Once you have discovered and documented the risks your organization faces, the next step is to examine and organize the defenses that will make up your antivirus solution. The defense-in-depth security model is an excellent starting point for this process. This model identifies seven layers of security defenses, arranged so that an attempt to compromise the organization must defeat several independent defenses in turn: an attack that gets past one layer still has to get past the others. If you are not familiar with the defense-in-depth security model, Microsoft recommends reviewing the Security Content Overview page on Microsoft TechNet at:
http://www.microsoft.com/technet/security/bestprac/overview.mspx.

You can also find additional information and practical design examples for this process in the Security Architecture chapter of the Windows Server System Reference Architecture guidance on TechNet at:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/ArchitectureBlueprints/rbabsa.mspx.


The layers in the figure provide a view of each area in your environment you should consider when designing security defenses for your network.

You can modify the detailed definitions of each layer based on your organization’s security priorities and requirements. For purposes of this guidance, the following simple definitions define the layers of the model:

Data. Risks at the data layer arise from vulnerabilities an attacker could potentially exploit to gain access to configuration data, organization data, or any data that is unique to a device the organization uses. For example, sensitive data such as confidential business data, user data, and private customer information stores should all be considered part of this layer. The primary concerns for the organization at this layer of the model are business and legal issues that may arise from data loss or theft, and operational issues that vulnerabilities may expose at the host or application layers.

Application. Risks at the application layer arise from vulnerabilities an attacker could potentially exploit to access running applications. Any executable code a malware writer can package outside of an operating system could be used to attack a system. The primary concerns for the organization at this layer are access to the binary files that comprise applications, access to the host through vulnerabilities in the application’s listening services, or inappropriate gathering of specific data from the system to pass on to someone who can use it for their own purposes.

Host. This is the layer that vendors typically address with service packs and hotfixes in response to malware threats. Risks at this layer arise from attackers exploiting vulnerabilities in the services that the host or device offers, and attackers use a variety of techniques to do so. A buffer overrun, a condition in which more data is written to a buffer than it was designed to hold so that the excess overwrites adjacent memory, is a good example. The primary concerns for an organization at this layer are preventing access to the binary files that comprise the operating system, as well as access to the host through vulnerabilities in the operating system’s listening services.
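The following is an added example, not code from the original guidance, that shows the buffer overrun condition described above in its smallest form: a record parser that trusts a sender-supplied length, beside a version that rejects oversized input. The message layout (one length byte followed by name bytes), the `login_record` structure and all of the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Hypothetical record filled in from a received message: a fixed-size name
 * followed immediately in memory by a privilege flag. */
struct login_record {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable parser: trusts the length byte supplied by the sender.
 * Its only check keeps the copy inside the record as a whole (so this demo
 * stays well-defined C); it never checks that the copy stays inside name[],
 * so a name longer than NAME_MAX runs over into is_admin.
 * Returns 0 on success, -1 if the message is malformed. */
int parse_record_unchecked(struct login_record *rec,
                           const unsigned char *msg, size_t msg_len)
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len + 1 > msg_len) return -1;                 /* claims more than was received */
    if (len > sizeof *rec - offsetof(struct login_record, name)) return -1;
    memset(rec, 0, sizeof *rec);
    memcpy((unsigned char *)rec + offsetof(struct login_record, name), msg + 1, len);
    return 0;
}

/* Hardened parser: bounds the copy by the size of the destination field,
 * leaves room for a terminating NUL, and rejects (rather than silently
 * truncates) input that does not fit. */
int parse_record_checked(struct login_record *rec,
                         const unsigned char *msg, size_t msg_len)
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len + 1 > msg_len) return -1;                 /* claims more than was received */
    if (len >= NAME_MAX) return -1;                   /* would not fit with its NUL */
    memset(rec, 0, sizeof *rec);
    memcpy(rec->name, msg + 1, len);
    rec->name[len] = '\0';
    return 0;
}

/* Constructed sample messages: a benign login and a hostile one whose
 * 20-byte "name" spills four 0x01 bytes over the is_admin flag. */
static const unsigned char benign_msg[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
static const unsigned char hostile_msg[] = { 20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x01, 0x01, 0x01 };

/* Runs one parser over one message; stores the parser's return code in *rc
 * and returns 1 if the record ended up with is_admin set, else 0. */
int admin_after_parse(int (*parser)(struct login_record *, const unsigned char *, size_t),
                      const unsigned char *msg, size_t msg_len, int *rc)
{
    struct login_record rec = {0};
    *rc = parser(&rec, msg, msg_len);
    return rec.is_admin != 0;
}

int main(void)
{
    int rc;
    printf("unchecked, hostile: admin=%d rc=%d\n",
           admin_after_parse(parse_record_unchecked, hostile_msg, sizeof hostile_msg, &rc), rc);
    printf("checked,   hostile: admin=%d rc=%d\n",
           admin_after_parse(parse_record_checked, hostile_msg, sizeof hostile_msg, &rc), rc);
    printf("checked,   benign:  admin=%d rc=%d\n",
           admin_after_parse(parse_record_checked, benign_msg, sizeof benign_msg, &rc), rc);
    return 0;
}
```

The point of the pairing is where the bound comes from: the vulnerable parser bounds the copy by what the sender says, the hardened one by the size of the field it is writing into. A host-layer patch for a bug of this kind is the vendor replacing the first form with the second; the other layers of the model exist for the window before that patch is applied.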

Internal Network. The risks to organizations’ internal networks largely concern the sensitive data transmitted via networks of this type. The connectivity requirements for client workstations on these internal networks also have a number of risks associated with them.

Perimeter Network. Risks at the perimeter network layer (also known as the DMZ, demilitarized zone, or screened subnet) arise from an attacker reaching the organization across its wide area network (WAN) connections and the network tiers those connections link. The primary risks at this layer of the model concern the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that the network exposes to the outside.

Physical Security. Risks at the physical layer arise from an attacker gaining physical access to a physical asset. This layer encompasses all the previous layers because physical access to an asset can in turn allow access to all of the other layers in the defense-in-depth model. The primary concern at this layer of the model for organizations using antivirus systems is to stop infected files from bypassing the perimeter and internal network defenses. Attackers may attempt to do this simply by copying an infected file directly to the host computer via some physical removable media, such as a USB disk device.

Policies, Procedures and Awareness. Surrounding all of the security model layers are the policies and procedures your organization needs to put in place to meet and support the requirements for each level. Finally, it is important for you to promote awareness in your organization to all interested parties. In many cases, ignorance of a risk can lead to a security breach. For this reason, training also should be an integral part of any security model.

Using the security layers of the model as the basis for your antivirus defense-in-depth approach allows you to regroup the layers into the defenses your antivirus design will actually deploy. How this regrouping is done in your organization depends entirely on its priorities and on the specific defense applications it uses. The important point is to avoid an incomplete and weakened antivirus design by ensuring that none of the security layers are excluded from the defenses. The following figure shows a more focused antivirus defense-in-depth view:

The Data, Application, and Host layers can be combined into two defense strategies to protect the organization’s clients and servers. Although these defenses share a number of common strategies, the differences in implementing client and server defenses are enough to warrant a unique defense approach for each.

The Internal Network and Perimeter layers can also be combined into a common Network Defenses strategy, as the technologies involved are the same for both layers. The implementation details will differ in each layer, depending on the position of the devices and technologies in the organization’s infrastructure.

