Microsoft Antigen nails viruses but stumbles on spam

Malware protection impresses, but optional anti-spam module can't hack it

Viruses and spam both pose an increasing threat these days, and not just to your data or productivity. Rather than hackers breaking security systems for their own amusement, most current threats are financially motivated and can cost a company millions. And with viruses and phishing attacks growing more criminal in intent every day, securing financial, customer, and other critical data requires a rock-solid system of defense.

With all of the anti-virus and anti-spam vendors out there, many administrators may not be aware that Microsoft has its own product in this space: Antigen for SMTP Gateways Version 9.0, with Antigen Spam Manager (an optional module). (Microsoft picked up the Antigen technology when it acquired Sybari Software in 2005.)

Antigen’s anti-virus component proved effective in my testing, stopping all live and test viruses received. And the product allows for flexibility, as admins are free to decide whether to cover their bases thoroughly by activating all nine included filters or to speed up processing by enabling only one or two.

The anti-spam component, however, was a disappointment, identifying only 82 percent of spam. Worse, it misidentified far too many legitimate messages as spam.

Installation of Antigen requires only Windows 2000 or 2003 Server for the SMTP version; the Exchange version can be installed on an Exchange 2000 or 2003 server. The latter offers additional functionality, such as allowing users to create and maintain their own anti-spam whitelists rather than requiring the administrator to intervene and add addresses to the allowed-senders list.

Installation is easy and well documented. You may need to equip your system with additional Microsoft components -- such as the Microsoft SQL Server Desktop Engine, Microsoft MSXML Parser, or the SMTP server components -- before installing Antigen. Luckily, that’s easy to do, and the manual walks you through the process well. Antigen uses the Microsoft SQL Desktop Engine (based on Access) rather than the full SQL Server, which may cause performance issues with large installations. It does offer a separate administration utility that can manage all Antigen instances running in the enterprise, however.


One issue I had with the default installation is that it sets the anti-virus component to update once a day and the anti-spam filter to update only once, never again unless you manually change the settings. If you don’t set this to once an hour or once every 15 minutes, you may very well find your network infected with a new virus or barraged by a new spamming method.

You can create multiple rule sets and set each to filter using different anti-virus engines or different anti-spam rules. The anti-virus engines are Antigen Worm, CA InoculateIT, CA Vet, Command, Kaspersky, Microsoft Anti-Virus, Norman Data Defense, Sophos Anti-Virus, and VirusBuster. Using all of them increases the odds of catching a new virus, although at the cost of boosting scan times and latency considerably.

Rule sets can be applied to groups of users or groups of incoming e-mail addresses so that mail from certain ISPs is examined more stringently than mail from partners, for instance. You can also create different notification behaviors so that select ISPs can be notified when spam is detected.

You can also create rule sets for filtering various types of content -- such as message content, subject lines, and attachments -- on incoming and outgoing messages based on default or custom lists of words or files. Default lists include profanity, racial slurs, sexual discrimination, and spam-related words. You will probably want to edit these lists and may not want to enable the spam-related words list at all, given that they include many terms that come up in legitimate e-mail as well.

You can quarantine e-mail identified as spam for a set period and then delete it or mark it with a header so that Exchange can put it in the Junk folder. With the Exchange version of Antigen, if users check the Junk folder and release messages, they have the option of whitelisting the sender so that other messages won’t be filtered out. For viruses, the default behavior is to delete the virus and notify the sender and recipient that a virus was stopped.

With the SMTP version of Antigen, the administrator must release messages from quarantine by entering the address or domain at the management console or by importing a text file with multiple addresses. Finding out why a message was marked as spam requires searching through the logs, which can be a somewhat cumbersome process -- the actual message is not marked with the reason it was quarantined in a header entry, as it is with many other anti-spam products.

The whitelisting process would not be much of an issue if it weren’t necessary to use it so regularly. In my 10-day testing period, my e-mail system received 10,888 messages, of which 8,932 were spam. Antigen caught 82 percent of the spam, a relatively low number, and out of 1,956 legitimate messages, there were 55 false positives, including 31 newsletters, 17 legitimate marketing messages, and seven critical false positives (sent by an individual user, not a bulk mailing). There were an additional 89 false positives that would not have been misidentified had I been using the whitelist feature.
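To make the figures above concrete, here is an added example (not from the review or from Microsoft) that turns the reported counts into the metrics a practitioner compares spam filters on: catch rate, false-positive rate and precision, with and without the 89 whitelist-preventable false positives. The caught-spam count is an assumption derived from the stated 82 percent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterResult:
    """Confusion-matrix counts for one spam filter run over a labelled corpus."""
    spam_total: int        # messages that really were spam
    spam_caught: int       # spam the filter flagged (true positives)
    ham_total: int         # legitimate messages
    false_positives: int   # legitimate messages flagged as spam

    @property
    def spam_missed(self) -> int:
        return self.spam_total - self.spam_caught


def metrics(r: FilterResult) -> dict:
    """Catch rate (recall), false-positive rate and precision, rounded to 3 places."""
    precision = r.spam_caught / (r.spam_caught + r.false_positives)
    return {
        "catch_rate": round(r.spam_caught / r.spam_total, 3),
        "false_positive_rate": round(r.false_positives / r.ham_total, 3),
        "precision": round(precision, 3),
        "spam_missed": r.spam_missed,
        "false_positives": r.false_positives,
    }


# Counts from the review's 10-day test: 10,888 messages, 8,932 spam, 1,956 legitimate.
# The caught count is an assumption derived from the stated 82 percent (8,932 * 0.82 ~= 7,324).
SPAM_TOTAL, HAM_TOTAL = 8932, 1956
SPAM_CAUGHT = round(SPAM_TOTAL * 0.82)

# 55 false positives remained even with whitelisting; a further 89 would have been
# avoided by the whitelist, so 144 were observed without it.
antigen_with_whitelist = FilterResult(SPAM_TOTAL, SPAM_CAUGHT, HAM_TOTAL, 55)
antigen_no_whitelist = FilterResult(SPAM_TOTAL, SPAM_CAUGHT, HAM_TOTAL, 55 + 89)


def whitelist_effect() -> dict:
    """How much of the false-positive rate the whitelist removes, in percentage points."""
    with_wl = metrics(antigen_with_whitelist)["false_positive_rate"]
    without = metrics(antigen_no_whitelist)["false_positive_rate"]
    return {"with_whitelist": with_wl, "without_whitelist": without,
            "reduction_points": round((without - with_wl) * 100, 1)}


if __name__ == "__main__":
    for name, run in [("Antigen (whitelist)", antigen_with_whitelist),
                      ("Antigen (no whitelist)", antigen_no_whitelist)]:
        print(name, metrics(run))
    print(whitelist_effect())
```

The 1,608 missed spam messages and the 2.8 percent false-positive rate (7.4 percent without the whitelist) are the two numbers to weigh against each other when judging a filter at this catch rate.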


In contrast, the last version of Symantec’s Brightmail I tested had one total false positive out of more than 10,000 messages, and it caught 95 percent of spam without tuning, whitelisting, or adjusting the update interval.

Antigen for SMTP Gateways Version 9.0 provides excellent anti-virus capabilities, giving administrators a lot of choice in filtering engines, and thus a better chance of catching new viruses. Also useful is the ability to treat incoming messages from trusted sources differently from general e-mail, as well as Antigen’s content filtering functionality.

On the other hand, given that pricing per user for the Antigen Spam Manager component is similar to that of Brightmail, it’s hard to recommend the former: Brightmail provides superior performance and management and a greater level of granularity in its reports.

InfoWorld Scorecard

Product                                  Setup    Ease of use  Performance  Value    Manageability  Overall Score
                                         (20.0%)  (20.0%)      (25.0%)      (10.0%)  (25.0%)        (100%)
Antigen for SMTP Gateways Version 9.0    7.0      7.0          9.0          8.0      8.0            7.9
Microsoft Antigen Spam Manager           7.0      7.0          6.0          7.0      7.0            6.8