Annexure E: Technical Bid Format

ANTIVIRUS SOLUTION FOR MAIL SERVER SECURITY AND SERVER SECURITY FOR DESKTOP, LAPTOP

Columns: Sr. No / Description / Compliance (Y/N) / Remark

Antivirus Solution (Desktop, Laptop)

01 Must offer comprehensive client/server security by protecting enterprise networks from viruses, trojans, ransomware, worms, hackers and network viruses, plus spyware and mixed-threat attacks.
02 Must reduce the risk of viruses/malware entering the network by blocking real-time compressed executable files.
03 Must include capabilities for detecting and removing rootkits.
04 Must provide real-time spyware/grayware scanning of the file system to prevent or stop spyware execution.
05 Must be able to restore spyware/grayware if the spyware/grayware is deemed safe.
06 Must clean computers of file-based and network viruses plus virus and worm remnants (Trojans, registry entries, viral files) through a fully automated process.
07 Terminating all known virus processes and threads in memory.
08 Repairing the registry.
09 Deleting any dropped files created by viruses.
10 Removing any Microsoft Windows services created by viruses.
11 Restoring all files damaged by viruses.
12 Includes cleanup for spyware, adware etc.
13 Must be capable of cleaning viruses/malware even without the availability of virus cleanup components. Using a detected file as the basis, it should be able to determine whether the detected file has a corresponding process/service in memory and a registry entry, and then remove them altogether.
14 Must provide Outbreak Prevention to limit/deny access to specific shared folders, block ports, and deny write access to specified files and folders on selected clients in case there is an outbreak.
15 Behavior Monitoring.
16 Must have behavior monitoring to restrict system behavior, keeping security-related processes always up and running.
17 Must provide real-time lockdown of client configuration to allow or prevent users from changing settings or unloading/uninstalling the software.
18 Users with the scheduled scan privilege can postpone, skip and stop the Scheduled Scan.
19 CPU usage performance control during scanning.
20 Checks the CPU usage level configured on the web console against the actual CPU consumption on the computer.
21 Adjusts the scanning speed if the configured CPU usage level is Medium or Low and actual CPU consumption exceeds a certain threshold.
22 Should have a manual outbreak prevention feature that allows administrators to configure port blocking, block shared folders, and deny writes to files and folders manually.
23 Should have integrated spyware protection and cleanup.
24 Should have the capability to assign a client the privilege to act as an update agent for the rest of the agents in the network.
25 Shall be able to perform different scan actions based on the virus type (Trojan/Worm, Joke, Hoax, Virus, other).
26 Safeguards endpoint mailboxes by scanning incoming POP3 email and Outlook folders for threats.
27 Shall be able to scan only those file types which are potential virus carriers (based on true file type).
28 Should be able to detect files packed using real-time compression algorithms as executable files.
29 Solution should be able to manage both SaaS and on-premise solutions from a single management console.
30 A client machine acting as an update agent, delivering pattern updates to the rest of the machines in the LAN, should also be able to deliver program upgrades. No separate web server should be required.
31 Should have a provision for setting up a local reputation server so that endpoints do not always have to contact the Internet to verify the reputation of a file.
32 Shall be able to scan Object Linking and Embedding (OLE) files.
33 Should have a scan cache feature based on digital signatures, or an on-demand scan cache.
34 Solution should help identify vulnerabilities and help fix them by providing signatures or rules for Windows XP, Windows 7, 8, 8.1 and above.
35 Solution should be able to block known and unknown vulnerability exploits before patches are deployed.
36 Solution should have an enhanced scan feature which can identify and block ransomware programs running on endpoints by identifying common behaviors and blocking processes commonly associated with ransomware programs.
37 Solution should have HIPS, stateful firewall and virtual patching managed centrally.
38 Should have a feature similar to Firewall Outbreak Monitor, which sends a customized alert message to specified recipients when log counts from the personal firewall and/or network virus logs exceed certain thresholds, signaling a possible attack.
39 Must be able to send a customized notification message to specified

