Malware — viruses, worms, Trojans, and other bits of programmatic nastiness — is a multi-billion dollar problem. According to analysts at Aliso Viejo, Calif.-based Computer Economics Inc., last year’s SoBig virus alone accounted for
US$1 billion in damages, and the estimated tab for the first
wave of MyDoom last January was US$4 billion.
But the cost of cleanup and lost productivity is not the scariest part of the equation. That’s reserved for the supposedly collateral damage from back doors installed in infected systems. July’s MyDoom attack took down major search engines and flooded e-mail systems, causing great irritation and economic loss.
What people didn’t immediately realize was that it installed a back door that was subsequently used by another virus — an electronic one-two punch.
These back doors allow compromised computers to be controlled by anyone holding their secrets. Lists of vulnerable systems can be sold to spammers, who use them to spew their garbage. Sneakily installed keyloggers can scoop up passwords, bank account numbers and credit card numbers and send them to those who will make illicit use of them. Compromised machines can be used to attack other systems, either on purpose, as with MyDoom’s assaults earlier this year on SCO and Microsoft, or accidentally, as the latest MyDoom did when it took down popular search sites in its quest for e-mail addresses to spam.
And the authors are not all kiddies looking for bragging rights anymore. Criminals have discovered the potential of malware, and are taking advantage of it.
Stopping their activities requires a combination of tactics. People need to be more cautious about the files they open, the Web sites they visit and the “”free”” programs they install. Software vendors need to tighten up their code to eliminate the vulnerabilities exploited by malware. Law enforcement needs new tools and techniques to track down the bad guys. And, until all this is in place, every computer needs anti-virus software.
We asked a group of vendors to supply their corporate products, to give us a sense of what the market today offers. Six agreed to participate.
TTX Canada provided a 1.7 GHz Pentium 4 laptop with 512 MB RAM for the testing.
CA etrusT anti-virus 7.1
ETrust is unique in that it contains not one, but two scanning engines. Administrators can choose which one to use, and even alternate them in scheduled scans if desired.
The program runs on almost any platform: Windows from 95 up, Linux, several versions of Unix, NetWare, Macintosh OS X, PDAs, some smart phones and more. The administrator’s console is equally versatile, allowing enterprise control from Windows, Linux or Mac. The admin interface looks very much like a Microsoft Management Console plug-in. The administrator has a collection of 60 reports to choose from, and can lock down user settings to prevent accidental cessation of protection.
Workstations can be designated as signature caching servers, so updating is distributed to improve performance.
The program offers all of the usual amenities: on-demand scanning, scheduled scans, choice of files to scan (the default is all), and if a user remotely accesses or copies an infected file to the PC, they’re immediately locked out for a configurable time.
Grisoft Avg anti-virus network edition 7.261
AVG’s pricing is for a two-year licenCe.
AVG runs on Linux and every version of Windows from 95 up. It comes as either a standalone or a network edition with centralized deployment. Administrators can build setup packages on CD or on network shares, or push the software out to their clients from a server (they must deploy with administrator privileges on the target system). They can even configure a system to their satisfaction, then use it as a template for deployments. The configuration can be either completely locked, or can be set to allow the user to change specific parameters.
The interface has two user interfaces: Basic and Advanced. Basic has a straightforward push-button look, while Advanced resembles MMC. As expected, the administrator’s interface provides extensive monitoring and reporting of the state of protected systems; all of this information is stored in a SQL database. Grisoft even provides tools to keep this database tidy and performing well.
By default, the program runs a full scan when you start the system. However, it didn’t slow normal operations on our test system. It generates a dialogue when it’s done, which is distracting unless there’s something to report.
I found it annoying that the default installation only loaded a subset of the help files; you have to go to the Grisoft site to retrieve the full package.
McAfee virusscan enterprise 8i
VirusScan Enterprise 8i is a shiny new version of McAfee’s enterprise product, with lots of new bells and whistles. We tried a release candidate, since our deadline was a couple of weeks before official launch.
As well as standard virus protection (including some spyware detection) for Windows NT and higher (Windows 9x users are stuck at version 4.5.1), 8i now offers port blocking (which stops unknown mass mailers from sending); it will even prevent FTP or Web activity if desired. It can be configured to block access to shares, to prevent IRC communication, and to prevent creation of new executables and DLLs in system directories.
There’s buffer overflow protection for a herd of programs (including Internet Explorer), with, McAfee says, more on the way.
“”Unwanted program”” (spyware, adware, joke programs, dialers, remote administration programs, etc) detection is off by default — a bit silly given the amount of the pesky stuff around. In a nice touch, however, users can define additional programs to block, if they choose.
The current administration tool, ePolicy Orchestrator (ePO), will have been upgraded by the time you read this (a new version is scheduled for the end of August). However, the big improvements won’t arrive until next year, when ePO’s somewhat convoluted reporting system gets a major revamp. ePO performs necessary administrative tasks nicely, but it can be difficult to extract information about troublesome systems.
An unmanaged system can be converted by simply installing the ePO agent (which, incidentally, also works on Windows 98, deploying and managing the older VirusScan).
