Processor: Is Your Antivirus Working?

Processor | February 13, 2009

Your Security Software Can’t Afford Downtime

You have installed the latest and greatest antivirus software, so your end points are safe and sound, right? Not necessarily. According to a recent Promisec (www.promisec.com) survey, more than 25% of enterprise users have disabled or deactivated the antivirus software on their laptops or servers. Those systems, the end points, are an ideal place for a breach to start, and the recovery expenses that follow can be enormous.

Users disable antivirus for many different reasons. They may be annoyed by the scanning or by the download of virus signatures. An application they are installing may have instructed them to disable the antivirus agent, because some applications conflict with antivirus agents. Even a well-intentioned user who plans to restart the agent manually “when there is time” leaves the laptop or desktop wide open to threats until that happens.

Users’ lack of attention is in stark contrast to the increasing importance of protecting enterprise end points. Endpoint vulnerability reduction is at the top of most IT priority lists, as internal and external threats to an organization’s data assets are at an all-time high. Jim Waggoner, director of product management for Endpoint Protection at Symantec (www.symantec.com), says, “Viruses and other security breaches are no longer created to play a prank; it is now about money.” Today’s malware is written to capture credit card, bank account, and Social Security information, the primary focus of the malware writers.

The challenge is the rate at which new viruses appear, which requires a constant and proactive protection process. Disabling an antivirus application for even a few hours at a single end point can leave corporate data vulnerable.

The Starting Point
At a minimum, your antivirus application needs to be installed and updated frequently. New threats arrive daily, and missing these updates can be dangerous. Second, SMEs (small and midsized enterprises) with limited IT resources need antivirus applications that manage and automate as much of this as possible.

“Installation of the software isn’t enough,” says Waggoner. “That must be followed with a console that can make sure your antivirus software is active and up-to-date and if it is not, can alert you to that condition.”

Most antivirus agents will update themselves periodically to ensure that they have the latest virus signatures. Far fewer will report that status back to a centralized console, and fewer still will do more than alert you to a problem, which, when you are managing hundreds, if not thousands, of end points, is itself a problem. The busy IT professional has too many other irons in the fire to be constantly checking an antivirus status screen.

Antivirus solutions need to take care of things on their own and let you know that they did. “An important capability for your antivirus solution is to make sure it has some form of automatic remediation,” continues Waggoner. “Automatic remediation is more than just the ability of an antivirus application to restart itself if a user cancels the application. It is also the ability to reinstall and reload the application if the user deletes it.”

The Third-Party Audit
The top priority in verifying that your antivirus is working, according to Promisec’s VP of Marketing, Alan Komet, is to have a console in place that will report on the status of antivirus protection. “The challenge with built-in consoles from antivirus software developers is that they only detect their software,” he says, “and often even that reporting is inaccurate, reporting working agents that are not actually working.”

“There are even cases where users have disabled the antivirus software and then the laptop becomes infected by a virus that targets the antivirus application itself. What is needed is a third-party tool that can provide an independent validation that the antivirus software is installed, active, and up-to-date.”
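As an added illustration (not code from the article, Symantec, or Promisec), here is a Python audit routine that does what both Waggoner and Komet describe: it checks each end point’s antivirus status independently of the vendor’s own console and decides whether the agent needs a restart, a signature update, or a reinstall. On Windows the raw values come from the Security Center WMI class `AntiVirusProduct` (namespace `root\SecurityCenter2`, or `root\SecurityCenter` on XP), whose `productState` field is decoded here using the commonly published bit layout; Microsoft does not formally document that field, so treat the decoding as an assumption and verify it against your own products. The endpoint records, the product name `ExampleAV`, and the three-day staleness threshold are constructed for the example.

```python
"""Check that each end point's antivirus is installed, running and up to
date, and report what remediation it needs.

Added example; not code from the article, Symantec or Promisec.
On Windows the raw values come from the Security Center WMI class
AntiVirusProduct (namespace root\\SecurityCenter2; root\\SecurityCenter
on XP).  Its productState field is undocumented by Microsoft; the
decoding below is the widely published community interpretation and
is an assumption of this example.  Endpoint records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed policy threshold


@dataclass
class AvState:
    enabled: bool              # real-time scanner on
    signatures_current: bool   # product says definitions are up to date


def decode_product_state(product_state: int) -> AvState:
    """Decode AntiVirusProduct.productState.

    Written as six hex digits PPSSUU:
      PP  provider/product type   (not needed here)
      SS  scanner state: 0x10 or 0x11 = enabled, 0x00 or 0x01 = disabled
      UU  definitions:   0x00 = up to date, 0x10 = out of date
    e.g. 266240 == 0x041000 -> enabled, up to date
         262144 == 0x040000 -> disabled, up to date
    """
    hexstate = f"{product_state:06x}"
    scanner = int(hexstate[2:4], 16)
    definitions = int(hexstate[4:6], 16)
    return AvState(enabled=scanner in (0x10, 0x11),
                   signatures_current=(definitions == 0x00))


@dataclass
class Endpoint:
    host: str
    product: Optional[str]                     # None: no AV product registered
    product_state: int
    last_signature_update: Optional[datetime]  # taken from the product's definition files


def audit(endpoints: List[Endpoint], now: datetime) -> Dict[str, List[str]]:
    """Return {host: [finding, ...]} for every end point that needs action."""
    findings: Dict[str, List[str]] = {}
    for ep in endpoints:
        problems = []
        if ep.product is None:
            problems.append("no antivirus product registered: reinstall agent")
        else:
            state = decode_product_state(ep.product_state)
            if not state.enabled:
                problems.append(f"{ep.product} real-time protection disabled: restart agent")
            if not state.signatures_current:
                problems.append(f"{ep.product} reports definitions out of date: force update")
            if (ep.last_signature_update is None
                    or now - ep.last_signature_update > MAX_SIGNATURE_AGE):
                problems.append("definition timestamp older than policy: force update")
        if problems:
            findings[ep.host] = problems
    return findings


# Constructed inventory, as a third-party console might collect it.
NOW = datetime(2009, 2, 13, 9, 0)
SAMPLE_ENDPOINTS = [
    Endpoint("lt-sales-01", "ExampleAV", 0x041000, NOW - timedelta(hours=6)),
    Endpoint("lt-sales-02", "ExampleAV", 0x040000, NOW - timedelta(hours=6)),  # user disabled it
    Endpoint("srv-file-01", "ExampleAV", 0x041010, NOW - timedelta(days=9)),   # stale definitions
    Endpoint("lt-eng-07", None, 0, None),                                       # agent uninstalled
]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_ENDPOINTS, NOW).items():
        print(host)
        for p in problems:
            print("  -", p)
```

On a live Windows machine the `displayName` and `productState` values can be read with `Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct`; the signature date itself has to come from the product (for example the modification time of its definition files), because Security Center only exposes the up-to-date flag. Note that `lt-sales-01` produces no finding while the other three each get a specific action, which is the difference between a console that merely alerts and one that can drive remediation.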

Additionally, these consoles should advise on other security threats, such as missing service packs, unauthorized removable storage, and unauthorized peer-to-peer applications, such as personal VoIP software or instant-messaging applications.

These applications need to examine the current state of a machine but also remember its recent configurations. For example, in the case of unauthorized removable storage, the console software will have to work forensically to identify a device that was attached in the past, even if it is not present at the time of the scan.
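As an added example (not code from the article or any product named in it), here is a Python routine that does the forensic part of that check: it reads an export of the USBSTOR registry key, where Windows records every USB mass-storage device it has enumerated, and lists those devices with their serial numbers even though none of them is plugged in at scan time. The export is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg` (a UTF-16 text file). The embedded sample is constructed, not a real export, and the rule that a device without a unique serial gets a Windows-generated instance id with `&` as its second character is the usual forensic heuristic, stated here as an assumption.

```python
"""List removable-storage devices that have been attached to a Windows
machine in the past, from an export of the USBSTOR registry key.

Added example; not from the article or any product it mentions.
Windows keeps one key per device under
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\<Disk&Ven_x&Prod_y&Rev_z>\\<instance>
and the key survives the device being unplugged.  Produce the input with
    reg export HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR usbstor.reg
and read it with open(path, encoding="utf-16").  SAMPLE_REG is constructed.
"""
import re
from typing import Dict, List

USBSTOR_DEVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"(?P<model>[^\\\]]+)\\(?P<instance>[^\\\]]+)\]$"
)
STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed sample in the format reg.exe writes; not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530012345678901234&0]
"FriendlyName"="SanDisk Cruzer USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530012345678901234&0\Device Parameters]
"Partmgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E06B3AC1F0A0&0]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"
'''


def parse_usbstor(reg_text: str) -> List[Dict[str, object]]:
    """Return one record per device instance key found in the export."""
    devices: List[Dict[str, object]] = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = USBSTOR_DEVICE_KEY.match(line)
        if m:
            instance = m.group("instance")
            # Instance id is "<serial>&<index>".  Devices with no unique
            # serial get a Windows-generated id whose second character is '&'
            # (assumed heuristic; see the module docstring).
            current = {
                "model": m.group("model"),
                "serial": instance.rsplit("&", 1)[0],
                "has_unique_serial": len(instance) > 1 and instance[1] != "&",
                "friendly_name": "",
            }
            devices.append(current)
            continue
        if line.startswith("["):
            current = None       # some other key, e.g. ...\Device Parameters
            continue
        v = STRING_VALUE.match(line)
        if v and current is not None and v.group("name") == "FriendlyName":
            current["friendly_name"] = v.group("value")
    return devices


if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_REG):
        print(dev["friendly_name"], "serial", dev["serial"],
              "(unique)" if dev["has_unique_serial"] else "(generated id)")
```

Because the model key and the instance key are distinct registry levels, the parser only records devices at the instance level and ignores the intermediate model keys and the `Device Parameters` subkeys beneath each instance; a console that wants to block a specific stick rather than a whole model would key its policy on the serial.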

Protecting shares is also critical. The next time you have a layover, go to an airport lounge and see how many hard drives you can access on the wireless network. The results can be alarming, especially when you consider that some of these may be your users.

“It is also important to have the console software agentless,” Komet says. “In many cases, agents in and of themselves create security holes or require special provisions in your firewall and security measures.”

Protecting your end points from viruses and other threats is a big challenge. They are often mobile and out of the control of IT. Proactive auditing and monitoring are required to make sure that an end point doesn’t become compromised and, more importantly, doesn’t spread that contamination to the corporate data assets.
