Guarding Against Viruses is Getting a Lot Harder

Written by A. Hallawell, Contributor

The rules of virus management have changed dramatically during the past three years. Even enterprises with much internal security expertise and generous budgets to tackle the problem have found it hard to protect themselves from an onslaught of virus threats.

Viruses and malicious-code programs are now more frequent and effective in their mission. Malicious-code programs are infecting the enterprise at an unprecedented, rapid-fire rate—often before the antivirus vendor (e.g., McAfee, Sophos Anti-Virus, Symantec, or Trend Micro) can create an update or before the enterprise can distribute the update to its Simple Mail Transfer Protocol (SMTP) gateway and desktops. Moreover, most small and medium businesses (SMBs) don’t have the resources to institute 24x7 internal testing and distribution of new updates, which are common among larger enterprises.

The means of virus infection is also changing. E-mail systems remain the most dominant method by which enterprises are infected. However, as Nimda and Code Red demonstrated—and as instant messaging vulnerabilities and the advent of Web services portend—Web servers, Web applications, and active content eventually will have to be protected from malicious-code attacks. The already-strained method of signature-based detection used on desktops, file servers, and at the Internet gateway will not suffice for these newer threats. However, through 2003, e-mail will remain the primary vector for malicious-code infections for most SMBs; therefore, SMBs can wait for evolving approaches (e.g., policy enforcement middleware) that tackle these newer Web-based threats to mature.

The SMB antivirus campaign
Gartner offers SMBs the following recommendations for an effective antivirus program:

Protect the base
Desktop protection will always be the most important line of defense in an effective antivirus strategy. If SMBs have no control over the desktops, they should at least ensure that up-to-date security signatures reach the SMTP gateway. However, the gateway alone can’t ward off every malicious-code infection—e.g., those arriving through Web-based e-mail or downloaded files that are not blocked at the firewall. SMBs should ensure that all desktops, including those of remote users, and the SMTP gateway are protected with up-to-date signatures. Real-time or scheduled scans should also be required on all file servers.

Distribute updates promptly
SMBs should carefully evaluate the management and functionality of antivirus solutions—especially antivirus desktop products. Solutions that come preconfigured and that can be installed, updated, and managed centrally are critical requirements for SMBs.

Guard the e-mail gateway
Antivirus appliances, such as those from McAfee or Symantec, that scan for viruses at the SMTP gateway may be a cheaper option than buying a software product that requires a separate server. Gateway appliances typically also bundle in content filtering.

Consider outsourcing
Managed antivirus services (e.g., My ASAP from McAfee), messaging service providers (e.g., Electric Mail, MessageLabs, Mirapoint) and managed security service providers are other SMB sources for antivirus protection. These service providers will remotely manage antivirus products on desktops, file servers, and, most commonly, the SMTP gateway and firewall. If SMBs lack the resources to manage the constant updating of antivirus signatures and the frequent upgrading of antivirus product versions, managed antivirus services could provide them with better antivirus protection. Costs for managed antivirus services range from approximately $1 to $4 per user per month.

Limit the number of antivirus products used
Larger enterprises typically use two or more antivirus products because they must rely on the timely distribution of vendors’ updates. Gartner recommends that SMBs limit the number of antivirus products they manage to a single vendor. Using two antivirus software solutions will often be too costly for some SMBs. If they are committed to a dual antivirus vendor strategy, they should use a different antivirus vendor at the SMTP gateway from the one used on desktops, or they should opt for a service provider for some antivirus functions.

Evaluate antivirus vendors
SMBs should use the following criteria when considering which antivirus vendors to choose:

  • Product quality on a specific platform (e.g., Windows 2000 or Lotus Notes). Elements to consider include how often product patches are released for that product version, as well as performance and compatibility.
  • Management and distribution functionality within the antivirus solution, i.e., what mechanisms are available for easy and automated updating of desktops and other systems. SMBs should also assess how the antivirus vendor makes updates available, especially in outbreak situations. For example, if the vendor provides updates only from its Web site, SMBs may be unable to download the update because of high demand at the site. If no alternative method of obtaining an update exists, SMBs should ask what high-availability solutions the antivirus vendor uses on its Web site and demand service levels for obtaining the update from the site in an outbreak situation.
  • Research, customer support, and service, e.g., how quickly does the antivirus vendor typically produce an update in an emergency situation? Are alert and virus intelligence services included, as well as customer support contacts (especially in outbreak situations)? The quality of the updates is critical for SMBs because they often don’t have the capability to test updates. SMBs should negotiate firm service-level agreements to ensure quality updates.
  • Incident-response plan: SMBs should name a manager as the virus-alert and incident-response liaison to their antivirus vendors, and outfit their key enterprise and vendor contacts with pagers or other alert devices. With knowledge of an impending outbreak, attachment blocking at the SMTP gateway should be used to block the relevant file types. SMBs should also ensure that as soon as the new update is available from the antivirus vendor, the SMTP gateway is updated immediately.
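The attachment blocking recommended in the incident-response item above is something a gateway can do before any signature update arrives. The following is an added example written for this page, not code from the report or from any of the vendors it names. It assumes a hypothetical outbreak-time policy: a blocklist of file extensions that are refused outright, an archive type that is held for review, and a check for executable MIME types hiding behind a benign name. The sample message is constructed inline.

```python
"""Attachment-blocking policy for an SMTP gateway (added example, not from the report).

Assumptions (not in the original text): the extension blocklist, the quarantine
list, and the suspicious MIME types below are hypothetical policy choices that a
gateway administrator would tune during an outbreak.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Hypothetical outbreak-time blocklist: extensions the gateway refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".com"}

# Hypothetical: archive types that are held for manual review rather than dropped.
QUARANTINE_EXTENSIONS = {".zip"}

# Hypothetical: declared MIME types that indicate Windows executables regardless of name.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def classify_attachment(filename, declared_type):
    """Return 'block', 'quarantine' or 'allow' for one attachment.

    The extension check is case-insensitive and uses only the final extension,
    so a double extension such as 'report.txt.exe' is still caught.
    """
    name = (filename or "").lower()
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in QUARANTINE_EXTENSIONS:
        return "quarantine"
    # An executable declared under its real MIME type but renamed to look benign.
    if declared_type in EXECUTABLE_TYPES:
        return "block"
    return "allow"


def evaluate_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (verdict, findings).

    verdict is the most severe decision across all attachments; findings lists
    (filename, declared content type, decision) for each attachment so the
    gateway can log why a message was held or dropped.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdict = "allow"
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        ctype = part.get_content_type()
        decision = classify_attachment(filename, ctype)
        findings.append((filename, ctype, decision))
        if decision == "block":
            verdict = "block"
        elif decision == "quarantine" and verdict != "block":
            verdict = "quarantine"
    return verdict, findings


def build_sample():
    """Construct a sample message with one benign and one blocked attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment("plain text notes", filename="notes.txt")
    # Constructed payload: only the first bytes of a PE header, not a real program.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="report.txt.exe")
    return bytes(msg)


if __name__ == "__main__":
    verdict, findings = evaluate_message(build_sample())
    print("verdict:", verdict)
    for entry in findings:
        print("  ", entry)
```

The gateway would apply `evaluate_message` to each inbound message and act on the verdict (reject at SMTP time, hold in quarantine, or deliver), logging the findings so the incident-response liaison can see which file types the policy is catching during the outbreak.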

Bottom line
SMBs must use antivirus protection at their gateway and on desktop devices. However, because of the rapid and ever-changing nature of viruses, as well as the difficulty and expense of maintaining in-house expertise, SMBs also should consider outsourcing antivirus security.

"Guarding Against Viruses is Getting a Lot Harder"
By A. Hallawell
Gartner originally published this report on March 13, 2002.
