I’m playing with the Microsoft Forefront Security for Exchange Server, which is in beta right now. I do note that the evaluation/beta now supports 32-bit Exchange 2007. Remember, though, that you can’t run 32-bit Exchange 2007 — and thus 32-bit Forefront — in a production environment!
We’ve got some nice 64-bit Dell machines to play with, so our Exchange 2007/Forefront installation is purring along nicely. So far, I’m pretty impressed with it; it’s not loading up our test hardware nearly as much as I thought it would be. 64-bit Exchange server rock on toast, that’s all I have to say.
One thing that caused me a bit of consternation, though, was when I was checking the auto-update configuration options for the various engines. One of Forefront’s claims to fame (coming from the Sybari Antigen lineage) is that it features multiple malware engines, allowing admins to mix and match the engines they think best fit their needs. I was expecting to see the nine engines listed in the Forefront whitepaper (AhnLab, Authentium, CA InoculateIT, CA Vet, Kaspersky, Microsoft, Norman, Sophos, and VirusBuster), but I was surprised to see a tenth engine: the Worm List.
It turns out that this isn’t really a separate engine, but rather a performance measure. Instead of wasting CPU time and resources scanning messages that are known worms, Forefront uses a separate list to keep track of worms that can be immediately deleted without the risk of losing a legitimate message. This list is updated as a separate entity from any of the scan engines because it allows Forefront to delete matching messages without passing them to the active scanners.
So, that’s why you see ten engines to update when Forefront only offers nine!