by November 1, 2004 0 comments

With a view to helping you choose the right anti virus, we figured we would try as close a ‘real-life’ scenario as possible, in the limitations of a test-bed environment. To this end, we looked at what we thought an enterprise would use and decided to select a few of the popular platforms and setups. Our testing (isolated) network consisted of: two servers running Windows Server 2003, a RedHat Linux 3.0 ES Server, and a Win XP Pro PC that we ran as a client. Most of the testing was of course done on the servers. We used one Server 2003 box as our Exchange 2003 Server (hence also functioning as a domain controller), while the other had MS SQL Server 2000 on it. We updated all systems with the latest patches, and also all anti virus software was brought up to date with the latest signatures. Here are the tests that we ran. 

We built a repository of around twenty thousand files-some pure viruses, some infected and some clean files. We even had some of the old-world viruses, mixed with the new ones. The files were variously organized into simple files and folders, zipped versions and nested-zip archives.

We used our three axis model of performance, price, and features to determine the winners, and used the Brown-Gibson model for the weightages. In pricing, we asked for per user license cost for 500 users, and also asked for the renewal rates. 

Basic file scan
We first ran a basic virus scan on our virus collection. Here, we ensured that the anti virus was configured to detect all files, including those within compressed zip files. The idea here was to check how many viruses actually get detected inside the zipped files.

All virus scanners can normally scan inside zip files, but many stop the moment they find even a single file infected. Some scanners go through all the contents and indicate how many files are infected. So we gave higher weightage to virus scanners that detected more viruses inside zip files. 

Variant tests
Variants have become a common threat these days. The viruses and trojans have become smarter. They can mutate themselves into other forms to escape detection. We checked whether each anti virus was capable of detecting multiple versions of the same virus and how many does it detect. For this, we had a separate set of folders that contained about 105 variants of all the viruses we had. 

E-mail tests
We had downloaded a batch of 500 odd mail from various sources-some spam, some containing attached or embedded viruses and worms. For each anti virus solution, this batch was injected onto our Exchange and Linux servers with the e-mail plug-ins running. Statistics regarding the number of detected spam and e-mail messages were noted. After each run of this test, we flushed the mail boxes of previously downloaded messages.

Resource usage tests
This is not exactly a ‘test’, but noting down the Memory and CPU utilization figures as reported by the Windows Task Manager. Two sets of values were noted: usage without on-demand scan and usage when an on-demand scan was in progress. Our philosophy here was that if the anti virus used up more system resources for itself, then you might need to invest in a separate ‘Anti virus Server’ (machine) in your infrastructure!

Ease of set-up and configuration
The popularity of a product depends directly on how easy and intuitive it is to use various features it exposes. Under USP, we rated the ease of installation and ease of configuration. We also noted the various types of files and archives it could scan into, the kind of features you get from its management console(s), the types of updates it guarantees and the kind of network protection features it offers. Administrative exigencies such as policy creation, enforcement and reporting were noted for comparison.

TrendMicro Enterprise Solution

Our winner, TrendMicro Enterprise gained its lead over the others purely because of its colossal feature list. The package features extensive protection solutions for your OS (file server), e-mail and networking sub-systems. Besides this, it has excellent reporting and monitoring capabilities. One thing that sets an anti virus apart from the others is its ability to transparently scan, report and take preventive action. On these three fronts again, TrendMicro takes the lead with its triplet agents that together prevent an outbreak on your network (by downloading the latest pre-signature patches from their website), limit the damage if an outbreak has already occurred, and downloads and manages patches and policies on your network.

Performance wise, the package showed good results, though we did find it to be a resource hogger (given the number of services it had to run in the background). According to TrendMicro, the anti virus requires the presence of MS Java Virtual Machine (but we could run it on Sun JRE) for the Web-based management consoles to work and neither of these are installed or distributed with the product. Different components of the product can be installed on different machines on the network and they will then use the corresponding agents to work seamlessly as one. As far as the pricing is concerned the company charges Rs 3,120 for each client license (for 500 users) for the first year which looks like a huge initial investment but the renewal charges reduces to the 30% of the initial cost which makes it one of the cheapest anti virus solution at the end of two years.

