I would venture to guess that virtually every computer network has had to deal with the downtime and expense of recovering from some type of malware infection. According to AV-Test (www.av-test.org), an independent antivirus software testing lab, 2007 saw record numbers of computer viruses, worms, and other malware, and 2008 is continuing that trend. Naturally, prevention is less costly than recovery—but how do you choose from the myriad of antivirus or anti-malware solutions on the market? Let’s look at some things you should consider when choosing an enterprise antivirus product, and then you can check out the product comparison table to find the best one for your organization.
Today’s antivirus market includes products that protect file servers, email gateways, Web browsers, and desktops. They may be standalone products or part of an integrated security suite that might include a firewall, intrusion detection system (IDS), intrusion prevention system (IPS), Network Access Control (NAC), and spam filtering. You can choose from desktop solutions or server-side solutions that offer centralized control for deploying, configuring, and updating the software and that eradicate malware threats before they infiltrate your network. Security appliances as well as hosted and managed security solutions that outsource the management details of your security strategy are also gaining in popularity. Because of the wide array of solution types, we’ve limited the scope of this Buyer’s Guide to server-side enterprise antivirus products.
Features and Functionality
At a minimum, your antivirus solution needs to be compatible with your enterprise OSs and be able to scale with your organization’s growth. It should pull frequent automatic signature updates and generate an alert when it detects an event. Beyond detection, it should quarantine or remove what it finds and, where possible, disinfect (clean) infected files rather than simply deleting them. Antivirus technology is continuously evolving, so here are some additional features and functionality you should keep in mind.
Scanning engines—the more the merrier. Many antivirus solutions, particularly mail and Web gateway products, use more than one vendor’s engine to scan for security threats. No single scanning engine catches 100 percent of viruses, so a multi-engine product will usually pick up the occasional virus or worm that sneaks by a single-engine product. The trade-offs are longer scan times and the combined false positives of every engine, so this approach belongs at the gateway or on a file server; installing two vendors’ on-access scanners on the same desktop is not the same thing and usually leads to conflicts and performance problems.
Detection types—keeping up with new viruses and variants. Most antivirus products detect viruses by signature matching, which identifies a virus by a specific code sequence taken from a known sample. But in today’s fast-evolving security environment, when new virus variants crop up by the minute, signature matching isn’t enough: a variant that has been repacked or trivially altered no longer contains the sequence the signature looks for. Many products now add heuristic scanning and behavior monitoring to identify typical infection methods and suspicious behavior that might indicate a variant before a signature is available. The cost is a higher rate of false positives, so check how a product reports heuristic detections (alert versus automatic quarantine) and how quickly the vendor issues corrections for a bad detection.
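To make the difference concrete, here is an added example (not code from the article or from any product) that runs a toy signature matcher and a simple entropy heuristic over constructed sample files. The signature bytes, the threshold of 7.2 bits per byte, the sample names, and the use of seeded pseudo-random bytes as a stand-in for packed or compressed content are all assumptions made for the demonstration. It shows a repacked variant slipping past the signature but being caught by the heuristic, and a legitimate archive being flagged by the same heuristic, which is the false-positive problem the paragraph describes.

```python
"""Added example (not from the article): signature matching next to a
simple heuristic, run over constructed sample files, to show why a
heuristic catches an unseen variant but also flags legitimate content."""
import math
import random
from collections import Counter

# Hypothetical signature: a constructed byte sequence standing in for the
# "specific code sequence" a vendor would extract from a real sample.
SIGNATURES = {
    "Demo.Worm.A": b"\x90\x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0",
}

# Content at or above this entropy (bits per byte, maximum 8.0) is treated
# as "packed or encrypted payload". 7.2 is a constructed threshold for this
# demo, not a value taken from any product.
ENTROPY_THRESHOLD = 7.2


def signature_scan(data: bytes) -> list:
    """Exact byte-sequence matching: names every signature found in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data: bytes) -> bool:
    """Static heuristic: flag high-entropy content as suspicious."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def verdict(data: bytes) -> str:
    """Report the way a layered engine would: signature hit first, then heuristic."""
    hits = signature_scan(data)
    if hits:
        return "infected:" + ",".join(hits)
    if heuristic_scan(data):
        return "suspicious:high-entropy"
    return "clean"


# Constructed samples. A seeded RNG stands in for compressed or packed
# bytes, which are statistically close to random.
rng = random.Random(1)
KNOWN_WORM = b"A" * 2048 + SIGNATURES["Demo.Worm.A"] + b"B" * 2048
# Same worm, repacked: the signature bytes no longer appear in the file.
PACKED_VARIANT = b"MZ" + bytes(rng.getrandbits(8) for _ in range(4096))
# Legitimate archive: a ZIP local-header magic followed by compressed data.
LEGIT_ARCHIVE = b"PK\x03\x04" + bytes(rng.getrandbits(8) for _ in range(4096))
PLAIN_TEXT = b"Quarterly report: revenue up 4 percent.\n" * 100


def run_demo() -> dict:
    """Scan every constructed sample and return {name: verdict}."""
    samples = {
        "known_worm": KNOWN_WORM,
        "packed_variant": PACKED_VARIANT,
        "legit_archive": LEGIT_ARCHIVE,
        "plain_text": PLAIN_TEXT,
    }
    return {name: verdict(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15} {result}")
```

The known sample is caught by its signature alone, the repacked variant is caught only by the entropy heuristic, and the archive is flagged by that same heuristic even though nothing is wrong with it. Real engines combine many heuristics and behavior monitoring rather than a single entropy check, but the trade-off is the same: broader coverage of unseen variants in exchange for detections that someone has to review.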
Scanning options—what, where, when. Antivirus products should scan memory, all drives, and the registry, and many now also scan removable devices such as USB drives. They should offer scheduled and on-demand scans, and many offer continuous on-access (background) scanning. Another useful feature is the ability to whitelist files or folders to be excluded from scans; keep that list short and documented, because every exclusion is a place the scanner no longer looks. Scan logs should be viewable as reports and exportable in a format you can work with. Reports are important tools for seeing how many and which viruses have been blocked and where infections most often come from.
Viruses, worms, and Trojans, oh my. Simply detecting and blocking a virus in an email is no longer sufficient. An antivirus program should detect viruses, worms, Trojan horses, Web threats, rootkits, and other forms of malware that threaten your network security. Your solution should also let you block certain file types such as .exe, .bat, or .asp files. Look for a product that identifies the file type from its content as well as its extension, because a renamed executable (or one hiding behind a double extension) slips past a list that checks names alone.
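The following added example (not code from the article or from any product) shows the two checks side by side on constructed attachments: an extension list like the one the paragraph describes, and a content check that reads each file’s leading bytes (its magic number). The extension list, the type names, the sample file names, and the sample contents are assumptions for the demonstration.

```python
"""Added example (not from the article): file-type blocking by extension
next to blocking by content, to show what an extension list alone misses."""
import os

# Extensions the article names, plus .scr and .com as typical additions
# (constructed policy, not any product's default list).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".asp", ".scr", ".com"}

# Leading-byte signatures ("magic numbers") for types that have them.
# Batch and ASP files are plain text with no magic number, so only the
# extension, or a real content parser, can identify them.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"%PDF-", "pdf"),
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}


def blocked_by_extension(filename: str) -> bool:
    """splitext() takes the last suffix, so 'invoice.pdf.exe' is caught."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def detect_type(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def gateway_decision(filename: str, data: bytes) -> tuple:
    """Return ('block' | 'allow', reason) using both checks in turn."""
    if blocked_by_extension(filename):
        return "block", "extension"
    kind = detect_type(data)
    if kind in BLOCKED_TYPES:
        return "block", "content:" + kind
    return "allow", kind


# Constructed attachments. The PE samples carry only the "MZ" header and
# padding; they are not executables.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "setup.exe": PE_STUB,                              # caught by extension
    "invoice.pdf.exe": PE_STUB,                        # double extension, still .exe
    "photo.jpg": PE_STUB,                              # renamed executable: content check only
    "notes.txt": b"meeting moved to Thursday\n",
    "quarterly.pdf": b"%PDF-1.4\n1 0 obj\n",
    "cleanup.bat": b"@echo off\r\ndel /q %TEMP%\\*\r\n",  # text: extension is the only signal
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,       # allowed here; real products recurse into archives
}


def run_demo() -> dict:
    """Apply the policy to every constructed sample and return {name: (decision, reason)}."""
    return {name: gateway_decision(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_demo().items():
        print(f"{name:18} {decision:6} {reason}")
```

The renamed executable is the case to watch: it passes the extension list and is stopped only because the content check recognizes the PE header. The batch file shows the opposite limit, since text formats have no magic number and the extension (or a parser for that format) is the only handle the product has on them.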
Do the Legwork
Of course the most important evaluation criterion for an antivirus solution is performance: high threat detection rates, few false positives, and low impact on business operations. However, performance testing is beyond the scope of this Buyer’s Guide, so we’ll leave that part of the evaluation to you. But fear not, there’s help. Antivirus testing labs such as AV-Test, ICSA Labs (www.icsalabs.com), and AV-Comparatives.org (www.av-comparatives.org) publish independent detection and false-positive results. So after you have your short list of products that best meet the needs and wants of your organization, visit one or more of these sites to see how the products stack up against one another. And don’t forget, most vendors (including all those listed in the product table) offer fully functional trial versions so you can try before you buy. When you do, the harmless EICAR test file (www.eicar.org), which every mainstream product detects, is a quick way to confirm that a trial installation is actually scanning the paths you expect.