One small change was made in the client updating — VirusScan now retrieves DAT (signature) updates first, then updates to its scanning engine. This eliminates the need to run the process twice when the engine changes, since new engines usually depend on a specific DAT level.
Installing Panda can be a wee bit convoluted. Where most products need, at most, a licence code, Panda wants a user name and password as well. I was also somewhat bemused when a number of the dialogue boxes appeared in Spanish.
Once you get past those idiosyncrasies, the AdminSecure administrative program builds a repository and distributes the client to workstations (all versions of Windows from 95 up). Users have zero configuration choices; those who click on the Panda head in the system tray only see a list of what they can scan (files, e-mail, etc).
The administration console has a clean interface that’s easy to navigate. It lets you set up jobs to perform tasks such as installations or scans by individual workstation or groups of workstations, or with a click, you can let it auto-deploy. It scans for spyware and other unwanted programs by default. However, it only looks at predefined file extensions. You have to (and should) change this setting to all files.
The reporting screens are easily readable, and pinpoint systems with outdated software or signatures, or that need other attention. Extensive logging gives you a picture of what’s been going on.
Symantec anti-virus corporate edition 9.0
Symantec’s software will protect Windows systems from 98 up. At installation, you choose managed or unmanaged; an unmanaged system can later be converted by simply copying the configuration file pointing at the management server.
Actually, there can be several management servers, besides the one handling clients — one to download signature updates to a network distribution point, and one to receive and quarantine heuristically detected infected files, which are then automatically sent to Symantec for diagnosis. Servers may be running Windows or NetWare.
Client deployment can be pushed from the server, or pulled from a Web page or logon script, or run from CD. Symantec includes a packager that allows third-party tools like Microsoft’s SMS or Novell ZENworks to deploy the software as well.
I found it unusual that no icon appeared in the system tray on protected systems (this is configurable, according to the docs). Access to the program was through an item on the Start menu. However, all of the configuration choices were there (and can, of course, be centrally defined as well). If the client is accidentally or deliberately disabled, it will automatically restart after a preconfigured period of up to an hour. Adware and spyware detection is considered part of normal operations — there is no separate enabler for it, but it is only done during a manual scan. The
Auto-Protect feature that monitors incoming files only watches for viruses.
Logs are kept both on client and server, and can be exported to an Access database for analysis.
Trend Micro Officescan corporate edition 6.5
OfficeScan ups the ante on installation complexity by demanding a registration code, then taking you to the Trend Web site where you enter contact information. Then you get an e-mail with a user ID, password and activation code, which unlocks the features you’ve purchased.
This is overkill.
What you are actually installing is the server, which includes a policy server for Cisco NAC. It’s entirely Web-based, which means if you don’t have IIS installed, it installs an Apache server. To keep things secure, SSH is included. You do need to know enough about the network to define a port for the console; the default is 4343.
Shipping out the client to desktops is a matter of clicking on an item on a Web page (and agreeing to the running of several ActiveX controls, if your browser security is set to High).
The client (Windows 95 and higher), like Panda’s, has little control over its settings. The administrator can permit the user to unload the client, but that’s about it. Everything else is centrally managed, including the desktop firewall. Oddly, there’s no scan option on the context menu when you right-click on a file.
Reporting is extensive, and shows you systems updated, systems out of date, infected systems — all of the pieces an administrator needs. An outbreak monitor sends an alert if the number of infections hits a configured threshold.
Bad bugs need good medicine
The most important thing about anti-virus software is it detects and removes the ever-growing stream of malware that’s assaulting systems.
For that data, we checked three authorities who regularly evaluate the effectiveness of anti-virus products: Virus Bulletin, home of the VB100 rating asserting that the product finds all of the viruses in the wild at testing time; ICSA Labs; and, West Coast Labs, which doles out Level 1 Checkmark certification to products detecting all viruses in its test suite and Level 2 to those that can also remove them.
In the most recent Virus Bulletin tests, CA, McAfee and Symantec passed all of the Windows tests (McAfee failed RedHat Linux, while the other two were not tested), AVG handled Windows XP Professional, Windows Server 2003, and RedHat, but missed on Windows NT, and Panda and Trend have not been recently tested.
In ICSA Labs’ tests, all of the products were able to detect the malware thrown at them, but Panda and AVG were unable to clean it all.
West Coast’s Checkmark Level 1 and 2 went to CA, McAfee, Symantec and Trend; the others were not tested.
Corporate licensing is typically an annual expense that includes signature and engine updates (AVG’s pricing is for two years), but even if you managed to buy perpetual licences, the updates are mandatory to maintain protection. Too much new malware comes out too quickly; bypassing updates can be an expensive “”economy.””
In selecting anti-virus software, one thing to look at is the platforms you need to protect. Windows is easy — everyone supports it, though McAfee’s abandonment of Windows 9x is a strike against it. Linux users have fewer options; CA and AVG are the best bets in the group we looked at. CA is the only product in our roundup to support Mac.
Other than that, detection of malware other than viruses is a definite plus, along, of course, with robust manageability so administrators can make sure security policies are enforced.