In an effort to help IT managers better secure their organisations, Computerworld brings you answers - provided by AusCERT's experts - on a few of the more common questions around key security technologies. Here we look at Enterprise Antivirus.
Q: What do you really need when it comes to Enterprise Antivirus?
Again, develop a comprehensive list of requirements. Aim for defence-in-depth: having different antivirus engines on your gateway and mail servers, and then another on your servers and desktops, reduces the likelihood of malicious code slipping through, but it may carry the overhead of skilling your staff on extra products, extra products to maintain, and licensing.
In the end, it all comes down to effective risk management and cost/benefit analysis.
Q: What should be your evaluation and selection criteria and why? How should you go about comparing offerings?
1) Does the solution fit the needs of the business?
2) Does the solution offer more than just antivirus, for example device control, host quarantining, unmanaged system detection, Active Directory integration and anti-rootkit/anti-spyware capabilities?
3) Are there multiple access levels? Can the helpdesk, for example, manage alerts but not add or remove systems?
4) Does the vendor offer “free for home use” for employees?
5) How good is the reporting and management of the system? Does it meet the business requirements?
6) What is the detection rate of the system compared to other offerings?
7) What is the rate of false positives and false negatives?
Comparing offerings should be done using a cost/benefit analysis with input from technical staff; you want to get the greatest benefit for the lowest cost over the life of the product for the business.
Q: What are the prime considerations for Enterprise Antivirus?
1) High detection rates for “in the wild” malware
2) Low false-positive rate, and a history of timely remediation of false positives
3) Low visibility to the end user – security should be as transparent as possible to users.
4) Ease of deployment and management
5) Regular definition updates
6) Low system resource utilisation
Q: In your mind what are the key Enterprise Antivirus Do's and Don’ts?
1) Do consider using more than one vendor across the enterprise
2) Do set the update frequency to more often than once a day
3) Don’t allow end users the ability to remove or uninstall components.
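The two "Do's" and the "Don't" above, together with the "unmanaged system detection" criterion earlier, all reduce to checks that can be run against the data an antivirus management console already holds. The script below is an added example, not code from Computerworld or AusCERT and not tied to any vendor's product: it compares a directory export against the status each agent last reported and flags hosts with no agent (unmanaged), hosts whose definitions are older than a 12-hour threshold (i.e. not updating more than once a day), and hosts where the agent's self-protection has been switched off (a user may be able to remove it). The host names, timestamps and the fixed "now" are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: hosts known to the directory (e.g. an AD computer
# export) and the status each AV agent last reported to the console.
DIRECTORY_HOSTS = {"ws-001", "ws-002", "ws-003", "srv-mail-01", "srv-file-01"}

AGENT_STATUS = [
    # host, last definition update (UTC), whether agent self-protection is on
    {"host": "ws-001", "defs_updated": "2024-05-01T09:10:00Z", "self_protect": True},
    {"host": "ws-002", "defs_updated": "2024-04-29T18:00:00Z", "self_protect": True},
    {"host": "srv-mail-01", "defs_updated": "2024-05-01T08:30:00Z", "self_protect": False},
    {"host": "srv-file-01", "defs_updated": "2024-05-01T07:45:00Z", "self_protect": True},
    {"host": "lab-box-07", "defs_updated": "2024-05-01T10:00:00Z", "self_protect": True},
]

# Fixed reference time so the run is reproducible offline (assumption).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Definitions must refresh more often than once a day; 12h is the chosen threshold.
MAX_DEF_AGE = timedelta(hours=12)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(directory_hosts, agent_status, now=NOW, max_age=MAX_DEF_AGE):
    """Return the hosts that violate each of the three controls.

    unmanaged   - in the directory but never reported to the AV console
    unknown     - reporting to the console but absent from the directory
    stale       - definitions older than max_age (updates not frequent enough)
    unprotected - agent self-protection off, so a user could remove components
    """
    reporting = {entry["host"] for entry in agent_status}
    unmanaged = sorted(directory_hosts - reporting)
    unknown = sorted(reporting - directory_hosts)

    stale, unprotected = [], []
    for entry in agent_status:
        age = now - parse_utc(entry["defs_updated"])
        if age > max_age:
            stale.append(entry["host"])
        if not entry["self_protect"]:
            unprotected.append(entry["host"])

    return {
        "unmanaged": unmanaged,
        "unknown": unknown,
        "stale": sorted(stale),
        "unprotected": sorted(unprotected),
    }


if __name__ == "__main__":
    for finding, hosts in audit(DIRECTORY_HOSTS, AGENT_STATUS).items():
        print(f"{finding:12s} {', '.join(hosts) or '-'}")
```

In practice the two inputs would come from a directory query and the console's export or API, and the threshold should be set just above the update interval you configure, so that a single missed update window is reported rather than tolerated.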
Q: Last thoughts?
Antivirus should always be the last barrier in your defensive strategy; don’t treat it as a first line of defence.