Add-On Integrated DLP

01 Solution should protect sensitive data from unauthorized access and leakage from the endpoint with the help of the antivirus agent only, and should also focus on protecting users from the external threat of data-stealing malware.
02 Solution should have the ability to immediately protect data by enabling the Data Loss Prevention option in the same antivirus server and client using the administration console, directory and user groups.
03 Solution should provide real-time visibility and control to monitor, block and report on the movement of sensitive data, with a real-time view of endpoint status.
04 Monitor, block and report on the movement of sensitive data, with a real-time view of endpoint status.
05 Should monitor, report or block all network channels such as email clients, FTP, HTTP, HTTPS, instant messaging, SMB and webmail in terms of data loss. Monitor only the transmissions outside the local area network, or monitor all transmissions.
06 Should also have an application channel monitor which will help monitor, report or block all system and application channels such as data recorders (CD/DVD), peer-to-peer applications, printers, removable storage, synchronization software and even the Microsoft Windows clipboard.
07 Should have pre-defined templates for common compliance requirements such as HIPAA, PCI-DSS, US PII, SB-1386 and GLBA.
08 Should provide an option to filter content with low-impact filtering based on keywords, metadata and regular expressions. Build customized regex (regular expressions) to monitor and block specific data.
09 Should provide an option to customize regex (regular expressions) to monitor and block specific data.
10 Must be able to send notifications whenever it detects a security risk on any client or during a security risk outbreak, via e-mail, pager, SNMP trap or Windows NT event log.

Mail Server Security

01 The proposed solution should be deployable in SPAN/TAP, BCC and MTA mode.
02 The proposed solution should be able to detect and analyze URLs embedded in MS Office and PDF attachments.
03 The proposed solution should detect and analyze URL direct links in the mail body which point to a file.
04 The proposed solution should be able to detect and analyze the URLs in the mail subject.
05 The proposed solution should detect and analyze the URL in the email subject.
06 The proposed solution should have capabilities to perform scans using reputation and heuristic technologies to detect unknown threats and document exploits.
07 The proposed solution should be able to detect known bad URLs before sandboxing.
08 The proposed solution should be able to detect targeted malware.
09 The proposed solution should support memory dump scanning.
10 The sandbox should be able to detect disabling of security software agents.
11 The sandbox should be able to detect connections to malicious network destinations.
12 The sandbox should be able to detect behaviors like self-replication and infection of other files.
13 The sandbox should be able to detect dropping or downloading of executable files by documents.
14 The sandbox should be able to detect modification of startup and other important system settings.
15 The sandbox should be able to detect connections to unknown network destinations and opening of ports.
16 The sandbox should be able to detect unsigned executable files.
17 The sandbox should be able to detect self-deletion of the malware.
18 The proposed solution should be able to detect, download and analyze files directly linked in the email message body.
19 The proposed solution should be able to detect true file types.
20 The proposed solution should have capabilities to detect ransomware using decoy files on sandboxes.
21 The proposed solution should not have any limitation which requires all attachments to be sent to the sandbox; only suspicious attachments should be sent to the sandbox for analysis.
22 The proposed solution should have an option for timeout/release of an email if the file analysis on the sandbox takes over 20 minutes.
23 The proposed solution should support importing of custom passwords for archive files.
24 The proposed solution should support at least 100 predefined passwords for scanning archive files.
25 The proposed solution should support Windows 7, 8, 8.1 and above sandbox images.
26 The proposed solution should support Windows 2003, 2008, 2012 and above server sandbox images.
27 The proposed solution should allow at least three types of sandbox images.
28 The proposed solution should support analysis of executable files (EXE).
29 The solution should be able to block a mail message and store a copy in the quarantine area.
30 The proposed solution should support multiple syslog servers.
31 The proposed solution should support CEF/LEEF/TMEF syslog formats for ArcSight/QRadar integration.
32 The proposed solution should be able to deliver the email message to the recipient after replacing the suspicious attachments with a text file, and tag the email message subject with a string to notify the recipient.
33 The proposed solution should be able to pass and tag the email message.
34 The proposed solution should have an option to make policy exceptions for safe senders, recipients, X-header content, files and URLs.
35 The proposed solution should be able to define risk levels after investigation of email messages.
36 The solution should have an option for specifying message tags.
37 The proposed solution should allow administrators to see HTML-format reporting on the console and download a PDF report.
38 The proposed solution should be able to send a real-time email alert per detection.
39 The proposed solution should be able to notify the administrator about Message Delivery Queue, CPU Usage, Sandbox Queue, Disk Space, Detection Surge and Processing Surge.
40 The proposed solution should allow the admin to inquire how many detections come from malicious password-protected files.
41 The proposed solution should show the archive password of a malicious archive file, and the admin/AV vendor should be able to decompress this malicious archive and analyze the content.
42 The proposed solution should have options to define global recipient/contact settings for alerts/reports.
43 The proposed solution should have customizable dashboards for Attack Sources, High-Risk Messages, Detected Messages, Top Attack Sources, Quarantined Messages, Top Attachment Names, Top Attachment Types, Top Callback Hosts from Sandbox, Top Email Subjects, Processed Messages by Risk, Processing Volume, Delivery Queue, Hardware Status, Sandbox Queue, Suspicious Objects from Sandbox, and Email Messages with Advanced Threats.
44 The proposed solution should be able to send emails to at least 9 different email servers.
45 The proposed solution should not induce latency for all email attachments; latency is acceptable only for suspicious attachments which are being sent to the sandbox for analysis.
46 Should support Linux Zebra mail server.

