Educause Security Discussion mailing list archives

Re: A Real-Time malware antivirus console


From: Robert Clifford <rclifford2 () CSCC EDU>
Date: Wed, 17 Jun 2009 12:08:40 -0400

I used to work for JP Morgan Chase and managed the AV program globally
for 240k+ desktops/servers.  The key to real time management is to port
the logs hourly into a shop who can monitor them actively 24x7 and take
action/open tickets if necessary.  Since clients and servers check in
with their parent servers once an hour (best case), your trending
information will/should not be older than one hour.

Since we are in the educational field, having a 24x7 shop is not
realistic.  I had a programmer on my team (at JP Morgan) who created
scripts & web pages which grabbed the client/server information from the
parent servers and ported it to a dedicated AV web site for hourly
updates/review (among others, it showed overall client/server protection
against Symantec's current certified definition release, the protection
levels on the parent servers, virus detections/action taken, top 10
devices with infections, etc.).  This approach may not be realistic
either, but more possible than a 24x7 shop.

Chances are, if you are stretched thin as a lot of us are, your
real-time detection will come from your help desk so having a good
partnership with them is critical (in the form of process,
communications, and documentation).

Make sure your vendor of choice certifies definitions at least once
daily.  From a Symantec perspective, ensure you are set up for VDTM as
your primary deployment method with LiveUpdate being your backup (VDTM
pushes new definitions out immediately by subnet where LiveUpdate has a
come and get them approach when a device checks in with its parent
server).  Increase your thread count as well as this will allow defs to
flow at a greater rate.  You should also know how fast your definitions
are reaching your environment.

As Michael said below, you should only want to see alerts where the
software was unable to act.  When it catches malware and it's
quarantined or deleted, etc., the software is doing its job.

Hope this helps.

Thanks,

Rob
=====================
Robert Clifford
Information Security/Risk Management/Business Continuity
Columbus State Community College
614-287-3686
Nextel: 136*16475*123
rclifford2 () cscc edu

"Stanclift, Michael" <michael.stanclift () ROCKHURST EDU> 6/17/2009
11:39 AM >>>
I currently have EPO/McAfee configured to send me an email alert when a
virus is detected on a system but it could not be removed. Then I get a
daily digest in the morning of yesterday's activity including things
that were removed. Not "real time" like you said, but real enough for me
given the limited resources we have. If I wanted, I could change the
email alerts to include all virus threats detected, but I'd probably be
flooding my inbox with a lot of things that are not really worth
tracking down, at least for me.

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231

Think before you print!


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
Sent: Wednesday, June 17, 2009 9:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] A Real-Time malware antivirus console

Hi there.

We are reviewing our entire organization's antivirus solution.
Aside from effectiveness in malware detection, I am trying to propose a
solution that gives a real-time overall malware threat monitoring
tool. I'm looking for something like a real-time malware monitor or console
indicating the real-time trend of malware detection in my network, which
lets me act right upon a malware outbreak (incident response team) and
not have to react after those incidents with a sad report of events
hours ago.
Are you aware of any corporate solution that offers this feature?
Can McAfee and EPO do that?

Thank you
