Recently in Antivirus Category

Symantec Endpoint Protection Manager Console (SEP11) allows authentication through local accounts, Active Directory and SecurID. SecurID is a two-factor authentication system which combines a PIN known to the user with a token-generated 6-digit code for authentication. The token code is regenerated every 60 seconds.

Because the SecurID passcode is always changing, imagine my surprise when I attempted to log into SEPM and I received an error that my password had expired. After checking the KB and the Symantec forums and not finding an answer, I opened a case with support. Support tells me that this is a known issue that should be fixed in a future maintenance release.

For now I'm going to have to either configure AD authentication for people requiring access to the SEPM console (such as admins and helpdesk) or, if I continue with SecurID accounts, recreate their accounts every 90 days.

I think it's a really good idea to use AD or SecurID for authentication so that each administrator doesn't end up with 50 accounts with bad passwords that are never changed. It would be preferable, however, if the authentication actually worked correctly.

No conclusions can be drawn from this single-instance comparison. I called both Sophos and Symantec tech support to ask them a simple question: are there any known interoperability issues between your product (SEP11, and Sophos AV/AF) and PGP? We have seen conflicts in the past between some personal firewall clients and PGP and we'd like to know of any issues.

First I checked the knowledge base articles for each vendor. A search for 'PGP' returned nothing on each website.

Next, a call to Sophos. I got the phone number off their public website. This was not a support line for evaluation customers. I called, went through the phone menu and was talking to tech support after maybe a minute of hold time. He knew there was a potential issue and read me a KB article from their internal system. There is an issue when PGP is installed after Sophos. Couldn't expect much more, although I don't see why that article wasn't in the public KB.

Next, a call to Symantec. It took 3 minutes to get to the call pre-screener. This person couldn't find my contact information, asking me if I've called before. Yeah, for the past 8 years. 9 minutes into the call I finally escape the pre-screen and get into the real phone queue. The recording says the customer waiting the longest has been on hold for 7 minutes. That is incredible. I was expecting to be on hold for 2 hours, since I called in the afternoon. In about 5 more minutes, I talked to the tech, who was not aware of any PGP issues. I pointed out that PGP interoperability problems would occur most when managing what applications can run, which is off by default. He checked with other people and no one was aware of any issues.

The difference in support on this one call was not as great as I expected. I could live with either one. I just need to get my Symantec account straightened out so I don't have to fight with the pre-screener so much.

I'm seeing some new virus detections on the SMTP layer.

Filename: vertrag.exe (Vertrag is German for contract)
Detected as: New Malware.co

Subjects: Mietvertrag (Mietvertrag is German for lease, according to Babelfish)
          Abbuchungsvertrag (deduction contract in German)
          Tilgungsvertrag (repayment contract in German)

As I've posted previously, I'm currently doing an eval with Sophos to potentially replace our Symantec Antivirus with Sophos Antivirus, HIPS and Firewall. Sophos provides support for a wide variety of operating systems.

I haven't crossed that bridge yet, but I did talk to my pre-sales support (hi Chris) about the issues with 1) convincing Linux, Solaris and Mac users to follow the company policy and install antivirus and 2) the new burden of these people now thinking you provide support for anything that goes wrong with their system, because it must be the AV's fault.

Mark Harris, Director of SophosLabs, has written a blog entry covering some of the same type of information. He announces Sophos Anti-Virus for UNIX 7.0 beta and explains why antivirus for Unix is even necessary.

This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling that all over the country sales guys just perked up and began repeating "sales lead" to themselves?) Currently we're using Symantec Antivirus 10. I'm looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature-based solutions can provide. For years I've wanted to go with Cisco Security Agent (although now I don't want to add yet another agent); I've also considered McAfee Total Protection because it has the McAfee HIPS technology.

Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.

When I set up their enterprise console, I found, as they stated, that it's a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client I found a couple of things that really bother me.

1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos they create local groups: Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of the local Administrators group to the Sophos Administrators group. In our company employees have local admin rights, so this is kind of a problem.

Sophos' answer to this is to use Restricted Groups in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally, they use Group Policy to place NTFS file permissions on their XML configuration file.

This solution is simply not as granular as that provided by the competitor. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. This solution doesn't allow you to lock down settings on computers that are not members of your domain. This solution creates a dependency on Group Policy acting correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.
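Since the Restricted Groups approach only takes effect at Group Policy refresh and does nothing for machines outside the domain, the practical defensive check is a local audit that reports drift: who is actually in the Sophos-created groups, and who can actually write the XML configuration file. The following PowerShell script is an added example written for this page; it is not Sophos' code and not from the original post. It assumes the three group names as listed above, uses constructed allow-list values (`CORP\AV-Admins`, `CORP\Helpdesk`), and uses a placeholder for `$ConfigPath` because the post does not give the real path of the configuration file.

```powershell
<#
  Added audit script (not Sophos' code, not from the original post).
  Reads local group membership and the NTFS ACL on the client configuration
  file and reports anything outside an allow-list. Because it only reads, it
  can run on domain and non-domain machines between Group Policy refreshes.
  Assumptions: group names as listed in the post; allow-list values are
  constructed examples; $ConfigPath is a PLACEHOLDER for the real file.
#>
param(
    [string]$AdminGroup = 'Sophos Administrator',
    [string[]]$OtherGroups = @('Sophos Power User', 'Sophos User'),
    # Constructed example values: the only principals allowed to hold Sophos admin rights
    [string[]]$AllowedAdmins = @('CORP\AV-Admins', 'CORP\Helpdesk'),
    # PLACEHOLDER: replace with the actual path of the Sophos XML configuration file
    [string]$ConfigPath = 'C:\ProgramData\PLACEHOLDER\config.xml'
)

function Get-UnexpectedGroupMembers {
    param([string]$GroupName, [string[]]$Allowed)
    try {
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    } catch {
        Write-Warning "Local group '$GroupName' not found: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        # Names come back as DOMAIN\user or COMPUTER\user; anything not allow-listed is drift
        if ($Allowed -notcontains $m.Name) {
            [pscustomobject]@{
                Group  = $GroupName
                Member = $m.Name
                Type   = $m.ObjectClass
                Source = $m.PrincipalSource
            }
        }
    }
}

function Get-WritableAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Configuration file not found: $Path"
        return
    }
    # Any of these rights lets a principal change the configuration
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Report 1: members of the admin group that are not on the allow-list
$extraAdmins = Get-UnexpectedGroupMembers -GroupName $AdminGroup -Allowed $AllowedAdmins
if ($extraAdmins) {
    Write-Output "Members of '$AdminGroup' outside the allow-list:"
    $extraAdmins | Format-Table -AutoSize
} else {
    Write-Output "'$AdminGroup' membership matches the allow-list."
}

# Report 2: full membership of the lower-privilege groups, for the record
foreach ($g in $OtherGroups) {
    Get-UnexpectedGroupMembers -GroupName $g -Allowed @() | Format-Table -AutoSize
}

# Report 3: every principal that can modify the configuration file
$writers = Get-WritableAces -Path $ConfigPath
if ($writers) {
    Write-Output "Principals that can modify '$ConfigPath':"
    $writers | Format-Table -AutoSize
    $broad = $writers | Where-Object { $_.Identity -match 'Everyone|Authenticated Users|BUILTIN\\Users' }
    if ($broad) { Write-Warning "Broad write access on the configuration file; tighten the ACL." }
}
```

Run it from an elevated prompt (reading local group membership needs it on most builds) and schedule it, or ship its output to whatever collects logs for you; a local admin who adds himself to the group for five minutes will show up in the membership report even though Group Policy will quietly remove him again at the next refresh.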

2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I'll have to supply a password in the command-line script. I believe that is specifically forbidden under NIST 800-53. It's certainly bad practice. It also raises questions on how users outside the domain will install (home users, Windows computers in other domains).

I haven't run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the SMS install account.

When installing on a non-domain computer, I had a lot of problems getting the install to work and then successfully check in for updates.

3. The Sophos install creates a local administrator account. Now I'm sure it has a very strong password, but I'm just not comfortable with my software creating a local admin account. Symantec didn't do that. McAfee didn't do that.

I've been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn't matter if the rest of the eval is perfect: if Sophos can't answer to my satisfaction why they are doing things this way and why it isn't a problem, I can't do with this product.

Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It's no wonder they claim to be faster than the competitor. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). These three issues may be too much for me to accept.

My sales engineer is out most of next week. I'm out Monday. I'll post a follow-up when I get some answers back.