Antivirus: March 2007 Archives
I was really impressed by the RFP George Washington University put together for their encryption project. It was made available at the SANS Desktop and Storage Encryption Summit that I attended a few months back.
I decided to sit down and try to hammer out a list of requirements for some upcoming projects. I would like to replace the corporate antivirus that we currently use on our desktops and servers. I've been kind of impressed with what McAfee has done. Many companies left them for Symantec at the turn of the millennium: McAfee was too difficult to update and had a reputation for bogging systems down. Now McAfee has a reputation for being easy to manage through ePolicy Orchestrator, and many companies have tired of Symantec's lack of support, virus definition corruption problems and confusing update structure.
Certainly reputation is important. Experiences from someone you trust can go a lot further than a 30-day eval in a lab. The problem is that the people I know using McAfee have really drunk the Kool-Aid. They're like Mac users: they can only bash the competition, and apparently have nothing but positive experiences to report. It makes me question whether they can be trusted to provide a true evaluation of McAfee.
Actually detecting and cleaning is important. But how do you select which vendor is good at it? I read an interesting NIST article on that from 1996. Rather than evaluating vendors on the basis of some virus zoo, I think a better evaluation is to 1) measure their response time when a new variant comes out, and 2) measure how they perform when signatures aren't available and all that is left is heuristics and behavior profiling.
Another requirement is the ability to control which PUPs (potentially unwanted programs) are detected and what happens when they are. I am sick of getting alerts about Netcat. I don't have a problem with it being in my environment, but because of a bug Symantec made in the version I'm running, I can't completely exclude it from detection.
It is just so easy to make the evaluation points all of the things you hate about the current product, rather than brainstorming a full list of requirements.
Currently we have a lot of systems having issues with corrupt virus definitions. Gartner reports that McAfee has the same problems. How do I know if that's a real issue? Is it better or worse than my Symantec problems?