This story was printed from ZDNet Australia.
Virus vaccination: 4 applications tested
By Steve Turvey, Technology & Business magazine
November 17, 2003
URL: http://www.zdnet.com.au/reviews/software/security/soa/Virus-vaccination-4-applications-tested/0,139023452,120281007,00.htm
RMIT IT Test Labs take a look at the top enterprise applications for stopping viruses from ravaging your organisation.

There's nothing like your company's LAN and Internet access slowing to a crawl and then disappearing entirely to drive home the point that even if you are a good little Boy Scout/Girl Guide and keep all your PC patches and anti-virus signatures up to date, some of your less-than-diligent colleagues can still cause you grief. The problem we're alluding to is the recent attack on our network by a variant of the W32/Sdbot (AKA W32.HLLW.Donk) worm. The worm got past RMIT's firewalls, most probably by simply hitching a ride on an unprotected laptop. Once inside the firewall it sought out all the PCs that had not received recent signature updates and proceeded to flood the network.

Some areas may have valid reasons for not updating; we, for example, carry out testing on clients' disk images that we must maintain in their current state, and that can cause headaches. But in most cases it's simply a matter of neglect.

So how do you get around the problem? The simplest method is to institute a policy, which may or may not be adhered to, that all PCs must have their AV software configured to auto-update from the relevant vendor's Web site. There is one glaring problem with this: network traffic and the associated cost. Let's say your users have configured their AV software to update once a week (not frequently enough really, but this is just an illustration) and the typical signature file is 1MB. Each user will be downloading 52MB a year, not too bad until you multiply this by your number of PCs, which may be 10,000 or more: 520GB is a bit rich. For very large sites it is probably simpler and cheaper to mirror the vendor's updates on your own in-house server, thus lowering your costs significantly. But as we have seen, relying on users to "pull" the updates down from a server will probably result in less-than-perfect coverage.

A more reliable option is to set up a server to "push" the updates to the users' PCs. This has the added benefit that the server knows when a new update is available, whereas if the users "pull" the updates they must regularly poll to see whether any are available, again needlessly chewing up bandwidth. Let's look at how some of the most popular virus solutions work.

eTrust AntiVirus 7.0
Features are standard, with the user able to nominate what types of files are scanned and how incidents are treated; the default for worms and Trojans, for example, is to delete. The scanner features the obligatory heuristics and also has a "System Cure" option that cleans the OS and modifies the registry, so at times this may require a reboot to complete the cleaning process. As readers may be aware, Vet AV is now owned by CA and, as a consequence, you can configure the scan engine to be either Vet or InoculateIT. There are a couple of very useful additions that we quite like: for example, the ability to exclude processes or directories from real-time scanning, and the scanner can be configured to deny access to files with specified extensions. And, should a specific user be detected as the source of a particular incident, they can be automatically quarantined from the network for a prescribed period of time.

We initially expected to be able to perform all administration tasks from the eTrust AntiVirus scanner application, which has both a Local and an Administrative view. However, the initial "push" of the application to clients on your domain or workgroup is actually handled by another dedicated application called Remote Install. It was at this point that we experienced some installation problems and had to avail ourselves of CA's tech support. Initially we were unable to "find" any of the target PCs on the network and had to tweak the settings to extend the timeout period, amongst other settings. Then we were unable to push to a client that was a member of the server's domain, although we could easily push to any of the workgroup PCs. This required additional rejigging of some of the settings. Unfortunately this all occurred close to deadline, so we were unable to determine whether the problems were specific to our network. Once the problems had been ironed out it was quite simple to push the AV software to the nominated PC.

From this point on all administrative tasks could be handled via the AntiVirus console. From the console the target PC's settings can be altered and basic stats obtained. If you wish to have different sets of policies for different groups of users, new "branches" must be added to the organisational tree and the relevant users placed in each group. Different blanket policies can then be applied to each branch. As can be seen from Figure 1, the tree structure is very easy to navigate and is divided into logical units such as "configuration settings", which includes e-mail policies and enforced policies (the latter enables the administrator to set up various Alert policies, Realtime Scan policies, Schedule Jobs, and signature distribution schedules, for example). In each case, multiple policies or schedules can be created and individually applied to various branches. Alerts can be quite finely customised: not only can they be sent to various targets, but the severity of the alert can be filtered and custom notifications configured for a large number of specific scan engine events, such as "error scanning memory".
Network Associates--McAfee VirusScan Enterprise 7.0 & ePolicy Orchestrator
The AV engine, VirusScan, has a very simple and basic interface; finding your way around it is relatively easy. Manual scans from the console are not really possible in the strict sense of the word; you must create a "task" and then run it to perform the equivalent of, for example, "quickly scan this folder". Of course you can simply right-click on the target folder or drive and select the "scan for viruses" option from the drop-down menu. All the usual functions can be configured or defined, such as actions to carry out upon detection, and when and what items are to be scanned, including archive files and user-defined file types rather than the time-wasting "all files". The scan engine has heuristics to help detect unknown worms and macros, and there is a simple but effective Alert configuration that allows the user to define the various alert types, the response, and the recipients.

