Products reviewed:

BitDefender
eSafe
eTrust Antivirus
Hauri ViRobot
Kaspersky Anti-Virus
Norman Virus Control
ScanMail for Microsoft Exchange
Symantec AntiVirus

For its strong performance and excellent template system, Best Buy goes to Kaspersky Anti-Virus. Recommended is eTrust Antivirus, which is well balanced for handling outbreaks.

Anti-virus (2004)

Anti-virus solutions have had to earn their corn this year, but how many do what they should, and are some more efficient than others? By Jon Tullett


It is a safe bet that most if not all anti-virus software in the market today will stop any given virus. But what is the real impact of a virus or worm outbreak, even if your AV does protect you?

Incidents cause thousands upon thousands of infected messages to bombard mail servers, clogging up message queues and overloading mailboxes. This can place a heavy burden on the mail server software and on any associated system, such as anti-virus, anti-spam or content filtering, as well as having a knock-on effect on mail archival and network overhead.

We tested a range of anti-virus products to see how they would handle a serious virus outbreak, looking for features such as reporting and outbreak controls, and investigating how the standard reporting mechanisms performed when presented with a massive workload.

A key differentiator was performance. We measured the time the server took to queue all the incoming mail, and the lag in processing that mail into the target mailbox. By comparing these figures with the performance of the server when the test was run with no anti-virus software loaded, a useful benchmark of overhead and efficiency can be derived.

The findings were mixed. Most importantly, none of the software missed any viruses or lost any valid messages. The overhead imposed in queuing the mail was slight - only a few minutes delay added on in most cases. But the time to process and deliver the mail, which is the stage at which the actual scanning is happening, varied wildly, with some products hardly delaying the server at all, while others introduced massive latency.

This is mainly due to the way products scan for viruses. Most scan the email in the background as fast as they can, meaning that under heavy load some messages will arrive in the user's account unscanned: the AV software then gets a second pass at the message when it is opened or delivered to a mailbox, such as a PST file or via POP3.

Third benchmark

So a third benchmark is the number of messages that the product has scanned in transit. This will have implications for managers of mail servers in distributed environments, needing to weigh up overall latency versus the delay that will result if mail is disinfected when the remote system retrieves each message.

Two products behaved very differently here. Where most showed varying degrees of efficiency and numbers of unscanned messages, Hauri ViRobot and Symantec AntiVirus did not. ViRobot scans nothing in transit, leaving that task to the delivery process and, as a result, delivered mail at blinding speed, but with all 10,000 messages arriving unscanned. At the opposite extreme, Symantec's product ran very slowly, but scanned every single message - not one unscanned email arrived at the far end.

For the sake of comparison, we ran Hauri's test again, looking at the time it would take to deliver all the messages to an Outlook PST file (thus forcing the scan). Outlook adds latency of its own, so we compared this to the same setup (delivering to PST) without AV, and found a roughly 50 percent overhead, which is quite slow.

None of the products did what we would have liked, which is to detect an outbreak and then take steps to adjust its reporting accordingly. Email, log-file and SNMP alerts are great, but not 10,000 of them at a time. In some cases, this filled up the Windows application log, which could prevent other software from reporting important information. It is not impossible that this fact could be exploited by an attacker, knowing that applications might not be able to log events correctly during a virus outbreak.

An exponential reaction could be a better option - report each alert until, say, ten identical worms have been seen, then assume an outbreak is under way and stop announcing infections, but report progress at 100, then 1,000 and so on. Or simply collapse all identical alerts into a single summary, offering the ability to extract the original data for analysis but keeping the immediate view more abstract.
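The alert-throttling scheme described above, written out as an added example (this is not code from the review or from any of the products tested). It assumes a threshold of ten identical detections to declare an outbreak, then reports progress only at 100, 1,000, 10,000 and so on, while collapsing every identical alert into a per-signature summary that keeps the raw records for later analysis. The virus names, message IDs and timestamps in the sample input are constructed.

```python
"""Outbreak-aware alert throttling (added example, not a vendor's code).

Individual alerts are emitted until an assumed threshold of 10 identical
detections; after that a single outbreak notice is raised and progress is
reported only at decade milestones (100, 1000, 10000, ...). All events are
still retained per signature so the raw data can be extracted for analysis.
"""
from collections import defaultdict
from dataclasses import dataclass, field

OUTBREAK_THRESHOLD = 10  # assumption: the tenth identical hit marks an outbreak


@dataclass
class SignatureSummary:
    """Collapsed view of all alerts for one virus/worm signature."""
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    events: list = field(default_factory=list)  # raw (timestamp, message_id) records


def is_decade_milestone(n):
    """True when n is a power of ten (10, 100, 1000, ...)."""
    while n > 1 and n % 10 == 0:
        n //= 10
    return n == 1


class OutbreakThrottle:
    def __init__(self, threshold=OUTBREAK_THRESHOLD):
        self.threshold = threshold
        self.summaries = defaultdict(SignatureSummary)

    def record(self, timestamp, virus_name, message_id):
        """Register one detection; return the alert text to emit, or None if suppressed."""
        s = self.summaries[virus_name]
        s.count += 1
        if not s.first_seen:
            s.first_seen = timestamp
        s.last_seen = timestamp
        s.events.append((timestamp, message_id))  # always kept, never dropped

        n = s.count
        if n < self.threshold:
            # Below the threshold: behave like a conventional scanner, one alert per hit.
            return f"{timestamp} ALERT {virus_name} in message {message_id}"
        if n == self.threshold:
            # Threshold reached: announce the outbreak once and go quiet.
            return (f"{timestamp} OUTBREAK {virus_name}: {n} detections since "
                    f"{s.first_seen}; further identical hits summarised")
        if is_decade_milestone(n):
            # Progress report at 100, 1000, 10000, ... detections.
            return f"{timestamp} OUTBREAK {virus_name}: {n} detections so far"
        return None


def replay(records, threshold=OUTBREAK_THRESHOLD):
    """Feed (timestamp, virus_name, message_id) tuples through a throttle.

    Returns (emitted_alerts, summaries) so the effect of the scheme can be inspected.
    """
    throttle = OutbreakThrottle(threshold)
    emitted = []
    for ts, name, mid in records:
        out = throttle.record(ts, name, mid)
        if out is not None:
            emitted.append(out)
    return emitted, throttle.summaries


def constructed_outbreak(n_worm=10_000, n_other=3):
    """Constructed sample input: n_worm copies of one worm plus a few unrelated hits."""
    records = [(f"t+{i}s", "Worm.Example.A", f"<msg{i}@example.invalid>")
               for i in range(n_worm)]
    records += [(f"t+{n_worm + i}s", "Trojan.Example.B", f"<other{i}@example.invalid>")
                for i in range(n_other)]
    return records


if __name__ == "__main__":
    alerts, summaries = replay(constructed_outbreak())
    for line in alerts:
        print(line)
    total = sum(s.count for s in summaries.values())
    print(f"{len(alerts)} alerts emitted for {total} detections")
```

With the constructed 10,000-message outbreak plus three unrelated hits, the scheme emits 16 alerts instead of 10,003: nine individual alerts, one outbreak notice, three milestone reports, and the three alerts for the unrelated trojan. The full event list is still available from `summaries["Worm.Example.A"].events` for anyone who needs the original data.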

While all the software on test does a good job integrating with Exchange and stopping individual viruses, most could use some work dealing with the realities of a major virus outbreak.

Fortunately, most of the products can be tweaked and tuned to improve their handling. Logging can be reduced, performance adjusted and the server could be configured better. But applications are often deployed with settings only slightly optimized from their defaults, and then left unattended.

With modern worms and viruses designed to spread through networks at lightning speed, these heavy outbreaks are going to continue. We feel the anti-virus vendors should be doing a better job of delivering software designed with worst-case scenarios in mind, but to be fair, today's AV software is vastly more capable of handling this sort of abuse than it was a year ago - improvements have been made in speed, integration, reporting and reliability across the board.

