Why one virus engine is not enough
Multiple virus engines are needed to reduce time lag between virus outbreak and signature update - by GFI Software
There is no single anti-virus engine on the market today that is always the fastest and most effective at identifying viruses, trojans and other threats. This white paper examines why having multiple anti-virus scanners at mail server level substantially reduces the chance of virus infection and explores ways in which this can be achieved.
It is a well known fact that viruses, trojan horses, worms, spam, and other forms of malware present a real threat to all modern-day organizations and affect productivity and business operations negatively. According to the 2006 FBI Crime and Security Survey, 97% of organizations have anti-virus software installed, yet 65% have been affected by a virus attack at least once during the previous 12 months. Network World cited studies that placed the cost of fighting Blaster, SoBig.F, Sober and other email viruses at $3.5 billion for US companies alone. Similarly a 2006 study by the British government found that 43% of companies in the United Kingdom were infected by viruses during 2005.
Responsible organizations agree that they need to protect their network from virus attacks by installing an email security product. Yet malicious code is becoming more sophisticated and is advanced everyday as virus writers hone their skills and sharpen their code to stay one-step ahead of virus detection methods, penetrating anti-virus and firewall solutions with alarming regularity. The success of these viruses is, to a large part, linked to the flawed logic and inherent weakness of protection strategies that are based on a single scanning engine to assess the threat of incoming files.
This white paper explains why the answer to the question: “Is one anti-virus engine enough to protect the internal network from mass-mailing viruses, worms and other email-borne threats?” - is an emphatic “NO!” It also examines the need for multiple anti-virus engines to reduce the average response time to a virus outbreak, and thus reduce the chance of having your network infected. The use of multiple virus engines also enables security administrators to be vendor-independent when it comes to virus scanning, thereby able to use the best of breed virus engines available on the market.
The need to have a fast response time
One of the most important factors in the successful protection of your network against viruses is how fast you get new virus engine signature files – those files released by anti-virus labs that help to identify a virus when there is a virus outbreak. Email allows viruses to be spread at lightning speed in a matter of hours, and a single email virus is enough to infect your whole network. Obviously then, a critical factor is how fast the signature files of your anti-virus solution are updated when a new virus emerges. In every virus attack there is a time differential between the outbreak of the new virus and the release of signatures to defeat and eliminate it. The faster a signature file is created, the less likely the chance of an infection. A 2006 study by the UK government found, for example, that although 100% of large British companies use anti-virus products, 43% of them were infected by viruses during 2005, largely because virus signature updates had not been deployed fast enough.
Every anti-virus vendor in the market claims to have a fast response time. However the reality is not quite so sanguine. Anti-virus labs produce updates for virus and worm outbreaks at different intervals. For example, the same lab may produce an update for one virus within six hours, yet take 18 hours for the next one. Complicating the matter further is that while, on average, some companies perform better than others, there is no one company that will always be the first and fastest to respond to a virus outbreak. Granted some companies may be faster on more occasions, but it is never the same company that delivers protection the first. One time it is Kapersky, the next it is McAfee, another time BitDefender or Norman and so on.
Time differences may also occur that are not the result of the quality of the work or the competency of the lab, but reflect their geographic location and time zone related factors. Read the full article: Why one virus engine is not enough
» posted by gillykramer
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
Multiple Scan Engines
This article brings to mind Microsoft's Forefront product. The New Jersey company they acquired to add to their security product permitted you to run multiple scan engines to protect the exchange server.A number of security appliances have multiple scan engines. Several years ago, Trend Micro had the "named" scan engine in a 3rd party appliance and Kaspersky's scan engine was so far under the head that it did not appear on data sheets.
An issue not really addressed in the article - do you run the engines in parallel? Does everything get tested by both? Is the testing random between the two (or more engines) with an equal or unequal weighting? Microsoft's acquisition (I haven't looked what Microsoft does with respect to this) permitted you to tweak the percentages.
And of course - what is the effect of multiple scan engines on performance?