Information Security

Defending the digital infrastructure

Antimalware: McAfee VirusScan Enterprise and AntiSpyware Enterprise

2007 Readers' Choice Awards: desktop and gateway enterprise antimalware products.

GOLD | McAfee VirusScan Enterprise and AntiSpyware Enterprise

Price: VirusScan, $31.90/user; AntiSpyware, $12.90/user

With Microsoft getting in the antimalware game--behind free antivirus and antispyware in Vista and its Forefront Client Security business software--standalone antimalware vendors have had to adjust their strategies and improve centralized management, spyware and rootkit protection.

Readers deemed McAfee VirusScan Enterprise and AntiSpyware Enterprise ahead of the pack, praising the speed of signature updates to the product as well as its ability to detect, block and remove malware. Administration and configuration also scored well with readers.

Host IPS Earning Its Place on Desktops
Once a marginal technology, host-based IPS (HIPS) is gaining traction in the market as organizations increase attention on endpoint security. In addition to behavior-based detection of unknown attacks, HIPS typically offers application and access controls. McAfee Host Intrusion Prevention and Cisco Security Agent drew particularly strong positive response in the Readers' Choice survey.

McAfee AntiSpyware Enterprise satisfies concerns over administration by pushing its protection onto systems where McAfee's VirusScan Enterprise is installed, providing both defenses with the same engine, DAT files and management interface.

VirusScan Enterprise, like many antimalware products, moves beyond a strictly signature-based design. McAfee's tool also uses heuristics and genetic detection to provide protection from malicious code.

Another feature of the antimalware combination is its access protection rules, with which customers can define how a system may be used. "With [these] rules, we can lock down folders, files and processes," says Ed Metcalf, senior product marketing manager for McAfee. Metcalf suggests a user could configure VirusScan, for example, to block the execution of any non-Windows executables, close ports or prevent the alteration of any file extensions.

Users are also able to customize the update process for remote systems, and tailor updates to physical locations and connection speeds.

In addition to the management capabilities, readers praised McAfee VirusScan Enterprise and AntiSpyware Enterprise's reliability and ease of use. McAfee's focus on integration and management put it over the top. Both VirusScan and AntiSpyware Enterprise are essential parts of McAfee's Total Protection product, released a year ago.

SILVER | Websense Enterprise

Price: $19/seat, 1,000 users

Reporting and alerting features, as well as service and support, earned Websense Enterprise high marks and a share of the silver medal. The tool allows organizations to establish flexible Internet use policies and control Web access. The Web filtering tool categorizes sites, scanning the Internet for malicious code or potential attacks.

Websense Enterprise's policy interface enables administrators to organize employees into groups and provision access accordingly. Policies can be set based on users and groups defined in Microsoft Windows Active Directory, Sun Java System Directory Server and Novell eDirectory (accessed via LDAP), as well as in RADIUS and Citrix environments.

SILVER | Trend Micro AntiVirus and AntiSpyware

Price: $39.95/user

Trend Micro's AntiVirus and AntiSpyware earned a share of the silver medal with high scores for its reporting and alert capabilities, as well as for its signature update features.

Trend Micro AntiVirus and AntiSpyware do real-time monitoring, automatically checking email attachments for known and unknown attacks, and issue alerts when an abnormality is detected. Scans can also be scheduled or customized. Trend Micro has trimmed false positives, the company says. It also offers deleted file recovery features, which can help users recover any quarantined files that may have been cleared out accidentally.

In the trenches

Keeping pace...for now

Security managers rely on layers of defense against malicious code.

Nobody knows more about the insidiousness of malware than a university security officer. On a college campus, CIOs like Jack Seuss are often faced with the challenge of securing thousands of computers. "There's really no single solution that's a silver bullet," says the vice president of IT at the University of Maryland. Malware defense requires a multitude of approaches.

Seuss has used a host intrusion prevention system that covers most campus desktops. He also automates patch updates on the majority of Windows machines, and has enabled campus-wide distribution of antivirus and antispyware software. Part of that layered-defense strategy includes user awareness.

While victory certainly cannot be declared, many security officers feel like they've done a decent job keeping up with malware--so far.

"[Last] fall was the smoothest in the six years I have been at Northeastern," says Glenn Hill, the university's director of information security. He says credit belongs to students and administrators who are actively protecting their computers and avoiding malware more than ever.

John Hornbuckle, network manager for the Taylor County school district in Florida, hasn't had an outbreak in some time, but he isn't celebrating yet. "Just because we're relatively safe today doesn't mean we will be tomorrow," he says.

With the stealthy nature of malware, a major problem involves actually finding the bad stuff. "A piece of malware may have a characteristic of this or that," says Jim Moore, an information security officer at Rochester Institute of Technology. "If it's a variant, is it a variant of malware A or malware B? Or did someone get the bright idea to take pieces of one and pieces of the other?"

Another sticking point with antimalware technologies is their signature-based design. "To defeat these products, all a malware author has to do is get his product distributed more quickly than updated signatures can be distributed," says Hornbuckle.

With the geometric expansion of virus variants, many are looking for more behavior-blocking technologies that monitor system and application behavior that runs contrary to policy, rather than matching characteristics with a known virus signature.
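The contrast drawn in this section, and the access protection rules Metcalf describes earlier, can be seen side by side in a small illustration. The following is added example code, not McAfee's engine, rule format or any vendor's product: it pairs an exact-hash signature check with a toy policy layer of the kind Metcalf outlines (block executables outside trusted directories, prevent extension changes on protected file types, close listening ports). The sample "malware" bytes, the one-byte variant, the rule names and the event trace are all constructed for the example, and the rules are deliberately simplistic.

```python
"""Added example: a toy signature layer beside a toy access-protection
policy layer. Not McAfee's code or rule format; every sample below
(bytes, paths, ports, rule names) is constructed for illustration."""
import hashlib
import ntpath

# --- Layer 1: signature matching (exact hash of the whole file) ---------
KNOWN_BAD = b"MZ\x90\x00evil-dropper-v1\x00"   # constructed "known" sample
VARIANT = b"MZ\x90\x00evil-dropper-v2\x00"     # constructed one-byte variant

# Signature database keyed by SHA-256 of the full file contents.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Dropper.A"}


def signature_scan(data: bytes):
    """Return the signature name for an exact hash match, else None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


# --- Layer 2: access-protection rules (policy on observed behaviour) ----
# ntpath is used so the Windows-style paths evaluate the same on any OS.
TRUSTED_EXEC_DIRS = ("c:\\windows\\", "c:\\program files\\")
PROTECTED_EXTS = {".exe", ".dll", ".sys"}
BLOCKED_LISTEN_PORTS = {135, 139, 445}


def _under_trusted_dir(path):
    normalized = ntpath.normcase(ntpath.normpath(path))
    return normalized.startswith(TRUSTED_EXEC_DIRS)


def rule_untrusted_exec(ev):
    # Block execution of any executable outside the trusted directories.
    return ev["type"] == "exec" and not _under_trusted_dir(ev["path"])


def rule_extension_change(ev):
    # Block renames that change the extension of a protected file type.
    if ev["type"] != "rename":
        return False
    old_ext = ntpath.splitext(ev["path"])[1].lower()
    new_ext = ntpath.splitext(ev["new_path"])[1].lower()
    return old_ext != new_ext and (old_ext in PROTECTED_EXTS or new_ext in PROTECTED_EXTS)


def rule_blocked_port(ev):
    # Block any process from listening on a port the policy closes.
    return ev["type"] == "listen" and ev["port"] in BLOCKED_LISTEN_PORTS


RULES = [
    ("Block execution outside Windows/Program Files", rule_untrusted_exec),
    ("Prevent alteration of protected file extensions", rule_extension_change),
    ("Close policy-blocked listening ports", rule_blocked_port),
]


def evaluate(events):
    """Return [(event, rule_name)] for every event that some rule denies."""
    blocked = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                blocked.append((ev, name))
                break  # first matching deny rule wins
    return blocked


# Constructed event trace for the variant the signature layer missed.
VARIANT_EVENTS = [
    {"type": "rename", "path": r"C:\Users\bob\Downloads\invoice.pdf",
     "new_path": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "exec", "path": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "listen", "port": 445},
    {"type": "exec", "path": r"C:\Windows\System32\notepad.exe"},  # benign
]

if __name__ == "__main__":
    print("known sample:", signature_scan(KNOWN_BAD))
    print("variant:     ", signature_scan(VARIANT))
    for ev, rule in evaluate(VARIANT_EVENTS):
        print("BLOCKED", ev["type"], "by rule:", rule)
```

The hash signature catches only the byte-exact sample and misses the variant, which is Hornbuckle's point about outrunning signature distribution; the policy layer ignores what the file looks like and denies the rename, the execution from a user directory and the port bind, while letting the trusted notepad.exe run. A real product evaluates far richer rule sets, but the division of labour between the two layers is the one this section describes.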

According to a recent Yankee Group report, vendors such as Prevx, Sana Security, Third Brigade and Determina specialize in this type of technology, competing with larger vendors like IBM Internet Security Systems, Symantec, Cisco and McAfee.

"I need a tool that baselines process and data flows, and detects aberrations," says Moore. "There are different ways of doing that, from heuristics to no-execute bit architectures."

As malware writers and antivirus vendors continuously try to outsmart the other, information security officers do the best they can with what's available. "We're holding even," says Seuss.
