VirusScan Enterprise 8.0
Prices start: $39 per user
At its core, McAfee's VirusScan Enterprise 8.0 (VSE) is, well, an antivirus application. But its embedded event response capabilities coupled with McAfee's ePolicy Orchestrator (EPO)
Designed for Windows environments, VSE performs continuous or on-demand scans of files and e-mails (supporting Microsoft Exchange and Lotus Notes), catching malware through signature-matching and heuristics. VSE also detects and blocks unwanted programs, such as adware and spyware, and provides multiple response and remediation options.
VSE sports several useful tools that monitor and block potentially dangerous scripts. It blocks inbound and outbound traffic to a specific range of ports, and helps detect and prevent buffer overflows by monitoring commonly exploited API calls.
VSE ships with predefined rules for monitoring and blocking specific actions (such as never allowing executable files in the temp folder); custom rules can be added by clicking the "Add" button in the VSE interface. The intuitive management console lets security managers define monitoring and blocking parameters.
By default, VSE blocks connections to any remote system attempting to access an infected file in a shared folder. Similarly, connection attempts to remote computers running malicious spyware are blocked.
During our testing, VSE effectively blocked everything thrown at it. We set up firewall rules that prohibited outbound FTP and inbound HTTP connections, and restricted access to certain network shares on the VSE workstation. We attempted to install Gator, a prolific piece of adware, and the VNC remote control applications. VSE detected and quarantined both.
Buttressing VSE's security functionality are EPO's impressive management and endpoint security capabilities.
Using VSE like a host-based agent, EPO checks connecting devices for security status and policy compliance. Through its System Compliance Profiler module, it can adjust VSE configuration settings and check Windows machines for patch and service pack status. However, it can't push patches or configuration changes to non-AV applications and OSes. EPO can also manage Symantec and Trend Micro AV applications, but functionality is limited.
EPO can detect untrusted devices on the network, but blocking or isolating untrusted devices must be done manually or through another application.
Security managers will appreciate EPO's predefined reports and events dashboard. There are approximately 40 predefined reports that list information such as DAT and engine versions, hosts most commonly infected and infection rate analysis.
VirusScan Enterprise 8.0 is definitely more than an AV application, but it's not quite a full-featured firewall or an IPS. Bundling it with ePolicy Orchestrator 3.5's strong management, reports and limited endpoint security capabilities gives VSE added dimension.
About the Author
Steven Weil is a contributor to Information Security magazine.
This review originally appeared in Information Security magazine.
This was first published in August 2005