Educause Security Discussion mailing list archives

Re: Exchange Server Virus Scanning


From: Graham Toal <gtoal () UTPA EDU>
Date: Fri, 17 Feb 2006 10:31:41 -0600

Our edu is contracted with McAfee for client protection and
that layer is very beneficial.

I forgot to mention in my summary of anti-virus+spam protection
for Exchange: it is a very good idea to have a different AV product
in your external filter from the one you have on your server,
and from the one you have on your desktops.  None of these guys
are perfect, and it has happened more than once that one of our
AV products had broken its automatic updates, but we remained
protected because at least one of the others still worked.  The
worst scare we had was when both clamav and uvscan updates broke
at the same time and we were protected only by our desktop AV.

Losing your automatic updates is insidious because it is not
immediately obvious that it has happened.  We noticed it because
we do end-of-month summaries of our virus figures for a state
agency, and spotted that the distribution of detections had
moved from the mail filter to the desktop.

For us the biggest determiner for desktop AV is how well it can
be centrally managed.


Stopping direct machine-to-machine worm transmission is pretty
much a licked problem (at the network level).  The majority of
issues now come from trojans that people click on from email or
web sites.  Stopping those doesn't really need an AV solution,
more a systems management one.

I think in the future the emphasis has to shift to ways of
not allowing *any* unapproved software to run on the desktop in the
first place, rather than what is effectively an after-the-fact
cleanup process that is done by current AV products.  We probably
do still need those to catch things like buffer overflow exploits,
but they should be the last line of defence, and more akin to
a host-based IDS like tripwire.


Graham
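
The end-of-month check described in the message above (detections shifting from the mail filter to the desktop) can be automated. This is an added example, not part of the original post; the layer names, counts and thresholds are constructed assumptions.

```python
from statistics import median

# Layers ordered outermost first. Names are assumptions for this example.
LAYERS = ("mail_filter", "server", "desktop")

# Constructed per-period detection counts (not real data).
HISTORY = [
    {"period": "M1", "mail_filter": 940, "server": 45, "desktop": 15},
    {"period": "M2", "mail_filter": 1010, "server": 60, "desktop": 30},
    {"period": "M3", "mail_filter": 880, "server": 50, "desktop": 20},
    {"period": "M4", "mail_filter": 120, "server": 310, "desktop": 570},
]


def shares(row):
    """Fraction of the period's detections made by each layer."""
    total = sum(row[layer] for layer in LAYERS)
    return {layer: (row[layer] / total if total else 0.0) for layer in LAYERS}


def stalled_layers(history, drop_ratio=0.5, min_total=50):
    """Layers whose share in the latest period fell below drop_ratio times
    their median share in earlier periods while a layer behind them caught
    more than usual. A hit is a prompt to check that layer's signature
    updates, not proof that they broke."""
    *earlier, latest = history
    if not earlier or sum(latest[layer] for layer in LAYERS) < min_total:
        return []  # no baseline, or too few detections to judge
    base = {layer: median(shares(r)[layer] for r in earlier) for layer in LAYERS}
    now = shares(latest)
    flagged = []
    for i, layer in enumerate(LAYERS):
        inner_grew = any(now[d] > base[d] for d in LAYERS[i + 1:])
        if base[layer] > 0 and now[layer] < drop_ratio * base[layer] and inner_grew:
            flagged.append(layer)
    return flagged


if __name__ == "__main__":
    print("check signature updates on:", stalled_layers(HISTORY))
```

Running it on shorter periods than a month shortens the window in which a silently stalled updater goes unnoticed.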
