Exterminator Tools

Evaluating network antivirus software

Much has changed since the last time I had an opportunity to sit down with the leading Windows NT virus-detection tools. Today's viruses are sneakier, and the havoc they wreak is more difficult to recover from, than ever before. Widespread media coverage and the resulting public fear of viruses such as Melissa and Worm.ExploreZip stress the fact that networks of any size require an antivirus program.

When I began my evaluation of server-based antivirus programs, I faced an interesting question: Do the criteria for selecting a server-side program differ from the criteria for selecting a workstation solution? To answer that question, I had to establish a clear set of guidelines that differentiate workstation-based antivirus programs from their server-side counterparts.

Server-side programs keep multiple machines free from viral infections. That statement might strike you as obvious, but the criterion eliminated from my study a handful of programs that are viable only for single workstations or small peer-to-peer networks.

Another essential criterion for server-side antivirus programs is that they require little maintenance. On your PC, you might have all the time in the world to tweak options and download the latest virus-definition files. But in a network, the program needs to perform maintenance without requiring user intervention—automation is an important part of a successful network antivirus solution.

NT servers are vulnerable to users copying infected files to the server or running an infected file on their workstation. So, a server-side antivirus program needs to preemptively eradicate any threats to the network before a virus starts to spread.

An ideal server-side antivirus program is robust in its scanning options, provides a strong centralized management console to simplify the administrator's job, automatically updates frequently to catch the latest viruses, and can scale from a simple multisystem network to a large enterprise network. With that ideal in mind, I assembled a list of qualifying products. Then, I carefully evaluated the programs to determine the most effective tool for the discerning network administrator who wants to stay on top of today's viral threats.

[Editor's Note: Computer Associates' (CA's) InnoculateIT doesn't appear in this comparative review because of installation difficulties. The Windows NT Magazine Lab is working with CA to correct the problem. In the near future, Windows NT Magazine will evaluate InnoculateIT in a standalone review.]

ServerProtect 4.67
Despite owning a coveted piece of digital real estate among antivirus vendors (http://www.antivirus.com), Trend Micro is an underdog in a market that big names such as McAfee and Symantec dominate. Admirably, the company's contribution to the antivirus market, ServerProtect, touts functionality over marketing hype.

Trend Micro designed ServerProtect from the ground up to run as a LAN server antivirus utility. The company aims the product directly at the enterprise—complex networks with hundreds of interconnected machines. ServerProtect doesn't simply work with the workstations connected to your server. The product provides a centralized umbrella-like domain-management model that all your domain's servers fall under. This scenario lets you manage multiple servers and workstations from one console.

The product ships on one CD-ROM and includes a comprehensive ServerProtect User Manual that explains nearly every aspect of the program. The manual is well written and nicely illustrated—more than simply a throwaway gratuity.

ServerProtect boasts one of the smoothest installation processes I've encountered. You simply insert the CD-ROM and click a few buttons. The setup program takes a list of computer systems from the domain server and sets up the default scanning options, which are impressive.

ServerProtect is extremely flexible in its operation. As Screen 1 shows, you can set ServerProtect to scan files as you read or write them, monitor your system for suspicious behavior, and investigate compressed files.

Because ServerProtect maintains a list of all the servers and workstations that fall under your domain, the product uses a simple password-protection routine to keep unauthorized users from modifying your settings. When a scheduled scanning process begins, ServerProtect uses the remote procedure call (RPC) protocol to scan remote servers across the network.

ServerProtect's virus-detection routines are top-notch. Using rule-based and pattern-recognition algorithms, ServerProtect is possibly the most comprehensive virus scanner I've tested. The program caught every virus I introduced, including Melissa and Worm.ExploreZip. When I updated the virus pattern file (with updates that Trend Micro provides bimonthly), ServerProtect caught the new Back Orifice 2000 Trojan horse. When the software detects an infected file, ServerProtect offers to clean it, delete it, or quarantine the virus to a secure directory.

ServerProtect is as fast as it is thorough. A scan of my 12GB test disk (running at the default priority rate) took only 40 minutes to complete.

ServerProtect's realtime scanning utility is effective without eating up all your free resources. Using NT's Task Manager, I ascertained that ServerProtect's realtime scanning component uses only 800KB of memory at any time—a refreshing change from other programs that need as much as 2MB of RAM for their realtime scanning functions.

Updating the virus-definition files is a snap. ServerProtect includes built-in routines to download updates from Trend Micro's bulletin board system (BBS) or Web site. You can reduce the amount of maintenance work you must do by setting ServerProtect to automatically retrieve and install updates.

