Well, with the latest virus (Mydoom, or whatever else it's called) floating around, I figure that now is as good a time as any to give my thoughts on some good ways to defeat viruses (virii? - sounds too uppity to me).
In this day and age, the favorite infection vector for virus writers is still email, so your first layer of antivirus security will be at your mail servers and gateways.
I have written a bit about Postini on my brother's website (http://scoble.weblogs.com, as if you didn't already know), but I'm going to post about it again here and talk about it in a little more detail.
Postini is a 100% outsourced, hosted email gateway. It performs several functions for incoming and outgoing email. First and foremost, it is a spam filter, and a damn good one at that: it captures and quarantines about 95% of all spam before it ever reaches your network. The system is fully configurable, so you can exclude certain domains from being scanned, or even mails relating to your business sectors. Users can also raise or lower the spam thresholds for 5 separate categories (porn, get-rich-quick schemes, etc.).
Second, it scans every mail for viruses, and you can also quarantine emails that carry attachments of a certain type. Basically it does what every other third-party gateway on the market does, but it does it before the mail ever has a chance to enter your network, which is totally cool in and of itself. Also, because it's managed entirely by the folks at Postini, you don't have to worry about keeping virus .dat files up to date and all that. Postini was catching mails with the latest virus as soon as they were out in the wild.
About the only complaint I currently have with Postini is that there's no way to view SMTP transaction logs to check the delivery status of individual messages.
The second line of defense is antivirus running on your mail servers - in my case Exchange 5.5. I use Symantec AV for Email Servers. It's a good product, although I prefer TrendMicro ScanMail just because it's such a rock-solid product. Both applications update themselves automatically and are fairly easy to install and administer.
The third line is AV software on the PCs. This is the hardest of the three lines of defense to manage, but also the most important, as it is your last line (other than user awareness, but I'll get to that). It's hard to manage because you have to keep all of your desktops, laptops and remote systems protected and up to date. Luckily there are products like Symantec AV Corp to help with that. I've used this product since version 7.5, and I just have to say that I have loved it since day one.
I used to use the McAfee enterprise AV suite, and it was just a mess. When I started using these systems way back in '98, McAfee did not update the clients automatically (something I don't believe they added until 2001 or so, by which point they had lost me as a point of market penetration for about 2 years), and the client was unstable and didn't catch as many viruses as NAV (now Symantec AV) Corp did.
Symantec AV Corp is a server-managed system that automatically keeps ALL of your systems up to date, schedules AV scans across all systems, and lets you easily control the configuration of the AV clients on ALL systems. Not to mention that if your PCs are running Win 2k or Win XP, you never even have to visit the systems to install the AV client. It's such a slick product that deploying it is a no-brainer.
I'm sure that TrendMicro's enterprise product is pretty good, but I just haven't messed with it at all. I'm pretty much of the mind that if you find something that works, and works well, you should stick with it until you come across a better solution in the field.
Another method of defense against viruses is user awareness. This basically means periodically sending users reminders of what to do and what not to do with email attachments, internet downloads, etc.
Lastly, and least important, is patching of systems. Since all of your systems should be behind firewalls and mail gateways and protected by AV systems, keeping them up to date isn't as important as it otherwise might be. Having said that, ANY system that is exposed to the internet at large should be patched early and often. There are tools available now that let you centrally manage updates to all of your systems, in which case you don't have much excuse not to keep them patched. Plus, patching generally makes your clients' systems run better.
I'm sure if you run a larger organization there are some other methods you can use to keep protected, but those are pretty much the basics.
Something else I should mention: it's a good idea to check Symantec's Security Response website (or another similar site) regularly, and to force your enterprise systems to update whenever you see that there's a new virus in the wild and a corresponding definition update.