Comparing E-mail Server Virus Protection Solutions by Robert Grupe, Product Management, McAfeeB2B Groupware
Introduction So you've been assigned the task of selecting virus protection for your messaging and groupware server. Or maybe you already have a solution in place, but are having second thoughts because your organization seems to be disrupted by new viruses more often than it should be.
As someone who deals with anti-virus (AV) all the time, it surprises me that most people (and magazine reviewers as well) evaluate groupware AV products simply by installing them on a test server and then counting features. While this does say something about the product's installation process and interface design, it is not an accurate indicator of a product's ability to do what it is intended for: protecting against viruses, worms, Trojans, zombies, malware, and the like. This article is the first of a two-part series intended to help readers assess and evaluate AV solutions. This installment will help readers assess their AV needs and point out a few things to look for in AV products.
Assessing Your Needs Before evaluating AV solutions, it is important to clearly define the selection criteria you will use to find the product that best suits the needs of your organization.
Defining Your Platform Requirements The first and easiest task is to identify candidates that support your existing or planned messaging system. You need to specify which groupware applications, operating systems, type of clustering, and localized languages you need supported. In reviewing product literature, it is sometimes difficult to determine exactly which version of a product applies to your platform. Provide your prospective vendors with a listing of your platform requirements, including software version, service pack level, and any applied patches; they will then be able to confirm which version you should evaluate, along with any required updates. Those updates are not limited to the vendor's software: sometimes operating system or groupware updates are recommended or required for acceptable performance or security. You should also tell the vendors about any other applications that reside on the same server (backup software, administrative utilities, and so on) in case there are known conflicts.
Infection Response When the virus protection software finds an infected item, how do you want to be notified, and what responses would you like the product to perform? Is deleting the item and sending an e-mail notification sufficient, or would you prefer that the item be cleaned (if possible) and delivered to the recipient, with a notification then sent to your mobile phone? If a virus outbreak is affecting your messaging server, what actions would you want it to take? For instance, you may want it to check the vendor's Web site for the latest virus definition files, perform a complete scan of the groupware stores, and then, if necessary, shut down your external e-mail ports.
Support Services With most organisations connected to the Internet 24/7, viruses can infect systems even in the middle of the night after everyone has gone home. Having a vendor with round-the-clock virus research centers can make the difference between having a new virus antidote within minutes of a new virus being detected anywhere in the world, or waiting half a day or more after you get to work. In those situations, how long can your business afford to be off-line while you implement updates and restore infected systems?
And then what about assistance performing maintenance updates on your systems? Over the next couple of years, you will probably update parts of your operating system and groupware application and change security settings. Each of these actions could have unforeseen consequences for the successful operation of your AV installation. If you encounter difficulties, would you want a vendor that could come onsite to help get your systems back online, or would you handle that on your own? While most products are available for purchase internationally over the Internet, support and consulting services vary by region.
Centralized Administration Many organizations are centralizing their core IT operations, and if your organization has multiple groupware servers, you may also want centralized AV administration capabilities. Multiple server virus alerting, infection logging, and management reporting are all features that can be incorporated either within the standard features of some groupware AV products or through additional management AV solutions.
Short Listing Your Candidates Virus Detection Effectiveness Fundamental to any anti-virus product is, of course, its ability to detect viruses. ICSA Labs and West Coast Labs are two independent organizations that evaluate AV products; however, while they certify that a given product is able to detect viruses, they do not evaluate overall effectiveness against all known and new threats. With over 58,000 computer viruses known at the moment, and with hundreds more being created each month, it is important to review the results of independent testing groups such as Virus Bulletin, the University of Hamburg, the University of Magdeburg, and University of Tampere (see below for links).
Readers should be aware, however, that these tests do not tell the whole picture. Typically they evaluate only file scanners, not messaging or groupware solutions, which have different considerations: a messaging scanner must decode and unpack MIME-encoded attachments and other messaging formats before a file-scanning engine can see anything to scan. Be suspicious of any vendor who is unwilling to submit their products for independent testing. Historically, this has been done to hide poor evaluation results or because the vendor has been shunned for insecure practices.
Cleaning capabilities While most anti-virus products can detect common, in-the-wild viruses, not all are designed to effectively clean infected data. Quarantining infected data is an effective way of stopping viruses from doing further damage, but it can take hours for IT departments to locate and restore an uninfected version of the data. By automatically cleaning the infected information, workflow interruptions and IT administrative involvement can be minimized.
Heuristic Scanning Ability Heuristic scanning looks for suspicious code and new derivatives of known viruses. This can be a powerful tool in providing a higher level of protection for your organization, but it requires additional processing resources and can sometimes result in false alarms. By choosing a product with good heuristic scanning capabilities, you can minimize false alarms and reduce your chances of being infected by new virus types.
Messaging Denial-of-Service Attack Protection Usually people think of denial of service (DoS) in terms of hackers or zombies flooding gateway ports, but mass-mailer viruses can cause a DoS on messaging systems. Some groupware AV solutions can monitor messaging traffic patterns and then provide additional levels of protection if an outbreak is detected. This is especially important to organizations that use messaging devices on subscription wireless networks, since virus outbreaks will generate unwanted bandwidth usage and rapidly fill the memory of mobile devices.
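The traffic-pattern monitoring described above, as an added example that is not code from the article or from any vendor's product: a small detector that reads message-log records and flags an attachment when the identical content (same hash) arrives from many distinct senders inside a short window, which is what a mass mailer looks like and what ordinary mail almost never does. Once flagged, further copies of that attachment are held rather than delivered. The log lines, the window and threshold values, the hash strings and all names are constructed for the example; records are assumed to arrive in timestamp order.

```python
"""Mass-mailer outbreak detector run over constructed message-log records.

Added example, not code from the article or from any vendor's product.
Log lines, thresholds and hash values below are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # assumption: look back five minutes
SENDER_THRESHOLD = 5     # assumption: this many distinct senders = outbreak


class OutbreakDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=SENDER_THRESHOLD):
        self.window = window
        self.threshold = threshold
        # attachment hash -> (timestamp, sender) pairs still inside the window
        self.recent = defaultdict(deque)
        self.held = set()    # hashes whose further copies are held, not delivered

    def observe(self, ts, sender, attachment_hash):
        """Record one delivery (records assumed in timestamp order).

        Returns an alert dict the first time this attachment crosses the
        threshold, otherwise None. The same sender resending one document
        many times never trips it: only distinct senders are counted.
        """
        q = self.recent[attachment_hash]
        q.append((ts, sender))
        while q and ts - q[0][0] > self.window:   # expire entries outside the window
            q.popleft()
        if attachment_hash in self.held:          # already alerted; keep holding
            return None
        senders = {s for _, s in q}
        if len(senders) >= self.threshold:
            self.held.add(attachment_hash)
            return {"hash": attachment_hash, "distinct_senders": len(senders), "at": ts}
        return None

    def should_hold(self, attachment_hash):
        """Decision hook for the delivery path once an outbreak is flagged."""
        return attachment_hash in self.held


# Constructed log: "<epoch seconds> <sender> <recipient> <attachment hash>"
# d41d8cd9: one user resending the same file (benign)
# 9f86d081: six different senders in 25 seconds (mass mailer)
# 7a3b2c1d: five senders, but 400 seconds apart (outside the window)
LOG_LINES = """\
1000 bob@corp.example ann@corp.example d41d8cd9
1010 bob@corp.example cal@corp.example d41d8cd9
1020 bob@corp.example dee@corp.example d41d8cd9
1100 ann@corp.example bob@corp.example 9f86d081
1105 cal@corp.example bob@corp.example 9f86d081
1110 dee@corp.example bob@corp.example 9f86d081
1115 eve@corp.example bob@corp.example 9f86d081
1120 fay@corp.example bob@corp.example 9f86d081
1125 gus@corp.example bob@corp.example 9f86d081
2000 hal@corp.example bob@corp.example 7a3b2c1d
2400 ida@corp.example bob@corp.example 7a3b2c1d
2800 jon@corp.example bob@corp.example 7a3b2c1d
3200 kim@corp.example bob@corp.example 7a3b2c1d
3600 lou@corp.example bob@corp.example 7a3b2c1d
""".splitlines()


def run(log_lines):
    """Feed log records through a fresh detector; return the alerts raised."""
    det = OutbreakDetector()
    alerts = []
    for line in log_lines:
        ts, sender, _recipient, ahash = line.split()
        alert = det.observe(int(ts), sender, ahash)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(LOG_LINES):
        print(f"outbreak: attachment {a['hash']} from {a['distinct_senders']} "
              f"senders at t={a['at']}")
```

On the constructed log this raises exactly one alert, for hash 9f86d081 when the fifth distinct sender appears. Keying on the attachment's content hash rather than on subject or filename is deliberate: mass mailers often vary the subject but ship the same payload. A production implementation would also need to cope with out-of-order log delivery and with polymorphic payloads, which this window-and-count check does not address.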
Architecture With groupware platforms there are different ways that message content can be scanned, and each method has its own merits, with the choice depending on each organization's requirements. For instance, with Microsoft Exchange 5.5 SP3 and higher, AV products are available that scan using MAPI, AVAPI 1.0 (Microsoft's anti-virus API for Exchange), or the ESE database engine that holds the message stores. MAPI uses the most server resources but provides the greatest flexibility, whereas AVAPI 1.0 is the most efficient but has some reporting limitations. So for smaller organizations with lightly loaded Exchange servers, MAPI scanning would provide the richest reporting options, but for heavily loaded servers an AVAPI solution will have the least impact.
Updates Periodic updates to provide protection from newly discovered threats are as important as the anti-virus program itself. With hundreds of new viruses being written each month, anti-virus programs must be updated vigilantly. Typically this is done on a regular basis such as once a week, but every once in a while more frequent updates may be necessary to react to new, fast-spreading virus outbreaks. When comparing AV solutions, evaluate what steps are necessary to ensure that the AV product is up-to-date, how and where updates are available, and what alternate updating methods are available should the primary source be inaccessible due to network interruptions.
Some products limit the number of update downloads possible over a given period of time, but in times of intensive new virus activity you do not want a product that can no longer be updated. Make a list of past virus outbreaks and then ask the vendors how their customers were affected by each of those incidents. Were they protected before the outbreak? How long did it take for new virus detection files to be posted? What tools were available to help clean up their systems afterwards?
Content Filtering Having the ability to block content based on executable file types can provide automatic protection against many new viruses, even if your vendor's virus scanner does not yet have a detection for that particular virus. As part of your organization's security policy, you should establish which file types you will allow and then block all others. Some of the simpler e-mail borne viruses also have tell-tale text in the subject line or message body. By establishing rules to block those words or phrases, you can insulate your users from those annoyances.
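The content-filtering policy just described (allow an approved list of attachment types, block everything else, and block known subject-line text), together with the earlier point that a messaging scanner must unpack MIME before it can judge an attachment, as an added example that is not the article's or any product's code. It parses a raw RFC 822/MIME message with Python's standard email library, walks the attachments, normalizes each filename to the extension a Windows client would actually act on (defeating "photo.jpg.exe", "Report.TXT.EXE " and trailing-dot tricks), and additionally checks the decoded payload for the "MZ" signature that marks a Windows executable even when it has been renamed to an allowed type. The allowlist, the blocked phrases, the addresses and the sample messages are constructed for the example.

```python
"""Attachment allowlist and subject-phrase filter for a raw MIME message.

Added example, not code from the article or from any vendor's product.
The policy values, addresses and messages below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed policy: approved attachment types; anything else is blocked.
ALLOWED_EXTENSIONS = {"txt", "pdf", "doc", "xls", "ppt", "jpg", "gif", "png", "zip"}
# Constructed placeholders for tell-tale subject text of known mass mailers.
BLOCKED_SUBJECT_PHRASES = ("free screensaver", "check this out")
# Windows PE executables start with "MZ" regardless of what they are named.
PE_MAGIC = b"MZ"


def normalized_extension(filename):
    """Return the effective extension, lowercase, that a client would act on.

    Strips trailing dots and spaces (which Windows ignores), lowercases,
    and keeps only the last extension, so "photo.jpg.exe" yields "exe".
    """
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip()


def evaluate(raw_message):
    """Apply the policy to a raw message; return ("allow"|"block", reasons)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").lower()
    for phrase in BLOCKED_SUBJECT_PHRASES:
        if phrase in subject:
            reasons.append(f"subject matches blocked phrase '{phrase}'")

    # iter_attachments() walks the MIME tree and skips the message body;
    # get_payload(decode=True) undoes base64/quoted-printable so the scanner
    # sees the real bytes, not the transfer encoding.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = normalized_extension(filename)
        if ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"attachment '{filename}' has non-allowlisted type "
                           f"'{ext or '(none)'}'")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(PE_MAGIC):
            reasons.append(f"attachment '{filename}' is a Windows executable by content")

    return ("block" if reasons else "allow"), reasons


def build_message(subject, attachments):
    """Construct a sample message; attachments is [(filename, bytes, mime_type)]."""
    msg = EmailMessage()
    msg["From"] = "sender@corp.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    for filename, data, mime_type in attachments:
        maintype, subtype = mime_type.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_message("Quarterly figures",
                      [("report.pdf", b"%PDF-1.4\n%constructed\n", "application/pdf")]),
        build_message("Check this out!!",
                      [("photo.jpg.exe", b"MZ\x90\x00\x03", "application/octet-stream")]),
        build_message("Notes",
                      [("notes.txt", b"MZ\x90\x00\x03", "application/octet-stream")]),
    ]
    for raw in samples:
        verdict, why = evaluate(raw)
        print(verdict, why)
```

The third sample is the one a pure extension check misses: a renamed executable delivered as "notes.txt" passes the allowlist but is caught by the content check. The example leaves "zip" on the allowlist to make a caveat visible: this filter does not look inside archives, so in a real deployment either archives are excluded from the allowlist or the scanner recurses into them and applies the same policy to each member.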
References One of the best ways to determine the suitability of an AV product is to obtain user references. It can be very useful to get references from AV customers whose organizations are similar to your own. In addition, you should find out how the vendor is regarded within the security industry as a whole. Some vendors have refused to participate in recognized security organizations because their products are not well regarded, and others have been banned from participation due to insecure practices. When reading virus detection evaluations, read the small print, and if a particular vendor's product is not present, try to find out why.
Next Time... This concludes the first part of this two-part series. This article has offered an overview of assessing AV software, including how users should assess their needs, as well as recommending a few features to look for in AV software. In the next installment in this series, we will take a look at reviews of AV software and explore how users can evaluate AV products for themselves.
--- Robert Grupe is a Senior Product Manager in the McAfeeB2B division of Network Associates with responsibility for enterprise electronic messaging and groupware content security solutions. In previous careers, he has been an IT director, online developer and marketing consultant, and has also worked in the aerospace and electro-optic industries.