FSOCS multiple scan engines

 

Applies to: Forefront Security for Office Communications Server

Forefront Security for Office Communications Server (FSOCS) gives you the ability to employ multiple scan engines (up to five) in order to detect and clean viruses.

Multiple engines provide extra security by enabling you to draw upon the expertise of various virus labs in order to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three.

Multiple engines also permit a variety of scanning methods. FSOCS integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor's Web site. Links are provided at Microsoft Help and Support.

All the scan engines that FSOCS integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You can select only the engines you would like to use for a scan job, and then indicate the bias setting. These two settings (both in the Antivirus Settings pane) enable the FSOCS Multiple Engine Manager (MEM) to properly control the selected engines during the scan job.

MEM uses the engine results in order to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSOCS considers the item infected and has the MEM deal with it accordingly. (For more information, see Cleaning infected files.)

About engine rankings

MEM uses the results from each engine as part of its engine-ranking process. MEM ranks each engine, based on its past performance and its age. This information enables MEM to weight each engine so that better-performing ones are used more during scanning, and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, FSOCS invokes them by cycling through various engine-order permutations.

Setting the bias

The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.

Thus, at one extreme is the number of engines to use for maximum security. The other extreme is the number of engines that enable maximum performance. In between is the number of engines that enable balanced (called neutral) performance.

Note

The bias setting only applies to virus scanning. It is not used in file filtering.

About bias settings

There are several possible bias settings. Each scan (other than one with a bias setting of Favor Certainty or Maximum Certainty) independently selects the engines to use.

| Bias setting | Description |
| --- | --- |
| Maximum Performance | Scans each item with only one of the selected engines. This gives the fastest performance but the least security. |
| Favor Performance | Fluctuates between using one of the selected engines and half of them in order to scan each item. |
| Neutral | Scans each item with at least half of the selected engines. This setting balances security and performance. |
| Favor Certainty | Scans each item with all available selected engines. If an engine is not available because it is being updated, FSOCS continues to scan with all of the remaining engines. Engines are returned to service when they become available again. This is the default value. |
| Maximum Certainty | Scans each item with all of the selected engines. If an engine is not available because it is being updated, messages are queued until the engine is once again ready to scan them. This selection gives the slowest performance but the greatest security. |

Assuming you select five engines (the maximum you can use), the following table shows how each of the bias settings uses the engines in virus scanning.

| Bias setting | Description |
| --- | --- |
| Maximum Performance | Only one of the selected engines virus-scans each item. |
| Favor Performance | Fluctuates between using one and three engines in order to virus-scan each item. |
| Neutral | At least three engines virus-scan each item. |
| Favor Certainty | Fluctuates between using three and five engines in order to virus-scan each item. |
| Maximum Certainty | All five of the selected engines virus-scan each item. |

Configuring the bias setting

The bias setting is indicated on the Antivirus Settings pane.

To indicate the bias setting

  1. In the Shuttle Navigator, in the SETTINGS section, click Antivirus.

  2. In the Antivirus Settings pane, at the top of the pane, in the Job List, click the IM Scan Job.

  3. At the bottom of the pane, in the Bias field, indicate the bias setting, and then click Save. (For more information, see About bias settings.) To find out more about the other fields on the Antivirus Settings pane, see IM Scan Job.

Cleaning infected files

The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.
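
The following model is an added illustration, not FSOCS code or a Microsoft API. It walks one item through the documented rules: any detection marks the item infected, detecting engines attempt cleaning in turn, and Maximum Certainty queues while an engine is being updated. The Engine class, the function names, the marker string and the engine order are assumptions, and the per-bias engine counts follow the descriptions in the first bias table.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Engine:  # hypothetical stand-in for one scan engine, not an FSOCS type
    name: str
    detects: Callable[[bytes], bool]
    cleans: Callable[[bytes], bool]
    available: bool = True  # False while the engine is being updated

def engine_count_range(bias: str, selected: int) -> Tuple[int, int]:
    """(min, max) engines per item, per the first bias table."""
    half = math.ceil(selected / 2)  # 5 selected -> 3, as in the page's example
    return {
        "Maximum Performance": (1, 1),
        "Favor Performance": (1, half),
        "Neutral": (half, selected),
        "Favor Certainty": (selected, selected),  # fewer while engines update
        "Maximum Certainty": (selected, selected),
    }[bias]

def scan_item(item: bytes, engines: List[Engine], bias: str) -> str:
    """engines: the engines used for this item, in invocation order (assumed)."""
    if bias == "Maximum Certainty" and not all(e.available for e in engines):
        return "queued"  # held until every selected engine is ready
    # Favor Certainty continues with the remaining engines; applying the same
    # rule to the other biases is an assumption of this model.
    active = [e for e in engines if e.available]
    detectors = [e for e in active if e.detects(item)]
    if not detectors:  # no engine flagged the item
        return "not infected"
    for engine in detectors:  # first detector tries to clean, then the next
        if engine.cleans(item):
            return f"cleaned by {engine.name}"
    return "deleted"  # every detecting engine failed to clean

# Constructed sample: a marker string stands in for a virus signature.
MARKER = b"SAMPLE-SIGNATURE"
def make_engines(c_available: bool = True) -> List[Engine]:
    return [
        Engine("A", lambda d: False, lambda d: False),        # misses it
        Engine("B", lambda d: MARKER in d, lambda d: False),  # detects only
        Engine("C", lambda d: MARKER in d, lambda d: True, c_available),
    ]

if __name__ == "__main__":
    item = b"hello " + MARKER
    for bias in ("Favor Certainty", "Maximum Certainty"):
        print(bias, "->", scan_item(item, make_engines(False), bias))
```

With engine C unavailable, Favor Certainty falls back to engine B, which detects the item but cannot clean it, so the item is deleted; Maximum Certainty holds the same item in the queue until C returns.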