Upgrade antivirus, consolidate servers — and scan often
Washington state’s Ecology Department does not have a particularly large network, about 800 computers at the headquarters in Olympia and another 700 or 800 in local offices throughout the state. But in the mid-2000s, the IT shop found that it had to reimage about 1 percent of those computers each week because of malware infections.
“We had an antivirus solution in place that wasn’t working,” said department IT specialist John Allen. “It wasn’t pretty.”
When looking for products, think small
Now the state is in the process of transforming its IT structure by allowing other departments to acquire services from the Department of Information Services (DIS). As part of this effort, Ecology is rehosting its e-mail service with DIS and reducing the number of servers it maintains from about 120 to about 20 through consolidation and virtualization. At the same time, it must accommodate budget cuts to make up for major statewide shortfalls in the 2011-2013 budget period.
Despite these challenges, “our security wasn’t bad,” Allen said. “Our users are pretty sharp. A lot of them are scientists. Malware was the biggest problem. We weren’t catching everything that came down the pike.”
Allen does not want to identify the product that was letting the malware into his network, although he says it was from one of the top four antivirus vendors. “They just weren’t cutting the mustard,” he said.
In early 2007, he moved to CounterSpy AntiSpyware from Sunbelt Software and saw an immediate spike in detection of viruses and other malware, along with a corresponding drop in infections. “I could probably count on two hands the number of computers we have reimaged in the last two years,” he said.
One of the reasons for the improvement was the impact the old antivirus program had on network performance, Allen said. He was not able to perform proactive scans or update signatures more than once a week because “it would inundate the network.” But with CounterSpy — now Vipre Antivirus — “we didn’t notice any performance impact,” he said.
The ability to scan files for threats without slowing performance is a big selling point for Vipre, said Jason Chronowitz, product manager for GFI Software, which acquired Sunbelt for its Vipre product suite in 2010. It inspects files with a client agent that uses heuristics and blacklists of known bad addresses and sites, as well as with malware signatures. Scanning schedules and policies for endpoint agents are set on the management console, which also can handle receiving and pushing updates to agents.
Signatures are a necessary but not sufficient tool for threat scanning, Chronowitz said. The ability to look beyond signatures is needed to help thwart social engineering attacks that solicit sensitive information or lure users to malicious sites where malware can be uploaded to a victim.
“Any antivirus product that walks away from signatures won’t be working effectively,” he said. “You need signatures, you need heuristics, you need bad URL filtering. You need a layered approach.”
Vipre was created from the ground up to provide a more comprehensive threat-scanning tool than CounterSpy AntiSpyware. It replaced CounterSpy when GFI ended support for that product in May.
Performance and security
As to maintaining network performance while scanning files, Chronowitz said, “The key is to not bloat your product with unnecessary features.”
Initially the Ecology Department used one Vipre management console and pushed all agent updates from that. Because of the number of local sites throughout the state that needed to be supported, consoles to handle updates locally have been placed in the larger offices, Allen said.
“We still do administration centrally, but we update locally,” to minimize network traffic, he said. The signature files are small, and updates can be done frequently without worrying about slowing down or bringing work to a halt, Allen said. “There is no impact at all from the updating.”
The threats being caught on his network follow the national trend away from exploiting operating system vulnerabilities and toward applications, he said. “The biggest things we see are probably for third-party software,” he said. “I think [Windows] is getting better,” and the most common target now seems to be Adobe.