CA's Antivirus Software Returns

eTrust is aggressively priced

Computer Associates International Inc. (CA) announced the release of its eTrust Antivirus version 7, an update of CA’s enterprise anti-virus software. Islandia, NY-based CA’s product comes with “everything you need to protect the entire environment—from perimeter to PDA,” says Ian Hameroff, CA’s eTrust security strategist.

The new software also uses multiple scanning engines, which CA claims provides “double the protection,” and the software runs on a range of platforms, including new Linux distributions, PocketPC 2002, and support for the soon-to-be-released Microsoft Windows Server 2003. New “Roam About” capability lets enterprises better update mobile workers. When all is said and done, however, the biggest difference between CA’s eTrust Antivirus and similar products may well just be the low price—$35 per user, and less in volume.

“Their price point is about two-and-a-half times cheaper than Symantec, the market leader,” says Peter Firstbrook, a senior research analyst at Meta Group. In terms of the user base in the Global 2000 (the 2000 largest companies worldwide), he says eTrust has a six or seven percent market share. Competition is fierce—McAfee has a large number of enterprise customers, Symantec a large percentage overall, and Trend Micro a notable chunk of the gateway market.

The cost of the eTrust Antivirus individual license includes the product and protecting all devices the person uses—desktop, laptop, PDA—plus one year of maintenance and updates, including 24x7 telephone support. Signatures will always be free—unlike other anti-virus companies that levy annual signature update subscription fees. Total cost of ownership is “about 20-30 percent less than our competitors,” says Hameroff. For a limited time, users who upgrade from a competitive anti-viral product will get a free copy of eTrust Antivirus version 7, plus two years of maintenance for the cost of one.

Given CA’s current eTrust pricing, not even counting added incentives, “they're trying to buy some market share right now, they're being very aggressive, and they're re-launching the product; it's been languishing behind the market” in terms of attention and updates, says Firstbrook.

The re-launched product includes Web management capability. “Management is the core competency of CA,” remarks Hameroff. One centralized console can manage the virus updates and policy settings for an entire enterprise. Policies might specify, for example, that development computers automatically scan their hard drives for viruses twice per day, just given the sensitive work done on those computers.

Roam About, new in version 7, is technology that can “automatically and dynamically reconfigure the location where a mobile user receives their signature updates,” says Hameroff. Using it, “I am automatically rediscovered in a different part of the network and the policies automatically reapply.”

eTrust Antivirus also protects PDAs, including Palm and PocketPC 2002. That’s notable since Symantec discontinued its Anti-virus software for Palm OS last year.

One reason Symantec may not be bothering with PDA anti-virus software is because “there just aren't any known viruses yet, it isn't a huge threat—though I think it will be,” predicts Firstbrook. “It's always a percentage game. The more platforms there are, the more fun it is to exploit it,” and PDAs aren’t nearly as plentiful as Linux boxes or Microsoft Outlook e-mail clients, for starters. Eventually, of course, someone is going to target PDAs. CA thinks that likelihood will grow as increasing numbers of PDAs get wireless access.

CA added dual-scanning capability with version 6. “What we discovered was that a majority of our very paranoid customers were running multiple virus scan engines, because there's still a small chance that an anti-virus product could miss a virus,” explains Hameroff. Assuaging paranoia aside, however, such a practice might not actually catch any more viruses.

The reason anti-virus products miss viruses is “usually because it doesn't have the right pattern to look for,” notes Firstbrook, not because of the kind of scanning engine it uses. According to analyst firm Meta Group, anti-virus scans typically miss a virus one to three percent of the time simply because they don’t have a pattern or haven’t been updated. Yet CA trumpets Meta's figure and mentions in the same breath eTrust Antivirus’s multiple scanning engines as a way to close the gap.

“They keep mentioning that,” observes Firstbrook. To set the record straight, of the scan failure rate, “I’d almost say it’s higher than that” in real life. “What it's getting at is, if you look at anti-virus testing, there are a couple of organizations that do that, and there's the Wildlist (—pretty much the list of known viruses out in the wild,” he says. But there will always be unknown viruses that pop up, or software that hasn’t been updated to catch new viruses—hence the less-than-100-percent performance rate.

Having two different virus scanning engines won’t necessarily “double the power” of any product and help organizations eliminate catch that one percent to three percent of viruses that slip through. Several organizations test virus scanners by loading a virus onto a PC, then seeing how the scanning software performs. Most products perform at better than 99 percent in that test, meaning that the difference in virus-scanners is virtually nil—at least for a company thinking of paying for multiple virus-scanning engines in the first place. Failure to catch viruses is rarely—if ever (there’s little data on that fraction of one percent)—the fault of the software. It’s just the fact that the software doesn’t have the appropriate pattern to look for yet—again, because the virus is too new or the anti-virus patterns on a PC haven’t been updated recently enough.

That 99 percent figure is also a caution for companies: some viruses strike faster than updates arrive. “That still means there are viruses getting through, and that also means if you don't do a virus file update on a regular basis, you'll have an issue. The point is that putting in anti-virus is only one part of the equation, you still have to maintain the software, and in the early parts of the outbreak, where there are no virus definition files, then you're sitting there waiting,” says Firstbrook.

CA also notes that it releases virus files daily, unlike competitors—but that’s a non-issue. Other vendors “also push it out when it's needed, so it doesn't really matter if it's daily or not,” Firstbrook says.

What will really help eliminate the small number of viruses that still slip past anti-virus software, he says, are efforts by other vendors to create outbreak management systems. Even when it takes a little while to identify a new virus and craft scanner updates (which is what happened when the I Love You virus first hit), companies can at least get a warning that something bad is circulating. Network administrators can pull the plug on the mail server until an update comes through, or in the case of the aforementioned virus, just block all e-mails with “I Love You” in the headline. Hopefully future, devastating viruses that come along unannounced will be similarly easy to spot while everyone waits for virus scanning updates.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.