Re: Microsoft antivirus

[Jason Gates <jasongates () SOUTHERN EDU>]

I've used FEP with SCCM and enjoy the management and reporting abilities of FEP but i'm concerned about the quality of 
malware protection. Through reading, testing and real world experiences with the antivirus product i've found that its 
malware protection is left wanting. In test cases FEP did not remove/detect all the malware, leaving malware parts 
still installed and functioning.

Some supporting info:

Av-test.org even shows that microsoft has failed certification for 2 years.
http://www.av-test.org/no_cache/en/tests/test-reports/

A small business lost $170,000 from malware that microsoft security essentials didnt detect (A dumbed down version of 
FEP, correct?)
http://krebsonsecurity.com/2013/01/big-bank-mules-target-small-bank-businesses/

Looking at Av-comparatives analysis of different AV vendors ability to perform also gives cause for concern regarding 
FEP
http://www.av-comparatives.org/images/docs/avc_sum_201212_en.pdf

Quite frankly, everywhere I read I see that FEP performs poorly compared to other antivirus vendors, so i'm surprised 
at the discussion here. Perhaps I am missing something?
-Jason


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Santabarbara, Angelo
Sent: Monday, March 11, 2013 6:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft antivirus

We are also going down this same route.  We have been testing FEP with about 200 lab machines and all of our Microsoft 
servers.  Overall, it seems to do a better job than McAfee and with SCCM we do have visibility and control over what it 
is doing.  SCCM is not the easiest deployment, but we already had it running as we've been using FIM since November.  
Upon install we've actually found many infections that were not detected by McAfee.  Based on this, the cost savings, 
and the smaller resource footprint, we will be switching all of our machines to FEP this summer.

Angelo D. Santabarbara
Director of Networks & Systems
Siena College
518-782-6996
ASantabarbara () siena edu<mailto:ASantabarbara () siena edu>

***Siena ITS staff will NEVER ask for your password or other confidential information via email.***

CONFIDENTIALITY NOTICE: This e-mail, including any attachments, is for the sole use of the intended recipient(s) and 
may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is 
prohibited. If you received this e-mail and are not the intended recipient, please inform the sender by e-mail reply 
and destroy all copies of the original message.

On Mon, Mar 11, 2013 at 3:54 PM, Tim Doty <tdoty () mst edu<mailto:tdoty () mst edu>> wrote:
On 03/11/2013 02:24 PM, Ed Zawacki wrote:
I just wanted to say that I appreciate all of the comments I've received
on this topic to both me directly and to the list.

One interesting observation is that of the people who responded, it
seems that nearly everyone that switched to MS FEP seems happy with it.
A few weeks ago, I was looking at Gartner's magic quadrant for endpoint
protection as well as a report they did on FEP a year or so ago and they
seemed to be underwhelmed. Odd.

Here's another University of Missouri response. Although all campuses are on FEP (I believe) there are five member 
institutions so situations vary.

I can say that how well you will like it depends on how it is deployed and managed. For example, I don't have any 
access to the SCCM so there is no visibility or reporting. And, those that do have access to it here don't take 
advantage of it.

> From an effectiveness stand point it hasn't seemed particularly effective. It has happy to allow an old virus 
> (financial data stealer) to continue operating (the system had been infected before the change to FEP) and in general 
> web-based infections seem to occur without a hitch. Maybe it stops some of them, but as I have no visibility into the 
> SCCM I can't tell.

However, it isn't like the previous product (McAfee) was doing any better from an effectiveness standpoint and we 
didn't have visibility into its activity/alerting either. For me, the major difference has been submitting samples and 
in that respect Microsoft seems better now than it was a year ago, though it does vary significantly. Time from 
submission to update has ranged from very fast (may have been less than a day, I don't remember for sure) to well over 
a week.

Tim Doty
System Security Analyst
Missouri S&T