Deployment and administration is handled by ePO and, to be blunt, while ePO is very powerful, its ease of use leaves quite a lot to be desired and its learning curve is steep when compared to some of the other packages. Admittedly it did not help that the CD-R version of the software we received was damaged and not all the documentation was accessible. If you are a small business with, say, a single domain and 300 or fewer PCs, there is a small business wizard that takes a lot of the pain out of the configuration, in that the downloading of the ePO agent to the PCs and the subsequent push of VirusScan are simplified. But start talking multiple domains and a substantial number of PCs and the basic configuration tasks are up to the administrator. The basic steps are to first download the relevant packages to the repository using the "check in package" task, configure ePO to push the ePO agent onto the client PCs in your domain, and then run the "deployment" task after you have configured its schedule and the packages to deploy.

Once the whole shebang is initially configured, it's all relatively easy to administer and manage. Individual PCs can be targeted and their AV configuration tweaked remotely, or a configuration policy can be applied at the Domain level to filter on down to the PCs contained therein. Should an outbreak occur, with ePO you can scan or update your entire Enterprise quickly and define an on-the-fly outbreak policy to lock everything up tight until you have a chance to suss out ePO's detailed reports and design a gentler policy that only protects the identified points of entry.
Sophos AntiVirus & Enterprise Manager
The installation on the deployment server consists of the AV software and Enterprise Manager. The interface for the AV engine itself is quick and easy and at first glance appears to lack the bells and whistles of some of the flashier interfaces. But when you attempt to configure the scan engine you find that it is actually quite powerful and flexible. Immediate scans can be performed on selected drives, scans can be scheduled, and live resident memory scanning is handled by InterCheck Server. The executable definition files for scanning can be edited by the user and new file types added if required, although the list is quite extensive. The scanning engine can be configured to run at normal or low priority, it can perform quick or deep scans, it scans archives, and, if required, adds the scan results to a checksum file. However, the Sophos scan times on quite a large collection of files were quite consistent regardless of whether the deep or quick scan option was selected. Immediate mode configuration allows the user to select how the scan responds to a virus and can be configured to disinfect Boot Sectors, Documents, and Programs. Infected files can be renamed, deleted, moved, or copied to another location; there is also an option to irretrievably "shred" the offending file. The Alerting options are very comprehensive and include options to configure Network Messaging, SMTP e-mail, and SNMP Traps.

Deploying and administering the AV software enterprise-wide is the responsibility of the Enterprise Manager, which for the most part has a logical and relatively easy-to-use interface. When the app is launched the user is presented with the "library configuration view". At this point the source of the virus updates for distribution from your server, which on the Sophos parent Web site is called a Databank, is defined and the update frequency scheduled. It was at this point that we became a little unstuck. We set the download Web site to the Sophos default and could not manage to connect using the supplied username and password. We had, during the configuration, set the option to "auto detect configuration" for the Internet. Unfortunately this did not detect our configuration and we were directed to disable the option by Sophos tech support, after which the connection was established without a hitch.

To delve any deeper into the deployment and admin, click on the "Start SAVAdmin" button; this launches the Sophos AntiVirus Administrator. This application also employs a simple tree structure to navigate through your network, and once PCs are "discovered" they, along with their attributes, are displayed on the right-hand side of the tree. The range of attributes displayed is quite extensive and includes not only the PC's current OS but also access details and complete details on the AV installation on the system, right down to the version number of the Dat files and whether a particular aspect of the AV is active or not. From here, AV updates can be pushed to single or multiple systems and, while the update process initially appears relatively complex given the simplicity of the rest of the processes, this is only because Sophos has included additional powerful features, as can be seen in Figure 3. SAVAdmin also enables the administrator to remotely view the target PC's scan and error logs. Should anyone on your network have an unprotected PC or out-of-date software, EM can identify the offenders and it can be configured to automatically update them. Additional administrative support is provided by EM Reporter, which collates virus alerts generated by your Sophos AV and produces customisable reports to keep the administrator abreast of the unsavoury activity on the network.

And, although we did not test it, Sophos also provides a solution for nomadic employees who occasionally wander in and out of your network with potentially dangerous notebook computers: Remote Update. This provides "on the road" updating of the notebook via a network or Web site provided by the employer.
Trend Micro--AntiVirus
The desktop AV interface is quite standard, so it's easy to understand and navigate. The ability to unmark certain folders so they are not targeted by the AV scanner is very useful. (It stops our precious virus collections being nuked by the AV scanner.) The scanner can be configured to run real-time scans on POP3 mail and also scan Outlook mail folders. Users who sync their PDAs to the desktop are not ignored and are catered for with the Wireless Protection Manager. The AV scanner also employs its own form of heuristics in an attempt to detect new threats.

