Chapter 5 - Using multiple scan engines

 

Applies to: Microsoft Antigen

Antigen provides you with the ability to implement multiple scan engines for detecting and cleaning viruses.

Multiple engines provide extra security by enabling you to draw on the expertise of various virus labs to keep your environments virus-free. A virus can slip by one engine, but it is unlikely to get past three.

Multiple engines also allow for a variety of scanning methods. Antigen integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor’s Web site. Links are provided at Microsoft Help and Support.

All the scan engines that Antigen integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You can select only the engines that you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings work pane) enable Antigen’s Multiple Engine Manager (MEM) to properly control the selected engines during the scan job.

MEM uses the engine results to determine the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, the MEM returns a result greater than 0. Antigen then considers the item infected and has the MEM deal with it accordingly (for more information, see Cleaning infected files).

About engine rankings

MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information enables the MEM to weight each engine so that better-performing engines are used more during scanning and their results are given more weight in determining whether a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, Antigen invokes them by cycling through various engine order permutations.

Setting the bias

The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance.

Thus, at one extreme is the number of engines to use for maximum certainty. The other extreme is the number of engines that will allow maximum performance. In between is the number of engines that permit balanced (called neutral) performance.

After you make your scan engine configurations and bias configurations, it is recommended that you reevaluate the server performance and then make any necessary adjustments. These adjustments may involve increasing or decreasing the number of scan engines, or changing the bias setting based on the needs of your organization. For best performance, it is recommended that you use no more than five engines per scan job.

You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your Gateway server to maximize its system performance. Then, you can use several engines on your mailbox servers.

Note: The bias setting applies only to virus scanning. It is not used in file filtering.

About bias settings

There are several possible bias settings. Each scan (other than one with a bias setting of Maximum Certainty) independently selects which engines to use:

| Bias Setting | Description |
| --- | --- |
| Maximum Performance | Scans each message with only one of the selected engines. This provides the fastest performance, but the least security. |
| Favor Performance | Fluctuates between virus scanning with one of the selected engines and half of the engines. |
| Neutral | Scans each message with at least half of the selected engines. This setting balances security and performance. Neutral is the default value. |
| Favor Certainty | Fluctuates between virus scanning with half of the selected engines and all of them. |
| Maximum Certainty | Scans each message with all of the selected engines. This gives the slowest performance, but the greatest security. If an engine is not available because it is being updated, messages are queued until the engine is once again ready to scan them. |

Assuming that you select five engines, the following table shows how each of the bias settings uses the engines in virus scanning:

| Bias Mode | Description |
| --- | --- |
| Maximum Performance | Each item is virus-scanned by only one of the selected engines. |
| Favor Performance | Fluctuates between virus scanning each item with one engine and with three engines. |
| Neutral | Each item is virus-scanned by at least three engines. |
| Favor Certainty | Fluctuates between virus scanning each item with three and five engines. |
| Maximum Certainty | Each item is virus-scanned by all five of the selected engines. |

Configuring the Bias

The bias is set on the Antivirus Settings work pane. Select Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears on the right.

To configure the bias, select a scan job at the top of the work pane. Then, set its bias by using the Bias field in the lower part of the work pane. The values are those discussed in About bias settings. To find out more about the other fields on the Antivirus Settings work pane, see any of the scan job chapters. Remember to Save your choices.

Cleaning infected files

The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.
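The following Python model is an added illustration, not Antigen's code or Microsoft's algorithm: it combines the engine counts from About bias settings, the rule that any single detection marks the item infected, and the clean-then-delete order described above. The engine names, weights, sample names, the weighted random draw, the highest-weight-first order, and rounding "half" up (taken from the five-engine table) are all assumptions.

```python
import math
import random
from collections import namedtuple

# Constructed engines: weight stands in for MEM's ranking; detects/cleans
# are the sample names each engine can detect / successfully clean.
Engine = namedtuple("Engine", "name weight detects cleans")
ENGINES = [
    Engine("A", 5, {"s1", "s2"}, set()),
    Engine("B", 4, {"s1"}, {"s1"}),
    Engine("C", 3, {"s3"}, set()),
    Engine("D", 2, set(), set()),
    Engine("E", 1, set(), set()),
]

def engine_range(bias, n):
    """(min, max) engines per scan. Half rounds up: 5 selected -> 3."""
    half = math.ceil(n / 2)
    return {
        "Maximum Performance": (1, 1),
        "Favor Performance": (1, half),
        "Neutral": (half, n),          # page gives only the lower bound
        "Favor Certainty": (half, n),
        "Maximum Certainty": (n, n),
    }[bias]

def pick_engines(engines, bias, rng):
    """Weighted draw without replacement, returned highest weight first."""
    lo, hi = engine_range(bias, len(engines))
    pool, chosen = list(engines), []
    for _ in range(rng.randint(lo, hi)):
        e = rng.choices(pool, weights=[x.weight for x in pool])[0]
        pool.remove(e)
        chosen.append(e)
    return sorted(chosen, key=lambda e: -e.weight)

def scan(sample, engines, bias, rng):
    """Return (verdict, names of engines used) for one item."""
    used = pick_engines(engines, bias, rng)
    names = [e.name for e in used]
    detectors = [e for e in used if sample in e.detects]
    if not detectors:                  # no engine flagged it: result is 0
        return "passed", names
    for e in detectors:                # first detector cleans, then the next
        if sample in e.cleans:
            return "cleaned by " + e.name, names
    return "deleted", names            # every detecting engine failed to clean

if __name__ == "__main__":
    rng = random.Random(1)
    for bias in ("Maximum Performance", "Neutral", "Maximum Certainty"):
        print(bias, scan("s3", ENGINES, bias, rng))
```

Sample s3 is detected only by engine C, so under Maximum Performance it passes whenever the single engine drawn is not C, while Maximum Certainty always catches it.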
