Lab
Corporate anti-virus software
[PC Pro]
Hardly a week goes by now without a virus causing mayhem, so anti-virus measures are an essential part of any data-protection plan. The new breeds of virus are a far cry from the boot-sector and file-infector varieties of a few years ago: today's mass-mailing worms can bring a company to its knees in a matter of days and cost huge sums in lost business in the process.
The nature of the virus has changed dramatically since the first examples were released into the wild over 20 years ago. A recent study by Network Associates even highlights parallels with biological viruses. Many attacks are seasonal, for instance - Christmas is a particularly bad time with a large number of email invites and jokes flying around. Points of origin and patterns of infection also bear close similarities - the majority of software viruses emerge in Asia and generally spread across the globe from east to west as each time zone starts its working day. It's clear that companies must protect themselves against this onslaught, and in this month's group test we bring together ten of the top anti-virus products designed specifically to protect networks.
Unlike the managed services route (see p186), the standard approach for all these products is to install anti-virus software on every workstation and server. In most cases, the tools to manage all those installations are delivered from a central console. Local protection is provided by a real-time scanner, which intercepts files as they are opened, written or executed and checks them before allowing access. On-demand scanning is also available, so more in-depth checks can be run at scheduled intervals. Email protection is of paramount importance, and these products scan incoming and outgoing messages and attachments before passing them on.
It's worth noting that Outlook 2002 has basic built-in protection of its own for file attachments. Its Level 1 setting blocks access to a long list of file extensions including EXE, COM, SCR, VBS and BAT, and that list can't be modified from within Outlook itself; removing an extension from it needs a registry change (the Level1Remove value) or a third-party applet. Attachments on the Level 2 list, which administrators can extend, can't be opened from the message and must be saved to the hard disk first; anything else opens after a warning prompt. However, the Level 1 check looks only at the file extension, not at the file's content, so it is defeated simply by renaming the file before sending it (and renaming it back at the other end) or by wrapping it in an archive format that isn't on the list.
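As an added example (not from the article and not Microsoft's own code), here is an extension blocklist in the style of Outlook 2002's Level 1 list beside a content check based on file magic numbers. The extension subset, the MZ/ELF markers and the sample attachment bodies are constructed for illustration:

```python
# Added example, not part of the PC Pro article or of Outlook itself:
# an extension blocklist in the style of Outlook 2002's Level 1 list,
# beside a content check that survives the rename trick.
import re
from typing import Optional

# Subset of the Level 1 extensions the article names (the real list is longer).
LEVEL1_EXTENSIONS = {"exe", "com", "scr", "vbs", "bat"}

# File-type magic numbers; a real scanner carries a much larger table.
MAGIC = {
    b"MZ": "DOS/Windows executable",
    b"\x7fELF": "ELF executable",
}

# Constructed stand-in for an attachment body: it starts like a PE file
# (MZ header, then a PE marker) but is not a real program.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"
PLAIN_TEXT = b"Minutes of the Tuesday meeting\r\n"


def final_extension(filename: str) -> Optional[str]:
    """Return the last extension in lower case, or None if there is none."""
    m = re.search(r"\.([A-Za-z0-9]+)\s*$", filename)
    return m.group(1).lower() if m else None


def blocked_by_extension(filename: str) -> bool:
    """Outlook-style check: looks only at the final extension of the name."""
    return final_extension(filename) in LEVEL1_EXTENSIONS


def sniff_executable(content: bytes) -> Optional[str]:
    """Identify executables by their leading bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return None


def classify(filename: str, content: bytes) -> str:
    """Combine both checks; the name check alone is what a rename defeats."""
    if blocked_by_extension(filename):
        return "blocked: Level 1 extension"
    kind = sniff_executable(content)
    if kind is not None:
        return f"blocked: content is a {kind} despite the name"
    return "allowed"


if __name__ == "__main__":
    samples = [
        ("invoice.exe", FAKE_EXE),     # caught by the extension list
        ("invoice.txt", FAKE_EXE),     # renamed: slips the list, caught by content
        ("report.exe.txt", FAKE_EXE),  # double extension: same story
        ("minutes.txt", PLAIN_TEXT),   # genuinely harmless
    ]
    for name, body in samples:
        print(f"{name:16} ext-only={blocked_by_extension(name)!s:5} "
              f"combined={classify(name, body)}")
```

The renamed executable passes `blocked_by_extension` but not `classify`, which is the whole point: a filter that decides on the name alone is trusting the sender to describe the payload honestly. Content sniffing is not a complete answer either (archives and scripts have no fixed magic number), but it closes the trivial rename gap.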
One feature common to nine of the ten anti-virus products on review is complete reliance on a signature or definition file. This holds a distinctive byte sequence (the signature) taken from each identified virus or worm, which the scanning engine searches for in files to detect and name the infection. The method means vendors are always on the defensive: they can only react to a new outbreak, never prevent it. It sets off a chain of events that starts with news of a new virus on the loose. The virus or worm then has to be captured and analysed, a new definition file created and posted on the vendor's website, and administrators then have to download and apply the file to every instance of the anti-virus software running on their network, all while the worm is still spreading.
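To make that chain concrete, here is an added example (not from the article or any vendor's product): a toy definition-file scanner that walks through capture, signature extraction, publication and rescan. The "worm" bytes, the clean files and the definition names are constructed for the example and match no real malware.

```python
# Added example, not from the article or any vendor's product: a toy
# definition-file scanner that walks the reactive chain the text describes
# (sample captured, pattern extracted, definitions published, fleet rescanned).
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed "malware" bodies for the example; these bytes match no real virus.
HEADER = b"MZ\x90\x00" + b"\x00" * 12
WORM_A = HEADER + b"\xeb\x10MAIL-ME-TO-EVERYONE\x00" + b"\x90" * 40
WORM_B = WORM_A.replace(b"EVERYONE", b"EVERY0NE")  # a one-byte variant
CLEAN_FILES = [
    HEADER + b"Hello, world\x00" + b"\x90" * 40,
    b"Quarterly figures attached\r\n",
]

# Definitions known before the outbreak: name -> byte pattern. Empty here.
INITIAL_DEFINITIONS: Dict[str, bytes] = {}


def scan(data: bytes, definitions: Dict[str, bytes]) -> Optional[str]:
    """Return the name of the first matching definition, or None.

    Cost grows with the number and length of patterns, which is why the
    article notes that large definition files slow scanning down.
    """
    for name, pattern in definitions.items():
        if pattern in data:
            return name
    return None


def extract_signature(sample: bytes, offset: int, length: int) -> bytes:
    """The analyst's step: take a distinctive byte run from a captured sample."""
    return sample[offset:offset + length]


def vet_signature(pattern: bytes, clean_corpus: Iterable[bytes]) -> bool:
    """Reject patterns that are too short or also occur in known-clean files."""
    return len(pattern) >= 8 and not any(pattern in clean for clean in clean_corpus)


def publish(definitions: Dict[str, bytes], name: str, pattern: bytes) -> Dict[str, bytes]:
    """The vendor's step: return an updated definition set (old set untouched)."""
    updated = dict(definitions)
    updated[name] = pattern
    return updated


def detections(files: Iterable[bytes], definitions: Dict[str, bytes]) -> List[Optional[str]]:
    """The administrator's step: rescan every file with the definitions applied."""
    return [scan(f, definitions) for f in files]


def outbreak_timeline() -> Tuple[List[Optional[str]], List[Optional[str]], List[Optional[str]]]:
    """Return the scan results at three points in the chain."""
    fleet = [WORM_A, WORM_B] + CLEAN_FILES
    stage0 = detections(fleet, INITIAL_DEFINITIONS)  # nothing is known yet

    sig_a = extract_signature(WORM_A, len(HEADER), 22)
    if not vet_signature(sig_a, CLEAN_FILES):
        raise ValueError("signature would false-positive on clean files")
    defs1 = publish(INITIAL_DEFINITIONS, "Example.Worm.A", sig_a)
    stage1 = detections(fleet, defs1)  # A is caught; the variant B is not

    sig_b = extract_signature(WORM_B, len(HEADER), 22)
    defs2 = publish(defs1, "Example.Worm.B", sig_b)
    stage2 = detections(fleet, defs2)  # only after a second update is B caught
    return stage0, stage1, stage2


if __name__ == "__main__":
    for label, result in zip(("no definitions", "after A", "after A+B"), outbreak_timeline()):
        print(f"{label:15} {result}")
```

Each update catches only what has already been captured and analysed; the one-byte variant sails past the first definition, which is exactly the lag the passage describes. The `vet_signature` step is the part vendors cannot skip: a pattern taken from padding or a common header would flag clean files across the whole network.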
All the products can check for updates at regular intervals, but how often should that check run? The Internet has removed many of the natural barriers to a virus's spread: it delivers new worms straight to users' desks, most commonly via email, far faster than a leisurely update schedule can keep pace with.
The bottom line is that until detection becomes proactive rather than purely signature-driven, most anti-virus vendors will never get ahead of the virus writers. Some large firms already run anti-virus software but are taking no chances, using products from different vendors at different levels of their network infrastructure (desktops, file servers and mail gateways, for instance). This approach is costly, but it provides cover should one vendor be slow to respond to a threat or to update its software. Another problem becomes apparent on slower systems: the virus-identity files are now so large that scanning can have a noticeable impact on general performance.
Reporting and notification need to be good as well so that potential threats to the network are highlighted and dealt with promptly. We found the level of responses to positive detection generally very good, although report details varied considerably.
One particular user may be a regular, although not intentional, source of infection, and if the software doesn't identify the originating user or machine it could take weeks to locate the problem. The main thing to remember is that the quicker a virus is dealt with, the easier the clean-up will be. If it is isolated and contained on a single workstation, it's simply a matter of repairing the infected files where possible, or deleting them and restoring from the latest backup. Either way, it's sheer folly for a company to have no virus protection at all, but even if you do, the next few pages contain plenty of information to help with your next buying decision.