Maximizing scan engine performance


Applies to: Forefront Protection for Exchange

Microsoft Forefront Protection 2010 for Exchange Server (FPE) provides you with the ability to employ multiple scan engines (up to five) to detect and perform actions upon malware in your Microsoft Exchange environment.

To maximize engine performance, you can customize the number of scan engines used for each scan. You have the option of selecting one or more scan engines for a scan as well as configuring the performance settings for the engines. Using a redistribution server to distribute scheduled updates also enhances server performance.

About multiple engines

Multiple engines provide extra protection so you can draw upon the expertise of various malware labs to keep your environments malware-free. Malware may slip past one engine, but it is unlikely to get past three or more.

Using multiple engines also permits a variety of scanning methods to be used to protect your environment. FPE integrates scan engines that use heuristic scanning methods with engines that use definitions to provide comprehensive malware protection. For more information about individual scan engines, visit each engine vendor's Web site. Links are provided at Microsoft Help and Support.

Configuring engines

It is easy to configure multiple scan engines. For the best balance of protection and performance, it is recommended to retain the default setting of using all available engines. FPE automatically updates and uses all configured engines based on the default Engines and Performance setting of scanning with all available engines.

However, if you so choose, you can manually disable one or more scan engines for each scan job (transport, realtime, scheduled, and on-demand). For more information about how to do this, see Selecting the scan engines used for each scan.

After selecting the number of engines you want to use for a scan job, you can then use the Engines and Performance setting for each scan job to further fine tune your antimalware scanning configuration to best fit the needs of your organization. For more information about this setting and how it can affect how multiple scan engines are used, see Configuring the number of scan engines used for each scan.

These configuration settings enable the FPE Multiple Engine Manager (MEM) to properly control the selected engines during a scan. MEM uses the engine results to decide the likelihood that a particular message or file contains malware. If any of the engines used in a scan detect malware, FPE considers the item infected and implements the configured antimalware action (for details, see Configuring the action when malware is detected).

Server performance can also be enhanced by using different engines for the transport scan job on multiple servers. If scanning with 5 engines on a single server is too taxing but you still want the best protection, the load can be spread across multiple servers. If, for example, all incoming mail is first sent through an Edge Transport server and then through a Hub server, the Edge Transport server can be configured to scan with 3 scan engines with an Engines and Performance setting of Scan with all engines. The Hub server can be configured to scan with a different set of engines, also with an Engines and Performance setting of Scan with all engines.

For this strategy to work properly, the configuration option Optimize for performance by not rescanning messages already virus scanned must be disabled in the Antimalware – Hub Transport (or Antimalware – Edge Transport, depending on the Exchange role) pane. Disabling it turns off the Exchange antivirus stamp feature so that mail is scanned at each hop, which ensures that each incoming message is scanned by all selected engines on each server. If the option is left enabled, the antivirus stamp is honored by the next server and previously scanned messages are not rescanned, so the second server's engines never examine them.
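As an added illustration of the two-hop strategy described above (example code, not FPE's own), the following model combines the MEM rule (any engine detection means the item is infected) with the Exchange antivirus stamp. Engine names, the signature sets and the sample messages are constructed; the model shows why the rescan optimization must be disabled: when the stamp is honored, the Hub server's engines never see a message the Edge server already stamped.

```python
"""Model of FPE's any-engine verdict across an Edge -> Hub route.
Constructed example: engine names and 'signatures' are not real data."""
from dataclasses import dataclass

# Constructed: which sample signatures each engine is able to detect.
ENGINE_SIGNATURES = {
    "EngineA": {"sig-1", "sig-2"},
    "EngineB": {"sig-2", "sig-3"},
    "EngineC": {"sig-3"},
    "EngineD": {"sig-4"},
    "EngineE": {"sig-4", "sig-5"},
}

# Edge scans with three engines, Hub with a different pair (the page's split).
ROUTE = [
    {"name": "Edge", "engines": ["EngineA", "EngineB", "EngineC"]},
    {"name": "Hub", "engines": ["EngineD", "EngineE"]},
]


@dataclass
class Message:
    subject: str
    signatures: set          # constructed marker of the malware it carries
    av_stamped: bool = False  # set by the first server that scans it


def mem_verdict(engines, message):
    """MEM rule: the item is infected if ANY selected engine detects malware.
    Returns (infected, list of engines that detected it)."""
    hits = [e for e in engines if ENGINE_SIGNATURES[e] & message.signatures]
    return bool(hits), hits


def scan_hop(server, message, rescan_stamped):
    """One server hop. rescan_stamped=False models the 'Optimize for
    performance by not rescanning messages already virus scanned' option
    being ENABLED: a stamped message is passed through without scanning."""
    if message.av_stamped and not rescan_stamped:
        return False, []
    infected, hits = mem_verdict(server["engines"], message)
    message.av_stamped = True   # the antivirus stamp is applied after scanning
    return infected, hits


def deliver(message, rescan_stamped):
    """Run the message through Edge then Hub; return every engine that
    flagged it along the route (empty set means it was never detected)."""
    flagged = set()
    for server in ROUTE:
        _, hits = scan_hop(server, message, rescan_stamped)
        flagged.update(hits)
    return flagged
```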

Scheduling engine updates using a redistribution server

There are two approaches to engine updates and each affects overall server performance.

Engine updates can be downloaded directly from the Microsoft HTTP server to each receiving server. However, this consumes the bandwidth of every server that downloads updates, which affects performance.

Universal Naming Convention (UNC) updating using a redistribution server running FPE to distribute engine and definition updates can maximize server bandwidth because it reduces the number of servers accessing the Internet for updates. By leveraging UNC updating, servers can be easily updated without access to the Internet. This means that you do not have to open a port to the Internet for your Mailbox or Hub servers that otherwise do not need access.

Using UNC updating increases overall server performance because only the redistribution server connects to the HTTP server. Other FPE servers can then download the engine and definition updates from the redistribution server. This approach is preferred as it allows the other servers in the network to perform at full potential.

By default, on a redistribution server, FPE will save the two most recent engine update packages instead of the usual single engine package. FPE also downloads the full update package rather than performing an incremental update. The multiple engine packages enable the receiving servers to continue pulling updates from the redistribution server while a new update is being downloaded.

[Figure: UNC Updating with a Redistribution Server]

Tip

You can manage engine and definition updates on multiple FPE servers by using the Microsoft Forefront Protection Server Management Console (FPSMC). You can download FPSMC from the Microsoft Download Center at the following location: Microsoft Forefront Protection Server Management Console (FPSMC) 2010. Documentation that covers engine and definition updates with FPSMC can be found in the TechNet library at Signature Redistribution Jobs.

See Also

Concepts

Distributing updates by using UNC updating