[PANTUGGeneral] IT: Central Anti-Virus For Small Business?


JP Vossen

Jun 18, 2009, 2:35:19 AM
to PANTUG General
Since it came up the other day...

http://it.slashdot.org/story/09/06/16/2126231
IT: Central Anti-Virus For Small Business?
Posted by kdawson on Wednesday June 17, @01:52AM
from the keeping-them-safe-despite-everything dept.
security
rduke15 writes "I'm trying to find a centrally managed anti-virus
solution for a small business network, which has around 20 Windows XP
machines with a Linux server. It is too big to manage each client
manually. However, there is no full-time IT person on site, and no
Windows Active Directory server — just Linux with Samba. And the current
solution with Symantec Endpoint Protection seems too expensive, and too
complex for such a simple need. On the Linux server side, email is
handled by amavisd and ClamAV. But the WinXP clients still need a
real-time anti-virus for the USB disks they may bring to work, or stuff
they download from their personal webmail or other sites. I'm wondering
what others may be using in similar situations, and how satisfied they
are with it."


Interestingly, there was a rant or two about how hard McAfee was to
uninstall, but Symantec was almost not mentioned at all. Lots of people
claimed this or that AV was crap and didn't find anything.

By far the most buzz was for "NOD32" which I've never even heard of.

There was also a pointer to:
http://it.slashdot.org/comments.pl?sid=1271237&cid=28358779
AV-Comparatives Corporate Report (Score:5, Informative)
by Ralish (775196) on Wednesday June 17, @04:02AM (#28358779)

AV-Comparatives recently released their May 2009 Corporate AV Report
[av-comparatives.org], which sounds like it may be right up your alley.

It's fairly large, but reviews a large number of AV products with a
corporate focus, contains lots of screenshots, and even grades them on
their appropriateness for Small, Medium and Large networks. Sounds like
it would definitely be worth a look in your case.
http://www.av-comparatives.org/images/stories/test/corporate/Corporate_May_2009.pdf


