Product Group Tests

Anti-malware management (2007)

by Peter Stephenson July 10, 2007

GROUP SUMMARY:

We award Trend Micro's Interscan Gateway our Best Buy award for its simplicity and ease of use and the features it provides, which offer exceptional value for money.

Savant Protection's Enterprise Management System offers high protection that is difficult to fool. We rate it as Recommended for its effectiveness and value for money.

All-round protection against a wide variety of threats is the key to this group of solutions. And, as Peter Stephenson discovers, software-based offerings are catching up with appliances.

In the enterprise environment, anti-malware management tools pose a few challenges. For example, how do you implement anti-malware management in a 10,000-user enterprise that is spread around the world? And, once implemented, how do you support it with timely updates and logging and alerting of events? That is the subject of this group review.

In the course of writing this review, we looked for several things on these products. First, some came complete with the anti-malware product licences in place. You simply set up the software or appliance and launch your malware-management scheme. Others work in conjunction with a suite of anti-malware products. In either event, we were interested in what types of malware these products could manage.

Generally, we found that when a vendor says "anti-malware", it means precisely what it says on the tin. All products offered protection against viruses and spyware, but we also found spam, phishing, bots, worms, Trojans and pretty much the whole gamut of internet bugs addressed. So, one of our criteria was the number of different types of malware the product could handle.

We were also concerned with how well the product logged events and how these events were presented to the administrator. Was there a robust alerting system with email and pager alerts? What were the logging options? Finally, we wanted to know how difficult it was to manage client-side anti-malware on the desktop or laptop. Were updates to the clients automatic, for example? How is updating the data files managed? Can clients that do not have the current level of data file be forced to update?

Anti-malware is a difficult product group because there is little differentiation between the various actual anti-malware products on the market. Where we found variations was in the management tools for the enterprise. This leads us to view the anti-malware market from a couple of perspectives. First, catch rate is a non-starter as a differentiator: all of the good products have about the same catch rates. Many boast the ability to catch zero-day exploits; how well they actually do that depends upon the particular technology used.

The big differences are in what the management tools do. For example, are they one-trick ponies that only catch viruses or spyware? Or do they cover a broad range of threats? There were both appliances and software implementations. We found that, even with strong software implementations, the appliances still tended to have the most comprehensive protection.

However, we had a bit of a surprise here. We expected, from past experience, that the appliances would have the ease-of-use score nailed, hands-down. That was not necessarily the case. Some of the software products went in smoothly and performed well. While we did see appliances that were in and working in about 15 minutes, some of the software did not take much longer.

Another area that surprised us was how these products actually manage anti-malware at the desktop. We expected to see, again based upon past experience, a bit of awkwardness. However, we saw virtually none. These tools manage smoothly, allow policy development and report well, especially the appliances.

Finally, we looked at what, exactly, these products are managing. Are they just handling the clients, or do they also act as a gateway inspecting data as it enters the enterprise? In that regard, there were products that focused on the client side and servers (data at rest), those that focused upon data in motion, and those that did both. We tend to recommend as much functionality as possible here, because there are multiple possible infection vectors for just about any kind of malware, and all of those vectors need to be monitored.

This was one of our most interesting group reviews so far this year. As one might expect, the market is mature and the differences between products sometimes are subtle. Our advice, as always, is know what you want to do and how your resources will allow you to do it before you opt for one of these, generally good, products.
