SharePoint Multiple scan engines

 

Applies to: Forefront Security for SharePoint

With Forefront Security for SharePoint, you have the ability to employ multiple scan engines (up to five) to detect and clean viruses.

Multiple engines provide extra security by allowing you to draw upon the expertise of various virus labs to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three.

Multiple engines also allow for a variety of scanning methods. Forefront Security for SharePoint integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor’s Web site. Links are provided at Microsoft Help and Support.

All the scan engines that FSSP integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You can select only the engines you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings work pane) enable the Forefront Security for SharePoint Multiple Engine Manager (MEM) to properly control the selected engines during the scan job.

MEM uses the engine results to decide the likelihood that a particular file contains a virus. If any of the engines used in a scan detect something, FSSP considers the item infected and has MEM deal with it accordingly. (For more information, see Cleaning Infected Files.)

About engine rankings

MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information enables MEM to weight each engine so that better-performing ones are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process.

If two or more engines are equally ranked, FSSP invokes them by cycling through various engine order permutations.

Setting the bias

The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance.

Thus, at one extreme is the number of engines to use for maximum security. The other extreme is the number of engines that enable maximum performance. In between is the number of engines that enable balanced (called “neutral”) performance.

You can have a different bias setting for different scan jobs, depending on your needs. For example, you might want to run a quick scan with a different setting than the Realtime Scan Job.

Note

The bias setting only applies to virus scanning. It is not used in file filtering.

About bias settings

There are several possible bias settings. Each scan (other than one with a bias setting of Favor Certainty or Maximum Certainty) independently selects the engines to use.

Maximum Performance

Scans each item with only one of the selected engines. This gives the fastest performance, but the least security.

Favor Performance

Fluctuates between scanning each item with one of the selected engines and half of them.

Neutral

Scans each item with at least half of the selected engines. This setting balances security and performance.

Favor Certainty

Scans each item with all available selected engines. If an engine is not available because it is being updated, Forefront continues to scan with all of the remaining engines. Engines are returned to service when they become available again. This is the default value.

Maximum Certainty

Scans each item with all of the selected engines. If an engine is not available because it is being updated, files are queued until the engine is once again ready to scan them. This selection gives the slowest performance, but the greatest security.

Assuming you select five engines (the maximum you can use), the following table shows how each of the bias settings uses the engines in virus scanning.

Bias setting         Description
Maximum Performance  Each item is virus-scanned by only one of the selected engines.
Favor Performance    Fluctuates between virus scanning each item with one and three engines.
Neutral              Each item is virus-scanned by at least three engines.
Favor Certainty      Each item is scanned with all five engines unless one or more is unavailable.
Maximum Certainty    Each item is virus-scanned by all five of the selected engines.

Configuring the bias setting

The bias setting is indicated on the Antivirus Settings work pane.

To indicate the bias setting

  1. In the SETTINGS section of the Shuttle Navigator, select Antivirus. The Antivirus Settings work pane appears.

  2. From the Job List in the top pane of the work pane, select a scan job.

  3. In the Bias field in the lower pane, indicate the bias setting. (The values are those discussed in About bias settings.) To find out more about the other fields on the Antivirus Settings work pane, see SharePoint Manual Scan Job and SharePoint Realtime Scan Job.

  4. Click Save to save your choices.

Cleaning infected files

The first engine that detects an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detect the infection fail to clean it, the item is deleted.
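The following added example (an illustrative model, not FSSP code or its API) works through the rules in About bias settings and Cleaning infected files: how many engines scan an item under each bias, what happens while an engine is being updated, and how a detection leads to a clean or a delete. The function names, the placeholder engine names, and the capping of the Performance and Neutral counts by engine availability are assumptions.

```python
import math
from enum import Enum

class Bias(Enum):
    MAX_PERFORMANCE = "Maximum Performance"
    FAVOR_PERFORMANCE = "Favor Performance"
    NEUTRAL = "Neutral"
    FAVOR_CERTAINTY = "Favor Certainty"   # documented default
    MAX_CERTAINTY = "Maximum Certainty"

def engines_per_item(bias, selected, available):
    """Return (min_engines, max_engines, queued) for one item.

    selected  = engines chosen for the scan job (1 to 5)
    available = selected engines not currently being updated
    """
    if not 1 <= selected <= 5 or not 1 <= available <= selected:
        raise ValueError("need 1 <= available <= selected <= 5")
    if bias is Bias.MAX_CERTAINTY:
        # Every selected engine must scan; otherwise the file waits in a queue.
        if available < selected:
            return (0, 0, True)
        return (selected, selected, False)
    if bias is Bias.FAVOR_CERTAINTY:
        # All engines that are up; scanning continues without the updating ones.
        return (available, available, False)
    # "Half" rounds up: the page's table gives three for five selected engines.
    # Assumption: for the remaining biases the counts are capped by availability.
    half = min(math.ceil(selected / 2), available)
    if bias is Bias.MAX_PERFORMANCE:
        return (1, 1, False)
    if bias is Bias.FAVOR_PERFORMANCE:
        return (1, half, False)
    return (half, available, False)  # Bias.NEUTRAL

def handle_item(results, can_clean):
    """results: ordered (engine, detected) pairs; can_clean: engines whose clean succeeds."""
    detectors = [engine for engine, detected in results if detected]
    if not detectors:
        return "clean"
    for engine in detectors:          # first detector tries, then the next in line
        if engine in can_clean:
            return f"cleaned by {engine}"
    return "deleted"                  # every detecting engine failed to clean

if __name__ == "__main__":
    for bias in Bias:
        print(f"{bias.value:20} {engines_per_item(bias, 5, 4)}")
    # Constructed results: engine names are placeholders, not real products.
    scan = [("engine_a", False), ("engine_b", True), ("engine_c", True)]
    print(handle_item(scan, can_clean={"engine_c"}))
```

With one of five engines updating, the model shows the operational difference between the two certainty settings: Favor Certainty keeps scanning with four engines, while Maximum Certainty holds files in the queue.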