Malware – viruses, worms, Trojans and other bits of programmatic nastiness – is a multi-billion dollar problem. According to analysts at Aliso Viejo, Calif.-based Computer Economics Inc., last year’s SoBig virus alone accounted for US$1 billion in damages, and the estimated tab for the first wave of MyDoom last January was US$4 billion. Toss in umpteen variants of Bagle, and Sasser and the newest MyDoom, and you have mind-boggling numbers.
The cost to businesses and individuals for cleanup and lost productivity is not, believe it or not, the scariest part of the equation. That’s reserved for the supposedly collateral damage from backdoors installed in infected systems. Yes, July’s MyDoom attack took major search engines down and flooded e-mail systems, causing great irritation and economic loss. But it apparently passed quickly.
What people didn’t immediately realize was that it installed a back door that was subsequently used by another virus – an electronic one-two punch.
These back doors allow compromised computers to be controlled by anyone holding their secrets. Lists of vulnerable systems can be sold to spammers, who use them to spew their garbage. Sneakily installed keyloggers can scoop up passwords, bank account numbers and credit card numbers and send them to those who will make illicit use of them. Compromised machines can be used to attack other systems, either on purpose, as with MyDoom’s assaults earlier this year on SCO and Microsoft, or accidentally, as the latest MyDoom did when it took down popular search sites in its quest for e-mail addresses to spam.
And the authors are not all kiddies looking for bragging rights anymore. Criminals have discovered the potential of malware, and are taking advantage of it.
Stopping their activities needs a combination of tactics. People need to be more cautious about what files they open, what Web sites they visit, and what “free” programs they install (they often discover, too late, that “free” came at a very high price). Software vendors need to tighten up their code to eliminate the vulnerabilities exploited by malware. Law enforcement needs new tools and techniques to track down the bad guys. Until all this is in place, every computer needs anti-virus software.
We asked a group of vendors to supply their corporate products to give us a sense of what the market today offers. Six agreed to participate. Note that their pricing, if quoted in U.S. dollars, has been converted to Canadian dollars at the current Bank of Canada rate of about 1.33. It is the annual base list rate per seat, and will decline depending on volume purchased and licence duration.
TTX Canada provided a Pentium 4 laptop for the testing. We looked at functionality, and impact on system performance (measured by PCMark 2002) – the only “virus” tested was the benign Eicar test pattern. For detection and removal information, we turned to three companies that regularly evaluate products’ capacity to hunt down and deal with viruses found “in the wild”.
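The Eicar test pattern mentioned above is the standard way to confirm that an anti-virus scanner is actually installed, running and watching the file system without handling live malware. The following helper, an added example that is not part of the original review or of any vendor’s product, builds the published 68-character EICAR string, checks candidate files against the EICAR specification (the string, optionally followed by whitespace, with a total length of at most 128 bytes), and offers an on-access check that drops the test file in a directory and reports whether the resident scanner removes it. The file name eicar.com and the timeout value are assumptions chosen for this example.

```python
"""EICAR test-file helpers (added example; not from the original review).

The EICAR string is the public, benign anti-virus test pattern. The
68-character string, the allowed trailing whitespace and the 128-byte
cap follow the published EICAR test-file description.
"""
import os
import time

# The canonical 68-character EICAR test string (the "\\" is one backslash).
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR.encode("ascii")
assert len(EICAR_BYTES) == 68, "EICAR constant is corrupted"

# Only these bytes may follow the string: space, tab, CR, LF, CTRL-Z.
_ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """Return True if `data` is a spec-conformant EICAR test file."""
    if not data.startswith(EICAR_BYTES):
        return False
    if len(data) > MAX_LEN:
        return False
    trailer = data[len(EICAR_BYTES):]
    return all(b in _ALLOWED_TRAILER for b in trailer)


def eicar_samples() -> dict:
    """Constructed samples: which ones a scanner is obliged to recognise.

    Values are (bytes, expected_valid). Scanners may still flag the invalid
    ones heuristically, but the spec only promises detection of valid ones.
    """
    return {
        "plain": (EICAR_BYTES, True),
        "crlf": (EICAR_BYTES + b"\r\n", True),
        "padded_to_128": (EICAR_BYTES + b" " * (MAX_LEN - 68), True),
        "too_long": (EICAR_BYTES + b" " * (MAX_LEN - 68 + 1), False),
        "truncated": (EICAR_BYTES[:-1], False),
        "non_whitespace_tail": (EICAR_BYTES + b"x", False),
    }


def write_eicar(directory: str) -> str:
    """Write the plain EICAR file into `directory` and return its path."""
    path = os.path.join(directory, "eicar.com")  # assumed file name
    with open(path, "wb") as fh:
        fh.write(EICAR_BYTES + b"\n")
    return path


def check_on_access(directory: str, timeout: float = 10.0) -> str:
    """Drop the test file and report what the resident scanner did.

    Returns one of: "blocked" (the write itself was refused), "removed"
    (file vanished within `timeout`), or "not_detected" (file still
    present and unchanged, so on-access scanning is off or detect-only).
    """
    try:
        path = write_eicar(directory)
    except PermissionError:
        return "blocked"
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return "removed"
        time.sleep(0.5)
    # Clean up after ourselves so the test file is not left behind.
    try:
        os.remove(path)
    except OSError:
        pass
    return "not_detected"


if __name__ == "__main__":
    import tempfile
    for name, (data, expected) in eicar_samples().items():
        print(f"{name:22s} valid={is_eicar_test_file(data)!s:5s} expected={expected}")
    with tempfile.TemporaryDirectory() as tmp:
        print("on-access result:", check_on_access(tmp, timeout=5.0))
```

Run the script on a protected workstation: a scanner with on-access protection enabled should report "blocked" or "removed"; "not_detected" means the real-time component is off, is set to detect-only, or is excluding that directory, all of which an administrator would want to know before trusting the signature-update and lock-down settings the reviews below describe.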
CA eTrust Anti-Virus 7.1
* Per seat pricing starts at: $63.14
eTrust is unique in that it contains not one, but two scanning engines. Administrators can choose which one to use, and even alternate them in scheduled scans if desired.
The program runs on almost any platform: Windows from 95 up, Linux, several versions of Unix, NetWare, Macintosh OS X, PDAs, some smart phones and more. The administrator’s console is equally versatile, allowing enterprise control from Windows, Linux or Mac. The admin interface looks very much like a Microsoft Management Console plug-in. The administrator has a collection of 60 reports to choose from, and can lock down user settings to prevent accidental cessation of protection.
Workstations can be designated as signature caching servers, so updating is distributed to improve performance.
The program offers all of the usual amenities: on-demand scanning, scheduled scans, choice of files to scan (the default is all), and if a user remotely accesses or copies an infected file to the PC, they’re immediately locked out for a configurable time.
Grisoft AVG Anti-Virus Network Edition 7.261
* Per seat pricing starts at: $63.14
* AVG’s pricing is for a two-year license.
AVG runs on Linux and every version of Windows from 95 up. It comes as either a standalone or a network edition with centralized deployment. Administrators can build setup packages on CD or on network shares, or push the software out to its clients from a server (they must deploy with administrator privileges on the target system). They can even configure a system to their satisfaction, then use it as a template for deployments. The configuration can be either completely locked, or can be set to allow the user to change specific parameters.
The software has two user interfaces: Basic and Advanced. Basic has a straightforward push-button look, while Advanced resembles MMC. As expected, the administrator’s interface provides extensive monitoring and reporting of the state of protected systems; all of this information is stored in a SQL database. Grisoft even provides tools to keep this database tidy and performing well.
By default, the program runs a full scan when you start the system but it didn’t slow normal operations on our test system. It generates a dialogue when it’s done, which is distracting unless there’s something to report.
I found it annoying that the default installation only loaded a subset of the help files; you have to go to the Grisoft site to retrieve the full package.
McAfee VirusScan Enterprise 8i
* Per seat pricing starts at: $53.87
VirusScan Enterprise 8i is a shiny new version of McAfee’s enterprise product, with lots of new bells and whistles. We tried a release candidate, since our deadline was a couple of weeks before official launch.
As well as standard virus protection (including some spyware detection) for Windows NT and higher (Windows 9x users are stuck at version 4.5.1), 8i now offers port blocking (which stops unknown mass mailers from sending); it will even prevent FTP or Web activity if desired. It can be configured to block access to shares, to prevent IRC communication, and to prevent creation of new executables and DLLs in system directories.
There’s buffer overflow protection for a herd of programs (including Internet Explorer), with, McAfee says, more on the way.
“Unwanted program” (spyware, adware, joke programs, dialers, remote administration programs, etc.) detection is off by default; a bit silly given the amount of the pesky stuff around. In a nice touch, however, users can define additional programs to block, if they choose.
The current admin tool, ePolicy Orchestrator (ePO), will have been upgraded by the time you read this (a new version was scheduled for August); however, the big improvements won’t arrive until next year, when ePO’s somewhat convoluted reporting system gets a major revamp. ePO performs the necessary admin tasks.
Panda EnterpriSecure
* Per seat pricing starts at: $100.00
Installing Panda can be a wee bit convoluted. Where most products need, at most, a licence code, Panda wants a user name and password as well. I was also somewhat bemused when a number of the dialogue boxes appeared in Spanish.
Once you get past those idiosyncrasies, the AdminSecure administrative program builds a repository, and distributes the client to workstations (all versions of Windows from 95 up). Users have zero configuration choices; those who click on the Panda head in the system tray only see a list of what they can scan (files, e-mail, etc).
The administration console has a clean interface that’s easy to navigate. It lets you set up jobs to perform tasks