Managing the Virus Threat

Like any good security manager, Phill Bakker can't be too careful. As senior security architect at eHealthDirect Inc., a Lexington, Mass.-based health care application service provider, he's responsible for safeguarding sensitive health care claims data. Like many security professionals, he uses antivirus products from several vendors to be sure he always gets the latest virus patches and descriptions.

His problem, though, is making sure all of the updates from all of the vendors are distributed at the right time to the more than 150 workstations and approximately 50 servers on his network. He and one staff member must do much of that work manually, which chews up time and can lead to errors. "There are a dozen or more companies manufacturing antivirus-type products. It would be really nice to see all of those companies get together and have a common console" to help manage the update process, says Bakker.

But until antivirus vendors release such a tool, security administrators must rely on a hodgepodge of update tools, manual procedures and a "defense in depth" strategy that extends scanning to servers, such as those that handle e-mail, in hopes of catching viruses before they hit the desktop.

Most antivirus tools today work by scanning for specific known viruses, looking for "signatures" such as particular file names or certain types of e-mail attachments. But with as many as a dozen major vendors issuing regular signature updates, keeping hundreds of desktops and servers up-to-date can be more work than busy support staffs can handle. And some antivirus products also require updates for the engine that scans for viruses.

My Kingdom for a Console

IT managers say they want antivirus management tools that can:

Coordinate and manage antivirus updates from multiple vendors.

Monitor client and server hardware for current antivirus definitions and provide reports to security managers.

Coordinate, schedule and quarantine updates automatically until they're checked for safety.

Provide alerts when new antivirus definitions are released, and take preventive measures (such as blocking certain e-mail attachment types) while waiting for vendors to release virus patches.

Jesper Johansson, an assistant professor of information systems at Boston University, cites one major company, which he declined to identify, whose PCs' virus lists haven't been updated since the machines were deployed 18 months ago.

According to John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., "At Gartner, we're declaring signature-based antiviral [protection] at the desktop to be dead. It's providing near-zero value today, mainly because of the lag in updating the signatures."

Updating is easier on servers because there are fewer of them than there are desktops or notebooks, and servers spend more time linked to the Web, where they can capture virus updates distributed by vendors. But security managers must still make sure every system has the proper updates to protect their companies from hackers.

Sean Mahon, manager of security at an East Coast financial services firm, estimates that he's able to keep 97% of his Windows-based systems up-to-date with the latest virus definitions from Symantec Corp. in Cupertino, Calif. "I want to bring it up to 99.9999%," he says, adding that he wants to automate the update process to stop virus attacks more quickly.
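The reporting step the sidebar asks for, and the kind of coverage figure Mahon quotes, can be produced from a simple per-host inventory. The script below is an added example written for this article, not a tool from any vendor or manager named here; the inventory, host names, vendors, dates and the seven-day freshness threshold are all constructed for illustration.

```python
from datetime import date

# Constructed per-host inventory: the sort of data a log-in script or each
# vendor's console could report back. Hosts, vendors and dates are made up.
AS_OF = date(2001, 6, 4)

INVENTORY = [
    {"host": "ws-001", "role": "workstation", "vendor": "Symantec", "defs_date": date(2001, 6, 1)},
    {"host": "ws-002", "role": "workstation", "vendor": "McAfee", "defs_date": date(2001, 5, 20)},
    {"host": "ws-003", "role": "workstation", "vendor": "Symantec", "defs_date": None},  # never reported in
    {"host": "ws-004", "role": "workstation", "vendor": "Trend Micro", "defs_date": date(2001, 6, 3)},
    {"host": "srv-mail", "role": "server", "vendor": "McAfee", "defs_date": date(2001, 6, 4)},
    {"host": "srv-file", "role": "server", "vendor": "Symantec", "defs_date": date(2000, 12, 1)},
]


def definition_age_days(entry, as_of):
    """Days since the host's definitions were issued; None when the host never reported."""
    d = entry["defs_date"]
    return None if d is None else (as_of - d).days


def is_current(entry, as_of, max_age_days):
    """A host counts as current only if it reported a date within the allowed age."""
    age = definition_age_days(entry, as_of)
    return age is not None and age <= max_age_days


def _pct(n, d):
    return round(100.0 * n / d, 1) if d else 0.0


def compliance_report(inventory, as_of=AS_OF, max_age_days=7):
    """Summarise definition currency overall, per vendor and per role, and list stale hosts."""
    by_vendor, by_role, stale, current = {}, {}, [], 0
    for e in inventory:
        ok = is_current(e, as_of, max_age_days)
        current += 1 if ok else 0
        for table, key in ((by_vendor, e["vendor"]), (by_role, e["role"])):
            counts = table.setdefault(key, [0, 0])  # [total, current]
            counts[0] += 1
            counts[1] += 1 if ok else 0
        if not ok:
            stale.append((e["host"], definition_age_days(e, as_of)))
    # Hosts that never reported sort first, then the oldest definitions.
    stale.sort(key=lambda hs: (hs[1] is not None, -(hs[1] or 0)))
    return {
        "as_of": as_of.isoformat(),
        "max_age_days": max_age_days,
        "total": len(inventory),
        "current": current,
        "compliance_pct": _pct(current, len(inventory)),
        "by_vendor": {k: _pct(v[1], v[0]) for k, v in by_vendor.items()},
        "by_role": {k: _pct(v[1], v[0]) for k, v in by_role.items()},
        "stale_hosts": stale,
    }


def format_report(report):
    """Render the summary as plain lines for a daily e-mail to the security manager."""
    lines = [f"Definition currency as of {report['as_of']} (max age {report['max_age_days']} days)",
             f"  {report['current']}/{report['total']} hosts current ({report['compliance_pct']}%)"]
    lines += [f"  vendor {v}: {p}%" for v, p in sorted(report["by_vendor"].items())]
    lines += [f"  role {r}: {p}%" for r, p in sorted(report["by_role"].items())]
    for host, age in report["stale_hosts"]:
        lines.append(f"  STALE {host}: " + ("never reported" if age is None else f"{age} days old"))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(compliance_report(INVENTORY))))
```

Hosts that never report are listed ahead of merely old ones, because a silent host is the case the 18-month-old PCs mentioned above fall into: nothing on the console says it is stale unless the report treats "no data" as non-compliant.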

Rising Threat

The need for up-to-date virus protection is greater than ever before, say security managers and analysts, because of the increasing importance of e-commerce and e-mail, which expose corporate systems to more hackers.

Some newer viruses can infect systems running Microsoft Corp.'s Outlook and Outlook Express e-mail clients when a user first opens an infected e-mail, unlike earlier viruses that required users to open attachments, says Brett Eldridge, co-founder of OneSecure Inc., a Denver-based firm that builds and manages secure networks. Microsoft has issued a patch against such attacks, he says, but "you have to distribute that patch to all your users," including those who aren't linked to the corporate network.

Buying and distributing updates from multiple vendors may be a headache, but it's crucial that you get the fix for any future virus as soon as it becomes available. "I can't rely on just one manufacturer," because it's impossible to know which vendor might come out with the solution to the next Melissa virus fastest, says Bakker.

With all this manual work, it's no wonder security administrators long for a single tool that would let them schedule virus updates, coordinate their rollout and confirm when they've been completed.

Several leading antivirus vendors say they have no plans to develop such a cross-platform console. "There is no need for multivendor antivirus" protection, because the major antivirus vendors issue patches for new viruses "within a couple of hours of each other," says Gary Ulaner, group product manager for Symantec's Norton AntiVirus Corporate Edition. Besides, he adds, any vendor that built such a console "would be basically admitting that their full complement of products is not a good approach."

However, McAfee, the antivirus division of Santa Clara, Calif.-based Network Associates Inc., plans to take the first step toward such a console, with the expected release of Version 2.0 of its ePolicy Orchestrator this month, says product marketing manager Ryan McGee. It will provide a networkwide view of which client machines are protected not only by McAfee but also by Symantec and Cupertino, Calif.-based Trend Micro Inc., he says, with future releases possibly adding the ability to monitor servers and other devices to determine if they have updated virus descriptions. But producing a console that could actually manage tools from multiple vendors would require closer cooperation among antivirus vendors than exists now, McGee says.

Making Do

In the meantime, security managers are using a mix of vendor-specific update tools, manual processes and some third-party software to perform virus updates. One method is to download the latest antivirus definitions as part of the user's log-in to the network.

Andy Benson, network manager at Schwartz Communications Inc., runs the Norton AntiVirus product for NetWare and for Windows NT at the Waltham, Mass.-based public relations agency. Every Monday, he makes the download of any available virus updates an optional part of the log-in process for his 200 users, which he estimates keeps 90% of his client systems updated. While the updates take too long for most remote users, he says, those systems are usually updated when a user returns to the office.

For each antivirus product, security managers can use the management console included within the products, such as the Symantec System Center central management console and McAfee's ePolicy Orchestrator. Companies running Microsoft Corp.'s Systems Management Server (SMS) can use software distribution tools written for SMS, such as Cognet 3.5 from Cognet Corp. in Valhalla, N.Y. Mahon uses both an update written into the log-in script and the Cognet tool to distribute virus definitions to his users.

Another option, says Eldridge, is Mountain View, Calif.-based Marimba Inc.'s change management tools based on its Castanet and Timbale content distribution technology.

Developing a Strategy

Until someone discovers the Holy Grail of antivirus management, analysts and security managers recommend making antivirus updates as easy as possible for users by creating a defense that doesn't rely only on desktop antivirus updates, along with fine-tuning your procedures for finding and stopping virus outbreaks. This approach requires "putting in multiple layers of security, so if one fails, another one will catch something," says Eldridge.

Besides putting antivirus packages on every client, for example, many administrators use virus scanners on e-mail servers. Keeping client-based scanners up-to-date is vital, because viruses in encrypted e-mail can escape server-based scanners, Eldridge says.
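Two points in this section, the sidebar's suggestion of blocking certain attachment types while waiting for signatures and Eldridge's warning that encrypted mail escapes server-side scanners, can be combined in one mail-gateway policy. The following is an added example written for this article, not code from any product mentioned; the blocked-extension list, the content types, the messages and the byte pattern standing in for a real signature are all constructed.

```python
# Constructed policy values; a real site tunes both sets to its own needs.
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "pif", "bat", "com", "js"}
UNSCANNABLE_CONTENT_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Stand-in for a signature scanner: a made-up byte pattern, not a real
# virus signature, so the example runs offline.
CONSTRUCTED_SIGNATURE = b"CONSTRUCTED-SAMPLE-PATTERN"


def stub_signature_scan(data):
    return CONSTRUCTED_SIGNATURE in data


def attachment_extensions(filename):
    """All extensions of a name, so 'invoice.txt.vbs' yields ['txt', 'vbs']."""
    return filename.strip().lower().split(".")[1:]


def classify_attachment(att, scan=stub_signature_scan):
    """One of 'blocked', 'unscannable', 'infected' or 'clean'."""
    if BLOCKED_EXTENSIONS & set(attachment_extensions(att["filename"])):
        return "blocked"                      # policy block, no signature needed
    if att["content_type"] in UNSCANNABLE_CONTENT_TYPES or att.get("encrypted"):
        return "unscannable"                  # the gateway cannot see inside
    return "infected" if scan(att["data"]) else "clean"


def gateway_decision(message, scan=stub_signature_scan):
    """Quarantine on any blocked or infected part; otherwise deliver, but flag
    messages the gateway could not fully scan so the desktop scanner is still
    the control of record for them."""
    verdicts = {a["filename"]: classify_attachment(a, scan) for a in message["attachments"]}
    if any(v in ("blocked", "infected") for v in verdicts.values()):
        action = "quarantine"
    elif "unscannable" in verdicts.values():
        action = "deliver-flagged"
    else:
        action = "deliver"
    return action, verdicts


# Constructed sample messages, one per branch of the policy.
SAMPLE_MESSAGES = {
    "double-extension": {"attachments": [
        {"filename": "invoice.txt.vbs", "content_type": "text/plain", "data": b"..."}]},
    "smime-encrypted": {"attachments": [
        {"filename": "smime.p7m", "content_type": "application/pkcs7-mime", "data": b"\x30\x82"}]},
    "password-zip": {"attachments": [
        {"filename": "report.zip", "content_type": "application/zip", "encrypted": True, "data": b"PK"}]},
    "matching-sample": {"attachments": [
        {"filename": "notes.doc", "content_type": "application/msword",
         "data": b"header " + CONSTRUCTED_SIGNATURE}]},
    "clean": {"attachments": [
        {"filename": "agenda.doc", "content_type": "application/msword", "data": b"plain text"}]},
}


def run_samples():
    return {name: gateway_decision(msg)[0] for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:18s} -> {action}")
```

The point of the separate "unscannable" verdict is that a gateway which reports encrypted content as "clean" hides exactly the gap Eldridge describes; flagging it keeps the client-side scanner, and the effort of keeping it updated, visibly necessary.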

Eventually, the need to perform such cumbersome updates at the desktop will fade as antivirus vendors produce tools that identify viruses by detecting their suspicious behavior, not by comparing them to a list of known virus signatures.

Pescatore predicts that such behavior-based tools will be most popular on harder-to-update desktops and notebooks. Signature-based antivirus tools will continue to be used on e-mail and other servers, he says, because it takes less processing power to scan for a list of known viruses than to dynamically analyze the behavior of incoming files or e-mail.

McAfee's Outbreak Manager technology, which ships in several of the company's antivirus tools, allows administrators to define suspicious behavior, such as when an e-mail attachment tries to read a user's e-mail address book, and to define which actions to take if the behavior is spotted. Symantec already ships its Bloodhound technology, which examines code for suspicious behavior, in the scanning engine used throughout its product line, says Ulaner.
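The behaviour-based approach described here, an administrator-defined description of suspicious activity paired with an action to take when it is seen, can be sketched as a small rule engine. This is an added example written for this article and is not how Outbreak Manager or Bloodhound is implemented; the event format, the address-book file suffixes, the burst threshold of five messages in ten seconds and the event stream are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """One behaviour observation as a host agent might report it (constructed format)."""
    t: float        # seconds since monitoring started
    process: str
    origin: str     # "user" or "email_attachment", as tagged by the mail-client hook
    action: str     # "file_read", "send_mail", ...
    target: str


ADDRESS_BOOK_SUFFIXES = (".pab", ".wab")  # assumed address-book file types


def reads_address_book(ev):
    """The example from the text: code that arrived as an attachment reads the address book."""
    return (ev.origin == "email_attachment" and ev.action == "file_read"
            and ev.target.lower().endswith(ADDRESS_BOOK_SUFFIXES))


# Two rule shapes: a per-event predicate, and a rate rule over one process.
RULES = [
    {"name": "attachment-reads-address-book", "match": reads_address_book,
     "response": ("quarantine_process", "alert_admin")},
    {"name": "outbound-mail-burst", "count_action": "send_mail", "within": 10.0, "threshold": 5,
     "response": ("hold_outbound_mail", "alert_admin")},
]


def evaluate(events, rules=RULES):
    """Run every rule over the event stream; each rule fires at most once per process."""
    findings = []
    windows = defaultdict(deque)   # (rule, process) -> timestamps inside the window
    fired = set()

    def fire(rule, ev):
        key = (rule["name"], ev.process)
        if key not in fired:
            fired.add(key)
            findings.append({"rule": rule["name"], "process": ev.process,
                             "t": ev.t, "response": rule["response"]})

    for ev in events:
        for rule in rules:
            if "match" in rule:
                if rule["match"](ev):
                    fire(rule, ev)
                continue
            if ev.action != rule["count_action"]:
                continue
            q = windows[(rule["name"], ev.process)]
            q.append(ev.t)
            while q and ev.t - q[0] > rule["within"]:
                q.popleft()                 # drop events outside the sliding window
            if len(q) >= rule["threshold"]:
                fire(rule, ev)
    return findings


# Constructed event stream: ordinary user activity, then an attachment that
# reads the address book and sends a burst of mail.
EVENTS = [
    Event(0, "winword.exe", "user", "file_read", r"C:\docs\memo.doc"),
    Event(5, "attach_1.exe", "email_attachment", "file_read", r"C:\Windows\outlook.pab"),
    Event(6, "attach_1.exe", "email_attachment", "send_mail", "alice@example.invalid"),
    Event(6, "attach_1.exe", "email_attachment", "send_mail", "bob@example.invalid"),
    Event(7, "attach_1.exe", "email_attachment", "send_mail", "carol@example.invalid"),
    Event(7, "attach_1.exe", "email_attachment", "send_mail", "dave@example.invalid"),
    Event(8, "attach_1.exe", "email_attachment", "send_mail", "erin@example.invalid"),
    Event(40, "outlook.exe", "user", "send_mail", "frank@example.invalid"),
]


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"t={f['t']:>4}  {f['rule']:32s} {f['process']:14s} -> {', '.join(f['response'])}")
```

Nothing in these rules depends on a signature, which is what makes them useful against a virus no vendor has described yet; the trade-off is that a rate rule like the mail burst can also catch a legitimate bulk sender, which is one reason the text expects such tools to complement signature scanning rather than replace it.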

But such heuristic tools will only complement rather than replace signature-based antivirus weapons for the foreseeable future, observers say. And that means security managers will keep searching for easier ways to keep their antivirus weapons up-to-date.

Scheier is a freelance writer in Boylston, Mass.


Copyright © 2001 IDG Communications, Inc.
