Four Systems for Beating Back Enterprise Infection

The proliferation of viruses has brought a terrible curse upon users, servers, and corporate officials alike. Coincidentally, as this article went to press, the ILOVEYOU virus was running wild. Wouldn’t it be nice if an anti-virus program could take away all that pain? This review attempts to answer that question for four products: Sophos Inc.’s Sophos Anti-Virus, Symantec Corp.’s Norton AntiVirus, Trend Micro Inc.’s NeaTSuite, and McAfee Corp.’s Active Virus Defense Security Suite.

When testing these products, we focused on several key abilities: ease of management, notification, automatic updating, and client management.

One aspect of the anti-virus software we could not test satisfactorily, oddly enough, was the detection process itself. Every vendor we contacted, including ICSA, declined to provide samples of the most current virus types and formats, citing liability and security concerns. Word and Excel macro viruses were available and were easily detected, but we were really interested in the more malicious invaders, the ones that cause the most havoc.

We settled for innocuous substitutes such as macro changes and ancillary tricks like altering the boot records and then restoring them, to simulate what a virus might do to harm a computer. In our test lab we were limited to 13 clients and four servers for the test bed. While this is not sufficient to prove or rate each product’s ability in a true enterprise setting, it did allow us to gauge each product’s ability to work in a client/server environment.

To perform the review, we set up a network of Windows NT Servers, Windows 9x clients, and one NetWare server. We installed this test scenario on a permanent DSL connection to the Internet to test protection across such environments, as well as to test automatic updates.

The clients were Intel-based PCs: most with Pentium 166-MHz processors and 64 MB of memory, some with 433-MHz Celerons and 128 MB of memory, plus two laptops from Toshiba. The NT Servers were Pentium II units with 384 MB of memory and plenty of disk space. The NetWare server was comparably equipped.

All of these devices were interconnected via a Cisco switched network platform, and routed across a private network with a proxy server, and then out to the Internet. We watched traffic as it passed along this path so we could see how the software detected activity.

Sophos Anti-Virus

While not known as one of the big boys of anti-viral software, Sophos Anti-Virus installs simply and operates like a full-featured enterprise scale product. We put it on our NT Server so we could install it to our clients. This was made possible by the creation of a network share accessible by the clients. We also created a script that would do the job when the user logged onto the network.

The product is capable of three modes of operation: networked mode, for installation on the servers; distributed mode, where the InterCheck client and server are loaded and executed on the desktop; and client/server mode, in which the user loads the product when logging on to the server. We tested both the client/server and distributed modes. Both worked flawlessly.

The product is built on a client/server architecture, which provides a wealth of functionality. The InterCheck server performs the centralized duties of signature maintenance and notification of the responsible administrators. The InterCheck client does the work at the desktop level, and did so without flaw.

We configured the product to log notifications to event logs, e-mail, and desktop messaging. All worked as expected, except for the e-mail notices. Because the product also scans e-mail, a notification message could itself be lost along with the mail it is sent through, so an administrator who relies on e-mail notices alone could miss an alert entirely.

For such an organized product, however, it lacks an auto-update facility. New viruses appear so often that signature updates are sometimes released only a few days apart. If you were away on a trip for several days, you could be left unprotected against the newest viruses.

Other than this issue, we found the product to be adequate, but it lags in depth and distribution of the updates to clients compared with the other reviewed products. It would significantly benefit from an Internet update and distribution tool.

NeaTSuite

Trend Micro's NeaTSuite is unique in that it covers the enterprise with a PC-based anti-virus product, but it excels at protecting the enterprise from Internet-borne intruders. We were pleasantly surprised at the range of issues NeaTSuite covers: content, HTTP traffic, and firewall services such as proxies via a product called VirusWall.

When we installed NeaTSuite, it was surprisingly easy to pick and choose which products were needed, from simple PC protection up to the most complex server operations. The suite is broken down into five major components. Control System is a Web-based management tool set used to manage the network installation from a single point of control. InterScan VirusWall monitors and protects Internet gateways. ServerProtect protects one or many network servers. OfficeScan provides client desktop protection. ScanMail for Exchange, as the name implies, searches Exchange e-mail for viruses.

We tested ServerProtect, OfficeScan, and ScanMail. Understanding that this differs from the other products, we found this combination to be valuable for the primary points of internal virus attacks. Perhaps as much as 85 percent of all virus attacks come from within, through floppies, e-mail, or other avenues.

With each of the three products, we introduced a Word macro virus into the server. We then e-mailed it to a "friend" on the internal network. ScanMail picked it up cleanly and took care of it in a prompt manner. We then shut down that mail server, started another SMTP server that was not protected, and e-mailed the original infected file to another user. OfficeScan detected the file immediately and cleaned it.

Notifications were equally adept at telling us what happened: E-mail, pop-up message boxes, printed output, pager, SNMP traps, and the Windows NT event log are all possible methods of letting you know what happened. We found that all functions tested worked like a charm.

Norton AntiVirus Enterprise Solution

Long a dominant player in this marketplace, Symantec’s Norton AntiVirus Enterprise Solution 4.0 reinforces the case for centralized anti-viral solutions that cover every inch of the client/server environment. The product comes with many options: Internet gateway protection, content filtering, e-mail server protection, and the usual server and desktop protection mechanisms.

For this test, we installed the enterprise solution on our main server, which becomes the "master primary server" according to Symantec. The hierarchical approach is to install one "master primary server" that feeds multiple branch servers. Periodic product updates go to this master server, and then clients and servers alike can use the internal network to retrieve updates. The effect is to drastically reduce Internet traffic, which we did test to its fullest extent -- and it worked flawlessly.

The overall installation process is a little long, but simple thanks to the well-written documentation. You install the management console, the live update facility, and then the master server. Establishing login script files makes distribution of the client setups a breeze, since a share point is created for all clients to access across the network.

Running the program reveals a few changes to the layout of the user interface. The old look has been replaced with a friendlier one, and the management tools are easier to use. An important aspect of the product from a server perspective is the ability to lock down access to the master server and branch servers. Only designated administrators can access and control the servers, regardless of location.

We expected no major changes in the well-proven SARC interfaces and quarantine facilities, and saw none. Little tweaks are present that give the user a better feel for the program, but what worked great before works great now.

A few paragraphs can’t do these products full justice, but Symantec clearly holds the position of leadership in the enterprise environment. The solid performance and client management tools set Symantec ahead of the others, but it trails Trend Micro in Internet-oriented protection such as proxy scanning. You’ll need to evaluate each product on its own merits to decide which is right for you.

Active Virus Defense Security Suite

We had some problems with the McAfee product provided for the review. We learned in the 11th hour that the provided product was a newly released version recently shipped to manufacturing. We only had the marketing briefs to review -- there was no documentation.

We installed the products as best we could ascertain from the CD’s menu system. A product engineer was contacted, and informed us that the main product runs on Windows 9x clients, NT Workstation, and Windows 2000 servers. If you want to support Windows NT Server 4.0 computers, you’ll need to use the NetShield product.

We configured the test server, and proceeded to install the NetShield component. We discovered a problem at the outset of the test. McAfee includes options during the installation of the product to provide additional services and controls for operation of the product, but the menu option specifically warns that McAfee neither supports nor encourages the use of these advanced options during normal operations. It baffled us why they would do this; presumably it is left to the user to decide whether they want or need the advanced system information.

We felt that if these options are essential for troubleshooting a critical problem, then the user should exercise the product at that time, gathering the critical system information that may be required by McAfee to assist the user. Perhaps a separate program could be executed that would gather such data, but we had no documentation to validate if this capability exists in the new product.

The installation of NetShield went without a problem, and we configured it to automatically scan each day, check updates for new signatures, and inform us when a variety of test situations occurred. The product is highly customizable and allowed us to specify when to scan, what type of files to scan, how to report problems and issues, and how to handle an infected file.

We then configured a Windows 95 and a Windows 98 client, repeating the scenario using the Virex client product. We made extensive use of the online help files during the review of these products, and they worked well. The client systems behaved as we expected: we modified the boot records and critical system files using a hexadecimal file editor, and the product detected the changes and offered us many options for handling the problem.
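The reviewers' test method, both in the lab setup described earlier (altering boot records and then restoring them) and in the McAfee client test above (editing boot records and system files with a hex editor), amounts to a controlled file-integrity experiment. The following is an added example, not code from the article or from any of the reviewed products, that reproduces that cycle in a throwaway directory: record a known-good hash baseline for a set of monitored files, tamper with a few bytes of a constructed fake boot-record image, confirm the change is detected, restore the original bytes, and confirm the files are clean again. The file names, contents and the two-byte change are all constructed for the example.

```python
import hashlib
import os
import tempfile


def make_lab_files(directory):
    """Create constructed stand-ins for 'critical files' and return their paths.

    These are not real boot sectors or system files; they are throwaway
    images so the example runs offline without touching the host."""
    boot_record = os.path.join(directory, "boot_record.bin")
    system_file = os.path.join(directory, "system.dll")
    with open(boot_record, "wb") as f:
        # 446 bytes of filler "code", 64 bytes of filler partition table,
        # and the 0x55AA boot signature, mimicking a 512-byte MBR layout.
        f.write(b"\x90" * 446 + b"\x00" * 64 + b"\x55\xaa")
    with open(system_file, "wb") as f:
        f.write(b"MZ" + b"\x00" * 510)   # constructed 'system file' image
    return [boot_record, system_file]


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record a known-good hash for every monitored file."""
    return {p: sha256_of(p) for p in paths}


def compare_to_baseline(baseline):
    """Return {path: 'ok' | 'modified' | 'missing'} for each monitored file."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_of(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def tamper(path, offset, new_bytes):
    """Overwrite bytes at offset (the reviewers' hex-editor step).

    Returns the original bytes so the change can be undone afterwards."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(len(new_bytes))
        f.seek(offset)
        f.write(new_bytes)
    return original


def restore(path, offset, original_bytes):
    """Put the saved bytes back, reversing tamper()."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(original_bytes)


def run_lab():
    """Baseline, tamper, detect, restore, re-verify.

    Returns the detection report after tampering and after restoring,
    keyed by file name so the result does not depend on the temp dir."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_lab_files(d)
        baseline = build_baseline(paths)
        boot = paths[0]
        saved = tamper(boot, 0, b"\xeb\xfe")   # constructed two-byte change
        after_tamper = compare_to_baseline(baseline)
        restore(boot, 0, saved)
        after_restore = compare_to_baseline(baseline)
        strip = lambda rep: {os.path.basename(p): s for p, s in rep.items()}
        return strip(after_tamper), strip(after_restore)


if __name__ == "__main__":
    tampered, restored = run_lab()
    print("after tamper :", tampered)
    print("after restore:", restored)
```

The point of separating the baseline from the comparison is the same one the reviewers relied on: a product (or a checker like this one) can only flag a modified boot record or system file if it has a trusted record of what the file looked like before. A missing file is reported distinctly from a modified one, because the two call for different responses.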

Overall, NetShield handled itself well and was adept at recording and reporting functions according to the test suite. The product handled client testing equally well, and we were pleased with its abilities. It provided all of the client/server protection that we anticipated, and we’re sure the product has more capabilities than this situation enabled us to evaluate.

Summary

This review was not performed as a head-to-head test to choose a winner or a loser, but as an informative review of several capable products. Each product has its strong and weak points. One of these four products should meet the needs of almost any type of enterprise protection.

Sophos has a very capable server and client product. It is easy on server resources, quickly scans network resources, and is easy to operate. It lacks an automated update facility, and it does not provide any level of Internet protection, such as e-mail or Web traffic analysis and protection. It is, by all accounts, strictly an anti-virus product for client and server data files.

Trend Micro's NeaTSuite is a capable client and server protection product, but clearly excels at protecting the enterprise from Internet traffic miscues. It has many options and features specifically geared toward the Internet, such as gateways, mail server traffic, applet controls, and integrated PC protection. It is a complicated product because of the large number of options to choose from, and can take some beginners by surprise. Its VirusWall feature is a boon to enterprises looking for protection at a key entry point -- the firewall.

Symantec is the leader in the corporate enterprise, but the previous two products are close on its heels. Symantec's depth of experience and improvements in the user interface are superb, but the product lacks some of the outstanding Internet tools found in Trend Micro's NeaTSuite. You can, however, purchase separate packages for firewall and gateway protection, which we were unable to test during this review.

McAfee produced a solid product. It worked well according to the marketing information we received, but without a complete set of administrative and user documents, we cannot make a complete recommendation about the product’s overall capabilities.

Sophos Anti-Virus

Sophos Inc., Wakefield, Mass.

(781) 213-3456

www.sophos.com

Price: Licenses are based on the number of systems/units and cover all fileservers, workstations, laptops, and standalones. A file server license covers one or more file servers and a specified number of networked PCs.

Desktops: Windows 9x, NT, 3.x, OS/2, DOS, Macintosh

Servers: NetWare, Windows NT/2000, OS/2, Open VMS, Unix, Vines

E-mail: Exchange, Lotus Notes

NeaTSuite

Trend Micro Inc., Cupertino, Calif.

(408) 257-1500

www.antivirus.com

Price: $1145 for 25-seat user license.

Desktops: Windows 9x clients

Servers: Windows NT/2000

E-mail: Exchange, Lotus Notes, HP Open Mail, Microsoft Mail, cc:Mail

Security: Checkpoint Firewall-1 Content Protection

Internet: Applets and ActiveX, content and spam filtering, HTTP filtering

Norton AntiVirus Enterprise Solution

Symantec Corp., Cupertino, Calif.

(800) 441-7234

www.symantec.com

Price: Vendor would not disclose pricing.

Desktops: Windows 3.1x, Windows 95/98 (including OSR2), Windows 2000 Professional

Servers: Windows NT Server 4.0, Windows 2000 Server, NetWare 3.12, 3.2, 4.1x, 5.0

E-mail: Lotus Notes, Exchange, Tivoli and IT Director

Active Virus Defense Security Suite

McAfee Corp., Santa Clara, Calif.

(408) 572-1500

www.mcafee.com

Price: $30 per node, at 5,000 nodes

Desktops: Windows 9x

Servers: Windows NT/2000

Network: Internet, firewalls, e-mail
