Educause Security Discussion mailing list archives
Re: Anti-Virus/Malware Enterprise Options
From: Eric Lukens <eric.lukens () UNI EDU>
Date: Thu, 9 Jun 2016 13:28:45 -0500
AppLocker policies and the Windows 8+ SmartScreen filter block most of the malicious payloads for us. SCEP is there to clean up the payloads off the disk, but the other two prevented them from running. Malware can still slip by if it exploits or uses an already running process.

On Thu, Jun 9, 2016 at 9:54 AM, McClenon, Brady <Brady.McClenon () oneonta edu> wrote:

It's interesting, but can be deceiving. Working with SCEP a lot lately I found it doesn't do a great job at catching malicious Word docs with macros used to drop malware. However, if I execute the macros in a sandbox with SCEP running, in every instance in my testing SCEP immediately identifies the payload as malware once it is downloaded. I consider that a successful mitigation, but it could be seen that SCEP missed 9 malicious Word docs with different dropper variations all dropping the same malware payload. So is SCEP's detection rate 10% or 100%? I would say 100%, but I think VirusTotal data would take into account all the missed droppers and call it 10%. Just food for thought when doing/reading these comparisons.

We moved from Sophos to SCEP last year. We have now reinvested the savings on an additional layer of protection (although not yet implemented) that will run beside SCEP. With the notion of traditional AV "being dead" picking up steam, and for good reasons, it didn't seem advantageous to spend all our funds at that level moving forward.

Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Livio Ricciulli
Sent: Wednesday, June 08, 2016 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anti-Virus/Malware Enterprise Options

I thought this link might be useful. This is what we actually measured last week in our system. https://www.metaflows.com/stats/antivirus_vendors/

True positive rate in this case is the relative detection rate. So, for example, if vendor A has .46 it means that 46% of the time they detected malicious malware and 54% of the time other vendors detected it but they did not.

Severity and prevalence (x and y) axes measure (1) the average priority of what they caught (for example Adware has priority 1 but ransomware has priority 100) and (2) the total sum of the priorities. Large bubbles trending toward a red color toward the top right are best. These measurements seem to vary week to week, depending on the outbreaks we see. Let me know if you have any questions.

Livio.

On 06/08/2016 09:17 AM, Burke, Ian R. wrote:

We have been using Sophos for a few years now and are switching to their cloud solution. We have considered switching to the MS platform but have not yet taken the plunge. Sophos seems to work fairly well but is a bit cumbersome to manage when it comes to the stale system side of things. It will be interesting to see if the cloud platform helps solve this issue any. I still believe that all of these AV solutions only stop a small percentage of the threats and that a broader solution involving a fuller spectrum of protection, including user education, is critical.

Ian

Ian Burke
Information Security Administrator
Information Security – ITS
http://go.middlebury.edu/infosec
Middlebury College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garmon, Joel
Sent: Wednesday, June 8, 2016 12:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anti-Virus/Malware Enterprise Options

We have been using Microsoft's System Center Endpoint Protection for a while now. It does a decent job at detecting viruses. But I agree that you really need a competent SCCM team to use it. Contact me directly if you want more information.

Thank you,
Joel Garmon
Director Information Security
Wake Forest University
336-758-2972
http://infosec.wfu.edu/

On Wed, Jun 8, 2016 at 11:42 AM, Brian Griffith <griffibw () whitman edu> wrote:

Hey Doug. We recently made the switch from McAfee to SCEP. In our somewhat limited testing, they performed similarly. I feel slightly better about McAfee (leftover bias against Defender from the early days, perhaps?), but not enough to justify the cost. We feel like the central administration of SCEP is better/easier (IF you already have SCCM up and running), and you get prettier reports out of the box. I'm also excited about the MS APT product as we transition to Windows 10.

Brian Griffith
Information Security Officer
Whitman College

On Jun 8, 2016, at 8:32 AM, Doug Brooks <dbrooks () PARKLAND EDU> wrote:

We are currently using McAfee as our AV solution but are evaluating other options. We are upgrading to the latest McAfee Endpoint Security version for our enterprise but also want to consider other products including Microsoft's System Center Endpoint Protection/Defender platform. The latter would save us money but I'm not yet confident that it is a viable enterprise solution. I'd appreciate any feedback on McAfee, Microsoft or other enterprise-grade solutions that you are using.

Thanks,
Doug
Parkland College
dbrooks () parkland edu

------------------------------
Email to or from Parkland College employees may be subject to disclosure under the Illinois Freedom of Information Act. This communication is the property of Parkland College and is intended only for use by the recipient identified. If you have received this communication in error, please immediately notify the sender and delete the original communication. Any distribution or copying of this message without the College's prior consent is prohibited.

--
Livio Ricciulli
w +1 (408) 457-1895
m +1 (408) 835-5005
Please review MetaFlows on Google <https://www.google.com/search?q=Metaflows,%20Inc&ludocid=13909832393819891504#lrd=0x0:0xc109a6dd5edb2730,1>

--
Eric C. Lukens
IT Security Compliance & Policy Analyst
Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/
"Security is a process, not a product." Bruce Schneier
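The layering Eric describes (AppLocker and SmartScreen preventing execution, with SCEP cleaning up afterwards) is easiest to adopt safely if the allow-list is rolled out in audit mode first. The PowerShell below is an added example written for this archive page; it is not code from any of the posters, from EDUCAUSE or from Microsoft. The reference directories, the policy file path and the sample test file are assumptions, and the script needs to run elevated on a Windows edition that supports AppLocker enforcement.

```powershell
# Added example (not from the thread): build an AppLocker allow-list from a
# clean reference machine, deploy it in audit mode, and see what it would block.
# All paths below are assumed placeholders; replace them with your own.

$PolicyPath  = 'C:\Temp\applocker-audit.xml'                 # assumed output file
$TestFiles   = @('C:\Users\Public\Downloads\sample.exe')     # assumed file to evaluate
$BaselineDir = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')

# 1. Collect publisher and hash information for executables and scripts that are
#    legitimately installed on the reference machine.
$fileInfo = $BaselineDir | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script
}

# 2. Generate rules: publisher rules for signed files, hash rules for the rest.
#    -Optimize collapses files sharing a publisher into a single rule.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
       -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection into AuditOnly so nothing is blocked yet;
#    decisions are only recorded in the AppLocker event log.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8

# 4. Dry run: what would this policy decide for the test file(s)?
#    PolicyDecision is Allowed, Denied, or DeniedByDefault (no rule matched).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $TestFiles -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply to the local machine, merging with any existing policy.
#    For domain-wide rollout use -Ldap with a GPO path instead.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. Once the Application Identity service (AppIDSvc) has been running for a
#    while, event ID 8003 in the EXE and DLL log lists what audit mode would
#    have blocked; review these before switching to EnforcementMode="Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 7. SmartScreen for Explorer is a separate control; this reads the machine-wide
#    values written by the "Configure Windows SmartScreen" policy
#    (EnableSmartScreen = 1, ShellSmartScreenLevel = Warn or Block).
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name EnableSmartScreen, ShellSmartScreenLevel -ErrorAction SilentlyContinue
```

Audit mode is what makes the approach practical: the 8003 events show which line-of-business installers and per-user applications the baseline missed, so those can be added as publisher or path rules before enforcement is turned on. Note that Test-AppLockerPolicy evaluates the XML you give it, not the effective policy; compare with Get-AppLockerPolicy -Effective -Xml after step 5 to confirm the merge did what you expected.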
Current thread:
- Anti-Virus/Malware Enterprise Options Doug Brooks (Jun 08)
- Re: Anti-Virus/Malware Enterprise Options Brian Griffith (Jun 08)
- Re: Anti-Virus/Malware Enterprise Options Garmon, Joel (Jun 08)
- Re: Anti-Virus/Malware Enterprise Options Burke, Ian R. (Jun 08)
- Re: Anti-Virus/Malware Enterprise Options Livio Ricciulli (Jun 08)
- Re: Anti-Virus/Malware Enterprise Options McClenon, Brady (Jun 09)
- Re: Anti-Virus/Malware Enterprise Options Eric Lukens (Jun 09)
- Re: Anti-Virus/Malware Enterprise Options Garmon, Joel (Jun 08)
- Re: Anti-Virus/Malware Enterprise Options Brian Griffith (Jun 08)