Single versus Multiple Engine Antivirus

Without naming, for last two days, we are spending nights in office, manually cleaning over 1500 PCs for the Sality variant was not caught by our Antivirus and Level 2 support from the principal was worthless. Needless to say, the guys fare in the leaders quadrant of Gartner. A standalone utility by kaspersky came to the rescue though I am beginning to feel if the russian link exists here, for the virus tries to establish http connections in Russia.

Now, I am wondering, what should be the strategy behind choosing an antovirus solution? Should we look at Microsoft FCS for it claims to have multiple engines built into it? By the way, I read reports that various Forefront client customers too suffered from this Sality outbreak.

Something like GFI, which too claims to have various antivirus engines built into it?

Though we use combination of two solutions, differing at the mail gateway box but same for desktops and servers. What do you guys suggest!! It's been a real nightmare this time!!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

With 1500 machines infected, you made conceptional mistakes. Please tell us how that could have happened in the first place. Sality is a file infector, isn't it? How did it spread?
I am asking because I think single/multiple engines is a question far less important than that,
SwiftAuthor Commented:
Shares got infected and hence did the files. Windows based filers had files infected with 'Mcafee' installed, detecting but unable to clean. Even after it cleaned, re-scan showed the infections again.

Spread was by the users connecting to this filer, uploading downloading files while on-access scanner on these machines was unable to provide required protection.

Conceptual mistakes might consist of some antivirus machines not updating their dat files, some users having local full admin rights and or opening their folder shares to 'everyone' with full access or bringing in infected USBs while 'on access' scanner unable to provide protection.....what else???
This is a known version of malware that any major AV solution will protect against.

With 1,500 hosts, surely you are using ePO to manage the McAfee installations, right?
For networks your size, McAfee/ePO was the only product I found to be effective from a system management & protection standpoint.

If you are running the report function, you can pinpoint any host that does not have current DAT files and either force an update or run down the computer and get it off-line before it does any damage.

If you aren't running the reports (several times dailly), then you will never know your level of protection and will be continually surprised by the infections that crop up.

Also, as long as you let your users have admin rights on their computers, you are going to have infections.

At first glance, it appears as though you need a full-blown security audit.

If you add up the cost (in labor hours) of trying to recover from this outbreak, you should be able to convince your bosses that it is time to spend the money to put together a comprehensive plan (applications and equipment) for your entire network.
I generally agree with the above.  ePO is quite good at reporting what your protection state is.  Ideally you need 80%up to date to provide 'heard immunity' so that any infection can't spread too far as most clients are protected.

I'd try to remove unsecure shares form PCs as these are a virus's friend.  Get rid of local admins as best as you can. I understand there are usually users who need admin rights, such as laptop users who need to add printers/software as they go out and about.

Ensure your repository is up to date with the latest DAT files (now updated every day, even weekends)

I also use a McAfee Secure Internet Gateway to help keep attacks away from my network.

Do you use the 'Access Protection' feature in McAfee?  It is a bit of a pain at first as you add exe's to the allowed list, but it is good at preventing unwanted programs from getting to the network.  It even stops google earth from reducing productivity ;-)  Look at the Common Maximum Protection section and Prevent HTTP communication list.  you can also use the Outbreak control to make all shares read only.  Good thing to apply to PCs while you're fixing an outbreak as it limits the chance of reinfection.

Do you have any superagents?  These are good for spreading updates to your clients, very worthwhile with your size network.

Hope this is helpful with your current problems.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.