Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


May 2008

Enterprise Antivirus Software

Protect your network

I would venture to guess that virtually every computer network has had to deal with the downtime and expense of recovering from some type of malware infection. According to AV-Test (www.av-test.org), an independent antivirus software testing lab, 2007 saw record numbers of computer viruses, worms, and other malware, and 2008 is continuing that trend. Naturally, prevention is less costly than recovery—but how do you choose from the myriad of antivirus or anti-malware solutions on the market? Let’s look at some things you should consider when choosing an enterprise antivirus product, and then you can check out the product comparison table to find the best one for your organization.

Choices, Choices
Today’s antivirus market includes products that protect file servers, email gateways, Web browsers, and desktops. They may be standalone products or part of an integrated security suite that might include a firewall, intrusion detection system (IDS), intrusion prevention system (IPS), Network Access Control (NAC), and spam filtering. You can choose from desktop solutions or server-side solutions that offer centralized control for deploying, configuring, and updating the software and that eradicate malware threats before they infiltrate your network. Security appliances as well as hosted and managed security solutions that outsource the management details of your security strategy are also gaining in popularity. Because of the wide array of solution types, we’ve limited the scope of this Buyer’s Guide to server-side enterprise antivirus products.

Features and Functionality
At a minimum, your antivirus solution needs to be compatible with your enterprise OSs and be able to scale and grow with your organization’s needs. It should provide frequent automatic signature updates and alert generation when an event is detected. In addition to detection, your solution should provide quarantine or removal functionality and perhaps healing capabilities for suspicious content. Antivirus technology is continuously evolving, so here are some additional features and functionality you should keep in mind.

Scanning engines—the more the merrier. Many antivirus solutions use more than one engine to scan for security threats. No antivirus scanning engine catches 100 percent of viruses. Therefore, a product with multiple scanning engines can usually pick up the occasional virus or worm that might sneak by a single-engine product.

Detection types—keeping up with new viruses and variants. Most antivirus products detect viruses by using signature-matching technology, which identifies a virus by a specific code sequence. But in today’s fast-evolving security environment, when new virus variants crop up by the minute, signature matching isn’t enough. Many products now use heuristic scanning and behavior monitoring to identify typical infection methods and suspicious behavior that might indicate virus variants before a signature is available. Unfortunately, these methods can also produce a high number of false positives.
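
The trade-off described above, shown as an added example that is not part of the original article: a toy scanner in Python. The signature, behavior markers, weights, threshold, and sample "files" are all constructed for illustration and do not come from any real product.

```python
# Constructed signature database: detection name -> exact byte sequence.
SIGNATURES = {"Demo.Worm.A": b"DEMO-WORM-BODY-0001"}

# Constructed behavior markers with weights (stand-ins for traits a
# heuristic engine might score); not taken from any real engine.
HEURISTICS = {
    b"copy-self-to-share": 3,
    b"add-autorun-entry": 2,
    b"mass-mail-contacts": 3,
}
THRESHOLD = 4  # assumed cut-off: at or above this, flag as suspicious


def signature_scan(data: bytes) -> list:
    """Return names of signatures whose exact byte sequence occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_score(data: bytes) -> int:
    """Sum the weights of every behavior marker present in data."""
    return sum(weight for marker, weight in HEURISTICS.items() if marker in data)


def scan(data: bytes) -> tuple:
    """Signature match first; fall back to heuristics when no signature hits."""
    hits = signature_scan(data)
    if hits:
        return ("signature", hits[0])
    score = heuristic_score(data)
    if score >= THRESHOLD:
        return ("heuristic", "suspicious (score %d)" % score)
    return ("clean", None)


# Constructed sample contents, labelled with what each one really is.
SAMPLES = {
    # Known threat: body matches the stored signature exactly.
    "known_worm.bin": b"hdr|DEMO-WORM-BODY-0001|copy-self-to-share|add-autorun-entry",
    # New variant: body changed, so the signature misses; behavior is unchanged.
    "new_variant.bin": b"hdr|DEMO-WORM-BODY-0002|copy-self-to-share|add-autorun-entry",
    # Legitimate backup agent with the same behaviors: a false positive.
    "backup_agent.bin": b"hdr|BACKUP-AGENT|copy-self-to-share|add-autorun-entry",
    # Ordinary program with no scored behaviors.
    "text_editor.bin": b"hdr|TEXT-EDITOR",
}


def report() -> dict:
    """Scan every constructed sample and return name -> verdict."""
    return {name: scan(data) for name, data in SAMPLES.items()}
```

The variant slips past the signature and is caught only by its behavior, while the legitimate backup agent earns the same heuristic verdict, which is the false-positive cost the paragraph mentions.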

Scanning options—what, where, when. Antivirus products should scan memory, all drives, and the registry. Many now offer scanning of removable devices such as USB drives. They should offer scheduled scans and on-demand scans, and many offer continuous background scanning. Another useful feature is the ability to whitelist items to be ignored or excluded during scans. Reports of the scan log files should be available in, or exportable to, your desired format. Reports are important tools for letting you see how many and which viruses have been blocked and where the most common sources of infection are.

Viruses, worms, and Trojans, oh my. Simply detecting and blocking a virus in an email is no longer sufficient. An antivirus program should detect viruses, worms, Trojan horses, Web threats, rootkits, and other forms of malware that threaten your network security. Your solution should also give you the ability to block certain file types such as .exe, .bat, or .asp files.

Do the Legwork
Of course, the most important evaluation criterion for an antivirus solution is performance: high threat detection rates, with few false positives and low impact on business operations. However, performance is beyond the scope of this Buyer’s Guide, so we’ll leave that part of the evaluation to you. But fear not, there’s help. Antivirus testing labs such as AV-Test, ICSA Labs (www.icsalabs.com), and AV-Comparatives.org (www.av-comparatives.org) have done the performance testing for you. So after you have your short list of products that best meet the needs and wants of your organization, visit one or more of these sites for help in determining how the products stack up against one another performance-wise. And don’t forget, most vendors (including all those listed in the product table) offer fully functional trial versions so you can try before you buy.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.