Well, with the latest virus (Midoom or whatever else it's called) floating around, I figure that now is as good a time as any to give my thoughts on some good ways to defeat viruses (virii? - sounds too uppity to me).
In this day and age, the favorite infection vector that virus writers like to use is still email. So your first layer of antivirus security will be at your mail servers/gateways.
I have written a bit about Postini on my brother's website (http://scoble.weblogs.com as if you didn't already know), but I'm going to post about it again here and talk about it in a little more detail.
Postini is a 100% outsourced hosted email gateway. It performs several functions for incoming and outgoing email. First and foremost it is a spam filter. A damn good one at that. It captures and quarantines about 95% of all spam before it ever gets to your network. The system is totally configurable, so you can exclude certain domains, or even mail relating to your business sectors, from being scanned. Users can also raise or lower the thresholds for spam based on 5 separate categories (porn, get rich quick schemes etc.).
Secondly, it also scans every mail for viruses. You can also quarantine emails that have attachments of a certain type. Basically it does what every other 3rd party gateway on the market does, but it does it before the mail ever has a chance to enter your network, which is totally cool in and of itself. Also, because it's managed autonomously by the folks at Postini, you don't have to worry about keeping virus dat files up to date and all that. Postini was catching mails with the latest virus as soon as they were out in the wild.
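As an added example (my own illustration, not Postini's code or anything from the post), this is the kind of attachment-type quarantine rule the paragraph describes, run over a constructed message. The blocked-extension list is an assumed policy, and the check goes one step further than the text by normalising case and double extensions.

```python
"""Attachment-type quarantine check: a name-based first pass (added example)."""
import os
from email import message_from_bytes

# Constructed policy: extensions a gateway would quarantine on sight.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs"}


def attachment_names(msg):
    """Filenames of every leaf MIME part that declares one."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def blocked_extension(filename):
    """Offending extension, or None if the name passes.  Only the final
    suffix counts ('report.pdf.scr' is a .scr; 'setup.exe.txt' is not),
    normalised for case and trailing padding ('INVOICE.EXE ' is caught)."""
    ext = os.path.splitext(filename.strip())[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def decide(raw):
    """Gateway verdict for one raw message: ('deliver', []) or
    ('quarantine', [reasons]).  Name-based first pass only; filenames are
    sender-controlled, so a real gateway also inspects content."""
    msg = message_from_bytes(raw)
    reasons = [f"{name}: blocked extension {ext}"
               for name in attachment_names(msg)
               if (ext := blocked_extension(name))]
    return ("quarantine", reasons) if reasons else ("deliver", [])


# Constructed sample: an executable hidden behind a double extension.
SAMPLE = b"""From: sender@example.test
To: user@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="report.pdf.scr"
Content-Disposition: attachment; filename="report.pdf.scr"

QUJD
--b1--
"""
```

Calling `decide(SAMPLE)` returns the quarantine verdict with one reason naming the .scr attachment.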
About the only complaint that I currently have with Postini is that there's no way to view SMTP transaction logs to check on status of delivery for individual messages.
The 2nd line of defense is antivirus running on your mail servers - in my case Exchange 5.5. I use Symantec AV for Email Servers. Good product, although I prefer TrendMicro ScanMail just because it's such a rock-solid product. Both applications automatically update themselves and are fairly easy to install and administer.
The 3rd line is AV software on the PCs. This is the hardest of the 3 lines of defense to manage, but also the most important, as it is your last line (other than user awareness, but I'll get to that). It's hard to manage because you have to keep all of your desktops, laptops and remote systems protected and up to date. Luckily there are products like Symantec AV Corp to help out with that. I've used this product since 7.5 and I just have to say that I have loved it since day one.
I used to use the McAfee enterprise AV suite and it was just a mess. When I started using these systems way back in '98, McAfee did not update the clients automatically (something that I don't believe they added until 2001 or so, by which point they had lost me as a customer for about 2 years), and the client was unstable and didn't catch as many viruses as NAV (now Symantec AV) Corp did.
Symantec AV Corp is a server-managed system that automatically keeps ALL of your systems up to date, schedules AV scans across all systems and allows you to easily control the configuration of the AV clients on ALL systems. Not to mention that if your PCs are running Win 2k or Win XP, you never even have to visit the systems to install the AV client. It's just such a slick product that it's a no-brainer to deploy.
I'm sure that TrendMicro's enterprise product is pretty good, but I just haven't messed with it at all. I'm pretty much of the mind that if you find something that works and works well, stick with it until you come across a better solution in the field.
Another method of defense against viruses that you can use is user awareness. This basically means that you periodically send out reminders to users of what to do and what not to do with email attachments, internet downloads, etc.
Lastly, and least important, is patching of systems. Since all of your systems should be behind firewalls and mail gateways and protected by AV systems, keeping the systems up to date isn't as important as it otherwise might be. Having said that though, ANY system that is exposed to the internet at large should be patched early and often. There are some tools available now that allow you to centrally manage updates to all of your systems, in which case you don't have much excuse not to keep your systems patched. Plus patching does generally make your client systems run better.
I'm sure if you run a larger organization there are some other methods you can use to keep protected, but those are pretty much the basics.
Something else that I should mention. It's a good idea to check regularly on Symantec's Security Response website or another similar site and to force your enterprise systems to update whenever you see that there's a new virus in the wild and a corresponding update.
What we've found to be the biggest problem is people who still use Outlook & Outlook Express to pop personal mail from within the company.
As Lotus Notes is the standard mail client we normally aren't troubled by virii.
We could block pop but we're not quite ready for the outcry from the end users :-)
We have blocked SMTP so at least their infections won't spread, but it's still a nuisance chasing down these Virus Alerts.
Posted by: Raj | Friday, January 30, 2004 at 12:32 AM
We use a similar AV scanning and spam blocking service: eDoxs. eDoxs has the distinction of having nearly zero false positives. I've looked at Postini and if I weren't already so happy with eDoxs I might consider them. I believe Postini can be configured with different thresholds for each user so the spam whiners can have the option of reviewing their own quarantine of blocked spam to find the real messages their 99% threshold blocked.
The other thing that is attractive about Postini is the option to NOT deliver any mail to addresses that are not on your userlist. That way all the spam doesn't keep getting delivered to [email protected] for years after he has been fired. And this effectively prevents any "brute force" spam attempts to random userids on your domain.
To work around that, we use an additional layer of spam filtering which is an "appliance" installed device running Corvigo. Corvigo provides users with the configurable thresholds and a couple times a day will send them an HTML table listing the messages it has blocked (in addition to eDoxs.) They can click a link to review these messages in a "safe" zone on the appliance and have the option to deliver them or remove them.
Posted by: DataComGuy | Friday, January 30, 2004 at 01:30 PM
Chicago Public Schools has Trend deployed to 60,000 machines, give or take a few, plus servers & Exchange. ScanMail is doing a great job on my Exchange boxes with the current MyDoom issue. Trend OfficeScan has done great on the client machines, for me at least.
Posted by: Brian Desmond | Friday, January 30, 2004 at 09:45 PM
Yeah, I like ScanMail. Just never had any experience with their desktop AV software, but I'm sure it's equally good.
I'm actually starting to recommend Trend's products to friends and family who need AV for their personal PCs. Symantec included DRM in the latest version of NAV and I avoid DRM'd products like the plague.
Dunno why the software and media industries have forgotten the lessons they learned in respect to copy protection in the mid to late 80s... namely that it doesn't work and puts off customers.
Posted by: Alex Scoble | Friday, January 30, 2004 at 10:46 PM
I support a small non-profit that didn't have any IT department before I got here. I still haven't taken time to install AV at the desktop (though we have it on laptops that travel). So far, after two years, it has been less trouble to keep users aware than to manage client AV software.
I can count on one hand the number of times we have had infections, and it wasn't that much work to get rid of. I have virus alerts sent to my in-box and sometimes take action to block ports at the firewall and scan my network for infections.
Of course this is a small shop--and cheap. Don't know if we'll get bit badly sometime, but I don't think it's likely at this point.
Posted by: Jonathan Camenisch | Saturday, January 31, 2004 at 07:23 AM