Slashdot Mirror
Central Anti-Virus For Small Business?
rduke15 writes "I'm trying to find a centrally managed anti-virus solution for a small business network, which has around 20 Windows XP machines with a Linux server. It is too big to manage each client manually. However, there is no no full-time IT person on site, and no Windows Active Directory server — just Linux with Samba. And the current solution with Symantec Endpoint Protection seems too expensive, and too complex for such a simple need. On the Linux server side, email is handled by amavisd and ClamAV. But the WinXP clients still need a real-time anti-virus for the USB disks they may bring to work, or stuff they download from their personal webmail or other sites. I'm wondering what others may be using in similar situations, and how satisfied they are with it."
At least, we do at the school. That's a 50-station network, and amounts to about $10 a year per station after the educational discount. $20/year per station without, but you get cut rates for longer terms. I'm quite happy with Avast. At the business (20 stations, no AD when it was installed aeons ago) we used Trend Micro ServerProtect, which is no longer supported. That one was $800/25 stations flat fee and is still being updated. Neither one of those needs an AD server for its console, though they are both Windows based.
Do it without the server, and install NOD32 antivirus on the clients, with NOD32 Remote Administrator to manage them. We put this system in recently and it's very very effective. Synchronized our antivirus product and definitions quickly, and reported infections that had slipped past the unmanaged installation on one machine (it hadn't been updated for a while...). No, you don't have to install it on a Windows Server OS (although we did).
Forget thrust, drag, lift and weight. Airplanes fly because of money.
I would have to agree with this recommendation.
I've been installing NOD32 at several sites recently. The Business version of their antivirus/antispyware package does include a Management Console feature.
You'll end up paying about $39/seat for a 2 year subscription.
Also, NOD32 just won a Consumer Reports award this year.
Im security admin for a fortune 500, posting anonymous coward. Ill tell you what not to use. Don't use Panda. We have it at a european subsidiary, and I have never seen anything so crap. Never.
Now for the advice - Use something you recognise and trial it do death, antivirus detection rates are not so important as product robustness, and console usability. It's no use having something with a 99% detection rate if the 1% it doesnt detect are things like virut and conficker, and the product falls over every time you look at it. Coporate antivirus arent so much about detecting 100% of virus as reliably reporting the viruses they have found, and robustly maintaining communications with the management console so you can deploy updates.
These days no antivirus is really very good, I came to the conclusion a while ago that AV is an obsolete technology. The malware writers are just taking the piss, and Windows can never be virus free.
I don't know about other people, but around where I work, the joke is that whichever computer has Nod32 installed, it also has tons of viruses installed. Nod32 never seems to work in real life, eventhough it consistently scores high in reviews and have lots of recommendations.
(We use avira.)
I "administer" our small business IT infrastructure (well, it's just 10 computers) and our solution was to assess who needs internet access. As it turned out, the boss and the secretary need web, email and access to the accounting software on the remote side of a VPN, and the other guys don't because they use only internal documents. But they do need Windows because we use Windows-only software (SolidWorks and MasterCAM). So I've setup a fast Linux box that's on the internet, that provides web and email access through NX servers and clients (that is, the clients run on the linux box and display on the Windows workstations). USB ports are also disabled on all Windows boxes, and people who really want to see what's in a USB key have to plug it on the Linux box and have the content checked before it's transfered to a Samba share for Windows consumption. Same thing for CDs. None of the Windows boxes ever see the internet.
None of our Windows boxes are patched, updated or fitted with antivirus software, and we're doing just fine. The Windows boxes are super-fast as a result too.
