Sunday, April 18, 2010

Rant on Antivirus

The question has become in my mind, and in the mind of others like me: Is it worth having antivirus software at all? It seems like every computer I fix (clean viruses), has antivirus on it. Also antivirus is the cause of much problems themselves. Even today, our Pastor's Computer would not work. The culprit, no, not a virus, but the antivirus software by Comcast. My friend who fixed it, said it basically pegged the Processor and you could not do anything at all.

I still believe in Antivirus, but in a layered approach. I think you are better off stopping as many as possible before they even get to the PC. Then isolating the browsing as much as possible, or using third party software to stop the scripts that are the cause for so much malware taking over the PC.

That aside, someone else asked this week for rating on Antivirus. Funny because I had just read an article in Maximum PC where they rated various packages. They gave Symantec a real good score, which to me is funny because I really don't care to much for Symantec. Here is another point. Opinions may differ based on the mileage that you have received. If at any point you experience trouble with antivirus software, you then form a bit of an opinion towards it.

Well, here is my little rant on what I think of various packages. Keep in mind that I am not trying to sway anyone to or from a package, although I would argue strongly for the point of Firewalls, isolation, and sand boxing when it comes to protection.

Generally this is some of the criteria I would evaluate Antivirus Software on:

1. Performance on the client: low cpu/mem (footprint), but good ratio of protection.
2. Ease of install.
3. Should not be intrusive.
4. Ease of use (schedules, updates, interface)
5. Price
6. *Important to larger installs* Management console: Roll out ease, upgrade, Maint!!!! Can't stress this enough.
7. Tech support or some kind of availability of Vendor.

1. Performance: 1. NOD32, 2. AVG (Workstation) - 1. Sophos (Server)
2. Ease of install: 1. On client they are about even: NOD32, AVAST, AVG (Standalone) 1. Sophos Workgroup or Enterprise - (but only because it works, it is still more complicated.)
3. Should not be Intrusive: 1. NOD32, AVG (Standalone) 1. Sophos (Workgroup or Enterprise).
4. Ease of use: 1. NOD32 2. AVG 3. AVAST (Worstation, Standalone) 1. Sophos (Workgroup or Enterprise).
5. Price: FREE is good for home, but not for Work: Home - I vote AVAST. Work: I do not vote. They all play games with pricing, but I would not pay for Symantec or McAffee.
6. Management Console - for home not an issue, for larger work-groups: 1. SOPHOS 2. Trend Micro 3. Pick your poison.
7. Tech Support: 1. Sophos Hands down (but you need to be under contract).

I use in my daily arsenal home/free/paid:

AVIRA (CD), AVAST (Windows and Linux) and NOD32. Also always install Malwarebytes. I also carry the slew of other Antiviurses and Spyware scanners including Combofix.
I highly recommend always setting up OPENDNS as the DNS service and turn on filtering.
I highly recommend Scanning emails AT the source: Postini or Google or whatever.
I highly recommend Scanning port 80 traffic at the source in/out - something like Barracuda or even something cheap or free.
I highly recommend Firefox with NoScript or Chrome (highest rated for security) - stay away for Internet Exploder and only use for what is needed.
One thing that at least the techies can do is sandbox your selves in a virtual machine for browsing and downloading - preferably a Linux VM with above mentioned browsers. because then, the chance of getting bit is pretty darn low.

What say you?

Delco

5 comments:

Kalen Arndt said...

Our instructor gave us a behavioral based IPS from Cisco and it's awesome. It's sad that you have to have anti-virus on all of the end points and servers in a company to be qualified for PCI or any compliance standards. Sophos was too much of a hog for me I fully switched to the Cisco IPS.

Delco said...

Cisco IPS or whatever in front of clients, and then again something behind. Even tho Sophos is a bit high on resources, they have the best Management Console I have seen so far with excellent protection and support. You always have minus/pluses. I think clients would push for them to lower resource hogging.

Kalen Arndt said...

Cloud AV is getting very interesting. I have tested Panda's version on my home servers and it runs very well! It's free and it's awesome. Cisco's client runs physically on the workstations as an AV. It only stops the behavior it doesn't remove the actual infection or files themselves. I guess you could use it directly with the other types of AV for cleaning but that seems over kill.

Delco said...

I have heard about the cloud AV, but have not looked at it. Very good thought. I will have to test. Can the Cisco client sit on a proxy and then scan or monitor port 80 traffic, or is it only an agent that sits on a pc an monitor processes?

Kalen Arndt said...

I only have it monitoring workstations because that is what the CSA client does. (http://www.cisco.com/web/go/csa). It's an endpoint client which also does ACLs for programs and the possibilities are pretty much limitless. ClearOS works very well for the proxy filtering and it will also function as a DC