Single versus Multiple Engine Antivirus

Posted on 2008-11-18
Last Modified: 2013-12-04
Without naming names, for the last two days we have been spending nights in the office, manually cleaning over 1500 PCs for a Sality variant that was not caught by our antivirus, and Level 2 support from the principal was worthless. Needless to say, these guys sit in the leaders quadrant of Gartner. A standalone utility by Kaspersky came to the rescue, though I am beginning to wonder whether a Russian link exists here, for the virus tries to establish HTTP connections to Russia.

Now I am wondering: what should be the strategy behind choosing an antivirus solution? Should we look at Microsoft FCS, since it claims to have multiple engines built into it? By the way, I read reports that various Forefront client customers also suffered from this Sality outbreak.

Or something like GFI, which also claims to have various antivirus engines built into it?

We do use a combination of two solutions, differing at the mail gateway box but the same for desktops and servers. What do you guys suggest? It's been a real nightmare this time!
Question by: fahim
    LVL 52

    Expert Comment

    With 1500 machines infected, you made conceptual mistakes. Please tell us how that could have happened in the first place. Sality is a file infector, isn't it? How did it spread?
    I am asking because I think single versus multiple engines is a question far less important than that.

    Author Comment

    Shares got infected and hence so did the files. Windows-based filers had files infected with McAfee installed, detecting but unable to clean. Even after it cleaned, a re-scan showed the infections again.

    Spread was by the users connecting to this filer, uploading and downloading files, while the on-access scanner on these machines was unable to provide the required protection.

    Conceptual mistakes might consist of some antivirus machines not updating their DAT files, some users having local full admin rights and/or opening their folder shares to 'Everyone' with full access, or bringing in infected USB sticks while the on-access scanner was unable to provide protection... what else?
    LVL 38

    Assisted Solution

    This is a known version of malware that any major AV solution will protect against.

    With 1,500 hosts, surely you are using ePO to manage the McAfee installations, right?
    For networks your size, McAfee/ePO was the only product I found to be effective from a system management & protection standpoint.

    If you are running the report function, you can pinpoint any host that does not have current DAT files and either force an update or run down the computer and get it off-line before it does any damage.

    If you aren't running the reports (several times daily), then you will never know your level of protection and will be continually surprised by the infections that crop up.

    Also, as long as you let your users have admin rights on their computers, you are going to have infections.

    At first glance, it appears as though you need a full-blown security audit.

    If you add up the cost (in labor hours) of trying to recover from this outbreak, you should be able to convince your bosses that it is time to spend the money to put together a comprehensive plan (applications and equipment) for your entire network.
    LVL 6

    Accepted Solution

    I generally agree with the above. ePO is quite good at reporting what your protection state is. Ideally you need 80% up to date to provide 'herd immunity', so that any infection can't spread too far as most clients are protected.

    I'd try to remove insecure shares from PCs as these are a virus's friend. Get rid of local admins as best as you can. I understand there are usually users who need admin rights, such as laptop users who need to add printers/software as they go out and about.

    Ensure your repository is up to date with the latest DAT files (now updated every day, even weekends).

    I also use a McAfee Secure Internet Gateway to help keep attacks away from my network.

    Do you use the 'Access Protection' feature in McAfee? It is a bit of a pain at first as you add EXEs to the allowed list, but it is good at preventing unwanted programs from getting to the network. It even stops Google Earth from reducing productivity ;-) Look at the Common Maximum Protection section and the Prevent HTTP communication list. You can also use the Outbreak Control to make all shares read-only. Good thing to apply to PCs while you're fixing an outbreak, as it limits the chance of reinfection.

    Do you have any superagents?  These are good for spreading updates to your clients, very worthwhile with your size network.

    Hope this is helpful with your current problems.
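Both answers above turn on the same operational check: the Assisted Solution says to run the DAT report and pinpoint any host that is not current so it can be force-updated or taken off-line, and the Accepted Solution adds the rule of thumb that roughly 80% of hosts need to be current for herd immunity. The script below is an added example, not code from this thread and not McAfee or ePO code: it takes a constructed CSV export (hostname, DAT version, DAT date, last agent contact) standing in for whatever your console produces, classifies each host as current, stale or silent, computes fleet coverage against the 80% target, and emits a worst-first action list. The thresholds (a host may lag the newest DAT by two releases, an agent is "silent" after three days without contact) are assumptions you would tune to your own update cadence.

```python
"""Audit an antivirus DAT-currency export for coverage gaps.

Added example, not code from the original thread or from McAfee/ePO.
The CSV below is constructed: host names and DAT numbers are invented.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export (columns are assumed, not a real ePO schema).
SAMPLE_REPORT = """hostname,dat_version,dat_date,last_contact
WS-0001,5441,2008-11-18,2008-11-18
WS-0002,5440,2008-11-17,2008-11-18
WS-0003,5390,2008-09-05,2008-11-18
WS-0004,5441,2008-11-18,2008-11-10
FS-FILER1,5100,2008-03-02,2008-11-18
"""

# The accepted answer's rule of thumb: about 80% of hosts current for herd immunity.
HERD_IMMUNITY_TARGET = 0.80


@dataclass
class HostStatus:
    hostname: str
    dat_version: int
    dat_age_days: int
    stale_dat: bool   # DAT lags the newest release by more than the allowed margin
    silent: bool      # agent has not checked in recently, so its state is unknown

    @property
    def protected(self) -> bool:
        # A silent agent cannot be counted as protected, whatever its last report said.
        return not (self.stale_dat or self.silent)


def parse_report(text: str) -> list:
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": r["hostname"],
            "dat_version": int(r["dat_version"]),
            "dat_date": date.fromisoformat(r["dat_date"]),
            "last_contact": date.fromisoformat(r["last_contact"]),
        })
    return rows


def assess(rows, newest_dat: int, today: date,
           max_dat_lag: int = 2, max_silent_days: int = 3) -> list:
    """Classify every host against the newest DAT and the check-in window."""
    out = []
    for r in rows:
        out.append(HostStatus(
            hostname=r["hostname"],
            dat_version=r["dat_version"],
            dat_age_days=(today - r["dat_date"]).days,
            stale_dat=r["dat_version"] < newest_dat - max_dat_lag,
            silent=(today - r["last_contact"]).days > max_silent_days,
        ))
    return out


def coverage(statuses) -> float:
    """Fraction of the fleet that is demonstrably current (0.0 for an empty fleet)."""
    if not statuses:
        return 0.0
    return sum(1 for s in statuses if s.protected) / len(statuses)


def triage(statuses) -> list:
    """Hosts to force-update or pull off the network, oldest DAT first.

    Silent agents follow the stale ones: they may be fine, but must be verified.
    """
    stale = sorted((s for s in statuses if s.stale_dat),
                   key=lambda s: s.dat_age_days, reverse=True)
    silent = [s for s in statuses if s.silent and not s.stale_dat]
    return [s.hostname for s in stale + silent]


def run(text: str = SAMPLE_REPORT, newest_dat: int = 5441,
        today: date = date(2008, 11, 18)) -> dict:
    """Assess an export and summarise coverage against the herd-immunity target."""
    statuses = assess(parse_report(text), newest_dat, today)
    cov = coverage(statuses)
    return {
        "statuses": statuses,
        "coverage": cov,
        "meets_target": cov >= HERD_IMMUNITY_TARGET,
        "action_list": triage(statuses),
    }


if __name__ == "__main__":
    result = run()
    print(f"fleet coverage: {result['coverage']:.0%} "
          f"(target {HERD_IMMUNITY_TARGET:.0%}, met: {result['meets_target']})")
    for host in result["action_list"]:
        print("  needs attention:", host)
```

On the constructed sample the fleet is 40% current, well under the 80% target, and the action list starts with the filer whose DAT is months old: exactly the host the thread identifies as the reinfection source. Treating a silent agent as unprotected is deliberate; a host that stopped reporting is the one most likely to be off the update schedule, and counting it as covered would overstate your protection.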