Actually pushing OfficeScan onto a remote client PC could not be simpler using the Admin server's OfficeScan NT Remote Install (see Figure 4). Simply select the domain or workgroup, then the relevant PCs, and click on "apply"; if you have authorisation for the selected PCs, OfficeScan is pushed down onto each desktop. This is all performed via your browser, so you can remotely administer the server as well as clients. The great news for administrators is that you are in control of every facet of the client's AV, right down to scheduling and scan settings. You can lock the AV down so the client has absolutely no control, or you can free up various aspects of the AV to give your users some degree of freedom. The window that handles the default settings is pretty draconian, and sadly we can think of some users we would leave with the default settings. The OfficeScan general interface is very easy to navigate, as is Control Manager for that matter; so simple that nary a glance at the manuals was needed to remotely deploy and configure the AV software. The only confusion that does arise is which application you use to manage various aspects, OfficeScan Corporate Edition or Control Manager, as the names and the relevant tasks may be a tad misleading.

In general, a great deal of the administration and management is performed by the former, while the latter provides reporting, overarching deployment plans, product updates, alerts, and an extensive "Outbreak Commander". Control Manager has simple point-and-click policies for half a dozen of the most common and annoying viruses and worms, and these can be added to as they arise from Trend's Web site. When we performed the update the policies jumped to almost 40 in number and included the latest variations of Sobig, for example. The administrator has the ability to perform emergency "manual" outbreak management, but this is found in OfficeScan, not Control Manager, and simply offers the options to block selectable shared folders and ports and deny write access to files or folders for a selectable time period.
NOD32

We had intended to perform a full evaluation of NOD32 and, given its reputation as the top AV package in terms of Check Point certification, we were quite eager to include the package. Unfortunately, as the package currently stands, remote deployment is script-based (hardly user friendly) and, as the new Remote Administrator is due out in an October or November timeframe, it's pointless to evaluate this feature. However, we did take a quick look at the standalone AV scan engine and its local management tools. The interface is simple and navigation is logical. The detection engine scans incoming files and memory utilising a resident process named AMON; a second process called IMON scans e-mails. Most configuration options can be accessed by one of two methods: from NOD32's interface directly, or by launching NOD32 Control Centre (the latter providing additional config options in most cases; indeed it is the only way to configure IMON, for example). The scan engine's actions upon detecting a virus can be configured by the user and, if clean is selected, for example, the user can decide what action is taken if the virus cannot be cleaned. Diagnosing methods are configurable right down to the point where the Heuristic sensitivity can be set to Deep, Standard, or Safe modes, and file extensions can be selected or simply all files scanned. Alerts are a tad simplistic, but this may be improved in the new Remote Administrator. Scan Schedules and product updates are configured in Control Centre, whose simple tree structure is quite easy to navigate. The AMON configuration options from Control Centre also allow the user to exclude certain files and/or directories from being scanned.
How we tested

How it worked
All test servers were connected via the same switch and the Lab gateway to the Internet. Each server was allocated a pre-defined static publicly accessible IP address and each mail server was assigned a fully qualified sub-domain name. Each server was also assigned an external e-mail account. Vendors were encouraged to implement their rule sets so they were "tight to catch as much spam as that package is capable of", but not so tight as to block everything; false positives were to be avoided as much as possible. The use of current black and white lists was acceptable. Once the install/configuration period was over, the vendors were not allowed to see or access their systems again.

Static tests

We used a Microsoft internal testing tool to send the static control messages to the servers. This tool was initially developed to test mail servers under load. We adapted its use to allow us to take messages that we have collected (provided their headers have not been corrupted) and then send them with original or new headers. The scores you see are based on the results of these static tests, although they are very similar to the results achieved in the live tests as well.

Live tests

We used a Linux-based Sendmail server to combine all messages to a single account, then forward them to the multiple test accounts, which left the headers as if the messages had been sent directly from the spammers. After running these two tests using the vendors' suggested configurations, we spent a bit of time altering the vendors' rule configurations to see if tweaking the products could alter their results. Although this did not contribute to the overall scores, because of the subjective and human factors involved, it gave us some valuable information on the ease of use and effectiveness for administrators who will need to constantly tweak the systems once they are in use.
Company: Michalak Manufacturing. This company wants to roll out antivirus protection to its corporate desktops and servers.
Approximate Budget: Open.
Requires: Antivirus software for desktops and servers, and deployment software to manage the distribution of definitions.
Concerns: The company is most concerned with the ability to centrally manage the software and to control the distribution of virus definition files so that systems are upgraded as quickly as possible. The software's ability to block viruses in desktop e-mail clients is also a big concern.

Trend Micro Antivirus

eTrust AntiVirus V7 is also a very powerful and easy-to-use package that may also be worth a close look, and it gets an Honourable Mention.

About RMIT IT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own--only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.