Protecting the homefront

Are information technology managers paranoid? Or is someone really after them?

Every week, IT staff members wait for "The Next Big Virus." And for good reason. The recent rash of viruses, from SoBig.F to Blaster, is warning enough.

Microsoft Corp. officials have even resorted to an age-old tactic: the bounty. In early November, Microsoft officials announced that the company would pay successful bounty hunters up to $250,000 for information leading to the arrest and conviction of those responsible for writing certain viruses. Their concern is understandable, because the majority of viruses target the Windows operating system.

Although it's not yet clear if Microsoft's bounty is going to have any significant impact, systems administrators at agencies and departments would be wise to forge ahead with implementing strong, multilayered antivirus strategies.

In this comparison, we look at the three biggest names in antivirus technology — Network Associates Technology Inc.'s McAfee Security Active Virus Defense Suite, Symantec Corp.'s AntiVirus Corporate Edition and Trend Micro Inc.'s NeatSuite — along with a newcomer, Panda Software's EnterpriSecure Antivirus. There are, of course, a number of other players we did not include.

Anyone implementing an antivirus security strategy must first recognize that server and desktop antivirus programs, such as those tested here, are not sufficient to ensure security. On the contrary, they are the last line of defense.

In an enterprise setting, antivirus technologies should be employed at firewalls and gateways, preventing infected files and worms from getting into the network in the first place. And, to judge by what we hear from managers in the field, an even more frequently overlooked measure is a combination of policies and user education to guarantee that users do not unwittingly introduce malicious code via floppy disks and other media connected to the network.

When all else fails, it is up to the desktop antivirus solution to catch the little nasties.

All of the products we tested do a good job of catching known viruses, with each snagging nearly all of the viruses we threw at them.

Several other concerns will be of far greater importance to most agency and departmental users when selecting the right antivirus solution. First, all the security precautions in the world are useless if they're not employed. Accordingly, we took a close look at how different solutions ensure that client systems are updated on a timely basis. It's also important that IT managers can prevent users from turning off the antivirus protection.

We put the four solutions through their paces at Federal Computer Week's test center and at analyst Victor Garza's lab. At FCW's test center, we installed the solutions on a Hewlett-Packard Co. Compaq ProLiant ML350 server with dual Intel Corp. Xeon 2.2 GHz processors and 256M of system memory running Windows Server 2003.

Among the highlights of his testing, Garza found that when it comes to client and server administration, Symantec and Network Associates add to solid Windows management technology while Panda and Trend Micro go their own ways. Trend Micro has a nice Web-based front end; Panda employs its own simple and effective interface.

Garza was surprised by the Symantec product's lackluster reporting and impressed with Trend Micro's and Network Associates' use of Crystal Decisions' Crystal Reports. Panda falls somewhere in between, lacking the ability to generate graphs or charts but still offering meaningful statistical reporting.

He found that all of the products, with the exception of Symantec's tool, offer multiplatform support, a big plus for many agencies and departments.

On the other hand, Symantec's product is the most affordable, so it's definitely worth considering if you don't need support for multiple platforms.

***

McAfee provides all-around virus defense

Network Associates' McAfee Security Active Virus Defense Suite is composed of more than 20 products and tools, including applications for storage, e-mail protection and thin-client support. I tested VirusScan Enterprise, the Microsoft Corp. Windows-based ePolicy Orchestrator (ePO) and the VirusScan agent.

The ePO's primary task is to distribute signatures down through the antivirus hierarchical infrastructure. The VirusScan agent, at the end of the chain, takes care of virus detection and client protection whether infection occurs via e-mail, Web browser or physical media.

McAfee's distribution of antivirus signatures flows from McAfee's Web site to a master repository located at an agency or installation. From the master repository, policies or signatures are sent to distributed repositories located throughout the organization. Information then flows to super agents, which are usually on specific subnetworks, and then to the VirusScan agent itself. A super agent is an agent that can do the job of a repository, and it reduces the need for a dedicated server. When the ePO sends a wake-up call, the super agent distributes that call to all agents within the super agent's local subnet.

