Seeking advice on anti-virus and other security software
March 12, 2008 1:20 PM   Subscribe

I do okay with Windows Defender but its something of a resource hog when it does a full scan, but there's no avoiding that. The nice part about defender is that its free and its always scanning, like an anti-virus application.

You could also look at products that are anti-malware and anti-virus, like the Symantec anti-virus product. There's no need for Spybot and Defender then. Its also centralized through the symantec console.

I havent seen too many clash issues but on computers we have symantec on and windows defender on, they will cannibalize each other's quarantine, which is no big deal. Well, Symantec will detect a file in Defenders quarantine and take it.

I cant say which one is best, but centralized controls are a requirement. perhaps not for 20 people, but what if your non-profit is 50 people strong in a couple of years? Do you really want to run around making sure everyone has the right definitions, etc?

That said, switching to limited accounts is your best bet overall. The real vectors for viruses in my experience is via email and the web. Are you doing email server-side anti-virus scanning or just having the local anti-virus scan mail items? Are you blocking executable attachments from being sent and received? Are you blocking executable attachments from being sent and recieved in zip files or rar files?

Another thing to consider is a web proxy that scans for nasties. There's the popular baracuda product, but you may be able to roll your own usign Squid and ClamAV. This may be overkill for your environment though.
posted by damn dirty ape at 1:34 PM on March 12

Spybot doesn't conflict with Avast. Avast, and other AV products, integrate into the PC and offer real-time scanning/removal. Spybot isn't that advanced.

If you're looking for free solutions, I'd take Ad-Aware over Spybot, as the removal capabilities of Ad-Aware trump Spybot. For paid, there's many products, but the one that I recommend is Spyware Doctor. I've linked to a starter version, so you can check it out and see if it suits your needs, but it's much more effective than Ad-Aware or Spybot at removal. It's a fairly large program, though, so for puny systems, the users might need to be patient.

Also, keep in mind you can install a program like SpywareBlaster, which is a free, small java program that blocks spyware from installing.

For you AV needs, I'd keep Avast or go to AVG as far as free options. For paid, AV-Comparatives released their results yesterday on AV effectiveness.
posted by Psionic_Tim at 1:39 PM on March 12

Well, AV Comparatives doesn't allow deep linking, so click on 'Comparatives" and the most recent report date on the right.
posted by Psionic_Tim at 1:42 PM on March 12

If you want to get really hard core - I'm talking a manly, beat your chest sixpack of IT whoopass - install VMWare Player and a nice lightweight web browser appliance (or Microsoft Virtual PC and one of the WinXP IE images they give out) and require the staff to use them for all web browsing. Both of those options are free solutions which will essentially result in all web browsing being done in a sandboxed 2^nd operating system that viruses and spyware will be unable to escape from. (Though viruses and spyware can come in through other vectors besides web browsing, so keep up the AV.)

A future network-wide solution, done cleverly, could be rigged to prevent any browser in the host OSes from getting out to the internet, thereby ensuring that the web browsers in the virtual boxes must be used. (By having a separate IP range and a separate DHCP server for the virtual boxes and constraining access via firewall, for example… you can essentially have all of the virtual boxes in a DMZ unable to ping the host machines in any way.)

Note: The WinXP images might be challenging to run on an older system but those appliances with Firefox running in a trimmed-down Linux X shell are nice and light. Don't worry if you don't know Linux, everything is already installed and automated for you.
posted by XMLicious at 1:58 PM on March 12

If you're considering Vista, one of the nice benefits of it is that if you're running a limited account (as you should), you don't even need* to run Anti-Virus. You'll get much, much better disk performance, and as long as you pay attention to what's asking for your admin password, you're safe.

*Yes, I ran this by the MS reps at a vendor event, they thought I was brave, but didn't see anything wrong with that.
posted by Oktober at 2:02 PM on March 12

Windows' built-in firewall is enough for 99% of users.

A good alternative to malware detection software is the free version of ProcessGuard, which alerts you every time a program it's never seen before tries to launch. It has a "learn mode" which you can leave on for a few days while you use your machine for its regular tasks. When you turn that mode off, it will then throw up an alert for unknown programs. You can allow an app to run just once, or put it in the "safe list." The only downside is that automatic software updates will often fail, since they usually require never-before-seen EXEs to run. This is no big deal; just set Windows to notify you when there are updates rather than installing them, then do that manually.
posted by kindall at 2:36 PM on March 12

What software (or combination of software) are you using to keep your computer internet-secure these days?

Ubuntu Linux 7.10 (Gutsy Gibbon).

Yeah, I know, flip answer from a Linux fanboi. But I'm serious.

It makes no sense at all, in my view, for a non-profit to use commercial software (even when same is offered with relatively favourable licensing in the interests of perpetuating lock-in) when there is free software available that works adequately, and in many cases works better.

Plus, if you're currently a fledgling sysadmin, I can guarantee you that you will have more fun and less grief with Linux than with Windows. It's way, way more fun exercising your skill to get things working than it is to spend that time fixing things that shouldn't have broken in the first place.

I suggest you wean your users off Windows in easy stages. First thing is to disable access to Internet Explorer on all workstations, forcing all but the tech-savvy to use Firefox instead (and the tech-savvy are probably already doing that of their own accord, so no biggie there).

Next, install OpenOffice.org on all workstations and get your staff up to speed in using that instead of Microsoft Office for word processing and spreadsheets and whatnot. Justify this on the grounds that you will save a heap on licences for Microsoft Office as workstations get replaced, and that new workstations would otherwise end up with Office 2007 which they would also be quite unfamiliar with and which also causes minor default file-format issues.

