Posts tagged ‘Antigen’

Can MessageLabs improve Symantec Antivirus?

I rescued an old comment from Akismet (the spam filter I’m using on the blog) because it asked an interesting question: how can Symantec’s acquisition of MessageLabs improve their desktop antivirus?
My first reaction to this is that MessageLabs Antivirus can’t be duplicated at the desktop. They use multiple antivirus engines in addition to their own Skeptic engine, a collection of heuristic detections. Multiple scan engines work on gateway servers, and Microsoft Antigen/Forefront/whatever uses multiple engines on SharePoint. But at the desktop, performance is needed. Also, don’t quote me on this, but I thought I’d read that the Skeptic database has a huge ruleset. That also doesn’t lend itself well to desktop performance.
Multiple antivirus vendors are now looking at implementing antivirus in the cloud. In this model, new/unknown files are sent to the cloud for analysis. Skeptic would fit in well in Symantec’s implementation of that model.

Symantec buys MessageLabs

Symantec buys MessageLabs, the leader in email security. Press release is here.
I was just talking to my old sales rep last week about ML on the market. It seemed to me that MessageLabs sold its ISP Star to make it easier to sell itself.
There are some good things here. Both Symantec and MessageLabs seem to have top-notch anti-virus groups. I hope they don’t feel they can eliminate redundancy.
I am concerned based on my past experience when Symantec bought IM Logic. Support immediately dropped from the excellent level that IM Logic maintained to the hit or miss quality of Symantec. I also felt that development slowed significantly for a time.
When Microsoft bought Sybari they added their own antivirus engine and eventually dropped some of the available engines in Antigen (I think I’m remembering that right). I’m not actually sure who MessageLabs is using right now, but I’m sure Symantec AV (crappy as it is) will be in the mix shortly. MessageLabs support has told me in the past which antivirus engines they use in email, but they don’t advertise it because they want to be able to make changes to have the most effective defenses.
Here is hoping that the changes will be positive. For the past 5 plus years that I’ve used MessageLabs nothing beats them for email security.

Symantec so done with Antigen

Regular readers of my blog know that one of my many duties at work is to administer what was once known as IMLogic (now known as Symantec IM Manager). I’ve complained loudly and frequently here ever since Symantec bought IMLogic. This post is more of the same. ;)
IMLogic would keep me up to date about new releases. Symantec released version 8.2 without letting me know.
IMLogic worked hard to stay on top of new developments in the IM industry and let me know what actions I should take. Yahoo announced their web IM a few days ago. I still haven’t heard from Symantec about the best way to make sure that Yahoo Web IM is either blocked or monitored.
When Symantec bought IMLogic and Microsoft bought Sybari, I predicted that the Sybari – IMLogic integration was not long for this world. As I read the Symantec IMManager release notes for version 8.2, I see that Antigen for IM is no longer integrated. Here’s a support article about that.
Fortunately, it seems this version doesn’t have a lot new that I care about.

Real-time Enterprise Vault export capability
Groups and Group policies based on IP address ranges
File transfer control by type
Internationalization And Localization Changes
VMWare Support
Oracle 10g Support

Unfortunately, 8.1, the version I’m using, is EoL in the fall.

Symantec IM Manager Upgrade

This afternoon I upgraded Symantec IM Manager from 8.0.12 to 8.1.4. I needed to upgrade to allow the new Live Messenger 8.1 client to work. IM Manager 8.1 is a different code branch than 8.0, but I wanted to see what was new in it as long as I was upgrading.
As I installed I noticed that it was adding .Net 2 to the server. After the install, I ran a Microsoft Update, and sure enough, Symantec installed .Net 2 without the latest security patches.
8.1 has a different web design than 8.0. I kind of like it. While browsing through the options, I noticed that LiveUpdate is one of the listed update methods. The IM Manager updates are still separate. They have embedded the Symantec scan engine into the product, so if you enable it (enabled by default on new installs) it will use Symantec AV to scan file transfers. I currently use Microsoft Antigen for this purpose. Because we don’t have a lot of file transfers via IM, I may save some money at renewal time by ditching Microsoft Antigen.

Upgrading Symantec IM Manager

I spent most of my Saturday upgrading Symantec (IMLogic) IMManager. We have two servers running that, one acts as a proxy for public IM traffic and the other looks at LCS traffic. Prior to implementing IMManager we had a track record that once a month a user would get their computer infected through IM and then spread it to their contacts inside and outside the company.
The upgrade process wasn’t the smoothest thing I’ve experienced. I didn’t follow their advice to try it in a lab environment first. I felt like it would take me more time to set up the lab environment, and even then it wouldn’t prove that I could upgrade production successfully, only that I could upgrade the lab successfully. I decided it would take about the same amount of time to fix whatever problem occurred on the production machine.
I backed up the database to allow for a fall back position, I reviewed the release notes and all available documentation and jumped in. Symantec provides a lot of information in the documentation, the release notes, and in knowledge base articles, so I was able to create a decent upgrade plan.
I received an error on my update indicating “an error has occurred in the installation of the IM Manager. Description: Failed to install the IM protocols engine. Would you like IM Manager setup to continue.” There was a support article with a few things to try (missing DLL, Windows Installer not started, and you’re just screwed). None of those suggestions were relevant. I’m wondering now if the problem was a failure to stop the upgrade service as they recommended.
To resolve the problem, I had to uninstall by hand. There is a knowledge base article for this, but it’s pretty obvious what to do. Delete the install directory. In the registry, remove the uninstall key and the service keys. I then installed 9 from scratch. Since I had a SQL database on another server, the configuration was preserved.
I am still missing support for Yahoo Messenger 8 (they are working on that for a future release), and I had a weird problem where I had to reboot to get the server to listen for AIM traffic, but other than that I’m pretty happy. Hopefully it will continue to work on Monday when the users come back.
IMManager is integrated with Microsoft (Sybari) Antigen for IM to provide antivirus scanning. I upgraded that a minor build number as well. The only new development there is to allow encrypted LCS traffic and also support LCS 2005 sp1.

Alex is having a temper tantrum

Alex over at Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft OneCare and FrontBridge. Imagine what he’d be saying if they were giving it away, as they probably should be.
I don’t really follow this all that closely. I’m currently a user of Microsoft Antigen, and the prices quoted for FrontBridge seem to be what I’m paying for Antigen now. So I don’t see the predatory pricing. Further, he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription-based model where the software is licensed for a period of time only. This is not a change.
The legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices, it will no longer work. Alex says that Microsoft will stifle innovation. I say the opposite. AV companies need to get off the bench and create better products.

Symantec’s IMLogic Acquisition 5 months later

It’s 5 months since Symantec bought IMLogic. When it first occurred I wrote an anguished cry predicting woe. Let’s take inventory and see what has happened.
IMLogic IMManager 8 was released the last few days of April. Not bad for having originally been on the books for January, before the Symantec purchase. Of course I don’t know for sure that the delays were caused by the Symantec purchase. But I have my suspicions. The good news is the release still has the support for Google Talk and AIM’s Rendezvous file sharing server.
The shoe dropped the other day regarding changes to support. Actually it’s not quite clear from the letter I received. As I figured, they are transferring support into their “gold” support at the end of your current contract. The thing is, my gold antivirus support does not have a way to create tickets online, I cannot email support, and the knowledge base is kind of annoying. So although the letter says I won’t lose anything, it sounds like I will lose features if they make it like antivirus support. I also wonder if there will be a separate IMLogic support group as there is now, or if this skill set will be merged in with the antivirus support people. There are still a lot of questions and I don’t know who to ask. The letter from Symantec merely talked about how great things would be but did not offer a way to ask questions. Is support equipped for questions like this? Do I have an account rep? Who knows.
I was also rather worried about integration with Sybari (Microsoft) Antigen. I emailed Sybari today to ask them if they were supporting Microsoft Antigen for IM version 8 integrated with the new IMManager version 8 that came out two weeks ago. Support did not know! They actually emailed me back that they would download IMManager 8 and try it out. This does not bode well.

Kaspersky Update befouls Exchange with Sybari

This morning at 11:40 our Exchange 2003 server updated the Kaspersky antivirus scan engine. That is part of Microsoft (Sybari) Antigen. A few minutes later I began receiving emails about a scan-time timeout, and when I checked I saw that no mail was being delivered anymore.
After spending an hour on hold with Microsoft waiting for support, I changed tactics and called my TAM. He told me I was still 35th or so in the phone queue (down from a couple hundred) and that the problem was a bad Kaspersky virus definition update (that is what I suspected). I disabled Sybari scan jobs (once I could get into its admin GUI) and updated Kaspersky to a newer definition set. All told, two admins wasted three hours on this today and our company couldn’t send or receive email for most of that time.
While bad virus def updates have hosed our server in the past (usually it’s Kaspersky), I have never had this kind of hold time. I am really unhappy with the quality of support now that Microsoft owns Antigen.

Using Sybari? Check your ScanAllAttachments setting

Sybari (or is that Microsoft?) sent out a security bulletin relating to WMF viruses. They are calling it WMF/Exploit.b, Alias: Exploit-WMF trojan, Exploit.Win32.IMG-WMF.a, Troj/DownLdr-QB
But most importantly, they warn:

****PLEASE NOTE****
For Windows platforms, users must set the “ScanAllAttachments” registry value to 1 for this filetype to be detected.
Domino Users:
For Domino, the following can be done:
1. Open the “notes.ini” file.
2. Add the “.JPG” and “.WMF” extension to the “AntigenAveExts” parameter.
3. Save the file.
4. Recycle services.

I always thought it a little sketchy that by default Sybari scans specific file types only. Hopefully Exchange performance won’t grind to a halt when this change is made.
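The bulletin above gives two manual steps: set the ScanAllAttachments registry value to 1 on Windows, and add .JPG and .WMF to the AntigenAveExts parameter in notes.ini on Domino. The following is an added example (my own, not code from the post, Sybari or Microsoft) that checks the first and applies the second idempotently. The registry key path ASSUMED_ANTIGEN_KEY is an assumption and must be confirmed against your Antigen version; the notes.ini handling assumes KEY=value lines with a comma-separated extension list, which is also an assumption.

```python
# Added example, not from the original post or from Sybari/Microsoft.
# (1) read and interpret the Windows ScanAllAttachments value,
# (2) make sure the Domino AntigenAveExts list contains the bulletin's extensions.
import re
import sys

# ASSUMPTION: registry location of the Antigen for Exchange settings.
ASSUMED_ANTIGEN_KEY = r"SOFTWARE\Sybari Software\Antigen for Exchange"
VALUE_NAME = "ScanAllAttachments"


def read_scan_all_attachments():
    """Return the ScanAllAttachments DWORD, or None if the value is absent
    or we are not running on Windows (winreg only exists there)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ASSUMED_ANTIGEN_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except OSError:
        return None


def scan_all_attachments_status(value):
    """The bulletin requires the value to be 1.  A missing value is treated as
    not set, because the default behaviour scans the listed file types only."""
    if value == 1:
        return "ok: ScanAllAttachments=1, every attachment is scanned"
    if value is None:
        return "warning: ScanAllAttachments missing, only listed file types are scanned"
    return f"warning: ScanAllAttachments={value}, set it to 1"


def ensure_ave_exts(notes_ini, required=(".JPG", ".WMF")):
    """Return (updated_text, added_extensions) for a notes.ini body.
    Case-insensitive: '.jpg' already present counts as '.JPG'.  If the
    AntigenAveExts parameter is absent it is appended.  Re-running on the
    output adds nothing, so the change is safe to script."""
    required = [e.upper() if e.startswith(".") else "." + e.upper() for e in required]
    had_newline = notes_ini.endswith("\n")
    lines = notes_ini.splitlines()
    added = []
    for i, line in enumerate(lines):
        m = re.match(r"^\s*AntigenAveExts\s*=(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        current = [x.strip() for x in m.group(1).split(",") if x.strip()]
        have = {x.upper() for x in current}
        for ext in required:
            if ext not in have:
                current.append(ext)
                have.add(ext)
                added.append(ext)
        lines[i] = "AntigenAveExts=" + ",".join(current)
        break
    else:  # parameter not present at all
        lines.append("AntigenAveExts=" + ",".join(required))
        added = list(required)
    text = "\n".join(lines)
    if had_newline:
        text += "\n"
    return text, added


if __name__ == "__main__":
    print(scan_all_attachments_status(read_scan_all_attachments()))
    # constructed notes.ini fragment for the Domino case
    sample = "ServerTasks=Replica,Router\nAntigenAveExts=.EXE,.COM,.jpg\n"
    updated, added = ensure_ave_exts(sample)
    print("added:", added)
    print(updated)
```

Recycle the Domino services after writing the updated file, as the bulletin says; the script only edits the text.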

Stop the madness

Over the years it has become more and more difficult to keep up with the virus naming schemes of various vendors. Blaster, Welchia, Wachovia, oh wait, not that last one. And then you have the variant names. One company’s aa variant is another company’s ai and another’s ah. It’s tough to keep track. You hear about a new virus alert and you just don’t know if you’ve already got that one covered or not.
If you use one AV product enterprise-wide, this probably isn’t much of a problem for you until you try to converse about a virus with an acolyte of another antivirus product. However, if you’re like me, you have multiple antivirus companies at the various layers of your company. You even have multiple AV engines in a single product like Sybari Antigen or MessageLabs. This is where the nightmare starts.
Even over at secunia.com, which appears to be trying to be a repository of this information, they don’t get it right. I go over there to see what’s up with bagle.ai and they have it as being discovered today by Panda. What about yesterday with McAfee and Trend?
Has CVE really helped in the area of vulnerability tracking? I don’t know. The Common Vulnerabilities and Exposures database started by the Mitre Corporation keeps a list of standardized names and a vulnerability number for vulnerabilities. I think that’s the kind of third-party database we should have for virus naming schemes. However, since many viruses are flash-in-the-pan type events, we need these names fast. Some have suggested using a preordained naming scheme like they do with hurricanes. That still would not solve the variant problem.
I don’t know what the ultimate solution is. I just wish someone would stop the madness.