How to Evaluate, Compare and Implement Enterprise Antivirus

Performance counts, but CISOs and analysts say it's not by any means the only point for comparison

Antivirus software has been around, well, nearly as long as viruses. But thanks to the ever-growing variety of threats to the PC environment, this is a fast-changing market that is undergoing two major trends:

1. Movement beyond signature-based protection. Malware is constantly growing and mutating, making it impossible for vendors to identify and protect against individual threats using signatures. Consider that in the spring, Symantec announced it had detected nearly 1.7 million malicious code threats since it began tracking them in 2007, representing a 265 percent growth in malicious code signatures.

In addition to signatures, vendors now use additional techniques, such as application control (also called whitelisting), which allows only approved code to run; and host intrusion protection systems (HIPS), also called heuristics, which monitor code behavior. If behavior deviates from "normal," HIPS deems it suspicious or malicious and prevents it from running. HIPS works in pre-execution mode, runtime mode or both.
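To make the three approaches concrete, here is a small added example (not code from the article or from any vendor named in it) that evaluates constructed sample "executables" through a signature blocklist, an application-control allowlist, and a HIPS-style check in both pre-execution and runtime modes. Every sample, hash, suspicious string and runtime baseline is constructed for the illustration; the point is to show which layer catches which sample and why a signature-only engine misses the unknown ones.

```python
"""Toy endpoint-protection decision engine: signatures, allowlisting and
HIPS-style heuristics (pre-execution and runtime). All data is constructed."""
import hashlib

# Constructed samples: name -> (file bytes, runtime events the program would generate)
SAMPLES = {
    "payroll.exe": (b"MZ... approved payroll application",
                    ["open_file", "read_file", "net_connect:payroll.internal"]),
    "notepad.exe": (b"MZ... approved text editor",
                    ["open_file", "write_file"]),
    "dropper.exe": (b"MZ... previously analysed malware",
                    ["write_file", "create_process", "net_connect:198.51.100.7"]),
    "unknown.exe": (b"MZ... unseen tool importing CreateRemoteThread",
                    ["open_process", "write_process_memory", "create_remote_thread"]),
    "updater.exe": (b"MZ... unseen self-updater, nothing suspicious statically",
                    ["read_file", "create_process", "net_connect:updates.internal"]),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature list: hashes of known-bad files (constructed from the dropper sample).
SIGNATURES = {sha256(SAMPLES["dropper.exe"][0])}
# Application-control allowlist: hashes of builds the organisation approved.
ALLOWLIST = {sha256(SAMPLES["payroll.exe"][0]), sha256(SAMPLES["notepad.exe"][0])}
# Pre-execution heuristic: API names whose presence in an unapproved binary is suspicious.
SUSPICIOUS_STRINGS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]
# Runtime baseline: event types ordinary desktop software exhibits; anything else deviates.
NORMAL_EVENTS = {"open_file", "read_file", "write_file", "net_connect"}


def preexec_heuristic(data: bytes) -> list:
    """Static (pre-execution) check: which suspicious strings does the file contain?"""
    return [s.decode() for s in SUSPICIOUS_STRINGS if s in data]


def runtime_heuristic(events: list) -> list:
    """Runtime check: which observed events fall outside the 'normal' baseline?"""
    return [e for e in events if e.split(":")[0] not in NORMAL_EVENTS]


def signature_only(name: str) -> str:
    """Verdict of a pure signature engine, for comparison."""
    return "block" if sha256(SAMPLES[name][0]) in SIGNATURES else "allow"


def evaluate(name: str):
    """Layered verdict: returns (verdict, layer that decided it)."""
    data, events = SAMPLES[name]
    digest = sha256(data)
    if digest in SIGNATURES:                       # 1. known bad: cheapest check first
        return "block", "signature"
    if digest not in ALLOWLIST:                    # 2. unapproved code gets static scrutiny
        if preexec_heuristic(data):
            return "block", "hips-preexec"
    # 3. approved or statically clean code may start; runtime HIPS keeps watching
    if runtime_heuristic(events):
        return "block", "hips-runtime"
    return "allow", "allowlist" if digest in ALLOWLIST else "heuristics-clean"


if __name__ == "__main__":
    print(f"{'sample':12} {'signature-only':15} layered")
    for sample in SAMPLES:
        verdict, layer = evaluate(sample)
        print(f"{sample:12} {signature_only(sample):15} {verdict} ({layer})")
```

Run it and the table shows the signature engine blocking only dropper.exe, while the layered engine blocks unknown.exe before it runs (pre-execution heuristic) and terminates updater.exe when its behaviour leaves the baseline (runtime heuristic); the two allowlisted programs run normally. The order of checks matters in practice too: hash lookups are cheap, static heuristics cost more, and runtime monitoring is the most expensive and the most prone to false positives, which is why real products tune the "normal" baseline per environment.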

2. Expanded functionality. Many of the large antivirus software vendors have expanded their stand-alone tools into suites that not only guard against malware but protect against hackers and data loss.

"The general trend is that security software on the endpoint is getting fatter and more fully functional," says John Oltsik, an analyst with Enterprise Strategy Group (ESG). Specifically, antivirus, antispyware and firewall software is merging with endpoint operations, data loss prevention and full-disk encryption, he says. Another capability that is commonly offered is network access control, adds Natalie Lambert, an analyst at Forrester Research. These tools control client access to networks based on their compliance with policy, she says.

In some cases, vendors are also merging security with operational functionality, such as patch and configuration management, endpoint provisioning and backup. "The larger vendors will sell security alone, but they're convincing customers that they ought to manage it all as one thing," Oltsik says. It will be a slow uptake, he says. "Right now, the products and technology are two years ahead of where IT organizations are," he says.

Enterprise Antivirus DOs and DON'Ts

DO consider the suite advantage. According to Lambert, the prime AV differentiation is what vendors are bundling into their client security suites. Increasingly, as users face challenges ranging from malicious code to data loss and insecure machines connecting to the corporate network, they want to solve them in a single sweep, not with point products. "Every product you put on the machine will slow it down more, add another console to manage and add another license and something you have to buy," Lambert says. "Why take the hit several times when you can get a less expensive product with more capabilities from one vendor?"
