We use TrendMicro because the client is lightweight, it has decent centralized management and the pricing is reasonable. That said … do you need AV at all, at least on the client side?
For pretty much my entire career we’ve had AV on the Windows machines, but 3 years ago I just got so fed up with the problems: AV clients that kill performance, AV clients that cause apps to stop working, AV clients that have security flaws (!) and then need to be patched … we were just done with it. Every AV company likes to brag about how they stop approximately 268 hojillion viruses, but only a handful of those even matter. When was the last time anyone got Sircam? And then when a new threat breaks out it’s days before an update comes out anyway.
We had been moving to a security model where everyone is a regular user on their desktops; not local admin, not power user, just user. After moving everyone to user permissions I dumped client-side AV, and for 3 years we haven’t used AV on the desktops and laptops. Limiting user privileges has been most effective for stopping malware because instead of trying to blacklist every known threat we are securing our infrastructure correctly to begin with. In addition to limiting user permissions we also make sure we roll out vendor patches quickly, after testing, of course.
We still use AV on the file servers and email gateway servers but that’s only to scan for incoming issues … say malware in a file coming from an outside party. So we still have AV on some of the servers but dumping AV on the clients has been a success.
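The model in the post above (standard users only, fast patching, no client AV) only works if the permissions are actually restricted, so the thing to verify is who is really a local admin and what executable code is sitting in the one place a standard user can always write, the profile folder. The PowerShell below is an added example, not code from the thread or from any poster in it. It audits both points and, as the enforcement side, shows an AppLocker path rule set that denies execution from the profile tree in audit-only mode. The account names in `$ApprovedAdmins`, the sub-folders in `$ProfileSubFolders`, the extension list, and the rule GUIDs are all assumptions for illustration.

```powershell
# Added example, not from the thread or any poster in it.
# Assumptions: Windows with PowerShell 5.1+ (Get-LocalGroupMember), run elevated;
# $ApprovedAdmins, $ProfileSubFolders and $ExecExtensions are illustrative values.
$ApprovedAdmins    = @('Administrator', 'CORP\Desktop-Admins')
$ProfileSubFolders = @('AppData\Local', 'AppData\Roaming', 'Downloads', 'Desktop')
$ExecExtensions    = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.hta')

# Control 1: nobody is a local admin who is not on the approved list.
function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            # Local accounts come back as MACHINE\name; compare on the bare name.
            # Domain principals keep their DOMAIN\ prefix.
            $name = if ($_.PrincipalSource -eq 'Local') { $_.Name.Split('\')[-1] } else { $_.Name }
            $Approved -notcontains $name
        } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Control 2: executable code in user profiles, i.e. what a non-admin can still run.
function Get-ProfileExecutables {
    param([string[]]$SubFolders = $ProfileSubFolders, [string[]]$Extensions = $ExecExtensions)
    $skip = @('Public', 'Default', 'Default User', 'All Users')
    Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
        Where-Object { $skip -notcontains $_.Name } |
        ForEach-Object {
            $prof = $_
            foreach ($sub in $SubFolders) {
                $dir = Join-Path $prof.FullName $sub
                if (Test-Path -LiteralPath $dir) {
                    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
                        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
                        ForEach-Object {
                            [pscustomobject]@{
                                User      = $prof.Name
                                Path      = $_.FullName
                                Modified  = $_.LastWriteTime
                                # NotSigned or HashMismatch on a recently written file is worth a look
                                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                            }
                        }
                }
            }
        }
}

# Enforcement side: AppLocker EXE rules that keep the usual default allows
# (Program Files, Windows, anything for Administrators) and add a Deny for
# Everyone (S-1-1-0) on the profile tree. Deny wins over Allow in AppLocker.
# EnforcementMode="AuditOnly" only logs to the AppLocker event log, so you see
# what would break before switching to "Enabled". Rule GUIDs are arbitrary.
# Needs a Windows edition with AppLocker and the Application Identity service.
$ProfileDenyPolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-4222-8222-222222222222" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-4333-8333-333333333333" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-8444-444444444444" Name="Deny EXE from user profiles" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Set-ProfileDenyPolicyAuditOnly {
    $xmlPath = Join-Path $env:TEMP 'applocker-deny-profiles.xml'
    Set-Content -LiteralPath $xmlPath -Value $ProfileDenyPolicy -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge   # -Merge keeps any rules already present
    Get-AppLockerPolicy -Effective -Xml              # show what is now in force
}

Get-UnapprovedLocalAdmins | Format-Table -AutoSize
Get-ProfileExecutables | Sort-Object Modified -Descending | Format-Table -AutoSize
# Set-ProfileDenyPolicyAuditOnly   # run once the audit output above has been reviewed
```

Two caveats a practitioner would add: the Deny applies to Everyone, so it also hits administrators running things from their own profile, which matches the post's "nobody is local admin" posture but will surprise anyone who tests as admin; and a path-based Exe rule is a floor, not a ceiling, since it says nothing about DLLs, scripts or installers (separate rule collections) and any user-writable folder under %WINDIR% or %PROGRAMFILES% is a way around it.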
That's amazing. I'd guess most are not confident enough to attempt such a setup. Do you have issues with things running from within the users' profile folders and not necessarily "installing" on the systems?
We switched from Symantec to Kaspersky over a year ago and have been very pleased. The centralized management is not as good as it could be but the application is so much more lightweight on the clients. The pricing was also excellent compared to Symantec.
Jeff Hengesbach: "Do you have issues with things running from within the users' profile folders and not necessarily "installing" on the systems?"
Not particularly. We have had some malware issues but these incidents have been quite rare and I have no confidence that AV would have stopped them given our past experiences. I can’t comment on the difficulty of removing the malware from a windows install without AV after an infection because our solution to malware infections has always been to take off and nuke the entire site from orbit. It's the only way to be sure.
Jeff Hengesbach: "The pricing was also excellent compared to Symantec."
We saved money by dumping Symantec as well, but that’s not saying much … it’s hard to imagine how you would not save money with someone else. Maybe if your install media was gold-plated and encrusted with gems it would be more expensive than Symantec.
Well sure, everyone’s targeting Windows. But are we talking about something that infects that one machine or something that spreads through the network? Because nobody cares about a desktop per se … desktops are expendable and can always just be reloaded … whereas something network-wide is more serious. I mean, in your example it wasn’t like that user went around plugging their media player into every desktop in the company.
I haven’t seen something that successfully attacks patched Windows machines over the network and yet is stopped by AV. Have you? I’m asking an honest question because my strategy is that we’re killing malware at the email gateway, we are eliminating security holes through patching, we are blocking it from installing by restricting permissions, and if it does infect a machine then we will blow that machine away and reload. But that strategy assumes that malware can’t spread to other desktops if those desktops are patched. So far this has been true, but if you’re routinely seeing something different …
I've been using KAV for the last 3 years for the MS Win clients, and I'm fine with it. What Isaac says is interesting and clever, but not every company wants that kind of policy … unfortunately. Nice discussion :)
We use McAfee too and are about to start looking round at other vendors as our renewal is due earlyish next year. We did this last year and came close to Kaspersky, but during testing they released about 3 or 4 patches which required a reboot of even the server edition of the AV, which didn't impress us one bit! The new McAfee ePO is miles better than what we were running (an older version at the time), so we have since moved up to that.
Other vendors just didn't seem "enterprisey" enough - they appeared to be aimed more at the SMBs with tens of machines, not hundreds/thousands.
I’ve been trying to rethink a lot of assumptions regarding how networks are built, and dumping AV came out of that. It’s always just been a given that you run AV on Windows, but MS has come a long way from Windows 95/98. I feel that not everyone is entirely cognizant of that and really hasn’t questioned things that were needed in the past but not now. Things like running as a local admin or having client AV, for instance.
Many traditional concepts are very valid and I’ve learned a lot from more experienced people but not everything is relevant anymore. I’m not trying to say everything new is good either, I’m incredibly skeptical of using “the cloud” for apps that matter for instance, but that’s the new thing everyone is pushing.
Anyway I head up IT at a small company and that has many disadvantages but one advantage is that I can just do things differently without having to deal with other teams or entrenched views from other managers.
I like the idea of an AV-less PC in an ideal world, but the world can never be ideal!
Things work great when the PC user is just a user and works with resources on his PC. But the major problem comes when he connects to the world of the internet. There are a lot of ways to inject infections into a PC through the browser. If at least one PC is compromised, it can spread to other PCs at your LAN speed. I browse on my home computer with just user rights and I get some valid virus alerts from my AV client. They are real and trying to infect my system even though I have normal user rights.
I prefer having a decent AV on the PC along with the restrictions Isaac mentioned.
I agree... there are too many ways around not having admin rights: rights escalation through exploits, etc. The only way an internet-connected PC is safe without AV is if it's really locked down, with some kind of blacklisting, or something that removes any changes after reboot, like Microsoft SteadyState or Deep Freeze (though this doesn't prevent infection, it just cleans it up afterward).