
Your desktop antivirus product may be leaving you wide open to attack, part three

Malware guru Ed Skoudis puts several AV products to the test.

3. Managing antivirus

No matter how adept desktop antivirus products are at detecting malware, they won't have much practical benefit for your organization without robust enterprise management capabilities, including remote configuration, status checking, data aggregation and analytical reports.

Reining in users

Every tool we evaluated has options that prevent users from making arbitrary changes to antivirus configuration.

Grisoft, Network Associates, Trend Micro and Symantec offer solid, fine-grained configuration of the client interface, letting security managers control whether the user can alter dozens of different settings. For example, each of these tools allows admins to prevent users from disabling real-time scans or changing the signature update schedule.

Sophos, however, won't lock out users with local admin privileges. This is a serious concern because -- as noted earlier -- many organizations grant desktop users this level of control.

Reporting on the enterprise

By aggregating data across the enterprise, good antivirus reports allow quick identification and mitigation of the biggest areas of risk. For example, reports summarizing infection history can show which users are regularly getting infected, which business units within the enterprise are keeping signatures up to date and which departments have the largest number of users who disable their antivirus products.

We found a mixed bag of reporting capabilities among the tested antivirus products. Network Associates and Trend Micro were the best, providing aggregate summaries of top infected hosts, descriptions of the most widely detected malware and detailed infection histories.

Both F-Secure and Sophos offered report options showing the most common infections, the most infected hosts and the signature update status for hosts. However, neither tool gave an at-a-glance summary of the infection or update status of the enterprise.

CA, Grisoft, Kaspersky, Panda, PestPatrol and Symantec provided minimal reports -- essentially event logs from each client that needed to be manually aggregated or, in Symantec's case, parsed with a separately purchased tool.
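The aggregation that the weaker products leave to the administrator is not hard to do by hand. The following is an added example, not code from the article or from any vendor's product: it reads per-client event logs in a constructed pipe-delimited format and produces the enterprise-level views described above (top infected hosts, most common malware, repeat offenders, signature currency by department and hosts with real-time scanning disabled). The log layout, the host and department names and the sample records are all constructed for illustration.

```python
"""Aggregate per-client antivirus event logs into enterprise-wide reports.

Added example, not code from the article or from any vendor's product.
The pipe-delimited log format and the sample records are constructed for
illustration; a real deployment would parse each vendor's own export format.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data. Record layout (hypothetical):
#   date|host|department|event|detail
# event is one of: infection         (detail = malware name)
#                  signature         (detail = date of installed signature set)
#                  realtime_disabled (detail = who disabled it)
SAMPLE_LOG = """\
2004-05-03|ws-fin-01|finance|infection|W32/Netsky
2004-05-04|ws-fin-01|finance|infection|W32/Bagle
2004-05-04|ws-eng-07|engineering|infection|W32/Netsky
2004-05-05|ws-fin-01|finance|infection|W32/Netsky
2004-05-05|ws-hr-02|hr|realtime_disabled|user
2004-05-06|ws-hr-03|hr|realtime_disabled|user
2004-05-06|ws-hr-02|hr|realtime_disabled|user
2004-05-06|ws-eng-07|engineering|signature|2004-05-06
2004-05-06|ws-fin-01|finance|signature|2004-04-20
2004-05-06|ws-hr-02|hr|signature|2004-05-05
2004-05-06|ws-hr-03|hr|signature|2004-05-06
"""


def parse_log(text):
    """Turn the raw client logs into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, dept, event, detail = line.split("|", 4)
        events.append({"date": date.fromisoformat(day), "host": host,
                       "dept": dept, "event": event, "detail": detail})
    return events


def top_infected_hosts(events, n=10):
    """Hosts ranked by the number of infections detected on them."""
    return Counter(e["host"] for e in events
                   if e["event"] == "infection").most_common(n)


def most_common_malware(events, n=10):
    """Malware names ranked by how often they were detected."""
    return Counter(e["detail"] for e in events
                   if e["event"] == "infection").most_common(n)


def repeat_offenders(events, min_infections=2):
    """Hosts infected at least min_infections times: the users to talk to."""
    return sorted(host for host, count in top_infected_hosts(events, None)
                  if count >= min_infections)


def latest_signature_dates(events):
    """Newest signature date each host has reported, keyed by host."""
    latest = {}
    for e in events:
        if e["event"] != "signature":
            continue
        sig = date.fromisoformat(e["detail"])
        if e["host"] not in latest or sig > latest[e["host"]][0]:
            latest[e["host"]] = (sig, e["dept"])
    return latest


def signature_status_by_department(events, as_of, max_age_days=7):
    """Per department, how many hosts are current vs. stale as of a given day.

    A host whose newest reported signature set is older than max_age_days
    counts as stale. Hosts that never reported a signature date do not
    appear at all, so compare these totals against your inventory.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    status = defaultdict(lambda: {"current": 0, "stale": 0})
    for sig, dept in latest_signature_dates(events).values():
        bucket = "stale" if (as_of - sig).days > max_age_days else "current"
        status[dept][bucket] += 1
    return dict(status)


def disabled_by_department(events):
    """Distinct hosts per department on which real-time scanning was disabled."""
    hosts = defaultdict(set)
    for e in events:
        if e["event"] == "realtime_disabled":
            hosts[e["dept"]].add(e["host"])
    return {dept: len(h) for dept, h in hosts.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("Top infected hosts:", top_infected_hosts(ev, 5))
    print("Most common malware:", most_common_malware(ev, 5))
    print("Repeat offenders:", repeat_offenders(ev))
    print("Signature status by department:",
          signature_status_by_department(ev, "2004-05-07"))
    print("Real-time scanning disabled, by department:",
          disabled_by_department(ev))
```

Two points worth noticing when running this against real exports: the "stale" count only covers hosts that reported at all, so a client that has been silent for a month looks fine unless the totals are reconciled against the asset inventory, and disabled-scanner counts should be by distinct host, not by event, or a single user toggling the product repeatedly will dominate the report.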


Interface usability

After installing each management tool and managed client, we judged the overall admin experience, including the determination of malware infestations across the enterprise, ease in updating signatures, simplicity of scheduling scans and alteration of managed client configurations on the fly.

Symantec and Trend Micro offered the most intuitive interfaces. Symantec provided an easy-to-use GUI for pushing installations to clients and instantly determining the status of the antivirus tool running on an individual host. Trend Micro's interface excelled in its ability to show the status of infections across the enterprise at a glance, with high-level alerts about particularly nasty specimens, and to drill down into detail with a simple point and click.

Network Associates' management GUI was solid, though not as intuitive as Symantec's or Trend Micro's: it was more complex than it needed to be.

The F-Secure and Grisoft interfaces were somewhat frustrating. With F-Secure, we had difficulty quickly determining the protection status on a given desktop. The "Alerts" tab in the management interface showed new attacks, but the "Status" tab showed no such indication, implying that the given host wasn't having any difficulties.

We found similar results with Grisoft, compounded on several occasions when the GUI locked out the admin for up to 30 seconds while checking the status of a disabled client -- not a trivial point when managing mid- to large-sized enterprises. Additionally, the task scheduler was difficult to use.

Communicating on the network

Antivirus vendors use a wide variety of network protocols to communicate with managed clients, polling them for status, updating configuration settings and deploying new signature files. We sniffed each of these tools to determine the implications of allowing communication across an enterprise network.

We are leery of using Windows NetBIOS, SMB and Microsoft RPC networking for antivirus management because an increasing number of worms ride on those protocols, including last summer's Nachi/Welchia and Blaster. If your antivirus management server gets infected, the worm has a ready-made path over those same protocols to every one of its managed clients.

Although most enterprises' internal networks allow wide-open Windows NetBIOS, SMB and Microsoft RPC access, many organizations are working to proactively filter and segment Windows network protocols on their internal networks. If a worm does sneak in, enterprises want to be able to apply filters on the fly to limit propagation.

CA, PestPatrol and Sophos all require Windows networking protocols for enterprise management functions, which opens the door to many worms. If a worm spreads using these protocols, you can't filter it without also cutting off your ability to control your antivirus tool.

HTTP/HTTPS is a safer alternative. Admittedly, we've seen our fair share of HTTP-based worms, including Code Red and Slapper, which compromise unpatched Web servers to propagate. However, in most organizations, keeping Web servers patched is easier than keeping all of the Windows machines up to date, making HTTP/HTTPS a safer protocol for antivirus management. F-Secure, Network Associates and Trend Micro offer management capabilities using HTTP/HTTPS, along with a smattering of proprietary protocols.
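The sniffing exercise above reduces to a simple question per product: if you drop the Windows networking ports on the internal network during a worm outbreak, does the management channel survive? The following is an added example, not code from the article or from any vendor: it classifies observed flows by protocol family and reports, per management server, whether an emergency filter on the Microsoft RPC, NetBIOS and SMB ports would also sever management. The flow records, server names and port-to-family mapping are constructed; real input would come from a sniffer or NetFlow export.

```python
"""Classify antivirus management traffic by protocol family and check whether
an emergency filter on Windows networking ports would also cut off management.

Added example, not code from the article or from any vendor. The flow
records and management server names are constructed.
"""

# Ports the worms named in the article (Blaster, Nachi/Welchia) rode on:
# Microsoft RPC endpoint mapper, NetBIOS name/datagram/session and SMB.
WINDOWS_PORTS = {("tcp", 135), ("udp", 135), ("udp", 137), ("udp", 138),
                 ("tcp", 139), ("tcp", 445)}
WEB_PORTS = {("tcp", 80), ("tcp", 443)}

# Constructed flow summaries, one per observed connection: src,dst,proto,dport
# av-mgr-a manages over SMB/RPC; av-mgr-b over HTTP/HTTPS plus a proprietary port.
SAMPLE_FLOWS = """\
av-mgr-a,ws-01,tcp,135
av-mgr-a,ws-01,tcp,445
av-mgr-a,ws-02,tcp,445
ws-02,av-mgr-a,udp,137
av-mgr-b,ws-01,tcp,443
ws-01,av-mgr-b,tcp,80
av-mgr-b,ws-02,tcp,3000
"""
MANAGEMENT_SERVERS = {"av-mgr-a", "av-mgr-b"}


def parse_flows(text):
    """Parse the constructed CSV flow summaries into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        flows.append({"src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def family(proto, dport):
    """Map a (proto, port) pair to 'windows', 'web' or 'other'."""
    key = (proto, dport)
    if key in WINDOWS_PORTS:
        return "windows"
    if key in WEB_PORTS:
        return "web"
    return "other"


def management_flows(flows, servers):
    """Group flows that touch a management server, keyed by that server."""
    by_server = {s: [] for s in servers}
    for f in flows:
        for end in ("src", "dst"):
            if f[end] in servers:
                by_server[f[end]].append(f)
                break
    return by_server


def channel_families(flows, servers):
    """Sorted list of protocol families each management server relies on."""
    return {s: sorted({family(f["proto"], f["dport"]) for f in fl})
            for s, fl in management_flows(flows, servers).items()}


def survives_filter(flows, servers, blocked=WINDOWS_PORTS):
    """Per server: True if no management flow uses a port the filter blocks."""
    return {s: not any((f["proto"], f["dport"]) in blocked for f in fl)
            for s, fl in management_flows(flows, servers).items()}


if __name__ == "__main__":
    fl = parse_flows(SAMPLE_FLOWS)
    for server, fams in sorted(channel_families(fl, MANAGEMENT_SERVERS).items()):
        ok = survives_filter(fl, MANAGEMENT_SERVERS)[server]
        print(f"{server}: families={fams} "
              f"{'survives' if ok else 'BROKEN by'} Windows-port filter")
```

One caveat when applying this to a real capture: Microsoft RPC only uses port 135 for the endpoint mapper and then moves to a dynamically assigned high port, so a product that looks "other" on a short capture may still be RPC-dependent. Capture long enough to see the follow-on connections, or correlate by process on the client.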

Integrating with VPN for enforcement

Some antivirus products offer enforcement capabilities to ensure VPN users are running up-to-date antivirus software. Both Network Associates and Trend Micro interoperate with Check Point Software Technologies' Secure Configuration Verification (SCV) VPN solution, while Symantec works with Nortel and Check Point VPNs. When a user establishes a VPN connection, a corporate VPN gateway or local VPN software interrogates the antivirus client. If the antivirus tool is disabled or has an out-of-date signature base, the VPN won't let the client machine establish a connection to the corporate network. The client is forced to activate and/or update the antivirus tool before gaining access to the corporate network.
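The decision the gateway makes in that exchange is a policy check over what the client reports. The following is an added example, not code from the article, from Check Point's SCV or from any vendor's VPN client: it evaluates a client's antivirus posture report against a hypothetical policy (real-time scanning on, signatures no older than a few days, a minimum engine version) and returns an allow/deny decision with the reasons a user would need in order to fix the problem. The report fields, the policy values and the sample reports are constructed. The check fails closed: a missing, malformed or future-dated field denies access rather than being ignored.

```python
"""Decide whether a VPN client's antivirus posture meets policy before the
tunnel is admitted to the corporate network.

Added example, not code from the article, Check Point's SCV or any vendor's
VPN client. Report fields, policy values and sample reports are constructed.
"""
from datetime import date

# Hypothetical policy the gateway enforces.
POLICY = {
    "max_signature_age_days": 3,
    "min_engine_version": "4.3.0",
    "require_realtime": True,
}

# Constructed client reports, as the gateway might receive them.
SAMPLE_REPORTS = {
    "compliant": {"realtime_enabled": True, "signature_date": "2004-05-31",
                  "engine_version": "4.3.1"},
    "stale_and_disabled": {"realtime_enabled": False,
                           "signature_date": "2004-05-10",
                           "engine_version": "4.3.1"},
    "future_dated": {"realtime_enabled": True, "signature_date": "2004-07-01",
                     "engine_version": "4.3.1"},
    "incomplete": {"realtime_enabled": True},
}


def parse_version(text):
    """'4.3.1' -> (4, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_posture(report, today, policy=POLICY):
    """Return (allowed, reasons); reasons is empty only when access is allowed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    reasons = []

    # Fail closed: a client that cannot answer is treated as non-compliant.
    for field in ("realtime_enabled", "signature_date", "engine_version"):
        if field not in report:
            reasons.append(f"client did not report {field}")
    if reasons:
        return False, reasons

    if policy["require_realtime"] and not report["realtime_enabled"]:
        reasons.append("real-time scanning is disabled")

    try:
        sig_date = date.fromisoformat(report["signature_date"])
    except ValueError:
        reasons.append("signature date is malformed")
    else:
        age = (today - sig_date).days
        if age < 0:
            reasons.append("signature date is in the future "
                           "(clock skew or a tampered client)")
        elif age > policy["max_signature_age_days"]:
            reasons.append(f"signatures are {age} days old, limit is "
                           f"{policy['max_signature_age_days']}")

    try:
        have = parse_version(report["engine_version"])
        need = parse_version(policy["min_engine_version"])
        if have < need:
            reasons.append(f"engine {report['engine_version']} is older than "
                           f"required {policy['min_engine_version']}")
    except ValueError:
        reasons.append("engine version is malformed")

    return (not reasons), reasons


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        allowed, why = evaluate_posture(report, "2004-06-01")
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The two non-obvious branches are the ones a real gateway most often gets wrong: a future-dated signature set is not "very current", it is a sign of clock skew or a client lying about its state, and a report with fields missing should deny rather than skip the checks it cannot perform.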

The bottom line

Our analysis makes it clear that antivirus products aren't the end-all, be-all defense against malicious code. As an industry, we haven't licked the ADS (NTFS alternate data stream) problem quite yet. Antivirus has barely made a dent in detecting spyware, backdoors and *nix malware, and enterprise-wide management and reporting capabilities vary significantly.

Trend Micro's solution, with its easy-to-understand GUI and HTTP networking, was the strongest overall based on our criteria. It provided useful reports and fine-grained management, although its default ADS settings left something to be desired.

Network Associates came in a close second, besting Symantec in a head-to-head comparison of the antivirus giants. Network Associates' stellar ADS handling, combined with its solid management interface, comprehensive reports and fine-grained control of users, earned it high marks. Symantec offered a solid admin GUI, but its rating was hurt by weak built-in reporting capabilities and troubling default settings for identifying ADS-borne malware.

Panda's product was strongest among the small- and mid-sized vendors, providing solid detection capabilities and a decent management interface.

PestPatrol was an interesting product. The Corporate Edition's client has no user interface -- it's completely transparent. If a user takes a laptop off of the network, PestPatrol will have no way of informing the user of what's happening, nor can the user invoke an on-demand scan. On the plus side, there's no way for a user to even think about changing settings. In addition to viruses and worms, PestPatrol was adept at detecting malware overlooked by other solutions -- some spyware, and Netcat and VNC backdoors.

About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).

This was last published in June 2004
