The pros and cons of centrally managed antivirus software

For the small or home office user, retail antivirus programs such Norton AntiVirus 2003, McAfee VirusScan 7.0, and F-Secure Anti-Virus Personal Edition offer adequate protection and are easily managed. But for the enterprise tech with dozens or even thousands of PCs to protect, such products require too much oversight and place too much control with the end user. To resolve this dilemma, enterprises often choose a centrally managed antivirus solution.

The most well-known providers of centrally managed antivirus software are Symantec (Norton), McAfee, and F-Secure. These companies each offer enterprise solutions that can be maintained by one or more techs with little to no end-user intervention. Although each product offers a unique set of features, they all share the advantages and disadvantages common to centralized antivirus solutions. Before you recommend such a solution to your boss, however, you should be familiar with these common characteristics.

Reduce network traffic and administration time
Most virus signature/definition files are somewhere between 1 MB and 2 MB. Not a bad download for one machine to handle, but with just 50 machines, that number jumps to between 50 MB and 100 MB. In addition, stand-alone antivirus programs often require each computer to have an Internet connection. This means opening a port in your firewall (if you have one) for all machines and downloading the same data repeatedly.

With a centrally managed antivirus solution, you have the benefit of downloading the virus signatures/definitions and software updates to a single server, thus requiring only one machine to be connected to the Internet on that port. Once the update files are downloaded, the PCs can then pull them from the server and not the Internet. This is an attractive solution for organizations with limited Internet bandwidth or organizations that don't provide an Internet connection for every PC.

Not only can centrally managed antivirus solutions reduce network traffic, but they can also significantly reduce the time techs spend on managing the antivirus system and troubleshooting end-user problems related to antivirus software. Asking end users to regularly update their antivirus software can be tiresome at best and downright dangerous at worst. I know of help desks that routinely e-mail end users, reminding them to update their antivirus software, only to be flooded with a wave of “How do I do that?” questions. Worst yet, many end users simply ignore the e-mails altogether.

Some IT organizations use login scripts to automate antivirus updates, but this too is often fraught with difficulty as users can close the script's command window without letting the task complete. Because centrally managed antivirus software often runs quietly in the background, no end-user intervention is required, nor does the end user realize the process is occurring. Simply set your organization's update schedule and let the software do the work.

A single point of failure
Despite their advantages, centrally managed antivirus solutions are not without drawbacks. Because such systems store the virus signature/definition files in a single location—usually a network server—this server becomes a single point of failure for the entire system. If the server crashes, all workstations will be without a way to update their virus signatures—unless each machine has an Internet connection.

Timing your updates is also an important consideration with a centrally managed solution. Because new viruses are being continuously discovered, virus updates are sometimes released on an irregular basis. This can cause a problem if your organization doesn't use a fairly frequent update schedule.

Let's say your system updates all PCs on Monday, but a new virus was discovered on Wednesday. In this scenario, your PCs wouldn't have the updates required to combat this new threat. This illustrates that although centrally managed antivirus systems can reduce administration time, they don't eliminate administration altogether. When a new virus is discovered and an update is released, you should quickly determine whether the virus poses a threat to the organization and, if it does, download the most recent updates and then push those updates to the PCs. Unfortunately, this isn't always possible.

Pull rather than push
One of the inherent limitations of the many centrally managed antivirus solutions is that virus updates and changes are typically performed on a “pull” rather than a "push” basis. What this means for the IT department is that changes made to the centralized system require the workstation to check in on its own timetable for the updates rather than the server notifying all workstations that there are changes that need to be downloaded.

In the case above, this would mean that some workstations would be vulnerable to a new virus for several days. The other option is to configure the workstations to “check in” with the update server on a more regular basis, anywhere from once to multiple times a day. But be aware that this solution can create enough traffic to degrade your network's performance, depending on its capacity.

Benefits far outweigh drawbacks
Overall, a centrally managed antivirus system is, in my opinion, something that no enterprise can afford to be without. While the drawbacks can seem troublesome, they are greatly outweighed by an increase in security and a reduction in network traffic and administration time.

TechRepublic originally published this article on 8 January 2003.