AV management / monitoring best practice and essentials

I am looking into general anti-virus management / monitoring best practices (regardless of vendor). I basically want a checklist, for comparison against what is actually in place, of:

- what our administrators should be alerted on from the AV agent / software installed on any client device,
- what they should be able to produce in terms of compliance reporting for all their managed devices, specific to AV,
- what kinds of issues they should be looking for when reviewing logs/alerts specific to AV on a daily basis.

I will then use these to compare what they can produce from their central AV monitoring console(s) for a sample of devices, or even all devices listed in other information sources such as AD, System Centre or our asset management DB. I presume the 3 basics would be status (on or not), definitions last updated, and last scheduled scan date. Are there any others?

There seems to be an assumption that AV setup/config/management is pretty hard to get wrong, but from some recent health checks for PCI DSS I noted many issues in the findings, such as out-of-date signatures, AV not even running on some devices, etc.
pma111Asked:

ScriptAddictCommented:
I think the big thing is to make sure you are getting enterprise-level stuff. All vendors will have quality stuff if you get their enterprise-level stuff.

We use Kaspersky Endpoint Protection, and it sends me emails about any issues, as well as having a dashboard where I can easily see all useful information at a glance.

I normally check it on Mondays, take a few corrective actions for virus scans that failed over the weekend because people took their devices offline or something like that, check any viruses that have been detected, and take action if needed, and then forget about it until next Monday.
MiamiCoCommented:
Here is what comes to my mind. Some of it is just for a general overview; some parts should be checked on a daily basis.

1. AV software status - AV DB update, client version, AV module status (real-time protection, firewall, HIPS, etc.) - running/not running/turned off.
   - Any problem found by the module status check should be handled ASAP.
2. Policy inconsistencies - if possible.
3. Computer scan results - where infections were found (even if cleaned).
4. Uncleaned infections, boot viruses, and viruses in memory should be reported ASAP as they occur.
5. Report of any new type of virus - if possible. From my observation, there are (mostly) only a few virus "families" running around.
   However, it is good to be informed about anything new that was caught. Weekly/monthly, it is up to you.
6. Computers where AV is not installed. Here it depends on whether you can compare with data from AD or other network devices.

Note: used numbering does not mean importance. That is up to you.

From a configuration point of view:
- a full disk scan after AV installation is a must.
- regular scans are a must.
- daily reporting on non-updated machines (with signature DB version older than a day).
- force AV configuration with everything important defined. Do not leave any important settings in their default installation state, even if it is set to On/Configured/Running.
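The question asks for a way to compare the central AV console against AD or an asset database, and the answer above lists the checks worth running daily (signature age, module status, scan results, unresolved infections, machines with no agent at all). The script below, which is an added example and not part of the original thread or any vendor's product, does that reconciliation over two CSV exports. The column names, thresholds and sample hosts are constructed for the example; real console exports will use different headers and should be mapped accordingly.

```python
"""Reconcile an AV management-console export against an AD computer list
and flag the daily-review items (stale signatures, modules off, failed or
stale scans, unresolved threats, hosts with no agent)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports. Column names are hypothetical; map them to
# whatever the AV console and AD export actually produce.
AD_COMPUTERS_CSV = """name,enabled
WS-001,True
WS-002,True
WS-003,True
WS-004,True
SRV-DB01,True
WS-OLD,False
"""

AV_CONSOLE_CSV = """hostname,agent_running,realtime_protection,signature_date,last_scan,last_scan_result,unresolved_threats
WS-001,yes,on,2024-03-11,2024-03-10,completed,0
WS-002,yes,off,2024-03-11,2024-03-09,completed,0
WS-003,yes,on,2024-03-04,2024-03-03,failed,0
SRV-DB01,no,off,2024-02-20,2024-02-19,completed,2
LAB-PC,yes,on,2024-03-12,2024-03-11,completed,0
"""

# Fixed "now" so the sample is reproducible; use datetime.now() in practice.
NOW = datetime(2024, 3, 12)
MAX_SIGNATURE_AGE = timedelta(days=1)   # signatures older than a day -> report
MAX_SCAN_AGE = timedelta(days=7)        # weekly scheduled scan assumed


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_device(row, now=NOW):
    """Return the list of findings for one AV-console row (empty = compliant)."""
    findings = []
    if row["agent_running"].strip().lower() != "yes":
        findings.append("agent not running")
    if row["realtime_protection"].strip().lower() != "on":
        findings.append("real-time protection off")
    sig_age = now - datetime.strptime(row["signature_date"], "%Y-%m-%d")
    if sig_age > MAX_SIGNATURE_AGE:
        findings.append(f"signatures {sig_age.days} days old")
    scan_age = now - datetime.strptime(row["last_scan"], "%Y-%m-%d")
    if scan_age > MAX_SCAN_AGE:
        findings.append(f"last scan {scan_age.days} days ago")
    if row["last_scan_result"].strip().lower() != "completed":
        findings.append(f"last scan {row['last_scan_result'].strip()}")
    threats = int(row["unresolved_threats"])
    if threats > 0:
        findings.append(f"{threats} unresolved threats")
    return findings


def reconcile(ad_csv, av_csv, now=NOW):
    """Compare enabled AD computers with the AV console inventory.

    Returns a dict with:
      missing_agent         - enabled AD hosts the console has never seen
      unmanaged_in_console  - console hosts not in AD (stale or rogue records)
      findings              - per-host list of problems for hosts in both
    """
    ad_hosts = {r["name"].strip().upper()
                for r in load_csv(ad_csv) if r["enabled"].strip() == "True"}
    av_rows = {r["hostname"].strip().upper(): r for r in load_csv(av_csv)}
    av_hosts = set(av_rows)

    report = {
        "missing_agent": sorted(ad_hosts - av_hosts),
        "unmanaged_in_console": sorted(av_hosts - ad_hosts),
        "findings": {},
    }
    for host in sorted(ad_hosts & av_hosts):
        problems = check_device(av_rows[host], now)
        if problems:
            report["findings"][host] = problems
    return report


if __name__ == "__main__":
    result = reconcile(AD_COMPUTERS_CSV, AV_CONSOLE_CSV)
    print("No AV agent:", result["missing_agent"])
    print("In console but not AD:", result["unmanaged_in_console"])
    for host, problems in result["findings"].items():
        print(f"{host}: {', '.join(problems)}")
```

Disabled AD accounts are skipped so decommissioned machines do not show up as "missing agent"; hosts that appear only in the console are reported separately, since they are either stale records to purge or devices that AD does not know about and should be investigated.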

jimmymcp02Commented:
Symantec Endpoint Protection Manager can do that for you. They have a cloud solution now, so you don't have to have a server running the manager on premises.

You can build and schedule custom reports like the ones you are looking for.
There are tons of options available in the manager. I have been using them for many years and I like the reporting for PCI DSS compliance.