The SysAdmin Network


Free antivirus vs. Paid for AV vs. Firewalls vs. application whitelisting

I'm a big fan of everything open source or just plain free. I always recommend applications such as OpenOffice.org to those that really don't need to buy MS Office. But I've always been a bit hesitant to say that a free alternative to Norton/Symantec is good enough. I've always liked Clam and AVG, but somehow always thought that they'd only catch 99% of the bad stuff, and that 1% is the dealbreaker. The reason I thought that the commercial versions were better is that the company backing the product would have the resources to keep current with existing viruses and malware, while the community or smaller company behind the freebies would be a bit too late.

But now, after learning much more about penetration testing and the tools available, such as Nessus and Metasploit, I see that the blacklisting style of AV is really a thing of the past. I've looked into application whitelisting, which is a fantastic concept and works really well if you want to keep your environment stable. I evaluated a few products that have the enterprise in mind (Bit9, Lumension, Savant), but then found that there's really no equivalent for home and personal use. At least nothing advertised as such.

Oh well, I thought. Whitelisting's time perhaps has not come, so I'll keep using good old AV. I got myself Kaspersky's Internet Security, which is held in high regard among the hacking/security community. It includes a firewall that works inbound and outbound, allowing you to control what applications can access the internet. It's not application whitelisting, which allows you to prevent an app from being run at all, but by preventing an app from connecting to anything outside, it's a huge step toward preventing the spread of malware that hasn't made it into the antivirus signature hall of fame. Kaspersky set me back $60 for 3 computers. Not bad.

But then I tried Comodo Internet Security. Free for personal use. Seems simple enough for most users, has a firewall too... but then I dug into the settings a bit more. Damn. All the control you have over apps! Very impressive. For free? Unbelievable! Although it's disabled by default, it actually has what is effectively application whitelisting. It might be a bit chatty for the average user, potentially asking you about every single file being accessed, but for techies that want to know what's really going on on their machine, and really want control and confidence that they're secure, this is it.

If there were a way to manage this type of protection across the enterprise, Symantec would be out!

So what products do you recommend for home use? What do you think is best for business/enterprise?
What part does the firewall play alongside the AV? Any experience with whitelisting? Any other great freebies worth trying?

If you try Comodo, I'd love to hear what you think of it.


Comment by Adam Ruth on April 3, 2009 at 3:29am
How does it whitelist applications? By file signature or some other mechanism? I'd not heard of whitelisting applications before, if this is something that would be difficult to spoof, it's something to look into.
Comment by Constantin Visan on April 7, 2009 at 12:59pm
Hi Paul,
I use AVAST because it also has email scanning, together with the COMODO firewall. Or you can use AVIRA, also for free, but with no email scanning. Both have auto-update for virus signatures.

Cheers
Comment by Steven on April 7, 2009 at 3:33pm
For our firewall we're using Untangle. It has ClamAV as well as quite effective spam filters, email security and remote access capabilities. I'm such a fan we upgraded from the Open Source version and bought the "Pro" version. So far it's caught any incoming viruses and say 85% of the Spam.

Our email server (MDaemon) uses Kaspersky as its scanning engine (just in case Untangle misses something) and has its own set of spam filters as well.

Client-side... Symantec. Which I hate. We're going to switch, I'm not sure to what yet. I've heard good things about AVG's Enterprise version as well as Trend Micro. But I'm *really* interested in this topic.

I have a client with Exchange that also hates Symantec. So any recommendations on that?
Comment by Albert Widjaja on April 8, 2009 at 12:31am
On the server side, to secure my Exchange Server 2007 email traffic I use ForeFront Security for Microsoft Exchange SP1,

while on the client side I use Symantec Endpoint Protection MR4 (the latest), and so far I've had no problem with malware; only a few spam messages get through (1-2 per day).
Comment by Thomas Stensitzki on April 8, 2009 at 12:14pm
There is quite a difference for such solutions depending on whether they are used for personal use or in an enterprise environment. In an enterprise environment I prefer to use a multi-step concept. For AV I recommend using gateway security solutions as well as client solutions which can be managed from a central console (like Trend Micro). Gateway security must be aware of the different ways viruses can enter a company network (HTTP, HTTPS, FTP, SMTP). For preventing spam from entering a company LAN we use (and recommend) the NoSpamProxy software solution by NetAtWork.
Comment by Robert Chipperfield on April 8, 2009 at 4:25pm
At work we use ESET Nod32, and I've started using that at home now as well. For a long time I've been a fan of AVG, but recently got bitten by a few things slipping through.

Nod32 seems to be blisteringly fast as well, which can only be a good thing!
Comment by Paul Stoklosa on April 8, 2009 at 6:53pm
As a follow-up to this blog post, Comodo does have an enterprise endpoint product that centrally manages this AV/firewall/whitelisting juggernaut. I've been toying with a trial for 3 days now, and I gotta say, I like it. Works as advertised, which is saying a lot. A little tricky to manage at first, but once you get the logic, it works great. Pricing is in the $17-25 range depending on number of nodes, on par with Symantec Endpoint.
Comment by Paul Stoklosa on April 8, 2009 at 7:02pm
@adam. Yes, whitelisting usually works by file signature: hashes, like MD5 or SHA1, so if the file is changed at all, it's treated as a new file, which is good because a malicious program can be 'bound' to existing system files (I've seen this done by such tools as 'prorat'). The concept is really solid and almost guarantees that malicious code does not run (or any unknown code, for that matter). It is definitely many times safer than antivirus since it also protects against unknown malicious content such as new 0-day hacks and custom jobs. Definitely the future of security; although it's been around a while, it hasn't caught on much at all. I think everyone should look into it more. There's more effort in the initial setup, but worth it imho.
Comment by milt mallory on April 16, 2009 at 12:39am
I use Avast on my personal stuff, Symantec at work, and we have Juniper Netscreen-ISG 1000 firewalls. I'm always trying out things like Spybot Search and Destroy, and Glary Utilities seems pretty good. What's the consensus on Linux (CentOS/Gentoo in my case) servers these days?
Comment by Paul Stoklosa on April 16, 2009 at 3:23am
My stance on Linux servers is that no one should ever be accessing the internet by browser or opening emails on a server. That should be done on a workstation, and if Linux, not as root. Aside from that, I'd recommend that only the services you need be running, and that they are always up to date with security patches. Also run some system integrity checks (a host-based intrusion detection system) to be certain that nothing gets changed that you didn't change yourself. Tripwire is standard; another user on this site turned me on to OSSEC. It's great, and I'm slowly rolling it out on all our servers. A firewall should be in place on the network to prevent access from the net, and a second firewall on the server itself, such as iptables, would be good just in case the first one fails for some reason (accidental allow-all scenario). Of course there's always ClamAV that you can run on Linux.

The idea that I do want to stress though, mostly on the Windows side of things, is that the classic antivirus approach to security is just about obsolete. I guess I should start a new blog post on this, but AV providers can no longer keep up, and can't possibly be aware of all malware being created by hackers. Therefore, what I'm looking for are products that move the level of protection up a notch. Symantec Endpoint Protection is already dabbling in whitelisting and firewalling, but I see these other tools are already much more advanced than the big guy...
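To make concrete the two points Paul raises above (hash-based whitelisting treating any changed binary as a new, untrusted file, and host integrity checks that flag anything you didn't change yourself), here is a small added Python example. It is not code from the post or from any product named in the thread; it uses SHA-256 rather than MD5/SHA1 because those two are now collision-prone, and the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Allow-list: map each trusted file path to its digest at baseline time."""
    return {p: file_digest(p) for p in paths}


def check_against_baseline(baseline, paths):
    """Classify files as ok / modified / unknown / missing.
    Only 'ok' files match the allow-list; everything else is reported, not trusted."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    current = {p: file_digest(p) for p in paths if os.path.exists(p)}
    for p, digest in current.items():
        if p not in baseline:
            report["unknown"].append(p)      # never seen: a dropped file
        elif baseline[p] != digest:
            report["modified"].append(p)     # changed bytes: treated as a new file
        else:
            report["ok"].append(p)
    report["missing"] = [p for p in baseline if p not in current]
    return report


def demo():
    """Constructed scenario: baseline two files, alter one, drop a third one in."""
    d = tempfile.mkdtemp()
    good, other, dropped = (os.path.join(d, n) for n in ("good.exe", "other.exe", "dropped.exe"))
    for p in (good, other):
        with open(p, "wb") as f:
            f.write(b"MZ original program bytes (constructed)\n")
    baseline = build_baseline([good, other])
    with open(good, "ab") as f:          # simulate a binder appending to a known binary
        f.write(b"extra bytes appended after baseline (constructed)\n")
    with open(dropped, "wb") as f:       # simulate a file that was never allow-listed
        f.write(b"MZ never seen before (constructed)\n")
    report = check_against_baseline(baseline, [good, other, dropped])
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```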
