The results of the Feb 2007 Anti-Virus Comparatives report were released today. The big news is the poor performance of Microsoft’s OneCare, the home-use product. Faced with the same threats as the other products, it only successfully defended against 82.4% of them. OneCare is still a fairly new contender in this field. Given how focused Microsoft is on the anti-malware field right now, I would not be surprised to see them make some serious improvements.
The performance chart (follow the "Comparatives" link) shows the big names performed as follows:
- GriSoft AVG Anti-Malware: 96.37%
- Kaspersky Labs AV: 97.89%
- McAfee Virus Scan: 91.63%
- ESET NOD32 AV: 86.71%
- Symantec NAV: 96.83%
The top performer was G DATA Security AntiVirusKit (AVK) at 99.45%. There was no mention of Sophos or Trend Micro.
As you can see, none of them were perfect. The last report I read had NOD32 at the top end of the charts, so things clearly change quite quickly. This makes it very clear, and reinforces, that you must have a layered defense. I’ve come across organisations that trust their entire anti-malware defense to one vendor. This report makes it clear that such reliance on a single vendor opens a door into those networks.
E-mail has become the most common source of threats. It is more important than ever to run multiple engines on, at least, your gateways. Using MS Forefront Security for Exchange (I’m assuming that it’s the same as MS Antigen for Exchange Messaging Security Suite) you could run 4 engines on your gateways and a different 4 engines on your mailbox servers. To maximise performance but still have layered defenses, you could scan each mail with 2 of the four engines on the gateway and with 1 engine on the mailbox servers.
A second, less common source, if you run a proxy filter, is web downloads. I’ve come across some pretty poor solutions that intercept downloads and pause them until the entire file has been downloaded and scanned. This can break automated downloads, e.g. AV and WSUS updates, and can annoy users. Try to pick a different solution from the one you have on your mail gateways.
A different vendor should then protect your servers. You may even consider yet another vendor for desktops, but I would normally be happy with one vendor scanning internal servers, applications and desktops, ideally using different engines to those on the gateways. Personally, I’ve been a fan of Trend Micro and have used it in a few sites. I know people I trust who speak very highly of Sophos and NOD32. I’ve checked out MS Forefront Client Security. I can’t speak for the engine, but I do like how the architecture will work in multi-site deployments and how easy it looks to manage.
Credit: Bink.