Re: Centralized Antivirus Recommendation

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

I'd have to second that.  Even though we're researching our options, I
have to say ePO 4.x is extroardinarly powerful.  I went from practically
choking on epo3.6.x to actually liking epo 4+.

When I actually compare it to the other AV packages we've considered thus
far, they are clearly less flexible on the management side, but of course
management is not the only variable to think of so we're keeping an open
mind when it comes to desktop performance etc.  Mcafee 8.7i made some
performance improvements and the new Mac version runs much better too. 

With ePO, I can do thinkg like automatically tag, classify, report or
organize machines based on everything from OS and OS version to subnet, or
almost any generally useful computer property you can imagine. 
Correlation with userame, mac address, ip and computername is also done
automatically and clients can be located by by these.  But more
importantly once you spend an hour or so figuring out the dashboards and
queries you can do things like setup graphs to display infections or
malware rates per subnet, buidling or whatever your logical network
topology will allow you to define.  

It can gives you a way to keep users where they are supposed to be grouped
at any point in time.  (For example with other av, I can't automatically
move users to the right group efficiently.)  It's most useful for me to
group users by subnet.   When you have a NAC that uses vlan switching or
remediation subnets to install the AV and manage access this becomes a
potential issue.  Once in production and their IP changes the students are
no longer a member of that subnet in which they installed the AV. With
ePO, because it updates all parameters on every communication (interval
determined by you), your clients can be organized much more efficiently
than systems that require you to manually move users.  Having command-line
options install options for grouping helps, but not all we've tested have
this option.    

        One thorn in my side with Mcafee though is that they do not provide to my
knowledge a simple integrated tool to spit out a simple installer file for
pc and mac users so we must make our own installer/uninstaller packages.  
There's no reason for this level of extra effort.  I don't like the
recommended install from an SMB share idea recommendation of many vendors
because we use NAC (which is web-oriented) and smb shares are not the same
thing as web pages or web shares so we need single file installers since
our students' computers are not joined to a domain therefore they cannot
access shares and we cannot not push installers to them.   Even open
shares require some credentials which adds unnecessary complexity in
directions.  Other AV vendors make this a tad easier by providing you an
ability to spit out an install file.  The "Universal " installers (ex,
Mcafee shell script installer) for unix makes good sense for programmers,
but it makes no sense for the legions of Mac users who got Macs in the
first place because they thought PCs were complicated and clumsy. 
Requiring them to use terminal and sudo and know how to change to some
obscure case-senitive directory to install or uninstall something they
could do with a wizard makes zero sense to me.

(Okay, I'm off my soapbox now)

