Educause Security Discussion mailing list archives

Re: Exchange Server Virus Scanning


From: Graham Toal <gtoal () UTPA EDU>
Date: Fri, 17 Feb 2006 13:36:02 -0600

One of Antigen's prime selling points for us was that they ran 8 (more
now) different scanning engines including Kaspersky, Sophos,
Norman, NAI, and others. Do the other products you've talked
about have the multi-engine aspects as well?

My experience from doing this on a home-made system is that
two give the best value per $.  After that it's diminishing
returns - not from the cost of the software, but from the
cost of the machine to run it on.  These guys can eat CPU.

As I've mentioned before, we got the biggest win from adding
Greylisting - which doesn't just reject spam, it cuts your
virus load down by about 90% as well.  Before we added
greylisting, we had two spam/virus servers distributing the
load and they were starting to creak; it was about time to
add more, when we put in the greylist stage instead.  Now
the entire campus load can be run comfortably on one spam/virus
filter (plus one greylist filter in series - the greylist
system has almost zero load even in heavy traffic - it's
doing very little more work than a router).

If you are looking at commercial appliances, do ask if they
can offer greylisting.  It really is worth it.  There are a
couple of small gotchas however.  One is that if you have
multiple spamfilter or mail servers and they are load balancing
(equal valued MX records, or hardware load-balancing like an F5)
then you *must* get a greylist solution which shares its state
between the multiple servers in real time, otherwise you can
have senders back off to a different MX host and end up suffering
multiple greylist retry delays.

I'm not aware of any freeware systems that do this properly.

We got around the problem by having a single greylist appliance
in front of our two spam/virus appliances, which forwarded the
incoming calls to one of the two boxes for load balancing.  We
don't need load balancing for the greylister as the overhead is
tiny; we do need redundancy which we get from having the one
greylist box wired so that if it fails, another one takes its
place -- or at least we should, which was the plan, but we put
it on hold for various reasons.

Tools like Heartbeat from the High Availability Linux project
make transparently adding failover relatively easy.

      http://www.linux-ha.org/SuccessStories


Graham
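The load-balancing gotcha in the post above (a sender's retry landing on a different MX host and being greylisted a second time) is easy to see in a small simulation. The following is an added example, not code from the original post or from any greylisting product; the host names, addresses, timings and the 300-second minimum retry age are all constructed for illustration.

```python
"""Greylisting state-sharing simulation (added example, not from the original post).

Greylisting temporarily rejects (SMTP 4xx) the first delivery attempt for an
unseen (client IP, envelope sender, envelope recipient) triplet and accepts a
retry that arrives after a minimum delay. When several equal-priority MX hosts
each keep their own triplet table, a sender whose retry lands on a different
MX is greylisted again. A store shared by all MX hosts fixes that; this
script runs the same delivery sequence against both setups.
"""

MIN_RETRY = 300  # assumed policy: a triplet must be this old before a retry is accepted


class GreylistStore:
    """Triplet table. Every MX host that shares one instance shares its state."""

    def __init__(self):
        self.seen = {}  # (ip, sender, recipient) -> time first seen

    def check(self, client_ip, sender, recipient, now):
        """Return '451' (try later) on first sight or a too-early retry, '250' otherwise."""
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now
            return "451"
        if now - first < MIN_RETRY:
            return "451"
        return "250"


class MXHost:
    def __init__(self, name, store):
        self.name = name
        self.store = store


def deliver(hosts, attempts):
    """Replay (time, host_index, ip, sender, rcpt) attempts; return [(host, smtp_code)]."""
    results = []
    for t, idx, ip, sender, rcpt in attempts:
        host = hosts[idx]
        results.append((host.name, host.store.check(ip, sender, rcpt, t)))
    return results


# Constructed scenario: a legitimate MTA retries after 10 minutes, but its
# retry goes to the other MX (equal-valued MX records), then back to the first.
ATTEMPTS = [
    (0,    0, "192.0.2.10", "alice@example.net", "bob@example.edu"),  # first try -> mx1
    (600,  1, "192.0.2.10", "alice@example.net", "bob@example.edu"),  # retry -> mx2
    (1200, 0, "192.0.2.10", "alice@example.net", "bob@example.edu"),  # retry -> mx1
]


def run_unshared():
    """Each MX keeps its own table: the mx2 retry is treated as a brand-new triplet."""
    hosts = [MXHost("mx1", GreylistStore()), MXHost("mx2", GreylistStore())]
    return deliver(hosts, ATTEMPTS)


def run_shared():
    """One table in front of (or replicated between) both MX hosts."""
    shared = GreylistStore()
    hosts = [MXHost("mx1", shared), MXHost("mx2", shared)]
    return deliver(hosts, ATTEMPTS)


def delivery_delay(results, attempts):
    """Seconds from the first attempt until the first 250, or None if never accepted."""
    for (_host, code), (t, *_rest) in zip(results, attempts):
        if code == "250":
            return t
    return None


def early_retry_is_still_deferred():
    """A retry inside MIN_RETRY (typical of spam bots that hammer immediately) stays deferred."""
    store = GreylistStore()
    first = store.check("198.51.100.7", "spam@example.org", "bob@example.edu", 0)
    second = store.check("198.51.100.7", "spam@example.org", "bob@example.edu", 60)
    return first == "451" and second == "451"


if __name__ == "__main__":
    for label, runner in (("unshared", run_unshared), ("shared", run_shared)):
        res = runner()
        print(label, res, "accepted after", delivery_delay(res, ATTEMPTS), "s")
```

With per-host tables the message is only accepted on the third attempt (1200 s), because mx2 had never seen the triplet; with the shared table the first retry is accepted (600 s). That doubled delay is exactly the cost of a non-sharing greylist behind round-robin MX records, and the single greylist appliance in front of both filters described in the post removes it by construction.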
