So after having had the discs sat on my desk for months, I finally had a go at installing Forefront on a VM. Here are my first impressions.
Installation – Surprisingly easy. Just fill in the boxes, and away it goes. It will need an account that can access the SharePoint content databases. I don’t know if this would be much more complicated for a multiple server farm (I doubt it, looking through the help files). And the eval version I’m trying with has a surprisingly long 120-day test period.
Admin interface – Well, pretty ‘industrial’. It’s not too bewildering though, to the typical admin; I managed to understand it without difficulty.
Antivirus Engines – Yes, it comes with them. And with several different AV engines. I don’t know what the deal Microsoft cut with the AV engine companies is like, but that’s a great idea. Whenever I mention that Forefront uses third-party AV engines you can see a look of fear in customers’ eyes as they think they’ll have to buy a separate licence for that.
I like the theory behind multiple engines, too; that it means your ‘unprotected’ time is minimised to the fastest of the antivirus companies’ updates (and your own update schedule!). It also means that you don’t have a monoculture; if someone finds an exploit for one VM, well, it probably won’t work for them all.
Speaking of virus definition updates, they can be scheduled…
…and you can have a central update server that grabs the updates and distributes them throughout a farm, apparently.
Scanning can be realtime and/or a scheduled activity.
You can also do quick scans of parts of your SharePoint System.
Administration in SharePoint – Well, you can configure the scanning in SharePoint. Allowing Scan on Upload and/or download is nice (and, in my opinion, essential!)
Does it work? – Well, I tested Forefront by trying to upload an Eicar file. Getting it past our own antivirus on the host proved impossible, but fortunately cutting and pasting the code got it into my VM. Trying to upload a text file with the Eicar code in it resulted in:
Reports – Pretty simple, but adequate. We can see a list of incidents and what happened, and items that have been quarantined.
We can also set up notification emails:
Content Filtering – Forefront can also do content filtering – basically, matching keywords against content, to allow you to monitor it for questionable content. The filters can be complex rules, I gather, but unfortunately I don’t seem to have Microsoft’s example filter list.
Actually, it’s worth noting, there are filters for text in the content of the site, and also for file names. You can then configure your scan jobs to use these different lists.
One thing I did find on the ‘Action’ options for filters was the option to ‘Block: Prevent Transfer’. I tried this, and hit a snag. I edited a SharePoint page to contain a matching term, and published it. I was shown an error:
Not a very useful error in explaining what’s happening. Worse, now I can’t get to my page to remove the offensive term. When I turned off the ‘‘ option, the exception went away – but although I was now informed of the offensive content, users could see it too. I guess that makes sense though – blocked content would block the edit page too!
Conclusion – Not flashy, not sexy, but seems to do what it says on the tin. Should be a part of system.