IN a recent review of several enterprise antivirus packages, the use of multiple antivirus engines was something that was considered an important characteristic. In fact, the antivirus solution that got the best score, GFI’s MailSecurity, can use multiple antivirus engines to beef up virus scans. While working on a companion piece for that review, I noticed that the antivirus market leaders, Symantec and Network Associates, didn’t follow this practice. They used one engine for their email server products — their own.
Intrigued by this, I talked to the companies involved and found just what you’d expect: Each company said they were doing it the right way. I talked to some independent consultants as well, and they seemed to agree that there were good reasons to have more than one company providing the information your anti-virus product needs to do its job. But it was hard to get anyone to commit to a full-out recommendation; there is, as the consultants noted, a performance cost to using more than one antivirus engine.
Since it was clear that there was no definitive, independent authority on this topic, I decided to give it some thought. After all, we’re clearly suffering from an authority vacuum here, and I might as well try to fill it.
The first question I tackled was whether it is really necessary to have more than one means of checking your email as it enters your enterprise. That seemed an easy question to answer — email is, after all, your single most significant point of exposure to virus threats. If malicious code is going to penetrate your defences, this is where it will come first. The risk is pretty high.
In addition, it’s clear that many of the virus writers are in Asia, the Middle East, and Europe. A company with a presence to the east of the continental US may have an edge in discovering a new attack and starting work on defensive measures, perhaps reacting sooner and more accurately. After all, Europe’s business hours start five or six hours before we hit the Starbucks in the eastern US.
So in addition to the fact that the European antivirus companies have a head start, they also may have different insights into the emerging viruses and worms. On the other hand, US companies based in California, such as Network Associates and Symantec, are no slouches at writing antivirus software — you can assume that whatever they create will work.
This talent probably explains why these companies are confident in their own abilities to create anti-virus software as good as or better than any other company out there. Besides, it wouldn’t do to advise your customers to get protection from the competition, so why recommend an additional antivirus engine if you don’t have them yourself?
Now, what about the performance issues? After all, if you have to have every email and attachment scanned twice, it will take longer. Fortunately, email doesn’t operate in real time, so this is hardly a problem. A second or two extra before email hits your server is unlikely to be noticed at all, much less cause a problem.
What this means is that unless you have a very good reason to use a single-engine solution for your enterprise email antivirus gateway, take the safe road and use more than one engine. It offers at least a little extra protection, and that’s important.
After all, getting just a few viruses in your enterprise is very different from not getting any at all, and it could make the difference in making sure your enterprise stays safe.