According to the December 2005 report of Commtouch
(developer of Zero-Hour Virus Protection), data collected from over 130
countries showed that about 40 new viruses or variants appear during the
preceding month. Viruses (along with their cousins, worms and Trojans) present
a major security threat to almost all computers. Because most of today’s PCs
connect to the Internet, whether via a dialup account on a home machine or
through a T-3 connection on a corporate LAN, a new infection can spread quickly
through a local network or around the world.

Most computer users and IT administrators have learned — many of them the hard way — that some sort of antivirus protection is essential. But the AV solutions
that work for a home or small business user may not easily scale to meet the
needs of an enterprise environment. Let’s take a look at how you can choose the
right antivirus solution for your company network, one that will grow with you
as that network grows.

How antivirus solutions work

Antivirus programs use several different techniques to
detect and protect against malicious code:

  • Most AV programs use a database of known virus signatures. A signature is a
    specific string of binary code that functions as an identifier for a
    specific virus. Each virus (and variant) has a unique signature. Since new
    viruses are created and released daily, the antivirus program must update
    its database frequently. Most antivirus programs include automatic update
    mechanisms. They connect to their vendors’ Web sites at a scheduled time and
    download new signature files.
  • Some AV programs use integrity checking to determine if files have been
    changed (such changes can be due to viruses). The program can then give the
    user the option to restore the file to its pre-infected state.
  • To protect against new viruses for which definitions are not yet available,
    AV programs can use heuristics. This is a method of analyzing code to
    determine whether it is suspicious based on how it’s constructed, rather
    than looking for specific signatures.
  • Some AV programs use a virtual machine environment called a sandbox to run
    the suspicious code so as to find out how it behaves and what it does.

Antivirus programs can scan files already on a computer’s
hard disk and files (such as email messages and downloads) as they come in over
the network. The program can check files before they’re opened, and most AV programs
are configured to check executable files by default.
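As an added illustration (not code from the article or from any product it names), the following Python script combines three of the techniques described above on constructed sample files: a lookup against a small signature database, an integrity baseline of SHA-256 hashes taken before a scan, and a simple structural heuristic (byte entropy, a common indicator that a file is packed or encrypted). The signature strings, the entropy threshold, the file names and their contents are all invented for the example; the signatures are harmless text markers, not real malware patterns.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed signature database. In a real product this is the vendor's
# signature file, refreshed by the automatic update mechanism. The byte
# strings below are invented test markers, not real malware signatures.
SIGNATURES = {
    "Test.Marker.A": b"CONSTRUCTED-TEST-SIGNATURE-A",
    "Test.Marker.B": b"CONSTRUCTED-TEST-SIGNATURE-B",
}

# Entropy above this value (bits per byte, maximum 8.0) is a common heuristic
# hint that a file is packed or encrypted. The threshold is an assumption
# chosen for this example.
ENTROPY_THRESHOLD = 7.2


def scan_signatures(data: bytes) -> list[str]:
    """Return the names of all known signatures found anywhere in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def heuristic_flags(data: bytes) -> list[str]:
    """Structure-based checks that need no signature at all."""
    flags = []
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        flags.append("high-entropy (possibly packed or encrypted)")
    return flags


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Integrity baseline: relative path -> SHA-256 of every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan_tree(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """On-demand scan of every file under root; returns {relative path: findings}."""
    report: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        data = p.read_bytes()
        findings = [f"signature:{n}" for n in scan_signatures(data)]
        findings += [f"heuristic:{f}" for f in heuristic_flags(data)]
        # Integrity check: a changed hash is reported even when no signature
        # matched, which is what catches modifications the database does not know.
        if rel in baseline and baseline[rel] != sha256_file(p):
            findings.append("integrity:modified since baseline")
        elif rel not in baseline:
            findings.append("integrity:new file")
        if findings:
            report[rel] = findings
    return report


def demo() -> dict[str, list[str]]:
    """Constructed demonstration in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"plain text that never changes\n")
        (root / "tool.bin").write_bytes(b"harmless program bytes\n")
        baseline = build_baseline(root)
        # Simulate what a later scan would see: one file altered to carry a
        # known marker, one new file of uniformly distributed bytes.
        (root / "tool.bin").write_bytes(b"harmless program bytes\n"
                                        + SIGNATURES["Test.Marker.A"])
        (root / "dropped.dat").write_bytes(bytes(range(256)) * 16)
        return scan_tree(root, baseline)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings))
```

The scan above is on-demand only; a product's on-access scanner hooks file opens and executions instead of walking the tree, and the sandbox technique from the last bullet is absent because it requires an isolated execution environment rather than a few lines of file inspection. Note how the unchanged readme.txt produces no finding, while the altered tool.bin is reported twice: once by its signature and once by the integrity check, which would still have fired had the marker been one the database did not yet contain.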

When antivirus solutions don’t work

Unfortunately, virus writers have many ways to circumvent or
defeat antivirus programs:

  • Stealth viruses that are loaded before the AV software and that cover up
    their activities.
  • Polymorphic viruses that change each time the virus infects a new computer,
    somewhat like mutating biological viruses.
  • Viruses that attempt to disable the AV software itself and/or block access
    to AV vendors’ web sites to prevent downloading of new signatures.

Host-based antivirus solutions

The traditional method of protecting against viruses and
other malicious software is to install an antivirus
program on each workstation and on servers that connect to the Internet, such
as email and Web servers.

Host-based AV programs usually do a good job of detecting
viruses in email and are essential to protect against viruses introduced
locally (for example, via a floppy disk, USB key or CD), but don’t protect as
well against viruses that come in via Web pages or IM. More importantly, they
don’t protect the network itself; a virus must get to the local machine to be
detected.

Host-based AV programs can also cause performance slowdowns
because virus scanning uses quite a bit of processor time. Other applications
may not behave correctly when an AV program is scanning. AV programs running in
the background can also interfere with the proper installation of some
applications.

If a company relies on host-based antivirus to protect the network, it may
overlook laptops that employees bring in to connect to the network, or home
computers from which employees connect remotely. It is not as easy to ensure
that those systems have up-to-date AV protection.

Finally, host-based AV programs are under the control of the
individual user. Users may turn off the AV program or change its settings, or
open files that have been quarantined.

On the other hand, host-based AV programs are relatively
inexpensive and simple to deploy on small networks.

Network-based antivirus solutions

Network-based AV solutions are deployed at the firewall or
server level. Firewall-based AV solutions stop viruses and worms at the
perimeter of the network, so they never get into the network at all.
Network-based AV solutions can be implemented in several different ways:

Scalability considerations

In a large
network environment, installing and maintaining antivirus
software on each individual host machine can be cumbersome, expensive and prone
to error (machines left unprotected or out of date definitions on some
machines). As your network grows, you should consider deployment of a
network-based solution that gives you centralized control over virus detection,
blocking and removal.

At the enterprise level, there are solutions such as StoneSoft’s StoneBeat
SecurityCluster, which combines antivirus, content security and IDS
functionality in one package based on hardware clustering. This creates a
highly scalable solution because new cluster nodes can be added as your needs
increase, so that you maintain optimal performance as the network grows.