A program that reacts well to viruses needs an effective notification method. ServerProtect offers all the usual notification methods (e.g., network broadcasts, email notices) and also includes pager support—a must for administrators who aren't always tied down to their networks.

For remote maintenance, ServerProtect includes an efficient Web-based interface, from which you can peruse logs, change options, and trigger scans. This Web interface (unique to ServerProtect) lets you easily deploy updates across the network.

Trend Micro offers a separate server-side tool, the Trend Virus Control System (TVCS), that lets you configure and monitor antivirus software from your Web browser. At press time, Trend Micro has just released ServerProtect 5.0, which incorporates some of TVCS's central management features and lets you manage multiple NT and Novell NetWare servers and domains simultaneously. The new version improves ServerProtect's real-time scanning speed and manual scanning performance.

ServerProtect has all the essential features of an effective virus scanner. Administrators will embrace the package for its low-maintenance design and thorough testing patterns. ServerProtect is an excellent package that is worthy of your consideration.

Sophos Anti-Virus 3.23
Sophos is an antivirus veteran, so the strength of Sophos Anti-Virus isn't surprising. Sophos' packaging is excellent. Rather than simply throwing a few pieces of paper and a registration card into a box, Sophos delivers Sophos Anti-Virus with an enormous Sophos Reference Guide, which covers a wide range of subjects, including system security, denial-of-service (DoS) attacks, the Y2K bug, and file encryption. Sophos Anti-Virus ships on one CD-ROM, and the package includes a prefab Emergency Repair Disk (ERD) so that you don't have to search for a usable 3.5" disk.

Sophos Anti-Virus uses a single-point installation system. Instead of running from system to system, you can dump everything on a central server and let your end users install the client software over the network. During the installation process, you can specify how you want the server to handle client upgrades. When a new version of the product arrives, you can let users reconfigure the program or handle this task yourself.

Unfortunately, the client installation process can be a bit clumsy. To install the client on their workstations, users must enter the setup utility's full Uniform Naming Convention (UNC) pathname. (On my test server, the setup utility was buried in four subdirectories.) A more elegant solution would be for the software to automatically set up a share for users to connect to.

Uniquely, the product performs all scans on the client's end, which provides a bit of a speed boost (by reducing overhead on the server during scans) and a welcome relief from bandwidth saturation. The server component distributes upgrades and stores the main checksum database.

Depending on your systems' workloads, you can set Sophos Anti-Virus to run at normal or low priority. The advantage to running at low priority is that the virus scanner takes up less CPU time. The disadvantage is that the process runs at an agonizingly slow pace. Running at low priority, Sophos Anti-Virus took 4 hours to completely sweep 12GB of data. Running the same process at normal priority still took about 2.5 hours.

Sophos offers a separate approach to realtime virus scanning (perhaps implying that the company knows how slow its virus-detection routines are). Rather than automatically performing a virus scan every time you access a file, Sophos Anti-Virus uses a checksum system for on-the-fly scanning. When you access a file for the first time, Sophos Anti-Virus performs a routine scan, then adds the file's checksum into a database (if the file is clean). The product then leaves the file alone, unless the file's data structure changes. If you modify a file in any way, Sophos Anti-Virus rescans the file and updates the checksum database. This method will save your users time because they don't have to wait for a virus scan whenever they open an application.

Sophos Anti-Virus' detection routines are exceptional. Against a sample test bed of live viruses, Sophos Anti-Virus detected everything from the old and obsolete (e.g., Stoned) to the emerging and dangerous (e.g., Back Orifice 2000, Melissa). As Screen 2 shows, Sophos Anti-Virus either deletes the infected file or quarantines it to a secure directory for later examination.

Sophos Anti-Virus' notification features are adequate. When it detects a virus, the program can send a network broadcast or use an SMTP server to notify you by email. Thus, you must be near a computer to learn about the infection. More flexible options, such as the ability to send an alphanumeric page, would be more convenient for administrators.

Unlike competing programs, Sophos Anti-Virus can run on many platforms (e.g., OS/2, Novell NetWare, Linux). To test Sophos Anti-Virus' cross-platform interoperability, I installed the server component on an NT 4.0 system and the client software on Linux systems. The client/server communication between platforms was seamless—the Linux clients updated from the NT server and the NT server received and processed update requests from the Linux clients. I added a decrepit MS-DOS 5.0 machine to the mix and installed the Sophos Anti-Virus for DOS client. Again, the software performed flawlessly. If you're looking for consistency across platforms in a large heterogeneous network, Sophos Anti-Virus might be your only choice.

