What is your selection criteria for corporate antivirus?

I was really impressed by the RFP George Washington University put together for their encryption project. It was made available at the SANS Desktop and Storage Encryption Summit that I attended a few months back.
I decided to sit down and try to hammer out a list of requirements for some upcoming projects. I would like to replace the corporate antivirus that we currently use on our desktops and servers. I’ve been kind of impressed with what McAfee has done. Many companies left them for Symantec at the turn of the millennium: McAfee was too difficult to update and had a reputation for bogging systems down. Now McAfee has a reputation for being easy to manage through ePolicy Orchestrator, and many companies have tired of Symantec’s lack of support, virus definition corruption problems and confusing update structure.
Certainly reputation is important. Experiences from someone you trust can go a lot further than a 30 day eval in a lab. The problem is that the people I know using McAfee have really drunk the koolaid. They’re like a Mac user: they can only bash the competition, and they apparently have nothing but positive experiences to report. It makes me question whether they can be trusted to provide a true evaluation of McAfee.
Actually detecting and cleaning is important. But how do you select which vendor is good at it? I read an interesting NIST article on that from 1996. Rather than evaluating vendors on the basis of some virus zoo, I think a better evaluation is to 1) measure their response time when a new variant comes out, and 2) measure how they perform when signatures aren’t available and all that is left is heuristics and behavior profiling.
Another requirement is the ability to control which PUPs (potentially unwanted programs) are detected and what happens when they are. I am sick of getting alerts about Netcat. I don’t have a problem with it being in my environment, but because Symantec made an error in the version I’m running, I can’t completely exclude it from detection.
It is just so easy to make the evaluation points all of the things you hate about the current product, rather than brainstorming a full list of requirements.
Currently we have a lot of systems having issues with corrupt virus definitions. Gartner reports that McAfee has the same problems. How do I know if that’s a real issue? Is it better or worse than my Symantec problems?


  1. People who use McAfee drink the kool-aid? (Flavor-Aid, to be pedantic.) We used McAfee 8.0i and EPO 3 at the last company I worked at (a Fortune 500 clothing company), and it was the worst AV I’ve ever used. Our EPO server was installed by them at great cost, and barely worked. It failed to catch Nachi even though the defs were up-to-date, the spyware detection was a pay-for add-on, and we wound up using logon scripts to deploy updates because EPO was such junk.
    We had about a 33% rate of users disabling AV for performance issues. The company I’m at now uses SAV 10.1, and we don’t have that problem. SAV may not be the best (I’ve only worked with SAV and McAfee, and Sybari on Exchange) but it’s the best I’ve used, and it’s at least “adequate”.
    (Maybe the reason everyone says they love McAfee is because they’ll sue you if you say otherwise: http://www.oag.state.ny.us/press/2003/jan/jan17a_03.html )

  2. Have you tried NOD32 from ESET? http://www.eset.com/
    It’s extremely fast (being written largely in assembler) and doesn’t use half of the processor like Symantec. The heuristics are also extremely powerful – it’s not missed a new virus to my knowledge.

  3. It’s probably been 5 or 6 years since I last looked at Nod32. I didn’t even know they offered enterprise protection. Interesting!
    There is that old saying, ‘no one ever got fired for buying IBM.’
    Does anyone know of companies using NOD32 at the desktop?
