Enterprise Antivirus
Anyone have recommendations or products to stay away from?
Currently Working On
CWTS, then WireShark
CWTS, then WireShark
Comments
-
nelson8403 Member Posts: 220 ■■■□□□□□□□We've used a couple products.. I liked ESET the best out of the enterprise antivirus, we use sophos currently though because our director was sold on their whole suite even though we don't use itBachelor of Science, IT Security
Master of Science, Information Security and Assurance
CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016) -
markulous Member Posts: 2,394 ■■■■■■■■□□Last client we managed they were using McAfee version 8. Even though the licensing is free for life, it didn't seem worth it. It's a huge resource hog and unless you know how to manage it well, it's a pain. The company that managed it pushed out an update that corrupted every profile in their organization (~800 users) and a lot of them are remote.
-
dmoore44 Member Posts: 646I'm not a real big fan of the McAfee VSE and Symantec SEP products... Both have left me wanting more. One of my previous employers used Trend, and it seemed to be not horrible.Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
-
mrhaun03 Member Posts: 359I used Vipre at an MSP before which I liked. It was easy to use from the server console.Working on Linux+
-
gespenstern Member Posts: 1,243 ■■■■■■■■□□I vote against Symantec. Slow and bloated. Doesn't have a way to uninstall it from management console, I guess they don't want it to be removed, lol. Had to write a script to get rid of it...
TrendMicro was more or less okay, but they have a kernel-mode driver tmtdi.sys and it is known to cause BSOD issues with SAP. TDI is a technique to inject itself into TCP/IP stack for grabbing data and is outdated since 2008 but they still use it, should have rewritten it with the use of WFP.
ESET was also more or less, don't actually have cons, but I didn't use it much maybe that's why it didn't cause me any serious issues. Everything seems to be in place and flexible. Management console is somewhat counter-intuitive though, hard to find how to do simple things.
That's my experience from the last ~2-3 years, it doesn't make sense to look deeper as products do change all the time.
And main functionality -- catching malware, check with AV-comparatives and similar sites. -
Mike-Mike Member Posts: 1,860AV-Test and AV Comparatives both had F-Secure ranking very high, although I had never heard of them. I saw a demo and liked their GUI. Symantec left me unimpressed, and most people say it is a resource hog. Trend Micro also looks ok. Nothing amazing, but nothing badCurrently Working On
CWTS, then WireShark -
gespenstern Member Posts: 1,243 ■■■■■■■■□□^
that's because you are in Louisville, KY and they are in Helsinki, Finland. They have some market in Europe, I've been in their office in Helsinki, cool guys. -
Mike-Mike Member Posts: 1,860gespenstern wrote: »^
that's because you are in Louisville, KY and they are in Helsinki, Finland. They have some market in Europe, I've been in their office in Helsinki, cool guys.
F-Secure was my favorite, but based on name recognition, it's harder to sell the higher ups on themCurrently Working On
CWTS, then WireShark -
Fulcrum45 Member Posts: 621 ■■■■■□□□□□Stay far far away from AVG Cloud Care. They lure you in with an easy to use management interface and then proceed to gobble up legit .exe files on the network DESPITE having exceptions in place to not do so. Also, it has a tendency to become unmanageable from the end client device. I have run into issues where it would cause random OS crashes in Win8 as well.
Their support is horrendous. I have had an open case with them for over 6 months and I received one phone call and one email since then to tell me that they were still investigating. I had since given up on them well before that point. I just have too much on my plate to chase down a vendor I had no say in selecting anyway. -
Mike-Mike Member Posts: 1,860Stay far far away from AVG .
reminded me of office humor.. one day I was walking with my boss, and a guy in another department starting chatting with us, and we had to leave, my boss said we had security work to do, and the other guy goes, "yeah right, all you security guys do all day is go around installing AVG Free Anti-Virus on people's computers"Currently Working On
CWTS, then WireShark -
wes allen Member Posts: 540 ■■■■■□□□□□Use something free like windows defender, and take your budget for AV and put it into patching, secure workstation configs, and email/web filtering. You will be better protected with less user impact.
-
GreaterNinja Member Posts: 271Back in the Day AVG was good. THen I moved onto Avast due to its low system performance impact for gaming. Then I moved onto Kaspersky, Symantec, and ESET NOD.
Today I use AVG (free 1 yr license deal a few months ago), Kaspersky (Licenses are $3-8/yr), ESET NOD, and Avast if I need just any AV.
After finding out about a month ago that AVG records and sells your web browsing history to about anyone, I don't think I'll be using them anymore (again).
I have to agree with Nelson, ESET NOD seems to be the best. -
TR4V1STY Member Posts: 62 ■■■□□□□□□□I used Vipre at an MSP before which I liked. It was easy to use from the server console.
