Chapter 5 - Implementing multiple scan engines and setting bias modes

 

Applies to: Microsoft Antigen

Antigen for SMTP Gateways provides you with the ability to implement multiple scan engines for detecting and cleaning viruses.

Multiple engines provide extra security by enabling you to use the expertise of various virus labs to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three.

Multiple engines also allow for a variety of scanning methods. Antigen for SMTP Gateways integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor’s Web site. Links are provided at Microsoft Help and Support.

All the scan engines that Antigen for SMTP Gateways integrates with have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You need only select which engines you would like to use for a scan job and indicate the bias setting. These two settings (both on the Antivirus Settings work pane) allow the Antigen Multiple Engine Manager to properly control the selected engines during the scan job.

The Multiple Engine Manager uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, the Multiple Engine Manager returns a result greater than 0. Antigen for SMTP Gateways then considers the item infected and has the Multiple Engine Manager deal with it accordingly. (For more information, see Cleaning infected files.)

About engine rankings

The Multiple Engine Manager uses the results from each engine as part of its engine ranking process. The Multiple Engine Manager ranks each engine based on its past performance and its age. This information allows the Multiple Engine Manager to weight each engine so that better-performing ones are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, Antigen for SMTP Gateways invokes them by cycling through various engine order permutations.

Setting the bias

The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance.

Thus, at one extreme is the number of engines to use for maximum certainty. At the other extreme is the number of engines that allows maximum performance. In between is the number of engines that permits balanced performance (called neutral).

After you make your scan engine configurations and bias configurations, it is recommended that you reevaluate the server performance and then make any necessary adjustments. These adjustments may involve increasing or decreasing the number of scan engines, or changing the bias setting based on the needs of your organization. For best performance, it is recommended that you use no more than five engines per scan job.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your gateway server to maximize its system performance. Then, you can use several engines on your other servers.

Note: The bias setting only applies to virus scanning. It is not used in file filtering.

About bias settings

There are several possible bias settings. Each scan (other than one with a bias setting of Maximum Certainty) independently selects the engines to use, as described in the following table.

| Bias setting | Description |
| --- | --- |
| Maximum Performance | Scans each message with only one of the selected engines. This gives the fastest performance, but the least security. |
| Favor Performance | Fluctuates between virus scanning with one of the selected engines and half of them. |
| Neutral | Scans each message with at least half of the selected engines. This setting balances security and performance. Neutral is the default value. |
| Favor Certainty | Fluctuates between virus scanning with half of the selected engines and all of them. |
| Maximum Certainty | Scans each message with all of the selected engines. This gives the slowest performance, but the greatest security. If an engine is not available because it is being updated, messages are queued until the engine is once again ready to scan them. |

Assuming you select five engines, the following table shows how each of the bias settings uses the engines in virus scanning:

| Bias mode | Description |
| --- | --- |
| Maximum Performance | Each item is virus-scanned by only one of the selected engines. |
| Favor Performance | Fluctuates between virus scanning each item with one and three engines. |
| Neutral | Each item is virus-scanned by at least three engines. |
| Favor Certainty | Fluctuates between virus scanning each item with three and five engines. |
| Maximum Certainty | Each item is virus-scanned by all five of the selected engines. |

Configuring the bias

The bias is set on the Antivirus Settings work pane. Select Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears to the right.

To configure the bias, select a scan job at the top of the work pane. Then, set its bias, using the Bias field in the lower part of the work pane. The values are those discussed in About bias settings. To find out more about the other fields on the Antivirus Settings work pane, see Chapter 6 - Configuring SMTP Scan Jobs. Remember to click Save to save your choices.

Cleaning infected files

The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.
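
The following Python sketch is an added example, not Antigen code or part of the original documentation. It models how many engines each bias mode applies to an item and how a detection is resolved (any detection marks the item infected, detecting engines try to clean in order, and the item is deleted if none succeeds). It assumes that "half" is rounded up, as the five-engine table implies, and it uses hypothetical engine names.

```python
import math

BIAS_MODES = ("Maximum Performance", "Favor Performance", "Neutral",
              "Favor Certainty", "Maximum Certainty")

def engines_used(bias, selected):
    """Return (min, max) engines that scan one item for a bias mode."""
    if selected < 1:
        raise ValueError("select at least one engine")
    # Assumption: "half" rounds up, matching the five-engine table (half -> three).
    half = math.ceil(selected / 2)
    ranges = {
        "Maximum Performance": (1, 1),
        "Favor Performance": (1, half),        # fluctuates between one and half
        "Neutral": (half, selected),           # at least half
        "Favor Certainty": (half, selected),   # fluctuates between half and all
        "Maximum Certainty": (selected, selected),
    }
    return ranges[bias]

def scan_item(verdicts, can_clean):
    """Apply the detection and cleaning rules to one item.

    verdicts:  ordered (engine_name, detected) pairs for the engines that ran
    can_clean: names of engines whose clean attempt succeeds (constructed input)
    Returns (infected, outcome).
    """
    detectors = [name for name, detected in verdicts if detected]
    if not detectors:
        return (False, "no detection")
    # Any single detection marks the item infected; detecting engines try to
    # clean in order, and the item is deleted if none succeeds.
    for name in detectors:
        if name in can_clean:
            return (True, "cleaned by " + name)
    return (True, "deleted")

if __name__ == "__main__":
    for mode in BIAS_MODES:
        print(mode, engines_used(mode, 5))
    # Constructed sample: hypothetical engine names, two of three detect.
    sample = [("engine_a", False), ("engine_b", True), ("engine_c", True)]
    print(scan_item(sample, can_clean={"engine_c"}))
```

Running engines_used for each server's engine count shows the minimum number of engines guaranteed to inspect an item under a given bias, which is the figure to compare against measured server performance.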
