Budget Justification for purchasing AntiMalware product

Thomas Zucker-Scharff, Senior Data Analyst
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
Originally, I wrote this up as an internal Budget justification in order to get my boss to get a different kind of malware protection than the college offers for free (Symantec).  It is specifically aimed at promoting the CES (Comodo Endpoint Solution/Security) software, but it can be modified to use with any software.

Feel free to use as you wish.  I have attached the original word document as well as included it here.  Please note that portions (the bullet points) are from a Techtarget techguide (also attached).  Good luck!

Budget Justification for purchase of new Endpoint Protection

For a variety of reasons the solution offered for free by the school, Symantec Endpoint Protection (SEP), is not a viable option if the aim is to protect our computers from intrusive malicious attacks. These incursions are now a daily problem.  Why is SEP inadequate to this task?

SEP primarily relies on virus definitions that update approximately once a day.  If the malware that attacks a specific computer is not yet contained in the virus definitions (adding it generally takes up to 5 days from the first computer it infects; until then it is known as a zero-day infection), then SEP will most likely not recognize it as malware and the computer will become infected.

Additionally, SEP uses a significant amount of system resources, thereby slowing down any computer on which it is running.  We tend to notice this less on newer systems because they run much faster to begin with.  The slowdown is due to the following:

SEP downloads updates only once per day, so each definition update is larger and therefore takes longer to download, which in turn consumes more system resources.  This can be alleviated by scheduling SEP to download at a time when the computer is not in use, but that requires the computer to be on during that time.

Another problem is that the way SEP keeps previous definition downloads available for rollback requires a significant amount of disk space, as do the logs it keeps.  This can be somewhat alleviated by changing the SEP options to keep fewer fallback points and to delete log files sooner, but doing so reduces the efficiency of the service SEP provides.

The security community has found in general that SEP, although not the worst option for endpoint security, is far from the best way to protect a computer.
According to a 2012 Sophos report, 85% of all malware (viruses, worms, spyware, adware and Trojans) comes from the Web; drive-by downloads are considered to be the largest Web threat.
Sophos also reports that 30,000 websites are infected daily; 80% are legitimate sites that have been hacked so that cybercriminals can use them to host malicious code.
Content Agnostic Malware Protection (CAMP), a malware-detection component that Google Inc. built into its Chrome Web browser earlier this year, was able to detect more than 5 million malware downloads per month. CAMP detected malware at a rate of 99%.
Source: Malware-defense-revisited--How-t.pdf (Malware Defense Revisited: How to improve your web-based malware detection)
My tests have shown that the Comodo Endpoint Solution (CES) software not only detects and removes significantly more zero-day malware (~98%) than SEP (figures echoed by online antivirus comparative sites), it also takes up fewer resources (more frequent downloads of definition files, so each download is smaller) and in so doing does NOT affect the speed of the computer as SEP does. More significantly, CES finds more potential problems – true backdoors and Trojans – than SEP and several other similar pieces of software.  When installing CES on a system that has been protected by SEP or Vipre for Business (the previous endpoint solution we used), CES found and sandboxed or quarantined a significant number of infections that the other software had missed.  CES uses another component on the management side to assure that applications running on the endpoints have not been compromised; it is called application whitelisting (AWL).  AWL assumes the following:
Only malware changes programs without IT knowledge. Malware needs to modify executable programs to launch attacks and survive reboot cycles on the endpoint. A pragmatic alternative to scanning for malware is to detect changes to programs that are not associated with patches or software upgrades.
Identifying compliant configurations is easier than identifying malware. Through the first three quarters of 2010, McAfee Labs identified more than 14 million unique pieces of malware, a rate of more than 60,000 new infections per day, continuing the trend of year-over-year growth in malware. Intuitively, checking a list of valid software configurations in real time is a smaller problem to solve than checking files for traces of malware.
The concept of trusted sources, fueled by feeds from software vendors, simplifies management of compliant configurations. Platform vendors, especially Microsoft, automatically supply application whitelisting vendors with detailed information on the files contained in released software products.  This relieves IT of the burden of having to figure out what is legitimate system software so it can focus on defining approved custom applications.
Source: Application-whitelisting--an-ext.pdf (Application Whitelisting whitepaper from TechTarget)
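To make the three AWL assumptions above concrete, here is a small Python illustration written for this page; it is not Comodo's code and not taken from the TechTarget paper. It takes a SHA-256 baseline of the executables under a directory, then re-checks the directory and reports only the changes that neither a vendor "trusted sources" feed (assumed here to be a set of published hashes for patched files) nor IT's own list of approved custom applications can explain. The directory layout, file contents, hash feed and approved list are all constructed inside the script so it runs offline.

```python
"""
Added example: application-whitelisting style change detection.
Assumptions (not from the article): executables are identified by suffix,
a vendor patch feed is modelled as a set of SHA-256 digests, and IT approval
is modelled as a set of relative paths.  All sample files are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as "programs" for the purpose of the check (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each executable's path (relative to root, POSIX form) to its digest."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def check_endpoint(root, baseline, trusted_hashes, approved_custom):
    """
    Compare the current state of root against the baseline.

    A file whose current digest appears in the vendor feed (trusted_hashes)
    or whose path is in approved_custom is compliant and is not reported.
    Everything else is an unexplained change, split into three buckets.
    """
    current = build_baseline(root)
    findings = {"modified": [], "new": [], "missing": []}
    for rel, digest in current.items():
        if digest in trusted_hashes or rel in approved_custom:
            continue  # explained by a patch feed entry or IT approval
        if rel not in baseline:
            findings["new"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    for rel in baseline:
        if rel not in current:
            findings["missing"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Constructed scenario: one vendor patch, one approved upgrade, two unexplained changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "System32" / "kernel.dll").write_bytes(b"vendor build 1")
        (root / "app.exe").write_bytes(b"custom app v1")
        (root / "helper.exe").write_bytes(b"helper v1")
        (root / "notes.txt").write_bytes(b"not an executable; ignored")
        baseline = build_baseline(root)

        # Vendor patch: the vendor feed publishes the digest of the new build.
        (root / "System32" / "kernel.dll").write_bytes(b"vendor build 2")
        trusted = {hashlib.sha256(b"vendor build 2").hexdigest()}
        # IT-approved upgrade of an in-house application.
        (root / "app.exe").write_bytes(b"custom app v2")
        approved = {"app.exe"}
        # Unexplained change to an existing program (nobody in IT approved it).
        (root / "helper.exe").write_bytes(b"helper v1 plus unexpected bytes")
        # A program that was never in the baseline appears.
        (root / "dropped.exe").write_bytes(b"unknown binary")

        return check_endpoint(root, baseline, trusted, approved)


if __name__ == "__main__":
    print(demo())
```

Only `helper.exe` (modified) and `dropped.exe` (new) are reported; the patched DLL and the approved upgrade are silent. This is the point of the "trusted sources" assumption: the volume of legitimate change is absorbed by vendor feeds, so IT only has to maintain the short approved list and investigate what remains.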
Thinking ahead is important.  In our endeavor to prevent future data loss, we bought a 2-drive-bay system from govconnection.com, made by StarTech.  This purchase was essential in recovering data that would otherwise have been lost, and without it the recent paper from XXXX's lab, now in the process of publication, would at least have been delayed.

Finally, the decision is not about which software best protects a given endpoint, but rather about how many work hours will be lost to a preventable infection. This comes down to the cost of lost time per person while they cannot use their computer to work, plus the cost of the time spent by the person fixing that computer, time that could have been used in other endeavors. Although CES requires more setup time and more maintenance (since it is a managed solution: each endpoint reports its condition back to a central console, which must be monitored), in the end there is an overall savings of time, since infections occur significantly less often, which means significantly less time is required to remediate them.

My recommendation is to purchase 25 licenses of the CES software at $17.55/seat for 1 year ($15.80/seat for 2 years, $14.04/seat for 3 years).  The multi-year licenses, although they cost less on a per-seat basis (with a larger initial outlay), will lock us into this software and its technology.  This is not advantageous, as we have learned from the problems ITS is having because it is locked into a 3-year contract with Symantec for Symantec Endpoint Protection (SEP).