
Wanted Dead or Alive: The Antivirus Shoot-Out

Which approach do you use? If your client machines have floppy disk drives, you have no choice but to install virus-protection software on every machine (clients and servers). In this way, each machine is protected against all categories of viruses, and no further protection is required if the software is used correctly and regularly updated. For larger workgroups, you might augment the client-based software with a gateway-based product to provide additional protection against network-borne viruses.

If your client workstations don't have floppy disk drives, you may not need antivirus software on individual workstations. For example, if your workgroup is standalone and does not communicate with the outside world, you have to install antivirus software only on the shared server. If you have an Internet connection, you can install a gateway-based product between the workgroup and the firewall--and still get away with not installing antivirus software on the client machines. However, for small workgroups, it is less complicated simply to install antivirus software on each client, thereby obviating the need to configure a separate gateway server.

Whichever configuration you choose, the most important qualification of antivirus software is its ability to detect and remove viruses from your system. Obviously, it is impractical for you to evaluate independently how each product fares against the 15,000 to 20,000 known viruses--or even the 300 viruses that cause 95 percent of public infections. Fortunately, somewhat objective third-party perspectives are available. The most widely recognized is probably the International Computer Security Association (iCSA), formerly NCSA (see www.ncsa.com). To gain iCSA certification, a particular piece of antivirus software must have achieved a 100-percent detection rate on those viruses currently in widespread distribution (dubbed the "Wild List") and a 90-percent detection rate on the sampling of other known viruses (more specifically, iCSA's collection of known viruses, which it calls the "virus zoo").

It's important to note that vendors must pay for iCSA certification ($7,500 for consortium membership and $4,000 per platform). Consequently, the iCSA list is not a comprehensive picture of the available products--some smaller vendors simply may have chosen not to pay the fees. And while there are other sources for validation of virus products on the Web, be cautious--some sites, like The Virus Bulletin (www.virusbtn.com), are maintained by vendors of antivirus software.

Protecting Against New Viruses

The ongoing challenge in virus protection is that nefarious people continue writing new viruses, which your antivirus software won't recognize and kill. The solution to this problem is online updates--a feature offered in different forms by all major antivirus vendors that lets antivirus software update itself via an Internet or dial-up connection.

Online updates are available in two main forms. The first and more common approach involves the client software periodically downloading new software and data files directly from the vendor. The second method utilizes an intermediate server that is installed in the workgroup. This server downloads the necessary updates and distributes them directly to the clients in the workgroup. The difference between these approaches is shown in the diagram on page Q4.

The first approach (direct update) affords simplicity, but individual clients must separately download the required data files (which can be more than 1 MB, depending on the product). If your Internet connection is slow or the vendor server is overloaded, the download time could be very long. As a result, users cancel the download, which substantially increases your workgroup's exposure to new viruses. With the server-based approach, the client update occurs over the fast LAN connection. (Only the original server download is slow, and this is largely invisible to workgroup users.) We strongly recommend that you test this approach in your environment before implementation.
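The server-based approach described above, sketched as an added example (not from the original article or any vendor's product): the intermediate server makes the one slow vendor download, publishes it to the LAN share only if it arrived complete, and clients pull from the share. The `fetch` callable, the manifest fields, the file names and the host names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample data standing in for a vendor definition file and its manifest.
SAMPLE_DEFS = b"constructed-signature-data-" * 1000
SAMPLE_MANIFEST = {"version": 2, "sha256": hashlib.sha256(SAMPLE_DEFS).hexdigest()}

def mirror_update(fetch, manifest, share):
    """Intermediate server: one WAN download, published only if complete.

    fetch (hypothetical) returns the downloaded bytes; manifest (hypothetical)
    carries the version and SHA-256 digest the vendor published for that file.
    """
    data = fetch()  # the single slow transfer, invisible to workgroup users
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        return False  # truncated or altered download: leave the old files in place
    share = Path(share)
    share.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=share)  # stage on the same volume as the target
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, share / "defs.dat")  # atomic swap: no client reads a partial file
    # Version is written last, so a client never sees a new version with old data.
    (share / "version.txt").write_text(str(manifest["version"]))
    return True

def client_update(share, installed_version):
    """Client: fetch over the LAN only when the share holds something newer."""
    share = Path(share)
    vfile = share / "version.txt"
    if not vfile.exists():
        return installed_version, None
    available = int(vfile.read_text())
    if available <= installed_version:
        return installed_version, None
    return available, (share / "defs.dat").read_bytes()

def stale_clients(reported_versions, current_version):
    """Hosts still behind the published version, i.e. exposed to new viruses."""
    return sorted(h for h, v in reported_versions.items() if v < current_version)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(mirror_update(lambda: SAMPLE_DEFS[:100], SAMPLE_MANIFEST, d))  # cut short
        print(mirror_update(lambda: SAMPLE_DEFS, SAMPLE_MANIFEST, d))
        print(client_update(d, 1)[0])
    print(stale_clients({"pc-a": 2, "pc-b": 1, "pc-c": 0}, 2))
```
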

Philip Carden is a managing consultant with Renaissance Worldwide, an international business and technology consulting firm. He has co-authored two books on security. Send your comments on this article to him at pcarden@rens.com.

