Protecting your network from email viruses and spam has become a full-time job; finding the right antivirus software can make all the difference in whether it's a job well done. To help you, I tested the Microsoft Exchange Server versions of the top five products from the Best Antivirus/Mail Server category in Windows IT Pro's 2004 Readers' Choice awards: Computer Associates International (CA) eTrust Antivirus 7.1 Option for Microsoft Exchange, McAfee Active Mail Protection, Sybari (recently purchased by Microsoft) Antigen for Microsoft Exchange 8.0, Symantec Mail Security for Microsoft Exchange 4.6, and Trend Micro ScanMail for Microsoft Exchange 7.0. (Pick up next month's issue of Windows IT Pro to discover this year's winners.)
My lab consisted of two virtual machines—a domain controller (DC) and an Exchange server—on one dual-processor host system. I evaluated the products on the basis of their virus-scanning accuracy, spam- and content-filtering capabilities, and management functionality. I used virtual machines to provide a consistent test environment, but the overhead of the virtual machines magnified the performance differences between the products. Therefore, although I evaluated the products' performance against a baseline and against one another (as I explain in the Web sidebar "Performance," http://www.windowsitpro.com, InstantDoc ID 46978), I didn't consider performance to be the deciding factor in my final decisions.
I configured the Exchange server with 512MB of RAM, gave it exclusive use of one CPU, and put its virtual hard disk on a different disk than the host OS. For my antivirus tests, I disabled each product's spam- and content-filtering functions but left all other options at their defaults. I chose 4303 unique viruses from various virus-exchange Web sites; I chose viruses labeled win32, worm, macro, or .bat (i.e., batch file). Some vendors, such as McAfee and Symantec, try to catch all viruses, regardless of threat level. Others, such as Trend Micro, target their antivirus-definition files toward real-world threats that you'll find in the wild. The first approach resulted in high accuracy but poor performance in my tests; the second approach had the opposite effect. Because many of the viruses I chose aren't currently common in the wild (and because performance differences on production servers will likely be less drastic than they were in my tests), I suggest you consider the product's virus-catching approach as only one aspect of the products' overall capabilities. I used Microsoft SMTP server on the host machine to deliver 4303 virus-infected attachments to one user on the Exchange server, then repeated the test. Table 1 lists the number of viruses that each product caught (best of the two passes).
One way that malicious entities get past antivirus systems is by compressing or encoding malicious content. Therefore, I also sent a compressed or encoded copy of the Melissa virus, as well as a .zip file compressed within a .zip file to determine whether each product supported recursive archives; they all did. (I didn't test encrypted .zip files because encryption prevents the in-transit viewing upon which these products depend.) Table 2 lists the archive formats that each product was able to scan. To my dismay, none of the products were able to scan ISO images, which can be especially troublesome if infected with a virus.
Spam and content filtering (i.e., searching incoming or outgoing content for key words or phrases) are increasingly important in today's atmosphere. The McAfee, Sybari, Symantec, and Trend Micro products all supported content-filtering of both messages and attachments, either natively or through add-ons. (CA provides content-filtering through a separate product, eTrust Secure Content Manager, which was unavailable for review because of an upcoming release.) Content-filtering products must be able to read a file's format to filter its content, so I tested each product with eight common document formats. Table 3 shows the results.
After my accuracy and performance tests, I added a second Exchange server to test each product's management capabilities. Let's take a closer look at the individual products and their test results.
eTrust Antivirus 7.1 Option for Microsoft Exchange
CA eTrust Antivirus Option for Microsoft Exchange is an add-on to CA eTrust Antivirus, the file system–based antivirus product. eTrust Antivirus scans only for viruses and performs no spam or content filtering.
CA offers two virus scanning engines—Vet and InoculateIT—but eTrust Antivirus can scan with only one engine at a time. eTrust also performs heuristic scanning to detect viruses even before new definition files are released, but the documentation offers no additional explanation of the factors that the product uses for heuristics.
eTrust integrates with a CA Unicenter TNG module, but you don't need that product to manage remote servers from any console. Configuration was simple and involved only the small dialog box that Figure 1 shows. Another console let me view logs and monitor quarantined files but lacked detailed reporting or alerting based on detection rates (to help identify outbreaks).
eTrust offered an excellent balance of accuracy and performance in my tests, falling only slightly short of Symantec's and McAfee's products. I can't give the product my complete blessings without having reviewed Secure Content Manager, but if you're looking only for antivirus capabilities at an excellent price, I highly recommend eTrust Antivirus.
Active Mail Protection
McAfee Active Mail Protection bundles three of the company's products: GroupShield for Microsoft Exchange (which Figure 2 shows) provides antivirus functionality, SpamKiller for Microsoft Exchange delivers spam and content filtering, and ePolicy Orchestrator (ePO) offers integrated security-policy management.
McAfee's Active Mail Protection suite was designed with enterprise-class management in mind. ePO (which is really more of a framework) let's you distribute GroupShield and SpamKiller to multiple Exchange servers and centrally manage policies, alerts, and reporting. The product uses a Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE) back-end and can be managed by remote consoles from anywhere on your network.
Active Mail Protection came out on top for virus-scanning accuracy in my tests but took the second-longest time to deliver messages. The product came out on top as far as supported file formats go, catching 13 file types. SpamKiller's content filtering doesn't support regular expressions—a powerful, standardized syntax for searching text—but it does support simple wildcards. Active Mail Protection also includes extensive categorized lists of predefined filtered words to target inappropriate content. You can build custom lists and assign words a high, medium, or low severity for granular content control. I consider regular expressions a prerequisite for filtering of any type, but if you can live without them, Active Mail Protection might be the best solution for you. I rated Active Mail Protection a close second in this review; my decision came down to my personal preferences for specific features: the regular expressions–based content filtering and Microsoft Management Console (MMC)–based multiserver management console that Symantec offers.
Previous
Register
