Scan Engine Bias Setting

Hi. My name is Noreen Lynch, and I am a Dev Lead on the Forefront Server Security team. I’ve been working on our Forefront security product (formerly Antigen) for almost 7 years. Our team is located on Long Island, in New York. The best part of my job is the chance to work with an amazing group of people. We have a great team here that has worked together through many challenges and has consistently delivered a great product.

But enough about our team, what I really want to talk about is how our bias setting works within our multiple scan engine architecture. By default, each scan job within Forefront Server Security will be configured to scan with 5 scan engines, with a bias setting of “Favor Certainty”. But what does that mean – what exactly is the “bias”?

In a nutshell, the bias decides how many engines will be used to scan each file. The calculation takes into account both the bias selected in the Forefront Administrator and how many engines are selected for that scan job. The bias range in the Administrator runs from Maximum Certainty to Maximum Performance. Maximum Certainty uses every engine selected for the scan job on every scan. This gives the slowest performance, but the highest degree of certainty that a virus will be caught. At the other end of the spectrum, Maximum Performance scans each item with only one of the selected engines. This gives the fastest performance, but the least certainty. The Neutral setting sits in the middle, scanning each item with at least half of the selected engines; it provides better performance than Maximum Certainty, but less certainty.

So, what is the difference between Maximum Certainty and Favor Certainty? With Maximum Certainty, EVERY engine selected in the client is used for EVERY scan. If one of those engines is currently being updated, all scans wait for that update to complete. In most cases the wait is minimal (it covers only a small portion of the entire update process, not the time to download the new engine), but mail will queue until the update completes. With Favor Certainty, every available engine selected in the Administrator is used for every scan, but if an engine is being updated when a scan request is made, the scan is done with all of the remaining engines. Only one engine can be updated at a time, so all but that one engine will be used for the scan, and mail will not queue. Favor Certainty is our default (and recommended) setting.
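To make the two paragraphs above concrete, here is an added example (my own illustration, not Forefront code) that models how the bias setting and an in-progress engine update decide which engines scan an item, and why Maximum Certainty queues mail while Favor Certainty does not. The `ScanJob` class, the `EngineUpdating` exception, the engine names and the reading of Neutral's "at least half" as ceil(n/2) are assumptions of this model; Favor Performance is left out because the page does not define its engine count, and engines are taken in list order rather than by the product's performance ranking.

```python
# Added example, not Forefront code: a model of bias-driven engine selection.
# Assumptions: class and exception names, constructed engine names, Neutral = ceil(n/2),
# engines picked in list order (the real product ranks them; that ranking is not modelled).
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAXIMUM_CERTAINTY = "Maximum Certainty"
FAVOR_CERTAINTY = "Favor Certainty"
NEUTRAL = "Neutral"
MAXIMUM_PERFORMANCE = "Maximum Performance"

# Constructed sample: five engines selected for a scan job.
ENGINES = ["EngineA", "EngineB", "EngineC", "EngineD", "EngineE"]


class EngineUpdating(Exception):
    """Raised when a Maximum Certainty scan must wait for an engine update to finish."""


@dataclass
class ScanJob:
    bias: str
    engines: List[str]                 # engines selected for this scan job
    updating: Optional[str] = None     # only one engine can be updating at a time

    def engines_to_use(self) -> List[str]:
        """Return the engines that will scan the next item under this job's bias."""
        available = [e for e in self.engines if e != self.updating]
        if self.bias == MAXIMUM_CERTAINTY:
            # Every selected engine, every scan: wait if one is mid-update.
            if self.updating in self.engines:
                raise EngineUpdating(f"{self.updating} is being updated; scan must wait")
            return list(self.engines)
        if self.bias == FAVOR_CERTAINTY:
            # Every *available* engine: the updating one is simply skipped.
            return available
        if self.bias == NEUTRAL:
            # At least half of the selected engines (assumption: ceil(n/2)).
            return available[: math.ceil(len(self.engines) / 2)]
        if self.bias == MAXIMUM_PERFORMANCE:
            # Exactly one engine per item.
            return available[:1]
        raise ValueError(f"unknown bias: {self.bias}")


def scan_mail(job: ScanJob, messages: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Scan each message; return (scanned, queued).

    scanned maps a message to the engines that scanned it; queued lists messages
    that had to wait for an engine update (only happens under Maximum Certainty).
    """
    scanned: Dict[str, List[str]] = {}
    queued: List[str] = []
    for msg in messages:
        try:
            scanned[msg] = job.engines_to_use()
        except EngineUpdating:
            queued.append(msg)
    return scanned, queued


if __name__ == "__main__":
    mail = ["msg1", "msg2"]
    waiting = ScanJob(MAXIMUM_CERTAINTY, ENGINES, updating="EngineC")
    print("Maximum Certainty during update:", scan_mail(waiting, mail))
    skipping = ScanJob(FAVOR_CERTAINTY, ENGINES, updating="EngineC")
    print("Favor Certainty during update:", scan_mail(skipping, mail))
```

Running it with `EngineC` mid-update shows the difference the post describes: the Maximum Certainty job returns both messages in the queued list, while the Favor Certainty job scans both immediately with the four remaining engines.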

Some creative things can be done with the engine settings within an organization. If an administrator feels that scanning with 5 engines on a single server is too taxing, but still wants to ensure maximum certainty, the load can be spread across multiple servers. If, for example, all incoming mail goes through an Edge server, and then a Hub server, the Edge server could be configured to scan with 3 scan engines with a bias of Maximum Certainty, and the Hub server could be configured to scan with a different set of engines, also with a bias of Maximum Certainty.

To allow mail to be scanned at each hop, the configuration option “Optimize for Performance by Not Rescanning Messages Already Virus Scanned - Transport” needs to be turned off in General Options; this disables the “Transport Stamp” feature. Each incoming mail is then scanned by all selected engines, but the scanning is split across two different servers.

The scanning load can also be shared if there are two servers in the organization, a Gateway/Hub and a Mailbox server. A hidden option exists that allows the Transport Stamp to be ignored at the Mailbox server. The hidden registry key, “DisableAVStamping” can be enabled to force messages scanned in transport to also be scanned at the Mailbox. This key needs to be added as a DWORD key under Forefront Server Security\Exchange Server (contact your PSS representative if you need help adding this key). Then, a certain set of engines can be enabled at the Gateway/Hub server and a different set at the Mailbox server. Again, this will allow all messages to be scanned by all selected engines.
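The two multi-server layouts above both depend on what each hop does when a message already carries a Transport Stamp. The following added example (my own model, not Forefront code) walks a message through a path of hops and reports which engines actually scanned it, so an administrator can check that a split engine selection still covers every selected engine. The `Hop` class, its two boolean switches (`rescan_in_transport` standing for the General Options setting being turned off, `disable_av_stamping` for the registry key being set), the engine names and the simplification that any scan sets the stamp are assumptions of this illustration.

```python
# Added example, not Forefront code: a model of the Transport Stamp across mail hops.
# Assumptions: Hop class and switch names, constructed engine names, and the
# simplification that any scan stamps the message for the hops that follow.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Hop:
    """One server on the mail path with its own scan-engine selection."""
    name: str
    role: str                            # "transport" (Edge/Hub) or "mailbox"
    engines: List[str]
    rescan_in_transport: bool = False    # True once "Optimize for Performance by Not
                                         # Rescanning ... - Transport" is turned off
    disable_av_stamping: bool = False    # True once DisableAVStamping is set (Mailbox)

    def will_scan(self, stamped: bool) -> bool:
        """Decide whether this hop scans a message that may already be stamped."""
        if not stamped:
            return True                  # the first hop always scans
        if self.role == "transport":
            return self.rescan_in_transport
        return self.disable_av_stamping  # Mailbox honours the stamp unless the key is set


def route(hops: List[Hop]) -> Dict[str, List[str]]:
    """Walk one message through the hops; map each hop name to the engines that scanned it."""
    stamped = False
    scanned_by: Dict[str, List[str]] = {}
    for hop in hops:
        if hop.will_scan(stamped):
            scanned_by[hop.name] = list(hop.engines)
            stamped = True               # model: a scan stamps the message
        else:
            scanned_by[hop.name] = []    # skipped because of the Transport Stamp
    return scanned_by


def engines_covering(hops: List[Hop]) -> Set[str]:
    """Engines that actually scanned the message somewhere on the path."""
    return {e for engines in route(hops).values() for e in engines}


def covers_all_selected(hops: List[Hop]) -> bool:
    """True when every engine selected on any hop got to scan the message."""
    selected = {e for hop in hops for e in hop.engines}
    return engines_covering(hops) == selected


if __name__ == "__main__":
    # Constructed sample: Edge with three engines, Hub with the other two.
    edge = Hop("Edge", "transport", ["EngineA", "EngineB", "EngineC"])
    hub_default = Hop("Hub", "transport", ["EngineD", "EngineE"])
    hub_rescan = Hop("Hub", "transport", ["EngineD", "EngineE"], rescan_in_transport=True)
    print("stamp honoured:", route([edge, hub_default]), covers_all_selected([edge, hub_default]))
    print("rescan at Hub:", route([edge, hub_rescan]), covers_all_selected([edge, hub_rescan]))
```

With the default settings the Hub's two engines never see the message, so `covers_all_selected` is false; turning the rescan option off (or, for a Mailbox server, setting the key) makes the second hop scan and brings coverage back to all five selected engines.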

I’ve simplified our bias calculation since I recommend the Favor Certainty setting. But for the Neutral, Favor Performance, and Maximum Performance settings, a nifty algorithm is used under the covers to determine which engine(s) to scan with. The calculation, based on mailflow within your environment, ranks each engine based on its past performance and its age. This information allows Forefront to weight each engine so that better performing engines are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and statistically best performing engines have more influence in the scanning process.

More information on this topic can be found in our Forefront User’s Guide.

Noreen Lynch

Forefront Server Security Dev Lead