Prevention is medicine
A guide to enterprise antivirus management systems
- By Maggie Biggs
- Aug 05, 2002
"Quick, do something!" the frantic manager exclaimed over the phone. "Our 400 field offices are having trouble sending and receiving e-mails. I'm getting reports from them that the e-mail server is excruciatingly slow. Can you please find out what is wrong?"
The administrator deftly accessed the console for the Lotus Development Corp. Domino server cluster that supported the field offices and began to investigate. He found antivirus processes spinning out of control on two of the servers in the Domino cluster. Both antivirus processes seemed to be having trouble with memory addressing.
Subsequent examination by the administrator found that the operating systems of the two problematic servers had been upgraded only the day before. The networking group that had done the upgrade had not bothered to check the compatibility of the servers' antivirus software with the new operating system before performing the upgrade.
Restoring the Domino cluster to a service level expected by the field offices involved taking down the server cluster, which left more than 3,000 users without e-mail service during business hours. The administrator removed the problematic antivirus software, replaced it with another antivirus product and brought the servers back online.
A Revealing Illustration
The previous scenario shows clearly just how important it is to closely manage antivirus solutions. Not doing so can cost an agency serious money in unproductive downtime and lost revenue.
Today, antivirus software is a must-have across the entire enterprise. It used to be that you could compare and evaluate antivirus solutions on the basis of how well they detected viruses and how easy it was to update the product and its virus definitions. However, the explosion of antivirus technologies makes that comparison trickier than ever these days.
When considering antivirus technology as part of an overall security policy, it becomes increasingly important to examine other differentiating factors, such as available management tools and platform support.
For this article, we examined four of the leading enterprise antivirus solutions on the market, with the focus on evaluating how manageable they are and how well they would provide coverage in a mixed-platform, agencywide deployment.
To do this, we created multiple configurations that included a variety of desktop systems, including Apple Computer Inc. Macintosh, Linux and FreeBSD clients. (FreeBSD is an advanced operating system derived from BSD-Unix, a version of Unix developed at the University of California Berkeley.) Various file systems, gateways, groupware configurations, mail servers and enterprise server platforms were also included in this test.
What we found is that antivirus software providers such as Trend Micro Inc., Sophos, Network Associates Inc. and Symantec Corp. have begun to take manageability seriously. However, some of the solutions we evaluated do not go far enough to truly support the heterogeneous computing environments that we work in today.
In addition, some of the antivirus solutions lack support for distributed computing environments, wireless devices, network appliances and storage platforms. Agencies that buy antivirus technologies that do not support the full range of platforms in their enterprise — not just PCs — are leaving themselves open to the havoc that virus writers hope to wreak.
Trend Micro: Proactive Management
Under the banner of its enterprise security solution, Trend Micro provides comprehensive antivirus coverage. Its management tools, Trend Control Manager and Trend Virus Control System, offer centralized management of antivirus software and updates across the enterprise. Administrators can update the software and its associated pattern files across all supported platforms from a single console.
Included in the Control Manager is a feature called Outbreak Commander, which provides the latest attack information well in advance of the availability of new pattern files. The service gives administrators recommendations on how to handle the newest attacks so they can take measures against them.
In some areas, Trend Micro is well ahead of its rivals. In particular, the company has begun supporting antivirus technologies for network appliances and storage-area network solutions. These types of computing assets need to be protected so that viruses do not sneak into them and subsequently damage data or infect other parts of the enterprise.
For end users, Trend Micro provides solid coverage for Microsoft Corp. Windows desktops and wireless devices such as the Palm Inc. Pilot, and its coverage extends to remote workers' desktops, too. However, as enterprises increasingly turn to more cost-effective desktop operating systems, such as Linux, FreeBSD and Macintosh, Trend Micro should add support for these platforms. We were unable to locate a Linux, FreeBSD or Macintosh-based version of either Trend OfficeScan or PC-cillin.
For file systems, Trend Micro's ServerProtect is one of the first file system antivirus solutions to support Linux. We found Trend Micro's support of Linux, Novell Inc.'s NetWare and Windows NT and 2000 to be solid.
Agencies should also install antivirus technology on gateway devices. In this area, Trend Micro's InterScan goes further than its rivals by supporting a variety of gateways, including Sendmail Inc.'s Sendmail, Hewlett-Packard Co.'s HP-UX, Sun Microsystems Inc.'s Solaris, Linux and Windows. InterScan performed very well during our tests.
However, Trend Micro really shines when it comes to supporting e-mail antivirus technologies on mission-critical midrange and mainframe systems. In many enterprises, running an e-mail cluster on a mainframe is mandatory given the number of users. For these types of agencies, ScanMail provides the type of coverage needed to protect staffers from e-mail-borne viruses.
Sophos: Easy Does It
Like their counterparts at Trend Micro, the folks at Sophos are concerned about ensuring that their antivirus technologies can be easily managed across the enterprise. The company's Enterprise Manager enables administrators to centrally manage installation and updates of its antivirus applications and virus definitions.
The Enterprise Manager is easily configured to allow scheduled updates from Sophos. Once obtained, the latest versions are placed into centralized installation directories where they can be made available to other computing devices throughout the agency.
On the desktop, Sophos goes further than Trend Micro and some other rivals by offering antivirus support not only for Windows-based systems, but also Linux, FreeBSD, Macintosh, DOS and OS/2. We could not, however, locate any Sophos technology that would protect wireless devices.
Sophos assumes that most agency networks are running on either Windows or NetWare. The company's antivirus technology works very well on these platforms. However, adding support for other types of network file systems, including Linux and Solaris, would make the solution attractive to a wider variety of installations.
We used the Sophos MailMonitor on some Simple Mail Transfer Protocol (SMTP) gateway devices, and then we tested it in conjunction with Windows-based Lotus Domino and Microsoft Exchange systems. The Sophos technology worked wonderfully in these test environments and trapped every virus we threw in its way.
However, we think that Sophos should expand gateway support to include a wider array of devices, and groupware support for Domino could be expanded to include the other Lotus platforms, because most enterprise Domino installations are running on platforms other than Windows.
Sophos offers broad antivirus protection on enterprise systems. The company's antivirus tool supports IBM Corp.'s AIX, Solaris, Linux, FreeBSD, the Santa Cruz Operation Inc.'s SCO, HP-UX, Digital Unix, OS/2 and OpenVMS. We had no trouble using Sophos Anti-Virus on a number of these platforms. Expanding platform support for Sophos Anti-Virus to other enterprise-class systems will only make Sophos a better fit at even more agencies.
Interestingly, Sophos was the only solution we found that offers application interface support, called Sophos Anti-Virus Interface (SAVI). The inclusion of SAVI in Sophos' offerings provides a way for developers to create applications with built-in virus protection. An agency with outward, public-facing applications might use SAVI to ensure that data received is tested for viruses before it crosses into internal agency systems.
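The scan-before-accept pattern described above, as an added example that is not Sophos code and does not use the SAVI API: a gate that every inbound payload of a public-facing application passes through before it reaches internal systems. The scanner interface, the `SignatureScanner` stand-in (which recognises only the standard EICAR antivirus test file) and the `BrokenScanner` are constructed for illustration; a real deployment would plug the vendor's scanning interface into the same `Scanner` slot. The gate fails closed: a payload that is too large to scan, or a scanner that errors out, is rejected rather than waved through.

```python
"""Added example (not from the article or any vendor): a scan-before-accept
gate for inbound data, in the spirit of an application-level antivirus
interface. The scanner used here is a constructed signature matcher that
knows only the EICAR test file; swap in the vendor engine in production."""
from dataclasses import dataclass
from typing import Dict, Optional, Protocol

# The standard, harmless EICAR antivirus test string (68 bytes).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical limit on what we are willing to hand to the scanner at once.
MAX_SCAN_BYTES = 10 * 1024 * 1024


class Scanner(Protocol):
    """Minimal interface a vendor engine would be adapted to (assumed)."""

    def scan(self, data: bytes) -> Optional[str]:
        """Return the name of the detected threat, or None if clean."""
        ...


class SignatureScanner:
    """Constructed stand-in for a real engine: plain byte-signature matching."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures

    def scan(self, data: bytes) -> Optional[str]:
        for name, signature in self.signatures.items():
            if signature in data:
                return name
        return None


class BrokenScanner:
    """Constructed: simulates an engine that is not loaded or has crashed."""

    def scan(self, data: bytes) -> Optional[str]:
        raise RuntimeError("scan engine unavailable")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def gate_inbound(data: bytes, scanner: Scanner,
                 max_size: int = MAX_SCAN_BYTES) -> Verdict:
    """Decide whether inbound data may cross into internal systems.

    Anything that cannot be positively scanned is rejected (fail closed).
    """
    if len(data) > max_size:
        return Verdict(False, "too large to scan")
    try:
        detected = scanner.scan(data)
    except Exception as exc:  # engine failure must not become a bypass
        return Verdict(False, f"scanner error: {exc}")
    if detected is not None:
        return Verdict(False, f"detected {detected}")
    return Verdict(True, "clean")


# Default scanner for stand-alone use: knows the EICAR test file only.
DEFAULT_SCANNER = SignatureScanner({"EICAR-Test-File": EICAR})

if __name__ == "__main__":
    # Constructed sample payloads: a clean document and the EICAR test file
    # wrapped in other bytes, as a public upload handler might receive them.
    for payload in (b"quarterly report text", b"--boundary\r\n" + EICAR + b"\r\n"):
        verdict = gate_inbound(payload, DEFAULT_SCANNER)
        print(f"{len(payload):5d} bytes -> accepted={verdict.accepted} ({verdict.reason})")
```

Because the EICAR file is what vendors ship precisely so that a scanning path can be exercised without live malware, the same string is a reasonable end-to-end check once the real engine is plugged in: if the gate accepts it, the integration is not working.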
Network Associates: Management Muscle
In terms of antivirus management tools, Network Associates offers beefy functionality compared to its rivals. Its ePolicy Orchestrator includes centralized management, deployment and update functions. But it also includes tools to help you create and maintain an antivirus policy for your agency, and offers detailed reporting so you can stay on top of things.
The only downside to ePolicy Orchestrator is that its server component is limited to Windows platforms and its agent technology supports only Windows and NetWare systems. At the least, the technology should be expanded to include other platforms.
We liked the company's ThreatScan tool, which, when combined with ePolicy Orchestrator, let us schedule vulnerability scans for our systems. However, again, we were limited to scanning only Windows-based systems.
Of all the solutions we tested, Network Associates offers the broadest range of platform support for end-user antivirus protection. The VirusScan and Virex products, sold under the company's McAfee Security brand, do a very good job of finding viruses that might be lurking on systems ranging from DOS-based platforms to thin clients to Unix, Macintosh, Windows and wireless devices. If your agency has a highly heterogeneous set of end-user systems, Network Associates provides a good level of coverage.
For file systems, Network Associates' NetShield performed well during our tests of some NetWare and Windows systems. However, like Sophos, NetShield is limited to these platforms. Expanding file system support to include other network file systems would increase the usability of the product.
Network Associates' WebShield did a good job of protecting SMTP- and Solaris-based gateways in our test configurations. Likewise, the company's GroupShield performed well on some Windows-based Domino and Exchange servers we had on hand. However, GroupShield's support for Domino should be expanded to other platforms to maximize its applicability.
Agencies with a variety of back-end systems will find VirusScan well prepared to protect them. We tested VirusScan on several servers where we purposefully placed viruses. VirusScan detected them all.
For Windows users, Network Associates includes a desktop firewall as part of its solution. The firewall performs very well. However, we find that Zone Labs Inc.'s ZoneAlarm Pro does a better job of protecting the desktop.
Administrators will find one element of the Network Associates solution unique. The Install Designer can help you create custom installers to deploy Network Associates antivirus technologies within your enterprise.
Symantec: All-Inclusive Support
Symantec's Enterprise Security Manager, like its rivals, goes a long way toward helping administrators better manage antivirus technologies across the agency. With the widest available platform support, Enterprise Security Manager can fit into nearly any agency.
Not only can administrators manage antivirus technologies with Enterprise Security Manager, they can also manage other security-related technologies, including those needed to protect databases and Web servers. Enterprise Security Manager supplies a good level of detailed reporting and it can be tied into other system management tools, such as IBM's Tivoli software.
On the desktop, Norton AntiVirus Corporate Edition went the distance on our test end-user systems, which included DOS, Windows 98 and 2000, Macintosh, and OS/2 systems. However, we did not find any support for other systems we had on hand, such as Linux, FreeBSD and handheld devices.
We could not locate any specific Symantec technologies that were identified as file system antivirus tools. However, the company does offer support for some file system platforms, including NetWare and Windows, via its AntiVirus Corporate Edition. We did not find any support for agencies that might be using Unix- or Linux-based file systems.
Symantec offers two products to support gateway devices. Symantec Web Security protects Solaris and Windows-based Web technologies, such as HTTP and FTP. Norton AntiVirus for Gateways also supports Solaris and Windows installations.
Symantec AntiVirus also afforded us a good level of protection for our Windows-based test configurations for Domino and Exchange. The tool ferreted out everything evil we threw at it. Although we did not try AntiVirus on an IBM S/390 mainframe, we did test it on a midrange AS/400 Domino installation. We were not satisfied with the results, because the software kept coming up with errors and seemed to consume large amounts of memory and processor time on the server.
If you want to protect back-end agency servers, Symantec offers coverage for NetWare and Windows platforms. However, we could not locate any Symantec tools that would let us protect Unix, Linux or Macintosh servers. Expanding available tools to include these platforms and other types of back-end systems would increase Symantec's applicability at more agencies.
Like Network Associates, Symantec offers a desktop firewall for Windows-based users. The Symantec firewall does a good job of monitoring and protecting these types of end users. Like rival Trend Micro, Symantec also has begun offering antivirus protection for network appliances.
Choosing the Right Tool
After evaluating these tools, it is clear that there is no single solution that completely supports the broad range of computing assets at most agencies. Like many illnesses, computer-related viruses come in many forms. Worse yet, virus writers are becoming more savvy about targeting computing assets to wreak the most havoc.
Although the greatest proliferation of viruses is found in Windows systems and frequently in Microsoft's e-mail client and Web server, viruses are written to target almost every platform, system or device you can imagine.
The best approach to evaluating and deploying antivirus technology is to identify all of the computing assets currently in your environment and any planned implementations. You'll likely need to adopt different tools from more than one provider.
For example, by deploying tools from each of the vendors in our test configuration, we were able to protect almost every type of computing platform we had on hand.
Antivirus vendors need to continuously and vigorously expand their offerings to make them as complete as possible given the wide array of equipment and operating systems in use. Also, agency administrators need to stay on top of their antivirus tools to ensure that they are compatible with all systems and that virus definitions are frequently updated.
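The inventory-first approach recommended above, together with the compatibility check the networking group skipped in the opening scenario, as an added example that is not from the article or any vendor. The product names (`ProductA`, `ProductB`, `ProductC`), their coverage matrix, their certified OS release lists and the asset inventory are all constructed for illustration; in practice the inventory comes from the agency's asset database and the coverage and support lists from each vendor's platform-support documentation. The example goes a little beyond the text by choosing a product set with a greedy set-cover pass, which is the general form of "adopt tools from more than one provider".

```python
"""Added example (not from the article or any vendor): inventory-driven
antivirus coverage, pre-upgrade compatibility and definition-age checks.
All products, support lists and assets below are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

Slot = Tuple[str, str]  # (role, platform), e.g. ("desktop", "linux")

# Constructed: which (role, platform) slots each hypothetical product protects.
COVERAGE: Dict[str, Set[Slot]] = {
    "ProductA": {("desktop", "windows"), ("desktop", "palm"),
                 ("gateway", "solaris"), ("mail", "mainframe")},
    "ProductB": {("desktop", "windows"), ("desktop", "linux"),
                 ("desktop", "macos"), ("fileserver", "netware")},
    "ProductC": {("desktop", "windows"), ("fileserver", "netware"),
                 ("fileserver", "windows")},
}

# Constructed: OS releases each product is certified for. This is the list
# the upgrade team in the opening scenario should have consulted first.
SUPPORTED_OS: Dict[str, Dict[str, Set[str]]] = {
    "ProductA": {"windows": {"NT 4.0", "2000"}, "solaris": {"7", "8"}},
    "ProductB": {"windows": {"2000"}, "linux": {"2.2", "2.4"}},
}

# Constructed inventory: one record per computing asset.
ASSETS: List[Dict[str, Optional[object]]] = [
    {"name": "hq-dc1", "role": "fileserver", "platform": "windows",
     "av": "ProductC", "defs_updated": date(2002, 8, 1)},
    {"name": "fo-mail", "role": "mail", "platform": "mainframe",
     "av": "ProductA", "defs_updated": date(2002, 7, 1)},
    {"name": "dev-ws7", "role": "desktop", "platform": "freebsd",
     "av": None, "defs_updated": None},
    {"name": "gw-smtp", "role": "gateway", "platform": "solaris",
     "av": "ProductA", "defs_updated": date(2002, 8, 3)},
]


def uncoverable(assets, coverage) -> List[str]:
    """Assets whose (role, platform) no product in the matrix protects."""
    covered = set().union(*coverage.values())
    return [a["name"] for a in assets if (a["role"], a["platform"]) not in covered]


def choose_products(assets, coverage) -> List[str]:
    """Greedy set cover: add the product covering the most still-open slots
    until every coverable slot in the inventory is handled."""
    wanted = {(a["role"], a["platform"]) for a in assets}
    wanted &= set().union(*coverage.values())  # drop slots nobody covers
    chosen: List[str] = []
    while wanted:
        best = max(coverage, key=lambda p: len(coverage[p] & wanted))
        if not coverage[best] & wanted:
            break
        chosen.append(best)
        wanted -= coverage[best]
    return chosen


def upgrade_is_safe(product, platform, target_release, supported=SUPPORTED_OS) -> bool:
    """True only if the installed AV product is certified for the target OS."""
    return target_release in supported.get(product, {}).get(platform, set())


def stale_definitions(assets, today, max_age_days=7) -> List[str]:
    """Assets with no definitions at all, or definitions older than allowed."""
    oldest_ok = today - timedelta(days=max_age_days)
    return [a["name"] for a in assets
            if a["defs_updated"] is None or a["defs_updated"] < oldest_ok]


if __name__ == "__main__":
    today = date(2002, 8, 5)  # constructed run date
    print("no product covers:", uncoverable(ASSETS, COVERAGE))
    print("products needed:  ", choose_products(ASSETS, COVERAGE))
    print("stale definitions:", stale_definitions(ASSETS, today))
    print("ProductA on Solaris 8 OK:", upgrade_is_safe("ProductA", "solaris", "8"))
    print("ProductB on Windows XP OK:", upgrade_is_safe("ProductB", "windows", "XP"))
```

Run against the constructed inventory, the FreeBSD workstation shows up as uncoverable by any of the three products, two products are needed to cover the rest, the field-office mail system and the unprotected workstation fail the definition-age check, and the upgrade gate refuses a release that is not on the product's certified list. The same three reports, driven from real inventory and vendor data, are what keeps an agency from discovering a gap the way the opening scenario did.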
Biggs is a computer engineer in the financial sector and a freelance writer based in Northern California. She has more than 15 years of business and IT experience.