Centralising anti-virus protection for business
Few small businesses are completely unprotected, but many will have developed their anti-virus strategies organically, in other words with no organisation at all. If they are using any anti-virus software, they will probably have bought it machine by machine at the point of purchase, or installed it individually. They may not be managing signature updates in a comprehensive
Many anti-virus products now feature multiple security mechanisms folded into a single piece of software, which most companies call an agent. Symantec’s Endpoint Protection Manager features not only anti-virus software, but also anti-spyware, an intrusion prevention system, and a firewall. A central management console for the system can save you time administering all of these functions.
Kaspersky also uses an agent that can be stacked with discrete security modules, such as the anti-virus engine, and manages those agents from a console called the Administration Kit. The console runs on SQL Server, SQL Server Express Edition or MSDE (the last two of which are free). Install the Administration Kit on a suitable server with one of those databases in place, and choose a service account for the console to use; this account must have administrative rights on every client machine that is to be protected. Then download and install the Kaspersky Anti-Virus Business Optimal software and use the quick-start wizard to build a network structure within the Administration Kit: it scans the Windows domain to create a network tree, from which you create the groups that policies will be applied to.
Sophos includes the Sophos Control Center (SCC) with its Small Business Edition offerings. This can be used to install and update three classes of endpoint software: Sophos Anti-Virus, which focuses on malware detection and deletion, Sophos Computer Security, which includes a client firewall, and the Sophos Security Suite, which provides gateway mail protection for Exchange. SCC will administer this software on each client, and download signature updates from the company’s servers for subsequent installation. Client devices are set to check for such updates every ten minutes by default.
Given that many of your customers will be running a Windows-based server infrastructure, it makes sense to use the organisational data that already exists in Active Directory to configure policies for users and client devices, and most security tools support this. McAfee’s administrative console, ePolicy Orchestrator, uses Active Directory for two purposes: to give the console an understanding of the organisational structure, and to maintain an up-to-date record of what exists on the network. It can also be used to create and manage accounts for more than one administrator. Symantec also provides an Active Directory connector, and its console can talk to the directory directly over LDAP on port 389 (or LDAP over SSL on port 636). Prefer the encrypted port whenever the console and the domain controller are not on the same trusted network segment: a plain LDAP simple bind sends the account’s password in clear text.
However, it is possible to configure things more simply by using IP addresses to administer the anti-virus solution. The downside is that management becomes more difficult in volatile networks where client devices come and go. In an economic downturn, where many companies will be using more contractors, that could be a problem.
Not every tool works with Active Directory. F-Secure offers two alternatives for managing its anti-virus agent. The first is a Web-based service designed to be used without any locally installed software or equipment other than the desktop agent. That doesn’t offer Active Directory integration, which is perhaps understandable, but neither does Policy Manager Server, which is the more functional administrative console designed to be run at a customer or consultant site. The company’s justification for this is that “in larger businesses, organisational unit structures can get hugely complex, and most people are simply looking for the ability to turn anti-virus functions on or off”. It would be useful to have the flexibility of Active Directory integration for the medium-sized businesses that you’re likely to be serving, however.
Once you have the management console, before you can use it to administer client-site anti-virus engines for your customers, you still have to deploy them. Because you will often be dealing with a variety of customer devices including laptops that spend long periods out in the field, poorly managed deployment quickly becomes a headache. Most anti-virus vendors offer at the very least a manual installation process using a CD that you can send to users who never come into the office.
There are other, more automated options, too. Kaspersky provides a login script-based installation option for workstations not running its agent. This makes the workstation download and run an MSI package while running its login script. For machines that already have the agent installed and merely require an updated version of the Kaspersky anti-virus engine, a push install option is available. This uses either the Network Agent Transport feature within the firm’s agent platform, or the Windows RPC facility, to get the anti-virus code onto the hard drive. Symantec’s administrative console also allows for RPC-enabled client installation, effectively logging into the remote machine as administrator and telling it to pull an installer package from a central machine.
Having deployed the anti-virus software, ideally you would manage your customer’s devices remotely from your own offices, rather than having to go in and configure policies locally at the customer site. Thankfully, most systems are sophisticated enough to support this in one way or another.
McAfee offers two solutions, depending on the level of sophistication required. ePolicy Orchestrator (EPO) is the more sophisticated, running directly on a Windows server or inside a VMware virtual machine. In addition to basic functions such as reporting and infection management, it lets you manage scanning parameters at a more granular level. EPO stores its data in a SQL Server database.
The client agent uses port 80 to communicate with the management console, and administrative traffic, including policy messages, event logs and virus signatures, is digitally signed and encrypted. Because port 80 is open through almost every firewall, this channel makes it relatively easy to administer clients remotely from your own offices, although the console can equally be installed on the customer’s premises if they prefer; its Web-based interface means administrators can still log in remotely either way.
McAfee’s alternative is the Total Protection Service (TPS). This provides a Web-based management portal hosted on McAfee’s servers that enables you to deal with malware clean up and reporting, all without having to run anything locally. In this scenario, McAfee emails links to each user to be protected by an agent. They click the link, and the agent is installed remotely.
Most of the anti-virus companies that we spoke to use a database to support their administrative consoles, the exception being F-Secure. Its Policy Manager Server (PMS) uses a flat file structure to hold information about the relevant clients, but engineers at the firm maintain that it can easily manage multiple remote customers from a single installation because the product is domain-agnostic. The system also communicates over port 80 (a configurable default), but PMS is designed to be used internally, so the packets exchanged between the administration console and the client agent are cryptographically signed but not encrypted. Signing stops anyone on the path from altering a policy without detection, but it does not stop them reading it, so if you run PMS from your own office for remote customers, carry that traffic inside a VPN rather than across the open Internet. F-Secure also offers its Protection Service, which like McAfee’s TPS is a hosted management portal that you can use to manage your clients’ devices online. Sunbelt’s locally hosted system, designed to be installed on customer sites, uses a Terminal Services session for remote administrative access.
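The difference between the two kinds of channel described above (McAfee’s signed-and-encrypted traffic and F-Secure’s signed-only traffic), as an added example that is not code from either vendor or from this article: a console-to-agent policy message is wrapped first in a signed-only envelope and then in a signed-and-encrypted one, an on-path observer reads each, and an attacker tries to alter the policy in transit. The shared key, the policy contents and the envelope layout are constructed for illustration; the encryption is a CTR-style keystream built from HMAC-SHA256 so that the script needs only the Python standard library (a real implementation would use an AEAD such as AES-GCM, but the property being shown is the same).

```python
"""Signed-only versus signed-and-encrypted console-to-agent traffic.

Added example, not McAfee's or F-Secure's wire format. Both envelopes use
HMAC-SHA256 from the standard library; the "encryption" is a CTR-style
keystream built from HMAC as a PRF so the script runs offline. In production
use an AEAD such as AES-GCM; the property shown here is the same.
"""
import hashlib
import hmac
import json
import os

# Constructed shared secret and policy message (hypothetical values).
SHARED_KEY = b"console-agent-shared-secret"
POLICY = {"agent": "WS-042", "realtime_scan": True, "exclusions": ["C:\\Payroll\\"]}

# Separate MAC and encryption keys derived from the shared secret.
MAC_KEY = hmac.new(SHARED_KEY, b"mac", hashlib.sha256).digest()
ENC_KEY = hmac.new(SHARED_KEY, b"enc", hashlib.sha256).digest()


def _mac(data: bytes) -> str:
    return hmac.new(MAC_KEY, data, hashlib.sha256).hexdigest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(ENC_KEY, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def sign_only(policy: dict) -> dict:
    """Integrity only: readable JSON plus a MAC (the signed-but-not-encrypted model)."""
    body = json.dumps(policy, sort_keys=True).encode()
    return {"body": body, "mac": _mac(body)}


def verify_sign_only(env: dict):
    """Return the policy if the MAC checks out, otherwise None."""
    if not hmac.compare_digest(env["mac"], _mac(env["body"])):
        return None
    return json.loads(env["body"])


def encrypt_and_sign(policy: dict, nonce: bytes = None) -> dict:
    """Encrypt-then-MAC: ciphertext plus a MAC over nonce and ciphertext (the signed-and-encrypted model).
    The nonce must never repeat under the same key; a random 16-byte value is used by default."""
    nonce = os.urandom(16) if nonce is None else nonce
    body = json.dumps(policy, sort_keys=True).encode()
    ct = _xor(body, _keystream(nonce, len(body)))
    return {"nonce": nonce, "ct": ct, "mac": _mac(nonce + ct)}


def verify_and_decrypt(env: dict):
    """Return the policy if the MAC checks out, otherwise None (nothing is decrypted first)."""
    if not hmac.compare_digest(env["mac"], _mac(env["nonce"] + env["ct"])):
        return None
    return json.loads(_xor(env["ct"], _keystream(env["nonce"], len(env["ct"]))))


def on_path_observer(env: dict) -> str:
    """What a packet capture on the port 80 link shows, decoded as text."""
    wire = env["body"] if "body" in env else env["ct"]
    return wire.decode("utf-8", errors="replace")


def tamper(env: dict) -> dict:
    """An on-path attacker turns real-time scanning off in the readable envelope,
    or flips a ciphertext byte in the encrypted one."""
    forged = dict(env)
    if "body" in env:
        forged["body"] = env["body"].replace(b'"realtime_scan": true', b'"realtime_scan": false')
    else:
        ct = bytearray(env["ct"])
        ct[0] ^= 0x01
        forged["ct"] = bytes(ct)
    return forged
```

With the signed-only envelope the observer sees the whole policy, including the exclusion paths, and can only be stopped from changing it; with the encrypted envelope the observer sees ciphertext, and any tampering is rejected before decryption is attempted. That is the practical difference between running each product’s console across the Internet.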
Like it or not, the chances are that even if a system is designed primarily for use inside a firewall, it will have to cope with remote machines at one time or another. With an increasing number of business employees these days using laptops instead of desktops, any anti-virus solution should be able to deal with employees on the road, regardless of whether it is situated at your customer’s office or your own. This is particularly true when it comes to signature updates. If a management console isn’t able to communicate with a laptop at someone’s home, then that laptop should still be able to retrieve virus signatures to keep itself protected.
Symantec’s Endpoint Protection client is location aware, so it knows whether or not it is on a network local to the management server, and the policies set by the administrator, including which source to download updates from, can be switched according to that location.
F-Secure’s agent is designed to download incremental updates, meaning that only new signatures and changes to existing ones are downloaded rather than the whole signature base. This keeps each download to roughly 100KB, which helps to keep bandwidth low, something that matters if you are serving the signatures to your customers out of your own offices, although an occasional bulk download of 2–3MB may still be needed.
However, if you have a hundred client machines at a customer site and they all pull signatures from your management console across the WAN, you could find your bandwidth annoyingly constrained at times (especially if they all do it at once, and if you have more than one customer doing the same thing). A more intelligent alternative is to nominate a client machine at the customer site as a staging machine for the signatures: it downloads each update once from your console and the other clients fetch it locally. F-Secure’s agents support this arrangement.
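The two ideas in the last two paragraphs, incremental updates and a customer-site staging machine, as an added example that is not F-Secure’s or any other vendor’s update protocol: an agent reports the release it holds, the server returns only the releases it is missing, an agent that has fallen further behind than the server’s retained history gets the whole base (the bulk download), and a staging relay fetches each update once over the WAN and serves it to the LAN. The release history, signature entries, window size and byte accounting are all constructed for illustration.

```python
"""Incremental signature updates with a customer-site staging relay.

Added example, not F-Secure's or any other vendor's update protocol. Sizes are
the JSON byte lengths of the constructed data, standing in for bytes on the wire.
"""
import hashlib
import json

HISTORY_WINDOW = 2  # deltas are served to agents at most this many releases behind


def _sigs(start: int, count: int) -> dict:
    """Constructed signature entries: id -> 12 hex chars standing in for a pattern."""
    return {f"sig-{i:04d}": hashlib.sha1(str(i).encode()).hexdigest()[:12]
            for i in range(start, start + count)}


# Constructed release history: a large initial base, then small daily changes.
RELEASES = [
    {"version": 1, "add": _sigs(1, 300), "remove": []},
    {"version": 2, "add": _sigs(301, 5), "remove": []},
    {"version": 3, "add": _sigs(306, 4), "remove": ["sig-0002"]},
    {"version": 4, "add": _sigs(310, 6), "remove": []},
]


def _size(obj) -> int:
    return len(json.dumps(obj, sort_keys=True).encode())


def apply_release(base: dict, rel: dict) -> dict:
    """Apply one release (removals first, then additions) and return the new base."""
    base = {k: v for k, v in base.items() if k not in rel["remove"]}
    base.update(rel["add"])
    return base


class UpdateServer:
    """The console (or vendor server) that hands out updates."""

    def __init__(self, releases):
        self.releases = releases
        self.latest = releases[-1]["version"]

    def full_base(self) -> dict:
        base = {}
        for rel in self.releases:
            base = apply_release(base, rel)
        return base

    def update_for(self, have_version: int) -> dict:
        """Nothing, a delta, or the whole base, depending on how far behind the agent is."""
        if have_version >= self.latest:
            return {"kind": "none", "version": self.latest}
        if have_version < self.latest - HISTORY_WINDOW:
            return {"kind": "full", "version": self.latest, "base": self.full_base()}
        pending = [r for r in self.releases if r["version"] > have_version]
        return {"kind": "delta", "version": self.latest, "releases": pending}


class Agent:
    def __init__(self, version: int = 0, base: dict = None):
        self.version, self.base = version, dict(base or {})

    def apply(self, upd: dict) -> None:
        if upd["kind"] == "full":
            self.base = dict(upd["base"])
        elif upd["kind"] == "delta":
            for rel in upd["releases"]:
                self.base = apply_release(self.base, rel)
        self.version = upd["version"]


class StagingRelay:
    """Customer-site machine: one WAN fetch per distinct request, then serves the LAN."""

    def __init__(self, server: UpdateServer):
        self.server, self.cache, self.wan_bytes = server, {}, 0

    def update_for(self, have_version: int) -> dict:
        if have_version not in self.cache:
            upd = self.server.update_for(have_version)
            self.wan_bytes += _size(upd)
            self.cache[have_version] = upd
        return self.cache[have_version]


def wan_bytes(n_agents: int, have_version: int, staged: bool) -> int:
    """WAN bytes consumed when n_agents all at have_version update, with or without a relay."""
    server = UpdateServer(RELEASES)
    relay = StagingRelay(server)
    total = 0
    for _ in range(n_agents):
        if staged:
            relay.update_for(have_version)
        else:
            total += _size(server.update_for(have_version))
    return relay.wan_bytes if staged else total
```

Run against the constructed history, a hundred agents two releases behind cost a hundred small deltas across the WAN without a relay and exactly one with it, and an agent that has been off the network for longer than the history window receives the whole base and still ends up with the same signature set as its neighbours.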
Finally, consider network access control as an option. Customers will benefit from knowing that unpatched machines will be prevented from connecting to the network. Symantec’s management console comes with built-in protection, and can also be made to work with Microsoft’s own built-in network access protection (NAP). F-Secure’s system needs a Cisco router to access network access control today, but will support NAP in the next version that ships in the spring.
The top-level dashboard in McAfee’s ePolicy Orchestrator (EPO) gives administrators a bird’s-eye view of the state of their client devices and administrative server.
Administrators can set behavioural analysis parameters for client anti-malware deployments using the EPO; for example, allowing or disallowing application buffer overflows.
The same policy can be adjusted in the EPO for servers, too.
Defence in depth
The problem with anti-virus software is that it doesn’t work – at least, not entirely. itexpert knows several security experts who don’t use it at all or at least question its usefulness. With malware techniques such as automated polymorphism (a different code signature with every download) and code obfuscation on the rise, it becomes increasingly difficult to catch all viruses. Defence in depth has been posited as an answer to the problem.
By putting more than one virus engine in an organisation, at different points in the company, it is possible at least to increase your chances of catching malicious software. However, running more than one product on the desktop increases the computational overhead and you are likely to get complaints from users. Instead, using a gateway anti-malware appliance in conjunction with desktop engines applies more computing muscle at different parts of the organisation.
To ensure that users on the road still go through the gateway, set Windows group policy so that their machines tunnel back to your gateway over a VPN with split tunnelling disabled, so that all of their Internet traffic leaves through the appliance’s protection rather than directly from wherever they happen to be connected.
Relying solely on the gateway is dangerous, because your customers’ employees may still insert infected media such as USB keys, so a desktop engine is still advisable. For even better security, you may want to consider a third layer and sign customers up for a hosted scanning service from a company like MessageLabs (now owned by Symantec), or use the email security in an archive service like Mimecast. But as you choose solutions at these three tiers, be sure to check which engines the appliance and the hosted service use: replicating the same engine at different tiers is pointless, since whatever it misses at one tier it will miss at the next. Mix-and-match is the order of the day.
Finally, take advantage of the behavioural analysis functions that all these products support. In addition to conventional signature analysis, they can block software on the strength of suspicious actions, such as writing to certain keys in the Windows registry (the Run keys that launch programs at logon, for instance) or dropping files in key system folders. Management consoles designed to run at local sites, rather than as hosted administration services, will generally provide customisation options that let you set the aggression level of the behavioural analysis; expect to tune it, since a level high enough to catch everything will also block legitimate installers that write to the same places.
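What those behavioural rules amount to, as an added example that is not any vendor’s engine: a small rule set weighted by action (writing a Run key, dropping a file into System32, spawning a command shell), a bonus for processes launched from user-writable folders, an aggression level that sets how much weight it takes before a process is blocked, and an administrator exclusion list that keeps a known installer from being blocked when it writes its own Run key. The events, paths, PIDs, rule weights and thresholds are all constructed for illustration.

```python
"""Behaviour-based blocking rules run over constructed endpoint events.

Added example, not any vendor's engine. Each event is what a file-system,
registry or process hook would report: which process did what to which target.
"""
import fnmatch

# Constructed events (hypothetical paths and PIDs).
EVENTS = [
    {"pid": 1201, "image": "C:\\Users\\ann\\Downloads\\invoice.exe", "action": "reg_set",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"pid": 1201, "image": "C:\\Users\\ann\\Downloads\\invoice.exe", "action": "file_write",
     "target": "C:\\Windows\\System32\\drivers\\updt.sys"},
    {"pid": 1201, "image": "C:\\Users\\ann\\Downloads\\invoice.exe", "action": "proc_create",
     "target": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 880, "image": "C:\\Program Files\\Vendor\\setup.exe", "action": "file_write",
     "target": "C:\\Program Files\\Vendor\\app.dll"},
    {"pid": 880, "image": "C:\\Program Files\\Vendor\\setup.exe", "action": "reg_set",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray"},
    {"pid": 431, "image": "C:\\Windows\\System32\\svchost.exe", "action": "file_write",
     "target": "C:\\Users\\ann\\Documents\\notes.txt"},
]

# (rule name, action, target pattern, weight). Patterns are case-insensitive globs.
RULES = [
    ("run_key_persistence", "reg_set", "*\\currentversion\\run\\*", 3),
    ("system_dir_drop", "file_write", "c:\\windows\\system32\\*", 4),
    ("service_key_write", "reg_set", "hklm\\system\\currentcontrolset\\services\\*", 4),
    ("shell_spawn", "proc_create", "*\\cmd.exe", 2),
]
USER_WRITABLE = ["c:\\users\\*\\downloads\\*", "c:\\users\\*\\appdata\\local\\temp\\*",
                 "c:\\windows\\temp\\*"]
LEVELS = {"low": 8, "medium": 5, "high": 3}  # aggression level -> score needed to block
EXCLUSIONS = ["c:\\program files\\vendor\\setup.exe"]  # administrator's exclusion list


def _match(pattern: str, value: str) -> bool:
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(events, level="medium", exclusions=EXCLUSIONS) -> dict:
    """Score every process in the event stream; return pid -> image, score, rule hits, verdict."""
    threshold = LEVELS[level]
    procs = {}
    for ev in events:
        proc = procs.setdefault(ev["pid"], {"image": ev["image"], "score": 0, "hits": []})
        for name, action, pattern, weight in RULES:
            if ev["action"] == action and _match(pattern, ev["target"]):
                proc["score"] += weight
                proc["hits"].append(name)
    for proc in procs.values():
        # A suspicious action by something launched from a user-writable folder counts for more.
        if proc["hits"] and any(_match(p, proc["image"]) for p in USER_WRITABLE):
            proc["score"] += 2
            proc["hits"].append("image_in_user_writable_dir")
        if any(_match(p, proc["image"]) for p in exclusions):
            proc["verdict"] = "allow (excluded)"
        elif proc["score"] >= threshold:
            proc["verdict"] = "block"
        else:
            proc["verdict"] = "allow"
    return procs
```

At the medium level the downloaded executable is blocked on the combination of persistence, a driver drop and a shell spawn, while the vendor installer is allowed only because it is on the exclusion list: remove that entry and raise the level to high, and the installer’s single Run-key write is enough to block it, which is exactly the false-positive trade-off the aggression setting controls.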