Forefront Support for Multiple Scan Engines (Multiple Engine Management)

As detailed in other articles, Forefront Security for SharePoint does not confine you to a single vendor's scanning engine. It can combine the functionality of scan engines from multiple vendors to examine your content repositories, leveraging as much intelligence as possible. This is a rather powerful option, since one vendor will often have routines that catch specific viruses and virus strains, whereas others might not have that capability or are not currently configured for those detection routines. Most network administrators have encountered this: while one virus lab (vendor) is focusing on building routines for a newly released virus, another is focusing on a different strain. The virus industry is indeed a lucrative one, and implementing detection routines for every virus is a difficult task. By implementing the routines from multiple scan engines, you are assured that you are scanning for all viruses that might be a threat to your environment, not just those for which a specific vendor has released routines.

This architecture also allows different types of scanning mechanisms, such as heuristic or signature-based scanning, to be implemented in one environment through one entity. This type of combination allows you to ensure that your content repositories are receiving the best type of antivirus protection. The most cost-effective aspect is that you don't have to buy a new antivirus package for your corporation; you can use your existing AV vendor, aggregating it into your Forefront for SharePoint scanning architecture. If you desire an enhanced level of protection, you can purchase a license for other engines and easily combine them with your current scanning engines.

The most efficient approach is to use the logs discussed in other articles to determine the validity and capability of your current engines, and then make substitutions or enhancements to reach optimal efficiency and detection metrics.

Using the Forefront Security for SharePoint Multiple Engine Manager (MEM) and Bias Settings

To set up multiple scanning engines from various AV vendors (i.e. MEM), there is one major item that has to be configured: the Bias settings. The Bias settings within Forefront Security for SharePoint are the parent control that sets the number of engines you implement in relation to performance. The larger the number of engines running within Forefront Security for SharePoint, the more performance will suffer, since each running engine carries a performance cost. There are two extremes: one uses a minimum number of engines for maximum Forefront Security for SharePoint performance, and the other uses the maximum number of engines with the bare minimum of Forefront Security for SharePoint performance. If one engine detects a likely infected file, that file is dealt with, and the other engines aren't tripped. If, however, five engines are implemented, then each engine in turn checks that the file is not infected, until one engine flags the file as infected. It is a serial process: one engine trips after another. It is pretty simple to depict:

I have one engine (performance light)

I have balanced engine deployment (performance average)

I have multiple engine deployment (performance heavy)

The SharePoint or network administrator will have to determine which option is performance efficient while still conforming to the corporate antivirus policy. You can use rudimentary calculus (since it is the mathematics of change, and the most relevant to virus detection since it is a dynamic field) to build a graphical metrics representation of your attack versus counter-attack measures and tailor your framework accordingly.

Using the Forefront Security for SharePoint Bias Settings

Using the Bias configuration is a rather straightforward process. To get into the Forefront Security for SharePoint Bias (somewhat interesting since it resembles BIOS) module, launch the FSSP client, which will drop you first into the settings pane. From there, select the Anti-Virus option, which will drop you into the antivirus dialog. You will see a small drop-down box containing the Bias settings, which allows you to set the performance and certainty factors. Based on your corporate antivirus policy, you can set the certainty factor that is mandated by your corporate security personnel, which clearly relates to your AV scanning engine options. The neatest feature of the MEM is the built-in intelligence that allows it to prioritize engines, based on several factors. It isn't exactly at the tier of functional AI, but it sets baseline extremes and can make intelligent decisions from those metrics. It isn't in the realm of fuzzy logic or other AI mechanisms (which would allow the definition of a grey area between the black and white arenas, and make palpable decisions accordingly); however, this may be built into the next version of Forefront Security for SharePoint.

Factors that affect the MEM

Performance of the Engine: based on past performance metrics, how fast (at scanning) was this engine in relation to the other AV scan engines currently assimilated into Forefront Security for SharePoint within the environment?

Last Updates and Age of Engine: how current are the algorithms that this engine implements? (How often will it pick up newly infected files based on acquired definition files?)

Why Build Intelligence Into the MEM?

The reason that Forefront Security for SharePoint has these intelligence options built into its engine is that they allow performance to be tuned, without arduous manual configuration, so that the most important engines (meaning those that are current with updates and considerably speedy) run first, since they are the most likely to pick up infected files the quickest and with the most accuracy. This is without a doubt the nicest characteristic of the Forefront Security for SharePoint framework: although you may have multiple engines in use through the MEM option, and although one vendor may update frequently, another engine that updates more frequently and is quicker performance-wise will be the first engine to detect and pick up infected files.
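The serial scanning and engine prioritization described above can be sketched as a small simulation. This is an added example, not Forefront code: the engine names, the `SAMPLE-*` markers, the scoring formula and the `engine_count` parameter (standing in for the Bias setting) are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Engine:
    name: str                        # hypothetical engine name
    avg_scan_ms: float               # past performance metric (lower is faster)
    definition_age_days: float       # days since the last engine/definition update
    detects: Callable[[bytes], bool]

def rank_engines(engines: List[Engine]) -> List[Engine]:
    """Order engines so that fast, recently updated ones run first.
    The scoring formula is an assumption made for this illustration."""
    def score(e: Engine) -> float:
        freshness = max(0.0, 1 - e.definition_age_days / 30)
        speed = max(0.0, 1 - e.avg_scan_ms / 1000)
        return freshness + speed
    return sorted(engines, key=score, reverse=True)

def scan(data: bytes, engines: List[Engine],
         engine_count: int) -> Tuple[Optional[str], List[str]]:
    """Serial scan: run the top `engine_count` engines one after another and
    stop at the first detection. Returns (detecting engine, engines run)."""
    ran: List[str] = []
    for engine in rank_engines(engines)[:engine_count]:
        ran.append(engine.name)
        if engine.detects(data):
            return engine.name, ran
    return None, ran

def marker(*patterns: bytes) -> Callable[[bytes], bool]:
    """Toy 'signature' check: flags data containing any constructed marker."""
    return lambda data: any(p in data for p in patterns)

# Constructed sample engines and markers; none of this is real product data.
ENGINES = [
    Engine("EngineA", 400, 10, marker(b"SAMPLE-1")),
    Engine("EngineB", 100, 1, marker(b"SAMPLE-2")),
    Engine("EngineC", 250, 3, marker(b"SAMPLE-1", b"SAMPLE-2")),
]

if __name__ == "__main__":
    for count in (1, 3):
        for doc in (b"SAMPLE-2 doc", b"SAMPLE-1 doc", b"clean doc"):
            print(count, doc, scan(doc, ENGINES, count))
```

With one engine, the `SAMPLE-1` document passes undetected; with three, it is caught by the second engine in the chain. A clean document always runs every configured engine, so clean content is where the performance cost of a large engine count shows up.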