According to the December 2005 report of Commtouch
(developer of Zero-Hour Virus Protection), data collected from over 130
countries showed that about 40 new viruses or variants appeared during the
preceding month. Viruses (along with their cousins, worms and Trojans) present
a major security threat to almost all computers. Because most of today’s PCs
connect to the Internet, whether via a dialup account on a home machine or
through a T-3 connection on a corporate LAN, a new infection can spread quickly
through a local network or around the world.
Most computer users and IT administrators have learned — many of them the hard way — that some sort of antivirus protection is essential. But the AV solutions
that work for a home or small business user may not easily scale to meet the
needs of an enterprise environment. Let’s take a look at how you can choose the
right antivirus solution for your company network, one that will also grow with you as that network
grows in the future.
How antivirus solutions work
Antivirus programs use several different techniques to
detect and protect against malicious code:
- Most AV programs use a database of known virus signatures. A signature is a
specific string of binary code that functions as an identifier for a
specific virus. Each virus (and variant) has a unique signature. Since new
viruses are created and released daily, the antivirus
program must update its database frequently. Most antivirus
programs include automatic update mechanisms. They connect to their
vendors’ Web sites at a scheduled time and download new signature files.
- Some AV programs use integrity checking to determine if files have been changed
(such changes can be due to viruses). The program can then give the user
the option to restore the file to its pre-infected state.
- To protect against new viruses for which definitions are not yet available,
AV programs can use heuristics. This is a method of analyzing code to
determine whether it is suspicious based on how it’s constructed, rather
than looking for specific signatures.
- Some AV programs use a virtual machine environment called a sandbox to run the
suspicious code so as to find out how it behaves and what it does.
Antivirus programs can scan files already on a computer’s
hard disk and files (such as email messages and downloads) as they come in over
the network. The program can check files before they’re opened, and most AV programs
are configured to check executable files by default.
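The first two techniques above, signature matching and integrity checking, are easy to see side by side in code. The following is an added illustration, not code from the article or any vendor product: the signature "database" and the sample files are constructed byte strings (the patterns are hypothetical, not real malware signatures), the baseline is a SHA-256 hash per file, and the scanner reports which files contain a known signature and which have changed since the baseline was taken.

```python
import hashlib

# Constructed signature database (hypothetical patterns, not real malware signatures):
# name -> byte string that identifies the sample, as the article describes.
SIGNATURES = {
    "Demo.Virus.A": b"DEMO-VIRUS-A-MARKER",
    "Demo.Worm.B": b"\x90\x90DEMO-WORM-B",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Signature scan: names of every signature whose byte string occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)

def make_baseline(files: dict) -> dict:
    """Integrity baseline: path -> SHA-256 of the content when the file was known good."""
    return {path: sha256_hex(content) for path, content in files.items()}

def scan_host(files: dict, baseline: dict, signatures=SIGNATURES) -> dict:
    """Per-file report combining signature matching and integrity checking.
    'modified' means the hash differs from the baseline; a file that was not in
    the baseline at all is reported as 'new' rather than modified."""
    report = {}
    for path, content in files.items():
        in_baseline = path in baseline
        report[path] = {
            "signatures": scan_bytes(content, signatures),
            "new": not in_baseline,
            "modified": in_baseline and baseline[path] != sha256_hex(content),
        }
    return report

# Constructed sample "disk": the baseline is taken while both files are clean,
# then one library is overwritten with a signature appended and a new file appears.
GOOD_FILES = {
    "bin/editor.exe": b"MZ\x90\x00 editor program body",
    "lib/helper.dll": b"MZ\x90\x00 helper library body",
}
BASELINE = make_baseline(GOOD_FILES)
CURRENT_FILES = {
    "bin/editor.exe": GOOD_FILES["bin/editor.exe"],
    "lib/helper.dll": GOOD_FILES["lib/helper.dll"] + b"\x90\x90DEMO-WORM-B",
    "tmp/dropped.exe": b"MZ\x90\x00 DEMO-VIRUS-A-MARKER payload",
}

def report_for_current() -> dict:
    return scan_host(CURRENT_FILES, BASELINE)

if __name__ == "__main__":
    for path, info in report_for_current().items():
        print(path, info)
```

Note that the integrity check flags helper.dll even if its appended code had no known signature yet, which is exactly the gap it is meant to cover; the signature scan in turn catches the dropped file that the baseline has never seen.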
When antivirus solutions don’t work
Unfortunately, virus writers have many ways to circumvent or
defeat antivirus programs:
- Stealth viruses that are loaded before the AV software and that cover up their
activities.
- Polymorphic viruses that change each time the virus
infects a new computer, somewhat like mutating biological viruses.
- Viruses that attempt to disable the AV software itself and/or block access to AV vendors’
web sites to prevent downloading of new signatures.
Host-based antivirus solutions
The traditional method of protecting against viruses and
other malicious software is to install an antivirus
program on each workstation and on servers that connect to the Internet, such
as email and Web servers.
Host-based AV programs usually do a good job of detecting
viruses in email and are essential to protect against viruses introduced
locally (for example, via a floppy disk, USB key or CD), but don’t protect as
well against viruses that come in via Web pages or IM. More importantly, they
don’t protect the network itself; a virus must get to the local machine to be
detected.
Host-based AV programs can also cause performance slowdowns
because virus scanning uses quite a bit of processor time. Other applications
may not behave correctly when an AV program is scanning. AV programs running in
the background can also interfere with the proper installation of some
applications.
If a company relies on host-based antivirus
to protect the network, it may overlook laptops that employees bring in to
connect to the network or home computers from which employees connect remotely.
It is harder to ensure that those systems have updated AV
protection.
Finally, host-based AV programs are under the control of the
individual user. Users may turn off the AV program or change its settings, or
open files that have been quarantined.
On the other hand, host-based AV programs are relatively
inexpensive and simple to deploy on small networks.
Network-based antivirus solutions
Network-based AV solutions are deployed at the firewall or
server level. Firewall-based AV solutions stop viruses and worms at the
perimeter of the network, so they never get into the network at all.
Network-based AV solutions can be implemented in several different ways:
- ASIC gateway appliances such as the FortiGate
Antivirus Firewall series and Barracuda Networks’ spam
and spyware firewalls that include virus
blocking.
- Add-on software or modules for application layer filtering software firewalls
such as Kaspersky Anti-Virus
for ISA Server, avast! ISA Server
Edition, Trend
Micro InterScan plug-in for Check Point Firewall-1, and F-Secure’s Anti-virus for Firewalls that comes in
both Windows and Linux versions.
- Mail server-based AV programs that scan incoming and outgoing e-mail messages
and attachments for viruses and intercept them before they reach users’
mailboxes or are sent out over the network, such as GFI MailSecurity for Exchange and Sunbelt Software’s Messaging Ninja for Exchange,
which is also an anti-spam solution.
Scalability considerations
In a large
network environment, installing and maintaining antivirus
software on each individual host machine can be cumbersome, expensive and prone
to error (machines left unprotected, or out-of-date definitions on some
machines). As your network grows, you should consider deployment of a
network-based solution that gives you centralized control over virus detection,
blocking and removal.
At the
enterprise level, there are solutions such as StoneSoft’s StoneBeat SecurityCluster,
which combines antivirus, content security and IDS
functionality in one package based on hardware clustering. This creates a
highly scalable solution because new cluster nodes can be added as your needs
increase, so that you maintain optimal performance as the network grows.