An excellent choice for your enterprise, TrendMicro makes up in sheer features and pricing what it lacks in raw resource-linked performance. RQS# E66 or SMS 131166 to 9811800601

eTrust Anti Virus

eTrust was consistently strong in all of features, performance and price, matching but slightly lagging behind

Perhaps one of the favorite features amongst us was its simply fabulous and extensive reporting and logging module, which gave so many different types of information. eTrust also seemed to take up quite a lot more system resources, but the number of viruses and variants detected were fewer (at par with TrendMicro). Where it really lost out was in its pricing strategy; had it offered a similar pricing as the winner, we would have seen a much closer finish. However, if you use a lot of different platforms on your infrastructure, eTrust would be the way to go, since its list of supported OSs and versions is long and comprehensive, a lot of different flavors of Windows, Linux and UNIX, not to mention the Mac OS and NetWare. It has a comprehensive list of supported applications, even MS ISA Server and Proxy Server can be plugged in for network security.

Add to this list features like over 60 pre-defined reports templates and complete remote management, and you get an unbeatable product combination. Unbeatable and it came in second? Yes, only because of its pricing, a little less than Rs 8 lakh for a 500 user purchase. If your budget is a little higher, eTrust would be the way to go. RQS# E67 or SMS 131167 to 9811800601

McAfee VirusScan Enterprise 8.0i

McAfee for the enterprise comes in two basic modules-the VirusScan (files) and GroupShield (messaging). This anti virus has amongst the best security capabilities beyond anti virus scanning of the lot, with features like a ‘rules based’ IDS, a firewall with every desktop, and even buffer overflow protection. It even gave amongst the best performance of the lot, with real low memory usage, and detection of just about every virus in our list, whether it was nested within multiple zip files or a variant. Had the pricing been a little more aggressive, this would have won hands down. At a price of nearly Rs 10 Lakh for a 500 user installation, it stands out as the second costliest product for the first year and the costliest on second year renewals on our list of contenders.

The company offers two streams of licensing/support policies (AVD and AVS) for your network clients and each are priced differently. And although it had a fairly long features list, there were no agents, and it could do nowhere near as much as eTrust on its reporting side. The administrative console is Spartan- the number of options available are few and each of these allow you to edit on a limited number of parameters. And yes, we could not find a Web-based UI for the management console (there is one for its Exchange component). 

McAfee also requires you to install Sun JRE and quite luckily, it is distributed on the CD-ROM and installed when you launch its GroupShield console for the first time. RQS# E68 or SMS 131168 to 9811800601

avast! 4 Server Edition

avast! was way behind in features and performance, but turned out to be the cheapest of the lot. With an aggressively low pricing policy of a tad under Rs 3 Lakh, it remains cheaper than TrendMicro even after the latter’s whopping price decrease of 70% on renewal. The product is nowhere as feature rich as offerings from TrendMicro, McAfee or eTrust. Out there, avast! seems to be primarily used for defending e-mail systems. 

However, we found it performing even better than eTrust and TrendMicro in the number of virus variants it detected. It also used up much lesser CPU, although it took up a lot more memory!

Funnily for an enterprise product, avast! features a ‘skinned’ interface, accessible through the ‘Enhanced User Interface’ option on its management console. Its ‘iNews’ feature seeks to bring to your console the latest on new threats and cures. On the reporting front, while you can set up a location for the logs to be saved into (for a scan or scheduled task), we found it does not actually save it there (bug?) and we had to go to the default location inside its Program Files folder to get it. For a certain task, it can only overwrite or append to the existing log file, which means if you run the same scan twice, you will only
get a single file, however, you can still see separate reports for each scan-session in the console.

