POLL: For the sysadmins: alternatives to desktop antivirus software in the workplace? Pros/Cons?

mechBgon (Super Moderator, Elite Member)
I work at a non-profit agency. Our office has about 75 PCs with a fleet average of about 980MHz and 220MB of RAM, all running Win2000. We use McAfee VirusScan on the desktops, in conjunction with McAfee ePolicy Orchestrator to provide a single point of administration for VirusScan. VirusScan definitely slows the PCs down, but even our old Pentium II 350s are getting by.

We deal with sensitive information on our clients (including victims of sexual abuse and rape) and it would be Very Bad for our agency for a virus to set up its own SMTP engine and mail off some of our documents to the world at large, for starters. At this time, we've got VirusScan set for maximum detection capabilities, and it's set to delete infected files on sight without prompting or attempting to clean them.

What alternatives to desktop AV software are out there, and what pros/cons do you see with them? Would you consider any of them to render desktop AV software unnecessary? Anyone got comments on antivirus appliances as an alternative? Personally, I think an antivirus appliance between us and the Internet would be a great first line of defense, but I worry about the classic floppy-borne virus doing an "inside job" on us.

TIA for your thoughts, comments and recommendations! :)

EDIT: by the way, our PCs have access to the Internet via a Cisco 675.
 

Lord Evermore (Diamond Member)
I vote that each desktop needs AV software and an AV appliance or server is needed. There are a lot of webpages that attempt to exploit holes or load virus-laden scripts, and AV software can catch that, and the possibility of a virus on floppy or CD is controlled. An AV appliance or server can also then be used for scanning email and for server storage scanning. It never hurts to have two different types of AV software scanning things, as some brands miss things that another brand catches. I don't think you can completely secure yourself from things like that with an AV appliance between you and the Net, because the appliance can't really scan and control all the software passing through it (not everything is plain text, and I don't think it could track binaries well enough to be able to "see" the entirety of a file to check for a virus, and then the possibility of compressed files comes in).

Probably should also have a software firewall such as Zone Alarm to help avoid anything that the AV misses being allowed to make an outbound connection. Or you set up a hardware firewall (or server with full firewall software) to do the same thing for the entire network, with the Cisco simply acting as a bridge. The AV software on the desktops still would be needed though, as some worms and trojans may use standard ports that the firewall might pass through (Zone Alarm eliminates that worry in large part but still isn't enough alone).

Given what your office seems to be doing and what's at risk, I think the more security you put on, the better, even if it does mean the PCs slow down a tad.
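The scenario the original post fears (a virus starting its own SMTP engine and mailing documents out) and the outbound-connection control Lord Evermore suggests above have a detection counterpart: a workstation that is not the mail server should never open outbound SMTP connections, and a mass-mailer fans out to many recipient MX hosts quickly. The following is an added example, not code from any poster or product; the log line format, the mail server address (192.168.1.10), the destination threshold and the sample lines are all assumptions constructed for the demonstration.

```python
"""Added example (not from the thread): flag internal hosts that open outbound
SMTP connections directly, the tell-tale of a mass-mailer with its own SMTP
engine.  The log format, addresses and thresholds here are assumptions."""
import re
from collections import defaultdict

# Assumed generic firewall "OUT" record format, not any specific vendor's syntax.
LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Hosts that are allowed to speak SMTP outbound: only the mail server (assumed address).
MAIL_SERVERS = {"192.168.1.10"}
SMTP_PORTS = {25}

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
Apr 10 09:12:01 fw OUT src=192.168.1.10 dst=203.0.113.9 proto=tcp dport=25
Apr 10 09:12:05 fw OUT src=192.168.1.57 dst=198.51.100.4 proto=tcp dport=80
Apr 10 09:13:11 fw OUT src=192.168.1.57 dst=203.0.113.21 proto=tcp dport=25
Apr 10 09:13:12 fw OUT src=192.168.1.57 dst=203.0.113.22 proto=tcp dport=25
Apr 10 09:13:12 fw OUT src=192.168.1.57 dst=203.0.113.40 proto=tcp dport=25
Apr 10 09:15:40 fw OUT src=192.168.1.88 dst=203.0.113.9 proto=tcp dport=25
Apr 10 09:16:02 fw OUT src=192.168.1.88 dst=203.0.113.9 proto=udp dport=25
""".splitlines()


def find_rogue_smtp_senders(lines, allowed=MAIL_SERVERS, min_destinations=2):
    """Return {source: sorted destinations} for hosts outside `allowed` that
    opened outbound TCP/25 to at least `min_destinations` distinct hosts.

    A worm delivering itself with a built-in SMTP engine talks to many
    recipient MX hosts in a short time; a single misconfigured mail client
    usually talks to one, so the distinct-destination count separates them.
    Lower min_destinations to 1 to list every non-mail-server SMTP source,
    e.g. before turning on an egress rule that only lets the mail server out."""
    destinations = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m["proto"] != "tcp" or int(m["dport"]) not in SMTP_PORTS:
            continue
        if m["src"] in allowed:
            continue  # the real mail server is expected to do this
        destinations[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in destinations.items()
            if len(dsts) >= min_destinations}


if __name__ == "__main__":
    for src, dsts in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"ALERT {src} opened SMTP to {len(dsts)} hosts: {', '.join(dsts)}")
    print("every non-mail-server SMTP source:",
          sorted(find_rogue_smtp_senders(SAMPLE_LOG, min_destinations=1)))
```

On the sample data only 192.168.1.57 trips the alert (three distinct SMTP destinations in a minute); 192.168.1.88 shows up only in the min_destinations=1 review list, and the mail server is skipped entirely. The preventive counterpart is the egress rule the logic implies: permit TCP/25 outbound from the mail server only, and deny it from the workstation range.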
 

mboy (Diamond Member)
McAfee sucks. I also think you without a doubt need desktop AV on all your workstations and servers, but feel the appliance in addition to that is probably overkill. 2 out of the last 3 virus alerts I have had at work on any of my 65 or so protected machines were from people putting in infected floppies.

I happen to use Panda Enterprise edition. You install the Admin program on the admin's desktop (or whoever will admin it), then it auto-finds the servers on your domain (domains), you push it out to them, then you install the client module on the server and it will create a script installing it to all the machines that you select when they log into the domain. Updates automatically to each PC when they log in the next day, or it will do it even if the PC's left logged in overnight. You can set it to auto-update all the servers. Panda is one of the few that has updates EVERY single day.
Resource usage isn't terrible either.
I hear Trend Micro has decent resource usage as well.

My Co. had Macrappy when I first started. I hate that garbage and ended it real quick!
 

EvilWobbles (Golden Member)
We use Norton (now called Symantec) Anti-Virus Corporate Edition 7.6 on our Servers and client machines and then use Symantec Anti-Virus for SMTP Gateways to scan all incoming and outgoing emails. The email gateway product has saved our butts more than a couple of times. The most recent upgrade has added SPAM detection and thus far the performance of the SPAM detection engine has been very good. We implemented Cloudmark on most desktop systems just to filter some of the SPAM. My preliminary tests show that the SAV for Gateways is detecting SPAM at almost the same rate as Cloudmark. It is currently set at a low heuristic detection threshold. I am going to turn up the detection threshold but am concerned about a rise in "false-positives." However, SAV for Gateways is definitely worth the money!

I'm still not 100% sold on the AV for servers and desktops. The program is highly configurable, pushes all the definition updates to client machines, etc. It just doesn't seem to reliably update client workstations and it generates a few false positives. The centralized management via MMC is great but there are some quirks. I recently received the 8.0 version of this software so I don't know if it has addressed some of the quirks I have seen.

Hope that helps!
 

RaySun2Be (Lifer)
Originally posted by: EvilWobbles
We use Norton (now called Symantec) Anti-Virus Corporate Edition 7.6 on our Servers and client machines and then use Symantec Anti-Virus for SMTP Gateways to scan all incoming and outgoing emails. The email gateway product has saved our butts more than a couple of times.

Same here. When I first took over the admin, we used McAfee (what a pita), but switched to Symantec Corp, with the SMTP module installed. One of the things I liked about it was that we could schedule regular scans of the clients, and lock them so that they couldn't stop the scan (ie, laptops that aren't around at night). Updates got pushed out to the clients with no problems. We could also install the client remotely.

A lot of people tend to focus mainly on the outside threat via the Internet, but you must also consider the inside threat from floppies, CD-ROMs, and other removable media that users can bring from home, as stated previously.

Running AV software on the desktops and all servers, including AV for SMTP, in addition to a good firewall can help minimize the threat from virus and hackers. Making sure all PCs and servers are up to date with security patches, as well as having configured the OS Security Policy for the servers and PCs helps as well.
 

Woodie (Platinum Member)
You may see benefit from both.

At the desktop is a requirement. We're also a McAfee + EPO shop, and while it's not the greatest product, it gets the job done, and is now manageable. We set our scanners for scan/clean automatic, as users stand to lose important documents (from outside the company) if we were to delete them out of hand.

We also scan on the file servers, scan web downloads, and scan or block email attachments. The McAfee email scanner will open zip files, even when renamed. :D Blocking .exe attachments is a really good idea, plus, then you don't have to scan them. :) Email is our #1 vector for virus infection, but of course those files never make it to the clients.

Our environment is a bit different from yours: >22,000 clients, Win 2K with some straggling NT 4 clients. Our clients are generally older/slower than yours, however we don't get many complaints about performance. We turn off the heuristic scanning, as we see it as a low value add, high performance hit in our environment. Especially since most users store all their files/data on the file servers.
 

reicherb (Platinum Member)
I'm at a small/medium-sized school district and we are currently using McAfee. It seems to do the job, but it's an old version, and in general I am against McAfee. We were looking at Symantec, but money is an issue when you are looking at 725 PCs. We've all but decided to go with F-Prot Antivirus. It looks like a decent product and we have been given a quote of $1.50/PC. We will probably move to Symantec on the servers. To protect our GroupWise system we use a product called Guinevere to scan all incoming and outgoing E-mail and also have integrated SpamAssassin to slow down spam. I'm sure an antivirus appliance would help, but for us, it's not economically feasible.
 

bozo1 (Diamond Member)
The way I had my last company set up was:

- Desktops running AV software. (McAfee simply because they had an existing contract.)

- Exchange server running Trend Micro's Scanmail.

- SMTP gateway running a different antivirus program. The gateway handles all incoming and outgoing messages, scans for viruses, spam filtering, etc. I've used MailMarshal, MailSweeper and GFI Mail Essentials. There are many antivirus programs that plug in to those products. I found MailMarshal to be the least trouble-free and most configurable. (This was 2 years ago, things may have changed with the other products since then.)

I felt that with 3 different antivirus products, we were pretty well covered especially with some vendors being quicker than others with getting updated signatures out, etc.
 

spidey07 (No Lifer)
IMHO you can never really have TOO much virus protection.

Our strategy - every PC runs virus software, patterns and engines are updated every hour. Every single server runs virus software - updated every 5 minutes. HTTP and FTP are scanned with an appliance.

I couldn't imagine having PCs without virus software, just the fallout from Nimda and Code Red is enough for me to break into cold sweats. :)
 

chsh1ca (Golden Member)
Well, we've got NAV Corp. Edition 7.6 as well, but as our mail server is running on linux, we're using Kaspersky Anti-Virus to filter all mail directly at the MTA level. If you're using any Unix-based mailserver, I'd recommend KAV, it goes in well, and has many options for whom to alert, and such things.

I was caught somewhat off guard by the Appliance aspect, but I presume you mean a network proxy + virus scanner. If that's the case, I don't really see a need, since (at least I've noticed) that NAV Corp Edition is capable of nabbing exploit-laden HTML files, so the protection is there (if you enabled FS Real-time protection, which I wouldn't consider not doing).

It really depends on the access people have to various resources I suppose, but I don't think extra levels of security are ever a bad thing. Then comes the question of affordability though, it's always a never-ending fight for the system you want in an affordable manner. :)
 

amcdonald (Diamond Member)
mechBgon,
My company's setup is very similar to yours.
I run McAfee Enterprise (existing contract) using GroupShield/ePO/VirusScan/etc.
As far as I can tell the software is good, as nothing has ever taken root in the network.
However there are some issues with older OS PCs and updating.
My brother used to work for NAI and still has stock, so I highly recommend anything they make :D
 

mboy (Diamond Member)
The Panda I run has the ability to protect an SMTP gateway or Exchange-type server; in addition it also has an AV feature to protect a Check Point firewall as well as NetWare and Lotus Domino servers.
I suggest those that never checked it out give it a look, pretty nice stuff.
 

mechBgon (Super Moderator, Elite Member)
I'm indebted to all of you for sharing your expertise. Thank you! :)

The "antivirus appliance" is my terminology for the proxy-like McAfee WebShield Appliance, by the way (link).
 

beatle (Diamond Member)
I'm glad nobody voted for the first one (yet) as the desktop is very open to virus attacks. To my knowledge I've never gotten a virus through email, but I've had more than my fair share from sharing "dirty floppies." :)
 

Garion (Platinum Member)
My two cents:

You are vulnerable to virus threats from:

E-mail - (block at your Exchange server at a minimum, preferably at the SMTP gateway also, if you have a separate one)
Web - Web-distributed viruses are becoming more and more common and can be quite nasty
Raw Internet - SQL Slammer, etc. work at the IP layer, trying to find exposed vulnerabilities
Desktop - Come from floppy, CD, files from customers and clients, the LAN, etc.
File Servers - Infected files, etc.

You should have protection for pretty much all of these, if you can possibly afford it. The "Raw Internet" category is kind of virus, kind of known vulnerability that a real firewall (not a 675, which just runs NAT) could block. Run software on your desktops and servers, at a minimum.

- G
 

Smilin (Diamond Member)

We use 3 layer protection:

At the SMTP Gateway and all other email servers.
At the file servers
At the desktop

Each of these layers has failed at one time or another but we've never had an outbreak of any sort. Definitely keep AV on the desktop and add layers as you can afford.


Opinion:
I dropped McAfee some time ago and went with Symantec. I've never been happier. I'm especially enjoying the group function on the new 8.0. McAfee is great for individual PCs but IMHO it sucks for enterprise.
 

amcdonald (Diamond Member)
Running McAfee Enterprise has never failed me in more than 1 1/2 years.
With ePO configured properly there would have to be a major hole in McAfee to penetrate all layers.
Plenty of 'attempts' are caught daily. Nothing has ever infected.
No upkeep necessary on the AV system, just an occasional checkup to see that it is working.
 

Buddha Bart (Diamond Member)
Originally posted by: spidey07
IMHO you can never really have TOO much virus protection.

Our strategy - every PC runs virus software, patterns and engines are updated every hour. Every single server runs virus software - updated every 5 minutes. HTTP and FTP are scanned with an appliance.

I couldn't imagine having PCs without virus software, just the fallout from Nimda and Code Red is enough for me to break into cold sweats. :)

Wow thats anal!
How did Nimda and Code Red hit you that hard? Are the server guys really that sloppy about patching machines in the DMZ?

bart
 

Woodie (Platinum Member)
Originally posted by: Buddha Bart
How did Nimda and Code Red hit you that hard? Are the server guys really that sloppy about patching machines in the DMZ?

Our DMZ was fine...it was the sister company, and their *very* loosely configured firewall that killed us. Needless to say, we've tightened up THAT firewall. ;)
 

spidey07 (No Lifer)
Originally posted by: Buddha Bart
Originally posted by: spidey07
IMHO you can never really have TOO much virus protection.

Our strategy - every PC runs virus software, patterns and engines are updated every hour. Every single server runs virus software - updated every 5 minutes. HTTP and FTP are scanned with an appliance.

I couldn't imagine having PCs without virus software, just the fallout from Nimda and Code Red is enough for me to break into cold sweats. :)

Wow thats anal!
How did Nimda and Code Red hit you that hard? Are the server guys really that sloppy about patching machines in the DMZ?

bart


It was the PCs that got us...that and having a virus system that didn't auto-update very well.
 

mechBgon (Super Moderator, Elite Member)
Originally posted by: Garion
My two cents:

You are vulnerable to virus threats from:

E-mail - (block at your Exchange server at a minimum, preferably at the SMTP gateway also, if you have a separate one)
Web - Web-distributed viruses are becoming more and more common and can be quite nasty
Raw Internet - SQL Slammer, etc. work at the IP layer, trying to find exposed vulnerabilities
Desktop - Come from floppy, CD, files from customers and clients, the LAN, etc.
File Servers - Infected files, etc.

You should have protection for pretty much all of these, if you can possibly afford it. The "Raw Internet" category is kind of virus, kind of known vulnerability that a real firewall (not a 675, which just runs NAT) could block. Run software on your desktops and servers, at a minimum.

- G
Again, all this advice is very appreciated! :) We have a Cisco 1605-R between our LAN and the Cisco 675, but I'm not positive whether it does have the firewall capabilities that Cisco describes as "optional," and my understanding is that these are administered using a rather arcane Telnet procedure (which I have no training with). So I don't know how it's been configured, it was there when I came. Before you smack me for not knowing this, remember I'm just the part-time help. :eek:

What do y'all think of this Cisco PIX 501 as a "middleweight" firewall, if we wanted to get something that's administerable via a Web interface? Any other nominees from Netgear or other companies? I showed my supervisor the PIX 501 and the price didn't scare him, but the licensing thing struck me as rather silly. With 75 PCs, I guess we'd want the version that has 50 concurrent connections, not 10. If Netgear or another vendor has a worthy alternative that's not saddled with this odd limitation, and/or costs less without giving up the stuff that counts, I'd like to hear :D

For instance, how about the FVL328 or the other models shown here? It looks like it's free of the user-licensing setup, at least.

Thanks again everyone :)

BTW, we've got McAfee GroupShield on our Exchange server and Netshield on the file servers, yeah. Our email traffic isn't enormous but GroupShield stops inbound virus-bearing email just about every day. We've blocked exe, com, bat, scr, vbs, pif and so forth.
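The attachment policy described in this thread (the extension block list in the post above, and Woodie's note earlier that a gateway scanner should open a zip even when it has been renamed) is small enough to show end to end. Below is an added example written for this page, not code from any poster, McAfee GroupShield or any other product mentioned: a policy check over RFC 5322 messages using only the Python standard library. It checks every suffix in a filename (so a double extension like photo.jpg.scr is caught), recognises a ZIP container by its magic bytes rather than its name, and treats an archive it cannot open as something it cannot clear. The extra extensions beyond those named in the post, the addresses, and the sample messages are assumptions constructed for the demonstration.

```python
"""Added example (not the thread's code): attachment blocking by extension plus
"open the ZIP even when it is renamed", over RFC 5322 messages with the Python
standard library.  Block-list additions, addresses and sample mail are assumptions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions named in the thread, plus a few assumed additions ("and so forth").
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "scr", "vbs", "pif", "cmd", "hta", "js"}
ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature: the first bytes of a ZIP


def is_blocked_name(filename: str) -> bool:
    """True if any extension in the name is blocked.  Every suffix is checked,
    so 'report.doc.exe' and 'photo.jpg.scr' are caught, not only the last one."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in BLOCKED_EXTENSIONS for s in suffixes)


def check_message(raw: bytes) -> list:
    """Return the reasons to reject the message (empty list means deliver).
    Containers are recognised by magic bytes, not by name, so 'report.dat'
    that is really a ZIP is still opened and its members checked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(name):
            reasons.append(f"blocked extension: {name}")
        if payload.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if is_blocked_name(member):
                            reasons.append(f"blocked file inside archive {name}: {member}")
            except zipfile.BadZipFile:
                # A container the scanner cannot open is not one it can clear.
                reasons.append(f"unreadable archive: {name}")
    return reasons


# Helpers that construct sample messages (constructed data, not real mail).
def build_sample(filename: str, data: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"] = "client@example.org"
    msg["To"] = "intake@agency.example"
    msg["Subject"] = "documents"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain document": build_sample("notes.doc", b"plain document body"),
        "double extension": build_sample("photo.jpg.scr", b"MZ\x90\x00"),
        "renamed zip": build_sample("report.dat",
                                    make_zip({"invoice.exe": b"MZ\x90\x00",
                                              "readme.txt": b"hello"})),
        "truncated zip": build_sample("files.zip", ZIP_MAGIC + b"\x00" * 8),
    }
    for label, raw in samples.items():
        print(f"{label:18s} -> {check_message(raw) or 'deliver'}")
```

The "unreadable archive" branch is the caveat a gateway policy needs: a scanner that silently passes what it cannot parse turns any malformed or unsupported container into a bypass. Nested archives and password-protected zips (whose members are listed but cannot be read) are the next cases a real deployment has to decide on; this example does not descend into nested containers.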
 

Woodie (Platinum Member)
FWIW...in our enterprise...we see about 1/3 the viruses reported (cleaned or deleted) are from the email gateways, and 2/3 are from the desktops. (100-300 total reported per day)

At the desktop, the majority are downloaded Internet files (Nimda and others) and the rest are from "Removable Media", so likely to be from infected home machines. I don't know the detailed breakdown.