Unless you’ve been living in a cave for the past year or run a Mac, you’ve probably encountered one or more of the viruses and worms that have plagued corporate networks around the world. If you haven’t been infected, you’ve at least received a few zillion e-mails carrying some variant of SoBig or Klez or Gibe or Swen or any of many hundreds of other unfriendly chunks of code released by low-lifes worldwide.
These vandals, whose “products” take down networks, steal passwords, surreptitiously install backdoors so their authors can later grab control of the computer for nefarious purposes, or simply destroy data and even entire computers, have spawned a growing industry: anti-virus products.
With almost 115,000 incidents reported this year to Carnegie Mellon’s CERT Co-ordination Centre, a clearing-house for virus and security vulnerability reporting and expertise, compared to just about 82,000 in all of last year, it’s painfully evident the bad guys are pulling ahead, especially considering that an “incident” can involve hundreds or thousands of computers, and can span an extended period.
Cleaning up the mess costs a bundle in lost time, productivity and repair of physical and logical damage. The estimated cost of the SoBig-F variant that attacked in August was about $US1 billion, and its worst consequences were actually forestalled by quick action by governments and anti-virus vendors in finding and shutting down its update servers.
This means an anti-virus program is no longer an option as part of a computer’s software image.
These programs come in multiple flavours, ranging from standalone clients for small businesses to corporate-friendly systems that make sure the program’s detection is up-to-date and it’s always running.
Obviously, we did not have any viruses to test on. For detection and removal information, we relied on several third-party testing agencies who routinely evaluate and grade the effectiveness of anti-virus products.
But if the system’s virus protection burdens it so much you can’t use the computer, it’s not a good solution, so we also had a look at how the system ran while each product was active. For system performance stats, we ran Futuremark’s PCMark2002.
Testing was conducted on a modest 733 MHz Pentium III with 256 MB RAM running Windows XP Professional. It’s easy to produce software that runs like a maniac on a powerful system: We wanted to see how the folks in the trenches with less-than-state-of-the-art computers would fare.
Trend Micro OfficeScan 2004
As you can no doubt tell from its name, OfficeScan is the corporate offering from Trend Micro’s anti-virus arsenal.
OfficeScan comes in three pieces. The first lives on a server and manages deployment and updating of its client software centrally.
OfficeScan client software is shoved out to the desktops, configured according to administrator preferences. A Web-based reporting system keeps an eye on the network, and serves as a command post for the control of outbreaks. From the console, an administrator can slap restrictions on network use to prevent virus spread.
Network Associates (McAfee) VirusScan 8
In a corporate environment, VirusScan’s management component, ePolicy Orchestrator (ePO), watches over the network, pushing software and signature updates to desktops automatically and even re-enabling the anti-virus protection if a user shuts it off for some reason. It just needs to install the ePO agent — a two-minute task — and the agent will install the desktop software.
Administrators can control the product at a granular level, configuring what is scanned and when. A plug-in for Outlook supplements the desktop and e-mail server scanning capabilities of the enterprise suite, though it does slow down the passage of e-mail, sometimes to unacceptable levels.
Symantec Norton Anti-Virus 2004
Norton Anti-Virus had the second smallest effect on the computer’s performance. Like McAfee, it looks for adware and spyware as well as viruses in files from any source.
Automatic updates are enabled by default, and occur regardless of activation status. The program is configured to scan all files, and cleans infections without pestering the user for input.
At the enterprise level, the product is known as Symantec AntiVirus, and has a central console that keeps a sharp eye on the state of the enterprise’s virus protection.
It can monitor and enforce policies across multiple platforms, identifying nodes protected by its own clients, or by CA, McAfee, Panda, Sophos or Trend Micro.
Sophos is licensed for a fixed period — the expiry date is even printed on the licence sticker along with the activation code. The enterprise product uses its server for all of the heavy lifting — it customizes and installs the program, and checks every hour for updates to distribute (this is configurable, if that’s too busy for your network).
If you manually install the desktop program, its reliance on the server becomes evident — it doesn’t update to the latest version during installation as the other products do, and its default configuration doesn’t clean infected files.
The package comes with ample documentation, including a very nice guide to viruses that explains concepts and precautions in end-user-friendly language.
The program had the largest effect on the computer’s performance, gobbling almost seven per cent of CPU capacity.
Computer Associates eTrust Anti-Virus
eTrust comes with all pieces on its CD — the desktop client, network components, administration client — the works. It’s also unique in that it contains not one, but two virus-detection engines. Users (or administrators) can choose which one to use at any given time, perhaps alternating for maximum effect.
By default, options are configured to scan all files — an excellent idea, since virus authors keep finding ways to infect more and more file types — and the program blocks a list of particularly vulnerable file types. Heuristics (smarts that help the program detect unknown viruses) are off by default. For some reason, though, if an infected file can’t be fixed, it’s restored to its proper location. That doesn’t make much sense. Infected files should be segregated or removed. The server scanning component can be configured to remove files.
The administration console looks like most Windows 2000 snap-ins — a two-paned Explorer-like window — and gives the administrator good control over the desktop software. It can specify when and how the clients are updated, and what and when systems will be automatically scanned.
Any client can be configured to serve updates to other machines on the network to keep Internet traffic to a minimum.
When Panda installs, its namesake’s furry face appears in the system tray as a reminder the beast is protecting you. I was somewhat startled when I opened the program itself and a little voice welcomed me. Talking software can be a tad distracting.
The enterprise administrator installs an agent only; users have no interaction with the anti-virus software.
Within the desktop application, the default configuration only scans specific extensions. Signature updates are daily, and may be obtained from multiple sources: the Internet, or a server on the corporate LAN, or even from a floppy disk.
Although the marketing material talks about telephone support, I was unable to find a phone number on the Web site; perhaps this is provided privately to customers.