http://it.slashdot.org/comments.pl?sid=1271237&cid=28359387
AV is inherently a flawed idea...
[...]

~~~~~~~~~~~~~
<rant>
While I understand the issue and the question, from a tactical
in-the-trenches perspective, as a whole we still keep asking the wrong
question. "What Anti-{virus,spyware,malware,whatever} product should I
buy in a vain attempt to make Windows safe to use?" is the wrong
question. "Why should I be required to waste a lot of my time, effort
and money to research, purchase, configure, maintain, track licenses for
multiple products that I *should not need in the first place?*?" Why do
we tolerate this massively and demonstrably defective OS?

Just think about that for a minute. How much time and money is utterly
wasted on dealing with this issue? How much have we ALL just wasted,
reading the /. article and this thread?

It's like buying a car that would fall apart if you took it out in the
rain. You'd have to spend a lot of time finding just the right car
cover for you and your car's use-case. Then you have to buy it, and
patch it when it gets holes, and periodically buy new ones for no good
reason except the old one is "old."

We'd never put up with that, we'd go buy a car that actually worked
out-of-the-box under predictable, real-world circumstances. So why do
we put up with this crap with Windows?
</rant>

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| http://bashcookbook.com/
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
_______________________________________________
PANTUGGeneral mailing list: PANTUG...@lists.pantug.org
To remove your address or change your delivery options see:
http://lists.pantug.org/mailman/listinfo/pantuggeneral
For the searchable archives see:
http://groups.google.com/group/pantug/

lefty

Jun 18, 2009, 4:14:50 PM
to PANTUG General Discussion (and technical Q&A)
JP Vossen wrote:
> We'd never put up with that, we'd go buy a car that actually worked
> out-of-the-box under predictable, real-world circumstances. So why do
> we put up with this crap with Windows?
> </rant>

You go, boyee!

Agreed.


But back in unfortunate reality, the poor fella needs an answer.
We're experiencing nightmares uninstalling Symantec. Anybody familiar
with Symantec probably feels my pain. Even Symantec can't tell you how
to do it properly if/when their uninstall fails, not to mention all the
leftovers that continue to pop up after it *has been* uninstalled.

We're changing over to Kaspersky on desktops, but that's also a managed
solution. If I were the original questioner, I'd seriously check out a
lighter solution in general; probably Antivir or similar.

AV's have become more and more bloated, like their OS. Kaspersky is
currently pissing me off because it's `helping' me all the time by
stopping things I'm doing. On the user desktops it's locked but the
admin desktops aren't so we can *attempt* to stop these features from
helping us. It's still blocking things. When I have to work on a
remote desktop or right at the user's desk, Kaspersky stops me from
installing virus tools and other software.

I have one old XP box at home (the rest are linux). I have a free home
license from Kaspersky but I use Antivir. I'm not sure I can rate it
fairly as an AV because my habits don't set an AV off. I can tell you
it's *very* light, it updates itself, and I don't find myself yelling at
it for `helping' me.

Come to think of it, Antivir is on my wife's old XP laptop. She doesn't
know much about security but it has never bothered her and I scan the
machine every now and then for viruses and malware. It's clean.

I recommend going light. Used to use AVG but it got bloated too. Clam
doesn't do on-access scanning (or that version didn't) so it's no good
for this application (but is good as an additional scanner).

Bob Sherman (m13)

Jun 22, 2009, 6:40:11 PM
to PANTUG General Discussion (and technical Q&A)
We do XP because we do MS-Office. We do MS-Office because that's what the
company mandates. Therefore, we do Antivirus, Anti-spyware, Anti-phishing,
Anti-spam, etc. The company has a very large body of data in MS-Office
formats including Word, Excel, PowerPoint and Access. Across thousands of
desktops in the company, access to that data is stable and uniform.
Thousands of Employees have spent the last 10 years getting up to speed on
those applications, and some of those employees are not the sharpest tacks
in the box. Most of them use XP and Office at home. All employees are
"policied" into a standard and relatively uniform interface.

The company has mandated that vendors and suppliers conform to the data
formats the company uses. The vendors and suppliers do conform. They would
not be happy about changing after having conformed.

The company finds that, literally, thousands of similar companies of the
same size, by region, and even competitors, are using the same solutions.

The customized and proprietary software that the company uses runs on XP and
Windows servers. That body of data covers thousands of employees and, at
least, tens of thousands of client/customers.

The company does not uninstall software for desktops. They nuke 'em and
re-image and update.

Out of 100 employees, 75 of them work with a computer because they are
compelled to by "the company." At home, they don't play games. The
dominant usage of their home computers is email (outlook express), news,
weather, shopping online, education, and looking up times when local movies
start. Most of them don't need more than word-pad for anything else. They
could easily use Linux for these tasks, but they don't. They don't because
they use Windows at work, because that's what main stream vendors sell, and
after the initial purchase, their only add-on cost is the all-in-one
anti-malware solution.

As a vendor for that company, our company of 20 employees standardizes on
the software that produces the data required by "the company". 15 of our
employees fit the same profile as the (75 of 100) employees at "the
company." Having experimented with not using the same software, we arrived
at the conclusion that the easiest thing to do was use the same software as
"the company". Unfortunately, our "company of 20" can't achieve the same
economy of scale as "the company" with their thousands of employees. The
response for "company of 20" is to hire a semi-IT guy who pays individual
attention to 20 separate desktops where 20 separate copies of a Symantec
solution resides because it is the easiest to administer while covering the
multitude of security challenges that must be met. Otherwise, a
non-standard suite of anti-malware tools would need to be employed and some
greater amount of maintenance attention would need to be paid to one or more
of those tools. The Symantec solution offers a single update point as well
as set it and forget it configuration. You would judge that the automatic
updating configuration of those systems would not be in your best interest.

For "the company", whether Windows or Linux is inherently safer, is not even
a discussion point. Recreating their controlled and automated distribution
process represents a very large task. A seamless and transparent move to an
alternate system is not possible and, without inclusion of the cost or
non-cost of software, would be expensive. The actual cost of the software
in terms of the total COO is negligible when compared against the total
alternate scenario. They don't even want to consider the cost of studying
a change-over. Whether the Windows UI or Gnome, or KDE is more or less
secure is not a discussion point.

Hence, these things are not discussion points for "company of 20" either.

The fact is, nobody concerned is interested in changing anything.

It doesn't matter if you are right about Linux being more secure than
