Corporate Antivirus recommendation

Nate_007

Member
May 13, 2013
129
0
0
Hey,

Would you guys kindly give me some suggestions on some good antivirus to be used in a corporate setting? Right now we are using Symantec, and we would like to use something else.

Thanks
 

Ketchup

Elite Member
Sep 1, 2002
14,559
248
106
We could probably make a better recommendation if we knew why you wanted to try something else.

We use Microsoft Forefront where I work, and I use MSE at home. Never had a problem with either. Nice and light.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
It might help people make a recommendation if you say what you dislike about Symantec that's making you want to rip and replace it.

I had a little bit of experience with McAfee's product about 7 years ago, but since then I've been working somewhere that uses Symantec (Endpoint Protection since it was released, and before that Symantec AV Corp Ed.), so I can't give you any suggestions based on first hand experience.
 

DaveVandorAmon

Golden Member
Sep 4, 2005
1,452
7
91
Honestly - most 'corporate' AV works the same. If you rip and replace, unless you're looking for some sort of functionality your current vendor does not provide, it is a wasted effort.

As others have elaborated, if you can present your current situation in terms, we might be able to assist with the current solution.

I myself am an ePO (McAfee) admin on 4.x, 4.5.x, and 4.6.x, and was a SAV 8/9 / SEP 10 Admin in the past. I've also worked with Forefront and Trend Micro.
 

Nate_007

I just started as an IT support specialist here, and our Admin (my boss) told me that over the years a lot of users are still getting viruses. I was also told that they did their own tests, and when they purposely downloaded infected files, sometimes it would not even detect the infected file. They would then download a free AV and it would detect it.

Right now we are looking at ESET, so far I see a good price/performance ratio according to various reviews/real world test results.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,053
196
116
> I just started as an IT support specialist here, and our Admin (my boss) told me that over the years a lot of users are still getting viruses. I was also told that they did their own tests, and when they purposely downloaded infected files, sometimes it would not even detect the infected file. They would then download a free AV and it would detect it.
>
> Right now we are looking at ESET, so far I see a good price/performance ratio according to various reviews/real world test results.

Just wondering, are those people using administrator level user accounts? That could be part of the reason and if they didn't that would probably help....
 

Nate_007

> Just wondering, are those people using administrator level user accounts? That could be part of the reason and if they didn't that would probably help....

Not sure, I literally just started here less than a month ago (I'm a recent grad). I guess they conducted their own test last year, I was told they've been wanting to change to a different product for a while now, just did not have time to research for a new one. Since I'm here, I've been given this task. I know, no AV is perfect but what would be the next best thing after Symantec?
 

seepy83

Alright...since you're new there, and your Boss already has his mind made up based on their "tests" (although I'm inclined to believe there may be some poor configuration causing it to not detect the files...but that's not for you or I to determine at this point), I guess you should just pick a new AV vendor instead of trying to fix the current situation. I'd probably be looking at McAfee, MS Forefront, Trend Micro, and Kaspersky if I were you. I have no recommendation either way...just telling you what companies I would look at.

If something isn't already in place, you may want to look at implementing a product that does AV scanning at your network edge so that it can block malicious files before they even get to your desktop. Ideally, you would be using Vendor A's virus definitions at the network edge, and Vendor B's virus definitions on your hosts. But, again, since you're new there you might not want to rock the boat too much depending on what your boss is like and whether or not he is open to other people making suggestions.

Getting experience ripping and replacing one AV with another in a corp environment is something good to get under your belt. It's not always a fun and easy task.
 

Ketchup

> I just started as an IT support specialist here, and our Admin (my boss) told me that over the years a lot of users are still getting viruses. I was also told that they did their own tests, and when they purposely downloaded infected files, sometimes it would not even detect the infected file. They would then download a free AV and it would detect it.
>
> Right now we are looking at ESET, so far I see a good price/performance ratio according to various reviews/real world test results.

I have heard good things about ESET. The problem with Symantec is that the name itself is a target, so attackers are going to go after that one most of the time.

