No, this is not an article about weird marketing practices or “ponzi” schemes within the A/V industry. It IS an article about how you can better protect yourself against viruses and malware. I decided to write this after one of our customers had the willies scared out of them by a “security alert” circular from one of their other vendors.
We (itgroove) have always worked from the assumption that no single A/V product provides 100% protection against all virus and malware threats. The A/V vendors may take issue with that stance, but it’s what we believe and it sets the tone for how we architect customers’ infrastructures. We always “layer” A/V protection so that there are at least two layers of scanning using multiple vendors’ technologies. Our preferred architecture relies on Sonicwall firewalls with Sonicwall’s McAfee-based technology scanning at the gateway (firewall) and Trend Micro’s A/V installed on all machines on the inside LAN (usually WFBS). If the customer utilizes Office365, that adds another layer, as Forefront is scanning at the Exchange level (on-premises Exchange is covered by the aforementioned Trend A/V).
The reason we layer is simple: chances are that if one vendor’s technology misses or does not identify and eliminate a virus or malware, the other vendor’s will. It is a simple numbers game where you have better protection if your “layer number” is 2 or greater. Single-vendor solutions such as Sonicwall’s Gateway A/V and Enforced Client A/V (to name but one) can leave you vulnerable, as the same technology is in place at the gateway and on the LAN; if that technology does not identify a virus or malware, then it is missed entirely throughout your infrastructure. (To be fair to Sonicwall, they do offer Kaspersky as an optional layer.)
I want to circle back to my point about our customer and the security circular they received. The circular highlighted the existence of a nasty virus that targets POS systems running on Windows boxes and was also a pitch for a “managed” single-vendor A/V service. The interesting thing is that the vendor provided stats from VirusTotal which listed 40 different A/V vendors and whether or not their product identified and removed this particular virus. Roughly half of the vendors missed identifying the virus. Using our two preferred vendors as a measuring stick, Sonicwall (McAfee) missed it and TrendMicro identified/removed it. If our customer’s network had ONLY been protected by McAfee they could have been at risk, but they have the second layer in place. Of course, the possibility exists that BOTH layers could miss something, but the odds are much more in your favour with two layers than with a single layer.
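The numbers game above can be measured rather than guessed. The following is an added example, not from the original article: it takes per-sample detection results of the kind a multi-engine scan report lists and compares the measured miss rate of layer combinations with what you would predict if engines failed independently. The engine names and all detection data are constructed placeholders, not real products or real results.

```python
from itertools import combinations

# Constructed sample data: for each malware sample, the set of engines that
# detected it. Engine names are hypothetical placeholders, not real products.
DETECTIONS = {
    "sample01": {"engine_a", "engine_c"},
    "sample02": {"engine_b", "engine_c"},
    "sample03": {"engine_a", "engine_b", "engine_c"},
    "sample04": {"engine_b", "engine_c"},
    "sample05": {"engine_b", "engine_c"},
    "sample06": set(),                      # missed by every engine
    "sample07": {"engine_a"},
    "sample08": {"engine_b"},
}

def miss_rate(detections, layers):
    """Fraction of samples that no engine in `layers` detected."""
    layers = set(layers)  # the same engine at two layers counts once
    missed = [s for s, hits in detections.items() if not (hits & layers)]
    return len(missed) / len(detections)

def independent_estimate(detections, layers):
    """Miss rate predicted if engines failed independently (product of rates)."""
    est = 1.0
    for engine in set(layers):
        est *= miss_rate(detections, [engine])
    return est

def rank_pairs(detections):
    """All two-engine combinations, lowest measured miss rate first."""
    engines = sorted(set().union(*detections.values()))
    pairs = [(miss_rate(detections, p), p) for p in combinations(engines, 2)]
    return sorted(pairs)

if __name__ == "__main__":
    # Same engine at gateway and on the LAN: no better than one layer.
    print("b + b:", miss_rate(DETECTIONS, ["engine_b", "engine_b"]))
    for rate, pair in rank_pairs(DETECTIONS):
        print(pair, "measured", rate,
              "independent estimate", independent_estimate(DETECTIONS, pair))
```

In this constructed data the engine with the worst individual score is the best partner for `engine_b`, because their misses do not overlap, while the two strongest engines miss more together than the independence estimate predicts.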
If your network is only covered by a single layer of A/V, then I urge you to look into how you can add a second layer from another vendor. There are many, many options available and you don’t have to use our particular model. But you should do something. You should scan at the gateway, as the best defence is to keep the garbage out of your network, period; especially so in this age of BYOD on your network. You should ensure your various devices on the LAN are covered with A/V. You should ensure your mobile users have A/V that ramps things up when they are NOT behind your corporate firewalls. And you should pay attention to what your various A/V dashboards tell you.
We have a lot of customers set up with the multi-layer approach and it works extremely well. It can work well for you, too.