CIO

How to Evaluate, Compare and Implement Enterprise Antivirus

Performance counts, but CISOs and analysts say it's not by any means the only point for comparison

Antivirus software has been around, well, nearly as long as viruses. But thanks to the ever-growing variety of threats to the PC environment, this is a fast-changing market that is undergoing two major trends:

1. Movement beyond signature-based protection. Malware is constantly growing and mutating, making it impossible for vendors to identify and protect against individual threats using signatures. Consider that in the spring, Symantec announced it had detected nearly 1.7 million malicious code threats since it began tracking them in 2007, representing a 265 percent growth in malicious code signatures.

In addition to signatures, vendors now use additional techniques, such as application control (also called whitelisting), which allows only approved code to run; and host intrusion protection systems (HIPS), also called heuristics, which monitor code behavior. If behavior deviates from "normal," HIPS deems it suspicious or malicious and prevents it from running. HIPS works in preexecution mode, runtime mode or both.

2. Expanded functionality. Many of the large antivirus software vendors have expanded their stand-alone tools into suites that not only guard against malware but protect against hackers and data loss.

"The general trend is that security software on the endpoint is getting fatter and more fully functional," says John Oltsik, an analyst with Enterprise Strategy Group (ESG). Specifically, antivirus, antispyware and firewall software is merging with endpoint operations, data loss prevention and full-disk encryption, he says. Another capability that is commonly offered is network access control, adds Natalie Lambert, an analyst at Forrester Research. These tools control client access to networks based on their compliance with policy, she says.

In some cases, vendors are also merging security with operational functionality, such as patch and configuration management, endpoint provisioning and backup. "The larger vendors will sell security alone, but they're convincing customers that they ought to manage it all as one thing," Oltsik says. It will be a slow uptake, he says. "Right now, the products and technology are two years ahead of where IT organizations are," he says.

Enterprise Antivirus DOs and DON'Ts

DO consider the suite advantage. According to Lambert, the prime AV differentiation is what vendors are bundling into their client security suites. Increasingly, as users face challenges ranging from malicious code to data loss and insecure machines connecting to the corporate network, they want to solve them in a single sweep, not with point products. "Every product you put on the machine will slow it down more, add another console to manage and add another license and something you have to buy," Lambert says. "Why take the hit several times when you can get a less expensive product with more capabilities from one vendor?"


The director of information security at a large manufacturer of packaged foods agrees. He says his company has been able to reduce the number of security products his organization manages as Trend Micro has added features and capabilities, such as client firewall management and spyware removal. Whereas his organization used to have five or six consoles to manage security products, it is now down to two.

Michael Bell, senior network engineer at marketing firm CMS Direct in Minneapolis, values the fact that Sophos includes many layers of security in one package; in fact, he's looking forward to Sophos integrating a client firewall, which is currently offered as a separate module.

DON'T accept poor performance. Antivirus software is renowned for being a resource hog, but some vendors are putting a premium on being performance-oriented. For instance, according to Bell, Sophos uses techniques such as indexing to perform fewer resource-intensive scans.

Robert Amos, manager of infrastructure systems at NuStar Energy, also sees performance improvements over his former system now that he uses Microsoft Forefront. A lot of antivirus products he's used had huge performance issues, he says, but Forefront performs a scan every six hours, and Amos says he's not always aware when it's running.

DO investigate whitelisting. Whitelisting, or application control, is an emerging capability that Lambert says is superior to HIPS because it prevents malware from running on systems rather than monitoring activity. With whitelisting, administrators maintain a list of approved applications for their environment, disallowing non-approved software from running.

The problem with whitelisting, says Oltsik, is that in a Web 2.0 world, people often download new software, whether for their own productivity or their personal use. It may work well in a fixed function, such as order entry or the call center, he says, but if you have people communicating with outside partners, or marketing people doing research, "you'll be forever getting calls from people who are trying to download and can't," he says. "The question is how draconian you want to be in your enforcement," he says.
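The whitelisting (application control) idea above, as an added illustration in Python that is not code from the article or from any vendor it names: the allowlist is keyed on the SHA-256 of a binary's contents rather than its file name, so a renamed download or a tampered copy of an approved program is refused, and an "audit" mode logs rather than blocks, which is one way to soften the enforcement question Oltsik raises. The sample "executables" are constructed byte strings, and the function and mode names are assumptions.

```python
"""Hash-keyed application allowlist (added example; sample binaries are constructed)."""
import hashlib
import logging
from typing import Dict, Tuple

# Constructed stand-ins for executable file contents (not real programs).
APPROVED_BINARIES: Dict[str, bytes] = {
    "order_entry.exe": b"MZ\x90\x00approved-order-entry-build-1.4",
    "mail_client.exe": b"MZ\x90\x00approved-mail-client-build-7",
}
UNKNOWN_DOWNLOAD = b"MZ\x90\x00unknown-download-from-the-web"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Map content hash -> friendly name for every approved binary."""
    return {sha256_hex(blob): name for name, blob in approved.items()}


ALLOWLIST = build_allowlist(APPROVED_BINARIES)


def check_execution(name: str, data: bytes, allowlist: Dict[str, str] = ALLOWLIST,
                    mode: str = "block") -> Tuple[bool, str]:
    """Decide whether a binary may run.

    mode="block": anything not in the allowlist is refused.
    mode="audit": unknown binaries are logged but allowed (assumed policy
    knob, useful while building the list for a non-fixed-function fleet).
    The file name is only used for logging; the decision is hash-based.
    """
    digest = sha256_hex(data)
    if digest in allowlist:
        return True, f"allowed: matches approved '{allowlist[digest]}'"
    if mode == "audit":
        logging.warning("AUDIT: %s (sha256 %s...) is not approved", name, digest[:12])
        return True, "audit: not in allowlist (logged, not blocked)"
    return False, f"blocked: {name} not in allowlist"


if __name__ == "__main__":
    # A renamed download does not inherit the approved name's permission.
    print(check_execution("mail_client.exe", UNKNOWN_DOWNLOAD))
    # A one-byte change to an approved binary changes its hash.
    print(check_execution("order_entry.exe", APPROVED_BINARIES["order_entry.exe"] + b"\x00"))
    print(check_execution("order_entry.exe", APPROVED_BINARIES["order_entry.exe"]))
```

In practice the hash list is maintained centrally and the hook sits in the endpoint agent; the point the snippet makes is that the decision key must be content, not name or path.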

DO research other emerging client security tools. In addition to whitelisting, according to Lambert, there are four additional emerging tools that should be considered in endpoint protection, as they solve more complex threats. These include device control, which lets administrators create policy around acceptable devices that can or can't be accessed by a PC; full-disk encryption, which encrypts the hard drive when the machine is shut down; file encryption, which protects individual files when users save them to a designated location; and data leak prevention, which monitors and enforces data usage policy. Typically, less than 30 percent of organizations have invested in these tools, she says, but security managers should begin to experiment with them.


DON'T give up on HIPS. Although HIPS solutions are still immature and have a high false-positive rate, they should still be paired with antimalware solutions, Lambert says. She sees application control eventually replacing HIPS but says it will still be useful in protecting machines against problems like buffer overflows.

At CMS Direct, Bell is happy that Sophos offers HIPS capabilities as part of its scanning engine. He uses it to block downloads of potentially unwanted applications, such as adware. Instead of the system automatically blocking applications that act suspiciously, he says, you can choose to be alerted and then use the centralized policy management capability to either authorize the use of the flagged applications or block them.

DO consider reputation services. As part of its work to displace other tools in its environment with the capabilities offered by Trend Micro, the packaged food company is testing the vendor's reputation services capabilities to see if it can replace its current URL filtering tool. Reputation services work by checking every Web address that users attempt to visit and blocking access to those found in a list of known malicious sites.
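The URL check that a reputation service performs, as an added Python example that is not code from the article or from Trend Micro: the host is normalized (lowercased, port and credentials stripped, trailing dot removed) before lookup, and a listed domain also covers its subdomains, while a host that merely starts with a listed name is not matched. The blocklist entries are constructed placeholder names, not real indicators.

```python
"""Blocklist lookup with host normalization (added example; blocklist is constructed)."""
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed placeholder domains standing in for a reputation feed.
BLOCKLIST: Set[str] = {"malware-example.test", "phish.example.net"}


def extract_host(url: str) -> Optional[str]:
    """Return the normalized host of a URL, or None if it has none."""
    if "://" not in url:            # bare "host/path" entered in the address bar
        url = "http://" + url
    host = urlsplit(url).hostname   # lowercased; port and user:pass removed
    if not host:
        return None
    return host.rstrip(".")         # "example.net." is the same as "example.net"


def is_blocked(url: str, blocklist: Set[str] = BLOCKLIST) -> bool:
    """True if the URL's host, or any parent domain of it, is listed.

    Unparseable URLs are treated as blocked (fail closed) on the assumption
    that a filter should not wave through input it cannot evaluate.
    """
    host = extract_host(url)
    if host is None:
        return True
    labels = host.split(".")
    # Walk the suffixes: a.b.example.net -> b.example.net -> example.net -> net
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


if __name__ == "__main__":
    for u in ["http://MALWARE-EXAMPLE.test:8080/login",
              "https://cdn.phish.example.net./img.png",
              "https://malware-example.test.example.org/",
              "https://www.example.org/"]:
        print(f"{'BLOCK' if is_blocked(u) else 'allow':5} {u}")
```

The suffix walk is what makes `cdn.phish.example.net` match the `phish.example.net` entry, and the normalization is what stops trivial evasions such as mixed case or a trailing dot from bypassing the list.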

DO value ease-of-use. No one has extra resources to apply to security, which makes ease-of-use an important issue. That means vendors are paying more attention to dashboards and easier reporting, management and deployment.

Bell is impressed with his product's central management and at-a-glance dashboard, as he can quickly see when clients are out of compliance. Bell says he didn't use the dashboard feature of his former software because it was not easy to understand; clients would sometimes report that their upgrades were 30 days out of date. "Within five minutes, you can see that everyone is updated," he says.

Similarly, the director at the food manufacturer says advanced reporting modules have eased the job of reporting to senior managers on network protection. Previously, reporting required manual compilation of multiple reports. Today, reporting is automated and posted to the intranet.

DO consider multiple scanning engines. No scanning engine is perfect, which is why some vendors (for example, Microsoft and Symantec) are starting to use multiple scanning engines to increase the chances of catching malware. "Different engines have different blind spots," says Dan Blum, an analyst with the Burton Group.

With Forefront's multiple scanning engines, it's like choosing two different companies for their scanning abilities and putting both on one machine, says Amos. "If one is a little bit weaker at detecting malware than the other, you get double protection," he says. He plans to roll out four different agents for scanning.


DO consider software as a service. As in other product areas, many vendors are delivering some antivirus capabilities as a service, such as antimalware, reputation services, signature updating and reporting. This can be more cost-effective, and although larger enterprises may keep most capabilities in-house, according to Blum, users might adopt a hybrid model in which they use on-premises systems for the centralized workforce, but SaaS for users in outlying offices.

In some cases, vendors are using a hybrid software and services model to offer additional or beefed-up capabilities, such as multiple scanning engines or a reputation database. "It's a way to provide something much greater than what you can cram on a single CD," Blum says.

DO have a zero-day attack strategy. A major weakness with today's systems is protection against zero-day attacks. "There's a pretty high failure rate, as high as 50 percent, when a typical package is faced with a new type of malware it hasn't seen before," Blum says.

The packaged food company offsets the problem through a desktop lockdown strategy. Working on the premise that most malware operates by trying to write to the registry, the system folder or the root of the drive, the company has configured its desktops to prohibit that behavior.
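The lockdown policy just described, modelled as an added Python example that is not the food company's configuration and not vendor code: a write is refused when its normalized target is in the root of the drive, under the system folder, or under a startup-related registry key. Paths are normalized first so that `..` segments, forward slashes and mixed case are judged on the resolved location, and a path that merely begins with a protected name (such as `C:\Windows.old`) is not confused with the protected folder. The protected folder and registry key lists are assumptions for the example; real enforcement would be done with file-system ACLs and Group Policy rather than in a script.

```python
"""Desktop write-lockdown policy check (added example; protected lists are assumed)."""
import ntpath
from typing import List

# Assumed protected locations, standing in for the article's "system folder" and "registry".
PROTECTED_DIRS: List[str] = [r"C:\Windows"]
PROTECTED_REG_PREFIXES: List[str] = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]


def normalize_path(path: str) -> str:
    """Resolve '..' and '.', unify separators and case (Windows semantics on any OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def file_write_allowed(path: str) -> bool:
    """False if the resolved path is in the drive root or under a protected folder."""
    norm = normalize_path(path)
    drive, _ = ntpath.splitdrive(norm)
    if not drive:
        return False                        # relative path: cannot judge, fail closed
    if ntpath.dirname(norm) == drive + "\\":
        return False                        # file directly in the root of the drive
    for protected in PROTECTED_DIRS:
        nd = normalize_path(protected)
        if norm == nd or norm.startswith(nd + "\\"):
            return False                    # inside the system folder (any depth)
    return True


def registry_write_allowed(key: str) -> bool:
    """False if the key is, or lies under, a protected startup key."""
    norm = key.replace("/", "\\").rstrip("\\").lower()
    for prefix in PROTECTED_REG_PREFIXES:
        p = prefix.lower()
        if norm == p or norm.startswith(p + "\\"):
            return False
    return True


if __name__ == "__main__":
    for target in [r"C:\Users\..\Windows\dropper.dll", "C:/Windows/System32/x.sys",
                   r"C:\autorun.inf", r"C:\Users\bob\Documents\report.docx",
                   r"C:\Windows.old\notes.txt"]:
        print(f"{'deny ' if not file_write_allowed(target) else 'allow'} {target}")
    print(registry_write_allowed(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"))
```

The `..` case is the one worth noting: a policy that compared the raw string `C:\Users\..\Windows\dropper.dll` against `C:\Windows` would let the write through, which is why the normalization step comes before any comparison.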

DON'T forget malware removal capability. It's one thing to detect a virus and quite another to clean up the damage. A big reason Bell chose Sophos is that in the years he was using other systems, such as Trend Micro, McAfee and Symantec, he always noticed that Sophos offered removal tools before other vendors did. In fact, after being infected twice in the last couple of years by a virus that caused his company's PCs to send spam, he used tools from Sophos to remove it. "That protection became a big deciding factor for our company to switch over," he says. The system he was using at the time didn't recognize the virus, he says.

Similarly, Amos says Forefront's cleanup and removal capabilities are superior to his former system's. "It would notify us but was unable to clean it because what was infected was an open file or a system file that it couldn't act on," he says. It required the desktop group to boot the machine in safe mode and manually remove entries in the registry or delete files. With Forefront, that work is unnecessary, reducing labor by one headcount in the desktop group, he says.

DO consider costs carefully. With ever-expanding security needs on the desktop, users are seeking ways to reduce costs. According to Lambert, a best-of-breed client security tool such as antimalware has an average list price per PC of $40 (and up to $80 for other tools such as full-disk encryption).

One way to keep costs down is to get as much coverage as possible with one system. The food company, for instance, has reduced its total cost of ownership by reducing the number of security consoles it needs to manage.


Amos is enjoying cost savings of $35,000 per year by using Forefront, mainly because of a change in Microsoft's licensing policy. His company had been using Forefront to protect SharePoint and Exchange, but he didn't even consider this software when he was researching new antivirus software for the PC environment. This was mainly because the PC and server environments were administered through separate infrastructures. His top reason for seeking a new antivirus vendor was to reduce the cost per machine. Any new product, however, would have required a complete redesign of how the current infrastructure collected signatures and did reporting, mainly because the company has a very distributed environment: 100 locations outside of corporate headquarters.

It happened to come up in conversation that as part of its enterprise licensing agreement, the company could use Forefront for its workstations, with no additional charge. Now, Amos uses one standardized tool to protect, monitor and report across all systems. "We have a small staff, with one person wearing multiple hats, so the more there is in one single application for them to become familiar with, the better use of that resource," he says. Forefront is also integrated with Active Directory, which enables easy distribution to new machines, he says.

Burton Group's Enterprise Antivirus Selection Criteria

Enterprise AV selection considerations, according to Burton Group analyst Dan Blum:

- Price. Inquire about annual subscription costs and additional charges for antispyware, cleaning, host intrusion protection system capabilities, etc. Ask whether suite pricing is flexible if you don't require every module.

- Scanning engine. Are there multiple agents for antivirus, antispyware, application control, etc.? If so, do they cause management or performance inefficiencies?

- Behavior-blocking functionality. Does the system monitor system calls to prevent vulnerability exploitation attempts?

- System firewall. Does it provide blacklists and whitelists for addresses and domains?

- Application control (whitelisting). Does it provide up-to-date and customizable whitelists and blacklists? A learning engine?

- Cleaning/remediation. Does it provide virus, spyware and difficult rootkit cleaning?

- Client updates. How large and frequent are signature and other updates? This can range from one per day to multiple updates per day.