Personally, I hate McAfee. I have hated every version I have come across over the years. Why? It bogs down the system too much, and it just doesn't catch malware/viruses (I have run into this twice this year alone.)

Good luck, and congrats on the job!
 

Nate_007

> Alright...since you're new there, and your Boss already has his mind made up based on their "tests" (although I'm inclined to believe there may be some poor configuration causing it to not detect the files...but that's not for you or I to determine at this point), I guess you should just pick a new AV vendor instead of trying to fix the current situation. I'd probably be looking at McAfee, MS Forefront, Trend Micro, and Kaspersky if I were you. I have no recommendation either way...just telling you what companies I would look at.
>
> If something isn't already in place, you may want to look at implementing a product that does AV scanning at your network edge so that it can block malicious files before they even get to your desktop. Ideally, you would be using Vendor A's virus definitions at the network edge, and Vendor B's virus definitions on your hosts. But, again, since you're new there you might not want to rock the boat too much depending on what your boss is like and whether or not he is open to other people making suggestions.
>
> Getting experience ripping and replacing one AV with another in a corp environment is something good to get under your belt. It's not always a fun and easy task.

Thank you for this. Yes I'm still a total newbie in the IT world and would need all the advice I can get, but I think my boss seems open to any suggestions. He encouraged me in the beginning to be creative and offer any inputs and new ideas to the company. So how would I suggest such a case? What about an IDS in the network and AV on hosts?
 

DaveVandorAmon

First things first is always to start on the ground floor and inventory your organization's current policies, practices, and processes.

A second thing, as Chiefcrowe already suggested, is limited user environment and role-based access controls. These are a good way to reduce the attack surface or scope to start.

Then you should speak with whomever is in charge of IT security and discuss with them what the ramifications are, get any back-story, etc.

Sometimes managed AV is a security function or capability run by IT operations but governed by Security. You'll then need both groups to bless it (or someone to agree on ownership, or demarcation of ownership and accountability).

The size of your company, its distribution, etc. will all play a factor in whatever is decided.

It sounds to me as if choosing an AV vendor is really the least of your problems.
 

Ketchup

Nate_007, one question I forgot to ask. Are all these viruses coming from within the workplace, or from people who take laptops home and do "who knows what" with them?
 

Nate_007

> First things first is always to start on the ground floor and inventory your organization's current policies, practices, and processes.
>
> A second thing, as Chiefcrowe already suggested, is limited user environment and role-based access controls. These are a good way to reduce the attack surface or scope to start.
>
> Then you should speak with whomever is in charge of IT security and discuss with them what the ramifications are, get any back-story, etc.
>
> Sometimes managed AV is a security function or capability run by IT operations but governed by Security. You'll then need both groups to bless it (or someone to agree on ownership, or demarcation of ownership and accountability).
>
> The size of your company, its distribution, etc. will all play a factor in whatever is decided.
>
> It sounds to me as if choosing an AV vendor is really the least of your problems.

Thanks for this. Our company is not that big, about 70+ end users. Our IT department that does all the tech stuff is basically just three people including me (not counting programmers), so I get to do a bit of everything. We currently do not have AD set up because we only provide laptops for our end users. So basically the users probably use these laptops to do personal stuff when they are at home.
 

seepy83

> Thanks for this. Our company is not that big, about 70+ end users. Our IT department that does all the tech stuff is basically just three people including me (not counting programmers), so I get to do a bit of everything. We currently do not have AD set up because we only provide laptops for our end users. So basically the users probably use these laptops to do personal stuff when they are at home.

Am I reading this correctly...it is a 70+ employee company, and you don't have AD (Active Directory) set up? Your environment must be a complete nightmare to manage. Get AD set up before you go planning to switch AV software.

If the company is willing to invest in having a proper network, then you're in a great place if you can play a role in getting AD set up (even if that role is 90% learning). You have the potential to learn a lot here.
 

Nate_007

> Am I reading this correctly...it is a 70+ employee company, and you don't have AD (Active Directory) set up? Your environment must be a complete nightmare to manage. Get AD set up before you go planning to switch AV software.
>
> If the company is willing to invest in having a proper network, then you're in a great place if you can play a role in getting AD set up (even if that role is 90% learning). You have the potential to learn a lot here.