I found out the other day that they are based out of Clearwater, Florida. Scientology headquarters is located there.Beginning in the 1970s under the code-name Project Normandy, Scientology began targeting Clearwater in order to "establish area control" of the city and county. The operations were exposed in a Pulitzer Prize winning series of articles in the Clearwater Sun.[55]Gabe Cazares, who was the mayor of Clearwater at the time, went so far as to call it "the occupation of Clearwater.” [56] and later characterized it as a "paramilitary operation by a terrorist group."[57] The Church of Scientology targeted Cazares, attempting to entrap him in a sex scandal.[58][59] Scientology also staged a phonyhit-and-run accident with Mr. Cazares in an attempt to discredit him.[60] Cazares and his wife sued the Church of Scientology for $1.5 million. The church settled with Cazares in 1986.[60]
Scientology headquarters are located in downtown Clearwater and there remains ongoing controversy over the church's influence. The Church of Scientology refers to Clearwater as their "Flag Land Base."[61] -
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□Anyone have recommendations or products to stay away from?
All of them suck if they are your only protection...
https://www.dropbox.com/sh/m2zd4y5bq32d9wa/AACoqQAv6peVBFCzIFCDyAsAa2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
Mike-Mike Member Posts: 1,860All of them suck if they are your only protection...
https://www.dropbox.com/sh/m2zd4y5bq32d9wa/AACoqQAv6peVBFCzIFCDyAsAa
they aren't, just one of the layersCurrently Working On
CWTS, then WireShark -
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□Good to hear
I like Trend Micro Deep Security, the virtual patching feature is nice2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
pennystrader Member Posts: 155I think Bit9 is the strongest in this category as it is not based on signatures. The problem is since all AV's use signatures when something new is detected AV won't find it until they have seen it. Bit9 is application whitelisting with a deny everything approach and then only allow what the admin of the systems deems as safe in their environment. Trying to detect malware via signatures is outdated technology and now you really need to look for the indicators of advanced threats.
https://www.bit9.com/why-bit9/why-you-need-bit9/
The more knowledge one obtains the more there is too accumulate..... -
YFZblu Member Posts: 1,462 ■■■■■■■■□□pennystrader wrote: »I think Bit9 is the strongest in this category as it is not based on signatures. The problem is since all AV's use signatures when something new is detected AV won't find it until they have seen it. Bit9 is application whitelisting with a deny everything approach and then only allow what the admin of the systems deems as safe in their environment. Trying to detect malware via signatures is outdated technology and now you really need to look for the indicators of advanced threats.
Very few organizations are employing true application white listing. So few that I want to say none...but somewhere, I'm sure it's happening - so I won't say none. A nice combo would be something like AV + Bit9, but not just Bit9 - what happens when you've put all your eggs in the bit9 basket, and then it betrays you? Use them both.Wes Allen wrote:Use something free like windows defender, and take your budget for AV and put it into patching, secure workstation configs, and email/web filtering. You will be better protected with less user impact.
If a group can't manage proper configurations or patch because of the antivirus budget, the group is the problem. -
pennystrader Member Posts: 155Very few companies use Bit9? I don't think that is the case. The have won awards the last 2 years for how much more effective their tool is than a standard AV product. I can write a virus right now that will sneak right by AV until they figure out eventually what it is. Bit9 would block it immediately assuming it is malicious until it was approved to run.
They won the best endpoint protection of the year. They won the award form SANS which is not easy to do.
https://www.bit9.com/bit9-carbon-black-is-the-top-choice-of-security-professionals/
I think whitelisting is much more effective. I worked in a large global enterprise company that had things sneaking by the AV and we put in Bit9 and were amazed how much more effective it was. It stopped hackers and even our admins form running scripts and tools that we did not want on critical infrastructure servers. The company I was in had hackers always trying to get in and Bit9 was keeping them from running any hacker tools on our boxes. They ran right through the AV we had which was a big AV company but I will not say their name to protect the guilty
I would not argue with using both though as layered protection but you would have to put exceptions in both so they are trying to evaluate files at the same time and thus causing contention and using unnecessary resources on the host.
The more knowledge one obtains the more there is too accumulate..... -
gespenstern Member Posts: 1,243 ■■■■■■■■□□pennystrader wrote: »Trying to detect malware via signatures is outdated technology and now you really need to look for the indicators of advanced threats.
...and that's why almost any modern anti-virus isn't just anti-virus but a full-blown HIPS instead.
however, signature based prevention is still bread and butter because it's robust. All heuristics approaches are good for detection, because they always tend to give a lot of false positives and therefore can't be used for robust prevention/remediation techniques. You just can't delete a file or prevent it from being placed on your pc because your advanced heuristics-based AV "thinks" something. Because if you do -- you end up ruining legitimate software, documents and operating system scripts and files.
