Anti-malware management 2007

This month we host a special issue dedicated to the tools we use to fight various types of malware. In our product roundup, we list around 75 anti-virus and anti-spyware products that are, generally speaking, best of breed. They all have been through the West Coast Labs certification process and their catch rates have been verified using the WildList, the authoritative listing of viruses (including BOTs and worms) actually in the wild (i.e., not just lab experiments or proofs of concept).

However, in the enterprise, these products pose a few challenges. For example, how does one implement anti-malware in a 10,000-user enterprise spread around the world? And, once implemented, how does one support it with updates and logging and alerting of events? That is the subject of this first Group Test, anti-malware management tools. You might say that these products are the glue that holds an anti-malware program together.

We looked for several things. First, some products came complete with the anti-malware product licenses in place. Others work in conjunction with a suite of anti-malware products. We were interested in what types of malware these products could manage.

Generally, we found that when a vendor says anti-malware, that is what it means. All products had anti-virus and anti-spyware, but also addressed were spam, phishing, bots, worms, trojans and the whole gamut of internet bugs. So, one of our criteria was the number of different types of malware the product could handle.

We also were concerned with how well the product logged events and how these events were presented to the administrator. Was there a robust alerting system with email and pager alerts? What were the logging options?

Finally, we wanted to know how difficult it was to manage client-side anti-malware on the desktop or laptop. Were updates to the clients automatic, for example? How is updating the data files managed? Can clients that do not have the current level of data file be forced to update?
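The last two criteria above, event alerting and forcing out-of-date clients to refresh their data files, are what a management console actually automates. The following Python script is an added example, not code from the magazine or from any product reviewed here: it takes a constructed client inventory (hostnames, definition versions and timestamps are invented), flags clients whose definitions lag the current release or whose last update is older than a policy threshold, and turns each finding into an alert line routed to email or pager depending on how far behind the client is.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: per-client status records as a management console
# might collect them (hostname, definition version, last update time).
# Hosts, versions and times are invented for this example.
SAMPLE_STATUS = """\
ws-101,2007.04.12.3,2007-04-12T08:15:00
ws-102,2007.04.10.1,2007-04-10T09:30:00
srv-db1,2007.04.12.3,2007-04-12T07:55:00
lt-203,2007.03.28.2,2007-03-28T18:02:00
"""


@dataclass
class ClientStatus:
    host: str
    defs_version: str
    last_update: datetime


def parse_status(text):
    """Parse comma-separated status lines into ClientStatus records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, version, stamp = [f.strip() for f in line.split(",")]
        records.append(ClientStatus(host, version, datetime.fromisoformat(stamp)))
    return records


def version_key(version):
    """Dotted numeric version -> tuple so that comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def find_stale_clients(records, current_version, now, max_age):
    """Return clients that must be forced to update.

    A client is stale if its definition version is behind the current
    release OR its last successful update is older than max_age.
    """
    stale = []
    current = version_key(current_version)
    for rec in records:
        age = now - rec.last_update
        behind = version_key(rec.defs_version) < current
        if behind or age > max_age:
            stale.append({
                "host": rec.host,
                "version": rec.defs_version,
                "age_days": age.days,
                "behind": behind,
            })
    return stale


def alert_lines(stale, page_after_days=7):
    """Build one alert per stale client; escalate to pager past a threshold."""
    lines = []
    for item in stale:
        channel = "PAGE" if item["age_days"] >= page_after_days else "EMAIL"
        lines.append(
            f"{channel} {item['host']}: definitions {item['version']} "
            f"({item['age_days']} days old) -> force update"
        )
    return lines


def run_example():
    """Evaluate the constructed inventory against a fixed policy snapshot."""
    records = parse_status(SAMPLE_STATUS)
    now = datetime(2007, 4, 13, 12, 0, 0)          # evaluation time (constructed)
    current_version = "2007.04.12.3"               # latest released definitions
    stale = find_stale_clients(records, current_version, now, timedelta(days=2))
    return stale, alert_lines(stale)


if __name__ == "__main__":
    for line in run_example()[1]:
        print(line)
```

With the snapshot above, ws-102 is three days behind and gets an email alert, while lt-203 has not updated in over two weeks and is escalated to a page; the two current clients produce nothing. The version comparison is numeric on purpose: a string comparison would mis-order versions such as 2007.4.9 against 2007.4.12.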

Anti-malware is a difficult product group because we found very little differentiation in the actual anti-malware products. Where we found differentiation was in the management tools for the enterprise. This leads us to view the anti-malware market from a couple of perspectives. First, catch rate is a non-starter. All of the good products have about the same catch rates. Many boast the ability to catch zero-day exploits.

The big differences are in what the management tools do. For example, are they one-trick ponies that only catch viruses or spyware? Or do they cover a broad range of threats? There were appliance and software implementations. We found that, even with strong software implementations, the one appliance we looked at had the most comprehensive protection.

However, we had a bit of a surprise here. We expected that the appliance would have the ease-of-use score nailed. That was not necessarily the case. Some of the software products went in smoothly and performed well. While the appliance was up and running in about 15 minutes, some of the software didn’t take much longer.

Another area that surprised us was how these products actually manage anti-malware at the desktop. We expected to see, based on past experience, a bit of awkwardness. However, we saw virtually none. These tools manage smoothly, allow policy development and report well, especially the appliances.

Finally, one more thing we looked for was what, exactly, are these products managing? Are they just handling the clients or do they act as a gateway looking at data as it enters the enterprise as well? In that regard there were products that focused on the client-side and servers (data at rest), those that focused on data in motion, and those that did both. We tend to recommend as much functionality as possible here because there are multiple infection vectors possible for just about any kind of malware, and all those vectors need to be monitored.

All said, this was one of our most interesting Group Tests so far this year. As one might expect, the market is mature and the differences between products sometimes are subtle. Our advice is know what you want to do and how your resources will allow you to do it before you opt for one of these, generally good, products.

While I’m at it, I’d like to welcome a new freelancer to our SC Labs team. Kris Rowley comes to us from Norwich University. Kris helped Mike put together this month’s reviews while I was traipsing around the wilds of Europe on a military exercise.