Sophos Anti-Virus' biggest problem is its lack of an automated virus-definition update feature. In fact, the product seems to offer no way to update its definition files from within the program. I had to connect to the company's Web site and download a product update that I needed to install manually. Fortunately, once the software updates on the server side, the update trickles down to the workstation clients automatically.

Sophos Anti-Virus is a good—but not great—product for large networks. The package's cross-platform capabilities keep it at the top of the list for heterogeneous networks, but Windows-only shops need a solution with better notification options, improved speed, and automatic virus-definition update features. However, Sophos Anti-Virus' centralized network virus protection is possibly the best-designed architecture I've seen.

Sophos updates its software monthly. At press time, the company has just released Sophos Anti-Virus 3.28.

Command AntiVirus 4.57
The name is new, but the technology isn't. Command AntiVirus is the new moniker for the perennial favorite F-PROT. You might remember that my first experience with F-PROT wasn't entirely positive. (To read my review of F-PROT Professional for Windows NT 3.0, see "Workstation Virus Scanning Software," November 1997.) However, this product has changed much more than its name.

Command Software Systems' Command AntiVirus ships on two CD-ROMs—one contains the Command AntiVirus client software, and the other contains the CSS Central server-side program. The accompanying Quick Start Guide walks you through the basics of software installation and configuration.

The installation process is straightforward: The server component installs on your server, and the client software installs in a directory for workstations to connect to. Rather than automatically setting up a share, Command AntiVirus requires users to connect to a UNC path to install the software.

After you install the software, you need to manually add your workstations to the CSS Central console window. This procedure might sound tedious (especially if you have many machines in your network), but you need only queue the systems in Network Neighborhood and copy them to the console.

CSS Central provides flexible options. You start by placing your network's workstations into groups. By setting true-or-false values, you can create an effective model for how Command AntiVirus operates on your network. For example, you might want Command AntiVirus to vigorously and frequently scan your customer service group (i.e., any group that receives files on a regular basis), whereas you might decide to ease back on the scanning criteria on the human resources group. Unfortunately, CSS Central is poorly documented. The Quick Start Guide devotes only seven pages to CSS Central—essentially, you have to figure the component out for yourself.

HoloCheck, Command AntiVirus' scanning engine, functions heuristically. By monitoring behavioral patterns, Command AntiVirus can detect new viruses by watching a file perform viral-like functions (e.g., replicating itself, changing a crucial file structure). A drawback of most heuristic engines is false alarms. However, in my tests, Command AntiVirus raised no false alarms, even when I introduced files with Trojan horse behavior. Running Command AntiVirus against a 12GB test disk took a respectable 45 minutes. The program caught all the test viruses I fed to it.

Command AntiVirus employs task-based scanning. The product includes several prefab scan tasks, but if you want to take full advantage of the program, you need to create specific tasks. As Screen 3 shows, Command AntiVirus' options let you take granular control of the software—from choosing disks to scan to selecting the actions to take when the scanner detects a virus. You can also schedule local or network scans. A particularly appealing feature in the scheduler is the ability to launch a scan after a specified duration of idle time. I set the product to start scanning after a 15-minute idle period (because if 15 minutes go by, I probably won't be back soon).

When Command AntiVirus detects a virus, the software quarantines the infected file, writes a log event, and sends you an email notice with the file attached (so you can analyze the virus). Unfortunately, the product offers no paging options. This disadvantage limits the program's usefulness for administrators who might not always have access to their mailbox.

Command AntiVirus seems content to stay in the background. The realtime detection module, Dynamic Virus Protection (DVP), is effective without being intrusive, taking up 1MB of RAM and nearly no CPU time. The module's best feature is its alertness. When I introduced a document infected with the Melissa virus, DVP immediately attacked the infection.

The product handles virus-definition updates electronically. When you want to update the definitions, you can download data and update the program by means of Command Software Systems' several mirror sites. After you select a site, Command AntiVirus extracts the files and automatically updates them. Unfortunately, the product doesn't automatically retrieve definition updates. However, after you've downloaded the updates, the program automatically deploys files to the clients on your network.

Command AntiVirus is workgroup-oriented. Working with multiple domains from the CSS console doesn't seem to be possible—I was unable to find an option to switch domains from CSS.

Command AntiVirus is a good package with an even better scanning engine. Its unique task-based design gives you maximum flexibility for customized scanning processes, and the CSS Central console lets you tweak nearly every aspect of Command AntiVirus' control over your network. However, the product is missing some of the frills of competing packages that sell for the same price.

