Educause Security Discussion mailing list archives

Re: Centralized Antivirus Recommendation


From: "Schoenefeld, Keith" <schoenk () ILLINOIS EDU>
Date: Tue, 4 May 2010 08:35:35 -0500

In our testing of Sophos it was a solid product.  The huge downside for us
was that we were trying to manage multiple domains (still > 8) via a single
central management server.  Epolicy Orchestrator makes this fairly easy, one
has to have a user account on each domain that can iterate the OU/Computer
structure (a guest user is generally sufficient), then configure things to
update at a reasonable interval.  Sophos uses the computer account of the
enterprise console server to synchronize the OU/Computer structure. Since a
computer can't be a direct member of multiple domains, this wouldn't work
for our configuration.  Initially, Sophos recommended that we simply run one
management console per domain (not likely), then later offered to write us
some scripts (or provide us, more likely) that would do an out of band pull
of this information from the domains, then import it into the Sophos
Console.  After some discussions, that seemed like a good way to break
things very effectively as each new version is released, and we continued
our relationship with McAfee.

In fairness to McAfee: Epolicy Orchestrator, with little effort, is an
extraordinary centralized management and reporting system.  Yes, it's Java
based (runs a Tomcat server on the back end, so it's a resource hog on the
server and can be slow-ish at times on the front end), but in spite of that
ePO 4.5 (the latest version) runs pretty well until you load it up with 40
million events (and even then it was our very old and underpowered SQL
server that fell over).

We're in the process of reorganizing our AD structure to reduce the number
of domains and forests that we have, so Sophos (or some other vendor with
similar limitations) is again a possibility.

<rant>
Last, one comment in case managers are still reading:

Management of Antivirus software _needs_ to be pulled out of the security
office.  This software, like any other endpoint management software, needs
to be run by those that are providing centralized IT resources for endpoint
management.  Security needs to be involved in helping make the risk
decisions related to what default settings should be enabled and should be
able to leverage any centralized logs resulting from any endpoint management
system, but should not be responsible for managing these systems. As an
additional point, WSUS is just another endpoint management system.
</rant>

-- KS

On 5/3/10 9:10 PM, "Eric Case" <ecase () EMAIL ARIZONA EDU> wrote:

I will also give Sophos a thumbs up.

The University of Arizona has site-licensed Sophos.  However, being
decentralized, colleges and departments are free to spend "their" money on
different solutions.  I know one Associate Dean who was using McAfee in "home
user mode" until it came time to renew last month and went with a different
free AV tool.  He could have used Sophos but . . . you would have to know him.
:)


As Ronald said, from the admin/management side Sophos is very easy to work
with.  With the Enterprise Console (EC), it was easy to see the current state
of all the clients (and report that up the Dean), setup email alerts, etc.,
etc.

If there is one drawback to Sophos it is that it was written from day one for the
admin/management viewpoint, not the end-user's viewpoint.  What I mean is it
was written for centralized management, not end-user management.  I'm not sure
Sophos sells to end-users.  The enterprise characteristics were not bolted on
to a consumer product.

As an example, it was designed to update from a "Central Installation
Directory" (CID), not a vendor website.  You can publish that location via
http and have your users update from there when your CID is not available.  My
users were able to get updates from my CID while they were on a different
continent.

Another thing that is different about Sophos is the updates.  Instead of one
massive update a day, the individual virus definitions are published as
needed.  You could have many updates in one day.  They are ASCII files; you
could fax them, type them back into the computer and update the engine.  The
main AV engine is updated once a month.  In addition, a single update can
cover more than one piece of malware.  If you want some machines to update
once a day and others to update every hour, no problem, the EC has you covered
with different groups.


If you assume all AVs are close to each other in terms of detection, i.e.,
one is not twice as fast/better than the others, what will set them apart is
their management, cost and support.  I would say Sophos: "tastes great, less
filling."  :)
-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Monday, May 03, 2010 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized Antivirus Recommendation

I compared McAfee, Symantec and Sophos a few years back.  We chose Sophos
based on its ease of management compared to the other two.  As for
performance, Sophos appeared to perform better.  The only thing we really see
is when the system first starts up and Sophos immediately updates itself, but
this usually isn't too intense.  I am in the process of moving to Enterprise
Console 4 from 3.5 and then to Endpoint Security 9 from 7.  Based on the
documentation, it looks really easy.

Management is much easier and faster with Sophos.  I think that is what
impressed me the most.  While others are going with a web-based management
using Java, they suffer from a serious performance degradation.  McAfee had
things missing dependent on the browser you used.  When we had Conficker hit
us, we were able to quickly respond.  If we used one of the others, I don't
think it would have gone as well (as well as a virus outbreak could).  We have
one of our OUs for labs tied directly to a management group and a group policy
based install for anything new that is tied to Active Directory.

Support has always been great.  We had 8 or 10 hours of help, maybe more,
deploying.  They helped design our standalone client for off-site installs,
assisted in active directory integration, and gave tips for working with the
MS SQL DB backend.  For general support, they are very fast at getting back to
you if you call and leave a message.  Most of our stuff goes through email and
is usually taken care of in a day.  For the Conficker issue I referred to
earlier, they spent a good amount of time helping to include educating me on
how the bugger worked.

The only thing we have had to deal with is an add-on for IE.  Though I haven't
had any issues, there have been others that disable the web add-on to resolve
their issue.  EC 4 and Endpoint 9 have the ability to turn this off.  I'm
hoping there is functionality to allow and disallow options for it.

One thing we are really excited about in the new release is the software
control and PII scanning.

I've had limited experience with the other three, which includes none from a
centralized management standpoint.  But, for what it's worth, ESET tended to
block legit apps by default.  AVG has so many components, including the web
scanner, that it has slowed down systems.  I no longer recommend the freebie.
Kaspersky, I have no experience with.

Anyway, these are my 2 cents based on what we have dealt with for 2 years.  We
are renewing for at least another one and have no plans to change.  Sometimes
it's good to be kept out of the papers.

Feel free to contact me off list for any further information.

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia  23504
Phone:  757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sabourin, Justin
Sent: Monday, May 03, 2010 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized Antivirus Recommendation

We're currently researching options to move away from our current antivirus
solution in favor of something with better detection abilities and a solid
management console/reporting server.  We're also a technology-centric
institution, so the performance impacts of antivirus clients are frequently
noted by our students, so low overhead is also desirable.

Currently we're considering the following based on other feedback.  Your
thoughts on installation, deployment, and management are much appreciated!

- Sophos
- AVG
- ESET
- Kaspersky

Justin Sabourin * Manager of Network Operations * Division of Technology
Services * Wentworth Institute of Technology * 550 Huntington Ave, Boston MA
02115
