I would venture to guess that virtually every computer network has had to deal with the downtime and expense of recovering from some type of malware infection. According to AV-Test (www.av-test.org), an independent antivirus software testing lab, 2007 saw record numbers of computer viruses, worms, and other malware, and 2008 is continuing that trend. Naturally, prevention is less costly than recovery—but how do you choose from the myriad of antivirus or anti-malware solutions on the market? Let’s look at some things you should consider when choosing an enterprise antivirus product, and then you can check out the product comparison table to find the best one for your organization.
Choices, Choices
Today’s antivirus market includes products that protect file
servers, email gateways, Web browsers, and desktops. They
may be standalone products or part of an integrated security
suite that might include a firewall, intrusion detection
system (IDS), intrusion prevention system (IPS), Network
Access Control (NAC), and spam filtering. You can choose
from desktop solutions or server-side solutions that offer
centralized control for deploying, configuring, and updating
the software and that eradicate malware threats before
they infiltrate your network. Security appliances as well
as hosted and managed security solutions that outsource
the management details of your security strategy are also
gaining in popularity. Because of the wide array of solution
types, we’ve limited the scope of this Buyer’s Guide to
server-side enterprise antivirus products.
Features and Functionality
At a minimum, your antivirus solution needs to be
compatible with your enterprise OSs and be able to
scale and grow with your organization’s needs. It should
provide frequent automatic signature updates and alert
generation when an event is detected. In addition to
detection, your solution should provide quarantine or
removal functionality and perhaps healing capabilities
for suspicious content. Antivirus technology is continuously
evolving, so here are some additional features and
functionality you should keep in mind.
Scanning engines—the more the merrier. Many antivirus solutions use more than one engine to scan for security threats. No antivirus scanning engine catches 100 percent of viruses. Therefore, using a product with multiple scanning engines can usually pick up the occasional virus or worm that might sneak by a single-engine product.
Detection types—keeping up with new viruses and variants. Most antivirus products detect viruses by using signature-matching technology, which identifies a virus by a specific code sequence. But in today’s fast-evolving security environment, when new virus variants crop up by the minute, signature matching isn’t enough. Many products now use heuristic scanning and behavior monitoring to identify typical infection methods and suspicious behavior that might indicate virus variants before a signature is available. Unfortunately, these methods can also provide a high number of false positives.
Scanning options—what, where, when. Antivirus products should scan memory, all drives, and the registry. Many now offer scanning of removable devices such as USB drives. They should offer scheduled scans and on-demand scans, and many offer continuous background scanning. Another useful feature is the ability to whitelist items to be ignored or excluded during scans. Reports of the scan log files should be available or portable to your desired format. Reports are important tools for letting you see how many and which viruses have been blocked and where the most popular sources of infection are.
Viruses, worms, and Trojans, oh my. Simply detecting and blocking a virus in an email is no longer sufficient. An antivirus program should detect viruses, worms, Trojan horses, Web threats, rootkits, and other forms of malware that threaten your network security. Your solution should also give you the ability to block certain file types such as .exe, .bat, or .asp files.
Do the Legwork
Of course the most important evaluation criterion for an
antivirus solution is performance: high threat detection
rates, with few false positives and low impact on business
operations. However, performance is beyond the scope
of this Buyer’s Guide, so we’ll leave that part of the evaluation
to you. But fear not, there’s help. Antivirus testing
labs such as AV-Test, ICSA Labs (www.icsalabs.com),
and AV-Comparatives.org (www.av-comparatives.org)
have done the performance testing for you. So after you
have your short list of products that best meet the needs
and wants of your organization, visit one or more of these
sites for help in determining how the products stack up
against one another performance-wise. And don’t forget,
most vendors (including all those listed in the product
table) offer fully functional trial versions so you can try
before you buy.