But that's *our* solution. Your mileage may vary, but I think you should make a reasonable assessment of workers' need for internet access. You may be surprised how few actually need it to do their work (IM isn't a valid reason) and you may be able to rearrange your infrastructure to make it very easy and manageable like ours.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I'd love to be able to use osx on our network, but there are some serious roadblocks. #1 is the price of the workstations. when you need 300 bog standard desktops on a tight budget, your options from apple are... lacking to say the least. #2 is compatibility. entourage is very weak as an exchange client in a business environment. OWA on non-IE browsers is not great either. CAD and ERP software is limited. #3 is the cost of (re)training employees. with windows you get the benefit of your users having the same system at home/previous job/etc. even very simple differences in the ui require real support resources. some people just don't get it, no matter what "it" is.
also, while i am a fan of osx and use it personally, i don't put any faith in the "macs are more secure" arguments. every security analysis I've seen shows that macs are actually easier to exploit (probably will improve in 10.6). maybe the small installed base just isn't worth the effort to malware creators (yet), but if you use security as justification for switching to the PHB, I think you're setting yourself up to look really bad.
-Lod
Moonsecure is an AV based on clamwin: it actually employs a real-time scanner. clamwin offers no active protection, so it is pretty much useless for most user scenarios.
In all honesty, I've given both Moonsecure and clamwin many chances over the past couple of years. I don't want to admit it, but I feel as though I've been largely disappointed with the detection rates, the interface and the speed of both AVs. I've used them mostly in a 'workbench' setting though, scanning client drives outside of the system. In comparison to the other (commercial) scanners I use regularly, I've not been impressed.
Fact: Everything I say is fiction.
I see you already placed the biggest point I could make out there. It does it also if the old version is too old or isn't a networked version.
I actually had the same problem at a site with a laptop that somehow slipped through the cracks and didn't get updated to the latest version of AVG. In my case, it was a corporate version (network edition, but it was severely outdated) and I had to manually uninstall before being able to install the new client. I think the laptop ended up on a shelf in one of the partners closet so while we thought he was working with it periodically which should have already updated it if it was on the network. When we ended up seeing a version 7 in the management console after it hit the network fir the first time in over a year, and we were one 8.5, our eyes lit up.
I'm not sure I would consider a one time walk around in order to set things up as a big negative. Especially when the case is as you mentioned. All future pushes should work pretty well. I went from 8 to 8.5 buy upgrading the console machine first and then pushing it our to everyone else. Well, everything but the one laptop I mentioned earlier.
a couple years ago i worked at a company the used NOD32 and they were often bringing infected machines in to the IT dept despite the software being updated and supposedly working. now I work at a company that used symantec, and they were often bringing infected machines in to the IT dept despite the software being updated and supposedly working. One of my current coworkers used to work at place where they used Panda. They were often bringing infected machines in to the IT dept despite the software being updated and supposedly working.
WTF?
-Lod
...may be your most secure bet. No matter what antivirus solution you implement, given enough exposure to the Internet, one of the machines will eventually get infected in the end. So, unless you're willing to migrate your entire office to Linux, the safest solution would be frequent volume shadowing, maybe combined with a good antivirus such as AntiVir (which even has a Linux version IIRC).
Intellectual Property: an immaterial non-entity, most fiercely contended by those with no proper intellect to speak of.
I can confirm this. Back when I ran AVG, I thought my system was clean and only downloaded Avast to see what it was like. I was pretty surprised to see how many viruses it found! AVG appears to work, but it doesn't come close to Avast.
Most human behaviour can be explained in terms of identity.
While I find Avast itself (Home/Pro) very nice, and reccommend it, my experience early this year with its central management tool was that it was very powerful but a severe pain in the backside to install and administer. Probably fantastic for hardcore sysadmins, but like wrestling with a greased tiger for this little grasshopper. It seriously needs some wizard-fu.
MANAGEMENT SUMMARY: AVG will cost more in workhours and years of your life than it will ever save you! USE WITH CAUTION!
