Educause Security Discussion mailing list archives

Re: Anti-Virus/Malware Enterprise Options


From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Thu, 9 Jun 2016 14:54:16 +0000

It’s interesting, but can be deceiving. Working with SCEP a lot lately I found it doesn’t do a great job at catching 
malicious Word docs with macros used to drop malware. However, if I execute the macros in a sandbox with SCEP running, 
in every instance in my testing SCEP immediately identifies the payload as malware once it is downloaded. I consider 
that a successful mitigation, but it could be seen that SCEP missed 9 malicious Word docs with different dropper 
variations all dropping the same malware payload. So is SCEP’s detection rate 10% or 100%? I would say 100%, but I 
think VirusTotal data would take into account all the missed droppers and call it 10%. Just food for thought when 
doing or reading these comparisons.

We moved from Sophos to SCEP last year.  We have now reinvested the savings on an additional layer of protection 
(although not yet implemented) that will run beside SCEP.  With the notion of traditional AV “being dead” picking up 
steam, and for good reasons, it didn’t seem advantageous to spend all our funds at that level moving forward.


Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Livio Ricciulli
Sent: Wednesday, June 08, 2016 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anti-Virus/Malware Enterprise Options

I thought this link might be useful. This is what we actually measured last week in our system.

https://www.metaflows.com/stats/antivirus_vendors/

True positive rate in this case is the relative detection rate. So, for example, if vendor A has .46 it means that 46% 
of the time they detected the malware and 54% of the time other vendors detected it but they did not.
Severity and prevalence (x and y axes) measure (1) the average priority of what they caught (for example adware has 
priority 1 but ransomware has priority 100) and (2) the total sum of the priorities.

Large bubbles trending toward a red color toward the top right are best.

These measurements seem to vary week to week, depending on the outbreaks we see.

Let me know if you have any questions.

Livio.
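The two ways of scoring a vendor that come up above, as an added example that is not code from the thread, from MetaFlows or from any vendor: the relative true-positive rate, severity and prevalence described in Livio's message, computed over a constructed set of samples, next to the sample-level versus payload-level split Brady describes (nine droppers of one payload, with the payload caught once dropped). The priority scale, vendor names A/B/C, sample labels and the chain-to-payload linkage are all assumptions made for the illustration, not measurements from the linked page.

```python
"""Scoring AV vendors over one set of samples: cross-vendor relative rate versus
sample-level and payload-level rates. All data below is constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Illustrative priority scale following the thread (adware 1 ... ransomware 100);
# the middle value is an assumption.
PRIORITY = {"adware": 1, "trojan_dropper": 20, "ransomware": 100}


@dataclass(frozen=True)
class Sample:
    name: str                      # constructed label standing in for a file hash
    family: str                    # key into PRIORITY
    vendors: frozenset             # vendors that flagged this sample
    payload: Optional[str] = None  # payload this sample drops (or is); None if unrelated


def relative_scores(samples, vendors):
    """Per-vendor relative detection rate, severity and prevalence.

    Denominator is every sample that at least one vendor flagged: a sample
    nobody flags is invisible to a cross-vendor comparison. Severity is the
    mean priority of what the vendor caught, prevalence the sum of priorities.
    """
    seen = [s for s in samples if s.vendors]
    scores = {}
    for v in vendors:
        caught = [s for s in seen if v in s.vendors]
        prios = [PRIORITY[s.family] for s in caught]
        scores[v] = {
            "rate": len(caught) / len(seen) if seen else 0.0,
            "severity": mean(prios) if prios else 0.0,
            "prevalence": sum(prios),
        }
    return scores


def sample_level_rate(samples, vendor):
    """Fraction of dropper+payload samples the vendor flagged (VirusTotal-style)."""
    chain = [s for s in samples if s.payload is not None]
    return sum(vendor in s.vendors for s in chain) / len(chain)


def payload_level_rate(samples, vendor):
    """Fraction of payloads stopped somewhere in their chain: credit the vendor
    if it flagged any dropper of the payload or the payload itself once dropped."""
    payloads = {s.payload for s in samples if s.payload is not None}
    stopped = sum(
        any(vendor in s.vendors for s in samples if s.payload == p) for p in payloads
    )
    return stopped / len(payloads)


def build_samples():
    # Nine macro droppers for one payload P1, flagged only by vendor B; the
    # dropped payload flagged by A and B; one adware binary flagged by A and C.
    droppers = [
        Sample(f"doc{i}.docm", "trojan_dropper", frozenset({"B"}), payload="P1")
        for i in range(1, 10)
    ]
    payload = Sample("P1.exe", "ransomware", frozenset({"A", "B"}), payload="P1")
    adware = Sample("toolbar.exe", "adware", frozenset({"A", "C"}))
    return droppers + [payload, adware]


if __name__ == "__main__":
    data = build_samples()
    for v, sc in relative_scores(data, ["A", "B", "C"]).items():
        print(f"{v}: rate={sc['rate']:.2f} severity={sc['severity']:.1f} "
              f"prevalence={sc['prevalence']}")
    for v in "ABC":
        print(f"{v}: sample-level={sample_level_rate(data, v):.2f} "
              f"payload-level={payload_level_rate(data, v):.2f}")
```

Vendor A, which never sees a dropper but always catches the payload, scores 0.10 at the sample level and 1.00 at the payload level, while B tops the relative-rate axis and A tops the severity axis; which picture is "right" depends on whether the question is files flagged or infections stopped.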

On 06/08/2016 09:17 AM, Burke, Ian R. wrote:
We have been using Sophos for a few years now and are switching to their cloud solution. We have considered switching 
to the MS platform but have not yet taken the plunge. Sophos seems to work fairly well but is a bit cumbersome to 
manage when it comes to the stale system side of things. It will be interesting to see if the cloud platform helps 
solve this issue any.

I still believe that all of these AV solutions only stop a small percentage of the threats and that a broader solution 
involving a fuller spectrum of protection, including user education, is critical.

Ian

Ian Burke
Information Security Administrator
Information Security – ITS
http://go.middlebury.edu/infosec
Middlebury College

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Garmon, Joel
Sent: Wednesday, June 8, 2016 12:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Anti-Virus/Malware Enterprise Options

We have been using Microsoft’s System Center Endpoint Protection for a while now. It does a decent job at detecting 
viruses. But I agree that you really need a competent SCCM team to use it.

Contact me directly if you want more information.


Thank you,

Joel Garmon
Director Information Security
Wake Forest University
336-758-2972

http://infosec.wfu.edu/

On Wed, Jun 8, 2016 at 11:42 AM, Brian Griffith <griffibw () whitman edu> wrote:
Hey Doug. We recently made the switch from McAfee to SCEP. In our somewhat limited testing, they performed similarly. I 
feel slightly better about McAfee (leftover bias against Defender from the early days, perhaps?), but not enough to 
justify the cost. We feel like the central administration of SCEP is better/easier (IF you already have SCCM up and 
running), and you get prettier reports out of the box. I'm also excited about the MS APT product as we transition to 
Windows 10.

Brian Griffith
Information Security Officer
Whitman College



On Jun 8, 2016, at 8:32 AM, Doug Brooks <dbrooks () PARKLAND EDU> wrote:
We are currently using McAfee as our AV solution but are evaluating other options.  We are upgrading to the latest 
McAfee Endpoint Security version for our enterprise but also want to consider other products including Microsoft’s 
System Center Endpoint Protection/Defender platform.  The latter would save us money but I’m not yet confident that it 
is a viable enterprise solution.

I’d appreciate any feedback on McAfee, Microsoft or other enterprise-grade solutions that you are using.

Thanks,

Doug
Parkland College
dbrooks () parkland edu



--
Livio Ricciulli
w +1 (408) 457-1895
m +1 (408) 835-5005
