Forefront Security for Exchange and Multiple Engines

It took ages to find some decent information, so this is what I found out ..


Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from:

image

Figure 1: Forefront for Exchange Antivirus Engines

Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously

image

Figure 2: Multiple Engines

Why Multiple Engines

One of the most important factors in the successful protection of your network against viruses is how fast you get new virus engine signature files. Email allows viruses to be spread in a matter of hours, and a single email virus is enough to infect your whole network. So a critical factor is how fast the signature files of your anti-virus solution are updated when a new virus emerges.

Every anti-virus vendor in the market claims to have a fast response time. Anti-virus labs produce updates for virus and worm outbreaks at different intervals. For example, the same lab may produce an update for one virus within six hours, yet take 18 hours for the next one.

The problems with a single antivirus engine approach originate from having only one system in place to identify threats – no engine is immune to vulnerability. Although the signature files used by an engine to identify viruses are generally updated several times a day, they are often released after a new virus has already hit and damage has been done. Even if an engine is 99.9 percent effective, it only takes one infection to cost an organization hundreds of thousands of dollars in lost productivity and downtime.

The Forefront Security for Exchange provides the capability to use multiple anti-virus engines and allows you to concurrently run up to 5 of the included Microsoft and third-party anti-malware engines. Using multiple scan engines delivers several critical advantages:

  • It increases the chances that emerging threats will be quickly caught.
  • It provides redundancy to help protect against scan failures or defects in individual engines; if an engine fails, other engines continue scanning messages.
  • It gives administrators an effective way to choose the most appropriate level of protection for their environment given their security needs and server performance capabilities.
  • It allows engines to be taken offline for updates or reconfiguration without forcing messages to be queued.

A recent set of tests performed by the independent AV-Test.org group found some surprising differences in signature update times from various vendors.

The tests compared AV lab response times were tested for 68 “In the Wild” viruses and variants that appeared from April – June 2007. (The tests used five randomly chosen Forefront engines versus three single-engine vendors.)

The results showed that 37 viruses were proactively detected by all labs, while 23 viruses showed significant variations in detection times

Forefront engine sets performed much better when compared to the three leading competitors tested – both the competitors’ release and beta engines (the data in this table include beta engines’ times).

image

Figure 3: Multiple Antivirus Engines

All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Bias

When using Multiple Antivirus engines with Forefront for Exchange, you can control how many engines are needed to provide an acceptable probability that the system is protected.

The Forefront for Exchange Server Multiple Engine Manager (MEM) controls the selected engines during the scan job. It ranks each engine based on its past performance and its age, and uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.

The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance. Microsoft recommends FAVOR CERTAINTY, which is the default setting, and MAX CERTAINTY where possible.

Bias Setting

Description

Max Certainty

Each item is virus-scanned by all five of the selected engines

Favor Certainty

Fluctuates between virus scanning each item with three and five engines

Neutral

Each item is virus-scanned by at least three engines

Favor Performance

Fluctuates between virus scanning each item with one and three engines

Max Performance

Each item is virus-scanned by only one of the selected engines

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: