Product Reviews

Antigen 6.2: Can I be the Worm Administrator?

The newest crop of Exchange antivirus products prevents users from receiving infected mail.

• By Roberta Bragg
• 12/01/2001

It's a tough choice, isn't it, when the product you don't think you want, has features that you do? By the time I received my copy of Sybari Software's Antigen 6.2, I sure was tired of installing and reinstalling. (I think if just one more antiviral product lands on my front porch I'm gonna kick it behind the flower pot.) However, I'm a sucker for a pretty face with a good backend and I gotta tell you, Antigen looks good.

Installation
Antigen 6.2 can be installed in VSAPI. mode, which utilizes the new Antivirus API from Exchange 2000 SP1, or in ESE mode which does not. This is a nice touch; it's useful if you're leery of installing the Exchange service pack and yet want a full blown mail server-hosted antiviral solution. I installed in VSAPI mode; so I could look at the product's use of the new API's features. Another nice touch is the offer to update the viral signatures during the installation process. If you choose this option, Antigen will attempt to visit Sybari's site and update its engines files. CD-ROMs can't help but have out-of-date files due to the fast nature at which new viral files are created and loosed on us. I chose the option, but the job failed. I'll have more on that later. This would be a minor issue to the vigilant admin, but might give a false sense of security to the neophyte. You should definitely make it routine to automatically update engine files when installing any antiviral product and then immediately schedule automatic updates.

Documentation
I was happy to find some excellent information in the documentation. Too bad it's only browser based or available via a downloadable PDF. I like a help file that's integrated a little more, and is easily searchable. Nevertheless, I'd rather have the stuff they provided, than a poorly-written but searchable help file that's no help. Kudos to Sybari for including information on registry keys—a necessary part of any admin's knowledge, but often ignored in the product docs.

The only area that was confusing is the issue of using a proxy. While there's a nice description of Microsoft's Proxy Server, information on configuring Antigen to work with it or any other proxy for downloading the updated engine files is a little confusing. Two possibilities are listed, changing the HTTPUseWinInet registry key (which didn't exist on my test system) or using the GetEngine program. As it turns out, GetEngine is used by antigen if you've updated the antigen services to use the winproxy service. Since playing with antigen was my Labor Day entertainment (so support at Sybari wasn't available) I tried adding a HTTPUseWinInet registry value (where? No documentation, so I guessed. What the hey, reinstalling everything would be fun, no?).

Unfortunately, that didn't work. But on Tuesday, I didn't have to call Sybari, because they called me. (more brownie points, guys). Turns out I'd put the value in the right place, but since it didn't work I should try the proxy solution (I use ISA Server instead of Proxy Server, but the solution worked). This involved running an update to the Sybari engine to use a newly installed service with a domain level account. Apparently the update program uses the service account to access the proxy service and the default installation uses the local system account, which cannot be used for this purpose.

Provisions
By default Antigen scans all messages and attachment for viruses and moves any messages with a virus to quarantine. The Administrator gets a message about the issue. The features of Microsoft's Antivirus API 2.0 are used to provide background and on-access scanning. Background scanning is initialized when the services start, and when new engine updates are made, thus ensuring that the latest antiviral signatures are used to scan all messages.

Scanning for particular file types is configurable. Compressed files are also expanded and scanned. There's even a provision to halt the decompression if a configurable time limit is reached. This protects against a zip of death attack (a layered compression model which can consume massive resources as each zipped zip file is unzipped to reveal another zipped zip file, which is unzipped to reveal another zip file which is…well, you get the picture.)

Are you the extra paranoid type who wants to use several scanning engines from multiple companies? The theory is, as many of you have expressed to me: if one vendor doesn't get it right, several improves your chances. Antigen will let you. Provided with Antigen are five scanning engines (Norman, NAI McAfee 4.x, Sophos, CA Inoculat IT and CA Vet) all of which can be updated automatically. You decide the level of their usage that ranges from all using all engines to scan all files to letting antigen determine heuristically which scan engine to use for which files. (Its calculations consider past success and performance.)

Antigen supports scripted installation should you have multiple servers to install. Central administration is supported via the client application, the ability to provide a centralized, local update resource, and the ability to create configuration templates for application to the servers.

Antigen 6.x , when installed in VSAPI. mode, takes advantage of the Antivirus API 2.0 in a number of ways:

• The information store is scanned immediately on installation and is continual scanned in the background.
• As messages arrive or leave the information store, they are scanned.
• Alerts can be emailed to designated individuals and include pertinent information.
• Information is also posted to the event logs.

Antigen provides an easy-to-read summary of its activities and findings. (Click image to view larger version.)

Kool Rules
The Antigen client program can be installed separately from the server engine. Access control between the client and the server is managed by DCOM. You can use dcomcnfg.exe to adjust these permissions and prevent unauthorized users attempts at connecting to the engine.

Not only can notification be emailed to an administrator, you can select a collection of roles (viral administrator, worm administrator, email administrator) and assign them via email address. Oh! Oh! I want to be a worm administrator. Can't wait to give my title at the next party, convention or business meeting.

One of the most devastating attacks on mail services has been through email worms. These self-propagating beasties are difficult to purge from your systems. Antigen provides a worm purging service. This service seeks out and destroys infected messages so you don't have to—and copies are not quarantined, thus avoiding the self-defeating activity of storing thousands of copies of the same message. An updatable worm signature file is used for the scanning.

Results
Antigen provides a copy of the EICAR test file and explains how to use it. As you'd expect, Antigen found the copies I placed in the information store (prior to the installation of Antigen), and also in message attachments that I sent and received.

Summary
Ever wonder if maybe you ought to have two or more virus scanners on your mail server? Sybari Software's Antigen 6.2 allows you to do this in a disciplined way. Copies of several virus scanning tools are included with the product, along with the ability to schedule downloads of new viral signatures for all of them. Which scanners are used on each file is determined by the internal rules and historical success. Antigen makes good use of the Antivirus API 2.0 to provide extra information to administrators and to efficiently scan the store. If your mail server is behind a proxy, though, expect some difficulties in configuration.