Gentlemen, Start Your Engines

So... over the last couple of days, I have had the need to scan 1.2 Terabytes of data for viruses and malware, using as many different engines as possible.

Don't ask...

This should be a snap! I thought... Microsoft makes an Antivirus that can simultaneously scan using 5 engines at the same time!  I'll just load up ForeFront Client Security and go to town.

Except... I spent 20 minutes on the site and could not find ANY mention of the different engines included with ForeFront Client Security.   <Arggh!>

Fortunately, I work for a company in Redmond that has something to do with the Forefront products... I fired off an email to the ForeFront team, and learned that ForeFront Client Security comes with ONE engine... the Microsoft Engine.  It is actually the other products in the ForeFront suite that include the multiple engines (which are, BTW: AhnLab, Authentium, CA, Kaspersky Labs, Norman Data Defense, Microsoft, Sophos, and VirusBuster).  Why is it that ForeFront Client Security has only one engine? In response to that question, I received the following:

A key reason why we (and other vendors) don’t incorporate multiple engines into client security products is that each AV engine tries to hook into the kernel for real-time scanning. Having multiple engines accessing the kernel simultaneously would slow down machine performance. With e-mail, there isn’t the issue of hooking into the kernel (as it’s scanning e-mail) – also, any latency (which is very minimal in Forefront for Exchange/SharePoint) from the scanning of e-mail by multiple products isn’t noticeable by end-users (whereas any slowdown in PC performance would be very noticeable).

Makes sense.

So how did I work around the problem? I installed Windows SharePoint Services 3.0 and the 120-day trial of ForeFront Security for SharePoint. I created a Document Library and copied my data into it, where it was scanned by 5 AV engines at once.

And how did everything turn out?  Just fine, until someone accidentally kicked a drive loose from the RAID 0 array.  Apparently you aren't supposed to set a rack-mount server on the floor, without a faceplate, in a high-traffic room. 

<sigh...>