Re: Anti-Virus/Malware Enterprise Options

[Eric Lukens <eric.lukens () UNI EDU>]

AppLocker policies and the Windows 8+ Smartscreen filter block most of the
malicious payloads for us. SCEP is there to clean up the payloads off the
disk, but the other two prevented them from running. Malware can still slip
by if it exploits or uses an already running process.

On Thu, Jun 9, 2016 at 9:54 AM, McClenon, Brady <Brady.McClenon () oneonta edu>
wrote:

> It’s interesting, but can be deceiving.   Working with SCEP a lot lately I
> found it doesn’t do a great job at catching malicious Word docs with macros
> used to drop malware.  However, if I execute the macros in a sandbox with
> SCEP running in every instance in my testing SCEP immediately identifies
> the payload as malware once it is downloaded.  I consider that a successful
> mitigation, but it could be seen that SCEP missed 9 malicious Word docs
> with different dropper variations all dropping the same malware payload.
> So is SCEP’s detection rate 10% or 100%?  I would say 100%, but I think
> VirusTotal data would take in to account all the missed droppers and call
> it 10%.  Just food for thought when doing/reading these comparisons.
>
>
>
> We moved from Sophos to SCEP last year.  We have now reinvested the
> savings on an additional layer of protection (although not yet implemented)
> that will run beside SCEP.  With the notion of traditional AV “being dead”
> picking up steam, and for good reasons, it didn’t seem advantageous to
> spend all our funds at that level moving forward.
>
>
>
>
>
> Brady McClenon
>
> Information Technology Security Administrator
>
> Information Technology Services - IT Security
>
> B237 Milne Library
>
> SUNY College at Oneonta
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Livio Ricciulli
> *Sent:* Wednesday, June 08, 2016 2:57 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Anti-Virus/Malware Enterprise Options
>
>
>
> I thought this link might be useful. This is what we actually measured
> last week in our system.
>
> https://www.metaflows.com/stats/antivirus_vendors/
>
> True positive rate in this case is the relative detection rate. So, for
> example, if vendor A has .46 it means that 46% of the time they detected
> malicious malware and 54% of the time other vendors detected it but they
> did not.
> Severity and prevalence (x and y) axes measure (1) the average priority of
> what they caught (for example Adware has priority 1 but ransomware has
> priority 100) and (2) the total sum of the priorities.
>
> Large bubbles trending toward a red color toward the top right are best..
>
> These measurements seem to vary week to week, depending of the outbreaks
> we see..
>
> Let me know if you have any questions.
>
> Livio.
>
> On 06/08/2016 09:17 AM, Burke, Ian R. wrote:
>
> We have been using Sophos for a few years now and are switching to their
> cloud solution. We have considered switching to the MS platform but have
> not yet taken the plunge. Sophos seems to work fairly well but is a bit
> cumbersome to manage when it comes to the stale system side of things. It
> will be interesting to see if the cloud platform helps solve this issue any.
>
>
>
> I still believe that all of these AV solutions only stop a small
> percentage of the threats and that a broader solution involving a fuller
> spectrum of protection, including user education, is critical.
>
>
>
> Ian
>
>
>
> Ian Burke
>
> Information Security Administrator
>
> Information Security – ITS
>
> http://go.middlebury.edu/infosec
>
> Middlebury College
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Garmon, Joel
> *Sent:* Wednesday, June 8, 2016 12:11 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Anti-Virus/Malware Enterprise Options
>
>
>
> We have been using Microsoft’s System Center Endpoint Protection for a
> while now.  It does a decent job at detecting virus.  But I agree that you
> really need a competent SCCM team to use it.
>
>
>
> Contact me directly if you want more information.
>
>
>
> Thank you,
>
>
>
> Joel Garmon
>
> Director Information Security
>
> Wake Forest University
>
> 336-758-2972
>
>
>
> http://infosec.wfu.edu/
>
>
>
> On Wed, Jun 8, 2016 at 11:42 AM, Brian Griffith <griffibw () whitman edu>
> wrote:
>
> Hey Doug. We recently made the switch from McAfee to SCEP. In our somewhat
> limited testing, they performed similarly. I feel slightly better about
> McAfee (leftover bias against Defender from the early days, perhaps?), but
> not enough to justify the cost. We feel like the central administration of
> SCEP is better/easier (IF you already have SCCM up and running), and you
> get prettier reports out of the box. I'm also excited about the MS APT
> product as we transition to Windows 10.
>
> Brian Griffith
>
> Information Security Officer
>
> Whitman College
>
>
>
>
>
>
> On Jun 8, 2016, at 8:32 AM, Doug Brooks <dbrooks () PARKLAND EDU> wrote:
>
> We are currently using McAfee as our AV solution but are evaluating other
> options.  We are upgrading to the latest McAfee Endpoint Security version
> for our enterprise but also want to consider other products including
> Microsoft’s System Center Endpoint Protection/Defender platform.  The
> latter would save us money but I’m not yet confident that it is a viable
> enterprise solution.
>
>
>
> I’d appreciate any feedback on McAfee, Microsoft or other enterprise-grade
> solutions that you are using.
>
>
>
> Thanks,
>
>
>
> Doug
>
> Parkland College
>
> dbrooks () parkland edu
>
>
> ------------------------------
>
> *Email to or from Parkland College employees may be subject to disclosure
> under the Illinois Freedom of Information Act. This communication is the
> property of Parkland College and is intended only for use by the recipient
> identified. If you have received this communication in error, please
> immediately notify the sender and delete the original communication. Any
> distribution or copying of this message without the College’s prior consent
> is prohibited.*
>
>
>
>
>
> --
>
> Livio Ricciulli
> w +1 (408) 457-1895
> m +1 (408) 835-5005
> Please review MetaFlows on Google
> <https://www.google.com/search?q=Metaflows,%20Inc&ludocid=13909832393819891504#lrd=0x0:0xc109a6dd5edb2730,1>



-- 
Eric C. Lukens
IT Security Compliance & Policy Analyst
Information Security
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

"Security is a process, not a product."  Bruce Schneier