Educause Security Discussion mailing list archives
Re: Centralized Antivirus Recommendation
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Mon, 3 May 2010 19:10:59 -0700
I will also give Sophos a thumbs up. The University of Arizona has site-licensed Sophos. However, being decentralized, colleges and departments are free to spend "their" money on different solutions. I know one Associate Dean who was using McAfee in "home user mode" until it came time to renew last month and went with a different free AV tool. He could have used Sophos but . . . you would have to know him. :)

As Ronald said, from the admin/management side Sophos is very easy to work with. With the Enterprise Console (EC), it was easy to see the current state of all the clients (and report that up to the Dean), set up email alerts, etc., etc.

If there is one drawback to Sophos, it is that it was written from day one for the admin/management viewpoint, not the end-user's viewpoint. What I mean is it was written for centralized management, not end-user management. I'm not sure Sophos sells to end-users. The enterprise characteristics were not bolted on to a consumer product. As an example, it was designed to update from a "Central Installation Directory" (CID), not a vendor website. You can publish that location via http and have your users update from there when your CID is not available. My users were able to get updates from my CID while they were on a different continent.

Another thing that is different about Sophos is the updates. Instead of one massive update a day, the individual virus definitions are published as needed. You could have many updates in one day. They are ASCII files; you could fax them, type them back into the computer and update the engine. The main AV engine is updated once a month. In addition, a single update can cover more than one piece of malware. If you want some machines to update once a day and others to update every hour, no problem, the EC has you covered with different groups.

If you assume all AVs are close to each other in terms of detection, i.e., one is not twice as fast/better than the others, what will set them apart is their management, cost and support. I would say Sophos: "tastes great, less filling." :)

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Monday, May 03, 2010 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Centralized Antivirus Recommendation

I compared McAfee, Symantec and Sophos a few years back. We chose Sophos based on its ease of management compared to the other two. As for performance, Sophos appeared to perform better. The only thing we really see is when the system first starts up and Sophos immediately updates itself, but this usually isn't too intense. I am in the process of moving to Enterprise Console 4 from 3.5 and then to Endpoint Security 9 from 7. Based on the documentation, it looks really easy.

Management is much easier and faster with Sophos. I think that is what impressed me the most. While others are going with a web-based management using Java, they suffer from a serious performance degradation. McAfee had things missing dependent on the browser you used. When we had Conficker hit us, we were able to quickly respond. If we used one of the others, I don't think it would have gone as well (as well as a virus outbreak could). We have one of our OUs for labs tied directly to a management group and a group policy based install for anything new that is tied to Active Directory.

Support has always been great. We had 8 or 10 hours of help, maybe more, deploying. They helped design our standalone client for off-site installs, assisted in Active Directory integration, and gave tips for working with the MS SQL DB backend. For general support, they are very fast at getting back to you if you call and leave a message. Most of our stuff goes through email and is usually taken care of in a day. For the Conficker issue I referred to earlier, they spent a good amount of time helping, to include educating me on how the bugger worked.

The only thing we have had to deal with is an add-on for IE. Though I haven't had any issues, there have been others that disable the web add-on to resolve their issue. EC 4 and Endpoint 9 have the ability to turn this off. I'm hoping there is functionality to allow and disallow options for it.

One thing we are really excited about in the new release is the software control and PII scanning.

I've had limited experience with the other three, which includes none from a centralized management standpoint. But, for what it's worth, ESET tended to block legit apps by default. AVG has so many components, including the web scanner, that it has slowed down systems. I no longer recommend the freebie. Kaspersky, I have no experience with.

Anyway, these are my 2 cents based on what we have dealt with for 2 years. We are renewing for at least another one and have no plans to change. Sometimes it's good to be kept out of the papers.

Feel free to contact me for any further information off list.

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sabourin, Justin
Sent: Monday, May 03, 2010 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Centralized Antivirus Recommendation

We're currently researching options to move away from our current antivirus solution in favor of something with better detection abilities and a solid management console/reporting server. We're also a technology-centric institution, so the performance impacts of antivirus clients are frequently noted by our students, so low overhead is also desirable. Currently we're considering the following based on other feedback. Your thoughts on installation, deployment, and management are much appreciated!

- Sophos
- AVG
- ESET
- Kaspersky

Justin Sabourin
Manager of Network Operations
Division of Technology Services
Wentworth Institute of Technology
550 Huntington Ave, Boston MA 02115

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system.