14 DAY TRIAL // Microsoft is working to fix a memory consumption issue affecting customers of its Antigen and Forefront security solution, indicating that at fault is the Norman antivirus engine. According to Microsoft, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Security for Office Communications Server, and the Antigen family of products were all affected by issues associated with Norman version 5.93.6. Molly Gilmore, a program manager on the Forefront Security Rapid Response Engineering team, explained that Forefront Server and Antigen product lines were both affected, but that most complaints came from Antigen customers.
“On February 27, 2009, Microsoft Antigen customers began reporting significant increases in the amount of memory utilized by the Norman Virus Control engine. Memory required by Antigen scan jobs that had the Norman engine enabled started to exceed 350 MB per scanning process. For some customers, the impact was a significant reduction in available memory for other applications and processes and an allocation of all of the available system page pool by Antigen. There were also fail-over events reported by customers running Antigen in a clustered environment,” Gilmore explained.
At the start of March 2009, Microsoft identified the issues as being the Tuesday, February 24, 2009 update package 0902240003 for the Normal antivirus engine. According to Gilmore, the problems with memory consumption were generated by the performance improvements brought to the table by Norman 5.93.6. The enhancements were designed to increase the availability of the engine in the context in which Forefront Server and Antigen unload and reload Norman following the implementation of every signature update.
“Part of the intended performance improvements in Norman 5.93.6 included a change to store signature definition information that was previously written to disk to be kept in memory. The result was an average increase of about 50 MB of memory usage each time the Norman engine loaded. Each scan job running within Antigen (and Forefront Server) will load an instance of an enabled engine so that the cumulative result of an Antigen deployment with four Realtime scan jobs would be an additional ~200 MB of memory allocated by the Norman engine on the server,” Gilmore explained.
Responding to the issues reported, Microsoft rolled back the latest Norman version to that released on February 13, 2009. The Redmond company continues to look for a permanent solution to the problem. But for the time being “if you have downloaded a Norman update package with a version of 0902260005 or greater, then you have replaced the version of the Norman engine that requires higher amounts of memory with one that had been successfully deployed to customers previously,” Gilmore stated.