AV software - is it a waste of money?

AV software - is it a waste of money?

  • Yes

    Votes: 14 16.9%
  • No

    Votes: 42 50.6%
  • Possibly, but it's still necessary

    Votes: 27 32.5%

  • Total voters: 83

hardware_failure

[H]ard|Gawd
Joined
Mar 21, 2008
Messages
1,370
I support ~100 users. I am up for renewal of almost this many licenses for one of the major AV companies. No names, it's one of the ones that most people use.

For a business of this size (lack thereof) this is a pretty hefty bill for something that... apparently does nothing in my experience.

Over the last 3 years or so, the AV client has caught a handful of infections, ZERO of which it was able to contain to my satisfaction, and thus each resulted in a re-image. Over ~75% of other infections were malware which wasn't even detected. A "combination" of tools and methods were required for clean up, none of which would have been achievable by one client running in real time (be it officially branded as anti-virus, adware, malware, whatever).

I'm pretty sure that a good majority of members here have also repaired an 'infection' by no less than using a handful of tools and procedures (countless times I might add).

Adding content filtering, increasing security, and being more rigid about software updates and usage policies has done wonders for cutting out nasties for me. Realtime AV protection has done squat.
 
It's crucial for mail scanning (especially if you don't do it on the mailserver/gateway).

If you don't do content filtering on web (content types, av scanning) it's important as well.

We've caught a handful of things - especially on the laptops that leave the office and get connected to home/hotel internet connections.

For my company (about the same size), NOD32 is perfect. The price is right and it provides great protection (although it isn't tested very often). Our other measures are pretty good - we haven't had a malware/virus infection in years (at least that we know about, of course). It's not terribly expensive - I consider it cheap insurance.
 
Do you have AV protection anywhere else besides host based (i.e. on the mail gateway)? If no, keep host based AV. Do you allow your users to access web based email? If yes, keep host based AV. Do you have a perimeter firewall? If not, keep the AV.

The malware issue is a different beast, but take away admin rights from users and use some sort of proxy to limit browsing and that should eliminate the majority of your problems.

I'm not sure of exact licensing limits, but would something like Avast be an option for you?
 
Oh yes, for our mailserver, I should have been more specific. I have a totally different package for the mailserver as well as spam filtering that uses greylisting, the major block lists etc. Couldn't live without all that.
 
Just like wearing a seatbelt. All it takes is a single moment.

If it ever does decide to spread across your network, having clients on all the machines equates to less risk as well. No AV and it'd spread like wildfire.


That said, I think good filtering on your border devices is key.
If you implement good filtering and blocking on those devices, nothing gets in the door to start with!
Spam, Phishing emails/sites, viruses, malware, rogue Active X controls, these are all things you can stop before it hits the end-nodes.
 
I voted for the third option.

FWIW, I smell a lock in this thread's future. Eventually.
 
If you aren't catching 75% of the stuff you're getting, you are using the wrong AV package. Further, if you are getting that much crap in, it sounds like your environment needs some attention (more filtering at the edge, less user rights on the desktop, etc...)

Don't base your impressions of all AV off of a single, crappy, AV package.
 
In my experience most of the "major" AV vendors have had some major problems with their AV packages over the last year, mostly because the malware writers write their code to defeat those same vendors' wares. Of all the clients I have had issues with and moved to ESET NOD32, I've had one, maybe two alerts in the management console that there was an issue detecting or removing something. Oddly enough, I had a client about a week ago that had a DNS-redirector variant installed and it blocked access to ESET's US based website for updates. So, it looks like they are getting more popular as well.

The key to protecting your network from your users is a good content filtering solution at the edge and reduced rights on client workstations.
 
Why won't you name what you are using? Let us know and maybe we can help more.

You should not have users with no AV protection, you can run into some serious issues then. Just imagine if a data miner worm or something got on your network and had fun for a few days...that could be really bad.

That being said, Trend OfficeScan small business has worked out really well for me for quite a while. Does decent malware protection as well.
 
Ironically, I wandered into a new client's office a few weeks ago to help them with a terminal services server setup. I asked what AV they were going to put on the server and they said none. I asked what they were running on the workstations and they said none. They told me it was more cost effective to throw out a few computers per year than to purchase AV licensing for all of them. They bought some WatchGuard firewalls that are "supposed to prevent malware from reaching their network".
 
Note: I work on the signatures for Microsoft Forefront, OneCare, Malicious Software Removal Tool, and Windows Defender. Some have been known to call me biased... ;)

I have and always will preach Defense in Depth. Good AV/AV software on each client's machine is part of that strategy. All you need is a worm like Worm:Win32/Conficker.B running loose on your network, and you'll say that AV software was worth its weight in gold. Having a security guard on each computer is like the alarm system on your house. Sure it can be defeated, but it adds another layer to your whole network's defense.

I highly recommend, if your business has a Microsoft Enterprise Client Access License Suite, that you look into adding FCS. It's reasonable.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Ironically, I wandered into a new client's office a few weeks ago to help them with a terminal services server setup. I asked what AV they were going to put on the server and they said none. I asked what they were running on the workstations and they said none. They told me it was more cost effective to throw out a few computers per year than to purchase AV licensing for all of them. They bought some WatchGuard firewalls that are "supposed to prevent malware from reaching their network".

That might be one of the most ignorant things I've ever read... (your client's comments.. not yours)...

They obviously have never seen a full blown virus outbreak...
 
At my clients where I have a quality antivirus program like NOD32, I have much fewer issues. For those few times the Vundo/Zlob trojan initially slips past NOD32, NOD32 still stops the rest of the installation, and it's been VERY easy and quick to clean up. So XPAntivirus doesn't get far into the machine...barely a toehold.

In addition to NOD32, at several of my clients I'm running them behind the Untangle UTM appliance, which adds virus and spyware scanning at the gateway, and I have even fewer problems.

A little over 1 month ago....I came across the first XPAntivirus infection that I had to give up on, and format her computer. She ran her computer with NO antivirus protection at all..none...nothing. Her homepage was also Facebook. :rolleyes:

So...summing up my experience....
*My business network clients with a top notch antivirus....very little problems; if something does get in, it doesn't get far and is quick to remove.
*Clients with an additional UTM appliance scanning...even fewer problems.
*Machines with no antivirus...spend stupid amounts of time backing up data, wiping clean, reinstalling Windows and their programs, restoring data...
 
So...summing up my experience....
*My business network clients with a top notch antivirus....very little problems; if something does get in, it doesn't get far and is quick to remove.
*Clients with an additional UTM appliance scanning...even fewer problems.
*Machines with no antivirus...spend stupid amounts of time backing up data, wiping clean, reinstalling Windows and their programs, restoring data...
Same here.
Will add:
Host based email anti-virus scanning is a must have on today's internet.
Once it hits your network it is too late.
 
Same here.
Will add:
Host based email anti-virus scanning is a must have on today's internet.
Once it hits your network it is too late.

Yup...many clients of mine are protected several times over when it comes to e-mail.
*I partner with a host that does e-mail cleaning....removes spam and viruses..for both POP3 and my SMTP Smart Host with Exchange Servers
*Untangle UTM appliance scans
*Exchange Server onsite will have its own antivirus component
*And of course...desktop AV client.
 
If you aren't catching 75% of the stuff you're getting, you are using the wrong AV package. Further, if you are getting that much crap in, it sounds like your environment needs some attention (more filtering at the edge, less user rights on the desktop, etc...)

Don't base your impressions of all AV off of a single, crappy, AV package.

++ What he said.

PS: Don't trust users as far as you can throw 'em. Lock everything down that you can.
 
That might be one of the most ignorant things I've ever read... (your client's comments.. not yours)...

They obviously have never seen a full blown virus outbreak...

It was very hard for me to remain diplomatic at that point. :D That was what their "IT Guy" told me. Mind you, they also have seven locations tied together with VPN and no domain environment except for the Terminal Server. He thinks Active Directory is retarded and creates more management overhead in a large environment. They have about 200 email addresses and they're all hosted by GoDaddy and they use POP3. . . .
 
It was very hard for me to remain diplomatic at that point. :D That was what their "IT Guy" told me. Mind you, they also have seven locations tied together with VPN and no domain environment except for the Terminal Server. He thinks Active Directory is retarded and creates more management overhead in a large environment. They have about 200 email addresses and they're all hosted by GoDaddy and they use POP3. . . .

LOL talk about a mickey mouse setup with duct tape and paperclips. :D
 
Just remember Murphy's Law. As soon as you don't have that AV in place is the moment you catch something that infects your whole network. ;)

So what's more cost effective? Saving that money and going no AV causing you to spend a weekend fixing everything once a month. Or spending the money and having those weekends to do whatever you want?
 
Just remember Murphy's Law. As soon as you don't have that AV in place is the moment you catch something that infects your whole network. ;)

So what's more cost effective? Saving that money and going no AV causing you to spend a weekend fixing everything once a month. Or spending the money and having those weekends to do whatever you want?

Or better yet, having something on your network, for weeks maybe months. Spread through all the client machines, phoning home client information, financial information etc. Unknown to everyone.

This is the theoretical disaster story I inform my clients about. The good, slash that, well written malware, you'll never know is there unless you're actively trying to prevent it.
 
It was very hard for me to remain diplomatic at that point. :D That was what their "IT Guy" told me. Mind you, they also have seven locations tied together with VPN and no domain environment except for the Terminal Server. He thinks Active Directory is retarded and creates more management overhead in a large environment. They have about 200 email addresses and they're all hosted by GoDaddy and they use POP3. . . .

:eek:

That makes me feel very good about always being able to find a job somewhere.
 
*I partner with a host that does e-mail cleaning....removes spam and viruses..for both POP3 and my SMTP Smart Host with Exchange Servers
*Untangle UTM appliance scans
*Exchange Server onsite will have its own antivirus component
*And of course...desktop AV client.
Multiple layers are always great, especially if one fails.

For me...
Emails go through DynDNS filtering to strip most crap out.
Emails then hit Untangle device which strips it back 99% of the way.
Once it finally hits the server it gets scanned by NOD32.
Once it hits the client it'll get scanned again client-side.


The good, slash that, well written malware, you'll never know is there unless you're actively trying to prevent it.

This is what most people that don't run AV don't realize.
Not all AV will mock you with popups and changed system settings. Like you said, the "good" stuff remains hidden. Heck, some of it even removes itself after the deed is done so future detections won't have anything to find, and you would have NEVER KNOWN IT.
 
If you want to keep your job in the event something happens, you better have A/V. It's like insurance...you wouldn't suggest the company dump all their insurance just because you have a sprinkler system, would you?
 
Wow, good feedback from everyone, thanks.

For the record:

Users go through an ASA5505 for gateway/firewall which is behind an Untangle box with an AD addon for filtering.

Exchange box is on a different router/firewall with ORF for spam and Symantec AV Corp.

Users have Trend Micro OfficeScan (the product up for renewal).

In the last 12 months I've seen 3 infections on machines with OfficeScan. Each was a box where the user required local admin rights. OfficeScan was unable to clean all 3, and only notified of a problem via email on 1.

I was just wondering if ~2 grand could be spent better elsewhere for more protection.
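Several replies above point at the same root cause the OP reports here: every infection landed on a box whose user had local admin rights. Finding out which workstations still carry that exposure is the first step to the "less user rights on the desktop" advice in this thread. The script below is an added example from the editor, not posted by anyone in the thread; it assumes PowerShell Remoting (WinRM) is enabled on the targets, that `Get-LocalGroupMember` is available there (Windows 10 / Server 2016 or later), and that the computer names and allow-list entries are placeholders to be replaced with your own.

```powershell
# Added example, not from the thread: inventory local Administrators
# membership on a set of workstations and flag anything outside an allow-list.
# Assumptions: WinRM remoting is enabled on the targets, the caller is an
# admin there, and Get-LocalGroupMember exists on them. Names are placeholders.

$Workstations = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

# Principals that are expected to hold local admin and should not be flagged.
# Compared on the short (unqualified) name, so 'CORP\Domain Admins' matches.
$Allowed = @('Administrator', 'Domain Admins')

$Report = foreach ($Computer in $Workstations) {
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        # Unreachable host or remoting disabled: record it instead of silently skipping,
        # because a box you cannot audit is still a box you cannot vouch for.
        [pscustomobject]@{
            Computer = $Computer; Member = $null; Class = $null; Source = $null
            Status   = "ERROR: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($M in $Members) {
        # Strip the DOMAIN\ or HOST\ prefix before checking the allow-list.
        $Short  = ($M.Name -split '\\')[-1]
        $Status = if ($Allowed -contains $Short) { 'expected' } else { 'REVIEW' }
        [pscustomobject]@{
            Computer = $Computer; Member = $M.Name; Class = $M.ObjectClass
            Source   = $M.PrincipalSource; Status = $Status
        }
    }
}

# Console view, with the entries needing attention sorted to the top.
$Report | Sort-Object Status, Computer | Format-Table -AutoSize

# Keep the review items as a CSV so the cleanup can be tracked over time.
$Report | Where-Object Status -eq 'REVIEW' |
    Export-Csv -Path '.\local-admin-review.csv' -NoTypeInformation
```

Anything reported as REVIEW is either a per-user admin grant that should be replaced with a narrower fix (a permission on the specific folder or registry key the application needs) or a group that should be on the allow-list; ERROR rows are hosts that could not be checked and deserve a follow-up rather than being assumed clean.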
 
I am shocked you are having issues with OfficeScan, I have had overall great results with it and found that it is very effective at both malware and viruses much of the time (even though it is not built specifically for malware).
 
I just switched to NOD32 after some people on here talked about it, and for the price I must say it's well worth it... oh, and did I mention when you call them you actually get an English speaking person, and on my last call I didn't even have to wait! I have never been so happy with a business anti-virus product.
 
I've been using NOD32 for about a year now and it works very well and has extremely low overhead. I can run a full deep scan, play a game, and not notice a performance hit.
 