November 1, 2004



The anti-virus world has seen a lot of changes recently, having had to keep pace with the growing number of security threats.
For one, it is now more of a solution than a single product you install on a machine. Today, if you want to deploy anti-virus on your network, you first have to determine what you want to protect. The list includes servers, workstations, applications and even PDAs. Since the solution spreads across so many elements, you have to worry about managing it, keeping it updated and defining the course of action if (God forbid) a virus strikes, so you have to check whether a given anti-virus solution lets you do all of this efficiently. Another trend is that anti-virus products are becoming more feature rich, incorporating other security functions such as anti-spam, firewalls and intrusion detection/prevention. This poses a major challenge for an enterprise that needs to decide which solution to implement. In this story we'll talk about what parameters to look for. It is based on our experience with the six anti-virus solutions we tested, so you will also be able to check how each fares against these parameters.

OS support
First check how many OSs are running on your network, at both the desktop and server level. Then check which vendor's anti-virus is available for the OSs you want to protect. Apart from Windows, the AV solutions included in our shootout came with support for various Linux distros and UNIX flavors, S/390, Mac OS and NetWare. See the feature table for the OSs supported by each of the anti-virus products we tested.

Application plug-ins
Next, define the applications you want to protect. Although you would assume that most vendors support things such as your Web and mail servers, you would be surprised how few actually include this in their default packages.

Java vs Java

Since Microsoft discontinued its Java Virtual Machine (MSJVM), anti-virus vendors whose consoles depended on it have been switching to Sun's Java Runtime Environment (JRE). Check which Java your solution uses, and which version, because MSJVM is no longer available for download.

Database servers are another area largely ignored by vendors, even though they are a common and damaging point of attack. Slammer, after all, spread through an unpatched SQL Server 2000 resolution service; Blaster and Code Red, the other two worms nobody has forgotten, hit the Windows RPC service and IIS respectively. One caveat worth remembering: Slammer lived entirely in memory and never wrote a file to disk, so a file scanner would not have caught it. Application-level anti-virus helps with infected mail, documents and uploads; against a worm exploiting a service vulnerability, patching and network controls are what count. So check what sort of protection is available for your applications. Applications for which anti-virus support is readily available include MS Exchange, Lotus Domino, ISA Server and SharePoint.

Management support
A number of vendors seem to think that simply licensing a product for 'server' usage adds the 'enterprise' tag to it. Do check whether you can actually configure, manage and use the reporting features of your chosen AV solution in a real-life deployment, that is, from your workstation over the LAN. The solution should also let you handle things through a plain Web browser, so that you can act quickly without running down to the server room whenever something happens. Other features to look for in the management console include the ability to remotely configure, deploy or uninstall any of the anti-virus components. Since that console can push software to every machine on the network, also check that access to it is authenticated and, for the Web interface, encrypted (HTTPS).

Policies and enforcement
Check whether you can define and enforce policies from the anti-virus console. Can you create file-scan or filtering policies and update them? Some solutions can deny network access to computers or users that are not running fully patched systems. Can you create policies for transient systems, i.e. notebooks and wireless devices, whose location and entry into or exit from the infrastructure you cannot control much? Do note the difference between a reporting policy and an enforceable policy. A solution could have all of the above policing features but be unable to enforce any of them: it can report that some user or machine is in violation, but no more. Look for solutions that give you enforceability for your policies. Ultimately, this translates into fewer calls around the office to find out who has that Blaster infection on their machine.

Agents
Although they sound unimportant, agents are of immense background value to your solution. Agents are what let the various components (possibly deployed across several servers) communicate and integrate with each other. Some agents also connect to the vendor's Web servers and services to download updates and upgrades. Make sure your solution has them. If it comes with many components that can be installed separately, chances are that there are corresponding agents as well: update agents, reporting agents, scan agents, notification/alert agents, policy agents and security agents. Since these agents typically run with system privileges on every machine, it is worth checking that the channel through which they receive updates and commands is authenticated; an agent that accepts unsigned updates is a way into every machine it runs on.

Reporting and logging
Just as important as having policies is knowing what has been happening on your systems. Imagine a call from your boss at 3 AM asking, "What happened to my presentation files?" Instead of running recovery software to figure out who messed with them, you could look up your AV's logs and tell him, "Sorry sir, but they were infected and so placed in quarantine."

Where and how the software logs information also matters. Some vendors write to the Windows Event Log, others to an SQL Server or MSDE database that a Crystal Reports engine then uses to show various views. Both are fine, but make sure the output is something you can use, and that the logs can be collected centrally or exported, since logs that live only on the infected machine are the ones you can trust least. The 'big ones' can display a variety of reports; we found one that scanned our network while we slept and told us which systems on our LAN were 'hotspots' for future problems and why. If your anti-virus can do half your work by figuring out why something is wrong and what you could do about it, consider it money well spent.
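To make the two questions above concrete (what happened to a given file, and which machines are hotspots), here is an added example, not code from the article or from any of the products tested. It parses a constructed, one-event-per-line log format invented for this example; a real product would write to the Windows Event Log or a SQL Server/MSDE database, so only `parse_line()` would need to change. The host names, user names, threat names and file paths in the sample are made up.

```python
"""Answer two questions from anti-virus logs: what happened to a file, and which
hosts are recurring 'hotspots'. Log format and sample data are constructed for
this example; they do not come from any real anti-virus product."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical hosts, users, threats and paths).
SAMPLE_LOG = "\n".join([
    r"2004-10-28 09:12:44 host=FS01 user=CORP\jdoe action=quarantined threat=W32/Netsky.P file=C:\Shares\boss\q3-results.ppt",
    r"2004-10-28 09:12:45 host=FS01 user=CORP\jdoe action=quarantined threat=W32/Netsky.P file=C:\Shares\boss\q3-results-v2.ppt",
    r"2004-10-28 11:03:10 host=WS-114 user=CORP\asmith action=cleaned threat=W32/Blaster.A file=C:\WINDOWS\system32\msblast.exe",
    r"2004-10-29 08:40:02 host=WS-114 user=CORP\asmith action=cleaned threat=W32/Blaster.A file=C:\WINDOWS\system32\msblast.exe",
    r"2004-10-30 17:22:51 host=WS-114 user=CORP\asmith action=quarantined threat=W32/Bagle.AI file=C:\Documents and Settings\asmith\Local Settings\Temp\price.zip",
    r"2004-10-30 17:25:00 host=WS-207 user=CORP\bkumar action=detected threat=W32/Bagle.AI file=C:\temp\price.zip",
    r"2004-10-31 02:00:00 host=FS01 user=SYSTEM action=definitions_updated threat=- file=-",
])

# 'file=' is last so the path may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"threat=(?P<threat>\S+) file=(?P<file>.*)$"
)

# Actions that mean malware was actually found on the host.
DETECTION_ACTIONS = {"detected", "cleaned", "quarantined"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def parse_log(text):
    """Parse the whole log, silently skipping unparseable lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def file_history(events, name_fragment):
    """The 3 AM question: every event touching a file whose path contains name_fragment."""
    frag = name_fragment.lower()
    return [ev for ev in events if frag in ev["file"].lower()]


def hotspots(events, min_events=2, window_days=7):
    """Hosts with at least min_events detections inside any window_days span.

    Returns {host: {"count", "threats", "reason"}}. A threat seen on the same
    host on two different days means the cleaning did not stick, which is the
    'why' a hotspot report should give you (typically an unpatched machine).
    """
    per_host = defaultdict(list)
    for ev in events:
        if ev["action"] in DETECTION_ACTIONS:
            per_host[ev["host"]].append(ev)

    report = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).days < window_days]
            if len(window) < min_events:
                continue
            threats = sorted({e["threat"] for e in window})
            repeat = [t for t in threats
                      if len({e["ts"].date() for e in window if e["threat"] == t}) > 1]
            if repeat:
                reason = f"{', '.join(repeat)} came back after cleaning; check patch level"
            else:
                reason = f"{len(window)} detections of {len(threats)} threat(s) in {window_days} days"
            report[host] = {"count": len(window), "threats": threats, "reason": reason}
            break
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in file_history(evs, "q3-results"):
        print(f'{ev["ts"]} {ev["host"]}: {ev["file"]} {ev["action"]} ({ev["threat"]})')
    for host, info in hotspots(evs).items():
        print(f"{host}: {info['reason']}")
```

Run against the sample, `file_history(evs, "q3-results")` answers the boss's question with two quarantine events on FS01, and `hotspots(evs)` flags WS-114 because W32/Blaster.A was cleaned on two consecutive days and then a third threat appeared, which is exactly the machine a report should tell you to patch rather than merely clean again.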

Technical support and updates
Check how often the vendor provides virus definition updates and how they are delivered, first to your servers and then to the rest of the infrastructure. There are various ways this can happen: a background auto-updater that runs while you sleep, or manually downloading and running the update files from a website. You should also be able to place the update files in a central location and instruct the anti-virus on your workstations to fetch them from there, or create policies in your management console to install them automatically. If you stage updates yourself, verify them against the vendor's published checksum or signature before you publish them to the share, since every machine on the network will trust whatever sits there.

When something goes wrong with the software that is supposed to protect your data, it is nice to have someone to talk to about it. To this end, find out whether your vendor offers any kind of support program. A few vendors will also sign agreements with you, perhaps for an extra fee, with clauses like "if we cannot give you a patch for that new virus within...". While a court case is of little use once data is lost, such a lifeline does guarantee that if something goes wrong, someone is putting in that extra effort to help you.

Pricing and licensing
Be very careful when you check out the pricing, because it can be pretty confusing. There can be a per-server cost, a per-user cost and a separate cost for the management console. All the software we received said it came with one year's worth of free updates; check whether you can get more. Some vendors price their products with a 'divide by quantity' approach, so that 500-user (or node) licensed product someone is selling for Rs 500 actually costs Rs 2,50,000 (two-and-a-half lakh). Some quote the server and client components separately. A few charge extra for support, which of course means you get that extra edge in technical support. These prices are usually yearly subscriptions, since the companies release a new version every year and require you to re-purchase in that time frame. From this perspective it is a large and recurring investment. Do you want to spend that half a lakh extra every year just because it sends you alerts via MSN?

In the end, remember that AV products are just as hard to retrench and change across an enterprise as any other software. Sometimes you have to rebuild entire systems to make the last vestiges go away. That makes it worthwhile to consider your options carefully before making the purchase.

By Anindya Roy, Sushil Oswal, Sujay V. Sarma