The primary advantage of this architecture is speedier updates. Using a "ping-initiated, client-pull" method, a VirusScan agent at the end of the chain wakes up with a ping from a repository or super agent. The VirusScan agent then initiates the pull of a signature from the repository or super agent up the chain. In an emergency, a VirusScan agent wake-up call can be initiated by the ePO, and all managed machines will pull down the latest information from the ePO server.

Control and administration of this antivirus infrastructure are performed with the policy-based ePO. Not only does ePO control the McAfee-based antivirus software, it can also manage other tools in the McAfee arsenal, whether on the desktop, file server, gateway and even other vendors' antivirus software.

Those familiar with Microsoft Management Console will be comfortable with ePO, which plugs into it, as does Symantec's antivirus product.

Based on parameters set on the ePO, the VirusScan agent checks the ePO server for new policies, which determine parameters such as how often the VirusScan agent should initiate a scan, what files and directories it should scan, how often it should update its signatures and the location for obtaining updates.

If for some reason the VirusScan agent is unable to contact the ePO distribution network, it will, as a last resort, contact Network Associates dire ctly to get the latest virus signatures.

The ePO uses a SQL-based database to store policy information on various deployment and VirusScan parameters. Administrators can choose to use the included Microsoft Data Engine or the more robust Microsoft SQL Server as the database of choice.

We were also impressed with the number of languages the ePO product supported, though this may not matter to many agencies and departments.

The ePO is also used for generating graphical reports, based on a Crystal Decisions' Crystal Reports engine, that track various antivirus compliance levels, such as inactive agents, no antivirus protection and unresolved infections. Detection reports present information on various infection results and a variety of other statistical information on VirusScan agents and are also generated via the ePO.

Some of the extras that come with VirusScan Enterprise include McAfee's ThreatScan tool, which scans for antivirus-centric vulnerabilities, such as checking whether ports that are commonly accessed by Trojan horses are open.

We found platform support very good, with the ability to use McAfee's antivirus products in Windows, DOS, Unix, Apple Computer Inc.'s Macintosh and Novel Inc.'s NetWare environments, as well as on wireless personal digital assistants.

In addition, the McAfee Installation Designer can be used to design custom installations for antivirus deployments within an agency or office. The tool allows the administrator to customize client deployment options for networked clients, such as setting additional files to be copied during installation, changing registry settings and changing the installation directory.

***

Symantec offers easy-to-use management suite

Symantec clearly holds a commanding position in the desktop antivirus market, thanks in large part to its easy-to-use management tools.

Symantec's antivirus solution has three primary components: the Symantec System Center, the Symantec Corporate Edition Server and the Symantec AntiVirus Corporate Edition (SAVCE) client. The System Center is the central management console, which assists the Microsoft Management Console to ease server management. For many IT managers, a virtue of the console is a familiar interface, despite its limitations such as stability problems under high levels of demand.

The System Console uses push technology to get definitions to clients using a hierarchical management system. Antivirus definitions flow from Symantec primary servers to secondary servers, also called "parent servers," and then finally to the clients. Once the primary server receives a definition, it pushes the definition to the parent servers.

The clients, on the other hand, have to wait. The clients use a ping/push method to talk to the parent server, and the clients communicate, by default, every hour with the parent server. Because there isn't real-time communication between the parent server and the client, the client will first ping the parent server and then move event data to the parent server if any events took place, such as a detected virus. The parent server will then decide if there is a new antivirus definition or policy file that needs to go to the clients.

The advantage to this method is that it's consistent for incremental antivirus definition delivery. In an emergency, a parent server gets an antivirus definition update and will push that definition to the clients within three minutes.

During testing, I found it odd that client/server communications use User Datagram Protocol, a connectionless protocol. Using UDP can cause problems across router boundaries, such as dropped or blocked packets. Accordingly, you may find that the parent server and clients need to be on the same subnet, which would entail employing more servers.

