Security

Central Anti-Virus For Small Business? 359

rduke15 writes "I'm trying to find a centrally managed anti-virus solution for a small business network, which has around 20 Windows XP machines with a Linux server. It is too big to manage each client manually. However, there is no full-time IT person on site, and no Windows Active Directory server — just Linux with Samba. And the current solution with Symantec Endpoint Protection seems too expensive, and too complex for such a simple need. On the Linux server side, email is handled by amavisd and ClamAV. But the WinXP clients still need a real-time anti-virus for the USB disks they may bring to work, or stuff they download from their personal webmail or other sites. I'm wondering what others may be using in similar situations, and how satisfied they are with it."
This discussion has been archived. No new comments can be posted.

  • by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Wednesday June 17, 2009 @02:12AM (#28358153)

    Those are all great things. But A) they won't actually stop people from bringing viruses into the office. They might *help*, but you'll still need an A/V client from time to time and B) those things are not going to happen reliably someplace that doesn't even have a full-time IT guy.

  • Re:ClamWin (Score:3, Insightful)

    by Opportunist ( 166417 ) on Wednesday June 17, 2009 @02:30AM (#28358255)

    Terrible detection rate. Sorry, but when an AV suite finds about 2/3 of the threats, you can just as well go without one.

  • by Opportunist ( 166417 ) on Wednesday June 17, 2009 @02:32AM (#28358263)

    Antivirus suites are the last line of defense. Not the first!

    The first is the user and sensible usage policies. When people can download and execute arbitrary software and plug in USB sticks at random, you have bigger problems than the choice of your AV.

  • One proposal (Score:4, Insightful)

    by freedom_india ( 780002 ) on Wednesday June 17, 2009 @02:44AM (#28358339) Homepage Journal

    1) You need an anti-virus solution in the Linux box. Assuming that is your only gateway to the external internet, putting up an anti-virus enabled firewall and stopping unwanted protocols is enough to filter out most stuff.
    2) Disable USB and DVD drives on every PC. Physically. Period.
    It's cheap and fast.

  • by stillpixel ( 1575443 ) on Wednesday June 17, 2009 @02:45AM (#28358345) Homepage Journal
    run Linux on all your machines.. and keep a good XP VM image on each machine...if it gets nasty.. delete and start over..that is standard Windows IT procedure anyhow you know.. just wipe the machine and reinstall.
  • by GF678 ( 1453005 ) on Wednesday June 17, 2009 @02:48AM (#28358369)

    The first is the user and sensible usage policies. When people can download and execute arbitrary software and plug in USB sticks at random, you have bigger problems than the choice of your AV.

    So what would you recommend?

    I don't disagree with you; smart and sensible policies are the best defense. But then again, I service schools, and schools have kids and parents (and teachers) who aren't going to follow the rules, so AV is still necessary. I can't lock down the USB ports (physically or otherwise); I'd have a rebellion on my hands.

    BTW - I'm an engineer by trade, just acting as an IT jockey in the meantime, so I don't know all the best tricks of the trade yet. But it'd be helpful to know. :)

  • by RudeIota ( 1131331 ) on Wednesday June 17, 2009 @02:56AM (#28358423) Homepage

    Suggesting: don't use MS Windows.

    Yes, and don't venture into the outer world either... You'll obtain the swine consumption.

  • by bryhhh ( 317224 ) on Wednesday June 17, 2009 @03:24AM (#28358585)
    I'm assuming from your post that you aren't running AV? That's how I read it anyway, as you don't include an AV solution (which is what this post is all about)

    Security Lesson #1: Usability, Secure, Cheap - pick any two.

    Anyone can put up a solution that provides two of these, however I think the solution you have put together provides only one.... Cheap!

    Working from a VM? Not usable - at least not for typical office workers. No AV protection? Insecure

    Allow me to elaborate on insecure...

    Fair enough, you 'reset' your virtual machines when shit happens, but what about when a virus sends out spam from one of your IPs and gets you blacklisted? What about when a virus/trojan/whatever leaks confidential business information? And how do you know if things get nasty if you aren't running AV?

    The viruses you need to worry about, are the ones you probably wouldn't detect without AV protection, as these are the ones most likely to do your business harm.
  • Never McAfee (Score:4, Insightful)

    by dltaylor ( 7510 ) on Wednesday June 17, 2009 @03:57AM (#28358751)

    McAfee is horrendously insidious. Should you ever want to use a different product, it is damn near impossible to remove. After the IT guy at a job spent 7 hours trying to get rid of it (he did, mostly) when they switched to Kaspersky, I spent another three with regedit and a few Cygwin tools hunting down the rest. I think I got it all, since Outlook has finally quit trying to use it.

    Avoid it like the plague.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday June 17, 2009 @04:11AM (#28358823)
    Comment removed based on user account deletion
  • Re:One proposal (Score:3, Insightful)

    by freedom_india ( 780002 ) on Wednesday June 17, 2009 @04:15AM (#28358833) Homepage Journal

    Usability != USB Drives.
    In most of the corporates I have worked for, my USB ports have been disabled and my DVD drive missing.
    I didn't feel least constricted, if that is what you mean.
    If I needed a software, I had to follow the stupid process, but I did not miss a USB drive or a DVD drive for work.
    Minimalist physical configurations leave you less worrying about issues.
    You are probably too young and inexperienced in the corporate world. That's why you seem to equate USB with PSU.

  • by Anonymous Coward on Wednesday June 17, 2009 @04:24AM (#28358869)
    You obviously don't work in IT do you?
  • by Anonymous Coward on Wednesday June 17, 2009 @04:43AM (#28358951)

    and disable the cdrom and usb disks in windows. That's the best you can probably do

    He could provide a single computer with CDROM and USB access, running one copy of an AV with realtime scanning, to enable people to transfer files to their computer via Windows filesharing AFTER the AV has scanned the files.
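
One way the scanning-station idea above could be built on the submitter's existing Linux/Samba server with ClamAV instead of a dedicated Windows PC, as an added example that is not part of the original comment: users copy files into a drop share, and only files the scanner passes are moved to the share the workstations read. The three directories and the `release_scanned` function are assumptions for illustration; the `clamscan` exit codes (0 clean, 1 infected, 2 error) are ClamAV's own.

```shell
#!/bin/sh
# Added example: gate files through ClamAV before they reach the shared area.
# DROP is a write-only Samba share, CLEAN the share workstations read,
# QUARANTINE a directory no share exports (all three are assumed names).

# Scanner command; overridable so the logic can be exercised without ClamAV.
SCANNER="${SCANNER:-clamscan --no-summary --infected}"

# release_scanned DROP CLEAN QUARANTINE
# Prints one "verdict<TAB>filename" line per file. Returns 1 if any file was
# infected, could not be scanned, or could not be moved.
release_scanned() {
    drop=$1; clean=$2; quarantine=$3; rc=0
    for f in "$drop"/*; do
        # Only regular files; skip symlinks so a link cannot smuggle
        # an unscanned path into the clean share.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        name=${f##*/}
        status=0
        $SCANNER "$f" >/dev/null 2>&1 || status=$?
        case $status in
            0) dest=$clean;      verdict=clean ;;
            1) dest=$quarantine; verdict=infected;  rc=1 ;;
            # Fail closed: a scanner error (missing signature database,
            # unreadable file) never releases the file.
            *) dest=;            verdict=unscanned; rc=1 ;;
        esac
        if [ -n "$dest" ]; then
            mv "$f" "$dest/$name" || { verdict=move-failed; rc=1; }
        fi
        printf '%s\t%s\n' "$verdict" "$name"
    done
    return $rc
}

# Stand-alone use: script.sh /srv/drop /srv/clean /srv/quarantine
if [ "$#" -eq 3 ]; then
    release_scanned "$@"
fi
```

Run from cron on the server, a non-zero exit is the signal to mail the output to whoever looks after the network. A real deployment should also skip files that are still being copied when the job runs, for example by only handling files older than a minute.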

  • Re:We use Nod32 (Score:5, Insightful)

    by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Wednesday June 17, 2009 @06:30AM (#28359425) Homepage

    heuristics won't help either, malware authors will have pirate copies of all the latest av products and will tweak their malware until the heuristics no longer detect it before they start deploying it.

  • by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Wednesday June 17, 2009 @06:40AM (#28359481) Homepage

    OSX is supposedly getting exchange support, on the other hand is Apple really the problem?

    We have a similar situation where I work, exchange doesn't interoperate with the increasing number of linux and mac workstations... The problem is exchange not interoperating with anything else (as well as having a whole host of other problems and hidden costs), which is why it's being replaced.

  • Re:ClamWin (Score:3, Insightful)

    by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Wednesday June 17, 2009 @06:43AM (#28359497) Homepage

    I've not found any other AV to really be much better, I've seen machines installed with up to date mcafee which are spamming the users with ads... went through the box manually to find what was doing it and uploaded the binaries to virustotal.com, less than 10% of the av engines detected it even though the program hooks itself into ie and displays unwanted popup ads constantly (for typical spamvertised things like penis enlargement pills etc)

  • by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Wednesday June 17, 2009 @07:00AM (#28359567) Homepage

    What about users who get hit by drive by infections on websites that should be trustworthy (because the sites got owned, or malware is delivered through third party ads)?
    What about users who open pdf files or msoffice documents containing exploit code and malware?
    What about users who simply insert media infected with autorun malware?
    How about malware emails coming from trusted senders (either because those people are infected themselves, or because the mails are spoofed)

    There are plenty of infection vectors which don't involve users doing things they're not supposed to be doing.

  • Re:We use Nod32 (Score:1, Insightful)

    by Anonymous Coward on Wednesday June 17, 2009 @07:18AM (#28359669)

    "and no viruses". What does that mean? How many has it caught and sequestered? The mark of good virus protection isn't "how few I've had since installing it" but "how many it's detected and stopped"

  • by fudgefactor7 ( 581449 ) on Wednesday June 17, 2009 @07:55AM (#28359877)
    True, true. However, there is one flaw in that argument, which is one that I used all the time: corner office syndrome. People who have "rank" and are things like "President of such-and-such" seem to think they are immune to policy. We had one who signed (I was a witness) the official PC and computer use policy agreement, where it said that not following directives would result in penalties, up to and including termination of employment. He was the President of the company and answered literally to only two people. Guess what? The dude didn't care, and did what he wanted all the time. We ended up wiping and restoring his data almost monthly. Policies are worthless unless they can be applied to everyone, regardless of rank, equally. My opinion: the guy should have been fired. Reality: every 6 months we bought him a brand new laptop (he controlled the purse-strings too). Brilliant.
  • Re:We use Nod32 (Score:2, Insightful)

    by paradxum ( 67051 ) on Wednesday June 17, 2009 @09:02AM (#28360405)
    I do an awful lot of consulting for small businesses. And I use Kaspersky Business Space security.

    nod32 and kaspersky have similar performance impact (much less than most... including symantec and mcafee) and similar success rates at catching viruses (again, much better than symantec and mcafee)

    Both nod32 and kaspersky have administrative consoles that manage the network via a server (think policies, update distribution.)

    Why do I generally recommend kaspersky.... it's a couple hundred dollars cheaper....

    One little hint. If you run a linux server, most admin servers run only on windows (using msde sql server junk.) Not a big deal if you just load up vmware/xen/whatever. A small windows partition solves this problem without jumping through huge hoops.

    Oh, and the stay-away froms....... avg, ca (never catches stuff), symantec (tends to hose up the system) .... this is just from a tech that has fixed a couple hundred computers with those installed.
  • Virtualization? (Score:2, Insightful)

    by 2obvious4u ( 871996 ) on Wednesday June 17, 2009 @11:16AM (#28361865)

    Isn't this a good reason to use virtualization?

    Step 1: Have a centralized, protected, backed up file server.
    Step 2: Create a standard clean OS and application installation image.
    Step 3: Daily or weekly flash back to the clean installation (since all user data will be on the file server see step 1 - if it's not they'll learn very quickly)
    Step 4: Profit.
