While many IT directors focus their antivirus attention on catching malicious code at the network border, complete virus protection includes regular file scanning to make sure nothing slips past the antivirus gateway.
We looked at server-based antivirus scanners from three vendors — McAfee (Network Associates), Sophos and Symantec — and found dramatic differences in their approaches to keeping the heart of a network virus-free.
All three were adept at recognising basic virus infestation (the two-pronged approach combining virus signature dictionaries with malicious code heuristics is becoming standard in the industry). But they varied widely in their approach to managing virus scanning across clients on the network, supporting those clients, and reporting infestations back through management consoles and enterprise management frameworks.
Sophos is the minimalist of the group: a straightforward virus-scanning engine that protects a server without trying to become part of the network-management tool suite.
McAfee and Symantec both take a component-based approach with scanning applications and management consoles as separate products. Both can manage antivirus activities on large numbers of servers and workstations, although the McAfee management console is the only one that will manage the scanning engine of another company — Symantec — as well as its own.
To test these products’ capabilities, all of the antivirus software was loaded into a test network consisting of two Windows 2000 servers and six workstations running Windows XP Pro. The controlling server was a Dell PowerEdge 2600 server; the secondary server was a Compaq ProLiant ML 350 server. I tested all of the scanners with the Eicar antivirus test files (eicar.com) in text, executable, ZIP, and double-ZIP configurations, with the files placed in various locations on the server and around the network.
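To show what the plain, ZIP and double-ZIP test configurations above actually exercise, here is an added example (not code from the review or from any of the vendors) that builds the three fixtures in memory around a constructed marker standing in for the EICAR string, then runs a toy signature scanner with a configurable archive-depth limit over them; a scanner that never unpacks archives, or unpacks only one level, is seen to miss the nested cases.

```python
import io
import zipfile

# Constructed stand-in for the EICAR test string (the real 68-byte string is
# published at eicar.com).  A harmless marker is used here so that running
# this example never drops anything a resident scanner would quarantine.
TEST_SIGNATURE = b"CONSTRUCTED-AV-TEST-MARKER-NOT-EICAR"
PAYLOAD = TEST_SIGNATURE * 4  # repetition keeps the innermost ZIP layer compressed
MAX_DEPTH = 8  # hard stop on unpacking: guards against nesting bombs


def build_fixture(depth: int) -> bytes:
    """Wrap PAYLOAD in `depth` nested ZIP layers.

    depth 0 -> plain file, 1 -> ZIP, 2 -> double-ZIP (the review's cases).
    """
    data = PAYLOAD
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{level}.bin", data)
        data = buf.getvalue()
    return data


def scan_bytes(data: bytes, max_depth: int, _depth: int = 0) -> list:
    """Return detection paths; an empty list means the object looks clean.

    max_depth=0 scans only the raw bytes it is handed (a scanner that never
    opens archives); larger values unpack ZIP members that many levels deep.
    """
    hits = []
    if TEST_SIGNATURE in data:
        hits.append(f"depth{_depth}")
    if _depth < min(max_depth, MAX_DEPTH) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                for hit in scan_bytes(zf.read(info), max_depth, _depth + 1):
                    hits.append(f"{info.filename}/{hit}")
    return hits


def detection_matrix(max_depth: int) -> dict:
    """Map fixture name -> detected? for the plain, ZIP and double-ZIP cases."""
    return {name: bool(scan_bytes(build_fixture(d), max_depth))
            for name, d in (("plain", 0), ("zip", 1), ("double-zip", 2))}


if __name__ == "__main__":
    for limit in (0, 1, 2):
        print(f"archive depth limit {limit}: {detection_matrix(limit)}")
```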
McAfee VirusScan Enterprise 7.0
The McAfee (Network Associates) antivirus solution consists of at least two pieces, e-Policy Orchestrator 3.0 (ePO) and the antivirus products. ePO is the management console and administrative heart of the system, controlling McAfee VirusScan Enterprise scanner and any other McAfee antivirus products. It is perhaps the most ambitious of the management consoles of the four, and it places the greatest demands on its host server.
The host server must have a SQLServer database engine installed, in addition to standard Windows NT networking components such as DHCP and DNS. The database stores information on clients and alerts that may be generated by any of the McAfee, Symantec or Dr Ahn antivirus products supported and monitored by ePO.
Setting up ePO is complex because the services it provides are comprehensive and support not just antivirus but also firewall and gateway client software. In my testing, the McAfee Virus Scanner correctly recognised a virus presence, quarantined the file, and sent an alert through ePO to the network administrator.
To complete the circle of protection, ePO also provides emergency virus signature-file updates and propagation through the network in the event of a new virus outbreak.
With support for up to 250,000 clients and an interface equipped for several languages, the combination of McAfee, ePO, and some variety of scanning engines would be a solid choice for extremely large, international networks.
Sophos Anti-Virus / Enterprise Manager
Sophos Anti-Virus takes a big step toward ease of use compared to the other products in this test, showing a very simple user interface on its Anti-Virus scanner.
Sophos’ approach uses a combination of virus signatures and heuristics to identify virus payloads. It concentrates on scanning files on the server’s disks — a separate piece of software is available to scan email for virus-infected attachments.
Setting up the system for basic operation took little time or effort. Sophos Anti-Virus, which offers either workstation or network-server installation with a short list of options, had by far the fastest installation and setup time among the products reviewed.
The basic Anti-Virus scan engine effectively found the virus signatures in my test. For managing multiple servers or a server and multiple clients, Sophos Enterprise Manager comes into play. Once again, straightforward design and execution is the watchword, with an emphasis on deploying and updating client scanner software.
Sophos’ software seems readily suited to two very different user groups. The first is the large organisation, with solid network management already in place, seeking straightforward antivirus protection, because Sophos is unlikely to conflict or collide with any other security or management software.
A company looking for simple-to-install antivirus software that doesn’t require a great deal of network knowledge for successful deployment would also find this product useful. In this case, Sophos’ simplicity makes it easy to get solid anti-virus protection.
Symantec AntiVirus Corporate Edition 8.0
Symantec provides a component-based approach to enterprise antivirus protection. As with the other two products in this review, McAfee and Sophos, enterprise management is separate from the active scanning component, and there are “snap-in” components within the scanner for individual applications.
The design of the component architecture is apparent upon deployment; the antivirus server must be installed first to set up security groups, with individual clients then created and deployed through the server interface.
Individual servers and workstations are managed through the Symantec Event Manager interface, which uses a Windows NT Management Console for its displays and actions.
Parameters controlled by the management console include the behaviour of snap-in components for scanning MAPI (Messaging API) email traffic and Lotus Notes messages. In addition, update behaviours (using Symantec’s LiveUpdate technology), actions to be taken upon positive identification, and alerts for groups, individual servers, or workstations can be set from the central console.
If an enterprise is very large, yet has other facilities to control network policies and firewall-based security, Symantec is a solid candidate to fill its antivirus scanning needs.
After putting these antivirus scanners through their paces, it’s clear that each has its security bearings and would be a solid component of a complete enterprise antivirus strategy.
None of these products fails in the basic mission of virus detection, and the differences in management approaches give companies several choices when seeking the one product that will best mesh with their particular IT philosophy and architecture.