We have about 65 users and use McAfee VirusScan 4.5.1. Until recently we had standalone installations which checked for fresh DATs hourly (yes, really) and ran a full drive scan at lunchtime.
We recently put ePolicy Orchestrator 2.5.1 on a server. Overall, it seems very useful. Before we implemented it, I would've boasted that our standalones did a good job of maintaining themselves, but ePO revealed some exceptions, including one of the servers.
If another FriendGreetings-style threat arises, I can fire up the ePO remote-admin app on my workstation, add the URL to the blocked list for 4.5.1's web filtering, push a wakeup call to the ePO Agents, and users lured thither will be informed that it's been blocked due to "possible hostile content."
If an immediate threat arises, such as a worm attack, I would have to say that if it can get past the real-time virus scanning (everything plus heuristics), then a full drive scan won't catch it either; but if there's a task we want run right away domain-wide, whether it's a DAT update or a hard-drive scan, we can set up the task to run "immediately" and then issue a "wake-up" call to the ePO agents on the PCs, which will pick up the new task and execute.
So overall, I have to agree... central policy creation and enforcement has a lot of value, provided it's monitored.
Heh, I didn't mean to put my McAfee post on your branch, sorry about that.
If you can get your IT folks to upgrade your hard drive to a recent-model 7200RPM unit, it will definitely reduce the impact and the time required for the daily scan. Alternately, maybe they can schedule your scan to occur after-hours if you agree to make a policy of leaving your workstation on (but locked) when you leave, and set it up to go on standby after 3 hours of idle time. Let them know it's an issue for you, and hopefully they'll try to help resolve it.
Personally, I'm running 15000rpm SCSI on my workstation: http://www.anandtech.com/mysystemrig.html?rigid=18941 It can plow through a full heuristics-enabled scan of 10Gb of data in about 20 minutes, and the system is very useable in the meantime.
Without getting into the specifics, I would say that the problem is not the tool (office scan), but the use of the tool. Why are they scanning each PC every day? Are they not using real-time protection? Sounds like a classic mis-use of a 'tool'!
I don't believe they were talking about kicking off a system scan for viruses, but rather updating the antivirus software from a central location. Virus definition updates are usually invisible and unnoticeable to the end user, as they should be.
A scan of the hard drive for viruses is a whole different bag of worms and scheduling those is tricky at best because even on a fast machine they can take a half hour or more, depending on the size of the hard drive and how full it is.
At all of my sites where the AV is centrally managed, scans are done once a week on individual machines. The server updates definitions once a day and pushes them as necessary to the workstations. The mail server has e-mail scanning powers, and our firewall is locked down tight. We haven't gotten any virii since we implemented those procedures.
Running a P400 and complaining that it is the Virus software's fault for performance degradation is a laugh. Yeah Yeah I know the budget doesn't have replacement $$$ for the Old PC's. Perhaps you think that no Virus checking should be run?? Also a smaller footprint software like Symantec Corp. edition would help. I have over 20 client sites using Symantec Corp edition on networks from 5-70 PC's who never know it runs....yes several clients running OLD hardware P-II 400 w/64Mb Ram and yes they notice that at times of the scan the PC is slower but they never have the opportunity to interact with the software and thus never have the opportunity to make an erroneous decision on course of action. To accommodate these client PC's we try to schedule scans around meetings, lunch and breaks even breaking up scans of type during the day to lessen the time overlap of scans and PC usage. On any of the PC's in the 1+ Ghz range I've NEVER had a user notice or complain of performance issues (out of 500+ PC's if it was an issue I'd have heard feedback).
While most of my network hardware has been upgraded, I still have a bunch of (are you sitting down?) P133's with 32MB RAM!! I use Symantec Corporate Edition and even on these old dinosaurs, Real-Time protection running in the background is unnoticeable, however the forced full system scans can take a while but it's not Symantec's fault! On my faster machines it zips through. And yes, those P133's are slated for replacement this summer, cross your fingers that the budget will allow it.
In many cases where client computers are limited in power (yes, I still have a few clients who are running some hardware in the p-133 class, with 64mb of ram), I always switch them to Norton Corporate Edition specifically because it has such a light footprint. And I set up the scans to run at night when the system is not in use, if the client is shut down, then the penalty they pay is that the scan runs at next login...
And I strongly subscribe to the layered approach - I operate a shop that does a lot of carry in service, cleaning up virus damage, and I have seen hundreds of viruses that the latest Norton won't detect, and that Trend Micro will, AND VICE VERSA. Don't put all of your eggs in one basket - put something on your email server, and something totally different on your clients, and learn how to use it. If you don't have your own email server, most ISPs and hosting contractors offer scanning for a small additional charge.
I work for a Fortune 500 company, systems around the planet. We too use Trend Micro for approx. 600 NT4/W2K systems and Exchange. It is not bulletproof but has made managing the virus issues easier. A potential problem is that using different client software, NAV, that has a different signature process can trigger issues that one product recognizes (Trend) and the other ignores (NAV). I am waiting on a newer web-console version of Trend to allow better management capabilities (hopefully due out 1Q 2003), but overall am happy with Trend.
OfficeScan Corporate Edition or Control Manager? Just wondering, I'm looking to do somewhat the same thing (25 Computers) and am looking for real-world applications so I don't destroy my network in the process.
TIA
I researched for about 6 months which product would serve my needs. I have about 8 servers and 50 workstations. In addition I have a Citrix Server that has about 30 users. I was looking for a product that would automate an otherwise time consuming task. Trend Micro's "Server Protect" (for NT Servers and my Citrix Server) and "OfficeScan" for the workstations, Win95, Win98, Win2K and Windows XP. Server Protect is almost completely automated. OfficeScan requires checking for the update, which we do daily, but pushes the updates to the workstations automatically without their intervention when they log on. They cannot prevent nor shut down OfficeScan (protected with a password), but I can shut it down for installs. I absolutely love these products and they have saved a tremendous amount of time. TrendMicro is one of two products certified to work with Citrix.
You can set your OfficeScan server to automatically check for updates. We have ours check for updates every hour - TrendMicro often has more than one update per day. FYI, The workstations actually pull the updates when users log on - I wish they could be pushed.
Hi Robert,
Good article. Here are a few options, some tough but necessary, that are performed at several locations where friends are also security officers. 1st, have a mirror copy of your anti-virus server on another server, preferably in a DMZ or not connected to the Internet at all. 2nd, have a disaster team that creates either a daily or weekly report of when all machines are updated. 3rd, deny Internet & email access to any machine not updated in a pre-determined amount of time. The most current antivirus update is like air, you need it to live. Period. 4th & finally, perpetual end user education, regularly train people about email & the Internet & remember these 7 words: Always err on the side of caution.
Be a little mistrustful, always wary, as previous generations said, Remember the Alamo, Remember Pearl Harbor today--- Remember the World Trade Centers. The price of freedom IS eternal vigilance. Update or deny access, this is the best way.
Good disaster planning. I'm using Norton managed version and was able to push the software to the client machines as well as the signature. Very easy process and the management console is easy to train I.S. staff on its use. I push the signature every 60 minutes and scan during backup so the users don't get irritated and I get the cleanest possible backup. I haven't tried Trend, am not happy with McAfee and have stuck with Norton for years. I'll be setting up a mirror server in the next few weeks after a server upgrade, based on your post. Thanks for your insights.
This article mentioned the single point of failure of centralized management. I agree with that.
As far as I know, Trend Micro has a solution in its products to deal with this situation.
If a user's machine cannot contact the centralized management server, it can connect to Trend Micro's home site or some other predefined locations to ensure the latest pattern (signature, in some vendors' terms).
It is particularly useful for notebook/remote users.
McAfee's ePolicy Orchestrator is a centralized server, however, it is not what I would consider a single point of failure.
By using distributed repositories to distribute DAT files and product updates, client PCs continue to update as long as you can get files to the distributed repositories.
We have multiple repositories configured, the last being McAfee itself. The clients proceed down the list until they find one they can get to. So, if our centralized server were to go down, the clients would continue to update themselves indefinitely using the configurations and tasks they received the last time they connected to the server.
If the ePO server were to go down due to massive hardware failure it would not take much to get back to where we were long before any clients were impacted.
Trendmicro again.
They can push the patterns (signature) and the scan engine to clients.
I used to use McAfee anti-virus management edition for maintaining and rolling out the latest DAT and engine versions to my machine. In my ignorance I put total faith in the system until I discovered that it was not reporting correctly on the DAT level of a couple of the machines in the building. We found out only when a virus broke out whilst I was on my honeymoon and I came back to a riddled network. Not a good day. I have built my own upgrade and check system that works as follows:
Each morning one machine looks for the next DAT file on McAfee's FTP site. If it finds it, it downloads it onto that machine. It emails me with a success or failure message so I know it has been running okay. It then copies the downloaded file into our netlogon directory on each domain controller and runs the at command to tell each server to upgrade silently in 10 mins time.
The login script is then automatically updated to know about the latest DAT file. When a user logs on, the login script checks what anti-virus level is on the machine, updates it silently if it is a previous version and emails me to let me know that it has done it. If there is not the expected anti-virus on the machine, it is installed automatically and the user is sent an email telling them to log off and back on again to update the DAT file to the latest version. Again, I am emailed so I know what is happening.
And finally, twice a day a scan is run on the network to check what virus level everyone is at and I am emailed a report so I can see if any need doing (copy DAT file to the relevant machine and at command to silently update).
Whilst ornate, it works, automatically with only a few hours delay between the dat file becoming available and all machines on my network being at the latest level. Everything is reported by email so I can soon see if there are any problems.
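Added example, not part of the original post or of any vendor's tooling: the twice-daily level check described above, written so that a machine the scan never reached is flagged rather than assumed current (the failure this post starts with), together with the "update or deny access" list suggested in the earlier reply. Host names, DAT numbers, the 12-hour reporting window and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ScanResult:
    host: str
    dat_version: Optional[int]  # None means no antivirus was found on the machine
    checked_at: datetime        # when the network scan last reached the machine


def audit(inventory, results, latest_dat, now, max_age=timedelta(hours=12)):
    """Classify every host in the authoritative inventory (e.g. the domain's
    machine list). The inventory drives the loop, so a host with no result,
    or only a stale one, is reported instead of silently dropping out."""
    newest = {}
    for result in results:
        key = result.host.lower()
        # Keep only the most recent result per host.
        if key not in newest or result.checked_at > newest[key].checked_at:
            newest[key] = result

    known = {host.lower() for host in inventory}
    report = {"current": [], "outdated": [], "no_av": [],
              "not_reporting": [], "unlisted": []}
    for host in sorted(known):
        result = newest.get(host)
        if result is None or now - result.checked_at > max_age:
            report["not_reporting"].append(host)
        elif result.dat_version is None:
            report["no_av"].append(host)
        elif result.dat_version < latest_dat:
            report["outdated"].append(host)
        else:
            report["current"].append(host)
    # Machines that answered the scan but are missing from the inventory.
    report["unlisted"] = sorted(set(newest) - known)
    return report


def restricted_hosts(report):
    """Hosts that are not provably current: candidates for losing Internet
    and e-mail access until they update."""
    return sorted(report["outdated"] + report["no_av"] + report["not_reporting"])


def email_body(report, latest_dat):
    """Plain-text report, problem categories first."""
    lines = [f"DAT audit, expected level {latest_dat}"]
    for status in ("not_reporting", "no_av", "outdated", "unlisted", "current"):
        hosts = report[status]
        lines.append(f"{status} ({len(hosts)}): {', '.join(hosts) or '-'}")
    return "\n".join(lines)


# Constructed sample data.
NOW = datetime(2003, 1, 15, 14, 0)
LATEST_DAT = 4240
INVENTORY = ["PC01", "PC02", "PC03", "PC04", "SRV01"]
RESULTS = [
    ScanResult("PC01", 4238, NOW - timedelta(hours=20)),  # older result, superseded
    ScanResult("pc01", 4240, NOW - timedelta(hours=1)),
    ScanResult("PC02", 4238, NOW - timedelta(hours=1)),   # one DAT behind
    ScanResult("PC03", None, NOW - timedelta(hours=1)),   # no antivirus installed
    ScanResult("PC04", 4240, NOW - timedelta(days=3)),    # last seen 3 days ago
    ScanResult("LAPTOP9", 4240, NOW - timedelta(hours=1)),  # not in the inventory
]  # SRV01 has no result at all

if __name__ == "__main__":
    report = audit(INVENTORY, RESULTS, LATEST_DAT, NOW)
    print(email_body(report, LATEST_DAT))
    print("restrict:", ", ".join(restricted_hosts(report)))
```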
I've been using Norton AV for years (probably since version -1 or so) and it has always suffered from a major problem: after a live update (or after updating with their downloadable intelligent updater) the PC crashes in about 25% of the cases (black screen on reboot), or boots but you get the message "NAV unable to initialize virus definitions". Their proposed solutions have never worked; I've had to remove and reinstall NAV every single time. After much legwork, I've determined both of these problems to be traceable to the module NAVAP.VXD, and informed Symantec of this problem any number of times, but they've never replied with anything that shows some thought, nor have they fixed it. Therefore, the heck with them. I've moved on to AVG, which seems so far to do the job with no problems.
In the article it was stated "all workstations will be without a way to update their virus signatures - unless each machine has an Internet connection."
I would guess for most organizations we're not talking a long response period to such an event. I can't speak to other AV solutions, but with Norton AV Corp Ed., if the primary server is lost, another server can be assigned as primary, and client settings can simply be updated from the central console to reflect the new primary server. All clients need not be isolated for long, nor require access to the internet to get updates.
If the workstation has not got internet access then how will it get the virus? Disk/CD-Older virii that should already be covered, Email-That server should be protected (ideally by a different AV program), Network-How did the machine it is coming from get infected?
Yes it is still possible, but the odds are much lower than normal.
I agree that using a second/backup server would be the best. I currently have 2 distribution servers set up to send out signatures. About half of all the machines go to each server with the other server set up as the secondary server.
group - primary/secondary/ftp
1st half - server1/server2/ftp
2nd half - server2/server1/ftp
In this way, a failure of one server does not affect distribution other than putting a heavier load on one server until the other one can be brought back up. Even if we were to have a double failure the clients are still set up to access the updates via FTP. I'm not sure of any other vendors, but CA InoculateIT 6.0 does allow more than one point of distribution. I am assuming that 7.0 will do the same.
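Added example, not part of the original post or of any product's configuration format: a check of the primary/secondary/ftp table above that walks every combination of failed sources, shows where the client load lands, and contrasts it with the single-server layout the article warns about. The group sizes and the single-server contrast case are assumptions; the post gives no machine counts.

```python
from itertools import combinations

# Ordered update-source lists per client group, copied from the table in the post.
REDUNDANT = {
    "1st half": ["server1", "server2", "ftp"],
    "2nd half": ["server2", "server1", "ftp"],
}
# Contrast case (constructed): every client depends on one server, no fallback.
SINGLE = {
    "1st half": ["server1"],
    "2nd half": ["server1"],
}
# Assumed group sizes, for illustration only.
SIZES = {"1st half": 40, "2nd half": 40}


def pick_source(order, down):
    """Return the first source in the client's list that is still up, or None."""
    for source in order:
        if source not in down:
            return source
    return None


def load_by_source(groups, sizes, down):
    """Number of clients landing on each source for a given set of failed sources."""
    load = {}
    for group, order in groups.items():
        source = pick_source(order, down)
        load[source] = load.get(source, 0) + sizes[group]
    return load


def stranding_failures(groups, max_failures):
    """List every combination of up to max_failures failed sources that leaves
    at least one group with nowhere to update from."""
    sources = sorted({s for order in groups.values() for s in order})
    findings = []
    for count in range(1, max_failures + 1):
        for down in combinations(sources, count):
            cut_off = sorted(group for group, order in groups.items()
                             if pick_source(order, set(down)) is None)
            if cut_off:
                findings.append((down, cut_off))
    return findings


if __name__ == "__main__":
    for down in (set(), {"server1"}, {"server1", "server2"}):
        print(sorted(down), load_by_source(REDUNDANT, SIZES, down))
    print("redundant, up to 2 failures:", stranding_failures(REDUNDANT, 2))
    print("single server, 1 failure:   ", stranding_failures(SINGLE, 1))
```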
We've been using InoculateIT from CA since 1999 and we've had only 1 case that damaged 1 workstation (it was a messenger attack). Its performance is acceptable as a local/real-time file scanner, and on Exchange and firewall servers it looks great. I think it's another real enterprise solution to look at.
I also use InoculateIt and have for several years. It works so good that I never think about it except when I add a new workstation to the network and have to load and configure it in the central administration screen.
I also have it set up on my Exchange Server and have it both scanning all attachments and blocking certain specified file extensions. Haven't had a virus outbreak since installing it.
I've used a few other virus solutions in the past and ended up un-installing them because of the huge slowdown they caused. With InoculateIt, there is no impact at all.
I would gladly pay extra for InoculateIT, I have had no problems since installing it 3 years ago. I work in a subsection of a large government department and we are the only section never to be infected.
We have also been running InoculateIT for over a year now, after moving from McAfee. We did a price comparison and InoculateIT won hands down from McAfee and Norton. We also looked at Nod32, but were not convinced that it was fully established yet, plus was also a little more expensive than InoculateIT.
Have had no problems with it yet.
I have seen many computers where the person who always has trouble will have the latest software installed vs the employee who never calls the help desk still has 3 or 4 viruses running in the background with corporate virus edition version 4.x......... What needs to be implemented are better users that are not scared of calling the help desk more often.... Again it's these same users that don't call that have many minor issues with the PC and never call until the computer is completely dead and scream and yell for a new one.
And it's those screaming end users that blame it for every problem they started in the first place by bringing software from home that is already infected.
True centralized antivirus management, when PROPERLY implemented, takes charge and doesn't rely on the end user to be smart enough to update/replace or even install the right software.
What it (centralized management) DOES is to push the most current software AND virus definition files to the end user's pc WITHOUT the need for their permission (it is the company's property after all), and if they try to use email or software that has been infected, say from home, the Up-To-Date AV will capture/kill/report the incident to the administrator and then the end user will have their hands full explaining why they were using home software on the company pc without IT's or administration's permission! What's great about all this is that it takes almost no interaction by the IT dept since a properly configured central managed AV does all the work automatically right up to the report, at which point the IT dept has the responsibility of either working with that user or reporting them to management.
End Of Story...
At least minimum training should be implemented. Even in our small organization this is so. Please do not treat users as lower life forms however!
Some users need to be treated like idiots - or children, at least. I can't tell you how many calls I still get from frantic users (mostly women, sorry girls!) saying "my computer's going crazy", "all this new stuff I've never seen is coming up", or "it just won't do anything, . . ." and such complaints. Needless to say, I get there to find a simple warning from the AV program or a window too large for their screen (and they can't see the button they need) or something else equally ridiculous. 90% of times if they just read the message they wouldn't even have to call me. I patiently explain what they're seeing and how they should handle it (read it!), only to be called back again soon. The only thing worse than this is the secretaries who (after 9 years of being on a Windows PC) still ask how to copy & paste text (!!) and save files somewhere other than My Docs. And what's with the "I don't know what I clicked on" answer? Weren't you there when you did it? Yet somehow, these women manage to shop all day online without a problem.
Good Grief!
Norton Corporate Edition has worked well for us. I currently have it installed at 4 centers and I for one love it, it has saved me sooo much time and effort.
As far as the single point of failure goes with NAVCE you can set up multiple AV servers to handle signature updates. In the event of an extended outage of one server switching the clients to another server is a matter of copying over one 6kb file.
NAVCE also allows you to update the virus defs for the server (which in turn will update the other servers which in turn updates clients) manually as well as on a schedule. So you can have the updated defs on the clients machines within an hour or so of Norton releasing the updates if you so desire.
Basically since installing NAVCE I only have to check the server for any viruses found and if there is any action required on my part to clean up/delete quarantined files.
Granted the scans do slow the client machines down but the Administrator can resort to scanning during the day for machines that don't get left on at night.
Certainly more Pros than Cons from my perspective...
As for resource usage while scanning, you can always set the CPU usage for the client scan. At the lowest setting the user usually doesn't even know it's running a scan.
As for single point of failure, as I recall you don't even have to copy over a file - just re-roll-out NT clients from the new (or different) server...
I've distributed all of my clients among 4 different NAV servers.
I've many clients. What can I do to switch client PCs to another NAV server in case any NAV server fails? (Preferably without reinstallation. Any better way to handle this?)
Norton Corp has a file GRC.DAT that will move clients from one server to another. Copy it from the new server onto the client machine. (I forget exactly where to copy it but I'm sure Symantec's knowledgebase has articles that'll tell you where to put it.) Alternatively, the same file can be copied to the old server, and it'll push out the new server configuration to all its client machines...
My company had just signed an agreement with F-Secure in August 2001. We were starting to implement it to replace an old version of Dr Solomon. After being struck by Nimda in September 2001 the implementation was done on 250 clients in three days.
The reason we chose F-Secure was the administration of signature updates. This is done more or less automatically when you use the Administration software. The client software checks if the server has any updates available at each logon and several times per day. The downloads are very small, so once you have a basic install you can even have the update taking place over a slow modem.
There is no need to schedule the updates, it will update as soon as something is available. There is no maintenance needed after the basic installation. Installations and updates can be done remotely from the server.
There are probably other packages that do the same, but F-Secure has worked excellently for us.
Bengt
I rolled out F-Secure at my current company after using it at my last one and it's about as dead simple and reliable a product as I've ever used. The installs push nicely, you can upgrade the management agent and the AV software itself from the admin console, and I'm never more than an hour out of date from the latest definitions. Since installing it F-Secure's caught everything the net could throw at it. I get alerts to my inbox and cellphone automatically. It's as close to "set it and forget it" as any software can reasonably be.
I know this discussion is about Centrally Managed AntiVirus Software, but can you also post a forum on a comparison of all of the Centrally Managed AV Software Products? Highlighting what features each has to offer and their usability.
I currently use Symantec's NAV Corp. Ed. 7.5 and have bought into the new upgrade to the Symantec Antivirus Enterprise Edition. After years of using the old Norton AntiVirus Corporate Edition, I finally have it set perfectly and am just wondering how the new version stacks up.
I only have a small 10 user network and we elected to utilize the McAfee Virus Defense ASaP.
It was okay at the beginning. Then they took all control of the Virus Scans and Updates away from us. We can no longer perform scans and updates when the business has slack time or at night.
It seems to never fail, that when we are accomplishing invoicing and shipping, trying to get our products out the door before closing, that McAfee will start its update and scan.
Their update and scan take control of the systems and slow the workstations to a crawl and, if we are trying to process online UPS information, will even lock up the system.
My administrator work station is a Win 2k Pro P4, 1.4Ghz with 1Gb RAM and even it slows down dramatically when the McAfee kicks in. So, I ended up setting the McAfee Service to Manual and control it that way. What a pain!!!
When I contacted McAfee they said we had to live with it, there was no way to schedule the update and scans for a specific time outside of their normal business hours? Whatever happened to supplying customer needs?
I can't wait for this contract to end so I can switch to either Panda, which I used to replace my personal McAfee at home, or Trend Micro.
Ande
A lot of the posts following this article have related to the speed of the scan itself rather than the update of the clients.
The author mentioned the amount of data that the system often needs to transfer to maintain the patterns.
A number of my clients have used LANDesk to manage this process as it has a multicasting technique that removes the need for virus servers and individual transmissions of pattern updates, e.g. with 3000 machines, a single update of 1MB will take 3Gig, whereas with the multicast method, only 1MB per subnet is required.
I wondered if others have considered this sort of approach and what sorts of success/difficulties have been encountered.
I recently re-subscribed to NAV/NSW. I have NSW 2002. The Utilities and the OBC have been a life saver more times than none... let alone their mgmt of the virus definitions. I must right now... if anyone has problems with Norton/Symantec, it's only because they are not contacting support. I had an error in Quarantine which said I needed to re-install NAV. It's been there for about 4 months, because I didn't want the headache of re-installing. To make a long story short, after about 5 e-mails (and the tech on the other end was very patient) I got it complete with all the new system upgrades and this year's add-ons, still in the 2002 version, but the add-ons cover ALL installs, for $14.95 a year. I call that better than some online services I've had in the past. I'll point out too: with Direct X9, Zone Alarm Pro latches GREAT with NAV; so does MailWasher Pro. My system hasn't run this good! Even before the Direct X OR the error message!!
Just ask for help
I have installed but some virus doesn't take by it. I forget something in the configuration.
I have InoculateIT and it works well, but it does have trouble discovering all PCs on the LAN/WAN. Any suggestions?
Even though a bit pricey, Panda has the best solution for any situation, and scans all systems/ports/exchange/pop3/smtp, plus rather than updating the full signature file (1 to 2mb) it just brings in the latest definitions (34kb to 147kb) (updated daily), making the updates MUCH faster. The scan engine is also much faster than all the other products mentioned here.
I run Etrust InoculateIT 7.0. I use policies to control client settings. I use remote install to push to my clients. If I have a problem with a client PC not appearing in the administrator view, or a problem with the remote installation utility not seeing the client, I go to the client PC and remove it from the domain and set it to workgroup. Then I join the PC to the domain again. This has always resolved the rare times I see this problem.
We moved to Exchange 2000 in March 2002. We were running Netscape Messaging server on Unix prior to this. I admit I was a little hesitant with switching to Exchange based on all the bad virus episodes and server crashes I'd heard of from anyone that was running Exchange 5.5, but after a few months evaluating it, I was confident that it was not the same beast.
We went with Sybari Antigen which was highly recommended by multiple sources as an excellent Exchange AV solution. It was.
We went live the weekend before Klez hit the internet. That first week, we caught over 200 emails with the Klez virus, not to mention all the other ones. This is with a user population of only about 200.
We have never had a problem with viruses making it through our Exchange server, and having Norton AV CE on the laptops and desktops, it provided a dual security solution.
I remember when the latest trend was to run 2 firewalls from different vendors in series with a DMZ between them on your internet connection. That was to protect your systems by making it much more difficult for hackers to get through. Once they cracked one type of firewall, they suddenly found themselves with a completely different type with different vulnerabilities.
Same theory applies to protection against email viruses. They have to make it through 2 layers. Double the protection.
With the ability to use multiple AV engines, this program pretty well catches everything before it can do any damage. We had it configured to stop all executable attachments, and never had a virus outbreak. A few years ago, a virus appeared as a .com executable. At that time, an article was posted saying that this virus was so deadly because nobody blocked *.com attachments. Nobody, that is, except the people running Antigen.