Engine Definition Creep and its Effect on your Server

The latest “common” issue we have been experiencing with Microsoft Antigen 9.x is higher-than-normal memory utilization on servers that, for the most part, have been running without issues for years.

This issue did not appear overnight; it is the result of a gradual change. Some customers believe that this is a new issue, but hopefully this post can shed some light on the subject.

In the beginning, Antigen 5.5 was a single-engine scanning product. Its standout feature at the time was that it could use one engine for Realtime scanning and another engine for SMTP scanning.

Version 6.0 introduced our multiple engine manager, which allowed each file to be scanned by all 5 engines at the same time.

At the time 6.0 was released, we were able to package all 5 engines with the installer and keep the package size under 50MB, and our scan processes utilized no more than 75MB. In comparison, with the same engines (5 in 6.0 and 4 in 9.1 due to CA consolidation), our scan processes today will normally average 190-225MB per scan job.

So why the increase?

In the last few years we have seen an increase in malicious software (up over 400% from year 2007 to 2008), and this in turn has increased the size of virus definitions. A good example is the Norman engine. In 2005 the engine definition was 1.7MB. Four years later the engine definition has increased to 49MB (almost as large as the original 8.0 install package with 9 engines). This has translated into an increase in memory utilization, because the larger definitions are held by every scan process that uses the engine.

What’s the Solution?

The first step toward a solution is to take a look at your setup and determine whether it is configured optimally. By default, Antigen starts two scan processes per storage group and two SMTP scan jobs.

You should avoid using the SpamCure engine on back-end servers. The SpamCure engine can take up to 500MB alone due to its spam detection. A recommended environment would be a front-end SMTP server with Antigen for SMTP providing edge protection from viruses and spam, and a back-end Mailbox server without SpamCure.

Stagger your engines for maximum performance/protection. On a server with 4 storage groups, running Norman only on the SMTP scan will return 800MB of memory to the system.

Reduce the number of engines at any one location. You can improve performance and still have the unmatched protection that multiple scan engines provide by setting each scan location to 3-5 engines. If you have a front-end SMTP server, you can enable all the engines on that server and then stagger the 5-9 engines across your back-end SMTP and Mailbox scanners. This way you would have overlapping/layered protection and an increase in available memory.