Chapter 2: Selecting and Configuring Antivirus Scan Engines

Applies to: Forefront Security for SharePoint

With Forefront Security for SharePoint, you can use up to five engines to scan for, detect, or clean viruses or remove the files in which they are found. Using multiple engines provides extra security because you draw on the expertise of various industry-leading virus labs to help keep your environment virus-free. A virus may slip by one engine, but it is unlikely to get past three or more. Multiple engines also allow for a variety of scanning methods, integrating scan engines that use heuristic scanning methods with those that use signatures.

Scan engines are easy to configure. After you choose which engines you want to use, you specify (1) the engine bias (which allows you to balance system and detection performance) and (2) the action you want an engine to take when it detects a virus. These two settings specify how Forefront Security for SharePoint controls the selected engines during the scan job through SharePoint Multiple Engine Manager (MEM).

Note

For more options and information about configuring scan engines, refer to the “Scanning” section of the “SharePoint Forefront Server Security Administrator” chapter in the Forefront Security for SharePoint User Guide.

In this chapter

How SharePoint Multiple Engine Manager works

How engine bias works

What scan engines do when they detect a virus

Selecting and configuring antivirus scan engines

To select and configure antivirus scan engines

How SharePoint Multiple Engine Manager works

Forefront Security for SharePoint determines which engines to use through SharePoint Multiple Engine Manager (MEM). The MEM system monitors the performance of each active engine, scoring how well it has performed in the past at identifying new threats and how current its virus definitions are. These scores (or MEM ratings) and the administrator-specified bias settings (defined in the next section) are used to determine which engines to use more often. This information allows MEM to weight each engine so that the most up-to-date and best performing engines are used more, and their results are given more weight in determining if a file is infected.

Note

For more information about the complex topic of how MEM works and how Forefront Security for SharePoint uses it, read the white paper, The Multiple Scan Engine Advantage and Best Practices for Optimal Security and Performance.

How engine bias works

Engine bias determines how many engines (up to five) will be used in each scan. The bias setting controls how many engines are needed to give you an acceptable probability that your system is protected. There is a trade-off between protection and system performance. The more engines you use, the greater the probability that viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance.

Thus, at one extreme you use all selected engines for maximum certainty that all viruses will be caught. At the other extreme you use only one engine for maximum performance but reduced certainty. In between is the number of engines that permit balanced (or neutral) performance. To help determine the optimal setting for your environment (as described below), refer to the white paper, The Multiple Scan Engine Advantage and Best Practices for Optimal Security and Performance.

Bias settings and the resulting scan engine action (of the set you define):

Maximum Performance

Scans each item with only one of the selected engines. MEM automatically chooses the engine that, based on MEM engine ratings, appears most likely to catch an incoming threat.

Favor Performance

Depending on server CPU load, adjusts the number of scan engines used to scan incoming items. MEM chooses which engines to use based on MEM engine ratings.

Neutral

Scans using approximately half of the selected engines. Depending on file arrival rates and server resource usage, more engines may be used.

Favor Certainty

Scans each item with all available engines; if an engine is offline (for example, getting updated), it will not be used.

Maximum Certainty

Scans each item with all selected engines. If one of the engines is offline (for example, getting updated), files will not be processed until that engine has come back online.
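The bias table above, worked through as a small model (an added example, not code from Forefront Security for SharePoint). The real MEM weighting is not documented on this page, so the engine names, ratings, the CPU-load rule for Favor Performance and the offline engine are all constructed assumptions; the point is the difference in how each setting picks engines and, for Maximum Certainty, holds the item when one engine is offline.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Engine:
    name: str
    rating: float        # constructed stand-in for the MEM rating; higher is better
    online: bool = True  # False while the engine is being updated

class EngineOffline(Exception):
    """Maximum Certainty: the item waits until every selected engine is back."""

def select_engines(engines: List[Engine], bias: str, cpu_load: float = 0.0) -> List[Engine]:
    """Return the engines used for one item under the given bias setting."""
    ranked = sorted(engines, key=lambda e: e.rating, reverse=True)
    online = [e for e in ranked if e.online]
    if bias == "Maximum Performance":
        return online[:1]                        # the single best-rated engine
    if bias == "Favor Performance":
        # Assumed load rule: fewer engines as CPU load rises, never below one.
        count = max(1, round(len(online) * (1.0 - cpu_load)))
        return online[:count]
    if bias == "Neutral":
        half = -(-len(online) // 2)              # about half, rounded up
        return online[:half]
    if bias == "Favor Certainty":
        return online                            # every engine that is not offline
    if bias == "Maximum Certainty":
        if len(online) != len(ranked):
            raise EngineOffline("item held until the offline engine returns")
        return ranked                            # every selected engine, no exceptions
    raise ValueError(f"unknown bias setting: {bias}")

# Constructed sample: five selected engines, one of them offline for an update.
SAMPLE_ENGINES = [
    Engine("EngineA", 0.92), Engine("EngineB", 0.85),
    Engine("EngineC", 0.80, online=False),
    Engine("EngineD", 0.74), Engine("EngineE", 0.61),
]

def names(engines: List[Engine]) -> List[str]:
    return [e.name for e in engines]

if __name__ == "__main__":
    for bias in ("Maximum Performance", "Favor Performance", "Neutral", "Favor Certainty"):
        print(bias, "->", names(select_engines(SAMPLE_ENGINES, bias, cpu_load=0.5)))
```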

What scan engines do when they detect a virus

You can specify what action you want engines to take (as outlined in the table below) when they find a file that is infected with a virus. In addition, you may also choose to quarantine detected files (in the event that a file has been incorrectly tagged as containing a virus) and to notify users and virus administrators of files that were blocked, the reason for blocking, and the possible actions available to them.

Engine actions and what each one does:

Skip: detect only

Makes no attempt to clean or delete the infection. Reports viruses and infected files, but leaves infected files in place.

Clean: repair attachment

Passes the file to each of the selected scan engines for cleaning. If one is not able to clean the file, it is passed to the next engine. If none of the engines are able to clean the file, the file is deleted and blocked from upload or download.

This option is only available if you check Attempt to clean infected documents when you configure the scan job. (For more information, see More About Clean: Repair Attachment.)

Block: prevent transfer (for real-time scans)

Blocks the download or upload of infected files. Sends a message that the file was infected and could not be uploaded or downloaded.

Delete: remove infection (for manual scans)

Deletes the file without attempting to clean the infection. The deletion text file will be sent in place of the file. (For more information, see Deletion Text.)

More About Clean: Repair Attachment

If the scan engine is unable to clean an infected file (including nested files), it will block or quarantine the file. For example, suppose there are four nested files within a .zip package, three of which are infected and one clean. The engine scans each and lets the clean file through. Of the three infected files, if the engine can clean two but not the third, it lets the two cleaned files through and blocks the third, which it could not clean.
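The nested-package example above and the engine-to-engine cleaning cascade from the Clean: repair attachment row, modelled as a small function (an added example, not code from the product). The file names, virus names and each engine's cleaning ability are constructed; the output shows the clean file and the two repairable files passing while the one nobody can clean is blocked.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class NestedFile:
    name: str
    infection: Optional[str] = None   # virus name reported by the scanner, None if clean

@dataclass(frozen=True)
class CleanEngine:
    name: str
    can_clean: FrozenSet[str] = frozenset()   # infections this engine can repair

def clean_attachment(files: List[NestedFile], engines: List[CleanEngine]) -> Dict[str, List[str]]:
    """Apply 'Clean: repair attachment' to the nested files of one package.

    Clean files pass straight through. Each infected file is offered to the
    engines in order and the first engine that can repair it wins. A file that
    no engine can clean is blocked (deleted and kept out of the upload or
    download); the other files in the package still pass."""
    passed: List[str] = []
    blocked: List[str] = []
    log: List[str] = []
    for f in files:
        if f.infection is None:
            passed.append(f.name)
            continue
        cleaner = next((e.name for e in engines if f.infection in e.can_clean), None)
        if cleaner is None:
            blocked.append(f.name)
            log.append(f"{f.name}: {f.infection} could not be cleaned, blocked")
        else:
            passed.append(f.name)
            log.append(f"{f.name}: {f.infection} cleaned by {cleaner}")
    return {"passed": passed, "blocked": blocked, "log": log}

# Constructed sample matching the text: four nested files, three infected, one clean.
SAMPLE_PACKAGE = [
    NestedFile("readme.txt"),
    NestedFile("report.doc", infection="Macro.Alpha"),
    NestedFile("sheet.xls", infection="Macro.Beta"),
    NestedFile("setup.exe", infection="Worm.Gamma"),   # the whole file is the virus
]
SAMPLE_ENGINES = [
    CleanEngine("EngineA", frozenset({"Macro.Alpha"})),
    CleanEngine("EngineB", frozenset({"Macro.Alpha", "Macro.Beta"})),
    CleanEngine("EngineC"),                             # detects but cannot repair
]

if __name__ == "__main__":
    for line in clean_attachment(SAMPLE_PACKAGE, SAMPLE_ENGINES)["log"]:
        print(line)
```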

This feature was more useful some years ago, when cleanable viruses were more common and valid documents were often infected. Today, however, the vast majority of viruses are not cleanable (by some estimates, fewer than 10 percent can be cleaned). Furthermore, a valid file that is infected is much less common. Most of the time the entire attachment is a virus and has no valid content.

Because attempting to clean the virus requires additional processing resources, many organizations decide to simply block or delete the infected file.

Selecting and configuring antivirus scan engines

After you choose which scan engines you want to use, you specify the engine bias, which allows you to balance system and detection performance. Then you determine the action you want an engine to take when it detects a virus.

To select and configure antivirus scan engines

  1. Under SETTINGS, click Antivirus.

  2. Select the scan job you want to use.

  3. Under File Scanners, check the engines you want to use. (The ones you chose at installation are selected by default.)
    You can choose up to five engines for each job.

  4. Under Bias, select from the list the setting you want, balancing protection and performance.

  5. Under Action, select from the list the action you want engines to take when they detect a virus.
    This action will apply across all scan engines for the job.

  6. To send notifications when a virus is detected, check the Send Notifications box. (For details on notifications, see Configuring Event Notifications.)

  7. To save copies of infected files for later inspection, check the Quarantine Files box.
    Although rare, it is possible that a scan engine will falsely identify a file as containing a virus. Quarantining saves a copy of the file, where it can be examined later and, if need be, released.

    Note

    There is overhead in quarantining files, particularly if many viruses are identified. (Large organizations may block millions of viruses in a month.) Ideally, you would quarantine files, but you may decide that the more effective course is to delete them. (For more information, see Using the Quarantine Database.)

  8. Click Save.