Chapter 1: Configuring Antivirus Scanning for Multiple Engines

Applies to: Forefront Security for Office Communications Server

To ensure that instant messaging (IM) users are not sharing infected files or inappropriate content, Forefront Security for Office Communications Server enables you to use up to five scan engines to scan for, detect, and clean viruses.

Compared to a single antivirus scan engine, multiple engines provide extra security because they:

  • Draw on the expertise of various virus labs. A virus may slip by one engine, but it is unlikely to get past three.
  • Permit a variety of scanning methods. Forefront Security for Office Communications Server integrates engines that use heuristic scanning methods as well as signatures. All the integrated scan engines have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin. (For information about individual scan engines, visit the Web site for each engine vendor.)

To enable this protection, you need to:

  1. Configure the scan job to specify which type of IM (inbound, outbound, or internal) you want Forefront Security for Office Communications Server to scan.

  2. Select the engines and configure the antivirus detection and bias settings.

Note

For more information about configuring scan engines, refer to the IM Scan Job section in the Forefront Security for Office Communications Server User Guide.

In this chapter

  • How multiple engine detection improves IM protection
    • MEM: managing multiple engines for optimal detection
    • Bias settings: balancing detection and performance
    • Taking action on detected malware
  • Configuring the IM scan job
    • To configure the IM scan job
  • Selecting engines and configuring antivirus settings
    • To select engines and configure antivirus settings

How multiple engine detection improves IM protection

There are three main components that enable Forefront Security for Office Communications Server to detect and block malware accurately and efficiently using engines from multiple third-party vendors:

  • The Multiple Engine Manager (MEM)
  • Bias settings
  • Detection actions

MEM: managing multiple engines for optimal detection

Forefront Security for Office Communications Server allows you to select up to five engines for use in scanning instant messages; but to reduce impact on system performance, you can scan with a subset of those engines (see the next section on bias settings). The product determines which of these possible engines to use through its Multiple Engine Manager (MEM). To do this, the MEM system monitors the performance of each active engine, scoring both its past performance at identifying new threats and how current its virus definitions are. MEM uses these scores (or MEM ratings) and the administrator-specified bias settings to determine which engines to use more often.

MEM weights each engine so that the most up-to-date and best performing engines are used more, and their results are given more weight in determining if an attached file is infected. If two or more engines are equally ranked, Forefront Security for Office Communications Server will switch between them rather than selecting one or the other.

Note

For more information about how MEM works, read the white paper The Multiple Scan Engine Advantage and Best Practices for Optimal Security and Performance.

Bias settings: balancing detection and performance

Through engine bias settings, Forefront Security for Office Communications Server enables you to control how many of the engines to select (up to five) to yield an acceptable probability that your system is protected.

There is a trade-off between virtual certainty and system performance. The more engines you use, the greater the probability that all viruses will be caught—and the greater the impact on your system's performance.

Note

Bias settings apply only to virus scanning; they are not used in filtering.

Bias setting: scan engine action

Maximum Performance

Scans with just one of the selected engines. MEM automatically chooses the engine that, based on MEM ratings, appears most likely to catch an incoming threat. This gives the fastest performance but the least security.

Favor Performance

Depending on server CPU load, adjusts the number of scan engines used to scan incoming items. MEM automatically determines which of the selected engines to use.

Neutral

Scans with at least half of the selected engines, balancing security and performance. MEM automatically determines which of the selected engines to use.

Favor Certainty (default)

Scans using all available selected engines. If an engine is offline (for example, being updated), Forefront Security for Office Communications Server continues to scan with all of the remaining engines.

Maximum Certainty

Scans with all the selected engines. If an engine is offline (for example being updated), messages are queued until the engine is once again ready to scan them. This selection results in the slowest performance but the greatest security.
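The two sections above describe MEM ratings, tie handling, and what each bias setting does when an engine is offline. The following is an added example, not product code: a small Python model that assigns each engine a constructed rating from its past detection performance and definition age, rotates between equally ranked engines, and picks engines per bias setting, returning None where Maximum Certainty must queue the item. The 72-hour freshness horizon, the 0.7/0.3 weighting, and the CPU-load rule for Favor Performance are assumptions chosen for illustration.

```python
"""Engine selection under MEM ratings and bias settings (constructed model, not product code)."""
import math
from dataclasses import dataclass
from enum import Enum


class Bias(Enum):
    """The five bias settings from the table above."""
    MAXIMUM_PERFORMANCE = "max_performance"
    FAVOR_PERFORMANCE = "favor_performance"
    NEUTRAL = "neutral"
    FAVOR_CERTAINTY = "favor_certainty"   # product default
    MAXIMUM_CERTAINTY = "max_certainty"


@dataclass
class Engine:
    name: str
    detection_score: float       # constructed: past success at catching new threats, 0..1
    definition_age_hours: float  # how old its virus definitions are
    online: bool = True          # False while the engine is being updated

    def mem_rating(self) -> float:
        # Constructed rating: past performance combined with definition freshness.
        # Definitions older than 72 hours (assumed horizon) contribute nothing.
        freshness = max(0.0, 1.0 - self.definition_age_hours / 72.0)
        return round(0.7 * self.detection_score + 0.3 * freshness, 3)


class MultipleEngineManager:
    def __init__(self):
        self._tick = 0  # advances per scan so equally ranked engines take turns

    def rank(self, engines):
        """Online engines, best rating first; ties rotate from scan to scan
        instead of always favouring one engine."""
        groups = {}
        for e in engines:
            if e.online:
                groups.setdefault(e.mem_rating(), []).append(e)
        ordered = []
        for rating in sorted(groups, reverse=True):
            group = groups[rating]
            k = self._tick % len(group)
            ordered.extend(group[k:] + group[:k])
        self._tick += 1
        return ordered

    def select(self, engines, bias, cpu_load=0.0):
        """Engines to run for one item, or None when the item must be queued."""
        if bias is Bias.MAXIMUM_CERTAINTY and not all(e.online for e in engines):
            return None  # every selected engine must scan; wait for the offline one
        ranked = self.rank(engines)
        n = len(engines)
        if bias is Bias.MAXIMUM_PERFORMANCE:
            count = 1
        elif bias is Bias.FAVOR_PERFORMANCE:
            # assumed rule: fewer engines as server CPU load rises, never fewer than one
            count = max(1, math.ceil(n * (1.0 - cpu_load)))
        elif bias is Bias.NEUTRAL:
            count = math.ceil(n / 2)  # at least half of the selected engines
        else:
            count = len(ranked)       # FAVOR_CERTAINTY: all engines currently online
        return ranked[:count]


if __name__ == "__main__":
    # Constructed fleet: two equally rated engines, one stale engine, one being updated.
    fleet = [Engine("A", 0.9, 2), Engine("B", 0.9, 2),
             Engine("C", 0.6, 50), Engine("D", 0.8, 10, online=False)]
    mem = MultipleEngineManager()
    for bias in Bias:
        chosen = mem.select(fleet, bias, cpu_load=0.5)
        print(bias.value, "->", "queued" if chosen is None else [e.name for e in chosen])
```

Running the block twice with Maximum Performance shows the tie rotation: engine A is chosen on one scan and B on the next. With engine D offline, Favor Certainty proceeds with A, B and C, while Maximum Certainty reports that the item is queued.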

Taking action on detected malware

You can specify what action you want Forefront Security for Office Communications Server to take (outlined in the table below) when it finds an IM attachment that is infected with a virus. In addition, you may choose to quarantine a detected attachment so it can subsequently be delivered in the event that it was incorrectly tagged as containing a virus. You can also notify users and virus administrators of the attached files that were blocked, the reason for blocking, and the possible actions available to them.


Engine action: description

Skip: detect only

Makes no attempt to clean or delete the infection. Reports viruses and infected file attachments, but leaves infected attachments in place.

Clean: repair attachment (default)

Attempts to clean the virus. If it is successful, the infected attachment is replaced with a clean version. If cleaning is not possible, Forefront Security for Office Communications Server replaces the attachment with special deletion text.

Note: Most of the time the entire attachment is a virus and has no valid content. Because attempting to clean the virus consumes processing resources, many organizations choose to simply block or delete infected attachments.

Delete: remove infection

Removes the attachment from the message without attempting to clean it and adds special deletion text to the IM by way of explanation.

Block

Prevents the IM or transferred file from reaching the intended recipient. Sends a message that the file was infected.
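To make the four engine actions, the quarantine copy, and the notifications concrete, here is an added Python example; it is not the product's code and stands in for its behaviour with constructed data. An attachment is "infected" when it contains a constructed marker byte string; cleaning strips that marker and fails when nothing else remains, which models the note above that an infected attachment is often nothing but payload. The deletion text and notification wording are placeholders.

```python
"""Detection actions applied to an infected IM attachment (constructed example, not product code)."""
from dataclasses import dataclass, field, replace as dc_replace
from enum import Enum
from typing import List, Optional


class Action(Enum):
    SKIP = "skip"      # detect only
    CLEAN = "clean"    # repair attachment (product default)
    DELETE = "delete"  # remove infection
    BLOCK = "block"    # stop the IM or file transfer


# Constructed stand-ins for the product's "special deletion text" and for a scanner verdict.
DELETION_TEXT = "[Attachment removed: an infected file was detected]"
MARKER = b"<<INFECTED>>"   # constructed: the bytes we treat as the malicious part


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachment: Optional[Attachment] = None


@dataclass
class Outcome:
    delivered: bool
    message: Optional[Message]
    quarantined: Optional[Attachment] = None      # copy kept so it can be released later
    notifications: List[str] = field(default_factory=list)


def is_infected(att: Attachment) -> bool:
    return MARKER in att.data


def try_clean(att: Attachment) -> Optional[Attachment]:
    """Return a repaired copy, or None when nothing but payload remains."""
    cleaned = att.data.replace(MARKER, b"")
    return Attachment(att.name, cleaned) if cleaned.strip() else None


def apply_action(msg: Message, action: Action, quarantine: bool = False,
                 notify: bool = False) -> Outcome:
    att = msg.attachment
    if att is None or not is_infected(att):
        return Outcome(True, msg)          # nothing detected: deliver unchanged
    out = Outcome(True, msg)
    if quarantine:
        out.quarantined = Attachment(att.name, att.data)   # original bytes, before any change
    if notify:
        out.notifications = [
            f"{who}: {att.name} from {msg.sender} was infected; action={action.value}"
            for who in (msg.sender, msg.recipient, "virus-admin")
        ]
    if action is Action.SKIP:
        return out                         # reported only; attachment left in place
    if action is Action.BLOCK:
        out.delivered = False
        out.message = None
        out.notifications.append(f"{msg.recipient}: a file from {msg.sender} was blocked as infected")
        return out
    if action is Action.CLEAN:
        cleaned = try_clean(att)
        if cleaned is not None:
            out.message = dc_replace(msg, attachment=cleaned)
            return out
    # DELETE, or CLEAN that could not repair: drop the attachment and explain in the IM text
    out.message = dc_replace(msg, attachment=None, body=msg.body + "\n" + DELETION_TEXT)
    return out


if __name__ == "__main__":
    # Constructed sample: an IM whose attachment is entirely payload.
    im = Message("alice@example.test", "bob@example.test", "see attached",
                 Attachment("report.exe", MARKER))
    for action in Action:
        result = apply_action(im, action, quarantine=True, notify=True)
        print(action.value, "delivered:", result.delivered,
              "attachment:", result.message.attachment if result.message else None)
```

The design point worth noticing is the order of operations: the quarantine copy is taken before any action modifies or drops the attachment, so a false positive can still be released, and Block is the only action that withholds the whole message rather than just the file.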

Configuring the IM scan job

The IM scan job scans each instant message in real time as it is transferred through the IM server. Configure the IM scan job to specify what combination of inbound, outbound, and internal messages should be scanned.

To configure the IM scan job

  1. Under SETTINGS, click Scan Job.

  2. Under Name (which contains a list of configurable scan jobs), click IM Scan Job.

  3. Make sure that State is set to Enabled, and that Virus Scanning is On.

  4. If it is not, click OPERATE at screen left, and then click Run Job. Make sure Virus Scanning is checked, and then click Enable.

    Note

    Any change to these settings is immediate, even if the job is currently running.

  5. Under IM Messages, check the boxes to select which message queues you want to scan.

  6. You can choose to scan any combination of Inbound messages (those originating outside the enterprise), Outbound messages (those leaving the enterprise), or Internal messages (those within the company intranet).

  7. Click Save.

Selecting engines and configuring antivirus settings

Now that you have configured the scan job:

  • Choose which engines you want to use.
  • Specify the engine bias that allows you to balance system and detection performance.
  • Determine the action you want an engine to take when it detects an infected attachment. When viruses or inappropriate content are detected, they can, for example, be blocked based on the administrator’s preference.

The engine bias and action specify how Forefront Security for Office Communications Server controls the selected engines during the scan job through its built-in Multiple Engine Manager.

To select engines and configure antivirus settings

  1. Under SETTINGS at screen left, click Antivirus.

  2. Under Name, make sure the IM Scan Job you just configured is selected.

  3. Under File Scanners, check the engines you want to use.

    The ones you chose at installation are selected by default. You can choose up to five engines for each job.

  4. Under Bias, select from the list the setting you want, balancing protection and performance.

  5. Under Action, select the action you want Forefront Security for Office Communications Server to take when it detects a virus.

  6. This action will apply across all scan engines for the job.

  7. To send e-mail notifications when a virus is detected, check the Send Notifications box.

    For details, see Chapter 4: Configuring Notifications.

  8. To save copies of infected files for later inspection, check the Quarantine Files box.

    For details on quarantining, see Chapter 6: Using the Quarantine Database.

  9. Click Save.

Editing the scan job or antivirus settings

To edit the scan job or antivirus settings:

  1. Under SETTINGS at screen left, select either Scan Job or Antivirus, depending on the settings you want to modify.

  2. Make the changes you want, and click Save.