Educause Security Discussion mailing list archives

Re: Microsoft antivirus


From: Tim Doty <tdoty () MST EDU>
Date: Tue, 12 Mar 2013 14:11:52 -0500

On 03/12/2013 12:00 PM, Jason Gates wrote:
Accepted risks and environments differ between institutions, but for
our environment I expect that security layers will inevitably fail
and if some do, I'll sleep better knowing we would have a better than
basic chance at preventing a compromise. Agreed, there is no magic
bullet, but a fence is as strong as its weakest link. -jason

While I agree with your premise, I am convinced that all* AV are equally different. I'm no fan of Microsoft (quite the contrary), but my experience with FEP, while disappointing, is better than it was with McAfee. Either way we had drive-by infections. Either way we have too many users logged in with administrative rights.

For those that are able to take advantage of SCCM it's possible to leverage the data (something we didn't have with our McAfee license). And, to make it even better, our jumping from McAfee was a given -- they tried to gouge us on license fees (a steep increase) so the money saved by going with FEP can be spent on other enhancements.

I'm not arguing that FEP is better than its competitors, I'm saying that in my experience it isn't substantially different (certainly no worse) and is a perfectly valid choice. That wasn't what I was saying when we switched, but experience can be persuasive.

Tim Doty

* not literally all, but at least reasonably common. And the samples I've recovered of what got by FEP are not normally detected by McAfee...
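The point above about too many users holding administrative rights is the one a reader can actually act on, so here is an added example (not part of Tim's message or anything else in this thread) that inventories the local Administrators group on a set of Windows hosts and reports members that are not on an expected list. It uses the WinNT ADSI provider, which works on the client versions in use when this thread was written, so no newer cmdlets are required. The host names, the NetBIOS domain name CAMPUS, and the "Workstation Admins" group are constructed for illustration, and the helper name Get-LocalAdminMembers is my own.

```powershell
# Added example, not from the mailing list thread.
# Enumerates the local Administrators group on each host via the WinNT ADSI
# provider and flags members that do not match an expected-members allowlist.
# Host names, domain name and group names below are constructed assumptions.

$Computers = @('LAB-PC-01', 'LAB-PC-02', 'LIB-KIOSK-07')   # constructed sample hosts
$Domain    = 'CAMPUS'                                     # assumed NetBIOS domain

# Regexes for members that are allowed to be local admins. Anything else is a finding.
$Expected = @(
    '^[^\\]+\\Administrator$',                                  # built-in local Administrator
    ('^' + [regex]::Escape($Domain) + '\\Domain Admins$'),
    ('^' + [regex]::Escape($Domain) + '\\Workstation Admins$')  # assumed tiered admin group
)

function Get-LocalAdminMembers {
    # Returns one object per direct member of BUILTIN\Administrators on $Computer.
    param([Parameter(Mandatory)][string]$Computer)

    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; pull properties by reflection.
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)

        # ADsPath looks like WinNT://CAMPUS/jdoe (domain) or WinNT://LAB-PC-01/Administrator (local).
        $source = (($path -replace '^WinNT://', '') -split '/')[0]

        [pscustomobject]@{
            Computer = $Computer
            Member   = "$source\$name"
            Class    = $class        # 'User' or 'Group'
        }
    }
}

$findings = foreach ($c in $Computers) {
    try {
        Get-LocalAdminMembers -Computer $c | Where-Object {
            $member = $_.Member
            -not ($Expected | Where-Object { $member -match $_ })
        }
    }
    catch {
        # Host offline, RPC blocked by the host firewall, or caller lacks rights.
        Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
    }
}

$findings | Sort-Object Computer, Member | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\unexpected-local-admins.csv
```

Run it from an account that can read the remote SAM (typically a domain account with local admin rights on the targets). Two caveats: the WinNT provider reports only direct members, so a domain group nested inside "Workstation Admins" has to be expanded against AD separately, and this script only reports. To enforce the membership, push the same allowlist through Group Policy (Restricted Groups or Group Policy Preferences local users and groups) so that ad hoc additions are reverted on the next refresh.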


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Tuesday, March 12, 2013 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft antivirus

I'm with Jeff on this one.  Based on our technician's feedback, what
we have found is that nothing works perfectly.  We can spend a
fortune trying to protect endpoints from zero-day vulnerabilities
that might not be effective.  So despite the lack of bells and
whistles, we went with 'free' and have not regretted it.  What it
lacks in protection we can usually make up for with AD group
policies, software updates, user education and a good NG firewall
(for while they are here anyway).



Jake Barros  |  Network Administrator  |  Office of Information Technology
Grace College and Seminary  |  Winona Lake, IN  |  574.372.5100 x6178


On Mon, Mar 11, 2013 at 7:24 PM, Jeff Kell <jeff-kell () utc edu> wrote:
On 3/11/2013 7:06 PM, Jason Gates wrote:

I've used FEP with SCCM and enjoy the management and reporting
abilities of FEP, but I'm concerned about the quality of malware
protection. Through reading, testing and real world experiences
with the antivirus product I've found that its malware protection
is left wanting. In test cases FEP did not remove/detect all the
malware, leaving malware parts still installed and functioning.


Sure, it misses stuff.  But they all do.  We've gone from Symantec
to McAfee to Forefront and there really isn't that much of a delta
in terms of protection.  With current zero-day "click here to
infect your computer" drive-bys, nobody is going to keep you clean,
but it should look like they're making an effort.

In the "big picture" of things, Forefront was much less
"high-maintenance" and "obnoxiously fat footprint" than the
predecessors.  Having updates integrated (more or less) into
Windows updates is a plus.  I still have nightmares about EPO :)

I've considered application white-listing, but not sure how many
monkey wrenches that throws into the works.  And how much of that
is Active Directory dependent.

There's no magic bullet.  For no more return than you should
expect from an A/V these days, FF was priced right on campus
agreement.  We even drank the FOPE Kool-Aid for our Exchange
filtering...

Jeff



