Managing Antivirus Software - Keep the Reinstall Away

Thursday, October 14, 2010

Bozidar Spirovski


Having an anti-virus on your computer systems is one of the standard best practices for every computer user, regardless of whether you are a home user or a business.

Although there are a lot of users (both corporate and home users) that consider the anti-virus a useless weapon, it still provides a very real protective layer on your computers.

No anti-virus is 100% effective, but even at 80% effectiveness, it means far fewer problems with malware.

Here are some simple guidelines for selecting and managing your anti-virus environments:

Home Environment

Managing an anti-virus in a home environment is relatively easy. Most users have 2-4 computers in the home, and they need to set up an anti-virus on every one of them. The most important elements are:

  • Regular updating of signatures from the manufacturer
  • Active real-time protection
  • Regular (weekly or monthly) scheduled scan

In order to keep your home anti-virus system in good condition, you need to:

  • Set the antivirus to perform automatic cleaning with quarantine (no delete) - this way even if you get a false positive, the file isn't deleted and you can rescue it from
  • Check the update version - check whether updates are still current and there are no issues with updating
  • Review the last scan results - this way you will be alerted if malware is identified
  • Review the quarantine - to find if false positive files were captured by the anti-virus and need to be 'rescued'

Choosing the Product

Beyond that, it comes down to price and functionality. The home user can choose a free product, or they can buy antivirus protection. Here is a sample of criteria to review when choosing the anti-virus:

  • Legitimate antivirus software - What you need to be very careful about when implementing a home antivirus environment is that the product really is an anti-virus. Wikipedia, citing SpyWare Warrior, notes that more and more malware masquerades as legitimate anti-virus software. In order to avoid these malware decoys, you can check the product against the Wikipedia list of anti-virus software.
  • Range of malware that you are protected from - Can the engine detect virus, spyware, rootkits, etc.?
  • Behavior-blocking - Does the antivirus monitor system calls with a heuristics engine to prevent vulnerability exploitation attempts and zero day virus breakouts?

Corporate Environment

Managing an anti-virus in a corporate environment is a lot more work. There are hundreds, even thousands of computers that need to be protected. In such an environment you need to fight the following battles:

  • Keeping clients up-to-date - when updating hundreds of computers, there will be issues: computers that are off, computers where the antivirus software has failed for any reason, and issues in communication with the update server
  • Keeping clients compliant to policy - same as above, updates to policy may fail or be in significant delay
  • Preventing the anti-virus servers from overloading - updating hundreds of systems can cause hogging of the update server or the Internet link.

In order to keep your corporate anti-virus system in good condition you need to:

  • Set the update frequency according to corporate policy - updating the anti-virus in a corporate environment needs to be planned. Updates may be needed more than once per day, but if you make the updates too frequent you'll end up overloading the antivirus server with requests.
  • Balance the load of management and updates in a distributed environment - when you have branches, it is wise to distribute the burden of updates and management to branch servers and administrators.
  • Implement additional policy elements - anti-virus software may also be used to enforce corporate policies of not running some software in certain parts of the day (example - block media player from 9 to 12 and from 2 to 5)
  • Schedule automated scans - similar to the home users, scheduled scans are good for confirming that nothing is sleeping in downloaded documents, unopened files etc.
  • Schedule automatic reports - your best tool for keeping the corporate antivirus infrastructure in good condition is an automated report. This way, a report on the number of non-updated
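The checklists above (checking update currency, last scan results and the quarantine for a handful of home machines, and producing an automated report on non-updated and non-compliant clients in a corporate fleet) are the same check at different scales. The script below is an added example, not code from the original post or from any antivirus vendor: it evaluates a constructed set of client status records against assumed policy thresholds (24-hour signature age, 7-day scan age, a current policy version number) and builds the report an administrator would review each morning. Real products export this data through their management console or agent logs; the record layout here is invented for the example.

```python
"""Antivirus fleet compliance report over constructed client status records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds: assumed values for this example, adjust to corporate policy.
MAX_SIGNATURE_AGE = timedelta(hours=24)   # signatures older than this count as "non-updated"
MAX_SCAN_AGE = timedelta(days=7)          # weekly scheduled scan expected
CURRENT_POLICY_VERSION = 12               # policy revision the management server currently pushes


@dataclass
class ClientStatus:
    """One client's last-known state as reported to the management server (hypothetical layout)."""
    hostname: str
    branch: str
    last_signature_update: datetime
    last_scan: datetime
    realtime_enabled: bool
    policy_version: int
    quarantine_count: int


def assess(client: ClientStatus, now: datetime) -> list[str]:
    """Return the list of compliance problems for one client (empty list means compliant)."""
    problems = []
    if now - client.last_signature_update > MAX_SIGNATURE_AGE:
        problems.append("signatures out of date")
    if now - client.last_scan > MAX_SCAN_AGE:
        problems.append("no recent scheduled scan")
    if not client.realtime_enabled:
        problems.append("real-time protection disabled")
    if client.policy_version < CURRENT_POLICY_VERSION:
        problems.append("policy not current")
    return problems


def build_report(clients: list[ClientStatus], now: datetime) -> dict:
    """Aggregate per-client findings into the daily report: who is non-compliant,
    how many per branch, and which quarantines hold items that need a false-positive review."""
    report = {"total": len(clients), "non_compliant": {}, "by_branch": {}, "quarantine_review": {}}
    for c in clients:
        problems = assess(c, now)
        if problems:
            report["non_compliant"][c.hostname] = problems
            report["by_branch"][c.branch] = report["by_branch"].get(c.branch, 0) + 1
        if c.quarantine_count > 0:
            report["quarantine_review"][c.hostname] = c.quarantine_count
    return report


def format_report(report: dict) -> str:
    """Render the report as the plain-text summary that would be mailed to the administrator."""
    lines = [f"Clients: {report['total']}, non-compliant: {len(report['non_compliant'])}"]
    for branch, count in sorted(report["by_branch"].items()):
        lines.append(f"  branch {branch}: {count} non-compliant")
    for host, problems in sorted(report["non_compliant"].items()):
        lines.append(f"  {host}: {', '.join(problems)}")
    for host, count in sorted(report["quarantine_review"].items()):
        lines.append(f"  {host}: {count} quarantined item(s) to review for false positives")
    return "\n".join(lines)


# Constructed sample data: a report run at 09:00 on the day of the original post.
NOW = datetime(2010, 10, 14, 9, 0)
SAMPLE_CLIENTS = [
    ClientStatus("ws-hq-01", "hq", NOW - timedelta(hours=2), NOW - timedelta(days=1), True, 12, 0),
    # switched off for three days: missed signatures and the latest policy push
    ClientStatus("ws-hq-02", "hq", NOW - timedelta(days=3), NOW - timedelta(days=3), True, 11, 0),
    # user disabled real-time protection; scheduled scan has not run for ten days
    ClientStatus("ws-br1-01", "branch-1", NOW - timedelta(hours=1), NOW - timedelta(days=10), False, 12, 2),
    ClientStatus("ws-br1-02", "branch-1", NOW - timedelta(hours=5), NOW - timedelta(days=2), True, 12, 0),
]

if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_CLIENTS, NOW)))
```

The quarantine count is deliberately reported separately from the non-compliance list: a populated quarantine is not a policy failure, but it is the place where a false positive would be sitting, so it needs a human look rather than an automatic escalation.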

Choosing the Product

When implementing a corporate anti-virus solution, the criterion of choosing a legitimate (non-malware) antivirus is not important - there are no malware products designed to operate as corporate antivirus systems.

And even if someone tries to make such a malware, it will be immediately identified, since corporate anti-virus solutions are constantly evaluated - both by independent technology sites and companies, and by other manufacturers of anti-virus solutions assessing the competition.

But there are other criteria for corporate anti-virus that need to be evaluated. Here is a sample of criteria:

  • Range of malware that you are protected from - Can the engine detect virus, spyware, rootkits, etc.?
  • Behavior-blocking - Does the antivirus monitor system calls with a heuristics engine to prevent vulnerability exploitation attempts and zero day virus breakouts?
  • Expanded functionality - System firewall: does it provide blacklists and whitelists for addresses and domains?
  • Policy control - Does the antivirus provide controls to enforce corporate policies regarding use of certain elements of the computer system? For example, an antivirus system may provide policies to prevent running of certain applications, although they are not malware, or prevent access to USB storage devices, etc.
  • Signature updates - How large and frequent are signature and other updates? This can range from one per day to multiple updates per day. This is a very significant issue: a signature that is updated once per day can be quite large, so in a large corporation the update process will hog the central antivirus server.
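The update-frequency and load-balancing points above (too-frequent or simultaneous updates overloading the central server or Internet link, and offloading branches to local distribution servers) come down to arithmetic that is worth doing before choosing a schedule. The script below is an added example, not code from the original post or from any product: it takes a constructed fleet of 1000 hostnames across three sites, staggers each client's update slot deterministically by hashing its hostname into a minute offset, and estimates the peak number of simultaneous clients and the peak link throughput the update server would see. The update size, fleet and window values are assumed for the illustration.

```python
"""Estimate antivirus update-server load under different scheduling strategies (added example)."""
import hashlib
from collections import Counter

# Constructed fleet: 1000 workstations across a head office and two branches.
FLEET = {
    "hq": [f"ws-hq-{i:04d}" for i in range(600)],
    "branch-1": [f"ws-br1-{i:04d}" for i in range(250)],
    "branch-2": [f"ws-br2-{i:04d}" for i in range(150)],
}
ALL_HOSTS = [h for hosts in FLEET.values() for h in hosts]

# Assumed sizes: one large daily signature package versus smaller incremental ones.
DAILY_UPDATE_MB = 30.0
INCREMENTAL_UPDATE_MB = 8.0


def assign_slot(hostname: str, window_minutes: int) -> int:
    """Deterministic stagger: hash the hostname into a minute offset inside the update window.
    Hashing (rather than random choice) gives each client the same slot every day, which keeps
    the load pattern predictable and lets an administrator reason about a specific machine."""
    digest = hashlib.sha256(hostname.encode()).digest()
    return int.from_bytes(digest[:4], "big") % window_minutes


def peak_load(hostnames: list[str], window_minutes: int, update_size_mb: float) -> tuple[int, float]:
    """Return (peak clients updating in one minute, peak Mbit/s on the server link) when the
    given clients spread their update over a window. A window of 1 means everyone at once."""
    per_minute = Counter(assign_slot(h, window_minutes) for h in hostnames)
    peak_clients = max(per_minute.values())
    # 1 MB = 8 Mbit; all of a minute's clients pull their package within that 60 s.
    peak_mbps = peak_clients * update_size_mb * 8 / 60
    return peak_clients, peak_mbps


def branch_peaks(fleet: dict, window_minutes: int, update_size_mb: float) -> dict:
    """Load seen by each branch's own distribution server when branches are served locally;
    the central server then only feeds the branch servers, not every workstation."""
    return {branch: peak_load(hosts, window_minutes, update_size_mb) for branch, hosts in fleet.items()}


if __name__ == "__main__":
    clients, mbps = peak_load(ALL_HOSTS, 1, DAILY_UPDATE_MB)
    print(f"all at once, daily package:    {clients:4d} clients/min, {mbps:8.1f} Mbit/s")
    clients, mbps = peak_load(ALL_HOSTS, 60, DAILY_UPDATE_MB)
    print(f"60-minute stagger, daily:      {clients:4d} clients/min, {mbps:8.1f} Mbit/s")
    clients, mbps = peak_load(ALL_HOSTS, 60, INCREMENTAL_UPDATE_MB)
    print(f"60-minute stagger, incremental:{clients:4d} clients/min, {mbps:8.1f} Mbit/s")
    for branch, (clients, mbps) in branch_peaks(FLEET, 60, DAILY_UPDATE_MB).items():
        print(f"  {branch:9s} local server:       {clients:4d} clients/min, {mbps:8.1f} Mbit/s")
```

The comparison makes the trade-off in the text concrete: more frequent updates are fine for the server as long as each one is small and the clients are staggered, whereas a single large daily package that every client fetches at the same minute is what saturates the link. Per-branch serving bounds each site's peak by its own headcount, which is the load-balancing argument made in the corporate checklist.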


Depending on whether you are running a home or corporate environment, you face different challenges with antivirus solutions.

But regardless of environment and product, you will be very grateful that you are running an antivirus the day someone you know loses data or re-installs their computer due to virus corruption.

Cross-posted from Short Infosec

Evandro Rodrigues: Excellent post Bozidar!
I just like to comment about corporate environments: it's very important that administrators get full control of antivirus software through a management tool, that is, block all kinds of configuration for the end user. Most infected environments are due to an end user that disabled the antivirus software because the system was low, or the antivirus blocked some activity, and other reasons. So, take full control through an antivirus centralized management tool.