Educause Security Discussion mailing list archives
Re: A Real-Time malware antivirus console
From: Robert Clifford <rclifford2 () CSCC EDU>
Date: Wed, 17 Jun 2009 12:08:40 -0400
I used to work for JP Morgan Chase and managed the AV program globally for 240k+ desktops/servers. The key to real-time management is to port the logs hourly into a shop who can monitor them actively 24x7 and take action/open tickets if necessary. Since clients and servers check in with their parent servers once an hour (best case), your trending information will/should not be older than one hour. Since we are in the educational field, having a 24x7 shop is not realistic.

I had a programmer on my team (at JP Morgan) who created scripts & web pages which grabbed the client/server information from the parent servers and ported it to a dedicated AV web site for hourly updates/review (among others, it showed overall client/server protection against Symantec's current certified definition release, the protection levels on the parent servers, virus detections/action taken, top 10 devices with infections, etc.). This approach may not be realistic either, but more possible than a 24x7 shop. Chances are, if you are stretched thin as a lot of us are, your real-time detection will come from your help desk, so having a good partnership with them is critical (in the form of process, communications, and documentation).

Make sure your vendor of choice certifies definitions at least once daily. From a Symantec perspective, ensure you are set up for VDTM as your primary deployment method with LiveUpdate being your backup (VDTM pushes new definitions out immediately by subnet, where LiveUpdate has a come-and-get-them approach when a device checks in with its parent server). Increase your thread count as well, as this will allow defs to flow at a greater rate. You should also know how fast your definitions are reaching your environment.

As Michael said below, you should only want to see alerts where the software was unable to act. When it catches malware and it's quarantined or deleted, etc., the software is doing its job. Hope this helps.
Thanks,
Rob

=====================
Robert Clifford
Information Security/Risk Management/Business Continuity
Columbus State Community College
614-287-3686
Nextel: 136*16475*123
rclifford2 () cscc edu
"Stanclift, Michael" <michael.stanclift () ROCKHURST EDU> 6/17/2009 11:39 AM >>>

I currently have EPO/McAfee configured to send me an email alert when a virus is detected on a system but it could not be removed. Then I get a daily digest in the morning of yesterday's activity, including things that were removed. Not "real time" like you said, but real enough for me given the limited resources we have. If I wanted, I could change the email alerts to include all virus threats detected, but I'd probably be flooding my inbox with a lot of things that are not really worth tracking down, at least for me.

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231
Think before you print!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
Sent: Wednesday, June 17, 2009 9:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] A Real-Time malware antivirus console

Hi there. We are reviewing our entire organization's antivirus solution. Aside from effectiveness in malware detection, I am trying to propose a solution that gives a real-time overall malware threat monitoring tool. I'm looking for something like a real-time malware monitor or console indicating the real-time trend of malware detection in my network, which lets me act right upon a malware breakup (incident response team) and not have to react after those incidents with a sad report of events hours ago. Are you aware of any corporate solution that offers this feature? Can McAfee and EPO do that? Thank you
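Both replies above boil down to the same triage rule: page a human only when the product could not act, and roll everything else into an hourly or daily digest with the trend views Rob describes (top infected devices, definition currency). The script below is an added example illustrating that rule and is not code from either poster or from any vendor console. The pipe-separated export format and all host, threat and date values are constructed for the example; a real deployment would read the product's own log export instead.

```python
"""Triage of AV detection events: alert only where the product could not act,
build a top-N infected-host list, and flag hosts whose definitions lag the
vendor's current certified release. All sample data below is constructed."""
from collections import Counter
from datetime import date, datetime

# Constructed sample export. The layout
#   timestamp|host|threat|action taken|definition date on the host
# is an assumption for this example, not any vendor's real log format.
SAMPLE_LOG = """\
2009-06-17 08:05:11|lab-pc-014|Trojan.Generic|quarantined|2009-06-17
2009-06-17 08:07:42|lib-kiosk-03|W32.Downadup|unable to remove|2009-06-10
2009-06-17 08:09:03|lab-pc-014|Adware.Foo|deleted|2009-06-17
2009-06-17 08:12:55|lib-kiosk-03|W32.Downadup|left alone|2009-06-10
2009-06-17 08:20:19|admin-ws-07|Trojan.Generic|cleaned|2009-06-16
2009-06-17 08:31:00|lab-pc-022|Backdoor.Bar|access denied|2009-06-17
"""

# Actions where the product finished the job on its own. Anything else is
# the "software was unable to act" case that should reach a person.
HANDLED_ACTIONS = {"quarantined", "deleted", "cleaned"}


def parse_events(text):
    """Turn the export into dicts with keys when, host, threat, action, defs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, threat, action, defs = line.split("|")
        events.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "threat": threat,
            "action": action.strip().lower(),
            "defs": date.fromisoformat(defs),
        })
    return events


def needs_human_action(event):
    return event["action"] not in HANDLED_ACTIONS


def alerts(events):
    """Real-time alert candidates: one per (host, threat) the product could
    not handle, so a repeat detection of the same threat does not page twice."""
    seen, out = set(), []
    for e in events:
        if needs_human_action(e):
            key = (e["host"], e["threat"])
            if key not in seen:
                seen.add(key)
                out.append(e)
    return out


def top_infected_hosts(events, n=10):
    """Rob's 'top 10 devices with infections' view, as (host, count) pairs."""
    return Counter(e["host"] for e in events).most_common(n)


def stale_definition_hosts(events, current_defs, max_age_days=1):
    """Hosts whose newest reported definition date lags the vendor's current
    certified release by more than max_age_days (a definition-delivery check)."""
    newest = {}
    for e in events:
        newest[e["host"]] = max(newest.get(e["host"], e["defs"]), e["defs"])
    return sorted(h for h, d in newest.items()
                  if (current_defs - d).days > max_age_days)


def daily_digest(events, current_defs):
    """The morning summary Michael describes: totals plus the exceptions."""
    return {
        "detections": len(events),
        "auto_handled": sum(1 for e in events if not needs_human_action(e)),
        "alerts": [(e["host"], e["threat"], e["action"]) for e in alerts(events)],
        "top_hosts": top_infected_hosts(events, 3),
        "stale_defs": stale_definition_hosts(events, current_defs),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, value in daily_digest(evs, date(2009, 6, 17)).items():
        print(f"{key}: {value}")
```

Running it on the constructed sample yields two alerts (the kiosk the product could not clean and the workstation where access was denied), three auto-handled detections that belong only in the digest, and one host with week-old definitions; the alert list is what you would wire to e-mail or a ticket queue, and the rest is what the hourly dashboard would show.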
Current thread:
- A Real-Time malware antivirus console reflect ocean (Jun 17)
- <Possible follow-ups>
- Re: A Real-Time malware antivirus console Stanclift, Michael (Jun 17)
- Re: A Real-Time malware antivirus console Robert Clifford (Jun 17)
- Re: A Real-Time malware antivirus console Basgen, Brian (Jun 17)
- Re: A Real-Time malware antivirus console Curt Wilson (Jun 17)
- Re: A Real-Time malware antivirus console Valdis Kletnieks (Jun 17)
- Re: A Real-Time malware antivirus console Curt Wilson (Jun 17)
- Re: A Real-Time malware antivirus console Eric Case (Jun 17)
- Re: A Real-Time malware antivirus console reflect ocean (Jun 17)
- Re: A Real-Time malware antivirus console Gary Flynn (Jun 18)
- Re: A Real-Time malware antivirus console King, Ronald A. (Jun 18)
- Re: A Real-Time malware antivirus console Stanclift, Michael (Jun 18)