Viruses present a very real threat to an organization’s productivity and business operations. According to the 2005 CSI/FBI Crime and Security Survey, virus attacks continue to be the single largest source of IT-related financial losses for companies, with an average per-company loss of between U.S. $203,606 and $526,010 per year.
Although more companies are taking a defensive approach to virus protection, malicious code is becoming more advanced every day, and is still able to penetrate antivirus and firewall solutions. In large part, the success of these viruses is linked to a weakness in protection strategies that rely on a single scanning engine to evaluate incoming files. By using a multiple scanning engine strategy at different layers throughout the e-mail infrastructure, organizations can lower the risk of infection.
The purpose of this white paper is to describe the benefits of multiple scan engines for virus protection using solutions from Sybari®, a Microsoft® subsidiary. Sybari Antigen® is a multiple scanning engine solution that manages the detection and performance of up to eight different scanning engines in a single product, providing a greater level of defense against today’s malware.
New viruses, worms, and blended threats are increasing in sophistication, speed, and frequency as virus writers continually evolve their code to keep up with new virus detection methods. In 2004, 78 percent of businesses experienced virus infections, even though 98 percent of them had antivirus protection installed. (From 2005 CSI/FBI Crime and Security Survey)
One factor that often contributes to these infections is a reliance on products that use a single antivirus scan engine to provide protection for all of the clients, servers, and perimeter devices throughout the IT infrastructure. If this single point of detection fails to identify a new threat or is targeted by the virus directly, the organization may become susceptible to malware. The solution for this vulnerability is to provide a layered approach in which different scan engines are implemented throughout the IT environment – including the gateway, SMTP connectors, messaging servers, and desktops. Using a series of highly rated antivirus engines operating simultaneously will dramatically reduce the chances of virus infection.
However, managing multiple scan engines through separate antivirus products can not only be administratively intensive, it can also require the management of multiple vendors and additional licensing costs. The solution is to use a single product that offers the benefits of a layered approach, while consolidating administrative requirements and costs. Sybari Antigen allows organizations to use up to eight different scan engines to help detect and clean viruses before they can wreak havoc on business operations.
The problems with a single-engine approach originate from having only one system in place to identify threats – no engine is immune to vulnerability. Although the signature files used by an engine to identify viruses are generally updated several times a day, they are often released after a new virus has already hit and damage has been done. Even if an engine is 99.9 percent effective, it only takes one infection to cost an organization hundreds of thousands of dollars in lost productivity and downtime.
Furthermore, end-users relying on a desktop antivirus solution may not be able to update virus signatures as frequently as needed. These products may not update daily because of bandwidth issues, or because users do not realize the importance of regular updates. Whatever the case, the fact is that fewer than half of desktop antivirus solution users have the latest virus definitions, leaving them vulnerable to new virus outbreaks.
According to IDC, an integrated, layered approach in which multiple scanning engines are used is the most effective protection against the variety and scope of known and unknown malware. There are a number of benefits to using multiple scanning engines, such as the ability to take advantage of the best technologies and reduce the risk of exposure. (IDC, "Layered Antivirus Products Offer Greater Protection Against Blended Threats")
Because viruses and other malware are evolving so quickly, the antivirus industry is always developing new technologies and solutions to proactively stop and mitigate any particular outbreak. And although those solutions can be very effective, every virus lab and scan engine is different. When it comes to protecting an organization against viruses, there is no single best engine; each one has its strengths and weaknesses.
Antivirus products often use a mix of technologies to detect and thwart viruses. When these products are combined into a multiple engine approach, enterprises can obtain better protection. Some common technologies include the following:
• Signature Files. After a virus is released, an antivirus lab creates a signature file that details specific information about the virus. Then, if a virus that matches the characteristics of the existing signature file enters an IT system, the incoming file is flagged and the appropriate actions taken. Signature files are created in response to a virus outbreak.
• Heuristics. Heuristics are used to find viruses and threats that have not yet had signature files developed for them. They look at many different characteristics of a file, from size and architecture to code behaviors, seeking to stop viruses before they run. These characteristics are then tallied and scored; if the score exceeds a certain number, the file is flagged as a virus. Heuristics also can detect and catch metamorphic viruses, which are viruses that mutate, and are therefore difficult to write signature files for.
• Sandboxing. With sandboxing, suspicious code is isolated and executed in a virtual machine, a system that is isolated from the rest of the IT infrastructure. By allowing code to run in a protected environment, it can be determined whether the code is malicious or not.
• Phishing detection. Phishing attacks occur when users receive e-mail from fraudulent senders pretending to be someone they’re not, often a bank or other trusted organization or service. The message may include a link and usually tries to get the reader to enter financial information, which is then used for fraud. Many antivirus solutions contain a phishing detection component.
In every virus attack, there is a time delay between the outbreak of a new virus in the wild and the release of signatures created to combat and thwart the threat. The faster a signature file is released, the lower the chance of infection. Companies using only a single engine may be more prone to infection if their product’s particular antivirus lab is delayed in creating or distributing a signature file.
According to a test performed by an independent organization and published by Datamation in 2004, antivirus labs produce updates for virus and worm outbreaks at different time intervals. For example, one lab may produce an update for one virus within six hours—yet take 12 hours to update files for another. This may not reflect the quality of work performed by the lab; rather, it reflects the lab’s geographic location, its time zone, or other factors.
Using multiple scan engines can minimize these risks. If an organization has multiple threat labs working for their protection, the window of exposure for each virus outbreak is much smaller.
Sybari Antigen provides companies with the ability to implement a layered antivirus approach, using a single, centrally managed solution. By eliminating the need to evaluate different scan engines and manage different vendors, companies can save on costs, management time, and resources.
Although there are other antivirus vendors that offer multiple engine scanning solutions, Sybari offers a unique approach. Antigen delivers up to eight distinct scanning engines along with its Multiple Engine Manager (MEM), an integrated component which controls and manages all aspects of protection. The result is a fully integrated and centrally managed product that allows organizations to implement an effective antivirus strategy quickly, easily, and effectively.
One of the key values that Sybari provides is in evaluating antivirus engines from antivirus partners around the world. In this respect, Sybari has done all the work so its customers do not have to. Among the many antivirus engines currently in the marketplace, Antigen has selected eight based on a wide range of criteria. These criteria include:
• Technology. Every scan engine has its unique technology for detecting viruses, worms or other malware in the wild. Sybari provides a blend of different technologies so that enterprises gain the best combination of engines. The result is a more comprehensive antivirus engine management solution.
• Performance and ratings. Sybari has carefully evaluated the performance and ratings of all scan engines, ultimately choosing superior performing engines. Therefore, organizations are not required to do their own time-consuming research.
• Location. Sybari uses labs located around the world. This is an important—though often overlooked—consideration; scan engine labs in different time zones ensure that Antigen has the latest signature files in case of a virus outbreak and that signature files are updated at all times of the day and night. For instance, a virus that originates in Singapore will first be noticed in the wild in Asia. The rest of the world might not see the effects of the new virus for a few more hours. Therefore, an antivirus lab located in Asia will get access to the new virus before others and develop definition files before other antivirus labs in Europe or the United States.
Antigen’s Multiple Scan Engine Manager (MEM) is a powerful component that manages the antivirus scan engines for each scanning layer within Antigen. MEM is responsible for balancing performance, scanning intensity and for providing uninterrupted scanning uptime, even during signature file updates. In addition, to ensure that all scan engines remain current and effective, engine and signature file updates for each and every integrated scan engine are downloaded, tested and brought online as soon as they are available. If the downloaded file is found to be corrupt or has other problems, MEM rolls back to the previous version, and alerts the administrator so the problem can be corrected prior to installation and use.
Bias Settings
Bias settings within MEM give administrators the ability to manage the performance and protection of the multiple scan engines. They allow companies to control how engines are used for a given scan job and define different settings for SMTP and e-mail scanning. In this way, administrators have complete control in how the balance is struck between performance and virus scanning. These settings include the following:
• Max Certainty: After the administrator has selected the scan engines at each layer, choosing Max Certainty will set MEM to use every scan engine to scan each message and attachment concurrently. Even if one of the scan engines determines a file is infected with a virus, the remaining engines will continue to scan. This thorough scanning is essential for historical data analysis.
• Favor Certainty: Favor Certainty uses 75 percent of the available scanning engines, and allows MEM to choose the right combination of each. In a four-engine scenario, each message and attachment will be scanned by three scan engines, with the fourth invoked if further validation is required. The order of the first three engines depends on several factors, including which scan engine has the most recently updated signature files.
• Neutral: Neutral mode ensures that all messages and attachments are scanned by at least half the available engines. For instance, in a four-engine scenario, every message will be scanned by two scan engines, with the third invoked if further validation is required. This bias setting provides the optimal balance between performance and protection. In addition, the order and combination of engines employed is based on Antigen’s engine ranking algorithms.
• Favor Performance: Using Favor Performance, MEM scans messages with 25 percent of the available engines. In a four-engine scenario, every message will be scanned by one or two engines. This setting is recommended for the Exchange Information Store, where high performance is desired.
• Max Performance: With Max Performance, MEM is configured to use only one scan engine. To ensure maximum protection, the engine with the most recently updated signature files is always used.
The bias setting can be configured as needed. For instance, administrators can define one standard for back-end servers and another for front-end servers.
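The bias settings above translate directly into a small engine-selection rule. The following Python model is an added example, not Antigen or Sybari code: it takes the percentages the paper gives for each setting, orders the pool by signature freshness (the one ranking factor the paper names here) and, when the first-pass engines disagree, invokes one more engine for validation. The rounding rule, the "disagreement triggers validation" rule, and the engine names and verdicts are assumptions; the four-engine and eight-engine figures reproduce the ones in the text.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

# Share of the licensed engines each MEM bias setting runs on every message
# (figures from the white paper); Max Performance always uses exactly one engine.
BIAS_FRACTION = {
    "Max Certainty": 1.0,
    "Favor Certainty": 0.75,
    "Neutral": 0.5,
    "Favor Performance": 0.25,
    "Max Performance": None,
}


@dataclass
class Engine:
    name: str
    signatures_updated: datetime   # timestamp of this engine's latest signature file
    verdicts: dict                 # constructed: attachment name -> True if the engine flags it


def engine_count(bias: str, available: int) -> int:
    """Engines used on the first pass for a bias setting and a pool size.

    Rounding up is an assumption; it reproduces the paper's four-engine figures
    (3, 2 and 1) and the eight-engine figure of two for Favor Performance."""
    if available < 1:
        raise ValueError("no scan engines available")
    fraction = BIAS_FRACTION[bias]
    if fraction is None:
        return 1
    return max(1, math.ceil(fraction * available))


def order_engines(engines):
    """MEM orders engines by its ranking; the only ranking factor modelled here
    is signature freshness, so the most recently updated engine goes first."""
    return sorted(engines, key=lambda e: e.signatures_updated, reverse=True)


def scan(attachment: str, engines, bias: str):
    """Scan one attachment under a bias setting.

    Returns (verdict, engines_used, engines_that_flagged). A further engine is
    invoked for validation when the first-pass engines disagree (assumption: the
    paper only says 'if further validation is required'); Max Certainty runs
    every engine regardless of earlier results."""
    ordered = order_engines(engines)
    used = ordered[:engine_count(bias, len(ordered))]
    flagged = [e.name for e in used if e.verdicts.get(attachment, False)]
    disagreement = 0 < len(flagged) < len(used)
    if bias != "Max Certainty" and disagreement and len(ordered) > len(used):
        extra = ordered[len(used)]
        used = used + [extra]
        if extra.verdicts.get(attachment, False):
            flagged.append(extra.name)
    verdict = "infected" if flagged else "clean"
    return verdict, [e.name for e in used], flagged


# Constructed pool of four engines with different signature ages and verdicts.
_NOW = datetime(2005, 6, 1, 8, 0)
ENGINES = [
    Engine("EngineA", _NOW - timedelta(hours=1), {"invoice.exe": True}),
    Engine("EngineB", _NOW - timedelta(hours=3), {"invoice.exe": False}),
    Engine("EngineC", _NOW - timedelta(minutes=30), {"invoice.exe": True}),
    Engine("EngineD", _NOW - timedelta(hours=6), {"invoice.exe": True}),
]

if __name__ == "__main__":
    for bias in BIAS_FRACTION:
        print(f"{bias:18} -> {scan('invoice.exe', ENGINES, bias)}")
```

Running the sample shows the trade-off the settings encode: Max Performance scans with the freshest engine only, Neutral with two, Favor Certainty with three plus the fourth once the first three disagree, and Max Certainty with all four every time.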
Engine Rankings
MEM uses engine rankings to determine the order in which different scan engines are used. Engine rankings depend on a number of criteria, such as the number of signature files, an appropriate mix of technologies, and the engine’s “age,” which is determined by the last time its signature files were updated.
Engine rankings also rely heavily on past performance. For example, every time a particular engine detects a virus successfully, it is assigned a greater credibility. Similarly, if one engine keeps detecting viruses that are not found by other engines, it is accorded less credibility in order to reduce false positives. Using an algorithm that takes all of these factors into consideration, MEM gives better-performing engines priority during the scanning process. When a virus has been successfully detected, it is cleaned by the first engine that detected the virus. If that particular engine is unable to clean the file, the next engine in line is used.
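The ranking and clean-up rules in the two paragraphs above can be expressed as a short credibility model. This Python is an added example, not Antigen's algorithm: a detection confirmed by another engine raises an engine's credibility, a lone detection lowers it, the ranking sorts by credibility and then by signature freshness, and cleaning is attempted by the detecting engines in ranking order until one succeeds. The +1/-1 step sizes, the "confirmed by at least one other engine" rule, and the engine names and histories are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class RankedEngine:
    name: str
    signatures_updated: datetime
    credibility: int = 0
    can_clean: set = field(default_factory=set)  # constructed: infections this engine can repair


def record_detections(engines, flagged_by):
    """Adjust credibility after one scan job.

    flagged_by: names of the engines that reported the file infected. The paper
    gives only the direction of the adjustment; the +1/-1 steps and the
    'confirmed by at least one other engine' rule are assumptions."""
    confirmed = len(flagged_by) >= 2
    for e in engines:
        if e.name in flagged_by:
            e.credibility += 1 if confirmed else -1


def rank(engines, now):
    """Higher credibility first; ties go to the engine with fresher signatures."""
    return sorted(
        engines,
        key=lambda e: (-e.credibility, (now - e.signatures_updated).total_seconds()),
    )


def clean_with_fallback(engines, flagged_by, infection, now):
    """The first detecting engine (in ranking order) cleans; if it cannot, the
    next detecting engine in line is tried. Returns the cleaning engine's name,
    or None when no engine can repair the file (the configured action applies)."""
    for e in rank(engines, now):
        if e.name in flagged_by and infection in e.can_clean:
            return e.name
    return None


def demo():
    """Constructed scan history showing how credibility reorders the engines."""
    now = datetime(2005, 6, 1, 8, 0)
    engines = [
        RankedEngine("EngineA", now - timedelta(hours=1), can_clean={"Worm.Constructed"}),
        RankedEngine("EngineB", now - timedelta(hours=2), can_clean={"Trojan.Constructed"}),
        RankedEngine("EngineC", now - timedelta(minutes=30)),
    ]
    before = [e.name for e in rank(engines, now)]        # freshness alone decides
    record_detections(engines, {"EngineA", "EngineB"})   # confirmed detection
    record_detections(engines, {"EngineC"})              # lone detection: likely false positive
    record_detections(engines, {"EngineA"})              # another lone detection
    after = [e.name for e in rank(engines, now)]
    # EngineB now ranks first but cannot repair this worm, so EngineA cleans it.
    cleaner = clean_with_fallback(engines, {"EngineA", "EngineB"}, "Worm.Constructed", now)
    return before, after, cleaner


if __name__ == "__main__":
    print(demo())
```

The point to notice is the second lone detection: an engine that keeps flagging files nobody else flags sinks in the order, so a noisy engine is consulted later rather than silently dropped.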
Antigen encapsulates several scanning engines into a single product so that organizations benefit from the use of multiple scan engines in a single solution. It also offers MEM, which manages all aspects of antivirus engine scanning and protection. The combination of these features delivers many benefits, which range from having systems that are always running to ensuring adequate protection during a virus outbreak.
The real test of an antivirus solution comes when there is a virus outbreak. All scanning engines are updated with signature files after a virus is released and detected. Therefore, the likelihood of detection with multiple engines is much greater, because there are several labs to rely on. In addition, if a virus signature fails for one engine, an organization is not vulnerable while it is being corrected. Because Antigen uses its MEM to update the system without taking virus protection offline, organizations can be sure they have the latest updates without sacrificing protection.
Furthermore, the technology used by each scan engine is unique to its antivirus lab. Similarly, each engine has its own strengths and weaknesses. Combining multiple engines into a single product improves overall reliability and detection rates. Antigen ships with a default and standard mix of four engines, consisting of Sophos, CA eTrust Iris, CA eTrust Vet, and Norman. Up to four additional engines are available as add-ons, including Kaspersky, VirusBuster, Authentium and AhnLab. The ability to bring all of these technologies into a single, integrated and centrally managed product is a major breakthrough in the antivirus industry. By providing a complete, end-to-end, managed solution, Antigen is able to provide organizations with effective tools to combat viruses and malicious code, while eliminating the need to select, manage, or configure their own multiple engine strategy.
An antivirus engine cannot scan for viruses when it is being updated. As a result, companies have only two options. They can either take systems offline while updating—which lets messages queue up but decreases productivity—or they can let messages pass through unscanned, increasing the chances of being infected. Neither choice is optimal. Antigen’s MEM ensures that messages are scanned by all other available engines while one is being updated. As a result, organizations are assured that all their incoming e-mail and documents are being protected every hour of the day and night, with no downtime when updating a single engine.
In a single-engine model, IT systems can crash if the engine fails at a critical moment, allowing a virus to penetrate the organization completely undetected. This failure can, in turn, lead to high business costs from downtime, lost business, and hindered productivity. However, using a multiple scan engine environment can eliminate this risk. Antigen packages .dat files with the scan engine and tests new signature files before they are posted and downloaded by Antigen. As a second level of protection, if Antigen detects a corrupt file after it’s been downloaded, MEM automatically takes the corrupt engine offline and ensures that other engines continue to scan all messages and documents.
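The update behaviour described above (download, test, bring online, roll back on a corrupt file, keep the other engines scanning meanwhile) is easy to get wrong in practice, so here is a Python model of it as an added example, not Antigen's implementation. The engine names, the SHA-256 digest check, the detection self-test sample, and the `begin_update`/`finish_update`/`runtime_failure` method names are all assumptions; what the code preserves is the paper's sequence: a package that fails its checks is rejected with an alert and the last good version stays in service, an engine that is mid-update is excluded from the scanning pool, and an engine found corrupt after going live is taken offline and rolled back while the rest continue.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

TEST_SAMPLE = "TEST-SAMPLE"  # constructed stand-in for a known detection self-test sample


@dataclass(frozen=True)
class SignaturePackage:
    version: int
    signatures: frozenset   # constructed: the names this package would detect
    sha256: str             # digest published alongside the package

    def payload(self) -> bytes:
        return "\n".join(sorted(self.signatures)).encode()


def package(version, signatures):
    """Build a package whose digest matches its payload (constructed helper)."""
    body = "\n".join(sorted(signatures)).encode()
    return SignaturePackage(version, frozenset(signatures), hashlib.sha256(body).hexdigest())


@dataclass
class ManagedEngine:
    name: str
    current: SignaturePackage
    previous: Optional[SignaturePackage] = None
    state: str = "online"   # online | updating | offline


class MultipleEngineManager:
    """Minimal model of MEM's update handling (an assumption, not Antigen's code)."""

    def __init__(self, engines):
        self.engines = {e.name: e for e in engines}
        self.alerts = []

    def scanning_pool(self):
        """Engines a message can be scanned with right now."""
        return [n for n, e in self.engines.items() if e.state == "online"]

    def begin_update(self, name):
        # The engine leaves the pool while its files are replaced; others keep scanning.
        self.engines[name].state = "updating"

    def finish_update(self, name, pkg):
        """Test the downloaded package; bring it online or keep the last good version."""
        e = self.engines[name]
        try:
            if hashlib.sha256(pkg.payload()).hexdigest() != pkg.sha256:
                raise ValueError("digest mismatch (corrupt download)")
            if pkg.version <= e.current.version:
                raise ValueError("not newer than the installed version")
            if TEST_SAMPLE not in pkg.signatures:
                raise ValueError("self-test sample not detected")
        except ValueError as exc:
            # Rejected before use: alert the administrator, keep the previous version.
            self.alerts.append(f"{name}: update v{pkg.version} rejected, {exc}; kept v{e.current.version}")
            e.state = "online"
            return False
        e.previous, e.current = e.current, pkg
        e.state = "online"
        return True

    def runtime_failure(self, name, reason):
        """Engine found corrupt after going live: take it offline and roll back."""
        e = self.engines[name]
        e.state = "offline"
        if e.previous is not None:
            e.current, e.previous = e.previous, None
        self.alerts.append(f"{name}: taken offline ({reason}); rolled back to v{e.current.version}")


if __name__ == "__main__":
    base = {TEST_SAMPLE, "Worm.Constructed"}
    mem = MultipleEngineManager([ManagedEngine(n, package(1, base)) for n in ("EngineA", "EngineB", "EngineC")])
    mem.begin_update("EngineA")
    print("pool during update:", mem.scanning_pool())
    print("good update:", mem.finish_update("EngineA", package(2, base | {"Worm.Constructed.B"})))
    tampered = SignaturePackage(2, frozenset(base), "0" * 64)
    print("corrupt update:", mem.finish_update("EngineB", tampered), mem.alerts[-1])
```

A digest check alone only proves the file arrived intact; the self-test step is what catches a package that is well-formed but does not detect what it should, which is the failure the paper's "tested and brought online" wording is guarding against.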
Antigen simplifies the configuration of multiple engines. Administrators need only select the specific licensed scan engines they want for each scan job, along with an appropriate engine bias setting. These settings allow the MEM to manage the engines for each scan job, while providing an ideal way for administrators to balance reliability and performance for their particular environments.
Although the use of multiple engines has been proven to enhance reliability, additional scanning could have an impact on server performance. Antigen’s MEM ensures that multiple scan engines optimize performance and ensure e-mail protection that doesn’t overtax server resources, even during outbreaks. This is accomplished in part by using algorithms designed to achieve a targeted balance between performance and reliability.
Other Antigen technologies also contribute to achieving optimal performance. In-memory scanning, for example, dynamically allocates available application memory to scan messages, which, in turn, provides real-time protection while maintaining server efficiency.
The following scenario demonstrates how Antigen can be implemented and managed to best minimize a virus threat:
Fabrikam, a fictitious manufacturing company, employs approximately 1,000 employees. The company is geographically dispersed, with corporate headquarters and product design in London and manufacturing plants in France, China, and India. With people located around the world, everyone relies on e-mail messages to communicate with others and keep production on schedule. Downtime associated with viruses would be disastrous for the business.
Fabrikam needed a powerful antivirus solution for its Microsoft® Exchange Server 2003 messaging and collaboration environment. As a result, the company implemented Antigen for Exchange and Antigen for SMTP Gateways. Because of the importance of its messaging system, the company also decided to use all eight scanning engines.
Following Sybari’s recommended bias settings, MEM is configured to run at the Max Certainty setting on the front-end SMTP servers. Antigen for SMTP Gateways also allows the company to block files and file types they do not want entering the system. Meanwhile, Favor Performance is used for global servers running Exchange – all eight scanning engines are used for the front-end Exchange servers while two scanning engines are used for the back-end servers. The two different settings ensure a favorable balance between security and performance, and they also recognize that e-mail coming from the outside poses much more of a risk than e-mail being routed internally.
One of the front-end servers will have HTTP download access from www.sybari.com, so that it can pull updated files. Fabrikam follows the best practice of configuring the schedule to repeat the update process every hour, in order to make sure that the most current updates are in place.
For a few months after the installation, Antigen detects and removes a few nondestructive viruses using a combination of heuristics, sandboxing, and signature matching. Then, there is a virus outbreak.
The new virus is a destructive worm that self-propagates through an e-mail attachment. If a user opens the attachment, the virus sends out another message to everyone in the address book. From there, it replaces system files with copies of itself so that after the computer is turned off, it will not operate again. The virus is first spotted in the wild in Asia. Because one of Antigen’s antivirus labs is located in this region—which just happens to be eight hours ahead of the London office—Antigen has a new signature file before anyone in London is aware of the threat. Fabrikam’s administrators have configured Antigen to Delete: Remove Infection right away. Therefore, before London users are able to download their mail from their Exchange server in the morning, Antigen recognizes the virus and deletes it.
But what about unknown viruses that cannot be detected by signatures? Since Antigen relies on a variety of technologies, even unknown viruses are usually detected before Fabrikam users get the infected file. All of the scanning engines in Fabrikam’s deployment of Antigen use heuristics to detect suspicious mail, which is then flagged and deleted.
In today’s environment of evolving malware, single scanning engine products are no longer sufficient. In order to ensure that all systems are operating, organizations need to implement a layered scanning solution that uses multiple engines to ensure maximum virus detection.
Sybari’s Antigen provides companies with the ideal multiple engine scanning solution. Antigen works with leading antivirus labs around the world and integrates a range of scan engines, providing organizations with a layered strategy in a single product. In addition, Antigen automates the management process by using MEM, which gives administrators the flexibility to define the level of scanning control they need and continually adjust it to meet a changing environment. As viruses, worms, and other malicious code continue to evolve and grow more sophisticated, so should antivirus solutions. Antigen does just that by providing a wide range of benefits—from verifying and testing new signature files, to eliminating engine downtime and optimizing server resources—ensuring that companies are protected every minute of the day.
The following links provide a more in-depth look at Antigen.
• Review the FAQ
• Read latest news
• Download a Free 30-Day Trial Version of Antigen