Anti-virus software is a necessary evil. It’s not a product anyone enjoys buying, but as tools to repel viruses and other malware are foundations of any decent security strategy, you’re almost always going to find yourself writing a cheque for it at some stage in your career.
That being the case, what should you look for when buying this class of software?
David Garrard, a consultant with Canberra security services company Commsnet, says he looks for four essential qualities in an anti-virus tool:
1. The ability to download signature updates to a central server and push these updates to desktops;
2. The ability to determine if a workstation does not have AV installed;
3. The ability to present reports on the amount of malware detected. One of the easiest ways to justify the expenditure on AV software is to be able to show how much malware is detected every month.
4. The ability to alert a central administrator that malware has been detected on a workstation.
Other important considerations when selecting anti-virus software can include:
• RAM footprint on the desktop and server, as some anti-virus software can consume significant amounts of memory and impact system performance;
• Efficiency of update distribution, as if a server is used to distribute anti-virus updates to endpoints it must do so in ways that do not clog LANs at busy times of day when users are logging in;
• Manageability, as if a central console can make it possible to detect and cleanse malware from endpoint computers, administration chores will be greatly eased.
Darren O’Loughlin, Dimension Data’s General Manager for Security, agrees that manageability is important, but also advises that when considering antivirus software it is important to think beyond viruses and malware.
“Antivirus has been around for a long time and it is a control everyone is familiar with,” he says, and adds that the overall problem of deterring viruses is “... a long-term architectural concern that you need to consider more holistically than one control element. It needs to be aligned with a threat and risk assessment.”
O’Loughlin believes such assessments need to go beyond the basic considerations of running antivirus software on desktop, servers and messaging gateways, and instead consider other emerging attack vectors he dubs “uncontrolled infrastructures”. Examples of these infrastructures include removable storage devices, mobile computing devices including laptops, smart-phones and tablet computers, and applications that come through the firewall into these devices.
Once those assessments have been made, organisations can plan antivirus purchases that will deliver the security needed in different parts of their infrastructure.
“I see organisations running Windows NT 4.0 because an application needs it, and the part of the network it is on cannot be have security patches applied because the patches break the apps,” he says. Rather than relying on off-the-shelf antivirus applications, organisations should therefore make plans to use conventional tools of this kind where applicable but plan for other security tactics elsewhere.
One of the tactics he feels is most useful is reputation-based antivirus that not only detects the presence of known malware, but also uses a network of intelligence sources to determine when an application is behaving in ways that indicate links to a known source of malicious software.
“This is where the cloud is great: it lets you get global threat intelligence if there is an outbreak in a different time zone. It’s very important given the rapidly changing nature of threats and the emergence of 0 day incidents.”
“To me, it’s architecture first, then global threat intelligence.”