Update on the recent Norman antivirus engine issue

Hello, my name is Molly Gilmore and I’m a program manager on the Forefront Security Rapid Response Engineering team. I work closely with our antivirus engine partners on support and technical integration issues. Others on the team and I have been working closely with the Norman engineering team to resolve some of the issues reported recently as a result of long engine initialization times and increased memory usage by the Norman engine.

Here is the status update for Forefront Security for Exchange/SharePoint and Antigen customers affected by the recent memory usage increase by the Norman engine that was released on February 24, 2009 in update package 0902240003.




On February 27, 2009, Microsoft Antigen customers began reporting significant increases in the amount of memory used by the Norman Virus Control engine. Memory required by Antigen scan jobs that had the Norman engine enabled started to exceed 350 MB per scanning process. For some customers, the impact was a significant reduction in available memory for other applications and processes, and an allocation of all of the available system page pool by Antigen. Customers running Antigen in a clustered environment also reported fail-over events. The Antigen and Forefront Server (including the Stirling wave) product lines distribute the same version of the Norman engine; however, the recommended server specifications for the Forefront Server products typically result in more memory being available on a server, so fewer Forefront Server customers reported issues.


The timing of the increased memory utilization by the Norman engine coincides with the release of the Norman engine version 5.93.6, which was made available for customers to download on Tuesday, February 24, 2009 in update package 0902240003.


The Norman 5.93.6 engine release incorporated performance improvements meant to reduce the time it takes for the Norman engine to initialize and load. The current, released versions of the Forefront Server and Antigen products trigger an engine unload and reload every time a signature update for an engine occurs, so a shorter engine load time means the engine is back online and scanning sooner.


The root cause of the issue in the Norman 5.93.6 engine has been identified. Part of the intended performance improvements in Norman 5.93.6 was a change to keep in memory the signature definition information that was previously written to disk. The result was an average increase of about 50 MB of memory usage each time the Norman engine loaded. Each scan job running within Antigen (and Forefront Server) loads an instance of an enabled engine, so the cumulative result for an Antigen deployment with four Realtime scan jobs would be an additional ~200 MB of memory allocated by the Norman engine on the server.




The Norman release posted on February 24, 2009, which contained the Norman 5.93.6 engine with the increased memory usage, was rolled back on Thursday, February 26 to the Norman engine version originally posted on February 13, 2009. The rollback happens automatically through our Rapid Update system. If you have downloaded a Norman update package with a version of 0902260005 or greater, then you have replaced the version of the Norman engine that requires higher amounts of memory with one that had been successfully deployed to customers previously. If you have downloaded the roll-back package, the version properties of the Nse_W32.dll file that is part of the Norman engine should display a version number of 5.93.1.
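
One way to run the Nse_W32.dll version check described above across a server, as an added example that is not part of the original post. The engine directory is passed as a parameter because the post does not give the install path, and the script assumes the file version may carry a fourth field (for example 5.93.1.0).

```powershell
# Added example: classify every Nse_W32.dll under an engine directory by file version.
param(
    # Placeholder: the post does not give the install path; pass your own.
    [Parameter(Mandatory = $true)]
    [string]$EngineRoot
)

$RolledBack = '5.93.1'   # version the post says the roll-back package displays
$Affected   = '5.93.6'   # engine version the post ties to the memory increase

function Get-NormanEngineState {
    param([string]$Version)
    # Assumption: the version resource may use commas or extra fields
    # ("5, 93, 1, 0" or "5.93.1.0"), so compare the first three components only.
    $parts = ($Version -replace ',', '.') -split '\.' | ForEach-Object { $_.Trim() }
    $short = ($parts | Select-Object -First 3) -join '.'
    if     ($short -eq $RolledBack) { 'RolledBack' }
    elseif ($short -eq $Affected)   { 'Affected' }
    else                            { 'Unknown' }
}

$dlls = Get-ChildItem -Path $EngineRoot -Filter 'Nse_W32.dll' -Recurse -ErrorAction SilentlyContinue
if (-not $dlls) {
    Write-Warning "No Nse_W32.dll found under $EngineRoot"
    exit 2
}

$report = foreach ($dll in $dlls) {
    $ver = $dll.VersionInfo.FileVersion
    New-Object PSObject -Property @{
        Path        = $dll.FullName
        FileVersion = $ver
        State       = Get-NormanEngineState $ver
    }
}

$report | Format-Table -AutoSize State, FileVersion, Path

# Exit 0 only when every copy found is the rolled-back engine.
if ($report | Where-Object { $_.State -ne 'RolledBack' }) { exit 1 }
exit 0
```

Any engine version other than the two named in this post, including a later fixed release, is reported as Unknown and should be reviewed by hand.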


The RRE team has worked with the Norman engineering team to identify a solution that will be incorporated into a new version of the Norman engine. Initial testing is underway at Microsoft to validate that the expected decrease in memory usage is available in the new Norman engine and that the improved Norman initialization times have been maintained. Once test results have been reviewed, we will update this blog with a description of the release and planned distribution dates to our customers through the Rapid Update distribution channel.


This issue applies to:


Antigen for Exchange, Antigen for SharePoint, Antigen for SMTP Gateways, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Security for Office Communications Server, and the Forefront Security for Exchange and Forefront Security for SharePoint product versions that are part of the Stirling wave release.


Molly Gilmore

Program Manager

Forefront Server Security