There's nothing like your company's LAN and Internet access slowing to a crawl and then disappearing entirely to drive home the point that even if you are a good little Boy Scout/Girl Guide and keep all your PC patches and anti-virus signatures up to date, some of your less-than-diligent colleagues can still cause you grief.
The problem we're alluding to is the recent attack on our network by a variant of the W32/Sdbot worm, also known as W32.HLLW.Donk. The worm got past RMIT's firewalls, most probably by simply hitching a ride on an unprotected laptop. Once inside the firewall it rooted out all the PCs that had not received regular signature updates and proceeded to flood the network.
Some areas may have valid reasons for not updating; we, for example, carry out testing on clients' disk images that we must maintain in their current state, and that can cause headaches. But in most cases it's simply a matter of neglect.
So how do you get around the problem?
The simplest method is to institute a policy, which may or may not be adhered to, that all PCs must have their AV software configured to auto update from the relevant vendor's Web site.
There is one glaring problem with this: network traffic and the associated cost. Let's say your users have configured their AV software to update once a week (not frequently enough, really, but this is just an illustration) and the typical signature file is 1MB. Each user will be downloading 52MB a year. That is not too bad until you multiply it by your number of PCs, which may be 10,000 or more: 520GB a year across the Internet link is a bit rich.
For very large sites it is probably simpler and cheaper to mirror the vendor's updates on your own in-house server, thus lowering your costs significantly.
But as we have seen relying on users to "pull" the updates down from a server will probably result in less-than-perfect coverage.
A more reliable option is to set up a server to "push" the updates to the users' PCs. This also has the added benefit that the server knows when a new update is available whereas if the users "pull" the updates they must regularly poll to see if there are any updates available, again needlessly chewing up bandwidth.
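The two points above, that stale hosts are the ones an outbreak finds first and that a local mirror cuts Internet traffic to a single fetch per update, are easy to turn into a fleet audit. The following is an added example written for this article, not code from any of the vendors reviewed; the host inventory is constructed sample data and the thresholds (push after 7 days, isolate after 30) are assumptions you would tune to your own policy.

```python
"""Added example: audit signature freshness across a fleet and estimate the
yearly update volume for pull-from-vendor versus an in-house mirror.
The inventory and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: hostname and the date of the signature set loaded.
FLEET = [
    ("fs01",      date(2003, 9, 10)),
    ("lab-img02", date(2003, 6, 1)),    # frozen client disk image used for testing
    ("lt-sales7", date(2003, 7, 22)),   # roaming laptop, rarely on the LAN
    ("ws-acct3",  date(2003, 9, 9)),
    ("ws-dev11",  date(2003, 8, 25)),
]

# Fixed "today" so the example runs deterministically.
TODAY = date(2003, 9, 12)


@dataclass
class Finding:
    host: str
    days_stale: int
    action: str  # "ok", "push" or "isolate"


def audit(fleet, today=TODAY, max_age_days=7, isolate_after_days=30, exempt=()):
    """Classify each host by signature age.

    Hosts older than max_age_days get a push from the update server; hosts
    older than isolate_after_days are cut off the network until updated.
    Hosts named in `exempt` (e.g. disk images deliberately kept frozen) are
    reported but never actioned, so the exception is visible, not silent."""
    findings = []
    for host, sig_date in fleet:
        age = (today - sig_date).days
        if host in exempt:
            action = "ok"
        elif age > isolate_after_days:
            action = "isolate"
        elif age > max_age_days:
            action = "push"
        else:
            action = "ok"
        findings.append(Finding(host, age, action))
    return findings


def by_action(findings):
    """Group hostnames by the action the audit decided on."""
    groups = {"ok": [], "push": [], "isolate": []}
    for f in findings:
        groups[f.action].append(f.host)
    return groups


def yearly_update_volume_mb(hosts, sig_mb=1.0, updates_per_year=52, mirror=False):
    """Megabytes pulled across the Internet link per year.

    Without a mirror every host fetches from the vendor; with a mirror only
    the mirror does, and clients pull from it over the LAN."""
    fetchers = 1 if mirror else hosts
    return fetchers * sig_mb * updates_per_year


if __name__ == "__main__":
    for f in audit(FLEET, exempt=("lab-img02",)):
        print(f"{f.host:10} {f.days_stale:4d} days  {f.action}")
    print("no mirror:", yearly_update_volume_mb(10_000), "MB/year")
    print("mirror:   ", yearly_update_volume_mb(10_000, mirror=True), "MB/year")
```

The exempt list is the important design choice: the lab images in the text above have a legitimate reason to stay frozen, but they should still show up in the report so that an unpatched host is a known, documented exception rather than an invisible one.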
Let's look at how some of the most popular virus solutions work.
eTrust AntiVirus 7.0
There are basically two sets of interfaces the user and administrator must contend with and, to be honest, neither is difficult to come to grips with. The Realtime Monitors interface appears a little bland when compared to some of the other packages, but it follows the typical Windows "tabbed pages" scheme so anyone can drive it. (Its blandness is occasionally relieved by "cute" graphics of viruses.)
Features are standard, with the user able to nominate what types of files are scanned and how incidents are treated; the default for worms and Trojans, for example, is to delete. The scanner features the obligatory heuristics and also has a "System Cure" option that cleans the OS and modifies the registry, which at times requires a reboot to complete the cleaning process. As readers may be aware, Vet AV is now owned by CA and as a consequence you can configure the scan engine to be either Vet or InoculateIT.
There are a couple of very useful additions that we quite like: for example, the ability to exclude processes or directories from real-time scanning and the scanner can be configured to deny access to files with specified extensions. And, should a specific user be detected as the source of a particular incident, they can be automatically quarantined from the network for a prescribed period of time.
We initially expected to be able to perform all administration tasks from the eTrust AntiVirus scanner application, which has both a Local and an Administrative view. However, the initial "push" of the application to clients on your domain or workgroup is actually handled by another dedicated application called Remote Install. It was at this point that we experienced some installation problems and had to avail ourselves of CA's tech support. Initially we were unable to "find" any of the target PCs on the network and had to tweak the settings, extending the timeout period among other things. Then we were unable to push to a client that was a member of the server's domain, although we could easily push to any of the workgroup PCs. This required additional rejigging of some of the settings. Unfortunately this all occurred close to deadline, so we were unable to determine whether the problems were specific to our network.
Once the problems had been ironed out it was quite simple to push the AV software to the nominated PC.
From this point on all administrative tasks could be handled via the AntiVirus console.
From the console the target PC's settings can be altered and basic statistics obtained. If you wish to have different sets of policies for different groups of users, new "branches" must be added to the organisational tree and the relevant users placed in each group. Different blanket policies can then be applied to each branch, and a branch inherits whatever its parent branch has not been overridden for.
As can be seen from Figure 1, the tree structure is very easy to navigate and is divided into logical units such as "configuration settings", which includes e-mail policies and enforced policies (the latter enables the administrator to set up Alert policies, Realtime Scan policies, Scheduled Jobs and signature distribution schedules, for example). In each case, multiple policies or schedules can be created and individually applied to various branches.
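The branch-and-inherit model described above is worth seeing in miniature, because the security question it raises is not "what was set here?" but "what is actually in force on this branch, and who weakened it?". The following is an added example written for this article, not the eTrust console's own code; the tree, policy names and settings are constructed, and "nearest branch wins per setting" is the assumed merge rule.

```python
"""Added example: resolve the effective policy for a branch of an
organisational tree when policies are applied per branch and inherited
downward unless overridden. Tree and policies are constructed."""

# Constructed org tree as child -> parent; the root ("Org") has no parent.
TREE = {
    "Finance": "Org",
    "Engineering": "Org",
    "Eng-Lab": "Engineering",
}

# Policies applied at branches. Each is a partial set of settings; anything
# a branch does not mention is inherited from the branches above it.
POLICIES = {
    "Org":         {"realtime_scan": True, "sig_update": "daily", "action": "cure"},
    "Finance":     {"action": "quarantine"},
    "Engineering": {"sig_update": "hourly"},
    "Eng-Lab":     {"realtime_scan": False, "exclude_dirs": ["C:\\samples"]},
}


def ancestry(branch, tree=TREE):
    """Branches from the root down to `branch`, root first."""
    chain = [branch]
    while chain[-1] in tree:
        chain.append(tree[chain[-1]])
    return list(reversed(chain))


def effective_policy(branch, tree=TREE, policies=POLICIES):
    """Merge policies root-first so the nearest branch wins for each setting."""
    merged = {}
    for b in ancestry(branch, tree):
        merged.update(policies.get(b, {}))
    return merged


def policy_origin(branch, setting, tree=TREE, policies=POLICIES):
    """Which branch supplies `setting` for `branch` (the nearest override)."""
    for b in reversed(ancestry(branch, tree)):
        if setting in policies.get(b, {}):
            return b
    return None


def weakening_overrides(branch, tree=TREE, policies=POLICIES):
    """(branch, setting) pairs where a branch turns a protection off that an
    ancestor had turned on. Only realtime_scan is modelled: False is weaker
    than True. This is the list an auditor wants reviewed and justified."""
    found = []
    inherited = {}
    for b in ancestry(branch, tree):
        local = policies.get(b, {})
        if local.get("realtime_scan") is False and inherited.get("realtime_scan") is True:
            found.append((b, "realtime_scan"))
        inherited.update(local)
    return found


if __name__ == "__main__":
    for branch in ("Finance", "Eng-Lab"):
        print(branch, effective_policy(branch), weakening_overrides(branch))
```

The lab branch in the example disables real-time scanning, which mirrors the situation the article opens with: a legitimate exception that is only safe if someone knows it exists. `weakening_overrides` makes that visible without anyone reading every branch by hand.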
Alerts can be quite finely customised: not only can they be sent to various targets, but the severity of the alert can be filtered per target and custom notifications configured for a large number of specific scan engine events, such as "error scanning memory".
Product: eTrust AntiVirus 7.0
Price: US$65 for a single user or US$35 per seat for 1 to 99 seats
Phone: 1800 224 636
Interface is logical and easy to navigate; wide range of platforms supported.
Strong feature set, particularly with regard to alerts and inherited properties.
Cost per seat is quite low for five or more users.
24x7 phone support; e-mail and Web support.
Network Associates: McAfee VirusScan Enterprise 7.0 & ePolicy Orchestrator
The installation of VirusScan was quick and straightforward on the target server; the installation of ePolicy Orchestrator (ePO), while not particularly difficult, is a long-winded process. Admittedly our target server did not have a resident database, so ePO had that little chore as well, but even so there were a total of three system reboots and rather long file copy procedures before it was all over.
The AV engine, VirusScan, has a very simple and basic interface, and finding your way around it is relatively simple. Manual scans from the console are not really possible in the strict sense of the word: you must create a "task" and then run it to perform the equivalent of, for example, "quickly scan this folder". Of course you can simply right-click on the target folder or drive and select "scan for viruses" from the context menu. All the usual functions can be configured, such as actions to carry out upon detection and when and what items are to be scanned, including archive files and user-defined file types rather than the time-wasting "all files". The scan engine has heuristics to help detect unknown worms and macros, and there is a simple but effective Alert configuration that allows the user to define the alert types, the response and the recipients.
Deployment and administration is handled by ePO and, to be blunt, while ePO is very powerful, its ease of use leaves quite a lot to be desired and its learning curve is steep compared to some of the other packages. Admittedly it did not help that the CD-R version of the software we received was damaged and not all the documentation was accessible.
If you are a small business with, say, a single domain and 300 or fewer PCs there is a small business wizard that takes a lot of the pain out of the configuration in that the downloading of the ePO agent to the PCs and the subsequent push of VirusScan are simplified. But start talking multiple domains and a substantial number of PCs and the basic configuration tasks are up to the administrator.
The basic steps are to first download the relevant packages to the repository using the "check in package" task, configure ePO to push the ePO agent onto the client PCs in your domain, and then run the "deployment" task after configuring its schedule and the packages to deploy.
Once the whole shebang is initially configured, it's all relatively easy to administer and manage. Individual PCs can be targeted and their AV configuration tweaked remotely, or a configuration policy can be applied at the domain level to filter on down to the PCs contained therein.
Should an outbreak occur, with ePO you can scan or update your entire enterprise quickly and define an on-the-fly outbreak policy to lock everything up tight until you have a chance to read ePO's detailed reports and design a gentler policy that only protects the identified points of entry.
Product: Network Associates McAfee VirusScan Enterprise 7.0 & ePolicy Orchestrator
Price: $56.13 per node (101 to 250 node price)
Phone: 1800 644 646
Interoperability is strong, but installation and configuration were more involved than most; the interface is not as logical as that of other vendors' products.
Powerful feature set, but at times difficult to come to grips with.
Cost per seat is low for 101 to 250 nodes.
One year's updates and business-hours phone support; e-mail and Web support.
Sophos AntiVirus & Enterprise Manager
Installation of the software is relatively straightforward and certainly not as time-consuming as eTrust, for example.
The installation on the deployment server consists of the AV software and Enterprise Manager.
The interface for the AV engine itself is quick and easy and at first glance appears to lack the bells and whistles of some of the flashier interfaces. But when you attempt to configure the scan engine you find that it is actually quite powerful and flexible. Immediate scans can be performed on selected drives, scans can be scheduled, and on-access scanning of resident memory is handled by InterCheck.
The list of file types treated as executable, and therefore scanned, can be edited by the user and new file types added if required, although the supplied list is quite extensive.
The scanning engine can be configured to run at normal or low priority, it can perform quick or deep scans, it scans archives, and if required it adds the scan results to a checksum file. However, Sophos's scan times on quite a large collection of files were quite consistent regardless of whether the deep or quick scan option was selected.
Immediate mode configuration allows the user to select how the scan responds to a virus and can be configured to disinfect Boot Sectors, Documents, and Programs. Infected files can be renamed, deleted, moved, or copied to another location; there is also an option to irretrievably "shred" the offending file.
The alerting options are very comprehensive and include network messaging, SMTP e-mail and SNMP traps.
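Both the eTrust and Sophos alerting described above come down to the same routing problem: each target has a minimum severity it cares about, a few named engine events need extra recipients regardless of severity, and during an outbreak the same event repeated from dozens of hosts must not become a storm of pages. The following is an added example written for this article, not either vendor's code; the severity scale, targets, override table and sample events are all constructed, and the "collapse repeats and bump severity one level" rule is an assumption.

```python
"""Added example: route scan-engine alerts to targets by severity floor,
add per-event overrides, and collapse repeated events into one escalated
summary. Targets, rules and events are constructed for illustration."""

SEVERITY = {"info": 0, "warning": 1, "error": 2, "critical": 3}

# Per-target minimum severity; an event below the floor is dropped for that target.
TARGETS = {
    "smtp:avteam@example.invalid": "warning",
    "snmp:nms.example.invalid":    "error",
    "netmsg:HELPDESK":             "critical",
}

# Event-specific extra recipients, e.g. an engine fault pages on-call
# regardless of the severity the engine assigned to it.
EVENT_OVERRIDES = {
    "error scanning memory": ["netmsg:ONCALL"],
}

# Constructed sample events as the engine might raise them.
SAMPLE_EVENTS = [
    {"name": "virus detected", "severity": "critical", "host": "ws-acct3"},
    {"name": "file skipped", "severity": "info", "host": "fs01"},
    {"name": "error scanning memory", "severity": "warning", "host": "ws-dev11"},
]


def route(event):
    """Sorted list of targets an event is delivered to."""
    level = SEVERITY[event["severity"]]
    dests = {t for t, floor in TARGETS.items() if level >= SEVERITY[floor]}
    dests.update(EVENT_OVERRIDES.get(event["name"], []))
    return sorted(dests)


def severity_name(level):
    return next(k for k, v in SEVERITY.items() if v == level)


def escalate_repeats(events, threshold=3):
    """Collapse `threshold` or more events with the same name into a single
    summary one severity level higher (capped at critical) listing the hosts,
    so an outbreak across many PCs produces one page, not one per PC."""
    by_name = {}
    for e in events:
        by_name.setdefault(e["name"], []).append(e)
    out = []
    for name, group in by_name.items():
        if len(group) < threshold:
            out.extend(group)
            continue
        top = max(SEVERITY[e["severity"]] for e in group)
        bumped = min(top + 1, SEVERITY["critical"])
        out.append({
            "name": f"{name} (x{len(group)})",
            "severity": severity_name(bumped),
            "host": ",".join(sorted({e["host"] for e in group})),
        })
    return out


def dispatch(events, threshold=3):
    """Full pipeline: collapse storms, then route each surviving event."""
    return [(e["name"], e["severity"], route(e)) for e in escalate_repeats(events, threshold)]


if __name__ == "__main__":
    for line in dispatch(SAMPLE_EVENTS):
        print(line)
```

Note that a collapsed summary gets a new name (with the repeat count appended), so event-specific overrides keyed on the original name no longer apply to it; if an override must survive collapsing, key it on a prefix match instead. That is the kind of detail to check when you customise notifications per engine event as the text above describes.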
Deploying and administering the AV software enterprise-wide is the responsibility of Enterprise Manager, which for the most part has a logical and relatively easy-to-use interface. When the application is launched the user is presented with the "library configuration view". Here the source of the virus updates that your server will distribute (which on the Sophos Web site is called a Databank) is defined and the update frequency scheduled.
It was at this point that we came a little unstuck. We set the download Web site to the Sophos default and could not manage to connect using the supplied username and password. During the configuration we had set the option to "auto detect configuration" for the Internet connection. Unfortunately this did not detect our configuration; Sophos tech support directed us to disable the option, after which the connection was established without a hitch.
To delve any deeper into deployment and administration, click on the "Start SAVAdmin" button, which launches the Sophos AntiVirus Administrator.
This application also employs a simple tree structure to navigate through your network, and once PCs are "discovered" they, along with their attributes, are displayed to the right of the tree. The range of attributes displayed is quite extensive and includes not only the PC's current OS but also access details and complete details of the AV installation on the system, right down to the version number of the data files and whether a particular aspect of the AV is active or not.
From here, AV updates can be pushed to single or multiple systems. While the update process initially appears relatively complex given the simplicity of the rest of the processes, this is only because Sophos has included additional powerful features, as can be seen in Figure 3. SAVAdmin also enables the administrator to remotely view the target PC's scan and error logs.
Should anyone on your network have an unprotected PC or out-of-date software, EM can identify the offenders and can be configured to update them automatically.
Additional administrative support is provided by EM Reporter, which collates virus alerts generated by your Sophos AV and produces customisable reports to keep the administrator abreast of the unsavoury activity on the network.
And, although we did not test it, Sophos also provides a solution for nomadic employees who occasionally wander in and out of your network with potentially dangerous notebook computers: Remote Update. This provides "on the road" updating of the notebook via a network or Web site provided by the employer.
Product: Sophos AntiVirus & Enterprise Manager
Price: $84 per PC for 25 licences
Phone: 02 9409 9112
Relatively simple to drive and supports a wide range of environments, including Mac.
Solid package with a powerful set of features.
Moderate cost per seat.
24x7 phone and fax support; e-mail and Web support.
Trend Micro OfficeScan Corporate Edition, ServerProtect & Control Manager
Installation of the Trend Micro product is reasonably demanding and was not as automated and straightforward as the other vendors' products tested. We should note, however, that we did not receive a retail version of the product, and the supplied CD-R had a collection of patches and rollouts that probably do not appear in the retail pack. The product also consists of three applications: ServerProtect, OfficeScan Corporate Edition, and Trend Micro Control Manager for centralised control.
The desktop AV interface is quite standard, so it's easy to understand and navigate. The ability to unmark certain folders so they are not targeted by the AV scanner is very useful. (It stops our precious virus collections being nuked by the AV scanner.)
The scanner can be configured to run real-time scans on POP3 mail and also to scan Outlook mail folders. Users who sync their PDAs to the desktop are not ignored and are catered for with the Wireless Protection Manager. The AV scanner also employs its own form of heuristics in an attempt to detect new threats.
Actually pushing OfficeScan onto a remote client PC could not be simpler using the admin server's OfficeScan NT Remote Install (see Figure 4). Simply select the domain or workgroup, then the relevant PCs, and click "apply"; if you have authorisation for the selected PCs, OfficeScan is pushed down onto each desktop.
This is all performed via your browser so you can remotely administer the server as well as clients.
The great news for administrators is that you are in control of every facet of the client's AV, right down to scheduling and scan settings.
You can lock the AV down so the client has absolutely no control, or you can free up various aspects of the AV to give your users some degree of freedom.
The window that handles the default settings is pretty draconian and sadly we can think of some users we would leave with the default settings.
The OfficeScan general interface is very easy to navigate, as is Control Manager for that matter--so simple that nary a glance at the manuals was needed to remotely deploy and configure the AV software.
The only confusion that does arise is which application to use to manage various aspects, OfficeScan Corporate Edition or Control Manager, as the names and the relevant tasks may be a tad misleading.
In general, a great deal of the administration and management is performed by the former, while the latter provides reporting, overarching deployment plans, product updates, alerts, and an extensive "Outbreak Commander".
Control Manager has simple point-and-click policies for half a dozen of the most common and annoying viruses and worms, and these can be added to as new ones arise via Trend's Web site. When we performed the update the policies jumped to almost 40 in number and included the latest variants of Sobig, for example.
The administrator also has the ability to perform emergency "manual" outbreak management, but this is found in OfficeScan, not Control Manager, and simply offers the options to block selectable shared folders and ports and to deny write access to files or folders for a selectable time period.
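The manual outbreak controls just described, together with eTrust's automatic network quarantine of an incident's source for a prescribed period and the ePO "lock everything, then relax" approach, all share one mechanism: a block with an expiry. The following is an added example written for this article, not code from Trend Micro, CA or Network Associates; hosts, ports and share names are constructed, time is a plain integer number of seconds so the example runs deterministically, and the set of block kinds (network, port, share, write) is an assumption based on the options the text lists.

```python
"""Added example: a time-boxed outbreak lockdown. Blocks are recorded with
an expiry, checked with allowed(), and lifted automatically by expire().
Hosts, ports and shares are constructed; time is integer seconds."""
from dataclasses import dataclass, field


@dataclass
class Block:
    expires_at: int
    host: str
    kind: str    # "network" (whole-host quarantine), "port", "share" or "write"
    target: str  # "" for whole-host quarantine, else the port, share or path


@dataclass
class Lockdown:
    blocks: list = field(default_factory=list)

    def add(self, now, host, kind, target="", duration=3600):
        """Record a block that lifts itself `duration` seconds after `now`."""
        self.blocks.append(Block(now + duration, host, kind, target))

    def quarantine_host(self, now, host, duration=3600):
        """Whole-host network quarantine, as applied to the identified source
        of an incident."""
        self.add(now, host, "network", "", duration)

    def outbreak_policy(self, now, hosts, ports=(), shares=(), duration=1800):
        """Blanket lockdown across many hosts: block the given ports and
        shares and deny writes to those shares, all for a limited period."""
        for h in hosts:
            for p in ports:
                self.add(now, h, "port", str(p), duration)
            for s in shares:
                self.add(now, h, "share", s, duration)
                self.add(now, h, "write", s, duration)

    def allowed(self, now, host, kind, target=""):
        """True unless an unexpired block matches. A whole-host network
        quarantine denies everything for that host."""
        for b in self.blocks:
            if b.host != host or b.expires_at <= now:
                continue
            if b.kind == "network":
                return False
            if b.kind == kind and b.target == target:
                return False
        return True

    def expire(self, now):
        """Drop blocks whose period has elapsed; return how many were lifted."""
        before = len(self.blocks)
        self.blocks = [b for b in self.blocks if b.expires_at > now]
        return before - len(self.blocks)

    def active_hosts(self, now):
        """Hosts with at least one live block, for the status report."""
        return sorted({b.host for b in self.blocks if b.expires_at > now})


if __name__ == "__main__":
    ld = Lockdown()
    ld.quarantine_host(now=0, host="ws-dev11", duration=600)
    ld.outbreak_policy(now=0, hosts=["ws-acct3", "fs01"],
                       ports=[135, 445], shares=["public"], duration=300)
    for t in (10, 301, 601):
        print(t, ld.active_hosts(t), ld.allowed(t, "ws-acct3", "port", "445"))
```

The point of keeping the expiry in the record rather than in an administrator's memory is that the blanket policy relaxes itself: after the outbreak window only the targeted quarantine of the identified source remains, which is the "gentler policy that only protects the identified points of entry" the ePO section describes.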
Product: Trend Micro OfficeScan Corporate Edition, ServerProtect & Control Manager
Price: $67.98 per user inc GST (51 to 100 users)
Vendor: Trend Micro Australia
Phone: 1800 642 421
Very easy to use and configure, the simplest of all the packages tested, with a good range of OS and platform support.
Wide array of features.
Moderate pricing on a per-seat basis.
Comprehensive standard service and support policies, with the option of a fee for Premium services.
NOD32 Antivirus System
We had intended to perform a full evaluation of NOD32 and, given its reputation as the top AV package in terms of Check Point certification, we were quite eager to include the package. Unfortunately, as the package currently stands, remote deployment is script-based (hardly user-friendly) and, as the new Remote Administrator is due out in an October or November timeframe, it's pointless to evaluate this feature now. However, we did take a quick look at the standalone AV scan engine and its local management tools.
The interface is simple and navigation is logical. The detection engine scans incoming files and memory using a resident process named AMON; a second process, IMON, scans e-mail.
Most configuration options can be accessed by one of two methods: from NOD32's interface directly, or by launching NOD32 Control Centre (the latter provides additional configuration options in most cases; indeed, it is the only way to configure IMON, for example).
The scan engine's actions upon detecting a virus can be configured by the user; if "clean" is selected, for example, the user can decide what action is taken if the virus cannot be cleaned. Diagnostic methods are configurable right down to the point where the heuristic sensitivity can be set to Deep, Standard or Safe modes, and file extensions can be selected or simply all files scanned.
Alerts are a tad simplistic, but this may be improved in the new Remote Administrator.
Scan schedules and product updates are configured in Control Centre, whose simple tree structure is quite easy to navigate. The AMON configuration options in Control Centre also allow the user to exclude certain files and/or directories from being scanned.
| Product | eTrust AntiVirus V7 | McAfee VirusScan Enterprise 7.0 & ePolicy Orchestrator | NOD32 Antivirus System |
|---|---|---|---|
| Company | Computer Associates | Network Associates | NOD32 Australia |
| Phone | 1800 224 636 | 1800 644 646 | 07 3204 5000 |
| RRP inc GST | US$65 (approx A$99); US$35 per user (approx A$53) for 1-99 users | $56.13 per node (101-250 node price) | Single PC $75 (1 year) / $120 (2 years). Site licences on a sliding scale reducing to $13.50 for 2000 or more clients. |
| Warranty & support | 24x7 phone, e-mail and Web support. | One year's updates and business-hours telephone; e-mail and Web support. | Phone support for licensed users, 9am-5pm EST Monday-Friday, included at no cost. |
| On demand/On access scanning? | Yes/Yes | Yes/Yes | Yes/Yes |
| Antivirus actions | Report, delete, rename, quarantine, cure | Clean, delete, quarantine, deny access | Not supplied |
| Automatic virus data files and engine updates? | Yes, updated daily; more frequently as needed | Can be set to run daily, weekly or monthly, or at system startup, logon or idle | Automatic; checks for updates every hour by default |
| Method of centralised deployment | Push and pull | Pull; can be initiated on demand | Push |
| Supported environments | Windows, Linux, Sun Solaris, Novell NetWare, Apple Macintosh, PalmOS, HP-UX (beta), Microsoft Exchange, Lotus Notes Domino, Microsoft ISA Server, Check Point FW-1 NG, Apache Proxy | NT, 2000, XP (VirusScan 4.5.1 is included on CD and supports Win 95/98/Me), Windows Server 2003, MS Cluster Server, Citrix MetaFrame 1.8 & XP | Windows 95/98/Me/NT/2000/2003/XP, DOS, Linux, BSD, Microsoft Exchange, Lotus Notes/Domino, Novell NetWare |
| Product | Sophos AntiVirus & Enterprise Manager | OfficeScan, ServerProtect & Trend Micro Control Manager |
|---|---|---|
| Company | Sophos Australia | Trend Micro Australia |
| Phone | 02 9409 9100 | 1800 642 421 |
| RRP inc GST | $84 per PC (25 users) | $61.80 per user for 51-100 users (ex GST) |
| Warranty & support | Phone, fax, e-mail, Web. RRP inclusive of 24x7 support. | 30-day warranty. The first year of standard support is included. |
| On demand/On access scanning? | Yes/Yes | Yes/Yes |
| Antivirus actions | Disinfect, quarantine, copy, rename, delete, shred (secure erasure) | Clean, quarantine, delete |
| Automatic virus data files and engine updates? | Yes. Updates published as required, typically daily. | Yes. Pattern files are released twice weekly or during a yellow/red alert. |
| Method of centralised deployment | Pull (Web to server); pull or push (server to server); pull (server to workstation) | Generally push (depends on the desktop environment for client installation) |
| Supported environments | Windows NT/2000/XP/2003, Windows 95/98/Me, NetWare, OS/2, Unix/Linux, Mac OS 8.1+ and 9, Mac OS X, OpenVMS, DOS/Windows 3.1x | Client/server, thin client, Windows, Novell, Linux |
Is the software compatible with your existing operating system?
Is the software accurate and flexible enough to suit your needs into the future?
Does the price justify the performance and will you achieve productivity gains by using the software?
What options are available for service and support, and how much do they cost?
How we tested
To test participating vendors' anti-spam software applications, and their own technical configuration of the same, in an effort to provide some statistics on the effectiveness of current technologies' ability to successfully filter desirable and undesirable e-mail messages.
How it worked
We provided each vendor with a server running Microsoft Exchange Server 2000 on Windows 2000 Server. All vendors were invited to send a technician to the Labs on the same day to install and configure their own products and the Exchange servers. The technicians could either install their product on the same server or on a separate server also running Windows 2000 Server.
All test servers were connected via the same switch and the Lab gateway to the Internet. Each server was allocated a pre-defined static publicly accessible IP address and each mail server was assigned a fully qualified sub-domain name. Each server was also assigned an external e-mail account.
Vendors were encouraged to implement their rule sets so they were "tight to catch as much spam as that package is capable of", but not too tight to block everything--false positives were to be avoided as much as possible. The use of current black and white lists was acceptable. Once the install/configuration period was over, the vendors were not allowed to see or access their systems again.
A pre-collected set of over 1800 e-mails was sent from a few static mail accounts, and the results collected. We ran through these tests several times to ensure their accuracy and to determine the effect, if any, of the packages' learning capabilities.
We used a Microsoft internal testing tool to send the static control messages to the servers. This tool was originally developed to test mail servers under load; we adapted it to take messages we had collected (provided their headers had not been corrupted) and send them with their original or with new headers.
The scores you see are based on the results of these static tests, although they are very similar to the results achieved in the live tests as well.
Following the static tests, the packages were run on a number of live external mailboxes, providing a live test scenario with real-world mailboxes and real world external mail servers.
We used a Linux-based Sendmail server to combine all messages into a single account and then forward them to the multiple test accounts, which left the headers as if the messages had been sent directly from the spammers.
After running these two tests using the vendors' suggested configurations, we spent a bit of time altering the vendors' rule configurations to see whether tweaking the products could alter their results. Although this did not contribute to the overall scores, because of the subjective and human factors involved, it gave us some valuable information on ease of use and effectiveness for administrators, who will need to constantly tweak the systems once they are in use.
A note on results
Any results achieved by this testing only have a limited lifespan before becoming redundant, due to the nature of the applications themselves, and the dynamic nature of the spam they are trying to filter. The bad guys will always be trying new ways to get around the good guys' defences, which the good guys will always be trying to improve.
A note on servers
Due to the large number of servers required for this test, since each vendor required up to two servers for their products, we were unable to provide enough identical servers to run the tests. We therefore hired all the servers from PC Hire. Each vendor contributed the costs of hiring their own server(s), and we'd like to thank PC Hire for helping us keep these costs to a minimum. We'd like to make it clear that--as always--vendors were not charged to participate in the tests, and were only required to pay the cost of the server hire.
Company: Michalak Manufacturing. This company wants to roll out antivirus protection to its corporate desktops and servers.
Approximate Budget: Open.
Requires: Antivirus software for desktops and servers, and deployment software to manage the distribution of definitions.
Concerns: The company is most concerned with the ability to centrally manage the software and to control the distribution of virus definition files so that systems are upgraded as quickly as possible. The software's ability to block viruses in desktop e-mail clients is also a big concern.
Trend Micro Antivirus
While arguably not the most powerful enterprise AV package overall, Trend Micro's OfficeScan Corporate Edition is nevertheless feature-packed and very flexible. What sets OfficeScan, and its attendant applications ServerProtect and Control Manager, apart from the other packages reviewed is the wonderful simplicity of its interface. The Web-based user interface for product deployment is so easy to drive that for basic rollout functions, and many of the complex functions as well, the documentation can be ignored completely. This cannot be said for any of the other packages tested.
eTrust AntiVirus V7 is also a very powerful and easy-to-use package that may also be worth a close look, and it gets an Honourable Mention.