OT: Corporate Anti-Virus

[Wulf2k]

Anybody have experience with AV for 150+ PCs?

We're probably replacing Symantec around here (because it doesn't catch a damned thing before it gets a chance to run. Also, it's poopy.) and I was wondering if anybody had suggestions for any of the other offerings out there.

Remote administration/deployment is obviously a super-duper plus. Any sort of non-biased comparison would be handy too. Trying to do searches just results in marketing propaganda from everybody involved.

I'm leaning towards Trend at the moment.

 

[Kat]

I am not at all familiar with requirements for corporate AV setups and all that, but I have been using Avast Anti-Virus for a few years now and have been very pleased. It automatically updates without any system lag whatsoever, gives warnings when a virus is detected and allows you to abort the connection before harm can be done.

There is a free version for the average user and also a professional version. I'm not sure if it will meet your needs, but its definitely worth checking out.

 

[Scuzzlebutt]

I work for a fairly large national corp that uses trend. Along with bluecoat/websense it keeps roughly 30,000 remote employees from frackin up any of theirs or the central core systems.

 

[Skylark SP]

I've been keeping an eye on Sunbelt Software's Vipre Enterprise Antivirus. They finally got the VB100 endorsement, although they don't have ICSA or other major independent lab cert as far as I know.

I am considering recommending that my office leave Symantec Endpoint Security (we are nearing renewal time), and switch to Vipre Enterprise. I have had a love-hate relationship with Symantec products (the migration process from version 10 to 11 on our small corporate network was a nightmare and racked up many hate points ) but overall, when they behave, my experience is that their software products do a very good job at what they are supposed to do. However, even with Sunbelt's competitive 50% discount to entice new business, Symantec can undercut them both on per seat licensing cost, and support. I am having trouble making a decision. :-/

-Skylark

 

[CroakerTnT]

Our university uses AVG anti virus. No idea how well it works, but you might check it out.

 

[Wulf2k]

Scuzz, how are Trend's remote installation / monitoring features? Are you a user or administrator of the system? Have you used enterprise Symantec to give a bit of a comparison?

Skylark, are there any features in particular that Vipre has that the others don't? What makes it the one you want to go to, even with the higher price?

Thanks for the suggestions.

 

[Scuzzlebutt]

Im in middle management, I don't have anything to do with the admin. I really cant offer any technical advice other than if it can keep our systems safe from the average moron this company hires then it must be pretty decent.

 

[Skylark SP]

Skylark, are there any features in particular that Vipre has that the others don't? What makes it the one you want to go to, even with the higher price?

One of the most attractive features is that it is lighter on system resources, and full system scans require substantially less time to complete than the comparable Symantec products. The premium enterprise edition has some very fine level admin controls and configuration options.

If I don't have to sacrifice detection thoroughness to get better performance, that is a big deal, particularly since we have workstations that while performing adequately with Symantec products on WinXP, probably will not perform adequately with Windows 7 with the same workstation hardware, and we are incurring some heavy expenditures this year in upgrading our domain to SBS 2008 along with new server hardware, so that means new workstation hardware has to wait. While we can continue to run WinXP clients under 2008, doing so means we don't get to take advantage of some of the new OS features.

I have not yet installed Vipre Enterprise on a test 2008 domain, but I am hoping I can get around to that soon.

-Skylark

 

[Wulf2k]

I'm looking into Vipre, and if they deliver on their marketing-speak it looks like a pretty decent option.

Thanks for the tip, I'd never heard of it before.

 

[Skylark SP]

I'm looking into Vipre, and if they deliver on their marketing-speak it looks like a pretty decent option.

Thanks for the tip, I'd never heard of it before.

Welcome!

I'm not surprised that you haven't heard of it. It hasn't seemed to have made much stir from a marketing standpoint, although it has popped up in trade journals more lately. I've been keeping track of them since they came out of the beta release in 2008. After it went to production release, I didn't feel it was "all there", but now with the VB100 endorsement, and the new edition that combines all of the endpoint security options in one (offered a la carte when I checked in the past, pricing got confusing) I think they are finally "there" for corporate environments. As you say, if they deliver on their marketing points, it might be a good way for smaller environments to break out of the Symantec compound.

-Skylark

 

[Skylark SP]

I finally made a decision and recommended that our office switch from Symantec to Vipre Enterprise Premium. They are offering a substantial additional discount if we purchase a 3 year plan up front (works out to around $11 per seat annually), but being a new product for us, I think it might be better to go with just a year subscription initially. We'd miss out on the discount for subsequent 2 years if it performs to expectations and we decide to renew, but then at least we aren't faced with tossing away 2 years of prepaid service if we decide to abandon it.

