eTrust Antivirus 7.0 pulls double duty
- 06 August, 2003 11:52
Computer Associates’ eTrust Antivirus 7.0 is similar to enterprise antivirus solutions from other leading vendors such as McAfee, Symantec and Trend Micro. But CA’s solution distinguishes itself in several important ways, making it worthy of serious consideration to protect your company’s systems.
The first difference between eTrust Antivirus and the competition is that it comes equipped with two separate virus scan engines, increasing the probability that it will catch rogue viruses, worms, or Trojan horses.
Secondly, the solution covers an unusually broad range of server and client platforms, including Linux, Mac OS, Novell’s NetWare, Sun’s Solaris, and Microsoft’s Windows. That’s much better than Symantec’s AntiVirus Enterprise Edition, which does not support Mac OS, and better still than the Windows-centric McAfee solution.
A third distinguishing difference is its sheer ease of use. The client software is simple and ties tightly to the server. And the server is much easier to configure and monitor than other antivirus products we’ve seen.
Finally, and most interestingly, the policy-based management system allows mobile users' profiles to change automatically, so that their antivirus protection behaves differently depending on where they are: in a hotel room or coffee shop, say, as opposed to directly connected to the enterprise LAN.
We were disappointed, however, that it really is a standalone client/server product. There are no integration points with other members of CA’s eTrust family, including its access management and intrusion detection systems (IDSs). Antivirus only plugs into CA’s Unicenter-TNG network management system.
The biggest change to the Antivirus offering is the inclusion of two virus scan engines, InoculateIT and Vet. We didn’t see any differences between them, and CA didn’t provide any reasons to prefer one over the other, other than that the engines were developed independently.
Presumably, the benefit of having two virus scan engines is that coding or design flaws in one wouldn’t be in the other, thereby improving reliability. Having two virus checkers also minimises the chances that a clever virus writer will find a way to fool both engines. In fact, that philosophy pushes some security administrators to install antivirus solutions from competing vendors at different places on their network.
By having two engines in one product, administrators can increase security through diversity without doubling their costs or administrative headaches. With eTrust, administrators can choose to deploy either engine or both. Unfortunately, it’s not possible to configure individual users or servers to use both virus engines at the same time or on the same machine.
For some servers, such as email or file servers, the ability to run both engines would be a plus. We would even suggest the ability to use one engine for real-time scanning of incoming/outgoing traffic and the other for scheduled sweeps of stored files on the disk. Perhaps CA will add that to a future release.
As it is, the company suggests configuring some users to use one engine and other users, the other engine. That way, if a virus manages to evade one engine, then there is a chance that the other engine will catch it as it propagates through the network. Our recommended scheme is to use one for servers and the other for clients, to catch messages being passed back and forth.
To be clear, we don’t consider the dual engines a good enough reason to deploy eTrust. If we were paranoid enough to install multiple virus engines, we’d still want them to be provided by different vendors.
What sways us to recommend Version 7.0 is that it is so easy to manage. You can administer individual users remotely from the management station or set policies and enforce them across the network.
The software also quickly and accurately finds machines on the LAN that are running the eTrust Antivirus software. It can also be configured with redundant antivirus policy and signature servers, adding a bit of robustness to the solution.
Based on the results of discovery scans, administrators can assign each machine to a threat group, each with its own policies for signature updates, assigned virus engine, and predetermined course of action when a virus is detected (such as automated deletion or file quarantine).
For our test, we configured Windows and Linux servers to be in one threat group and Macintosh and Windows workstations to be in another. On a production network, we would assign mobile users and telecommuters to their own group and assign them more rigorous policies due to their greater likelihood of contamination.
The only truly innovative feature in eTrust Antivirus 7.0 is the ability for clients to automatically reconfigure their threat group placement depending on their location. When connected to the LAN, a laptop can be set to download new signature files from a LAN server; but when connecting remotely, it can be told to use another signature and policy server, perhaps at the enterprise’s DMZ.
eTrust Antivirus also hooks into email servers — that is, if your company uses Lotus Notes or Microsoft Exchange. Our test lab does have an Exchange 2000 server, and we were able to easily install the eTrust plug-in for Exchange. It was able to catch emailed viruses immediately upon their delivery to the SMTP server. It’s too bad that eTrust doesn’t contain hooks for GroupWise or Sendmail.
As with other antivirus clients, the eTrust workstation client can monitor incoming and outgoing SMTP, POP3, or IMAP4 traffic, as well as FTP or HTTP traffic.
Antivirus 7.0 is similar to other enterprise antivirus solutions, but CA’s system is easier to manage and supports a wider range of server and desktop clients, including Macintosh and Linux. The system also dynamically assigns systems to specific policy groups.