We're dumping Symantec! Recommend an ENTERPRISE a/v

blargoe (Member, 4,174 posts)
After a week from hell cleaning 600 desktops and 90 servers of malware due to a vulnerability in Symantec Antivirus, our powers that be have decided we are going to **** them. Fine by me.

I was wondering about your experiences with enterprise level antivirus/antimalware solutions. All things held equal (i.e., it's going to catch 99.9% of stuff assuming you keep it up to date), reliable and centralized management and deployment are very important to us. Secondary would be something that isn't horrible on system resources and that isn't known to interfere with other security software much - we also are planning to implement a desktop firewall solution.

Thanks

blargoe
IT guy since 12/00

Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...

Comments

  • royal (Member, 3,352 posts)
    Right now we're using OfficeScan: http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm

    We plan on going to Microsoft Forefront Security.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • Plantwiz (Mod, 5,057 posts)
    Trend Micro.
    Plantwiz
    _____
    "Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux

    ***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.

    'i' before 'e' except after 'c'.... weird?
  • 5no-yt (Member, 79 posts)
    Symantec is evil!
    Right now it's causing some serious issues with our FAT PCs (we have about 400 PCs in total - 20% of them fat) - making a P4 feel like a good ol' 20 MHz Intel!
    It's GREAT!!!
    Security is like exercise: everyone talks about it, but not many people do it.
    -J.R.Purser
  • keatron (Member, 1,213 posts)
    JD and I talked about this at least a year ago. I also posted a few times here. Check out this post.

    http://www.techexams.net/forums/viewtopic.php?t=21148

    This is only the beginning, it's certainly going to continue to get worse before it gets better. As proof of concept to a client, I compromised one of their secretary workstations from the outside (GRE tunneling) and replaced her hosts file with one I created. I had static entries in the hosts file that pointed www.lavasoft.com (Ad-Aware site) and www.safer-networking.org/en/download/ (Spybot site) to a web server I own that has fake Spybot and fake Ad-Aware pages (looks like the real ones, in other words). There's only one download link on both pages, but guess what? The file you download is NOT Ad-Aware and NOT Spybot, it's a rootkit that records keystrokes (although I can't take credit for writing the kit, I got it from a good friend). I proceeded to send a fake forged email to their IT team from this secretary informing them that she had spyware on her machine. The email also requested that they come and clean it while she was at lunch that day. Well, they came and did exactly what I thought they would, went straight to the Spybot website (or what they thought was the Spybot website), downloaded my kit and installed it. After the downloaded Spybot install they got didn't do anything when they tried to install it (or at least they thought it didn't), they finally ran another popular tool and promptly reported that they didn't find any evidence of spyware (remember it was a fake email so nothing was really there). I promptly waited until that night, reconnected to my trojan, got her credentials, logged into her machine remotely, uploaded Metasploit and a few other goodies to it, and absolutely went to town on their "secured" network. I eventually got access to a pretty important looking SQL server (still parsing data to see what it all is), but guess how I owned it? By hitting it with Metasploit and exploiting a VERY popular backup software that happened to be running on that SQL server. So far this year my success rate when attacking third party software on Windows boxes has been 100%. That's just sick.

    The point is, I carried out my attack manually, simply because I was attempting to be at least a little quiet with the attack. But, how hard is it to script this exact same attack and make it an automated process? Not hard at all. If it had not been for the vulnerability in that backup software, I was going to have an EXTREMELY hard time getting at any servers in this place, because if they don't do anything else, they do protect their servers pretty well for someone who's never had a professional security audit.

    To everyone reading this; DO NOT attempt to do any of these things on any system which is not yours, and even then you will certainly hose your machine if you're not careful. What I posted here is the very beginning of the attack phase of a 100% authorized prelim pen test. That means I have complete permission. A prelim pen test is basically a baby pen test to convince them that they need a real pen test. With that being said, I purposely left out key steps and trying to do this following step by step from this post will almost certainly cause most IDS and IPS systems to scream bloody murder.
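As an added defensive illustration (not part of keatron's post or of any product discussed in this thread): the attack above hinged on static hosts-file entries redirecting the Ad-Aware and Spybot download sites to a server the attacker controlled. The script below parses a hosts file and flags any watched security-vendor domain pinned to an address that is not a loopback or null-route sinkhole; the watch list, the 203.0.113.10 placeholder address and the sample hosts content are constructed for the example.

```python
import ipaddress

# Constructed watch list of security-vendor domains that should never be
# pinned in the local hosts file (the post's attack redirected both of these).
WATCHED_DOMAINS = ("lavasoft.com", "safer-networking.org")


def _is_sinkhole(ip: str) -> bool:
    """True for loopback / unspecified addresses, the only benign pins
    (ad-blocking style); anything else sends traffic to a real host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: do not treat it as harmless
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()


def _is_watched(name: str, watched) -> bool:
    # Exact match or any subdomain of a watched domain (www.lavasoft.com).
    return any(name == d or name.endswith("." + d) for d in watched)


def find_suspicious(text: str, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains pinned to non-sinkhole IPs."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if _is_watched(name, watched) and not _is_sinkhole(ip)]


# Constructed sample resembling the tampered file described in the post;
# 203.0.113.10 is a documentation-range placeholder for the attacker server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # benign ad sinkhole, not flagged
203.0.113.10    www.lavasoft.com         # redirected Ad-Aware site
203.0.113.10    www.safer-networking.org # redirected Spybot site
"""

if __name__ == "__main__":
    for name, ip in find_suspicious(SAMPLE_HOSTS):
        print(f"ALERT: {name} pinned to {ip} in hosts file")
```

Run it against the real hosts file on a schedule (or from an endpoint agent) and any hit is worth an investigation, since a legitimate build has no reason to pin a vendor's download site.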
  • JDMurray (Admin, 13,031 posts)
    I second Trend Micro and, from what I've heard, Microsoft's OneCare is one of the worst A/V products with respect to actually detecting Malware. I realize that Microsoft will fix it (or force the company they bought it from to do the fixing), but why would they release such a crappy product just to coincide with the release of Vista? It just reinforces the "Microsoft never gets it right until version 3.0" bromide that's been repeated for years.

    Keatron, I was at a security conference this week and heard a story about a pen testing company that planted USB flash drives in the parking lot of a customer for whom they were doing a survey. The 15 flash drives each contained a folder whose name implied that it contained adult content. Inside was an executable file whose name promised adult images if executed. The program was a simple app that "phoned home" to the pen tester's Web server and simply logged that it had been executed, and from what machine name and IP address. All 15 of the drives were picked up by employees entering the office for work that morning, and by noon eleven of the employees had run the program.

    The point made by the presenter was that employees can't be trusted to follow a security policy, and that end-point security must be automatic and transparent (in this case, read-only access to USB devices plugged into workstations).
  • RussS (Member, 2,068 posts)
    I'm running CA Enterprise. Symantec has been going backwards for many years now, both the home and commercial apps.
    www.supercross.com
    FIM website of the year 2007
  • Webmaster (Admin, 10,292 posts)
    jdmurray wrote:
    I second Trend Micro
    I 'third' it. I've implemented several TrendMicro Antivirus walls. Especially for smaller and medium sized companies the typical setup I created was:

    [Internet]---isdn---[Cisco1600]---Eth---[dual-homed TrendMicro AV wall]---virtuallink--[Exchange Server]

    The companies usually had contracts for AV on clients and servers (McAfee often) but it's the combination of using different AV products that gave the best protection. One of those network magazines used to test and provide an overview of the best combi.

    Yesterday I was reading about Cisco's Outbreak Control solution from Cisco's Self-Defending Network strategy, which includes Cisco Incident Control System (ICS) but despite all the 'Cisco' in it:
    Use of up-to-the-moment threat intelligence, as provided by Trend Micro, an industry-leading expert in antivirus and worm mitigation
  • Ed Rooney (Member, 52 posts)
    I have a pushy salesguy horror story from Trend Micro. I will never do business with them. I was a newly hired IT manager at a big retail company that was spinning off from a larger parent company. We were still within the 1 year where we were operating under the larger company's IT umbrella while we stood up our own systems. We had about 1500 instances of Trend on our desktops. I had engaged both Trend and Symantec, and had just selected Symantec. The Trend rep fired off nasty emails to me and emails to his legal department asking them to send letters to all of our C-level execs telling us to immediately uninstall Trend from all of our desktops (even though the parent company still had us licensed until the final separation date).

    I ended up pushing out Symantec through the enterprise the next week, not because I had to, but because I wanted to. I also forwarded all of the sales rep's emails to friends of mine who were managing IT in other companies, with the sales guy CC'd.
  • KGhaleon (Member, 1,346 posts)
    A lot of people seem to like CA Enterprise, though I've never used it before. We use AVG or Avast antivirus for our systems. You should also grab a good firewall and disable the windows firewall. Replace it with Comodo or Kerio.

    KG
    Present goals: MCAS, MCSA, 70-680
  • sthomas (Member, 1,240 posts)
    I just dumped Symantec recently and went with CA Enterprise and I am happy with it so far.
    Working on: MCSA 2012 R2
  • malcybood (Member, 900 posts)
    McAfee 8.5 with ePO 3.5

    18 months or so since we upgraded with no problems that I'm aware of
  • geekie (Member, 391 posts)
    I'm happy with NOD32 :D
    Up Next : Not sure :o
  • royal (Member, 3,352 posts)
    geekie wrote:
    I'm happy with NOD32 :D

    Nod32 is what I use for Vista. It's pretty good and doesn't use up too many resources.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • geekie (Member, 391 posts)
    It's pretty good and doesn't use up too many resources.

    Exactly! BF2 is running nicely for me ever since I switched.
    Up Next : Not sure :o
  • APA (Member, 959 posts)
    Workplace ditched Trend Microscan as it was causing major problems........

    We have been using Sophos now for almost a year.......I will tell you now...... Sophos implementation was smooth and easy..... picks up malware, spyware, all sorts with next to no effort..... If anything, with the policies you can create it can be a bit of overkill but you can never be too sure about when something is going to strike so it's safer to err on the side of caution!

    So yeah, Sophos definitely gets a thumbs up!!!!!

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • pr3d4t0r (Member, 173 posts)
    Anyone here using AVAST?

    NOD32 is one of the best out there, but avast is by far the best.
  • JDMurray (Admin, 13,031 posts)
    icroyal wrote:
    geekie wrote:
    I'm happy with NOD32 :D

    Nod32 is what I use for Vista. It's pretty good and doesn't use up too many resources.
    I use both NOD32 and AVG Free on my systems and I'm happy with them both. NOD32 is especially easy on system resources and updates its def file quickly too.
  • JDMurray (Admin, 13,031 posts)
    KGhaleon wrote:
    You should also grab a good firewall and disable the windows firewall. Replace it with Comodo or Kerio.
    Non-tech-savvy users will either always push the "Allow" button making the software firewall useless, or always push the "Deny" button making their network-connected apps useless. A pre-configured set of rules helps, but it doesn't prevent the user from downloading and running apps that the Malware scanners don't recognize. Either way, the decision of what to block should not be left up to Joe Enduser.
  • james_ (Member, 97 posts)
    Using NOD32 Enterprise on my network. Pretty awesome AV. Fast and effective, easy to setup. Customer Service is good. Gets my vote!
  • sprkymrk (Member, 4,884 posts)
    blargoe wrote:
    After a week from hell cleaning 600 desktops and 90 servers of malware due to a vulnerability in Symantec Antivirus, our powers that be have decided we are going to **** them. Fine by me.

    I don't think you'll be any happier with something else. What Symantec vulnerability was it and what version of Symantec? As far as I know, they haven't had any major issues in a while, and they have a mailing list that gives you a heads-up when one is discovered. If the problem was due to not keeping your AV software patched the same way you keep Windows patched, then you could have a repeat performance on the next AV software you choose. I'm not talking about the definition files either, I'm talking about the software itself staying patched and up to date. BTW - Trend Micro just had a bad remote control vulnerability a few weeks ago.

    Good luck! :)
    All things are possible, only believe.
  • RTmarc (Member, 1,082 posts)
    Give BitDefender a look

    http://www.bitdefender.com


    We've rolled it out and so far it's been a good decision.
  • JDMurray (Admin, 13,031 posts)
    RTmarc wrote:
    We've rolled it out and so far it's been a good decision.
    How so? Did BitDefender identify all of the Malware that you purposely released on to your network to test it? Or is it just easy to deploy and manage? And are you using a secondary Malware scanning solution for redundancy?
  • computerguy9355 (Inactive Imported User, 81 posts)
    I would NEVER use any Norton products on a production network. Their products suck, same goes to their products for home users.

    I would strongly recommend you use Kaspersky. They have products that are designed for large enterprises.

    Here is a link

    http://usa.kaspersky.com/products/enterprise-security.php

    Kaspersky is one of the best antivirus products out there. It also has the highest virus detection rate. You can't go wrong with Kaspersky.
  • NinjaBoy (Member, 968 posts)
    So far the only 2 anti-virus products that I have liked on my network at work are:

    1. McAfee and
    2. Panda

    I have tried Symantec, Sophos, AVG, etc. and along with other things I dislike about them, the PCs that I've installed them on really have a big performance hit (so much that I've had to change anti-virus product due to users complaining).

    I'm currently using Panda to protect my network, as McAfee was too expensive this year, and I have to say the Enterprise Console is truly easy and nice to use.

    -Ken
  • RTmarc (Member, 1,082 posts)
    jdmurray wrote:
    RTmarc wrote:
    We've rolled it out and so far it's been a good decision.
    How so? Did BitDefender identify all of the Malware that you purposely released on to your network to test it? Or is it just easy to deploy and manage? And are you using a secondary Malware scanning solution for redundancy?
    I've got a few test virus programs and malware I released in our test environment and not only did it find everything but it found them quickly. Which if it found 100% of the files I ran out there it will make me happy.

    As far as deployment goes, it's a breeze. Load the Enterprise Management Console on a single server and you push out the program to all machines via the Deployment Tool. You can do configuration of the clients in this manner as well.

    We use Windows Defender for secondary scanning.
  • rossonieri#1 (Member, 799 posts)
    well,

    couple of weeks ago I've posted about 2796 - it did hurt the network significantly, - but
    an anti virus is just another thing in the network.
    ingress-egress filtering will help, an IPS will also be a great help.

    I think the SYM*** is really facing a serious performance decline - I've noticed it from my experience about 5 years ago. Trend OSCE is small but powerful, CA eTrust is as heavy processor intensive performance as McAfee, Kaspersky has a little hard to deploy configuration. F Secure?? not really.

    cheers
    the More I know, that is more and More I don't know.
  • LukeQuake (Member, 579 posts)
    Whatever you do, DO NOT roll out "Kaspersky" anti virus :)

    We started using this about 8 months ago and it's been hell ever since.
  • garv221 (Member, 1,914 posts)
    keatron- What do you recommend?

    I agree that Symantec is not a good solution for anything. I have been frustrated with them many times and finally gave them the axe.
  • keatron (Member, 1,213 posts)
    garv221 wrote:
    keatron- What do you recommend?

    I agree that Symantec is not a good solution for anything. I have been frustrated with them many times and finally gave them the axe.

    I recommend a couple of different ones depending on the size of the client and complexity of the environment. Since for most small clients (100 to 500 users) I usually spec (and sometimes install) Sonicwalls simple (low security) content filtering and content management, I often roll out McAfee. People argue all the time about which one will catch the most, which one will remove the most etc. That's all good, but you also have to equate ease of management and availability (see the CIA Triad). The McAfee solution works good with the Sonicwalls simply because it's an optional module that automatically does the little things like deny any machine without anti-virus internet connectivity. The updated virus signatures come into the Sonicwall and are pushed out from it instead of every one on the network updating from the vendor website (think WSUS lite for antivirus).

    Another alternative to Symantec (trust me, none of them are that much better), is Trend Micro. I'm involved in a large lab test using AVG with a client currently, so I'll be able to comment it on it later.

    Bottom line is all of these vendors have their own quirks. The best thing to do is research a few of them (read install, observe and record, not read an article), and closely examine the results of your research. Anti-virus management is hardly an "install and leave it be" process. Sometimes some training might even be required and I even strongly recommend it if you're rolling out the enterprise versions of anything I've named above. And just to clarify, there ARE many exploits that are successful against every piece of software I named. I didn't want anyone to think that Symantec is the only vulnerable solution mentioned.

    Quite honestly, for the last couple of years I've been knee deep in forensics, and IDS [clears throat] "research" and have passed the host level antivirus and anti-trojan torch to one of my senior security consultants. So far he's not found much reason to abandon the basics of what I've stated here.

    Keatron.
  • Ye Gum Noki (Member, 115 posts)
    Chapt3r:4 wrote:
    Symantec is evil!
    Right now it's causing some serious issues with our FAT PCs (we have about 400 PCs in total - 20% of them fat) - making a P4 feel like a good ol' 20 MHz Intel!
    It's GREAT!!!

    GUH!!! Why do you have FAT partitions in 2007? There is a new craze sweeping the IT world, it's called Information SECURITY. You may have heard of it (or then again...)
    "What we think, or what we know, or what we believe is, in the end, of little consequence. The only consequence is what we do." John Ruskin.