From the mailbag a couple of days ago, Ralph asks “what Anti Virus do I use”


My Antivirus that is running both here at home and at the office is the Trend SMB suite



But I know that others in SBS land use:


Sophos [Marina and Eriq recommend this one]


Symantec 9.0 suite [Handy Andy and Frank have installs of this]


CA Etrust [SuperG uses this]


But let me get the exact products that they recommend and I’ll update the blog post.


Update:  Make sure you read the comments section for some “real life” reports of what works.  You know what I find funny?  No one in small business is mentioning the antivirus firm that Microsoft bought [Sybari].


10 Responses to Anti Virus firms that “get” SBS

  1. Chuck says:

    Sophos looks really interesting. It appears to be a great product for SBS 2K3. I’d be curious to hear real life experiences.

  2. Eriq Neale says:

    Overall, I’ve been very pleased with Sophos. One of my clients has been having an issue, and so while he’s no really crazy about what’s been going on, I’ve been very pleased with the support I’ve received from Sophos tech support – we were able to get to the root of the problem and get it resolved. Very professional, very capable.

    The product itself has impressed me on a number of points, three of which I will enumerate here.

    1. True cross-platform support. A number of anti-virus vendors provide a license that will allow you to run their products on multiple platforms, but that product is different on each platform and must be managed differently. With Sophos, the update files pulled down from the Sophos servers apply to both platforms. No need for "double pulls" or to learn a different updating routine.

    2. True remote installation and management. I haven’t found an anti-virus vendor who makes a true remote installation (via http, not VPN) possible and as easy as Sophos. Again, works the same way on both platforms.

    3. Scanning methodology. I’ve been in the anti-virus game since 1989, and I’ve worked with every major product that’s out there in multiple versions. Bottom line, file scanning is file scanning is file scanning, at least historically. Each vendor, Sophos included, has mechanisms for configuring real-time scanning options with the intent of reducing the extra load on the server as much as possible. This is in the form of telling the scanning engine which files to scan and which files to skip. But the Sophos mechanism for scanning is, IMO, better than the others in the way it determines which files need to be scanned. The first time a file is accessed, Sophos scans it, and when the file is determined to be clean, Sophos creates a checksum of the file and stores that away for future reference. The next time the file is accessed, Sophos first looks at the checksums, and if the checksum has not changed, the file has not changed, and Sophos will not scan the file. If the file has changed, Sophos will perform a scan on it at that time. For file systems that are mostly static, this approach significantly cuts down on the overhead processing time for real-time scanning of the server.

    There are a lot of other things I like about the Sophos product, but those are the big three for me.

    -Eriq

  3. Jason Jystad says:

    I use Panda antivirus. I have several clients who are running it on my recommendation and are very happy with it.

    I switched originally from Symantec as my primary recommended platform because their support had gotten so bad. I stayed switched for exactly the reason mentioned by Eriq above. They support true remote installation and management.

    They do not have an SBS specific version, but the cost for the system works out to the same price or less than any competitive packages I have seen.

    And their tech support stomps arse. 🙂

  4. Trend customer and StarTrek fun says:

    We run Trend’s ISVW for SMB and it works OK. Not more than that, just OK. InterScan Virus Wall for SMB is a gateway with spam, virus and HTTP traffic protection in one package for a good price. We had some issues with the HTTP proxy under load. It just stops. And of course with the automagic updates. Try it before you buy it. I moved the gateway from the SBS server to a separate PC because of 100% CPU utilization during the scheduled updates.

  5. Stevereno says:

    CA E-Trust Gateway has been great – comes with 5 user license for less than $200. Has worked well and stops a lot of junk at the gateway. It also protects Exchange e-mail.

    The default policy is very aggressive and some JAVA is blocked but hasn’t been a problem. I do have 1 issue with Windows Update – AV didn’t recognize the signed certificate from Microsoft on last Tuesday’s update for 1 patch and wouldn’t allow passage through the gateway.

    If you happen to have a virus attachment (outside of Exchange, like POP3) and open it, it locks you out of the network in milliseconds, which is real cool. Automatic updates are available on a daily basis.

    CA has been good on SBS 2000 and SBS 2003.

  6. John says:

    We use Sybari !!

    We have about 50 SBS sites running Sybari and it’s an absolute winner. The great thing about Antigen is that a default install gives you 4 AV engines from different vendors (Sophos, Norman, two from CA) and also the Sybari worm purge feature. Now that’s what I call defence in depth.

    The content filtering engine is very strong as well, e.g. it will pull out MPEGs embedded in Word or other Office docs if required. You can also scan the information store and remove non-business related attachments, MP3/MPEGs etc. (don’t think Trend does this?)

    It’s priced very keenly as well for SBS; the minimum requirement is just 10 seats. They also have products for SharePoint and LCS.

    You still need a file level scanner; we usually go McAfee. Again, the more vendors’ AV engines you have the better IMHO.

    I would definitely recommend Antigen to all SBSers.

  7. Matt Gibson says:

    We use Sybari too!

    It’s an AWESOME product. As John said, you still need a file level scanner, but I’ve yet to see ANYTHING get through Sybari.

    Ditto on EVERYTHING John said.

  8. John says:

    Hey Matt,

    I followed the link to your site. I see you do Fortinet firewalls as well… we are putting these on SBS sites too…

    Fortinets provide another AV engine as well as HTTP/POP/IMAP/SMTP scanning for spyware and antivirus.. and IPS

    With Fortinet and Sybari you have a very strong perimeter defence; we also use ISA…

    The need for multiple engines has been highlighted by the results of the people at avtest.org. They measure the response times for all the major AV engines…

    The test is conducted scientifically and randomly; the virus in question (MyDoom.BB) is real and the outbreak happened in the real world earlier this week. Avtest.org wrote a script to poll every AV company update site every minute and obtain the signatures, then they install the signature and use the real virus to test whether the product can catch it. So no one can cheat and no one can prepare the test in advance.

    Here are the results from the recent MyDoom.BB outbreak:

    > Part I: Proactive detections:
    >
    > BitDefender WITHOUT UPDATES BehavesLike:Trojan.Downloader (suspected)
    > F-Secure WITHOUT UPDATES Email-Worm.Win32.Mydoom.m
    > Kaspersky WITHOUT UPDATES Email-Worm.Win32.Mydoom.m
    > Norman WITHOUT UPDATES W32/Downloader (Sandbox)
    > Quickheal WITHOUT UPDATES Suspicious (warning)
    >
    > Part II: Signature detection by regular updates:
    >
    > ClamAV 2005-02-16 22:02 Worm.Mydoom.M-2
    > Sophos 2005-02-16 23:00 W32/MyDoom-O
    > Trend Micro 2005-02-17 00:05 WORM_MYDOOM.M
    > Fortinet 2005-02-17 00:18 W32/Mydoom.BB-mm
    > F-Prot 2005-02-17 00:43 W32/Mydoom.AY@mm
    > McAfee 2005-02-17 00:52 W32/Mydoom.bb@MM
    > eTrust-CA 2005-02-17 01:30 Win32/Mydoom.AU!Worm
    > Symantec 2005-02-17 02:06 W32.Mydoom.AX@mm
    > Command 2005-02-17 02:44 W32/Mydoom.AY@mm (exact)
    > Virusbuster 2005-02-17 02:58 I-Worm.MyDoom.AX
    > Trend Micro 2005-02-17 03:12 WORM_MYDOOM.BB
    > Quickheal 2005-02-17 04:11 I-Worm.Mydoom.BB
    > eTrust-VET 2005-02-17 05:31 Win32.Mydoom.AU
    > AntiVir 2005-02-17 06:09 Worm/MyDoom.BB (exact)
    > Ikarus 2005-02-17 06:29 Email-Worm.Win32.Mydoom.BB
    > Dr. Web 2005-02-17 07:03 Win32.HLLW.MyBot
    > Proland 2005-02-17 07:19 W32/Mydoom.Bb.Worm
    > Panda 2005-02-17 07:41 W32/Mydoom.AO.worm
    > RAV 2005-02-17 07:43 Win32/Mydoom.BB@mm
    > BitDefender 2005-02-17 07:56 Win32.Mydoom.AQ@mm
    > Norman 2005-02-17 08:20 MyDoom.AQ@mm
    > Dr. Web 2005-02-17 08:54 Win32.HLLW.MyDoom.54464
    > AVG 2005-02-17 10:05 I-Worm/Mydoom.AP
    > Kaspersky 2005-02-17 12:18 Email-Worm.Win32.Mydoom.am
    > F-Secure 2005-02-17 14:46 Email-Worm.Win32.Mydoom.am
    > Avast 2005-02-17 15:23 Win32:Mydoom-AM [Wrm]
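John's argument for multiple engines can be put in numbers with the list he quotes. The following is an added example, not avtest.org's polling script and not part of the thread: it parses the quoted result lines into minutes behind the first signature for each vendor (taking a vendor's earliest entry where it appears twice, as Trend Micro and Dr. Web do) and then asks how quickly a stack of several engines would have had coverage. Mapping Antigen's "two from CA" onto the eTrust-CA and eTrust-VET entries is an assumption made for the demonstration.

```python
"""Time-to-signature from the avtest.org MyDoom.BB list quoted in the comment.

Added example, not avtest.org's code. AVTEST_RESULTS is the quoted list
verbatim (BitDefender's wrapped line re-joined); nothing else is measured.
"""
import re
from datetime import datetime

AVTEST_RESULTS = """
> BitDefender WITHOUT UPDATES BehavesLike:Trojan.Downloader (suspected)
> F-Secure WITHOUT UPDATES Email-Worm.Win32.Mydoom.m
> Kaspersky WITHOUT UPDATES Email-Worm.Win32.Mydoom.m
> Norman WITHOUT UPDATES W32/Downloader (Sandbox)
> Quickheal WITHOUT UPDATES Suspicious (warning)
> Part II: Signature detection by regular updates:
> ClamAV 2005-02-16 22:02 Worm.Mydoom.M-2
> Sophos 2005-02-16 23:00 W32/MyDoom-O
> Trend Micro 2005-02-17 00:05 WORM_MYDOOM.M
> Fortinet 2005-02-17 00:18 W32/Mydoom.BB-mm
> F-Prot 2005-02-17 00:43 W32/Mydoom.AY@mm
> McAfee 2005-02-17 00:52 W32/Mydoom.bb@MM
> eTrust-CA 2005-02-17 01:30 Win32/Mydoom.AU!Worm
> Symantec 2005-02-17 02:06 W32.Mydoom.AX@mm
> Command 2005-02-17 02:44 W32/Mydoom.AY@mm (exact)
> Virusbuster 2005-02-17 02:58 I-Worm.MyDoom.AX
> Trend Micro 2005-02-17 03:12 WORM_MYDOOM.BB
> Quickheal 2005-02-17 04:11 I-Worm.Mydoom.BB
> eTrust-VET 2005-02-17 05:31 Win32.Mydoom.AU
> AntiVir 2005-02-17 06:09 Worm/MyDoom.BB (exact)
> Ikarus 2005-02-17 06:29 Email-Worm.Win32.Mydoom.BB
> Dr. Web 2005-02-17 07:03 Win32.HLLW.MyBot
> Proland 2005-02-17 07:19 W32/Mydoom.Bb.Worm
> Panda 2005-02-17 07:41 W32/Mydoom.AO.worm
> RAV 2005-02-17 07:43 Win32/Mydoom.BB@mm
> BitDefender 2005-02-17 07:56 Win32.Mydoom.AQ@mm
> Norman 2005-02-17 08:20 MyDoom.AQ@mm
> Dr. Web 2005-02-17 08:54 Win32.HLLW.MyDoom.54464
> AVG 2005-02-17 10:05 I-Worm/Mydoom.AP
> Kaspersky 2005-02-17 12:18 Email-Worm.Win32.Mydoom.am
> F-Secure 2005-02-17 14:46 Email-Worm.Win32.Mydoom.am
> Avast 2005-02-17 15:23 Win32:Mydoom-AM [Wrm]
"""

# Vendor names may contain spaces ("Trend Micro", "Dr. Web"), so the vendor
# group is non-greedy and the timestamp anchors the split.
PROACTIVE_RE = re.compile(r"^>?\s*(.+?)\s+WITHOUT UPDATES\s+(.+)$")
SIGNATURE_RE = re.compile(r"^>?\s*(.+?)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(.+)$")


def parse_results(text):
    """Return ({vendor: minutes behind the first signature}, {proactive vendors})."""
    proactive = set()
    first_seen = {}
    for line in text.splitlines():
        m = PROACTIVE_RE.match(line)
        if m:
            proactive.add(m.group(1))
            continue
        m = SIGNATURE_RE.match(line)
        if not m:
            continue                      # "Part II" header and blank lines
        vendor = m.group(1)
        stamp = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
        # Keep each vendor's earliest signature; later lines are refinements.
        if vendor not in first_seen or stamp < first_seen[vendor]:
            first_seen[vendor] = stamp
    earliest = min(first_seen.values())
    lags = {v: int((t - earliest).total_seconds() // 60) for v, t in first_seen.items()}
    return lags, proactive


def stack_lag(lags, engines):
    """Minutes until the first engine of a multi-engine stack had a signature."""
    present = [lags[e] for e in engines if e in lags]
    return min(present) if present else None


if __name__ == "__main__":
    lags, proactive = parse_results(AVTEST_RESULTS)
    for vendor, minutes in sorted(lags.items(), key=lambda kv: kv[1]):
        flag = " (heuristic hit before any update)" if vendor in proactive else ""
        print(f"{minutes:5d} min  {vendor}{flag}")
    # Assumed mapping of the Antigen engines named in the comment onto this list.
    antigen = ["Sophos", "Norman", "eTrust-CA", "eTrust-VET"]
    print("Antigen stack first signature:", stack_lag(lags, antigen), "min")
```

The spread is the point: on this one sample the gap between the first and last signature is over seventeen hours, and a stack whose best engine is also the slowest buys nothing, so it is the earliest engine in the set that sets the exposure window.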

  9. Dennes says:

    GFI’s MailSecurity is one great product too!

  10. I use CA eTrust on the server side on most client sites. Some clients had previously used Symantec 8, which I do not like. On all new sites I run eTrust throughout. A 5-user license cost me about $120 at CDW. Reading the above, I will in my spare time try to test some of the competitor products in my lab. As a note, for full push install on XP SP2 I needed to change a registry key to allow RPC calls.

    Windows Registry Editor Version 5.00

    ;Allows RPC calls for eTrust and others with XP SP2
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC]
    "RestrictRemoteClients"=dword:00000000

    http://msdn.microsoft.com/security/productinfo/XPSP2/networkprotection/restrict_remote_clients.aspx

    I would assume that other AV push installs also use RPC (Remote Procedure Call) to install.
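The registry change in the last comment is easy to apply for the push install and easy to forget afterwards, so here is an added example (not CA's or Microsoft's code, and not from the thread) that parses a .reg fragment in the format shown and reports what RestrictRemoteClients is being set to. The value meanings are those documented on the MSDN page linked above: 0 allows anonymous remote RPC, 1 is the XP SP2 default that refuses it, and 2 refuses it even for interfaces that ask for an exemption. The "restored" fragment is constructed; the first fragment is the comment's own.

```python
"""Audit a .reg fragment for the RPC RestrictRemoteClients policy.

Added example. Parses the Windows registry export format shown in the comment
(section headers, dword/string values, "=-" deletions) and flags a value of 0,
which re-enables anonymous remote RPC on XP SP2.
"""
import re

RPC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC"
VALUE_NAME = "RestrictRemoteClients"
MEANING = {
    0: "RPC_RESTRICT_REMOTE_CLIENT_NONE: anonymous remote RPC allowed",
    1: "RPC_RESTRICT_REMOTE_CLIENT_DEFAULT: anonymous remote RPC refused",
    2: "RPC_RESTRICT_REMOTE_CLIENT_HIGH: refused even for exempted interfaces",
}

# The fragment from the comment above, as it would be saved for the push install.
PUSH_INSTALL_REG = r"""Windows Registry Editor Version 5.00

;Allows RPC calls for eTrust and others with XP SP2
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC]
"RestrictRemoteClients"=dword:00000000
"""

# Constructed counterpart: what to import once the push install is done.
RESTORED_REG = r"""Windows Registry Editor Version 5.00

;Restore the XP SP2 default after the eTrust push install
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC]
"RestrictRemoteClients"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DELETE_RE = re.compile(r'^"([^"]+)"=-$')


def parse_reg(text):
    """Return {(key, value name): value}; dwords as int, strings as str,
    deleted values as None. Lines before the first [section] are ignored."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue                       # header such as "Windows Registry Editor ..."
        for pattern, convert in ((DWORD_RE, lambda s: int(s, 16)),
                                 (STRING_RE, str),
                                 (DELETE_RE, None)):
            m = pattern.match(line)
            if m:
                name = m.group(1)
                values[(section, name)] = convert(m.group(2)) if convert else None
                break
    return values


def audit_rpc_restriction(text):
    """Report the RestrictRemoteClients setting a .reg file would apply."""
    values = parse_reg(text)
    if (RPC_KEY, VALUE_NAME) not in values or values[(RPC_KEY, VALUE_NAME)] is None:
        return {"value": None, "meaning": "policy not set; OS default (1) applies",
                "weakened": False}
    value = values[(RPC_KEY, VALUE_NAME)]
    return {"value": value, "meaning": MEANING.get(value, "unknown value"),
            "weakened": value == 0}


if __name__ == "__main__":
    for label, fragment in (("push install", PUSH_INSTALL_REG), ("restored", RESTORED_REG)):
        print(label, audit_rpc_restriction(fragment))
```

Run against an exported HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC key from each workstation after the rollout, the same function tells you which machines still carry the relaxed setting.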