Security

Central Anti-Virus For Small Business? 359

rduke15 writes "I'm trying to find a centrally managed anti-virus solution for a small business network, which has around 20 Windows XP machines with a Linux server. It is too big to manage each client manually. However, there is no full-time IT person on site, and no Windows Active Directory server — just Linux with Samba. And the current solution with Symantec Endpoint Protection seems too expensive, and too complex for such a simple need. On the Linux server side, email is handled by amavisd and ClamAV. But the WinXP clients still need a real-time anti-virus for the USB disks they may bring to work, or stuff they download from their personal webmail or other sites. I'm wondering what others may be using in similar situations, and how satisfied they are with it."
This discussion has been archived. No new comments can be posted.

  • by BabaChazz ( 917957 ) on Wednesday June 17, 2009 @02:04AM (#28358113)
    At least, we do at the school. That's a 50-station network, and amounts to about $10 a year per station after the educational discount. $20/year per station without, but you get cut rates for longer terms. I'm quite happy with Avast. At the business (20 stations, no AD when it was installed aeons ago) we used Trend Micro ServerProtect, which is no longer supported. That one was $800/25 stations flat fee and is still being updated. Neither one of those needs an AD server for its console, though they are both Windows based.
  • by BiggerIsBetter ( 682164 ) on Wednesday June 17, 2009 @02:04AM (#28358115)

    Do it without the server, and install NOD32 antivirus on the clients, with NOD32 Remote Administrator to manage them. We put this system in recently and it's very very effective. Synchronized our antivirus product and definitions quickly, and reported infections that had slipped past the unmanaged installation on one machine (it hadn't been updated for a while...). No, you don't have to install it on a Windows Server OS (although we did).

  • Re:We use Nod32 (Score:4, Interesting)

    by Anonymous Coward on Wednesday June 17, 2009 @02:08AM (#28358135)

    I would have to agree with this recommendation.

    I've been installing NOD32 at several sites recently. The Business version of their antivirus/antispyware package does include a Management Console feature.

    You'll end up paying about $39/seat for a 2 year subscription.

    Also, NOD32 just won a Consumer Reports award this year.

  • by Anonymous Coward on Wednesday June 17, 2009 @02:14AM (#28358165)

    I'm security admin for a Fortune 500, posting as Anonymous Coward. I'll tell you what not to use. Don't use Panda. We have it at a European subsidiary, and I have never seen anything so crap. Never.
    Now for the advice - Use something you recognise and trial it to death, antivirus detection rates are not so important as product robustness, and console usability. It's no use having something with a 99% detection rate if the 1% it doesn't detect are things like virut and conficker, and the product falls over every time you look at it. Corporate antivirus aren't so much about detecting 100% of viruses as reliably reporting the viruses they have found, and robustly maintaining communications with the management console so you can deploy updates.
    These days no antivirus is really very good, I came to the conclusion a while ago that AV is an obsolete technology. The malware writers are just taking the piss, and Windows can never be virus free.

  • Re:We use Nod32 (Score:5, Interesting)

    by FRiC ( 416091 ) on Wednesday June 17, 2009 @02:33AM (#28358273) Homepage

    I don't know about other people, but around where I work, the joke is that whichever computer has Nod32 installed, it also has tons of viruses installed. Nod32 never seems to work in real life, even though it consistently scores high in reviews and has lots of recommendations.

    (We use avira.)

  • It depends (Score:5, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Wednesday June 17, 2009 @02:36AM (#28358295)

    I "administer" our small business IT infrastructure (well, it's just 10 computers) and our solution was to assess who needs internet access. As it turned out, the boss and the secretary need web, email and access to the accounting software on the remote side of a VPN, and the other guys don't because they use only internal documents. But they do need Windows because we use Windows-only software (SolidWorks and MasterCAM). So I've set up a fast Linux box that's on the internet, that provides web and email access through NX servers and clients [nomachine.com] (that is, the clients run on the Linux box and display on the Windows workstations). USB ports are also disabled on all Windows boxes, and people who really want to see what's in a USB key have to plug it on the Linux box and have the content checked before it's transferred to a Samba share for Windows consumption. Same thing for CDs. None of the Windows boxes ever see the internet.

    None of our Windows boxes are patched, updated or fitted with antivirus software, and we're doing just fine. The Windows boxes are super-fast as a result too.

    But that's *our* solution. Your mileage may vary, but I think you should make a reasonable assessment of workers' need for internet access. You may be surprised how few actually need it to do their work (IM isn't a valid reason) and you may be able to rearrange your infrastructure to make it very easy and manageable like ours.

  • by LodCrappo ( 705968 ) on Wednesday June 17, 2009 @02:57AM (#28358431)

    I'd love to be able to use osx on our network, but there are some serious roadblocks. #1 is the price of the workstations. when you need 300 bog standard desktops on a tight budget, your options from apple are... lacking to say the least. #2 is compatibility. entourage is very weak as an exchange client in a business environment. OWA on non-IE browsers is not great either. CAD and ERP software is limited. #3 is the cost of (re)training employees. with windows you get the benefit of your users having the same system at home/previous job/etc. even very simple differences in the ui require real support resources. some people just don't get it, no matter what "it" is.

    also, while i am a fan of osx and use it personally, i don't put any faith in the "macs are more secure" arguments. every security analysis I've seen shows that macs are actually easier to exploit (probably will improve in 10.6). maybe the small installed base just isn't worth the effort to malware creators (yet), but if you use security as justification for switching to the PHB, I think you're setting yourself up to look really bad.

  • Re:ClamWin (Score:4, Interesting)

    by RudeIota ( 1131331 ) on Wednesday June 17, 2009 @03:05AM (#28358475) Homepage
    Moonsecure [moonsecure.com] is an AV based on clamwin: it actually employs a real-time scanner. clamwin offers no active protection, so it is pretty much useless for most user scenarios.

    In all honesty, I've given both Moonsecure and clamwin many chances over the past couple of years. I don't want to admit it, but I feel as though I've been largely disappointed with the detection rates, the interface and the speed of both AVs. I've used them mostly in a 'workbench' setting though, scanning client drives outside of the system. In comparison to the other (commercial) scanners I use regularly, I've not been impressed.
  • Re:AVG (Score:3, Interesting)

    by sumdumass ( 711423 ) on Wednesday June 17, 2009 @03:07AM (#28358493) Journal

    I see you already placed the biggest point I could make out there. It does it also if the old version is too old or isn't a networked version.

    I actually had the same problem at a site with a laptop that somehow slipped through the cracks and didn't get updated to the latest version of AVG. In my case, it was a corporate version (network edition, but it was severely outdated) and I had to manually uninstall before being able to install the new client. I think the laptop ended up on a shelf in one of the partner's closets so while we thought he was working with it periodically which should have already updated it if it was on the network. When we ended up seeing a version 7 in the management console after it hit the network for the first time in over a year, and we were on 8.5, our eyes lit up.

    I'm not sure I would consider a one time walk around in order to set things up as a big negative. Especially when the case is as you mentioned. All future pushes should work pretty well. I went from 8 to 8.5 by upgrading the console machine first and then pushing it out to everyone else. Well, everything but the one laptop I mentioned earlier.

  • Re:It depends (Score:5, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Wednesday June 17, 2009 @03:16AM (#28358527)

    nobody aside from the boss and secretary need email?

    Well, I didn't count myself in :) We're a small firearms manufacture, so the boss and the secretary need email to answer customers, and the boss needs the web to check on the competition (he's not into porn at all, not the type). The secretary doesn't need the web, but I left it for her because she sometimes has no work for hours and she doesn't really like to read. She also does the accounting, so she needs her distributed accounting software client. As for the other guys, they work mostly at the workbench, mounting the guns. They need PCs to consult technical documents such as plans, steel compositions or art drawings, and they also need them to work with 3D models of parts, to feed the milling machine. None of these computers need to be on the internet, they are just glorified document viewers and machining tools.

    As I said, every situation is different. In a software development outfit, the sort of solution we have here wouldn't work at all, but for us it works. The OP says he manages a "small business network": for all I know, it could be a printing shop, or a garage, not necessarily all white collars. That's why I mentioned what we implemented here at my company.

  • Re:We use Nod32 (Score:5, Interesting)

    by LodCrappo ( 705968 ) on Wednesday June 17, 2009 @03:16AM (#28358535)

    a couple years ago i worked at a company that used NOD32 and they were often bringing infected machines in to the IT dept despite the software being updated and supposedly working. now I work at a company that used symantec, and they were often bringing infected machines in to the IT dept despite the software being updated and supposedly working. One of my current coworkers used to work at place where they used Panda. They were often bringing infected machines in to the IT dept despite the software being updated and supposedly working.

    WTF?

  • by Klistvud ( 1574615 ) on Wednesday June 17, 2009 @03:21AM (#28358567)

    ...may be your most secure bet. No matter what antivirus solution you implement, given enough exposure to the Internet, one of the machines will eventually get infected in the end. So, unless you're willing to migrate your entire office to Linux, the safest solution would be frequent volume shadowing, maybe combined with a good antivirus such as AntiVir (which even has a Linux version IIRC).

  • Re:We use Nod32 (Score:4, Interesting)

    by rdnetto ( 955205 ) on Wednesday June 17, 2009 @04:13AM (#28358831)
    I can confirm this. Back when I ran AVG, I thought my system was clean and only downloaded Avast to see what it was like. I was pretty surprised to see how many viruses it found! AVG appears to work, but it doesn't come close to Avast.
  • Re:We use Nod32 (Score:3, Interesting)

    by Sabriel ( 134364 ) on Wednesday June 17, 2009 @05:21AM (#28359155)
    While I find Avast itself (Home/Pro) very nice, and recommend it, my experience early this year with its central management tool was that it was very powerful but a severe pain in the backside to install and administer. Probably fantastic for hardcore sysadmins, but like wrestling with a greased tiger for this little grasshopper. It seriously needs some wizard-fu.
  • Re:AVG (Score:2, Interesting)

    by thijsh ( 910751 ) on Wednesday June 17, 2009 @05:56AM (#28359307) Journal
    MANAGEMENT SUMMARY: AVG will cost more in workhours and years of your life than it will ever save you! USE WITH CAUTION!

    AVG network is a huge mistake I made as an admin... Sure the cost is low, the central management is OK, and the virusscanner was pretty decent... Only with newer versions you get these free bonus PITA's:
    - Bloat like the Linkscanner that 'enhances' your webbrowser by making it slower or freeze and crash
    - Firewall that will sometimes lock for no reason at all (making me have to go to the server to reset it since remote management is made impossible)
    - Updates that automatically f**k the PC, there was one well known AVG-update-crash that you'll probably remember but beside that there have been numerous other updates that have a success rate of installing of less than 50%, so you'll have to fix half the PC's manually.
    - Updates that will turn the real-time-protection off automatically and not turn it on again (WTF, is this a 'pro' version used in networks and on servers?)

    In the end, if you configure AVG to *only* install the AV part (only thing Grisoft is somewhat good at), and stay as far away from the crappy firewall and other bloat you'll save yourself a lot of trouble (and headache).
  • Re:We use Nod32 (Score:5, Interesting)

    by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Wednesday June 17, 2009 @06:19AM (#28359387) Homepage

    AV is inherently a flawed idea... As you've found out, not every AV picks up every *known* piece of malware, and none of them will pick up new malware that has only just been developed (and people are developing new stuff all the time)...

    Take some of the files that avast found and upload them to virustotal.com, and see just how many other AV products don't find it... You will also find that there is plenty of other malware out there which avast won't find... Anything that's missed by both avast and avg could potentially still be sitting on your machine.

    Also, malware authors don't just sit still, malware is big business and the people writing it are constantly looking for new ways to avoid detection, and that often involves specifically targeting the most popular types of AV in order to find effective ways to bypass them. AV by its very nature will always be one step behind the authors of malware... AV will always just be a low hanging fruit exercise, it will never be able to get anything...
    The only place i use AV is on my email server, not because i'm especially concerned about the actual malware itself, but because malware detection works as another method to remove some unwanted junk mail.

  • Perl (Score:3, Interesting)

    by Krneki ( 1192201 ) on Wednesday June 17, 2009 @06:59AM (#28359565)
    Perl scripting is the answer. Install a free anti-virus, and set up a script checking. Check the anti-virus files and registry entry. You can get all the information you need, program virus version, database version, and use a central server to store the logs. Using scripts you can force anti-virus updates and restart. I have a lot of experience with Trend Micro and all the anti-virus parts are daily checked with Perl scripts (during the night), to make sure the clients behave.
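
The server-side half of the approach described in the comment above, as an added example that is not the commenter's code and is written in Python rather than Perl: it audits a central status log for clients with stale definitions, disabled real-time protection, or no recent report. The log layout, host names and thresholds are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of a central status log. The layout is an assumption:
# report time|host|engine version|definitions date|real-time state
SAMPLE_LOG = """\
2009-06-17T02:10:00|ws01|8.5|2009-06-16|on
2009-06-17T02:11:00|ws02|8.5|2009-06-16|off
2009-06-17T02:12:00|ws03|8.5|2009-06-01|on
2008-05-02T02:09:00|laptop7|7.0|2008-05-01|on
garbage line from a half-written report
"""
EXPECTED_HOSTS = {"ws01", "ws02", "ws03", "ws04", "laptop7"}  # hypothetical inventory


def parse_reports(text):
    """Return ({host: newest report}, [numbers of malformed lines])."""
    latest, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split("|")
        try:
            if len(parts) != 5:
                raise ValueError("expected 5 fields")
            seen = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            defs = datetime.strptime(parts[3], "%Y-%m-%d")
        except ValueError:
            bad.append(n)  # never guess at a damaged report
            continue
        host = parts[1].lower()
        if host not in latest or seen > latest[host]["seen"]:
            latest[host] = {"seen": seen, "engine": parts[2], "defs": defs,
                            "realtime": parts[4] == "on"}
    return latest, bad


def audit(text, expected, now, max_defs_age=timedelta(days=3), max_silence=timedelta(days=2)):
    """Return ({host: [issues]}, malformed line numbers) for hosts needing attention."""
    latest, bad = parse_reports(text)
    findings = {}
    for host in sorted(expected | set(latest)):
        rec, issues = latest.get(host), []
        if rec is None:
            issues.append("never reported")
        else:
            if host not in expected:
                issues.append("unknown host")
            if now - rec["seen"] > max_silence:
                issues.append("silent")
            if now - rec["defs"] > max_defs_age:
                issues.append("stale definitions")
            if not rec["realtime"]:
                issues.append("real-time protection off")
        if issues:
            findings[host] = issues
    return findings, bad
```

Comparing against an inventory of expected hosts is what surfaces a machine that has stopped reporting, which a check of received reports alone would miss.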
  • by Anonymous Coward on Wednesday June 17, 2009 @07:10AM (#28359635)
    These days no antivirus is really very good, I came to the conclusion a while ago that AV is an obsolete technology. The malware writers are just taking the piss, and Windows can never be virus free.

    If no antivirus is really very good, then why is it that only Windows can never be virus free? Why does the same not apply to Linux, Unix, OSX, or whatever? I understand that they have truly minuscule marketshare by comparison and that accounts for their relatively low number of virii. But I think you would be a fool to believe that they are inherently more secure simply by virtue of being more obscure, or to believe that if one of them had 95% market share that there wouldn't be a thriving virus industry targeting those operating systems.
  • Re:We use AVG (Score:2, Interesting)

    by minvaren ( 854254 ) on Wednesday June 17, 2009 @07:11AM (#28359637)
    AVG was lightweight until version 8.5. Now the footprint is as bad as McAfee or Symantec (around 100MB of memory used by each).
  • Managed Service... (Score:2, Interesting)

    by Harassed ( 166366 ) on Wednesday June 17, 2009 @08:59AM (#28360363)

    Take a look at the Trend WorryFree managed service. Doesn't need a central server on-site and you still get a centrally managed solution.

  • Re:We use Nod32 (Score:3, Interesting)

    by adisakp ( 705706 ) on Wednesday June 17, 2009 @12:04PM (#28362447) Journal

    AV is inherently a flawed idea... As you've found out, not every AV picks up every *known* piece of malware, and none of them will pick up new malware that has only just been developed (and people are developing new stuff all the time)...

    That's one reason why application whitelisting would work better. Only "good" known apps with a valid signature or saved CRC of some sort are allowed to execute. Any unknown apps either get canned, or request the user's permission to run -- these unknown apps can be added to the whitelist by the user.

    Of course, you still have to worry about security flaws in the "good" apps allowing remote execution / etc so then you'd want to combine the whitelisting with some sort of sandboxing / limiting privileges on apps.
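
The allowlisting decision described in the comment above, as an added example that is not the commenter's code: a default-deny policy keyed on file content, using a SHA-256 digest in place of the "saved CRC" the comment mentions. The class, method and file names are hypothetical, and the files are constructed stand-ins for executables.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file contents in chunks so large executables are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Default-deny launch policy keyed on content hash, not on file name or path."""

    def __init__(self):
        self.approved = {}  # digest -> label recorded at approval time

    def approve(self, path, label):
        self.approved[sha256_of(path)] = label

    def decide(self, path):
        """Return 'allow' for approved content, 'ask' for unknown, 'deny' if unreadable."""
        try:
            digest = sha256_of(path)
        except OSError:
            return "deny"  # a missing or unreadable file is never run
        return "allow" if digest in self.approved else "ask"


def demo():
    """Run the policy over constructed files and return the decisions in order."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "cad.exe")
        with open(app, "wb") as f:
            f.write(b"constructed known-good program bytes")
        policy = Allowlist()
        results.append(policy.decide(app))   # unknown content: ask the user
        policy.approve(app, "CAD package")
        results.append(policy.decide(app))   # approved content: allow
        with open(app, "ab") as f:
            f.write(b" + appended bytes")    # same name and path, changed content
        results.append(policy.decide(app))   # falls back to ask
        results.append(policy.decide(os.path.join(d, "missing.exe")))
    return results
```

Because approval is tied to the digest, a file modified after approval drops back to the prompt even though its name and path are unchanged.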

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Wednesday June 17, 2009 @07:47PM (#28367889)
    Comment removed based on user account deletion
