Enterprise antivirus: Best practices for smooth deployments

Dominic Vogel emphasizes the importance of proper planning for deploying a new antivirus product, particularly in large enterprises. Here are his best practice guidelines to follow.

Despite questionable effectiveness against current polymorphic malware threats, endpoint antivirus solutions still play a fundamental role in any enterprise's security strategy. They provide strong first-line defence and are the most visible form of computer security. Once you have gone through the process of choosing a vendor and product that meets your requirements, the next hurdle is how to handle company-wide deployment. Even though these solutions come with extensive documentation and "getting started" wizards, deployment in medium-to-large enterprise settings (1000+ endpoints) or across multiple global locations is by no means a trivial task. It does not matter whether you go with McAfee, Symantec, Trend Micro, F-Secure, ESET, BitDefender, AVG, or any other player in the AV market. Proper planning is an absolute must in order to ensure a smooth and transparent implementation. You can get away with minimal planning in a small business setting, but doing so in a large corporate environment is simply irresponsible. Try following these guidelines when transitioning to a new AV package.

The pilot episode

Potential solutions are generally piloted during the evaluation stage. This is the time when you want issues and problems to arise, so you can suitably address them before wide-scale deployment (or even before purchasing the product). Make sure the pilot group is an adequate cross-section of the company (make sure that computers from finance, IT, marketing, executive, and other departments are all included); otherwise certain complications may arise at inopportune times (you do not want the CFO calling you during his presentation to the board because his AV program is on the fritz). Be sure to document all issues and corresponding fixes or workarounds. This document will form the blueprint of your future deployment plans.

Failure to communicate

Before pushing out the new clients to all employee workstations (laptops/desktops/mobile devices), communicate to your desktop support team and IT service desk that a new antivirus client will be installed on all company computers over the course of the coming days/weeks/months (be sure to inform them of the expected timeline). An engaged IT support staff acts as an enabler for widespread acceptance of the new antivirus program. Provide the support staff with any necessary training so they will be able to address any concerns or questions that may arise from the "user" populace.

I would also recommend posting notice on the company intranet or in common areas, so all company staff are aware of the impending modifications. Transparency is vital, as not informing your colleagues of these changes will only lead to mass confusion and resentment (especially if something goes awry). Develop a project plan with milestone dates and resource allocation, and identify any potential risks. Take a few minutes every day to inform your superiors of the project status. You will be amazed at how much smoother the deployment goes when you take the time to plan.

Down to basics

Current enterprise antivirus programs are bundled with so many features (host intrusion prevention, host firewall, behaviour monitoring, and device control, just to name a few) and intricacies that deploying the solution with all the bells and whistles can lead to unexpected complications. Adopt a "bare-bones" approach by first deploying only the basic AV protection. Once a stable deployment has been completed, further functionality can be added in a staggered approach.

Determine deployment method(s)

In order to deploy the AV product/client across multiple offices and sites, multiple deployment methods will be required. Luckily, most corporate AV offerings allow for many options. For main offices with high-speed LAN connections (most business networks have connection speeds of 10Mbps, 100Mbps or 1Gbps), remote deployment from the central console over the internal connections will suffice. For remote offices connected over WANs of varying bandwidths, pushing multiple client installs over the wire during business hours probably isn't the smartest choice. Depending on latency, your best bet would be to create client install packages (most enterprise AV solutions have tools that help you create such packages) that can then be installed locally on computers at the satellite offices.

Policies first

Before installing a single client, the policies (scanning exclusions, scheduled scans, usability options, update times etc.) need to be reviewed and revised according to your business and technical requirements. Try to avoid using the "off-the-shelf" policies as they are too general. Apply some optimizations to the policies before embarking on massive deployments.

Assess network and infrastructure demands

Familiarize yourself with the network and infrastructure demands of the new antivirus server(s). Determine how updates are distributed from the AV servers to the endpoint clients. Is it minimal traffic? How about updates to satellite offices? By determining the requirements of the AV product and the current capabilities of your network, you can properly address any possible bottlenecks before they bring the network traffic to a crawl (and a noose around your neck).

Quick Draw McGraw

Don't try to be a hero by attempting to install to all 1500 computers and servers within a day. The big bang approach seldom works for large environments. Start off by installing the clients on "low-priority" computers (such as the interns') and get some quick wins under your belt. Start with chunks of 5-10 computers (checking for issues after each chunk) and then gradually double that number over the course of multiple days (or weeks) until all the endpoints are reached. Most products come with compliance tools that help you determine how many of the networked computers have the AV client installed. Servers should be completed afterwards by following a similar pattern (start with non-critical servers first and leave mission-critical servers for after hours).
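The staged rollout described above (low-priority workstations first, waves of 5-10 that double while each wave comes back clean, non-critical servers next, mission-critical servers after hours) can be turned into a concrete schedule and a coverage check. The script below is an added example written for this article; it is not the author's tooling or any vendor's compliance tool. The endpoint names, the tier labels, the inventory records and the rule that a wave with reported issues holds its size rather than doubling are all constructed assumptions for illustration.

```python
"""Staged antivirus rollout planner (added example, not from the article).

Assumptions (constructed for illustration):
  - an endpoint inventory with a tier label per machine,
  - waves start at first_wave and double after each clean wave,
  - a wave that reported issues keeps the same size for the next wave,
  - workstations, non-critical servers and mission-critical servers are
    planned as separate phases, each restarting at first_wave, and
    mission-critical servers are always scheduled after hours.
"""
from dataclasses import dataclass, replace

# Phases in the order the article recommends: interns' machines first,
# remaining workstations, then non-critical servers, then mission-critical.
PHASES = [
    ("workstations", ["low_priority_workstation", "workstation"]),
    ("non-critical servers", ["noncritical_server"]),
    ("mission-critical servers", ["mission_critical_server"]),
]
AFTER_HOURS_TIERS = {"mission_critical_server"}


@dataclass(frozen=True)
class Endpoint:
    name: str
    tier: str
    av_client_installed: bool = False


# Constructed inventory: 8 intern machines, 40 workstations, 6 app servers,
# 2 database servers (names and counts are illustrative).
INVENTORY = (
    [Endpoint(f"intern-{i:02d}", "low_priority_workstation") for i in range(1, 9)]
    + [Endpoint(f"ws-{i:03d}", "workstation") for i in range(1, 41)]
    + [Endpoint(f"app-{i:02d}", "noncritical_server") for i in range(1, 7)]
    + [Endpoint(f"db-{i:02d}", "mission_critical_server") for i in range(1, 3)]
)


def chunk_doubling(names, first_wave):
    """Split names into chunks of first_wave, 2*first_wave, 4*first_wave, ...
    (the article's 'start with 5-10, then gradually double')."""
    waves, size, i = [], first_wave, 0
    while i < len(names):
        waves.append(names[i:i + size])
        i += size
        size *= 2
    return waves


def next_wave_size(current, issues_found, remaining):
    """Control rule between waves (assumption): hold the size if the last
    wave reported issues, otherwise double; never exceed what is left."""
    proposed = current if issues_found else current * 2
    return min(proposed, remaining)


def plan_rollout(inventory, first_wave=5):
    """Build the full wave schedule for endpoints that still lack the client.
    Each phase restarts at first_wave so servers get their own small start."""
    pending = [e for e in inventory if not e.av_client_installed]
    schedule = []
    for phase, tiers in PHASES:
        names = [e.name for t in tiers for e in pending if e.tier == t]
        window = "after hours" if set(tiers) & AFTER_HOURS_TIERS else "business hours"
        for chunk in chunk_doubling(names, first_wave):
            schedule.append({"wave": len(schedule) + 1, "phase": phase,
                             "window": window, "endpoints": chunk})
    return schedule


def mark_installed(inventory, names):
    """Return a new inventory with the given endpoints flagged as done."""
    done = set(names)
    return [replace(e, av_client_installed=True) if e.name in done else e
            for e in inventory]


def coverage(inventory):
    """Compliance view: (installed, total, percent) of endpoints covered."""
    installed = sum(1 for e in inventory if e.av_client_installed)
    return installed, len(inventory), round(100 * installed / len(inventory), 1)


if __name__ == "__main__":
    for wave in plan_rollout(INVENTORY):
        print(f"wave {wave['wave']:2d} [{wave['phase']}, {wave['window']}]: "
              f"{len(wave['endpoints'])} endpoints, first {wave['endpoints'][0]}")
    after_first = mark_installed(INVENTORY, plan_rollout(INVENTORY)[0]["endpoints"])
    print("coverage after wave 1:", coverage(after_first))
```

Re-running `plan_rollout` on the updated inventory after each wave keeps the schedule honest: machines that were re-imaged or could not be reached simply reappear in the next plan, and the `coverage` figure is what you report to your superiors each day.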

Remove previous AV product(s)

Completely removing all traces of the previous AV client is an absolute must, as having two different AV products competing for system resources and clashing during real-time scanning will lead to severely degraded and erratic system performance. This will lead to an unruly and bloodthirsty mob banging on your door. Unfortunately, successfully removing and uninstalling enterprise antivirus products can be more difficult than dealing with a used car salesman. They are notoriously difficult to fully uninstall (especially the registry entries). For centrally managed products, it is possible to remove the AV suites remotely. However, these remote uninstalls occasionally hit snags and further work (attempting a local uninstall or even re-imaging) may be required.
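A practical check for the two failure modes described here (two AV products running side by side, and registry leftovers of the old product after an uninstall that only partly succeeded) is to reconcile the asset list against an inventory export and flag every host that needs follow-up. The script below is an added example written for this article, not a vendor tool or the author's own script. The product names `NewAV` and `LegacyAV`, the CSV export format with a `service`/`registry` evidence column, and the host list are constructed placeholders.

```python
"""Post-deployment AV reconciliation (added example, not from the article).

Assumptions (constructed for illustration):
  - ASSET_LIST is the authoritative list of hosts that must be protected,
  - EXPORT is an inventory export with one row per product found per host,
    where 'evidence' is 'service' (product is running) or 'registry'
    (only registry entries remain, e.g. after an incomplete uninstall),
  - NewAV is the product being rolled out, LegacyAV the one being retired.
"""
import csv
from collections import Counter
from io import StringIO

NEW_PRODUCT = "NewAV"            # placeholder name for the new client
LEGACY_PRODUCTS = {"LegacyAV"}   # placeholder name(s) for the retired client

ASSET_LIST = ["ws-001", "ws-002", "ws-003", "ws-004", "ws-005"]

# Constructed export: ws-002 runs both products, ws-003 has registry leftovers
# of the old product, ws-004 was never migrated, ws-005 reports nothing at all.
EXPORT = """hostname,product,evidence
ws-001,NewAV,service
ws-002,NewAV,service
ws-002,LegacyAV,service
ws-003,NewAV,service
ws-003,LegacyAV,registry
ws-004,LegacyAV,service
"""

# Follow-up order: a running conflict hurts users now, leftovers next,
# then hosts with no protection, then hosts still waiting for migration.
SEVERITY = ["conflict", "remnant", "unprotected", "pending", "ok"]


def parse_export(text):
    """Group export rows as {hostname: [(product, evidence), ...]}."""
    by_host = {}
    for row in csv.DictReader(StringIO(text)):
        by_host.setdefault(row["hostname"], []).append((row["product"], row["evidence"]))
    return by_host


def classify(findings):
    """Map the products found on one host to a single status."""
    new_running = any(p == NEW_PRODUCT and ev == "service" for p, ev in findings)
    legacy_running = any(p in LEGACY_PRODUCTS and ev == "service" for p, ev in findings)
    legacy_leftover = any(p in LEGACY_PRODUCTS and ev == "registry" for p, ev in findings)
    if new_running and legacy_running:
        return "conflict"      # two real-time scanners competing
    if new_running and legacy_leftover:
        return "remnant"       # new client fine, old registry entries remain
    if new_running:
        return "ok"
    if legacy_running or legacy_leftover:
        return "pending"       # still on the old product, not yet migrated
    return "unprotected"       # on the asset list but nothing reported


def reconcile(assets, export_text):
    """Return (status per host, counts per status, hosts needing follow-up
    sorted by severity then name). Hosts absent from the export count as
    unprotected rather than being silently skipped."""
    by_host = parse_export(export_text)
    status = {host: classify(by_host.get(host, [])) for host in assets}
    counts = dict(Counter(status.values()))
    follow_up = sorted((h for h, s in status.items() if s != "ok"),
                       key=lambda h: (SEVERITY.index(status[h]), h))
    return status, counts, follow_up


if __name__ == "__main__":
    status, counts, follow_up = reconcile(ASSET_LIST, EXPORT)
    print("summary:", counts)
    for host in follow_up:
        print(f"{host}: {status[host]}")
```

The important design choice is that the asset list, not the AV console, is the source of truth: a host that never reports in is the one most likely to have neither product installed, and a console-only view would never show it.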

A pain-free antivirus transition cannot be guaranteed, as there are many variables that need to be taken into account. These recommendations, while not bulletproof, will help ensure that any disruptions are kept to a bare minimum.


Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.