-Skylark

 

[Wulf2k]

Does that mean you got around to installing it on a test domain and visited www.kelmogonewild.com for a thorough viral test?

Or just trusting the marketing on this one?

 

[kelmo]

*chuckles*

 

[Skylark SP]

Does that mean you got around to installing it on a test domain and visited www.kelmogonewild.com for a thorough viral test?

Or just trusting the marketing on this one?

First of all, no anti-malware system on the planet can repel computer destroying potential of that magnitude.

My seriously outdated 2000/2003 test network at my office simply could not handle the Windows 2008/Exchange 2010 environment I attempted to set up, to get an idea how it would work in our production environment. (It was already a stretch using it for 2003, and it would be amusing how long it takes the 2008 DC to boot and load screens, if I weren't actually trying to obtain useful info from the testing. The only system I have with 64-bit capable processor on hand to function as the DC is an aging workstation and it just can't handle it.) Therefore for the purposes of recommendation, I am taking a leap of faith based on their VB100 rating, and possibly smashing my ancient test DC with a hammer.

I ordered a new bare bones server box for my home test lab last week, that meets the minimum system requirements for SBS 2008, which should be arriving in a couple of weeks. I'll be setting it up with eval version of SBS 2008, and Vipre and seeing how it performs with a standardized virus test file, so I will at least get to see some results first hand.

-Skylark

 

[Wulf2k]

Well, I've got a test system set up for VIPRE.

I really want to like it, but I'm hesitant in the first hour of trying it out. I tried to deploy to a machine last night right before the end of the day, and nothing happened on the workstation, with no indication that anything was even trying. After 5 minutes of nothing happening, I turned it off and left for the day. Seemed to work fine after coming back and trying this morning.

The deep scan I'm performing has been at 100% completed for 20 minutes, and is still scanning. I do however want to roll this out, if for no other reason than to tell people that they have to watch the animation of files going through the X-ray machine, then call me immediately if they see anything inside of one.

I'm noticing minor delays in the machine while the scan is going. Not as bad as some other scanners, but not as good as others too.

Maybe I just need caffeine.

Edit: Oh, and apparently it won't deploy to SP2 machines.

Re-Edit: 93 minutes and counting, 73 of those minutes occurring after it said it was 100% complete....

Re-Re-edit: 1 hour, 41 minute total scan time. Found 6 false positives in UBCD.

Also, it doesn't stop the eicar test file from running, though it does detect it in a scan. I'd be fine with it not caring about the test file in general, but the fact that it detects it but won't stop it from running concerns me.

 

[BellaBella]

As Kat said, id go with Avast. Ive been using it for like 4 years now. Never had 1 problem. Theres a free version and full version. Ive used the free one for like first 3 years, and decieded to go full and pay the money.

 

[Skylark SP]

Wulf,

That is discouraging by way of first impressions. Have you contacted their support yet about any of your findings? Just in browsing their user community forum, their development team seems pretty responsive, even for trial installations. I didn't find any specific mention of issues deploying to Windows XP SP2 machines, but there were a couple of threads in which opening a few specified TCP ports for bi-directional communication between agent/server were suggested (I know I had to do that to get Symantec clients to report properly to, and be managed by the central management server), as well as instructions for how to use MSI package deployment for NON domain situations. In your case though, with a domain, the deployment tool shouldn't be offered if it doesn't work, particularly when they indicate Windows XP SP2 clients are fully supported, so that would definitely be something to get to the bottom of prior to committing to purchase.

I found some mentions on other sites with user reviews regarding the EICAR file, and there is a discussion thread on the Vipre support forum, which does go into some detail on it. They also have a thread for reporting false positives.

I could find no results for issues related to the scan animation continuing to run, and the elapsed time increment, long after the scan showed as completed.

Thanks for sharing these details. I am hoping my new server hardware comes soon so I can get a test environment set up as well. Let me know what else you find in your testing process.

-Skylark

 

[Wulf2k]

Well, I ended up liking VIPRE more than my first impressions would have suggested.

So far I've got it narrowed down to either VIPRE or Kaspersky. I like the 'idea' of VIPRE more, but there are definitely some rough edges. Deploying the Symantec removal tool crashes the client machine. Which probably needed a reboot anyway, but it's just not pretty....

