The first question is the easier of the two to answer--what's required is an integrated AV suite that covers all known infection vectors (paths into the network); a well-thought-out incident-response plan; 24x7 vendor support; thorough user training; and copious amounts of network staff time before, during and after an outbreak. This may sound like more work than we'd like, but it has proved an effective virus-containment strategy for many.
The second question, how to mitigate infection risk during the window of vulnerability, was more difficult to answer, but virtually all AV vendors are polishing "outbreak-management" systems that can minimize the damage if properly implemented. The basic AV signature-scanning technology employed by every product we tested is, at best, a double-edged sword. Although the technology works well to keep thousands of "in the wild" viruses from making an unwelcome comeback, it's purely reactive. There's always a significant delay from the time a virus is discovered until a defensive signature is installed at the user's desktop. This time lag creates a window of vulnerability--an Achilles' heel in products that virus writers have learned how to exploit. For example, Sobig.F came with its own remarkably efficient SMTP server that let it propagate to millions of machines during the window of vulnerability.
Some of the AV systems we tested came with lots of bells and whistles. But we didn't lose sight of the main reason you buy these products and used that premise to define our areas to test: installation, configuration and management consoles and features; e-mail system scanners; server file system scanners; client (desktop) scanners; perimeter scanners, where available; outbreak-management tools; and automated software and signature deployment, update, and policy management for all the aforementioned items.
We also scrutinized strategy versus product fit to see if the reality matches the marketing. For example, when it comes to outbreak management, the marketers are quick to say, "Sure! We do that!" But do vendors have the infrastructure in place to deploy useful policy recommendations within hours? Note also that the key to scalability is a relational database that keeps track of the population of managed machines. Computer Associates, Network Associates and Trend Micro all include relational databases as part of their product suites.
Although we found neither a silver bullet nor revolutionary technology, we did find considerable evolutionary improvements. You should expect to see some of these features showing up in new AV products:
Broader use of outbreak policies: When a virus is first discovered, its basic attack mechanisms are understood long before signatures are available. Within hours of an outbreak, vendors can release policy-setting templates that deny a virus access to its propagation channel. For example, if a virus comes in a specific attachment form--say, .vbs encapsulated in a zip file--the outbreak policy would recommend stripping all zipped .vbs files at the mail server or perimeter for the next several days, even if the company's normal policy doesn't require this. Expect robust outbreak management to be a standard offering from all AV vendors within a year.
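The zipped-.vbs rule above, as an added example that is not code from the article or from any of the reviewed products: a small mail-server filter in Python that parses a message, probes every attachment as a zip archive, and replaces any archive containing a .vbs member with a plain-text notice. The rule format, the function names and the constructed sample message are assumptions made for this example; the standard library's email and zipfile modules do the real work.

```python
"""Outbreak-policy attachment filter.

Added example, not code from the article or from any AV vendor's product.
It implements the temporary rule described in the text: at the mail server,
strip any zip attachment that contains a .vbs file, whatever the normal
attachment policy says. Rule format, function names and the sample message
are assumptions made for this example.
"""
import io
import zipfile
from email import policy as email_policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed rule format. A vendor console would push a template like this for a
# few days after an outbreak and then retire it.
OUTBREAK_RULE = {
    "name": "zipped-vbs-outbreak",
    "banned_inner_extensions": {".vbs"},
}


def banned_members(data, banned):
    """Return member names inside a zip archive whose extension is banned.

    Returns [] when the bytes are not a zip archive. Only the central
    directory is read, so nothing is inflated (a zip bomb costs nothing here)
    and member names are visible even when the archive is password-protected.
    Nested archives are not opened; a stricter rule could recurse into them.
    """
    if not data:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [name for name in archive.namelist()
                    if any(name.lower().endswith(ext) for ext in banned)]
    except zipfile.BadZipFile:
        return []


def apply_outbreak_policy(raw_message, rule=OUTBREAK_RULE):
    """Parse a raw RFC 5322 message and strip attachments that match the rule.

    Every attachment is probed as a zip regardless of its declared filename or
    Content-Type, so a renamed or mislabeled archive is still inspected.
    Returns (rewritten message, list of stripped attachment filenames).
    """
    msg = BytesParser(policy=email_policy.default).parsebytes(raw_message)
    stripped = []
    if not msg.is_multipart():
        return msg, stripped
    for part in list(msg.iter_attachments()):
        hits = banned_members(part.get_payload(decode=True),
                              rule["banned_inner_extensions"])
        if not hits:
            continue
        name = part.get_filename() or "unnamed"
        stripped.append(name)
        # Replace the archive with a text attachment so the recipient and the
        # help desk can see what was removed and under which rule.
        part.clear_content()
        part.set_content(
            f"Attachment removed by outbreak policy '{rule['name']}': "
            f"archive contained {', '.join(hits)}\n",
            disposition="attachment", filename=f"{name}.removed.txt")
    return msg, stripped


def build_sample_message():
    """Constructed sample: a benign zip, a zip with a .vbs member, and a zip
    mislabeled as application/octet-stream with a .dat name. The .vbs members
    hold placeholder text, not scripts; only their names matter here."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample message"
    msg.set_content("See attachments.")
    for archive_name, subtype, member in (
            ("docs.zip", "zip", "readme.txt"),
            ("photos.zip", "zip", "photo.jpg.vbs"),
            ("report.dat", "octet-stream", "report.vbs")):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr(member, "placeholder content\n")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype=subtype, filename=archive_name)
    return msg.as_bytes()


if __name__ == "__main__":
    rewritten, removed = apply_outbreak_policy(build_sample_message())
    print("stripped:", removed)
    print(rewritten.as_string())
```

Running the module strips photos.zip and the mislabeled report.dat while leaving docs.zip untouched, and a second pass over the rewritten message strips nothing, which is the property you want from a rule that may be applied at more than one hop (perimeter, then mail server). The rule is deliberately a data structure rather than code so that it can be pushed from a management console and withdrawn when the outbreak is over.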
Broader use of personal firewalls: To control blended threats, some vendors may require personal firewalls, which can be managed en masse from a central AV policy-management console. However, such firewalls pose problems. For example, they must be locked down from user configuration; otherwise, every time an application wants to access the network, it will ask the user what to do, and the user invariably will say yes. We expect much debate over the widespread use of these firewalls in the months to come.