AVG network is a huge mistake I made as an admin... Sure the cost is low, the central management is OK, and the virusscanner was pretty decent... Only with newer versions you get these free bonus PITA's:
- Bloat like the Linkscanner that 'enhances' your webbrowser by making it slower or freeze and crash
- Firewall that will sometimes lock for no reason at all (making me have to go to the server to reset it since remote management is made impossible)
- Updates that automatically f**k the PC, there was one well known AVG-update-crash that you'll probably remember but beside that there have been numerous other updates that have a success rate of installing of less than 50%, so you'll have to fix half the PC's manually.
- Updates that will turn the real-time-protection off automatically and not turn it on again (WTF, is this a 'pro' version used in networks and on servers?)
In the end, if you configure AVG to *only* install the AV part (only thing Grisoft is somewhat good at), and stay as far away from the crappy firewall and other bloat you'll save yourself a lot of trouble (and headache).
AV is inherently a flawed idea... As you've found out, not every AV picks up every *known* piece of malware, and none of them will pick up new malware that has only just been developed (and people are developing new stuff all the time)...
Take some of the files that avast found and upload them to virustotal.com, and see just how many other AV products don't find it... You will also find that there is plenty of other malware out there which avast won't find... Anything that's missed by both avast and avg could potentially still be sitting on your machine.
Also, malware authors don't just sit still, malware is big business and the people writing it are constantly looking for new ways to avoid detection, and that often involves specifically targeting the most popular types of AV in order to find effective ways to bypass them. AV by it's very nature will always be one step behind the authors of malware... AV will always just be a low hanging fruit exercise, it will never be able to get anything...
The only place i use AV is on my email server, not because i'm especially concerned about the actual malware itself, but because malware detection works as another method to remove some unwanted junk mail.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Perl scripting is the answer. Install a free anti-virus, and setup a script checking. Check the anti-virus files and registry entry. You can get all the information you need, program virus version, database version, and use a central server to store the logs. Using scripts you can force anti-virus updates and restart. I have a lot of experience with Trend Micro and all the anti-virus parts are daily checked with Perl scripts (during the night), to make sure the clients behave.
Love many, trust a few, do harm to none.
AVG was lightweight until version 8.5. Now the footprint is as bad as McAfee or Symantec (around 100MB of memory used by each).
Big! Strong! Wow! Tada-O!
Take a look at the Trend WorryFree managed service. Doesn't need a central server on-site and you still get a centrally managed solution.
AV is inherently a flawed idea... As you've found out, not every AV picks up every *known* piece of malware, and none of them will pick up new malware that has only just been developed (and people are developing new stuff all the time)...
That's one reason why application whitelisting would work better. Only allow "good" known apps with a valid signature or saved CRC of some sort are allowed to execute. Any unknown apps either get canned, or request the user's permission to run -- these unknown apps can be added to the whitelist by the user.
Of course, you still have to worry about security flaws in the "good" apps allowing remote execution / etc so then you'd want to combine the whitelisting with some sort of sandboxing / limiting privileges on apps.
I work for an NGO in the Philippines as well. Similar situation as you - we're a Linux shop almost entirely now, spanning about a hundred machines or so and growing. People complained for the first few weeks, then got over it. Financially we drag in 8 or 9 digits a year (in Peso), though given our customers are in a situation where they need food, right the hell now, we tend not to have a whole lot left over for the IT budget. I'm ok with this. However! And you should take note. Whenever we use commercial software (to appease our accountants and graphic artists) we still PAY for it like everyone else. If a desirable piece of (free) software says 'for home use only' then we suck it up and pay for the commercial version, or we don't use it.
I presume you are a registered NGO with an SEC number and such. This means you are also incorporated, have a board of directors, by-laws, etc., viewed legally as a corporation. Someone spent a lot of money to get those credentials, so shake the tree a bit.
Read the fine print sir, free versions of Avast and AVG should not be installed on corporate machines. Even in the Philippines. Why would you be doing this? Tell your boss to skip a lunch or two at the Peninsula and eat at Starbucks instead so you can get some extra cash for your basic tool set. You may need to phrase this with your boss a little more creatively though :-)