Single versus Multiple Engine Antivirus

Posted on 2008-11-18
Medium Priority
Last Modified: 2013-12-04
Without naming names, for the last two days we have been spending nights in the office, manually cleaning over 1500 PCs for a Sality variant that was not caught by our antivirus, and Level 2 support from the principal was worthless. Needless to say, the guys fare in the leaders quadrant of Gartner. A standalone utility by Kaspersky came to the rescue, though I am beginning to wonder if the Russian link exists here, for the virus tries to establish HTTP connections to Russia.

Now, I am wondering, what should be the strategy behind choosing an antivirus solution? Should we look at Microsoft FCS, for it claims to have multiple engines built into it? By the way, I read reports that various Forefront client customers too suffered from this Sality outbreak.

Something like GFI, which too claims to have various antivirus engines built into it?

Though we use combination of two solutions, differing at the mail gateway box but same for desktops and servers. What do you guys suggest!! It's been a real nightmare this time!!
Question by:fahim

Expert Comment

ID: 22989690
With 1500 machines infected, you made conceptual mistakes. Please tell us how that could have happened in the first place. Sality is a file infector, isn't it? How did it spread?
I am asking because I think single/multiple engines is a question far less important than that.

Author Comment

ID: 22992795
Shares got infected and hence so did the files. Windows-based filers had files infected with McAfee installed, detecting but unable to clean. Even after it cleaned, a re-scan showed the infections again.

Spread was by the users connecting to this filer, uploading downloading files while on-access scanner on these machines was unable to provide required protection.

Conceptual mistakes might consist of some antivirus machines not updating their DAT files, some users having local full admin rights and/or opening their folder shares to 'Everyone' with full access, or bringing in infected USBs while the on-access scanner was unable to provide protection... what else???

Assisted Solution

younghv earned 800 total points
ID: 22993479
This is a known version of malware that any major AV solution will protect against.

With 1,500 hosts, surely you are using ePO to manage the McAfee installations, right?
For networks your size, McAfee/ePO was the only product I found to be effective from a system management & protection standpoint.

If you are running the report function, you can pinpoint any host that does not have current DAT files and either force an update or run down the computer and get it off-line before it does any damage.

If you aren't running the reports (several times daily), then you will never know your level of protection and will be continually surprised by the infections that crop up.

Also, as long as you let your users have admin rights on their computers, you are going to have infections.

At first glance, it appears as though you need a full-blown security audit.

If you add up the cost (in labor hours) of trying to recover from this outbreak, you should be able to convince your bosses that it is time to spend the money to put together a comprehensive plan (applications and equipment) for your entire network.

Accepted Solution

acmp earned 1200 total points
ID: 23002579
I generally agree with the above. ePO is quite good at reporting what your protection state is. Ideally you need 80% up to date to provide 'herd immunity' so that any infection can't spread too far, as most clients are protected.

I'd try to remove unsecured shares from PCs as these are a virus's friend. Get rid of local admins as best as you can. I understand there are usually users who need admin rights, such as laptop users who need to add printers/software as they go out and about.

Ensure your repository is up to date with the latest DAT files (now updated every day, even weekends)

I also use a McAfee Secure Internet Gateway to help keep attacks away from my network.

Do you use the 'Access Protection' feature in McAfee? It is a bit of a pain at first as you add exes to the allowed list, but it is good at preventing unwanted programs from getting to the network. It even stops Google Earth from reducing productivity ;-) Look at the Common Maximum Protection section and the Prevent HTTP communication list. You can also use the Outbreak control to make all shares read only. Good thing to apply to PCs while you're fixing an outbreak as it limits the chance of reinfection.

Do you have any superagents?  These are good for spreading updates to your clients, very worthwhile with your size network.

Hope this is helpful with your current problems.
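The accepted answer's point about running the DAT-currency report and aiming for 80% coverage, as an added example that is not part of the original thread: a small script that reads a constructed endpoint export (hostname, DAT version, last update date; the column layout is an assumption, not real ePO output), flags hosts whose DAT lags the repository or whose last update is too old, and checks the fleet against the 80% threshold.

```python
from datetime import date, timedelta

# Constructed sample export of endpoint state (not real ePO output; the
# columns are assumed for this example). Dates match the thread's timeframe.
SAMPLE_REPORT = """\
host,dat_version,last_update
ws-001,5437,2008-11-17
ws-002,5437,2008-11-18
ws-003,5420,2008-10-30
fs-01,5437,2008-11-18
lt-007,5398,2008-10-02
ws-004,5436,2008-11-16
ws-005,5437,2008-11-18
ws-006,5430,2008-11-10
ws-007,5437,2008-11-17
ws-008,5437,2008-11-18
"""

HERD_IMMUNITY_PCT = 80.0  # coverage target quoted in the accepted answer


def parse_report(text):
    """Return (host, dat_version, last_update) tuples, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        host, dat, last = line.split(",")
        rows.append((host, int(dat), date.fromisoformat(last)))
    return rows


def stale_hosts(rows, current_dat, today, max_dat_lag=1, max_age_days=3):
    """Hosts more than max_dat_lag DATs behind the repository, or not
    updated within max_age_days: these are the ones to force-update or
    pull off the network before they spread anything."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(h for h, dat, last in rows
                  if dat < current_dat - max_dat_lag or last < cutoff)


def coverage(rows, current_dat, today):
    """Percentage of hosts current, whether the 80% target is met, and the
    stale host list for follow-up."""
    stale = stale_hosts(rows, current_dat, today)
    pct = 100.0 * (len(rows) - len(stale)) / len(rows)
    return pct, pct >= HERD_IMMUNITY_PCT, stale


if __name__ == "__main__":
    pct, ok, stale = coverage(parse_report(SAMPLE_REPORT), 5437, date(2008, 11, 18))
    print(f"{pct:.0f}% current, target met: {ok}, stale: {stale}")
```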
