Loading the CPU
Scanning for infected documents will consume some CPU cycles on your server, no matter what product you use. A manual scan generates the heaviest load because it searches for and checks a continuous stream of documents. In my case, using a server with dual 233MHz Pentium II processors, Antigen's manual scan process consumed between 20 and 30 percent of the available CPU cycles. Demand peaked when the manual scan encountered large attachments, such as a 10MB Zip file that contained 15 Microsoft Word documents. Equipping an Exchange server with dual CPUs is a good idea, even if you don't immediately need the extra power. The additional CPU can take the load imposed by high-intensity applications such as a manual scan, smooth out peaks in user demand, and deliver a more predictable response to clients.
Realtime scans make a relatively small demand on server resources. Quantifying the demand is difficult because demand varies with the volume of messages that pass through the server and the percentage of the messages that have attachments. The realtime scan I observed took no more than 5 percent of the available CPU cycles.
As hardware capabilities grow, the load that critical add-ons such as virus checkers and system monitors impose becomes less important. When Exchange Server 4.0 shipped in 1996, the typical server had a 100MHz Pentium processor with perhaps 128MB of RAM and 2GB of hard disk space. Today's servers are much faster, and many of them have multiple processors, not to mention radically improved disk subsystems. Although servers are supporting more users and running more applications, they also have more headroom to accommodate add-ons. Lack of system space and insufficient speed are no longer valid reasons to neglect a virus-checker installation.
Reporting Virus Incidents
Reporting virus incidents with Antigen is straightforward. You can view a virus incident onscreen or export the incident's details to a file for later analysis. Either way, you need to extract an incident's details and mail the information to affected users so that the users realize that they've received infected documents. Screen 2 shows Antigen's reporting options, which include summary statistics of the scanners' work. Exchange Server's single-instance storage model accounts for the difference between logical and physical attachments. Many users can share one attachment. Antigen counts a shared attachment as one physical file with multiple logical links.
In my example, a relatively small server (with a 3GB priv.edb) has 6,139,158 logical links resulting from 30,021 physical attachments. I can only assume that a bug in the beta software caused a miscount. The figures that the realtime scan reported (468 physical attachments with 828 logical links) are more in line with what I'd expect. These numbers provide a sharing ratio of 1.77, roughly equivalent to the value of the single-instance storage ratio counter that Performance Monitor reported on this server (i.e., 1.86). Sybari's development staff is aware of the glitch and promises to address it by the time you read this. Generally, the product's quality is high, and I didn't see any evidence of other bugs.
When I reviewed the virus report, I was intrigued to see that Antigen had detected and cleaned several messages that contained the Worm.ExploreZip virus. Although the scanner had downloaded the latest signature file and I expected that Antigen would detect any new message that contained the virus, I hadn't expected Antigen to detect viruses in messages that had been soft-deleted. Remember that Exchange Server 5.5 introduced the two-stage deletion concept. The software first soft-deletes an item by moving it into a logical deleted items cache in the database, then eventually hard-deletes the item to remove it permanently. You can set a deleted items retention period to retain items in the IS. This setting lets users recover items that they deleted in error. Items in the deleted items cache are soft deletes. Hard deletion occurs after the preset retention time expires. You can set the retention period on a per-user basis or as a default for the entire IS. Most companies choose a 5- to 10-day retention.
I received 22 messages containing Worm.ExploreZip soon after the virus struck one of my company's mail servers. My suspicions were aroused when I read the text of the first infected message; I wasn't expecting any mail from the apparent sender. My suspicions were confirmed when I received the other 21 messages with similar attachments and body text in quick succession. When I exited Outlook, the software deleted the messages in my Deleted Items folder. (I prefer Outlook to empty this folder each time I exit because I don't like to hang on to deleted messages. Others prefer to use the Deleted Items folder as a convenient place to temporarily hold messages.) No apparent trace of the offending messages existed until Antigen found them, because Antigen's manual scan checks every attachment in the IS, including attachments marked with the soft-delete flag that are waiting for their retention period to expire. The majority of messages that Antigen reported in Screen 2 were soft-deleted items. The Realtime Scan Job detected the last message in the list, proving the worth of running the realtime and manual scan jobs in tandem for extra protection.
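The following is an added example, not code from the article, from Sybari, or from Microsoft. It is a toy Python model of the two storage behaviours the preceding sections rely on: single-instance storage, where many logical links share one physical attachment and the sharing ratio is logical links divided by physical attachments, and two-stage deletion, where a soft-deleted item sits in the deleted-items cache until the retention period expires. The store, the messages, the signature marker and the retention values are all constructed for illustration; the scan function shows why a store-wide scan that includes soft-deleted items reports copies that a scan of live items alone would miss.

```python
"""Toy model of Exchange-style single-instance storage and two-stage deletion.
Constructed example for illustration; not Antigen's or Exchange's code."""
from dataclasses import dataclass, field
import hashlib

# Constructed byte pattern standing in for a scanner signature; not a real one.
TEST_SIGNATURE = b"TOY-WORM-MARKER"


@dataclass
class Message:
    msg_id: int
    recipient: str
    attachment: bytes          # identical bytes => one shared physical file
    soft_deleted: bool = False
    deleted_days_ago: int = 0  # only meaningful when soft_deleted is True


@dataclass
class Store:
    """Mailbox store: a list of messages whose attachments are content-addressed."""
    retention_days: int = 7
    messages: list = field(default_factory=list)

    def deliver(self, recipients, attachment):
        # One attachment sent to N recipients: one physical file, N logical links.
        for r in recipients:
            self.messages.append(Message(len(self.messages) + 1, r, attachment))

    def soft_delete(self, msg_id, days_ago=0):
        # Stage one: the item moves into the deleted-items cache but stays on disk.
        for m in self.messages:
            if m.msg_id == msg_id:
                m.soft_deleted, m.deleted_days_ago = True, days_ago

    def hard_delete_expired(self):
        # Stage two: cached items older than the retention period are removed for good.
        self.messages = [m for m in self.messages
                         if not (m.soft_deleted and m.deleted_days_ago >= self.retention_days)]


def sharing_ratio(logical, physical):
    """Single-instance sharing ratio as the article computes it (logical / physical)."""
    return round(logical / physical, 2) if physical else 0.0


def attachment_counts(store, include_soft_deleted=True):
    """Return (physical, logical, ratio) the way a store-wide scan would count them."""
    visible = [m for m in store.messages if include_soft_deleted or not m.soft_deleted]
    physical = {hashlib.sha256(m.attachment).hexdigest() for m in visible}
    return len(physical), len(visible), sharing_ratio(len(visible), len(physical))


def scan(store, include_soft_deleted=True):
    """Check each physical attachment once; report every logical link to an infected one."""
    visible = [m for m in store.messages if include_soft_deleted or not m.soft_deleted]
    verdict = {}  # content hash -> True if the constructed marker was found
    for m in visible:
        h = hashlib.sha256(m.attachment).hexdigest()
        if h not in verdict:
            verdict[h] = TEST_SIGNATURE in m.attachment
    return sorted(m.msg_id for m in visible
                  if verdict[hashlib.sha256(m.attachment).hexdigest()])


def build_demo_store():
    """Constructed store: a shared report, a shared infected zip, one private zip."""
    store = Store(retention_days=7)
    store.deliver(["alice", "bob", "carol"], b"quarterly-report.doc contents")   # ids 1-3
    store.deliver(["alice", "bob"], b"zipped_files.zip " + TEST_SIGNATURE)       # ids 4-5
    store.deliver(["dave"], b"holiday-photos.zip")                               # id 6
    store.soft_delete(4, days_ago=2)    # alice emptied Deleted Items; copy still cached
    store.soft_delete(6, days_ago=10)   # harmless item that has outlived retention
    store.hard_delete_expired()         # id 6 is gone; id 4 remains in the cache
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("article figures:", sharing_ratio(828, 468))                 # 1.77
    print("all items:", attachment_counts(s), scan(s))                 # (2, 5, 2.5) [4, 5]
    print("live only:", attachment_counts(s, False), scan(s, False))  # (2, 4, 2.0) [5]
```

The soft-deleted copy (message 4) is invisible to a scan of live items but still present in the store, which is exactly the case the manual scan surfaced in the review; a retention period simply postpones the moment the infected bytes leave the database.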
Supporting Different Virus Engines
Most virus checkers rely on one virus-detection engine. Sybari has licensed three engines that you can integrate with the product. Companies often select a particular virus checker as part of their desktop environment, so the ability to use the same checker on both desktop and server is a plus.
Screen 3 shows that Antigen is using the Norman Data Defense scanner on my server. The screen's bottom pane controls how the software automatically downloads scanner updates (i.e., according to a desired schedule). Sybari offers network-based updates via an FTP connection to the company's Web site. The automatic download feature didn't work for me, probably because of FTP proxy problems, so I had to resort to a local update. Sybari facilitates local updates by offering mail-based update distribution, which requires you to move the updated files to a suitable network share from which Antigen can pick them up. This easy process is probably the way that you'd set up your virus checker in your corporate environment so that one download to a network share would update multiple servers.
Preventing Internet Problems
Most viruses come from the Internet, so guarding this avenue is essential. You can use products such as Trend Micro's InterScan VirusWall (http://www.trendmicro.com) or Content Technologies' MIMEsweeper (http://www.mimesweeper.com) to protect the relay hosts that you use to channel mail from the Internet to Exchange Server, but a vendor that builds this feature into its antivirus software is ahead of the game. Antigen checks both inbound and outbound queues of Exchange Server's Internet Mail Service (IMS). From a user's perspective, scanning inbound and outbound messages produces no discernible delay on message throughput. Again, deploying today's fast systems as bridgehead servers contributes to fast message transmission. The extra overhead won't create problems; it'll only provide greater protection.
Finding the Right Product
I didn't intend this article to be an endorsement of Antigen over all the other antivirus products on the market, but Antigen is an innovative solution to a problem we all encounter. The product isn't perfect; for example, it doesn't protect against viruses that arrive on 3.5" disks or via other non-email routes. However, Antigen protects Exchange Server impressively against infected files that arrive as message attachments or post directly to public folders.
Every product has a unique feature set, and a different product might be more appropriate for your installation. As with any solution, you need to download evaluation versions of a couple of products and conduct tests to see which one best suits your needs. You need to ensure that you're protecting your Exchange server as comprehensively as possible. You can bet that you'll meet a virus one day, so you need to be prepared.
Corrections to this Article:
- Lab Reports: "Antigen 5.5" includes an incorrect email address for the author, Tony Redmond. His correct email address is tony.redmond@compaq.com. We apologize for any inconvenience this error might have caused.