ForeFront Security for SharePoint: Scheduling and Pausing Manual Scans
Hi all:
I'm running ForeFront for Sharepoint v 10.1.0802.0, SP2, against an existing series of content databases that total about 2.5 TB of data. This data was NOT previously protected by any antivirus software, so I would now like to go back through to scan existing documents to be sure we are completely clean. I have 4 Web Front Ends available. This raises 2 questions:
1) I'd like to NOT be scanning the old data during normal hours, due to performance considerations. I can already schedule a manual scan: can anyone tell me how to pause it, then have it resume where it left off when peak times are past?
2) Can anyone tell me a good way to confirm when the AV scan of all the old data is complete? I'd hope ForeFront was "smart" enough to not have a web front end re-scan an area another one had already scanned, but I do not see how it would do this--the VirusVendorID; VirusStatus and VirusInfo columns in the content DB do not seem to be consistently updated, based on running a scan and then checking them.
Thanks in advance for the help,
Mark Schlegel
All replies
- Hi Mark, ok:-
1) The scheduled scan job cannot perform a pause of the scan unfortunately. To accomplish this you would have to manually start and pause the scan using the "Quick Scan" within the Forefront Administrator MMC (Operate->Quick Scan).
2) Sharepoint WFE (Web Front End) servers use a network load balance design rather than a clustered design, as such the information that Forefront has located on one WFE server is not shared to the other WFE servers. As such, if you start a scan on one WFE server and another on a different WFE server, you would have 2 scans running on the database. This said, Forefront does use a virus stamp which means that when a document is scanned, a stamp is added (or altered) on that document which will denote which engine and version of that engine was used in the scan. From this Forefront can ensure that the same engine with the same engine version is not used again to scan this document.
I hope this answers your query,
Alex
- Alex:
Thank you for your response, it's very helpful. For 1), we'll learn to live with it, I guess. We'll have to see how resources are used in real life.
For 2), it sounds like ForeFront's operation approximates what we want, in that we don't want to waste resources rescanning with the same engine via one WFE, then another, etc. We are beginning with only one engine enabled on each of 4 WFE, and we have set each for MS Malware plus one other engine, which is different on all 4 WFEs. As we can track performance, we will add more engines to each WFE.
In your opinion, is it best to designate one WFE as the scanner for Manual checks of existing data, or does something like the above in 2) sound like what is used more often?
Thanks again for the quick information,
Mark
- Hi Mark,
If all WFE servers are the same then it doesn't really make any difference if you designate one server or use a different one each time. If you have different hardware specs for your WFE then it would make sense to use one of the higher spec machines as the manual scan will place extra load onto the server. If you find that the server becomes unresponsive during the scan and this is affecting your sharepoint users then I would recommend removing the server from the NLB before starting the scan. This should stop users from experiencing issues when interacting with Sharepoint, but you must ensure that the remaining servers can cope with your workload without this server. It may be better to leave this server in the NLB and have a smaller number of users affected.
With regards to selecting only one engine for scanning, this will reduce the amount of memory that each scanning process uses but you also lose the ability for Forefront to decide which engine is best to scan the particular document type. Normally you have to make a compromise between usability and security. If you remove engines, you should increase the Bias setting. The Bias setting basically works as:
Neutral = half of the selected engines
Max Certainty = all of the selected engines
Max Performance = 1 engine
So Forefront has a default configuration of 5 engines enabled and Bias set to Neutral, which means that 2 to 3 engines will be used. If you reduce the number of engines enabled to 2, you must then increase the Bias setting to Max Certainty to provide a similar level of protection. Obviously you may need to trade off your protection level for performance or maybe you could lose performance to increase your protection.
I hope this explains this a bit better.
Alex

