Enterprise Manager. Setting changes can take effect in real time, without having to reboot the server.

“Configuration templates in Antigen help us create consistency throughout our environment. They also reduce potential for human error, because we establish configuration settings once for all the servers in the environment,” says Karaoglu. “Templates also save time and money if we need to make a change to the configuration: we change it once and deploy it out to all the servers. For our clients who run large enterprise messaging environments with literally hundreds of mailbox servers, configuration templates can provide a huge time and cost savings.”

At least 96 Percent Catch Rate

Perot Systems has had great results with Microsoft Antigen. “Deploying in a production environment took e-mail from the Internet directly to the server running Microsoft Antigen and put the load there, where we could see exactly what happened,” explains Karaoglu. “It’s beautiful; we’re seeing Microsoft Antigen catch 96 percent to 97 percent of the spam. There are very few false positives.”

Reliable Safeguard

“With Microsoft Antigen, we have a solution that delivers signatures from industry-leading antivirus labs around the world so that we’re safeguarded with a single product that offers complete virus signature coverage,” says Westurn.

The Antigen signature update process automatically downloads updates from scan engine partners as soon as the updates are available, and tests them against a virus database. Within minutes, the engines and signatures have been tested, digitally signed by Microsoft, and posted. Microsoft Antigen Enterprise Manager can be configured to automatically download the latest updates.

To ensure successful scan engine and signature file updates, Microsoft Antigen for Exchange can be configured with redundant update paths—useful if primary network connections are not functioning properly.

“Multiple update paths is an important feature for us and for our enterprise clients because it provides a fall-back solution that keeps updates accessible in case the primary network location is unavailable,” remarks Karaoglu. “Other antivirus mailbox scanning products just don’t have all these extensive capabilities.”


Microsoft Windows Server System

Microsoft Windows Server System is a line of integrated and manageable server software designed to reduce the complexity and cost of IT. Windows Server System enables you to spend less time and budget on managing your systems so that you can focus your resources on other priorities for you and your business.

[1] In June 2005, Microsoft acquired Sybari Software, Inc. and its Antigen product line.