Multi-level anti-virus

No, this is not an article about weird marketing practices or “ponzi” schemes within the A/V industry. It IS an article about how you can better protect yourself against viruses and malware. I decided to write this after one of our customers had the willies scared out of them by a “security alert” circular from one of their other vendors.

We (itgroove) have always worked from the assumption that no single a/v product provides 100% protection against all virus and malware threats. The A/V vendors may take issue with that stance, but it’s what we believe and it sets the tone for how we architect customers’ infrastructures. We always “layer” A/V protection so that there are at least two layers of scanning using multiple vendors’ technologies. Our preferred architecture relies on Sonicwall firewalls with Sonicwall’s McAfee-based technology scanning at the gateway (firewall) and Trend Micro’s A/V installed on all machines on the inside LAN (usually WFBS). If the customer utilizes Office365 that adds another layer, as Forefront is scanning at the Exchange level (on-premises Exchange is covered by the aforementioned Trend A/V).

The reason we layer is simple: chances are that if one vendor’s technology misses, or does not identify and eliminate, a virus or malware, the other vendor’s will. It is a simple numbers game where you have better protection if your “layer number” is 2 or greater. Single-vendor solutions such as Sonicwall’s Gateway A/V and Enforced Client A/V (to name but one) can leave you vulnerable, as the same technology is in place at the gateway and on the LAN; if the technology does not identify a virus or malware then it misses it entirely throughout your infrastructure. (To be fair to Sonicwall, they do offer Kaspersky as an optional layer.)

I want to circle back to my point about our customer and the security circular they received. The circular highlighted the existence of a nasty virus that targets POS systems running on Windows boxes and was also a pitch for a “managed” single-vendor a/v service. The interesting thing is that the vendor provided stats from Virustotal which listed 40 different a/v vendors and whether or not their product identified and removed this particular virus. Roughly half of the vendors missed identifying the virus. Using our two preferred vendors as a measuring stick, Sonicwall (McAfee) missed and TrendMicro identified/removed. If our customer’s network had ONLY been protected by McAfee they could have been at risk, but they have the second layer in place. Of course, the possibility exists that BOTH layers could miss something, but the odds are much more in your favour with two layers than with a single layer.
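To make the “numbers game” concrete, here is an added example (not from the original post or from itgroove) that takes a per-vendor detection table of the kind Virustotal produces and computes how often a single layer, and each possible pair of layers, misses a sample. The table, the sample ids and the vendor labels are constructed for illustration; the “enforced_client” row deliberately duplicates the gateway engine to show why a same-vendor second layer adds nothing.

```python
from itertools import combinations

# Constructed detection table (NOT the circular's Virustotal data):
# 1 = vendor identified the sample, 0 = vendor missed it.
SAMPLES = ["s1", "s2", "s3", "s4", "s5", "s6", "s7", "s8"]
DETECTIONS = {
    "gateway_mcafee":  [1, 1, 0, 1, 0, 1, 0, 1],
    "trend_wfbs":      [1, 0, 1, 1, 0, 0, 1, 1],
    "kaspersky":       [1, 1, 1, 0, 0, 1, 1, 0],
    # Same engine as the gateway row: an "enforced client" layer from the
    # same vendor misses exactly the same samples the gateway misses.
    "enforced_client": [1, 1, 0, 1, 0, 1, 0, 1],
}


def miss_rate(vendors, detections=DETECTIONS):
    """Fraction of samples that EVERY vendor in `vendors` missed."""
    n = len(next(iter(detections.values())))
    missed = sum(
        1 for i in range(n) if all(detections[v][i] == 0 for v in vendors)
    )
    return missed / n


def independent_estimate(vendors, detections=DETECTIONS):
    """Joint miss rate you would expect if the vendors missed independently
    (product of the single-vendor miss rates). Comparing it with the
    observed joint rate shows how much the engines overlap."""
    p = 1.0
    for v in vendors:
        p *= miss_rate([v], detections)
    return p


def rank_pairs(detections=DETECTIONS):
    """Every two-layer combination, best (lowest joint miss rate) first."""
    pairs = combinations(sorted(detections), 2)
    return sorted((miss_rate(p, detections), p) for p in pairs)


if __name__ == "__main__":
    for v in DETECTIONS:
        print(f"{v:16s} single-layer miss rate {miss_rate([v]):.3f}")
    for rate, pair in rank_pairs():
        est = independent_estimate(pair)
        print(f"{' + '.join(pair):34s} observed {rate:.3f}  "
              f"if independent {est:.3f}")
```

The worst pair in the ranking is the gateway engine paired with its own enforced client (the same 3/8 miss rate as one layer), while any cross-vendor pair drops to 1/8; the sample still missed by every pair is the “both layers could miss” case from the post.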

If your network is only covered by a single layer of a/v then I urge you to look into how you can add a second layer from another vendor. There are many, many options available and you don’t have to use our particular model. But you should do something. You should scan at the gateway, as the best defence is to keep the garbage out of your network, period; especially so in this age of BYOD on your network. You should ensure your various devices on the LAN are covered with a/v. You should ensure your mobile users have a/v that ramps things up when they are NOT behind your corporate firewalls. And you should pay attention to what your various a/v dashboards tell you.

We have a lot of customers set up with the multi-layer approach and it works extremely well. It can work well for you, too.

2 responses to “Multi-level anti-virus”

  1. Hi,

    I’ve worked for a number of years for Trend Micro and there’s one thing they tend to hide: they are sharing patterns across vendors. I know Trend had contracts with Symantec and McAfee to share their latest findings both ways so they can all stay competitive. In all fairness I don’t know the extent of that kind of contract, but I know they exist.

    I believe the reason you see a difference is related to the medium the virus is using to get through. For example, a well-packed virus can easily pass a firewall scan and be detected at the extraction point on the end user’s computer, and vice versa.

    You do have advantages to keeping the same vendor within a company, especially when it comes to enterprise suites, as they work together and provide more flexibility.

    Now I’m not trying to sell Trend; I don’t work for them anymore. It’s just that there is a side we don’t always know, and it’s often hidden behind long, boring marketing materials 😉

  2. Gaetan:

    Thanks for the comment. I know way back when that many of the other A/V firms also ran under patents licensed from Trend so you are right, there is nothing truly “unique” between the various vendors. That said, we still prefer the multi-level model because it can play to the individual strengths of the various vendors. And it also ensures that we catch stuff at the gateway and not just on the LAN. And, yes, I know that Trend also has gateway products but the mix we use (Sonicwall/Trend) works extremely well.