The company’s website features a discussion forum for users to discuss their malware troubles. avast! was also a choice among few products that featured protection for P2P applications and had the ability to send alerts via MSN Messenger. RQS# E69 or SMS 131169 to 9811800601

MicroWorld eScan 2003

eScan supports the lowest number of platforms-just Windows and RedHat Linux. For the enterprise, you need to use both the Corporate Edition (file scanner) and the MailScan (for SMTP mail). The copy we received did not have a file-scanner for Linux and the MailScan component supported RHL versions 7, 8 and 9. eScan gains heavily on the performance over other products, for one simple reason-it uses the lowest amount of memory and CPU during scans. It shared the top spot as far as variant detections are concerned. We would have liked to see a Web-based management console for eScan. It is not that eScan is lacking, but that TrendMicro, eTrust and McAfee had it so much better. For example, the number of flavors of Linux OSs supported can be improved. 

The vendor claims support for ‘over 22 types of mail servers’ and all CVP-compliant firewalls, including groupware like MS Exchange and Novell GroupWise. Installation, configuration (through the management console) and definition updates are very easy. You can create policies to push updates to the clients. It has a configurable cap on the maximum sized file that you can scan (in MB), making it useful if you have large files or CD dumps on your scan-list.

On the virus-detection front, only single-level archives are scanned/reported, regardless of the number of actual files and malware. The variants detected are at par with other products. For a 500 user purchase, eScan comes for Rs 1,624 per user, pushing your bill to around Rs 8 Lakh. All that said, it is in no way a lean product and compares favorably with its rivals.
RQS# E70 or SMS 131170 to 9811800601

Memory consumed (Kb)

  Ease of set
When idle When
utilization (%)
Scan within
zip files
variants detected
4.0 Server Edition
3 16,704 34,728 25 3 83
3 11,948 12,176 41.5 3 73
VirusScan Enterprise 8.0i
3 5,736 19,250 33.5 3 97
eScan 2003 (eScan Corporate, MailScan)
2 5,332 5,594 15 2 97
Anti Virus
2 21,780 23,052 90 3 39
Enterprise Solution (ServerProtect, OfficeScan Corporate, IMSS, IWSS,
ScanMail, SPS)
3 12,000 12,000 36 3 73
of set up:
How easy it was to set up and configure. 1-No predefined
settings, 2-Predefined but limited settings, 3-Lots of predefined &
custom settings
Amount of RAM (in Kb) used when no on-demand/scheduled scans
were running
Amount of RAM (in Kb) used when on-demand/scheduled scans
were running
utilization (%):
Amount of CPU used (%age) when on-demand/scheduled
scans were running
within zip files: 
many levels of a zip file it scanned. 1-As a single file, 2-The zip and
its immediate contents, 3-The zip and each zip inside it recursively
variants detected:
number of variants of different viruses it detected. Total number was 105

SOPHOS Anti Virus

SOPHOS lagged behind the rest in both features and pricing, although it was the second best priced product in our list. Its per-seat price is only just higher than offered by avast! for the 500 user range. Very strangely, this product seems to use a large number of system resources-both memory and CPU-while scanning. Even when idle, it uses up a whopping 21 MB
of RAM-by far the highest used by any product in this shootout.

Although it supports reasonable number of server and desktop OSs, the number of application and groupware supported is minimal. Another area we found it lags in is reporting-with fewer options and types of reports available. For its reports, SOPHOS requires the presence of a MS SQL Server (which you have to acquire and install separately) somewhere on your network, so that it can store its logs on it. This database is also made use of by its PureMessage (plug-in for Exchange) to store the quarantined messages. It then uses Crystal Reports to display and print the information for you depending on variously selectable views. Installation is also a little exasperating, when clicking on the ‘Install’ buttons and links on its Web-based CD-interface leads to further Web pages instead of the installer itself. Also, all the agents available are for

