Antigen 6.2: Can I be the Worm Administrator?
The newest crop of Exchange antivirus products prevents users from receiving infected mail.
- By Roberta Bragg
It's a tough choice, isn't it, when the product you don't think you want
has features that you do? By the time I received my copy of Sybari Software's
Antigen 6.2, I sure was tired of installing and reinstalling. (I think
if just one more antiviral product lands on my front porch I'm gonna kick
it behind the flower pot.) However, I'm a sucker for a pretty face with
a good backend and I gotta tell you, Antigen looks good.
Antigen 6.2 can be installed in VSAPI mode, which uses the new Antivirus
API from Exchange 2000 SP1, or in ESE mode, which does not. This is a nice
touch; it's useful if you're leery of installing the Exchange service
pack and yet want a full blown mail server-hosted antiviral solution.
I installed in VSAPI mode so I could look at the product's use of the
new API's features. Another nice touch is the offer to update the viral
signatures during the installation process. If you choose this option,
Antigen will attempt to visit Sybari's site and update its engine files.
CD-ROMs can't help but have out-of-date files, given the speed at
which new viruses are created and loosed on us. I chose the option,
but the job failed. I'll have more on that later. This would be a minor
issue to the vigilant admin, but might give a false sense of security
to the neophyte. You should definitely make it routine to automatically
update engine files when installing any antiviral product and then immediately
schedule automatic updates.
I was happy to find some excellent information in the documentation. Too
bad it's only browser based or available via a downloadable PDF. I like
a help file that's integrated a little more, and is easily searchable.
Nevertheless, I'd rather have the stuff they provided, than a poorly-written
but searchable help file that's no help. Kudos to Sybari for including
information on registry keys—a necessary part of any admin's knowledge,
but often ignored in the product docs.
The only area that was confusing is the issue of using a proxy. While
there's a nice description of Microsoft's Proxy Server, information on
configuring Antigen to work with it or any other proxy for downloading
the updated engine files is a little confusing. Two possibilities are
listed, changing the HTTPUseWinInet registry key (which didn't exist on
my test system) or using the GetEngine program. As it turns out, GetEngine
is used by Antigen if you've updated the Antigen services to use the winproxy
service. Since playing with Antigen was my Labor Day entertainment (so
support at Sybari wasn't available), I tried adding an HTTPUseWinInet registry
value (where? No documentation, so I guessed. What the hey, reinstalling
everything would be fun, no?).
Unfortunately, that didn't work. But on Tuesday, I didn't have to call
Sybari, because they called me (more brownie points, guys). Turns out
I'd put the value in the right place, but since it didn't work I should
try the proxy solution (I use ISA Server instead of Proxy Server, but
the solution worked). This involved running an update to the Sybari engine
to use a newly installed service with a domain level account. Apparently
the update program uses the service account to access the proxy service
and the default installation uses the local system account, which cannot
be used for this purpose.
By default Antigen scans all messages and attachments for viruses and moves
any messages with a virus to quarantine. The Administrator gets a message
about the issue. The features of Microsoft's Antivirus API 2.0 are used
to provide background and on-access scanning. Background scanning is initialized
when the services start, and when new engine updates are made, thus ensuring
that the latest antiviral signatures are used to scan all messages.
Scanning for particular file types is configurable. Compressed files
are also expanded and scanned. There's even a provision to halt the decompression
if a configurable time limit is reached. This protects against a zip of
death attack (a layered compression model which can consume massive resources
as each zipped zip file is unzipped to reveal another zipped zip file,
which is unzipped to reveal another zip file which is…well, you get the
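The decompression time limit described above is one of three guards a mail scanner usually applies to nested archives, the others being a nesting-depth cap and a cap on total expanded bytes. What follows is an added example, not Sybari's code: a small Python expander that walks a zip attachment recursively, runs a constructed test signature against each leaf file, and returns a "blocked" verdict instead of exhausting the server when any limit is hit. The nested-zip builder, the signature string, the limits and the fake clock are all constructed for the demo.

```python
"""Guarded expansion of nested zip attachments before content scanning.

Added example (not Sybari's code). Enforces a time limit, a nesting limit
and an expanded-size limit so a deliberately nested archive is blocked
rather than consuming the server's resources.
"""
import io
import time
import zipfile

# Constructed signature for the demo; not a real malware pattern.
SIGNATURES = {b"CONSTRUCTED-TEST-SIGNATURE": "Test.Signature"}


class DecompressionBudgetExceeded(Exception):
    """Raised when expansion would exceed the configured budget."""


def build_nested_zip(depth, payload=b"just text", name="inner.txt"):
    """Constructed input: `payload` wrapped in `depth` zip layers."""
    data = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name if level == 0 else f"level{level}.zip", data)
        data = buf.getvalue()
    return data


def fake_clock(step=1.0):
    """Deterministic clock for tests: each call advances by `step` seconds."""
    now = [0.0]

    def tick():
        now[0] += step
        return now[0]
    return tick


def _scan(path, data, budget, depth):
    """Recursively expand `data`; return [(path, detection)] for leaf files."""
    if budget["clock"]() >= budget["deadline"]:
        raise DecompressionBudgetExceeded(f"time limit hit while expanding {path}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Leaf file: this is where a real engine would run its signatures.
        return [(path, label) for sig, label in SIGNATURES.items() if sig in data]
    if depth >= budget["max_depth"]:
        raise DecompressionBudgetExceeded(f"nesting limit hit at {path}")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Charge the declared uncompressed size before inflating, so a
            # highly compressible member is refused before it is expanded.
            budget["bytes_out"] += info.file_size
            if budget["bytes_out"] > budget["max_bytes"]:
                raise DecompressionBudgetExceeded(
                    f"size limit hit at {path}/{info.filename}")
            member = zf.read(info)
            findings.extend(_scan(f"{path}/{info.filename}", member, budget, depth + 1))
    return findings


def scan_attachment(name, data, time_limit_s=2.0, max_depth=8,
                    max_bytes=50_000_000, clock=time.monotonic):
    """Return ("clean", []), ("infected", findings) or ("blocked", reason)."""
    budget = {"clock": clock, "deadline": clock() + time_limit_s,
              "max_depth": max_depth, "max_bytes": max_bytes, "bytes_out": 0}
    try:
        findings = _scan(name, data, budget, 0)
    except DecompressionBudgetExceeded as exc:
        return "blocked", str(exc)
    return ("infected" if findings else "clean"), findings


if __name__ == "__main__":
    print(scan_attachment("a.zip", build_nested_zip(3)))
    print(scan_attachment("b.zip", build_nested_zip(3, payload=b"x CONSTRUCTED-TEST-SIGNATURE")))
    print(scan_attachment("c.zip", build_nested_zip(20), max_depth=8))
    print(scan_attachment("d.zip", build_nested_zip(1, payload=b"\0" * 1_000_000),
                          max_bytes=100_000))
```

The "blocked" verdict is deliberately distinct from "clean": an attachment that could not be fully expanded within budget has not been scanned, and a mail scanner should quarantine or reject it rather than pass it through as if it were.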
Are you the extra-paranoid type who wants to use several scanning engines
from multiple companies? The theory, as many of you have expressed
to me, is that if one vendor doesn't get it right, several improve your chances.
Antigen will let you. Provided with Antigen are five scanning engines
(Norman, NAI McAfee 4.x, Sophos, CA InoculateIT and CA Vet), all of which
can be updated automatically. You decide how heavily they are used, anywhere
from using all engines to scan all files to letting Antigen
determine heuristically which scan engine to use for which files. (Its
calculations consider past success and performance.)
Antigen supports scripted installation should you have multiple servers
to install. Central administration is supported via the client application,
the ability to provide a centralized, local update resource, and the ability
to create configuration templates for application to the servers.
Antigen 6.x, when installed in VSAPI mode, takes advantage of the Antivirus
API 2.0 in a number of ways:
- The information store is scanned immediately on installation and is
continually scanned in the background.
- As messages arrive or leave the information store, they are scanned.
- Alerts can be emailed to designated individuals and include pertinent
- Information is also posted to the event logs.
Antigen provides an easy-to-read summary of its activities and findings.
The Antigen client program can be installed separately from the
server engine. Access control between the client and the server is managed
by DCOM. You can use dcomcnfg.exe to adjust these permissions and prevent
unauthorized users from connecting to the engine.
Not only can notification be emailed to an administrator, you can select
a collection of roles (viral administrator, worm administrator, email
administrator) and assign them via email address. Oh! Oh! I want to be
a worm administrator. Can't wait to give my title at the next party, convention
or business meeting.
One of the most devastating attacks on mail services has been through
email worms. These self-propagating beasties are difficult to purge from
your systems. Antigen provides a worm purging service. This service seeks
out and destroys infected messages so you don't have to—and copies
are not quarantined, thus avoiding the self-defeating activity of storing
thousands of copies of the same message. An updatable worm signature file
is used for the scanning.
Antigen provides a copy of the EICAR test file and explains how to use
it. As you'd expect, Antigen found the copies I placed in the information
store (prior to the installation of Antigen), and also in message attachments
that I sent and received.
Ever wonder if maybe you ought to have two or more virus scanners on your
mail server? Sybari Software's Antigen 6.2 allows you to do this in a
disciplined way. Copies of several virus scanning tools are included with
the product, along with the ability to schedule downloads of new viral
signatures for all of them. Which scanners are used on each file is determined
by the internal rules and historical success. Antigen makes good use of
the Antivirus API 2.0 to provide extra information to administrators and
to efficiently scan the store. If your mail server is behind a proxy,
though, expect some difficulties in configuration.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.