That's why almost any non-signature-based approach needs an army of analysts watching alerts and doing manual incident response. If you don't have such an army -- it becomes useless. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□pennystrader wrote:Very few companies use Bit9?
When did I say that? I said that very few companies are doing true application white listing on all endpoints. Bit9 has more than one configuration.pennystrader wrote:I think whitelisting is much more effective.
Whitelisting is more effective, I never said it wasn't. What I said was, most places aren't whitelisting in the true sense, even with whitelisting products in place. A tool is only as good as its implementation - most implementations are half-baked due to the following:
-Cost of deployment to all endpoints and servers
-Cost of dedicated staff to properly implement and manage the tool + its output
-Technical challenges: having an actual gold image, managing the whitelist, managing trusted software, etc
-Political challenges which go hand-in-hand with true whitelistingpennystrader wrote:I would not argue with using both though as layered protection but you would have to put exceptions in both so they are trying to evaluate files at the same time and thus causing contention and using unnecessary resources on the host.
Bit9 is a nice product when it's deployed with the spirit of the tool in mind. But considering how poorly engineered most orgs are, I'm just saying that very few companies are prepared to acquire a product like Bit9 and do away with traditional antivirus. -
Balantine Member Posts: 77 ■■□□□□□□□□I came to the same conclusion about Bit9 last year. It is the only way forward.dulce bellum inexpertis
-
636-555-3226 Member Posts: 975 ■■■■■□□□□□2 issues we had with bit9 when looking at it for xp whitelisting - wasn't really enterprise-friendly for a diverse global company (no centrally managed server for multiple geographic regions) and it ignored powershell, which is kinda a big security hole. Both issues may have been fixed at this point (it's been a few years), but that's what I used to know.
-
Mike-Mike Member Posts: 1,860I had a demo with Bit9, excellent product, but it is exponentially more expensive than AV. Also, it's not technically "antivirus" so it is not really relevant here. It would be more Application Protection, or Advanced Endpoint Protection, but they will tell you themselves they are not "antivirus"
For auditing purposes, I need "antivirus" so Bit9 might fit into the equation in another area, but not for this specific conversation.
That being said, they do seem to have an excellent product.Currently Working On
CWTS, then WireShark -
wiseguy Member Posts: 62 ■■■□□□□□□□There are two endpoint products that have caught my attention recently. One is "Cylance Protect" and the other product is a relatively new "Menlo Security".
Cylance Protect takes a proactive approach by leveraging artificial intelligence and machine learning instead of virus definition databases and signatures. I've seen some a lot of positive end user feedback on Cylance here (https://community.spiceworks.com/topic/833551-does-anyone-actually-use-cylance) and here (https://www.reddit.com/r/sysadmin/comments/3objtq/antimalware_on_endpoints_what_do_you_use/).
Menlo Security is very new. My boss brought this company to my attention and I like the approach they are taking by isolating content from even being run from an endpoint. It looks like an application virtualization/proxy type of approach. I have yet to see any reviews for this product at this time. -
Mike-Mike Member Posts: 1,860I had a demo for Cylance, they were also insanely expensive. about 3.5 times as expensive as Trend..
pretty cool product, but way out of my budgetCurrently Working On
CWTS, then WireShark -
dustervoice Member Posts: 877 ■■■■□□□□□□When was the last time an antivirus solution caught a real virus? maybe back in 1995.... get rid of that thing off your PC. whenever i purchase a new computer thats the first thing i uninstall and for corporate users who need to achieve regulatory compliance, install anyone they are all crap just make sure you add an extra 4 GB RAM and another CPU core for the hogging it will do.
-
Chivalry1 Member Posts: 569Mcafee is a joke; it couldn't catch a cold. Symantec is just overpriced bloatware. I do understand that most enterprises require a anti-virus for compliance/regulations and/or security policy. In these cases I recommend Sophos Antivirus. But as someone already mentioned invest your money into Firewalls, IDS/IPS, WebFilters, Patch Management etc. Overall it simplifies management and its a cheaper technical solutions."The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
Robertf969 Member Posts: 190dustervoice wrote: »When was the last time an antivirus solution caught a real virus? maybe back in 1995.... get rid of that thing off your PC. whenever i purchase a new computer thats the first thing i uninstall and for corporate users who need to achieve regulatory compliance, install anyone they are all crap just make sure you add an extra 4 GB RAM and another CPU core for the hogging it will do.
As an auditor I can tell you in full confidence that the PCI council could care less what your opinion of AV is. If you don't use it you don't comply.