Kaspersky looks like it can do more, but it's not presented as nicely as VIPRE.

I think the deciding factor will be my www.kelmogonewild.com test. I'm gonna put a PC on the DMZ and download as much malware as I can, then see which AV lets less through.

 

[Skylark SP]

Thanks for the update. I had considered Kaspersky as well - seems like it has always had complaints regarding its UI, but I've never seen anything but good reviews on its performance at malware defense.

On my end, I got the budget/purchase approval on Vipre, but I still haven't got around to testing it.

Also, that cartoon is great.

-Skylark

 

[Wulf2k]

I must say, I'm very disappointed in the malware writers out there.

Less than 25% of the actual malware I'm coming across is programmed well enough to even try to exploit my unpatched IE6. Between the javascript errors, the poorly programmed flash that fails to link to an exe, and the dead domains, I've only been able to find five things that reached VIPRE. It's blocked all 5 so far.

Maybe I need to upgrade to IE7 to maintain malware infection-vector compatibility.

 

[Wulf2k]

Final tally, VIPRE blocked:

2 PDF exploits
4 generic!BT trojans
1 bofexploit
1 generic expliot pak!cobra
and 1 js redirector

Rebooted the machine, did my various manual checks, looks like it's running clean, no malware got through. Now to re-image and check with Kaspersky.

 

[Critical Gaming]

I've been seeing tons of "fake-ware" infested machines. Malware programs like "Internet Security 2010". Literally 75% of my work at the repair shop is cleaning those up.

They've been getting smart to my renamed process explorer "iexplore.exe" though. Some have been deleting registry trees that direct you to safe mode. You just get a reboot.

God I can't wait to upgrade jobs

Do you get a lot of those?

 

[Skylark SP]

"Scareware" is definitely a problem now, and lately has comprised a lot of my malware removal activities, along with phishing spam. No matter how much you try to tell users not to click on links, sometimes they do, and also sometimes the way those pop-up boxes fly around, it is very easy to do by accident. So annoying that we have to deal with this sort of thing!

-Skylark

 

[Wulf2k]

I see a non-ignorable amount of the fake antivirus crapware. It's usually pretty simple to remove if you think outside the box a little, but you're right that they're closing more and more 'holes' each time. Symantec usually only detects them after they're manually disabled, it never seems to stop them in the first place.

If you can't remove it manually in five minutes though, a better use of your time will be to just pull the drive, slave it to another machine, and run a scan from there with MBAM.

I'll remove them manually, directly on the infected machine just for the challenge of it, and to figure out exactly what it does. Usually I still don't trust the machine afterwards. If it was 75% of my job though, I'd just set up a few trusted machines with autorun off, get a few IDE -> USB converters, and browse Stratics while 75% of my job is doing itself. Things are so much simpler when you take control away from the malware.

 

[Skylark SP]

get a few IDE -> USB converters

~$25 USD spent for this made life a lot easier for me!

I CablesToGo.com

-Skylark

 

[Critical Gaming]

Yeah, I have 3 of those at work, lol. MBAM, CA Antivirus, and SpyHunter3 work pretty well.

Have you ever heard of ComboFix? Its a nifty little DOS script you use in SAFE MODE that installs the recovery console and adds an entry into boot.ini for it, then kills all processes and runs through your drive deleting anything deemed malware, this includes entire directory structures that most malware programs don't delete, as well as any registry entries that are related. It's self-updating too, and usually takes between 10-20 minutes to run.

Basically I'll do enough work to get the thing to boot in safe-mode, then run combofix. I trust the machine 99% after running it.

 

[Skylark SP]

Well, we purchased licenses for Vipre Enterprise for all computers in our company, although we have another month left in our existing software subscription.

I am running through more detailed deployment testing on my lab network. So far, as long as I use Active Directory to deploy, it seems to work fine.

The biggest obstacle I have faced so far is the "readying your environment" part. It is time consuming to make the role based policies (example for Domain Controllers, Email servers, etc.) and adding all the recommended exceptions per the Microsoft KB articles.

I ended up creating a Group Policy linked to the domain for the firewall port exceptions Vipre needs to communicate with agents. What isn't clear is whether or not Vipre's own firewall settings have them excluded by default. In the documentation it specifically says for the Enterprise Premium version, a firewall template is included with the ports automatically configured as open. However, I see no such templates in the "available templates" when I am configuring policies.

I am keeping my deployment scenarios confined to the lab for now.

-Skylark