LiveUpdate is another method for getting updates for all Symantec products — including antivirus definitions, policies or even engine updates — directly from Symantec or from a LiveUpdate server on the network. According to Symantec officials, roughly 70 percent of all of their clients use LiveUpdate to get updates for their products.

We found the new network audit function useful. It provides feedback on whether network-attached hosts are protected by Symantec or another third- party antivirus products or whether they are not running any antivirus software and therefore are vulnerable to attack.

The major weakness I found in the Symantec solution was its reporting capabilities. As one agency systems administrator, who asked not to be named, complained, "There is virtually no reporting. There is no customization on what gets saved onto an export file, and that export file is always just plain text."

I agree. It is worth noting, however, that an optional product that didn't come with our installation, the Symantec Event Manager, can be used for centralized graphical reporting.

Another weakness, at least for some agency and department users, is that the Symantec solution does not support Linux and Unix.

On the plus side, the product has the Symantec Packager to ease client distribution to both networked and nonnetworked systems.

In the future, we would like to see SAVCE be more like Symantec Client Security, which integrates a firewall, an intrusion-detection system and antivirus software into a single client.

***

Protects networks and clients

Trend Micro's NeatSuite is just that: a comprehensive package for providing antivirus protection from the edge of the network all the way down to the client. By incorporating several components into a single package, the company is differentiating itself from its competitors, Symantec and Network Associates' McAfee business unit.

NeatSuite consists of a central management server, Trend Micro Control Manager (TMCM), ScanMail for Microsoft Exchange and IBM Lotus Notes, ServerProtect for file server protection, InterScan VirusWall, the InterScan Messaging Security Suite and the InterScan Web Security Suite for Internet Gateway protection of Simple Mail Transfer Protocol, HTTP, FTP and Post Office Protocol 3 traffic. NeatSuite also includes OfficeScan Corporate Edition to protect client desktops.

Unlike the Symantec and Network Associates products, which use Microsoft Management Console, TMCM uses a Web-based approach.

Trend Micro first examines how to prevent viruses from entering an organization, then how to protect e-mail and file servers and finally clients. Although competitors have solutions for gateways, e-mail and file servers, their infrastructure solution doesn't come in a single box. This integrated approach makes Trend Micro's suite easier to manage.

NeatSuite has seven components, including TMCM, but they can be installed in any order and are not dependent on one another. Each requires its own management server, and those servers, in turn, can communicate with a TMCM server for centralized administration and management. I found NeatSuite's centralized management easier to use than the tools provided in either the Symantec or Network Associates solutions.

NeatSuite uses a two-way communications channel to communicate with gateways, servers and clients in real time via a Web-based front end. Therefore, as soon as a browser presenting TMCM information is refreshed, the most up-to-date statistics on the network virus infrastructure are available. I liked this real-time approach to management and information gathering, but during an antivirus emergency, it's not clear that the few minutes saved by gathering real-time statistics are going to make a difference.

Most NeatSuite applications work only with a Windows-based management component, but OfficeScan can be managed using either a Windows- or Web-based installation. I chose to install the Web-based management console, which requires Microsoft's Internet Information Server (IIS) to be installed and only works on Windows NT and 2000 servers.

I then installed TMCM, which rolls all other NeatSuite servers into a single, centralized management facility and works with Lightweight Directory Access Protocol. If that is not in place, Trend Micro installs its own database to store virus statistics, versioning information on the scan engine and all virus statistics, and specifics about each machine name and IP address.

Trend Micro's technology includes a rudimentary port-based firewall and support for wireless personal digital assistants. OfficeScan can reinstall clients or restore client policies to their original configurations if they have been off the network for an extended period.

Also, administrators can password-protect the antivirus client so that users can't make any changes without the appropriate privileges. Administrators can also allow or prevent users from controlling the client.