Since I'm not the admin, sorry if I'm not being clear with my explanations. I am basically learning as I go, they do not have time to run down the topology with me in great detail. They have some kind of AD, but it is not set up to manage the laptops. We do not have desktops, 20% of our users work from home so we only deploy laptops to all our end users. So basically, with my understanding so far, we do not have a common domain setup for all laptops. So yes it is a nightmare to manage. So I am already thinking, I may have to deploy each AV on each laptop one by one. I will double check this with my boss, well I'm the new hire so I really cannot complain.
 

DaveVandorAmon

I see. Your best bet if you're looking for a short-term solution would be something cloud based (ugh, I hate that term).

I'd start with trying to get a handle of how things are laid out and managed. Try to ask questions in a way that is not offensive and don't ask why-based questions yet. Just remember that the boss gave you this job and frame all discovery in those certain terms.

Ideally, centralizing as much as you can makes your job easier. Plus you'd like to find out the answers to why without triggering alarms. Freshers need this data to understand their environment, and a lot of times admins get very defensive when newbies ask questions that are perceived as a challenge to their expertise (or IMO lack thereof).

Doesn't sound to me like your org is ready for the financial or operations investment yet. You still need protection on those machines. I'd consider developing a ramp-up strategy for how you address what needs to be addressed today for today with the idea that it will develop over time into something long-run stable and standardized.
 

Chiefcrowe

Some great ideas here for managing the environment...

but about AV, I like System Center Endpoint Protection but I have a feeling that ESET is easier to set up the central admin console.
 

Exterous

Super Moderator
Jun 20, 2006
20,553
3,714
126
Hmm... no AD setup? Well I will give you my experiences but they are AD based - which can be pretty important for management and deployment. I have worked with Blink, Kaspersky and Trend Micro and only liked TM of the three.

When I moved away from Kaspersky I seriously looked at ESET. Seemed like a great product with a small, fast footprint. One of the things I really liked was the ability to push software packages other than ESET through their admin console. I tested it through AD groups but IIRC you can create your own groups within it for non-domain setups. You might find that very helpful since it sounds like you have no group policy options.

Sadly ESET was more expensive than TM so we went with TM - not that there is anything wrong with the AV part of TM just ESET had some nicer features and ran a bit faster on some of the ancient machines we have laying around.

As for TM it's pretty easy to manage - although I don't think it allows for custom groupings outside of AD (but I'm not sure). One of the benefits for you if you have to touch every machine is that it installs very quickly. I find it installs in an average of 2 min (assuming 'scan before install' is not checked) although there will be some network usage to update once it's installed.

I did find the webpage install a bit of a pain as it required a bunch of ActiveX exemptions be added for our setup. You may not run into the issue though and, if that's the case, you can just send people an email with a link for them to click on and install the software on their own.

Another plus for TM is that the licensing is incredibly easy. Aside from VMs they make no distinction between pc, server or TM server. You could install a TM management server on every single computer you have a TM license for if you wanted. I don't know if you are planning on expanding to or have remote sites but this can be very useful in terms of setting up remote update servers.

> Nate_007, one question I forgot to ask. Are all these viruses coming from within the workplace, or from people who take laptops home and do "who knows what" with them?

I would love to enable the feature that requires routing of company laptops taken home through our firewall but I have neither the bandwidth nor the buy-in.
 

DaveVandorAmon

Not for nothing, some security is better than no security, but I really don't want to make a recommendation for something internal and infrastructure based, from hearing the presented details about this environment.

OP, I would really discuss in the short-term getting something like System Center 2012 Endpoint on a subscription basis and cloud managed for your org's laptops if that is where the concern lies. Then discuss more middle-term and long-term people, process, technology with your boss.

Your org is small enough that it may not see any value making investments to infrastructure or may not have someone to properly guide them - get something cloud based to solve today's problem and road-map out the long term solution after getting some breathing room.
 