Norton AntiVirus 5.0
Of all the programs in this review, Symantec's Norton AntiVirus (NAV) 5.0 has changed the least. Stability isn't a bad thing, of course, because the industry widely regards NAV as the premier antivirus package on the market. In fact, Windows NT Magazine awarded NAV its Editor's Choice award 2 years in a row. So when I sat down with the latest version of NAV, the one question on my mind was, "Does it still hold up?"

NAV 5.0 ships on one CD-ROM and includes a comprehensive Norton Antivirus User Manual. You use a wizard to install the program. Simply click a few buttons, set a few directories, and the CD-ROM spins the data to your hard disk. After you install the server and client components, you're ready to go. NAV can run as a service to provide antivirus protection for unattended systems.

Like its previous versions, NAV 5.0 is easy to use. A clean GUI belies the highly customizable features. All the software's functions are clearly represented by a labeled button. Aside from the usual features (e.g., scanning, detecting), NAV includes a powerful scheduler that you can use to run any executable program on a regular basis. A comprehensive virus list, which lists and describes nearly every live virus, tops off the package.

NAV's scanning engine is lightning-quick. Scanning 12GB of files (some of which contained live viruses) took only 35 minutes. Best of all, NAV doesn't bog down the CPU during a comprehensive scanning process. NAV caches network scans, which saves time and conserves bandwidth.

NAV is thorough—the program detected every test virus on my network. NAV is the only product I tested that can scan compressed cabinet format (CAB) files. Because NAV uses a pattern-recognition engine, the program can detect viruslike behavior. How can you be sure that a virus is causing the detected behavior? New to NAV 5.0 is the Scan and Deliver function. If NAV detects what it believes to be a new virus, you can quarantine the file, encrypt it, and email it to Symantec's AntiVirus Research Center for further evaluation.

NAV's realtime scanning module—AutoProtect—is one of the best in the business. AutoProtect consumes about 1.5MB of RAM, but the CPU usage is negligible. By proactively monitoring your systems, AutoProtect can jump into action when you open an infected file. I tested AutoProtect with a document infected with the Melissa virus. The scanning module stopped the virus before the document was fully loaded. Screen 4 shows how AutoProtect reacted when I copied an infected file from a workstation to my server.

When the software detects a virus, NAV presents the standard options for dealing with the infection: Prompt, Notify, Repair, Delete, and Quarantine. A new feature in NAV 5.0 is the Customize option. When you enable Customize, you can specify how NAV reacts to certain types of viruses. For example, you can instruct NAV to clean macro viruses, delete file viruses, and notify you only when it detects a boot virus. These three events are independent of one another, giving you the option of dealing with each type of virus using the antivirus model you've established for your network. For example, you can set NAV both to delete Trojan horses immediately and to repair macro viruses before deleting them.

Although fine-tuning NAV 5.0 settings for individual computers on the network is difficult, NAV's management tools let you easily customize the program for your entire network. NAV 5.0 is compatible with Windows 2000's (Win2K's) Microsoft Management Console (MMC) architecture.

NAV's notification features are the best available. In NAV 5.0, you can select from a host of notification options (e.g., SNMP, pager, email, local console alerts). NAV can even communicate with NetWare machines (using IPX) and Macintosh machines (using AppleTalk).

Symantec's reputation as a conscientious vendor with an admirable approach to virus-definition updates holds true in NAV 5.0. You can download the company's bimonthly definition updates from the company's bulletin board system (BBS) or FTP site. NAV's LiveUpdate feature lets you easily grab new virus definitions from within the software. NAV 5.0 features a new scheduler tool and the ability to download, install, and deploy new definition updates automatically.

You can't go wrong with NAV. Although the product is missing a few features you can find in other programs, it remains one of the most effective antivirus packages on the market. Norton AntiVirus' scanning speed puts almost every other program I tested to shame. Add Symantec's frequent updates and the software's ease of use, and you have an excellent choice for keeping your network clean.

Network Associates McAfee NetShield 4.03
If you were shopping for an antivirus tool by name recognition only, NetShield would be your choice. NetShield, which antivirus legend McAfee.com developed and distributes under the Network Associates banner, dates back to the days of MS-DOS and 340MB hard disks. Does it perform well in 1999?

Available for NT Server and NetWare, NetShield arrives on one CD-ROM and includes a concise Installation Guide. The product's setup is simple—pop in the CD-ROM and run the installation program. NetShield can run as a service, so you'll need to set it up with an administrative account.

