Virus Prevention in the Small/Medium Business?

Morti asks: "I've been asked to select a virus scanner to be installed on the network at work. It's only a small office with six Windows XP PCs, two Linux servers and any number of Windows XP laptops that random people bring in. And I'm wondering, not just in this case but generally, what is the virus scanning / Internet security solution of choice for the small business these days? Costs need to be kept at a minimum, particularly because this business is a registered charity (a church, no less). We used to have Norton Internet Security but I'm not really keen to keep it. Besides Linux (which I've been pushing but nobody's interested), what is the most cost-effective and generally 'best' virus prevention and Internet security solution for the small/medium business?"

Re:AVG free

[arkanes]

*NOT* free for commercial use. This is important.

Re:Lots of ways

[nocomment]

oops, forgot to check "Plain old text"

here it is again with line breaks that make sense.

----

You could install an active scanner, like mcaffee or norton, on all of the machines, though this can become a headache with the machines not updating often enough. This should be done anyway.

You could also use passive scanners that are stand-alone apps that you click on and run periodically to clean viruses. This is typically the cheapest, and also by far the least reliable as it requires users to do it every once in awhile (assuming of course that you don't ant to run around to all the machines yoruself).

You could also use clamav to filter just about anywhere. Squid has a plug-in for monitoring web-traffic, amavisd-new uses it for mail filtering, and Samba can use it for scanning incoming files on file shares (this catches a lot of viruses that try to copy themselves to available shares, ie Klez).

Re:One word:

[saintp]

Oy! I understand that /.ers might not always RTFA, but can't you at least read the goddamn summary? It's a friggin' paragraph, it's not like you need to be in Mensa to understand it.

not sure what you want

[j-turkey]

Remember that there are many different types of antivirus solutions out there. I assume that you're looking for a basic desktop virus scanner. I've heard all kinds of great things about AVG, which is supposedly free, but have no experience with it. If they are ever planning on growing their network/userbase, a managed AV client/server is the way to go. Otherwise, you have to worry about different configurations and whether or not systems are being regularly updated with the latest definitions.

If you're looking for something on the mail gateway side, I would highly recommend looking into ClamAV. The price is certainly right (free/free). Supposedly, ClamAV gets definitions for the latest and greatest viruses before commercial vendors are able to...although I have no evidence to back this claim up. The main selling points for me are first, that works. Second, it's free - there are no per-seat license fees. Third, there are no subscription models to deal with.

I'll close with a short on-topic rant. I can't stand antivirus subscriptions. Having to track, budget for, and renew subscriptions is a huge PITA. It's not a service - it's software. I'm sort of bummed that so many people have accepted this subscription BS, enabling the vendors to keep pulling it.

Re:Of course no one's interested in Linux...

[Wylfing]

Funny, yes, but also a little insightful in a backhanded way. (Is that even a compliment anymore?) As someone who has been near to various charity/nonprofit organizations, it always saddens me to see them squander their donors' money on Windows and Office licenses.

I'll get on a slight rant: I've said as much to nonprofits as well as my city government. Why do you need to buy Windows and Office? Oh, they say, we need to remain compatible with everyone else. OK, I reply, what kinds of document exchange do you do? Well, they say, looking at each other, we print things out on letterhead.

So yeah, squandering is what you're doing.

Firewall, firewall, firewall

[bjprice]

Your primary danger is the laptop users. A laptop will get infected at home, the luser will bring it in and jack into your network, and the infected laptop will infect all the other windows hosts if you haven't been regularly patching them, or at least some other laptops (which were out of the office when you applied the latest patch)...

Ideally make windows clients perform a virus definitions update and then a virus scan as part of your Windows domain logon script. Make them install any outstanding Microsoft patches on logon too. Anything not on the domain doesn't get access to anything.

Keep laptops on an entirely separate subnet from your permanently resident machines and firewall all traffic between the two, whitelisting only the ports/protocols you absolutely need.

Then it goes without saying that you need active firewalling on the main internet gateway/router, email scanning/cleansing software on the mail server, and anti-spyware, anti-virus and maybe personal firewall software on each individual machine, as a start. Block dangerous filetypes at the web proxy. Disable any and all unnecessary Windows services, and don't let your users run with as administrators. Disable IE (don't just remove the icon - actually block it at the firewall) and Outlook (Express), install Firefox and Thunderbird or similar and keep them fully patched too.

All of the above won't guarantee the safety of your network, but it'll help. Remember that your lusers will actively attempt to circumvent all of your security policies however they can, and that they're all pathological liars.

As for what specific software you should use, I'd lean heavily towards Linux on all servers/routers, but can't help you on the Windows stuff. The last virus I got on an Amstrad 386 running DOS. I've been careful since then, but your users won't be - because they simply don't care.