Navigate Up
Sign In

Forefront Protection 2010 for SharePoint prevents infected document in SharePoint 2010

Item is currently unrated. Press SHIFT+ENTER to rate this item.1 star selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+ESCAPE to leave rating submit mode.2 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.3 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.4 stars selected. Press SHIFT+ENTER to submit. Press TAB to increase rating. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.5 stars selected. Press SHIFT+ENTER to submit. Press SHIFT+TAB to decrease rating. Press SHIFT+ESCAPE to leave rating submit mode.

You may also be interested in: Secure SharePoint with User Claims White Paper from Titus


Editor's Note: Contributor Thuan Nguyen (SharePoint MVP) is a Senior Infrastructure Architect at Bellamys IT International. Follow him @nnthuan.

This article explains why Forefront Protection 2010 for SharePoint 2010 should be considered in the SharePoint environment where a myriad of documents are shared throughtout an organization. The first part gives an example of antivirus deployment in many organizations. The second part walks you through how to create an infected document by using the Metasploit Framework (MSF) tool. Finally, I illustrate how Forefront Protection 2010 for SharePoint prevents an infected document from being uploaded to any given SharePoint document library.

These days, many organizations are trying to take full advantage of SharePoint which likely draws out money from the pockets of those organizations.  Document Management systems are inevitably one of the first things they would consider.  One of the key required components of a generic document management system is the security perspective. Security factors in document management systems come from many different things.  One of them could be consideration of sharing documents internally within the company. It also could be prevention of threats from the Internet into the document storage.  IT departments have been designing and planning security solutions that have the ability to protect documents from both the intranet and extranet.

From an intranet environment security perspective, building a typical Active Directory model is worth considering. Active Directory Domain Services have been designed to facilitate user and computer management. Additionally, Active Directory helps enforce security policies, as well as easily install critical patches or hotfixes for all client computers joined to the AD environment. To protect client computers and servers, the IT department has installed client-based and server-based antivirus applications. However, imagine that an end-user were to access SharePoint through the Internet using a borrowed computer.  This end-user could unknowingly upload an infected document to a shared document library within SharePoint. What could happen after uploading this infected document? Your deployed antivirus applications in the SharePoint environment may not detect the infected document during the uploading process.  If that infected document is completely uploaded to the SharePoint server, does the deployed antivirus have the ability to scan all databases thoroughly? 

Microsoft provides a solution called “Forefront Protection 2010 for SharePoint” or FPSP. FPSP provides a powerful shield which has the ability to prevent end-users from uploading and downloading infected documents to SharePoint document libraries.  It may be beneficial to know that FPSP combines multiple anti-malware scanning engines developed by five big computer security companies, one of them being a green giant: Kaspersky.


Engines that available in Forefront Protection 2010 for SharePoint

Let’s say you are working as a SharePoint administrator who is responsible for maintaining, managing and troubleshooting the SharePoint environment for a financial service company. Your company has implemented a document management system based on the SharePoint 2010 platform. Symantec software is currently installed on all client computers in the corporate network. Symantec will automatically immediately delete malware, viruses or malicious sources when it detects it.

An accountant reported to the IT department that she lost a password of a bank account in the morning. The accountant used her personal computer at home to log in to the web-based banking application. After downloading a financial document in the Accounting department’s SharePoint library to her computer, she opened the document and entered information and saved the document into the bank’s SharePoint website. After these series of events is when she lost the password. In actuality, the accountant opened an infected document uploaded by another accountant. When she opened the infected document, its malicious code was executed and her password was gained by someone else (Attacker).

The figure 1.1 depicts the example above.


How to create an infected document for testing

Metasploit Framework (MSF) is one of the redoubtable security & hacking tools. It enables attackers to develop malware scripts in order to exploit IT systems through vulnerabilities. Metasploit is used broadly by security professionals as well as many script-kiddies. To learn more about MSF, visit: In this section, we will create and inject a malware script to a *.pdf file. When an end-user opens this file, a malware script is executed, establishing a connection from an attacker’s computer to the computer of the end-user immediately. To build the test environment, make sure you have Backtrack 5 R2 installed in virtual machine (or physical computer).

Open MSF and type #msconsole


Type the following code to create a *.pdf file including malware scripts utilizing the vulnerability ‘util.print()’ JavaScript Function Stack injecting to Adobe Reader.


We will use the command use exploit/windows/fileformat/adobe_utilprintf as an exploitability of vulnerability ‘util.printf()’. We are assuming the Adobe Reader installed in the client computer is version 9. We have seen instances where client computers have not upgraded to the latest Adobe Reader build so this may be a gap opened for attackers. The command set FILENAME Financial Analysis Quater 4.pdf is used to name the infected document. The command set PAYLOAD windows/meterpreter/reverse_tcp will automatically open a TCP connection to the attacker’s computer for the next execution. In this case, when Financial Analysis Quater 4.pdf document is opened by a user, a TCP connection from the attacker’s computer to victim is immediately established.

After that, we will set the IP address of the attacker’s computer and port which listens to the TCP connection established from the victim’s computer. Note:  use show options to review all settings and parameters.

The next step is to execute an exploitability, use this command /pentest/exploits/framework3/data/exploits/. And then use the following command to establish a listening channel in the attacker’s computer to get a data connection from victim’s computer.


Next, we will install Forefront Protection 2010 for SharePoint. Read this post.

Forefront Protection 2010 for SharePoint is installed in the Web-front end server in our SharePoint environment. We have included some small figures in the image.


We created a site collection using a Team Site template for the demonstration. Shared Document library is used by default. The image below shows the result of the failed uploading.  It failed because Forefront Protection 2010 for SharePoint detected the infected document and prevented it from being uploaded.


Working as a SharePoint administrator, you will need to know what to do when you receive this error. Open Forefront Protection 2010 for SharePoint administration interface, under Server Security Views, click Incidents and check the Detection Details tab.



In order to provide a simple scenario in which Forefront Protection 2010 for SharePoint detects infected documents and prevents users from uploading them, I created an infected document and tried to upload it to a SharePoint document library. This resulted in failure when trying to upload this document as Forefront Protection 2010 for SharePoint detected it and prevented it from being uploaded.

Categories: SharePoint; Design; Deployment; MOSS; WSS; 2010



Forefront Protection 2010 for SharePoint has it's life shortened

You might want to mention that MS have already started shelving FP2010SharePoint so depending on your medium to long term plans with SharePoint (e.g. Sp2013 and beyond) you may want to start looking at other products...
Such a shame...

Posted 18-Oct-2012 by Craig

Notify me of comments to this article


Add Comment