Server Security

01 Solution should support firewalling.
02 Solution should support Deep Packet Inspection (HIPS/HIDS).
03 Solution should support anti-malware.
04 Solution should support integrity monitoring.
05 Solution should be lightweight and should not slow down the other processes of servers at any time (scanning, real-time protection etc.).
06 Solution should support log inspection.
07 Solution should support a CPU-based licensing model for virtualized environments.
08 Solution should also support server-based licensing for installation on physical/standalone servers.
09 Firewall should have the capability to define different rules for different network interfaces.
10 Firewall rules should filter traffic based on source and destination IP address, port, MAC address, etc., and should detect reconnaissance activities such as port scans.
11 Solution should provide policy inheritance exception capabilities.
12 Solution should have the ability to lock down a computer (prevent all communication) except with the management server.
13 Firewall should integrate with hypervisors like VMware ESXi without the need to install agents on the guest VMs.
14 Solution should have Security Profiles that allow firewall rules to be configured for groups of systems or individual systems. For example, all Windows 2003, 2008, 2012 and above servers use the same operating system rules, which are configured in a single Security Profile used by several servers.
15 The solution should protect against distributed DoS attacks.
16 HIPS should integrate with hypervisors like VMware ESXi and NSX without the need to install agents on the guest VMs.
17 Host-based IDS/IPS should support virtual patching of both known and unknown vulnerabilities until the next scheduled maintenance window.
18 Virtual patching should be achieved by using a high-performance HIPS engine to intelligently examine the content of network traffic entering and leaving hosts.
19 Should provide automatic recommendations against existing vulnerabilities, dynamically tuning IDS/IPS sensors (e.g. selecting rules, configuring policies, updating policies, etc.), and provide an automatic recommendation to remove assigned policies if a vulnerability no longer exists, for example when a patch has been deployed.
20 Detailed event data providing valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit, should be logged.
21 Solution should be capable of detecting and blocking IPv6 attacks.
22 Solution should offer protection for virtual or physical environments, or a combination of both.
23 The solution OEM should deliver virtual patching updates within 24 hours of an application vendor announcing a vulnerability in their system.
24 The solution should have Application Control rules that provide increased visibility into, or control over, the applications that are accessing the network. These rules will be used to identify malicious software accessing the network and provide insight into suspicious activities such as allowed protocols over unexpected ports (FTP traffic on a mail server, HTTP traffic on an unexpected server, or SSH traffic over SSL, etc.), which can be an indicator of malware or a compromise.
25 Solution should provide policy inheritance exception capabilities.
26 Product should support CVE cross-referencing when applicable.
27 Solution should have Security Profiles that allow rules to be configured for groups of systems or individual systems. For example, all Windows 2003 servers use the same operating system rules, which are configured in a single Security Profile used by several servers.
28 Agentless antivirus should support both real-time and scheduled scans.
29 Solution should have the flexibility to configure different real-time and scheduled scan times for different guest VMs.
30 Solution should also support restoration of quarantined files.
31 Solution should support hypervisor-level caching and de-duplication during anti-malware scanning for improved performance.
32 The integrity monitoring module should be capable of monitoring critical operating system and application elements (files, directories and registry keys) to detect suspicious behavior, such as modifications or changes in ownership or permissions.
33 Solution should have extensive file property checking, whereby files and directories are monitored for changes to contents or attributes (ownership, permissions, size, etc.).
34 Solution should be able to track addition, modification or deletion of Windows registry keys and values, access control lists, or web site files; these are further examples of what can be monitored.
35 Solution should have a single console to manage the desktop AV, server, mail and web gateway software solutions.

Alerts and Reports

Solution should have the capability to generate user-based alerts and reports for the following events:

01 Virus outbreak alert
02 Special virus alert (10)
03 Virus found: first and second actions unsuccessful
04 Virus found: first action successful
05 Virus found: second action successful
06 Network virus alert
07 Suspicious vulnerability attack detected
08 Virus Detection Reports: Viruses Detected; Most Commonly Detected Viruses (10, 25, 50, 100)
09 Antivirus Client Information Reports: Detailed/Basic Summary
10 Comparative Reports: Spyware/Grayware, grouped by (Day, Week, Month); Viruses, grouped by (Day, Week, Month)
11 Antivirus Server Deployment Reports: Detailed Summary; Basic Summary; Detailed Failure Rate Summary
12 Network VirusWall Reports: Policy Violation report (policy violations, grouped by Day, Week, Month); Service Violation report (service violations, grouped by Day, Week, Month); Most common clients in violation (clients with the most violations: 10, 25, 50, 100)