D/C

The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
> In our testing of Sophos it was a solid product.  The huge downside for us
> was that we were trying to manage multiple domains (still > 8) via a
> single
> central management server.  Epolicy Orchestrator makes this fairly easy,
> one
> has to have a user account on each domain that can iterate the OU/Computer
> structure (a guest user is generally sufficient), then configure things to
> update at a reasonable interval.  Sophos uses the computer account of the
> enterprise console server to synchronize the OU/Computer structure. Since
> a
> computer can't be a direct member of multiple domains, this wouldn't work
> for our configuration.  Initially, Sophos recommended that we simply run
> one
> management console per domain (not likely), then later offered to write us
> some scripts (or provide us, more likely) that would do an out of band
> pull
> of this information from the domains, then import it into the Sophos
> Console.  After some discussions, that seemed like a good way to break
> things very effectively as each new version is released, and we continued
> our relationship with McAfee.
>
> In fairness to McAfee: Epolicy Orchestrator, with little effort, is an
> extraordinary centralized management and reporting system.  Yes, it's Java
> based (runs a Tomcat server on the back end, so it's a resource hog on the
> server and can be slow-ish at times on the front end), but in spite of
> that
> ePO 4.5 (the latest version) runs pretty well until you load it up with 40
> million events (and even then it was our very old and underpowered SQL
> server that fell over).
>
> We're in the process of reorganizing our AD structure to reduce the number
> of domains and forests that we have, so Sophos (or some other vendor with
> similar limitations) is again a possibility.
>
> <rant>
> Last, one comment in case managers are still reading:
>
> Management of Antivirus software _needs_ to be pulled out of the security
> office.  This software, like any other endpoint management software, needs
> to be run by those that are providing centralized IT resources for
> endpoint
> management.  Security needs to be involved in helping make the risk
> decisions related to what default settings should be enabled and should be
> able to leverage any centralized logs resulting from any endpoint
> management
> system, but should not be responsible for managing these systems. As an
> additional point, WSUS is just another endpoint management system.
> </rant>
>
> -- KS
>
> On 5/3/10 9:10 PM, "Eric Case" <ecase () EMAIL ARIZONA EDU> wrote:
>
> > I will also give Sophos a thumbs up.
> >
> > The University of Arizona has site-licensed Sophos.  However, being
> > decentralized colleges and departments are free to spend ³their²
> money on
> > different solutions.  I know one Associate Dean who was using McAfee in
> ³home
> > user mode² until it came time to renew last month and went with a
> different
> > free AV tool.  He could have used Sophos but . . . you would have to
> know him.
> > :)
> >
> >
> > As Ronald said, from the admin/management side Sophos is very easy to
> work
> > with.  With the Enterprise Console (EC), it was easy to see the current
> state
> > of all the clients (and report that up the Dean), setup email alerts,
> etc.,
> > etc.
> >
> > If there is one drawback to Sophos it is it was written from day-one
> for the
> > admin/management viewpoint, not the end-users viewpoint.  What I mean
> is it
> > was written for centralized management not end-user management.  I¹m
> not sure
> > Sophos sells to end-users.  The enterprise characteristics were not
> bolted on
> > to a consumer product.
> >
> > As an example, it was designed to update from a ³Central Installation
> > Directory² (CID), not a vendor website.  You can publish that location
> via
> > http and have your users update from there when your CID is not
> available.  My
> > users were able to get updates from my CID while they were on a
> different
> > continent.
> >
> > Another thing that is different about Sophos is the updates.  Instead
> of one
> > massing update a day, the individual virus definitions are published as
> > needed.  You could have many updates in one day.  They are ACSII files;
> you
> > could fax them, type them back into the computer and update the engine.
> The
> > main AV engine is updated once a month.  In addition, a single update
> can
> > cover more than one piece of malware.  If you want some machines to
> update
> > once a day and others to update every hour, no problem, the EC has you
> covered
> > with different groups.
> >
> >
> > If you assume, all AVs are close to each other in terms of detection,
> i.e.,
> > one is not twice as fast/better than the others, what will set them
> apart is
> > their management, cost and support.  I would say Sophos; ³tastes
> great, less
> > filling.²  :)
> > -Eric
> >
> >
> >
> >
> > Eric Case, CISSP
> > eric (at) ericcase (dot) com
> > http://www.linkedin.com/in/ericcase
> >
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> > Sent: Monday, May 03, 2010 2:12 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Centralized Antivirus Recommendation
> >
> > I compared McAfee, Symantec and Sophos a few years back.  We chose
> Sophos
> > based on its ease of management compared to the other two.  As for
> > performance, Sophos appeared to perform better.  The only thing we
> really see
> > is when the system first starts up and Sophos immediately updates
> itself, but,
> > this usually isn¹t too intense.  I am in the process of moving to
> Enterprise
> > Console 4 from 3.5 and then to Endpoint Security 9 from 7.  Base on the
> > documentation, it looks really easy.
> >
> > Management is much easier and faster with Sophos.  I think that is what
> > impressed me the most.  While others are going with a web based
> management
> > using Java, they suffer from a serious performance degradation.  McAfee
> had
> > things missing dependent on the browser you used. When we had Conficker
> hit
> > us, we were able to quickly respond.  If we used one of the others, I
> don¹t
> > think it would have gone as well (as well as a virus outbreak could). 
> We have
> > one of our OUs for labs tied directly to a management group and a group
> policy
> > based install for anything new that is tied to Active Directory.
> >
> > Support has always been great.  We had 8 or 10 hours of help, maybe
> more,
> > deploying.  They helped design our standalone client for off-site
> installs,
> > assisted in active directory integration, and gave tips for working
> with the
> > MS SQL DB backend.  For general support, they are very fast at getting
> back to
> > you if you call and leave a message.  Most of our stuff goes through
> email and
> > is usually taken care of in a day.  For the Conficker issue I referred
> to
> > earlier, they spent a good amount of time helping to include educating
> me on
> > how the bugger worked.
> >
> > The only thing we have had to deal with is an add-on for IE.  Though I
> haven¹t
> > had any issues, there have been others that disable the web add-on to
> resolve
> > their issue.  EC 4 and Endpoint 9 have the ability to turn this off. 
> I¹m
> > hoping there is functionality to allow and disallow options for it.
> >
> > One thing we are really excited about in the new release is the software
> > control and PII scanning.
> >
> > I¹ve had limited experience with the other three, which includes none
> from a
> > centralized management standpoint.  But, for what it¹s worth, ESET
> tended to
> > block legit apps by default.  AVG has so many components, including the
> web
> > scanner that it has slowed down systems.  I no longer recommend the
> freebie.
> > Kapersky, I have no experience with.
> >
> > Anyway, these are my 2 cents based on what we have dealt with for 2
> years.  We
> > are renewing for at least another one and have no plans to change. 
> Sometimes
> > it¹s good to be kept out of the papers.
> >
> > Feel free to contact me for any further information of list.
> >
> > Ronald King
> > Security Engineer
> > Norfolk State University
> > Marie V. McDemmond Center for Applied Research
> > Suite 401
> > 700 Park Ave.
> > Norfolk, Virginia  23504
> > Phone:  757-823-3918
> > Fax: 757-823-2128
> > Email: raking () nsu edu<mailto:raking () nsu edu>
> > http://security.nsu.edu
> >
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sabourin, Justin
> > Sent: Monday, May 03, 2010 4:01 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Centralized Antivirus Recommendation
> >
> > We¹re currently researching options to move away from our current
> antivirus
> > solution in favor of something with better detection abilities and a
> solid
> > management console/reporting server.  We¹re also a technology centric
> > institution so the performance impacts of antivirus clients are
> frequently
> > noted by our students so low overhead is also desirable.
> >
> > Currently we¹re considering the following based on other feedback. 
> Your
> > thoughts on installation, deployment, and management are much
> appreciated!
> > ·         Sophos
> >
> > ·         AVG
> >
> > ·         ESET
> >
> > ·         Kapersky
> >
> > Justin Sabourin * Manager of Network Operations * Division of Technology
> > Services * Wentworth Institute of Technology * 550 Huntington Ave,
> Boston MA
> > 02115
> >
> > CONFIDENTIALITY: This e-mail (including any attachments) may contain
> > confidential, proprietary and privileged information, and unauthorized
> > disclosure or use is prohibited. If you received this e-mail in error,
> please
> > notify the sender and delete this e-mail from your system.