One is not enough when it comes to anti-virus engines and solutions

In Dan Morton’s recent review of several enterprise antivirus packages, use of multiple anti-virus engines was something he considered an important characteristic. In fact, the anti-virus solution with the best score, GFI’s MailSecurity, can use multiple anti-virus engines to beef up virus scans. While working on a companion piece for Dan’s article, I noticed that the anti-virus market leaders, Symantec and Network Associates, didn’t follow this practice. They used one engine for their e-mail server products — their own.

Intrigued by this, I talked to the companies involved and found just what you’d expect: Each company said they were doing it the right way. I talked to some independent consultants as well, and they seemed to agree that there were good reasons to have more than one company providing the information your anti-virus product needs to do its job. But it was hard to get anyone to commit to a full-out recommendation; there is, as the consultants noted, a performance cost to using more than one anti-virus engine.

Since it was clear that there was no definitive, independent authority on this topic, I decided to give it some thought. After all, we’re clearly suffering from an authority vacuum here, and I might as well try to fill it. The first question I tackled was whether it is really necessary to have more than one means of checking your e-mail as it enters your enterprise. That seemed an easy question to answer — e-mail is, after all, your single most significant point of exposure to virus threats. If malicious code is going to penetrate your defenses, this is where it will come first. The risk is pretty high.

In addition, it’s clear that many of the virus writers are in Asia, the Middle East, and Europe. A company with a presence to the east of the continental United States may have an edge in discovering a new attack and starting work on defensive measures, perhaps reacting sooner and more accurately. After all, Europe’s business hours start five or six hours before we hit the Starbucks in the eastern United States.

So in addition to the fact that the European anti-virus companies have a head start, they also may have different insights into the emerging viruses and worms. On the other hand, US companies based in California, such as Network Associates and Symantec, are no slouches at writing anti-virus software — you can assume that whatever they create will work. This talent probably explains why these companies are confident in their own abilities to create anti-virus software as good as or better than any other company out there. Besides, it wouldn’t do to advise your customers to get protection from the competition, so why recommend an additional anti-virus engine if you don’t have them yourself?

Now, what about the performance issues? After all, if you have to have every e-mail and attachment scanned twice, it will take longer. Fortunately, e-mail doesn’t operate in real time, so this is hardly a problem. A second or two extra before e-mail hits your server is unlikely to be noticed at all, much less cause a problem.

What this means is that unless you have a very good reason to use a single-engine solution for your enterprise e-mail anti-virus gateway, take the safe road and use more than one engine. It offers at least a little extra protection, and that’s important. After all, getting just a few viruses in your enterprise is very different from not getting any at all, and it could make the difference in making sure your enterprise stays safe.