Four anti-virus scanners adopt different approaches, giving companies options for rounding out their virus protection plans

While many IT directors focus their anti-virus attention on catching malicious code at the network border, complete virus protection includes regular file scanning to make sure nothing slips past the anti-virus gateway.

We looked at server-based anti-virus scanners from three vendors — McAfee (Network Associates), Sophos, and Symantec — and found dramatic differences in their approaches to keeping the heart of a network virus-free.

All three were adept at recognizing basic virus infestation (the two-pronged approach combining virus signature dictionaries with malicious code heuristics is becoming standard in the industry). But they varied widely in their approach to managing virus scanning across clients on the network, supporting those clients, and reporting infestations back through management consoles and enterprise management frameworks. Sophos is the minimalist of the group; a straightforward virus-scanning engine that protects a server without trying to become part of the network-management tool suite.

McAfee and Symantec both take a component-based approach with scanning applications and management consoles as separate products. Both can manage anti-virus activities on large numbers of servers and workstations, although the McAfee management console is the only one that will manage the scanning engine of another company — Symantec — as well as its own.

To test these products’ capabilities, all of the anti-virus software was loaded into a test network consisting of two Windows 2000 servers and six workstations running Windows XP Pro. The controlling server was a Dell PowerEdge 2600 server; the secondary server was a Compaq ProLiant ML 350 server.
I tested all of the scanners with the Eicar anti-virus test files (eicar.com) in text, executable, ZIP, and double-ZIP configurations, with the files placed in various locations on the server and around the network.

McAfee VirusScan Enterprise 7.0

The McAfee (Network Associates) anti-virus solution consists of at least two pieces, e-Policy Orchestrator 3.0 (ePO) and the anti-virus products.

ePO is the management console and administrative heart of the system, controlling the McAfee VirusScan Enterprise scanner and any other McAfee anti-virus products. It is perhaps the most ambitious of the management consoles of the four, and it places the greatest demands on its host server. The host server must have a SQL Server database engine installed, in addition to standard Windows NT networking components such as DHCP and DNS (even if the host server is not the server providing those services to network clients). The database stores information on clients and alerts that may be generated by any of the McAfee, Symantec, or Dr. Ahn anti-virus products supported and monitored by ePO.

Setting up ePO is complex because the services it provides are comprehensive and support not just anti-virus but also firewall and gateway client software. In my testing, the McAfee Virus Scanner correctly recognized a virus presence, quarantined the file, and sent an alert through ePO to the network administrator.

To complete the circle of protection, ePO also provides emergency virus signature-file updates and propagation through the network in the event of a new virus outbreak.
With support for up to 250,000 clients and an interface equipped for several languages, the combination of McAfee, ePO, and some variety of scanning engines would be a solid choice for extremely large, international networks.

ePO goes far beyond simple anti-virus functionality, but if an organization is looking for a mechanism to manage usage and security policies along with its anti-virus activities, McAfee has a solid, comprehensive solution.

Sophos Anti-Virus/Enterprise Manager

Sophos Anti-Virus takes a big step toward ease of use compared to the other products in this test, showing a very simple user interface on its Anti-Virus scanner.

Sophos’ approach uses a combination of virus signatures and heuristics to identify virus payloads. It concentrates on scanning files on the server’s disks — a separate piece of software is available to scan e-mail for virus-infected attachments.

Setting up the system for basic operation took little time or effort. Sophos Anti-Virus, which offers either workstation or network-server installation with a short list of options, had by far the fastest installation and setup time among the products reviewed. The basic Anti-Virus scan engine effectively found the virus signatures in my test. For managing multiple servers or a server and multiple clients, Sophos Enterprise Manager comes into play. Once again, straightforward design and execution is the watchword, with an emphasis on deploying and updating client scanner software.

Sophos’ software seems readily suited to two very different user groups. The first is the large organization, with solid network management already in place, seeking straightforward anti-virus protection, because Sophos is unlikely to conflict or collide with any other security or management software.

A company looking for simple-to-install anti-virus software that doesn’t require a great deal of network knowledge for successful deployment would also find this product useful.
In this case, Sophos’ simplicity makes it easy to get solid anti-virus protection.

Symantec AntiVirus Corporate Edition 8.0

Symantec provides a component-based approach to enterprise anti-virus protection. As with the other two products in this review, McAfee and Sophos, enterprise management is separate from the active scanning component, and there are “snap-in” components within the scanner for individual applications.

The design of the component architecture is apparent upon deployment; the anti-virus server must be installed first to set up security groups, with individual clients then created and deployed through the server interface. Individual servers and workstations are managed through the Symantec Event Manager interface, which uses a Windows NT Management Console for its displays and actions. The consistency of the interface shortens the learning curve for any administrator accustomed to Windows NT management.

Parameters controlled by the management console include the behavior of snap-in components for scanning MAPI (Messaging API) e-mail traffic and Lotus Notes messages. In addition, update behaviors (using Symantec’s LiveUpdate technology), actions to be taken upon positive identification, and alerts for groups, individual servers, or workstations can be set from the central console.

The Symantec product combination is designed to handle hundreds of servers and hundreds of thousands of workstations, because Symantec advises putting virus protection on each computer within an organization. If an enterprise is very large, yet has other facilities to control network policies and firewall-based security, Symantec is a solid candidate to fill its anti-virus scanning needs.
After putting these anti-virus scanners through their paces, it’s clear that each has its security bearings and would be a solid component of a complete enterprise anti-virus strategy.

None of these products fails in the basic mission of virus detection, and the differences in management approaches give companies several choices when seeking the one product that will best mesh with their particular IT philosophy and architecture.

InfoWorld Scorecard

Product | Manageability (20.0%) | Value (10.0%) | Setup (20.0%) | Security (50.0%) | Overall Score (100%)
McAfee VirusScan Enterprise 7.0 | 8.0 | 8.0 | 6.0 | 9.0 | 8.1
Symantec AntiVirus Corporate Edition 8.0 | 8.0 | 8.0 | 7.0 | 9.0 | 8.3
Sophos Anti-Virus/Enterprise Manager | 6.0 | 7.0 | 8.0 | 9.0 | 8.0
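
The review's test method used the Eicar file in text, executable, ZIP, and double-ZIP form. The sketch below is an added example, not part of the original review or any vendor's code: it builds those four configurations in memory and runs a toy signature check over them to show why the nested-archive cases are worth testing. The file names, the `scan` function and its `max_depth` parameter are assumptions made for illustration.

```python
import io
import zipfile

# Standard 68-byte EICAR test string, written in two pieces so that this
# source file is not itself flagged by an on-access scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + rb"ANTIVIRUS-TEST-FILE!$H+H*"


def zip_bytes(name, payload):
    """Return a ZIP archive (as bytes) holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_samples():
    """The four configurations named in the review (file names are constructed)."""
    inner = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.txt": EICAR,                            # text
        "eicar.com": EICAR,                            # executable
        "eicar.zip": inner,                            # ZIP
        "eicar2.zip": zip_bytes("eicar.zip", inner),   # double ZIP
    }


def scan(data, max_depth):
    """Toy scanner: match the signature at file start, unpacking ZIPs
    up to max_depth levels deep. Not a real anti-virus engine."""
    if data.startswith(EICAR):
        return True
    if max_depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(scan(zf.read(n), max_depth - 1) for n in zf.namelist())
    return False


def coverage(max_depth):
    """Map each sample name to whether the toy scanner detects it."""
    return {name: scan(data, max_depth) for name, data in build_samples().items()}


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, coverage(depth))
```

A scanner that does not unpack archives sees only the two plain files, and one that unpacks a single level still misses the double ZIP, which is the gap the nested test files are meant to expose.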