SOPHOS is available for quite a few platforms, besides Windows, and includes NetWare, Linux and various Unices. Plus, it even has a desktop anti virus for the Mac. It was the second cheapest of the lot, charging 950 per user license for 500 users. It charges the same for
the renewal rate. RQS# E71 or SMS 131171 to 9811800601

Anti Virus Specifications

Virus Specifications
Product Price
Updates Supported
Frequency Server Desktop Application
Reporting Security Management 
4.0 Server Edition
per server + 525 Per user per year for 500 users
from the Internet only
a Week
Linux, UNIX, NetWare
Qmail, Sharepoint (Portal, Services), MS Proxy Server, ISA Server
reporting of infections & vectors, 
Exportable into RTF, PDF, HTML
file – based AV and spam-filter, 
Script blocker, Can setup SNMP traps, Alerts through MSN
Messenger, Command- line scanner, P2P Policies
& Deskto;p UI, Manage policies 
and enforcement,  avast! iNews for e-bulletins
e-Trust 7.1
Per user per year for 500 users
from the Internet,  Download from Internet & distribute
Weekly Windows,
RedHat Linux, SuSE, UNIX,  Solaris, HP-UX, NetWare
RedHat Linux, Mac OSX
Lotus Notes/Domino, ISA Server, Apache
pre-defined  templates,  Threat analysis (Source & 
Vector), Extensive report viewer, Extensive policy mgmt tool, can 
manage policies and reports by Domain/Users/ timeline
and blocks  undesireable scripts, ActiveX components and
improperly signed executables, Can setup SNMP Traps, Standard 
file-based AV and spam-filter
& Desktop UI, Manage plugin products locally/remotely, Manage
policies and enforcement, User management for eTrust, Remote server
and desktop  anti-virus deployment
Virus Scan Enterprise 8.0i
750 + AVD 2000 per  node 
OR AVS  1500 per
node  for 500 users
from the Internet, Download from Internet & distribute across
Weekly Windows,
Lotus Notes/Domino
threat & patch analysis for  entire network,  Predefined templates, 
Reports can be sent directly to policy-module to enforce
access control
based IDS (Ports, Shares, Network Drives), Desktop firewall, Detects
and blocks undesireable programs, scripts, ActiveX components and
improperly signed executables, Features  Buffer Overflow Protection, Can setup SNMP Traps, Standard
file-based AV and spam-filter
UI,  Manage plugin
products locally/remotely, Manage policies and enforcement, Remote
server and desktop anti-virus deployment l Can configure time spent
scanning each type of file
eScan 2003 (eScan  Corporate,
per user per year for 500 users
from the Internet only
Weekly Windows,
reporting of  infections
and vectors
file-based AV and spam-filter
UI, Manage plugin products locally, Manage policies and enforcement
Per user per year for 500 users
from the Internet only
Monthly Windows,
NetWare, OpenVMS,UNIX
Mac OS,  Mac OSX
Lotus Notes/Domino
report templates, Threat analysis (Source & Vector), Reporting
server can be installed separately,  
Reporting users SQL server 
for storage
file-based AV and spam-filter
UI, Manage plugin products locally, Manage policies and enforcement
Micro Enterprise Solution (ServerProtect, OfficeScan Corporate)
per user for the first year, 936 per user from second year onwards
from the Internet, Download from Internet & distribute across
Weekly Windows,
NetWare, Linux, UNIX
Lotus  Notes/Domino, Apache, Qmail
predefined report formats, Exportable into RTF,  PDF, HTML,
Uses Crystal Reports.
file-based AV and spam-filter, Policy-based IDS  (ports, shares, network drives), Protection for  PDAs
and Wireless devices, Desktop firewall, Detects and blocks undesireable programs, scripts,
ActiveX components and improperly signed executables.
& Desktop UI, Manage plugin products locally/remotely, Manage
policies and enforcement, Plugin & Product management (including
licencing), Remote deployment & 
scanning, remote server and desktop anti-virus deployment

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.