Windows. Everybody concerned would rather wait for MS to deliver a more
secure Windows. And will wait.

Don't shoot the messenger. I'm just reporting what is.

My advice to the slashdot iteration of "Company of 20" is "bite the bullet"
unless 18 of the 20 are geeks. My guess is that "rduke15" is the only
resident geek.

Therefore, the "right" question can't be asked. Or it would have already
been asked.

Art Alexion

Jun 23, 2009, 7:43:49 AM
to PANTUG General Discussion (and technical Q&A)
You pretty much summed up the situation that many of us find ourselves
in -- I certainly do. I suppose my situation is more like that of the
big company you describe.

I was hired two years ago, much of the reason being my Linux
experience, but with all good intentions, I am mostly just using that
experience to administer my own desktop and our [hugely popular with
the tech and non-tech staff] collection of Ubuntu netbooks.

Our legacy accounting system is Windows based. Around the time I
started, we were beginning to implement a new, browser-based financial
system -- except it wasn't a browser-based system, it was an active-x
based system.

In the past month, we bought a new budgeting system without any input
from the staff that will have to implement and administer it. Windows
only.

One of the subsidiaries that I work does art education for mentally
ill individuals. We are implementing Macs. I have no experience with
OS X, but I bought one for myself to learn. So far, the BSD under the
hood is not much different from the Linux that I know; learning a
desktop GUI is easy. The name of the subsidiary is Oasis. I am hoping
it will be my Oasis from all of the Windows nonsense in our central
office.

MS Office doesn't even enter into it. I actually /like/ Office (not
counting Outlook). That said, I find OpenOffice 3 more compatible with
more MS Office formats than any of the individual versions of the MS
product. Access is a deal breaker, though. OO's Access support is its
greatest weakness.

I can even deal with active-x using ies4linux.

But it is worse than an uphill battle.

I think the computer industry secretly likes viruses. It employs
security specialists, supports an antimalware industry. Most of all,
though, it benefits hardware manufacturers. By way of illustration, we
just had to replace an otherwise fine computer because the new
antivirus package was slowing it down too much for practical use.
Better viruses sell bigger antivirus packages, and bigger antivirus
packages sell new hardware.

--

Art Alexion
Sent unsigned from iPod

On Jun 22, 2009, at 6:40 PM, "Bob Sherman \(m13\)" <bob.she...@gmail.com

JP Vossen

Jul 22, 2009, 10:24:06 PM
to PANTUG General Discussion (and technical Q&A)
I'm late returning to the party due to vacation, and various other issues...

I admit that Bob makes a very compelling real-world case. I'm going to
try to Devil's Advocate it anyway... :-)


Bob Sherman (m13) wrote:
> We do XP because we do MS-Office. We do MS-Office because that's what the
> company mandates. Therefore, we do Antivirus, Anti-spyware, Anti-phishing,
> Anti-spam, etc. The company has a very large body of data in MS-Office
> formats including Word, Excel, PowerPoint and Access. Across thousands of
> desktops in the company, access to that data is stable and uniform.

"Stable and uniform?" I guess that depends on how you define those
terms. You been getting many .docx files yet? You ever have to copy
all but the last paragraph marker of a Word doc into a blank document or
better yet open a Word doc in OpenOffice to clear out Word's own
corruption? Ever need to access a 10 or 15 year old document, Word or
otherwise?


> Thousands of Employees have spent the last 10 years getting up to speed on
> those applications, and some of those employees are not the sharpest tacks
> in the box. Most of them use XP and Office at home. All employees are
> "policied" into a standard and relatively uniform interface.

Until you are forced to move to Office 2007+, which as we all know is
totally different. I'm really amused that OpenOffice 3.5 is more
"Word-like" than Word 2007...


> The company has mandated that vendors and suppliers conform to the data
> formats the company uses. The vendors and suppliers do conform. They would
> not be happy about changing after having conformed.
>
> The company finds that, literally, thousands of similar companies of the
> same size, by region, and even competitors, are using the same solutions.

Yeah, there is certainly that. I could argue the evils of a
mono-culture, but there are benefits too.


> The customized and proprietary software that the company uses runs on XP and
> Windows servers. That body of data covers thousands of employees and, at
> least, tens of thousands of client/customers.
>
> The company does not uninstall software for desktops. They nuke 'em and
> re-image and update.

That's nice work--if you have the resources to do it. But why is a
'nuke-it-from-orbit-it's-the-only-way-to-be-sure' approach acceptable
or even desirable? Remember who brought us the rather insane concept of
a "preventative reboot...."


> Out of 100 employees, 75 of them work with a computer because they are
> compelled to by "the company." At home, they don't play games. The
> dominant usage of their home computers is email (outlook express), news,
> weather, shopping online, education, and looking up times when local movies
> start. Most of them don't need more than word-pad for anything else. They
> could easily use Linux for these tasks, but they don't. They don't because
> they use Windows at work, because that's what main stream vendors sell, and
> after the initial purchase, their only add-on cost is the all-in-one
> anti-malware solution.

Plus the cost of additional hardware to make it all run acceptably, time
spent maintaining and doing updates that are critically necessary to the
health of the Internet as a whole. Oops, forgot, they don't do that,
and everyone suffers as a result. Except... They shouldn't *have* to
do that either...

Sadly, I have to give you this one. But that is not always so clearly
the case.


> The fact is, nobody concerned is interested in changing anything.

And until we start asking the right questions, nothing will change.


> It doesn't matter if you are right about Linux being more secure than
> Windows. Everybody concerned would rather wait for MS to deliver a more
> secure Windows. And will wait.

I never mentioned Linux in my rant. All I said was we need to ask
better questions about Windows. Why do we put up with that crap from
them? There is no other industry that has such incredibly poor products
and consumer protection. Why? And why can't we fix that?

Read _Geekonomics_ for the book-length treatment of that question. It's
fascinating, and depressing as well.


> Don't shoot the messenger. I'm just reporting what is.
>
> My advice to the slashdot iteration of "Company of 20" is "bite the bullet"
> unless 18 of the 20 are geeks. My guess is that "rduke15" is the only
> resident geek.
>
> Therefore, the "right" question can't be asked. Or it would have already
> been asked.

If that's true then we're all screwed and we might as well give up and
go home. But I don't think it is. The goal of InfoSec, very broadly,
is to become part of the background and disappear because things Just
Work as Expected (which implies they are secure and robust). Obviously
we aren't even close, and it sometimes seems it's getting worse instead
of better. But if we just accept the crappy status-quo and don't ask
the right questions, we'll never improve.

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| http://bashcookbook.com/
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
