General discussion


Adequate anti-virus coverage

By TTate
I'm not here to discuss which vendor's product is better than another. I am simply looking for information on good security metrics and practices.

Auditors are always interested in uncovering failures in automated systems and how to mitigate them. This is not a bad thing for sure. However, what would a good measurement be for out-of-date anti-virus coverage on a population of computers in a global company? For example, if there are 5000 computers on a company's network and all AV signatures are within the past 3 days on 90% of the computers, would you feel that the environment is adequately covered? What about the 10% that may have AV signatures more than a week old? How do you suggest mitigation for those computers in your environment, and is 10% too high or is it really a good number?

Thanks for your feedback.


Really tough question

by Tig2 In reply to Adequate anti-virus cover ...

In general I would say that 90% is good enough. At the same time I will say that one of the 10% joined the network with an issue and infected 90%.

I don't know that there is a sure path to mitigation in an issue like this. I wish that there was.

From an audit standpoint, I think that proof of concept to automatically update the desktop with the most current sigs should work. But then you also have to present your mobile strategy.

I assume (bad plan, but I will run with it for now) that the 10% that you are talking about are mobile users. What strategy have you emplaced (regardless of known compliance) to update AV sigs for that group? And can you document that process? Those are the points that you will be asked about.

At the end of the day, I really need more information in order to tell you if you have a good process in place. 90% is a good start!


I would say

by w2ktechman In reply to Adequate anti-virus cover ...

that a good strategy is to force AV on the intranet. Restrict (black-list) known bad sites, force a firewall on mobile systems, and use VPN SW to log in remotely, at minimum.
You can run a script that, when they try to log on remotely, checks the firewall settings as well. Some SW can even monitor your current AV defs. This can be added to the script as well.
But before rejecting access for not meeting criteria, they will need to be able to access a web site with clear and easy instructions to come into compliance for a successful logon. This site will need to be outside the intranet (on the Internet) for them to access.
Although these solutions will only be additional guards in place, the network itself will need good firewall, AV, anti-spam and anti-spyware solutions.


Well said to both replies!

by TTate In reply to Adequate anti-virus cover ...

The low percentage of machines with AV DAT signatures 5 or more versions behind is due to the following factors and is within normal operating parameters: a device may be in storage; a device may belong to a user that has been out of the office and the machine not started on the network for a period where 5 or more DATs were released; a device may be infrequently used. In all cases, our AV architecture ensures these types of devices will receive the most recent DAT update when they next log into the network. As a compensating measure, reports are distributed to the site admins showing machines with AV DAT signatures that are 5 or more versions behind. Admins are tasked to ensure that if a device on the list is active and on the network, it will be checked and updated to ensure active and up-to-date anti-virus coverage. Other compensating measures in our environment include anti-virus software running on servers and inbound and outbound e-mail virus scanning. We don't have the technology implemented to quarantine machines not within policy. It's not because it's not the right thing to do. We don't have it because of many other competing activities requiring attention by the limited number of IT staff.

Security is never a zero-failure state. To say otherwise is like saying because you have four tires on a car and a spare that you will never have a flat tire. That will never be the case. In security, threats and risks are always changing and new challenges arise hourly. As a testament to effective AV coverage, there has been little impact from virus-outbreaks on our network. Can we do things more effectively or efficiently? Of course, but that comes at a cost in people, technology and/or time. So, in this case, we use technology to manage the majority of systems and depend on our people to handle the minority. If they cannot get to managing the exceptions because of competing requirements, then we either have to accept the state of the minority as an acceptable risk or improve our ability to handle competing needs.

Bottom line, I think the small percentage of out of date systems is acceptable for a company that may have little in asset management tools and a small number of staff. Anything lower would be a stretch of either personnel or technology resources.

Again, thanks for your insights and comments.
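The two measurements discussed in this thread, the share of machines whose signatures are within N days (the original question) and the site-admin exception report of machines 5 or more DAT versions behind that are actually active on the network (TTate's follow-up), can both be produced from a plain inventory export. The script below is an added example written for this page, not code from any of the posters or from an AV vendor; the inventory, the field names, the "current" signature build and the report date are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date


# Constructed sample record: one row per endpoint, the shape an AV management
# console export usually has. Field names are assumptions for this example.
@dataclass(frozen=True)
class Endpoint:
    hostname: str
    sig_version: int   # DAT/signature build number the agent reports
    sig_date: date     # release date of that build
    last_seen: date    # last check-in of the agent on the network


AS_OF = date(2007, 6, 15)        # constructed report date ("today")
CURRENT_SIG_VERSION = 5050       # constructed newest build; one build per day

# Constructed inventory of ten endpoints (not real hosts).
INVENTORY = [
    Endpoint("ws-001", 5050, date(2007, 6, 15), date(2007, 6, 15)),
    Endpoint("ws-002", 5049, date(2007, 6, 14), date(2007, 6, 15)),
    Endpoint("ws-003", 5048, date(2007, 6, 13), date(2007, 6, 14)),
    Endpoint("ws-004", 5047, date(2007, 6, 12), date(2007, 6, 15)),
    Endpoint("ws-005", 5044, date(2007, 6, 9), date(2007, 6, 15)),   # active, 6 builds behind
    Endpoint("lt-006", 5040, date(2007, 6, 5), date(2007, 6, 5)),    # laptop, off network 10 days
    Endpoint("ws-007", 5030, date(2007, 5, 26), date(2007, 5, 26)),  # in storage, off network 20 days
    Endpoint("ws-008", 5050, date(2007, 6, 15), date(2007, 6, 15)),
    Endpoint("ws-009", 5049, date(2007, 6, 14), date(2007, 6, 15)),
    Endpoint("ws-010", 5045, date(2007, 6, 10), date(2007, 6, 15)),  # active, 5 builds behind
]


def signature_age_days(ep, as_of=AS_OF):
    """Age of the endpoint's signature set in days relative to the report date."""
    return (as_of - ep.sig_date).days


def coverage_within(inventory, max_age_days, as_of=AS_OF):
    """Fraction of endpoints whose signatures are at most max_age_days old.

    This is the '90% within 3 days' style figure from the original question.
    An empty inventory reports 0.0 rather than dividing by zero.
    """
    if not inventory:
        return 0.0
    fresh = sum(1 for ep in inventory if signature_age_days(ep, as_of) <= max_age_days)
    return fresh / len(inventory)


def age_distribution(inventory, as_of=AS_OF):
    """Count endpoints per age bucket; auditors usually want the tail, not just the mean."""
    buckets = {"0-3 days": 0, "4-7 days": 0, "8+ days": 0}
    for ep in inventory:
        age = signature_age_days(ep, as_of)
        if age <= 3:
            buckets["0-3 days"] += 1
        elif age <= 7:
            buckets["4-7 days"] += 1
        else:
            buckets["8+ days"] += 1
    return buckets


def exception_report(inventory, current_version=CURRENT_SIG_VERSION,
                     versions_behind=5, inactive_after_days=7, as_of=AS_OF):
    """Machines at least versions_behind builds behind, split by whether they are on the network.

    'needs_admin' are active machines that should have updated and did not, so a
    person has to look at them. 'not_on_network' are machines that have not checked
    in recently (storage, travel, infrequent use) and are expected to pull the
    current DATs at next logon; they are tracked rather than chased.
    """
    needs_admin, not_on_network = [], []
    for ep in inventory:
        if current_version - ep.sig_version < versions_behind:
            continue
        if (as_of - ep.last_seen).days > inactive_after_days:
            not_on_network.append(ep.hostname)
        else:
            needs_admin.append(ep.hostname)
    return {"needs_admin": needs_admin, "not_on_network": not_on_network}


if __name__ == "__main__":
    print(f"Coverage within 3 days: {coverage_within(INVENTORY, 3):.0%}")
    print(f"Coverage within 7 days: {coverage_within(INVENTORY, 7):.0%}")
    print("Age distribution:", age_distribution(INVENTORY))
    print("Exception report:", exception_report(INVENTORY))
```

The split in `exception_report` is the part that matters for the audit conversation: a single "X% out of date" number mixes machines that are broken with machines that are simply switched off, and only the first group is a finding the site admin can act on. Swapping the constructed list for a real console export and choosing the version and inactivity thresholds to match the organisation's DAT release cadence is all that changes in practice.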