Get all your people Gmail accounts and hook those into Mozilla Thunderbird via IMAP (don't use POP3 - use IMAP). Add their existing email addresses to their Gmail accounts as extra accounts, and to Thunderbird as extra identities within the main Gmail account, and make their existing mail providers forward mails to the Gmail addresses. Now you have a permanent mail archive that won't burn down with your building, with the best spam filtering I've ever seen.

Set them all up with Google Calendar, too, and give them read access to each other's calendars. Blam - Outlook bites the dust.

Once you're doing everything with cross-platform free software and/or web apps, you've freed yourself from Microsoft's vendor lock-in. There is no further need to put up with Windows' bullshit security model and bullshit licensing terms, and you can start putting Ubuntu on new workstations. It comes with all the above-mentioned apps preinstalled; just make sure you also install the msttcorefonts package to avoid breaking the layout of existing documents.

The day the last Windows workstation leaves the building, you can have a little party.
posted by flabdablet at 4:10 PM on March 12 [2 favorites]

As much as I agree with flabdablet about Linux vs Windows, ripping out your existing systems might be biting off a bit more than you want to chew as a "fledgling sysadmin".

Like Oktober said, the single best thing you can do (and you are doing it in some cases) is having all of your users running as User...even those who need administrative privileges. Put a second account with Admin rights on their systems and let them RunAs when necessary, but none of your users should actually be working (and especially not web browsing with IE) as a local administrative account.
posted by JaredSeth at 5:01 PM on March 12

Here's where I went when I'd just installed two new Windows systems fresh (one XP, one Vista) and needed to find the best current antivirus solution: AV-Comparatives.

I chose NOD32, and it's been great. On the XP computer, I use Sunbelt Personal Firewall (free for home use; fairly inexpensive for business use) and on the Vista computer just use the built-in firewall 'cause Sunbelt isn't yet supported. Sunbelt used to be known as Kerio, and it's one of the best inexpensive software firewalls out there.
posted by limeonaire at 5:37 PM on March 12

ripping out your existing systems might be biting off a bit more than you want to chew as a "fledgling sysadmin"

which is precisely why I favour moving piecewise, an app at a time, with enough time allowed after each app cutover for the teething problems to go away. It's also the rationale for not installing Ubuntu until after all the app cutovers are complete and the new workflows bedded in, and even then, installing it only on new workstations as the old ones get replaced.

The simple fact is that if you're not installing Ubuntu on new workstations in a year or two, you will be installing Windows Vista. And you won't like it when it's angry.
posted by flabdablet at 11:23 PM on March 12

Flabdablet, why use IMAP instead of POP3?

Also what should the OP use for security in the interim before complete switch over to linux?
posted by flummox at 6:25 AM on March 13

flabdablet appears to be recommending IMAP in this scenario because undeleted messages will remain on the server. With POP3 generally all the messages are downloaded to a local store in the email client and deleted from the server; hence, unless the user does regular backups, any data loss on the client system results in permanent loss of the saved messages.

If you have your own mail server this can lead to storage space issues on the server (but that's basic IT stuff, so no sweat) but a nice feature of flabdablet's recommendation in using Gmail is that Google takes care of any space management issues for you. (However, you'd also essentially be relying on Google to back up and maintain the email stores on their servers, which is a fairly reasonable expectation but I would assume that their service agreement absolves them of any legal liability if they did lose everyone's old email.)
posted by XMLicious at 7:10 AM on March 13

Yeah, what XMLicious said. IMAP is nice because it does pretty much what webmail does (gives you a view into the same server-side mailbox from any IMAP-connected workstation) without forcing you to use a webmail interface that may be slow to load, poorly integrated into the desktop, or unfamiliar to staff. Staff don't like change, by and large, and they're generally far more resistant to change in how stuff looks than how it works under the hood. Thunderbird looks enough like any other email client to minimize the pain of that.

IMAP clients also allow you to make selected mail folders available for offline viewing, which means they can just download all the mail to a workstation-accessible location (either on the workstation's own hard disk, or on your local file server). So if you don't trust Google to keep all your mails safe, IMAP will not stop you running the same backup strategies you would have been using anyway for POP3-connected email clients.

As for what bandaids to apply to Windows: I use the Network edition of AVG at school, because it's not terribly invasive, licensing is cheap even without the 50% discount for schools or 30% for nonprofits, the central admin stuff works, the central update management stuff works, and the centralized deployment stuff mostly works. I have disabled easy access to Internet Explorer except via the IE View extension in Firefox, by turning off its checkbox in Add/Remove Programs->Add/Remove Windows Components. Everybody has Adblock Plus installed, so students just don't see the tempting shiny shiny things that cause sysadmins grief when clicked on. There's also a fairly extensive site blacklist maintained by the school's ISP.

I would not want to use any firewall more intrusive than the inbuilt Windows SP2 firewall, which does what a firewall is supposed to do, quietly and without fuss.

I have Spybot Search & Destroy available for cleanups, but have not had to use it for the last year (basically, since the last IE diehard left the school).

Staff own and manage their own laptops. Some of those laptops come pre-infested with Norton Antivirus and/or Windows Vista. There's not much I can do about Vista, but I do encourage people not to use Norton.

So far, my Great Evil Master Plan is meeting resistance at the MS Office->OpenOffice cutover stage (I've actually been specifically asked not to roll OOo out to all the campus computers alongside MS Office). But I'm sure that continued gentle educational pressure, and the fact that we could buy three more interactive whiteboards for the cost of enough licences to upgrade the whole school away from MS Office 2000, will eventually help the principal see things my way :-)
posted by flabdablet at 4:55 PM on March 14

« Older Help me price out a server. I ...   |   Anyone know a good, non-cruise... Newer »