I remember the first time I saw an AI antivirus program. I was amazed, impressed, and sure that it would be something we’d want to use back at my day job. After the conference, I leaned over the cube wall of the AV Manager and started to tell him what I saw.
He smiled, kind of cut me off, and said, “I’ve heard of those guys and another vendor that does a similar thing. However…” He swung his monitor so I could see it. It showed his admin dashboard for AV installations. “I need one of these. I can’t have any AV product unless I get to see an enterprise dashboard that tells me who has it installed and who doesn’t.”
That was at a global megacorporation. PCI, HIPAA, and other regulations require that any PC that connects or even might connect to a sensitive network have antivirus software installed and running. The regulations do not specify that the antivirus actually has to work, just that it be installed and running. The primary concern in the big company is in delivering a report to an auditor that shows the AV software is installed and running on every PC in the company.
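The kind of report the AV manager is describing (every inventoried PC has an agent that checked in recently with current signatures) can be produced by reconciling the asset inventory against the AV console export. The script below is an added example and not part of the original post or any vendor's product; the inventory, the check-in records, the three-day staleness limit and the "current" signature version are all constructed assumptions for illustration.

```python
"""Reconcile an asset inventory against AV agent check-ins for an auditor-style coverage report.

Constructed example data: hostnames, departments, timestamps and signature versions
are invented for illustration and do not come from any real environment.
"""
from datetime import datetime, timedelta, timezone

# Asset inventory: every PC that is allowed to touch the sensitive network (constructed).
INVENTORY = {
    "WS-FIN-001": "finance",
    "WS-FIN-002": "finance",
    "WS-ENG-010": "engineering",
    "WS-ENG-011": "engineering",
    "WS-HR-020": "hr",
}

# AV console export: (hostname, last check-in as ISO 8601 UTC, signature version) (constructed).
AV_CHECKINS = [
    ("WS-FIN-001", "2024-05-01T08:00:00Z", "2024.05.01.1"),
    ("WS-FIN-002", "2024-04-10T08:00:00Z", "2024.04.09.3"),  # stale and outdated
    ("WS-ENG-010", "2024-05-01T07:55:00Z", "2024.05.01.1"),
    ("WS-LAB-099", "2024-05-01T07:50:00Z", "2024.05.01.1"),  # not in the inventory at all
]


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def coverage_report(inventory, checkins, now, max_age=timedelta(days=3), current_sig="2024.05.01.1"):
    """Return the gaps an auditor would ask about: missing, stale, outdated and unknown hosts.

    A host counts as compliant only if it is inventoried, has checked in within
    `max_age`, and reports the `current_sig` signature version (assumed policy).
    """
    seen = {}
    for host, ts, sig in checkins:
        seen[host] = (_parse_ts(ts), sig)

    missing = sorted(h for h in inventory if h not in seen)
    stale = sorted(h for h, (ts, _) in seen.items() if h in inventory and now - ts > max_age)
    outdated = sorted(h for h, (_, sig) in seen.items() if h in inventory and sig != current_sig)
    # Agents reporting from hosts nobody inventoried are a finding too: unmanaged machines.
    unknown = sorted(h for h in seen if h not in inventory)

    noncompliant = set(missing) | set(stale) | set(outdated)
    compliant = sorted(h for h in inventory if h not in noncompliant)
    pct = round(100.0 * len(compliant) / len(inventory), 1) if inventory else 0.0

    return {
        "missing": missing,
        "stale": stale,
        "outdated_signatures": outdated,
        "unknown_hosts": unknown,
        "compliant": compliant,
        "compliant_pct": pct,
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, AV_CHECKINS, now=_parse_ts("2024-05-01T09:00:00Z"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as a script it prints each category; the `unknown_hosts` bucket is the one most dashboards bury, yet an agent checking in from a machine that is not in the inventory is exactly the gap an auditor will eventually find.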
As for dealing with viruses, that’s a simple matter. Download the latest signature, test it against a development environment, verify that it doesn’t break production, then roll it out. While it’s true that most AV packages can’t deal with a zero-day threat, it’s also true that most threats are from the dim and distant past. Remember CIH? Melissa? Nimda? Well, they’re still out there. They’re out there with all of their old-school buddies from 20 years ago, and that AV program is there to keep all the known threats out of the PCs it protects.
Flashy new products are nice, but the big firms need to know where they’re installed. Until the flashy new product can deliver that information, it won’t be installed. Even if the product can identify virus writers and have them proactively incarcerated, if the AV manager can’t show that it’s on every PC, it won’t be installed.
At the other end of the business size continuum, the key factor is price. Really small firms will have each employee download a personal version of a free AV program and just hope that the Business Software Alliance never knocks on the door. Once the small business is big enough to be on the BSA’s radar, it’s likely that the margins there are so thin that if an AV solution isn’t free or near-free, it’s a non-starter. If the flashy new product can’t meet that price target, then the small firm is going with a near-free vendor that can protect against those legacy threats just as well as the flashy new product that might also be able to stop zero-day exploits before they happen. The thing is, that proactive stuff comes at a cost they can’t afford.
The mid-sized company that’s outgrowing its near-free AV solution but still isn’t yet ready to bow down at the altar of big corporate dashboards may be the best chance for that flashy new product to find a customer. That being said, the flashy new product has an uphill fight against the name recognition of the existing major players. Who’s been fighting against all those viruses for 20 years and more? Not the Johnny-Come-Lately product.
And that new AV product will also have to be sure that it never, ever, ever, never no never not ever takes down production. All those cool new algos and AI learning potential come face to face with the stark reality that, every so often, a production application does stuff that’s very much like a virus.
Maybe the developers took advantage of a Windows security hole to take care of a task. Maybe a developer copied and pasted some evil code into an app. These things can happen at any size of firm, and present real security issues.
I recently ran into this at a mid-sized company where I noticed that there were devices launching brute-force password attacks at file servers. We traced the attacks to PCs that were all in the same department. As it happened, they all used a particular application specific to their field that contained the brute-force code. The attacks continue as we wait for the vendor to issue an update that doesn’t include that code. The app was already white-listed with their AV program, so it didn’t get shut down, even though it was doing some horribly evil things on the network.
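Because the whitelisted app never trips the AV agent, the place to catch this is the file server's authentication failures. The script below is an added example, not code from the original post or from the vendor involved: it reads a constructed authentication-failure log format, flags any source that reaches a threshold of failures within a sliding time window, and then groups the flagged sources by /24 so that a cluster of offenders from one department's subnet stands out. The log lines, the field names, the five-failures-per-minute threshold and the subnet size are all assumptions for illustration.

```python
"""Flag brute-force sources in file-server auth failures and cluster them by subnet.

The log format, hosts, addresses and usernames below are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: three workstations on one subnet hammering the file servers,
# plus one user on another subnet who simply mistyped a password twice.
LOG_LINES = """
2024-05-01T09:00:01Z fileserver01 auth_fail src=10.20.5.11 user=admin
2024-05-01T09:00:02Z fileserver01 auth_fail src=10.20.5.12 user=admin
2024-05-01T09:00:03Z fileserver01 auth_fail src=10.20.5.11 user=administrator
2024-05-01T09:00:04Z fileserver01 auth_fail src=10.20.5.12 user=administrator
2024-05-01T09:00:05Z fileserver01 auth_fail src=10.20.5.11 user=backup
2024-05-01T09:00:06Z fileserver01 auth_fail src=10.20.5.12 user=backup
2024-05-01T09:00:07Z fileserver01 auth_fail src=10.20.5.11 user=guest
2024-05-01T09:00:08Z fileserver01 auth_fail src=10.20.5.12 user=guest
2024-05-01T09:00:09Z fileserver01 auth_fail src=10.20.5.11 user=test
2024-05-01T09:00:10Z fileserver01 auth_fail src=10.20.5.12 user=test
2024-05-01T09:00:30Z fileserver02 auth_fail src=10.20.5.13 user=admin
2024-05-01T09:00:32Z fileserver02 auth_fail src=10.20.5.13 user=administrator
2024-05-01T09:00:34Z fileserver02 auth_fail src=10.20.5.13 user=backup
2024-05-01T09:00:36Z fileserver02 auth_fail src=10.20.5.13 user=guest
2024-05-01T09:00:38Z fileserver02 auth_fail src=10.20.5.13 user=test
2024-05-01T09:02:00Z fileserver01 logon_ok src=10.30.1.5 user=jsmith
2024-05-01T09:05:00Z fileserver01 auth_fail src=10.30.1.5 user=jsmith
2024-05-01T09:05:20Z fileserver01 auth_fail src=10.30.1.5 user=jsmith
""".strip().splitlines()

# Only failures matter here; anything else (e.g. logon_ok) is ignored by the regex.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<server>\S+) auth_fail src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse(lines):
    """Turn raw lines into (timestamp, server, src, user) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we do not understand instead of crashing the job
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["server"], m["src"], m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: details} for sources with >= threshold failures inside a sliding window.

    A per-source deque holds only the failures within `window` of the newest one, so
    memory stays bounded and a slow trickle of genuine typos never accumulates.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, _server, src, user in events:
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {
                "first_seen": q[0][0].isoformat(),
                "failures_in_window": len(q),
                "distinct_users": len({u for _, u in q}),  # many users from one host = spraying, not a typo
            }
    return flagged


def cluster_by_subnet(flagged, prefix=24):
    """Group flagged sources by network so a single department's subnet shows up as one cluster."""
    groups = defaultdict(list)
    for src in flagged:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        groups[str(net)].append(src)
    return dict(groups)


if __name__ == "__main__":
    hits = detect_bruteforce(parse(LOG_LINES))
    for src, info in hits.items():
        print(src, info)
    print(cluster_by_subnet(hits))
```

The subnet clustering is what turns three separate alerts into the observation the post describes: all of the offenders sit in one department, which points at a shared application rather than three independent infections.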
Then there’s the botnet I discovered one day in the badge readers at a large corporation. Those devices had enough Windows embedded in them to support the botnet, but not enough to be able to run the AV program. At least most of the company was running AV on their Windows workstations, so they were protected from becoming part of the badge reader botnet.
While malware running under whitelisted apps and on IoT devices can turn up at a company of any size, there’s one particularly nasty threat that grows more pervasive the smaller a firm is: users with local admin rights.
If users have local admin rights, and they typically do at the smaller firms, they can do all kinds of terrible things to their PCs, from accepting the installation of malware along with their Veeblefetzer searchbar add-on, on up to disabling their local AV program so that they can run their torrenting software without being interrupted about the malware that goes with those torrents. Large firms will also have local admin abusers, but the large firms are also more likely to be actively policing for that kind of abuse.
On the whole, I think small firms have it hardest when it comes to getting an AV solution. They have to deal with tight budgets, unchecked developers, and local admin rights for all, so they’ve got the hardest battle to fight. As firms get larger, they get better at fighting yesterday’s wars, but they remain open to tomorrow’s surprises.