I was disappointed that OfficeScan lacks automated reporting and trend analysis. The recording of virus activity is a manual process based on logs. To record data for monthly and annual reports, it would first have to be exported in comma-separated values format and then imported into a spreadsheet. This would have to be done separately for each server product, unlike with the Network Associates solution. But once the data is captured by TMCM, the suite has the ability to generate reports via Crystal Decisions' Crystal Reports.

Trend Micro also offers a tool — the Vulnerability Scanner — for detecting vulnerabilities that viruses often target, though the tool works only on Windows NT and Windows 2000.

Unlike Symantec's and Network Associates' products, NeatSuite supports Unix and Linux. The solution also supports Windows, Sun's Solaris, DOS (command-line only) and Novell's NetWare environments for both servers and clients — a plus for agencies and departments that have mixed environments.

NeatSuite includes a packager for client deployments, which can take place over the Web via OfficeScan and IIS.

***

Panda ready to compete

Panda Software's EnterpriSecure Antivirus is a full suite of products for holding back the virus tide, including waves coming from e-mail, the Internet or clients. With a complete set of products for Microsoft Windows and Linux messaging and a robust administrative console, Panda holds its own with the big three on the antivirus market.

EnterpriSecure consists of many applications in a single box to ensure that an agency or installation remains virus-free. The two primary components that we evaluated were the AdminSecure centralized administrative console and ClientShield for the desktop. In the EnterpriSecure box, Panda also includes FileSecure for file server protection on systems based on Windows and Novell's NetWare, ExchangeSecure and DominoSecure for Windows messaging protection, ProxySecure for Microsoft proxy, ISASecure for Microsoft Internet Security and Acceleration Servers and CVPSecure, protection for firewalls.

EnterpriSecure also offers Linux-based antivirus messaging protection with QmailSecure, PostfixSecure, MIMESweeperSecure, SendmailSecure and CommandlineSecure for disinfecting third-party applications for Windows and Linux.

Panda built AdminSecure for Windows-based antivirus management. Although not as location-independent as Trend Micro's Web-based console, I liked the logical layout of the AdminSecure console. However, Panda allows for a remote console to be used with the component.

Like its competitors, the company focuses on a multitiered approach to deploying and managing antivirus clients and signatures.

The primary components in an EnterpriSecure deployment consist of AdminSecure, which is also a repository server element that contains the antivirus data and engine files. The administrative server is a SQL-based application that contains the data about which clients' information streams to an AdminSecure administrative server. Panda also has the ability to use an existing networked SQL server, as opposed to the one the company provides during installation.

Another primary component to Panda's solution is the agent communication software, which is XML-based and is pushed to client or server machines to create a secure communications channel back to the AdminSecure server and subsequently to the SQL-based back end. Once this channel is formed, it will allow the AdminSecure server to enumerate all the machines connected to the administration server to enable the antivirus software's deployment.

The AdminSecure server is also a primary repository for antivirus signature files that are downloaded from Panda's labs. If needed, secondary servers can be created to manage the distribution of antivirus signatures and engine updates.

Once the communication agents have been distributed to servers and clients, it's easy to distribute the antivirus software from the repository server and update the antivirus definitions on those servers or clients. Groups can be created easily in AdminSecure, and policies, scheduled scans and file types to scan are readily managed.

Although I found the reporting capabilities of the AdminSecure server adequate, the reports weren't as presentable as those of its competitors, which use Crystal Reports.

On the desktop, the antivirus ClientShield module consists of three armored components: the ClientShield antivirus client, the communications agent and a hardened watchdog process that checks the status of the antivirus client. If the antivirus client is turned off or disabled by either a malicious worm or a user, the watchdog agent will restart ClientShield. Additionally, an administrator at the AdminSecure administrative console sees this event in real time. Administrators are able to disable to disable the ClientShield menu so that users cannot make any changes.

It's worth noting that Panda does not offer any firewall capability with ClientShield nor does it provide a vulnerability assessment tool. Company officials promise, however, that assessment tools will be included in a future release of the product.

Garza is a freelance author and network security consultant in the Silicon Valley area of California.