The configuration options on NetShield's refreshingly simple GUI, which Screen 5 shows, are consistent with the standard Windows property sheet format. By disabling features I didn't require and tweaking those that I would need, I quickly modified NetShield to suit my network's needs.

NetShield's architecture is task-based. To set up a scanning session, you simply create a new task, define its parameters (e.g., which disks to scan, which systems and files to exclude), decide which actions to take when the software detects a virus, and determine how often you want the task to execute. After you save the task, anyone with administrator access to NetShield can use it.

NetShield's scanning engine is fast and thorough. When I set the engine to scan executable and document files, NetShield plowed through 12GB of data in about 50 minutes. The software identified, quarantined, and cleaned or deleted infected files. Because NetShield identifies new and emerging viruses heuristically, you might occasionally trigger a false identification. However, my testing triggered none. A drawback of NetShield's scanning engine is that the default scan priority can be a major burden on your CPU. Unless you schedule virus scans during downtime, you need to drop the scan priority to its lowest setting.

NetShield's realtime scanning agent—the NetShield On-Access Monitor—prevents viruses from striking between scheduled virus scans. When a user accesses a file, the agent quickly analyzes the file structure and makes sure it's clean. If the agent detects an infected file, the NetShield On-Access Monitor prevents the application or document from executing until the agent can notify an administrator. In my testing, this agent performed extremely well, detecting and trapping macro viruses and Trojan horses before they could inflict damage on my test system.

NetShield shines in its configuration options. The product's simple GUI lets you tailor nearly every aspect of NetShield to conform to your network architecture. NetShield's notification options are broad, encompassing SNMP, email notification, and pager alerts.

The product's centralized management console lets you configure and control every system on your network without leaving the confines of NetShield. For example, you can distribute new installations and deploy software updates directly from the console. Unfortunately, NetShield's network support doesn't seem able to handle multiple domains.

NetShield's virus-definition update facilities are excellent. NetShield includes an integrated FTP client (which works in conjunction with an internal scheduling program) that automatically retrieves definition updates from Network Associate's FTP server as they become available. The software stores downloaded updates on the local server so that you can deploy the new patterns to the other machines on your network.

McAfee's detection routines are among the best in the industry, and NetShield's notification options are simply unmatched. The only caveat with this program is its poor domain-management functions—NetShield seems better suited for small single-server networks than for large enterprise systems. If the former describes your network, NetShield's efficiency and host of features will be a good fit for your system.

And the Award Goes to ...
In my testing, I was surprised by how favorably the latest iteration of antivirus products compared with one another. Whereas companies such as Symantec and Cheyenne dominated in the past, all of this year's vendors have redoubled their antivirus efforts and complicated my intention to pick a clear-cut winner. Therefore, rather than simply selecting the product that left the best impression (I wouldn't hesitate to recommend any of the programs featured in this review), I'll conduct a process of elimination to crown this year's king.

The most important feature in any antivirus product is the timely availability of updates. Whenever a new virus emerges, antivirus vendors must quickly release a virus-definition update to catch the menace before it spreads. Although all the programs I tested provide frequent definition updates, not all of them let you easily retrieve and install new definition files. A good server-based virus scanner needs to download new definitions automatically. In this area, both Sophos Anti-Virus and Command AntiVirus are lacking.

Robust notification features are essential. Because you're probably not sitting near your network every waking minute, you need a program that can notify you of a viral infection when you're away from your systems. The best way to notify an administrator of an infected network is to send an alphanumeric page. Both Sophos Anti-Virus and Command AntiVirus lack such a feature.

Finally, you need to consider how well an antivirus program adapts to your network topology. A good server-based antivirus program not only handles your network load but also lets you easily work with groups of systems or individual computers on your network. Norton AntiVirus, NetShield, and Sophos Anti-Virus lack a strong centralized console for system micromanagement. Command AntiVirus' CSS Central is an excellent tool for this purpose, but its weak documentation and inability to handle multiple domains prevent me from recommending the product to anyone with a large network.

I've narrowed the field down to one product: Trend Micro's ServerProtect. Because the company has built ServerProtect from the ground up to support large networks, you know it won't collapse when it runs into your monster LAN. Conversely, the product also easily scales down to accommodate smaller networks. ServerProtect's virus-detection rate is one of the highest I've seen, and the product has no problems disinfecting files. Those advantages, coupled with the product's excellent notification features, win for ServerProtect my Editor's Choice recommendation.

Corrections to this Article: