December 1999

Exterminator Tools



Evaluating network antivirus software

Much has changed since the last time I had an opportunity to sit down with the leading Windows NT virus-detection tools. Today's viruses are sneakier, and the havoc they wreak is more difficult to recover from, than ever before. Widespread media coverage and the resulting public fear of viruses such as Melissa and Worm.ExploreZip stress the fact that networks of any size require an antivirus program.

When I began my evaluation of server-based antivirus programs, I faced an interesting question: Do the criteria for selecting a server-side program differ from the criteria for selecting a workstation solution? To answer that question, I had to establish a clear set of guidelines that differentiate workstation-based antivirus programs from their server-side counterparts.

Server-side programs keep multiple machines free from viral infections. That statement might strike you as obvious, but the criterion eliminated from my study a handful of programs that are viable only for single workstations or small peer-to-peer networks.

Another essential criterion for server-side antivirus programs is that they require little maintenance. On your PC, you might have all the time in the world to tweak options and download the latest virus-definition files. But in a network, the program needs to perform maintenance without requiring user intervention—automation is an important part of a successful network antivirus solution.

NT servers are vulnerable to users copying infected files to the server or running an infected file on their workstation. So, a server-side antivirus program needs to preemptively eradicate any threats to the network before a virus starts to spread.

An ideal server-side antivirus program is robust in its scanning options, provides a strong centralized management console to simplify the administrator's job, automatically updates frequently to catch the latest viruses, and can scale from a simple multisystem network to a large enterprise network. With that ideal in mind, I assembled a list of qualifying products. Then, I carefully evaluated the programs to determine the most effective tool for the discerning network administrator who wants to stay on top of today's viral threats.

[Editor's Note: Computer Associates' (CA's) InoculateIT doesn't appear in this comparative review because of installation difficulties. The Windows NT Magazine Lab is working with CA to correct the problem. In the near future, Windows NT Magazine will evaluate InoculateIT in a standalone review.]


ServerProtect 4.67
Despite owning a coveted piece of digital real estate among antivirus vendors (http://www.antivirus.com), Trend Micro is an underdog in a market that big names such as McAfee and Symantec dominate. Admirably, the company's contribution to the antivirus market, ServerProtect, touts functionality over marketing hype.

Trend Micro designed ServerProtect from the ground up to run as a LAN server antivirus utility. The company aims the product directly at the enterprise—complex networks with hundreds of interconnected machines. ServerProtect doesn't simply work with the workstations connected to your server. The product provides a centralized umbrella-like domain-management model that all your domain's servers fall under. This scenario lets you manage multiple servers and workstations from one console.

The product ships on one CD-ROM and includes a comprehensive ServerProtect User Manual that explains nearly every aspect of the program. The manual is well written and nicely illustrated—more than simply a throwaway gratuity.

ServerProtect boasts one of the smoothest installation processes I've encountered. You simply insert the CD-ROM and click a few buttons. The setup program takes a list of computer systems from the domain server and sets up the default scanning options, which are impressive.

ServerProtect is extremely flexible in its operation. As Screen 1 shows, you can set ServerProtect to scan files as you read or write them, monitor your system for suspicious behavior, and investigate compressed files.

Because ServerProtect maintains a list of all the servers and workstations that fall under your domain, the product uses a simple password-protection routine to keep unauthorized users from modifying your settings. When a scheduled scanning process begins, ServerProtect uses the remote procedure call (RPC) protocol to scan remote servers across the network.

ServerProtect's virus-detection routines are top-notch. Using rule-based and pattern-recognition algorithms, ServerProtect is possibly the most comprehensive virus scanner I've tested. The program caught every virus I introduced, including Melissa and Worm.ExploreZip. When I updated the virus pattern file (with updates that Trend Micro provides bimonthly), ServerProtect caught the new Back Orifice 2000 Trojan horse. When the software detects an infected file, ServerProtect offers to clean it, delete it, or quarantine the virus to a secure directory.

ServerProtect is as fast as it is thorough. A scan of my 12GB test disk (running at the default priority rate) took only 40 minutes to complete.

ServerProtect's realtime scanning utility is effective without eating up all your free resources. Using NT's Task Manager, I ascertained that ServerProtect's realtime scanning component uses only 800KB of memory at any time—a refreshing change from other programs that need as much as 2MB of RAM for their realtime scanning functions.

Updating the virus-definition files is a snap. ServerProtect includes built-in routines to download updates from Trend Micro's bulletin board system (BBS) or Web site. You can reduce the amount of maintenance work you must do by setting ServerProtect to automatically retrieve and install updates.

A program that reacts well to viruses needs an effective notification method. ServerProtect offers all the usual notification methods (e.g., network broadcasts, email notices) and also includes pager support—a must for administrators who aren't always tied down to their networks.

For remote maintenance, ServerProtect includes an efficient Web-based interface, from which you can peruse logs, change options, and trigger scans. This Web interface (unique to ServerProtect) lets you easily deploy updates across the network.

Trend Micro offers a separate server-side tool, the Trend Virus Control System (TVCS), that lets you configure and monitor antivirus software from your Web browser. At press time, Trend Micro has just released ServerProtect 5.0, which incorporates some of TVCS's central management features and lets you manage multiple NT and Novell NetWare servers and domains simultaneously. The new version improves ServerProtect's real-time scanning speed and manual scanning performance.

ServerProtect has all the essential features of an effective virus scanner. Administrators will embrace the package for its low-maintenance design and thorough testing patterns. ServerProtect is an excellent package that is worthy of your consideration.

ServerProtect 4.67
Contact: Trend Micro * 408-257-1500
Web: http://www.antivirus.com
Price: $600 for 25 users
System Requirements: Windows NT Server 3.51 or later, 15MB of hard disk space, 32MB of RAM


Reader Comments
Windows NT Magazine is the only technical magazine that I would miss lunch for, and that is exactly what happened today. I turned to Jonathan Chau's Lab Reports: "Exterminator Tools" (December 1999) to see what the article said about Command Software Systems' Command AntiVirus 4.57, which I purchased last year. I don't agree with a couple of the author's statements in the review.
The author states that the product doesn't offer paging options. I agree--but who wants a product to page you? If you have a well-mannered antivirus program, your immediate attention isn't needed.
The author also states that the product doesn't automatically retrieve definition updates. In CSS Central (the server-side program), you can find a Schedule button under Update, Configure FTP, Local Configuration. When you properly configure CSS Central, it will automatically download the latest definition files, component updates, or complete product updates. At each logon (or at 4:00 a.m. if users leave their systems on overnight), CSS Central will push needed updated files to the clients, without any user intervention.
I agree with the author's assessment that CSS Central is poorly documented, but Command Software Systems provides some of the best technical support in the software business. If I have a problem and can't find the solution on the company's Web site, I call--and the support is still free.
--Tony Hale

Tony Hale February 16, 2000


In "Exterminator Tools," Jonathan Chau states that CSS Central is poorly documented and that the Quick Start Guide devotes only 7 pages to CSS Central. Command Software Systems upgraded the documentation to more than 30 pages in July 1999.
--Wayne Sharp,
International Marketing Manager
Command Software Systems

Wayne Sharp February 16, 2000






Corrections to this Article:

  • This online article contains corrections to the section entitled "Network Associates McAfee NetShield 4.03" that came to light after the printed version went to press. We apologize for any inconvenience these errors might have caused.