Security Basics mailing list archives

RE: recommendations for centrally managed corporate antivirus solution


From: "Mark Brunner" <mark_brunner () hotmail com>
Date: Fri, 15 Feb 2008 18:44:18 -0500

Missed the original post, but here is my 2¢ on the subject.

Any centrally managed A/V solution is better than none at all, or an
unmanaged solution, by a country mile.  Trend Micro is in use at one of the
places that I work, and it is a good, robust product if configured correctly
and properly maintained.

Trend is adding some great things in the malicious site detection arena as
well, in their home user A/V space and these changes are moving into their
corporate solution.  TMCM is a system that requires a little more attention
to administration than some others, but it is in my experience a decent and
effective part of an overall A/V solution.  Trend releases more updates more
often than others that I have used.  Several in any given day, they are very
responsive to variant submission, and more thorough in their analysis.  They
will issue a "bandage" patch very quickly to help you in incident response
efforts, usually within the hour.

Symantec's offering is probably the most mature, requiring less management
attention, but it too suffers from the occasional glitches regarding child
server and client update issues as Randy describes.  They are finally moving
into the behavioral analysis realm, and it is about time.  I used to work
for them, and remain proud of their products and efforts.  Their
tech-support is, well, somewhat slow, and they issue incident response
signatures somewhat slower than Trend.

My experience with McAfee is limited, but I found their products to be VERY
admin intensive, and unreliable.  I had many signature updates from them
cause server crashes and outages.  Your mileage may vary, and it has been a
few years since I looked at them.  This perception may be outdated...

BitDefender and Sophos should also get honorable mention, as they are both
very good and capable products.

The best solution IMHO is a layered defense when dealing with A/V.  I
believe in mix and match.  Check any submission at VirusTotal and you will
see that no one product catches them all.  There are appliances around now
that work as gateways that can provide multiple A/V products in a single
device.  If you add a mail scanning application and a browser-aware, centrally
managed endpoint solution coupled with a desktop firewall, you have a solid
control mechanism for malware and other ingress points.

This may sound like an extreme solution, multiple A/V at the gateway, mail
server A/V, and endpoint product, but you have to consider all of the attack
surfaces available and the fact that these evil little bunnies are always
adapting their attacks and delivery systems.  There are people at the other
end that want to get their warez onto your systems.

I can recommend Trend Micro and Symantec, but would also suggest looking at
GFI and others.  Check the Gartner "Quadrant" reports and Secure Computing
for direct comparison and roadmap projections.  Somewhere out there is a
solution that closely matches your needs.

Hope this blind response is in order with the original question.  If not,
heck it was only 2¢...
Cheers,
Mark

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Randy Wyatt
Sent: Friday, February 15, 2008 10:38 AM
To: security-basics () securityfocus com
Subject: Re: recommendations for centrally managed corporate antivirus
solution

  At the moment, I cannot recommend TrendMicro.  I have seen more
than 15 viruses escape detection and essentially shut down an office
network with around 100 users.  It really did not seem that the clients would
stay in sync with the servers for the anti-virus signatures.

The company I work for switched to avast anti-virus and it is much
better at keeping current, but the scans seem to take forever
especially on large files.

Best Regards,
Randy
