We use Sophos Endpoint (enterprise level). Happy with it, but scans slow down Macs with 1 GB of RAM.
We have SEP12 here but I avoid it like the plague. It's probably one of the crappiest programs I have dealt with. I would love to move to Sophos, but red tape dictates that, so for now... ClamXav.
Currently I run a script at login that updates virus defs. I would love to see some scripts people have used for Sentry as I would like to set up weekly scanning schedules.
We've been using Symantec Endpoint Protection, currently version 11 but moving to 12. It's managed from a Windows Server, we found it to have the least impact to system performance among the "Enterprise" level solutions. The initial setup/config of the server can be a pain, and the client has to be deployed post-imaging. It seems to work though.
We actually use Sophos for all the windows machines and the servers but do not use it on the Macs. We tested it at one time and I found it to be too slow on the lower level machines and also excluding Flashback there isn't really much of a point...
DNSChanger got pretty big for a while and Flashback is definitely an issue but there are always good 'ol *NIX ways of dealing with these things.
It seems silly burning CPU time catching macro viruses in email (edit: actually here this is already taken care of anyway, so I guess maybe memory sticks?) and crap in the Cache of web browsers that doesn't even affect the systems they are on.
</$0.02>
+1 for Sophos:
http://www.sophos.com/en-us/products/endpoint.aspx
I run the management console on a Win 2008 R2 Data Center VM running in our VMWare environment. It's simple to manage and simple to deploy with Casper. I recently moved the console to a new server and did an uninstall of the Sophos client and re-install of the new client on the Macs. It happened effortlessly like I would expect.
@rmanly
Actually, there *is* much of a point. While the Mac may not get infected, it's estimated that 1 in 5 Macs carries Windows malware that can be passed on. Macs should be good corporate citizens and have AV.
@matt
Is "sentry" the active scanning portion of ClamAV?
@jarednichols SEP11 was cr@p since it doesn't support Lion or 64-bit...and it had very immature (on Mac) management controls, so it was intrusive as heck. SEP12 appears to be much better...fully compatible with new Macs, and the management controls are much more mature, so it's easier to manage background processes, scan controls, exclusions, etc.
We never enable background/active scanning...if we ever needed to (example, new virus announced that eats your computer as you work), we can toggle those things on at the server side when needed.
Symantec has a bad name in the Mac community (happy to say I helped there), but they've put a lot into the development side, as the Macs become more of an option in enterprise. I know you're a McAfee shop, but good info to know.
Personally, I'd go with Sophos and be done with it...but if we can leverage what's there, we save tons of money and possibly some jobs. ;)
Don
@Don
Thankfully, money's not an issue and we're more interested in doing what's right for the business unit's users than saving a few shekels.
If the Windows machines are already doing on-access scanning, and you have a BIG A/V solution digging through all your email, then how would that happen?
;)
I like this post that went up today and RIXSTEP in general. Always willing to stick it to Apple for doing something stupid.
http://rixstep.com/1/20120425,00.shtml
"Whilst the engineers at Apple sat on their hineys for two months and let up to 700,000 Apple customers get hurt."
"Beware Windows antivirus snake oil peddlers."
p.s. bypassing A/V is child's play nowadays. Not saying that everyone should uninstall it from all of their machines (oh how I pine for that glorious day) but going back to the Metasploit versions released in late 08 it is now incredibly trivial to create an executable with signatures that nothing has seen before.
http://pauldotcom.com/wiki/index.php/Metasploit#Using_Metasploit_To_Bypass_Anti-Virus
http://pauldotcom.com/wiki/index.php/Episode125#Tech_Segment:_Bypassing_Anti-Virus_Software_The_Script-Kiddie_Way
https://www.youtube.com/watch?v=FvwdyHlyhgc
http://www.defenceindepth.net/2009/12/bypassing-anti-virus.html
http://www.irongeek.com/i.php?page=videos%2Fmsfpayload-msfencoder-metasploit-3-3
p.p.s. No one ever got fired for installing (antivirus|firewall)
p.p.p.s. If you haven't noticed, AV in general would qualify for my own segment of "You know what really grinds my gears..." and I don't want to see its horrible band-aid approach to bigger security problems spread to other OSes.
We use SEP 12. It's an evil, eeeeevil program to install. Once you shoe horn it onto the Macs though, it's at least a quiet little piece of crapware. No performance issues or incompatibility issues reported. It's been deployed for about 6 months.
I'd have much rather gone with Sophos, but was left out of that initial conversation :P
We're moving to Sophos AV using the Enterprise Console from Sophos. Looks like later this year the encryption will be pulled in as well.
+1 Sophos
Have used McAfee, Symantec and Sophos. Sophos is the hands-down winner for enterprise use; it's by far the better package.
The Enterprise console makes it really easy to deploy and manage and report on.
Are you sure SEP does not have any performance problems for you?
If I connect a Thunderbolt drive to a vanilla Lion OS I can copy 35 GB of data in ~7 mins, and with SEP it took nearly 11.
I'm not sure I'd call a four minute difference a "performance problem". Every antivirus software that actively scans files as they're being accessed is going to impact performance just by its very nature. That's just overhead we have to endure while we use that product.
In this case you're seeing a "~4 minute performance hit" or better yet a "~36% performance hit".
As long as you're copying the exact same 35 GB of data then you can fairly compare your SEP performance hit with those of other products to determine which has the least impact while still actively scanning.
I haven't seen any recent third-party performance comparisons of Mac antivirus products but would be nice to find someone who's already done that work.
A lot of the performance hits depend on your settings as well.
For instance, on machines that have SSDs, initially it made sense to make your active scanning happen on read, not write, as SSDs initially were much faster in reading data. They've since closed that gap from what I know.
However, a lot of vendors by default scan on write.
We've used Sophos endpoint for several years and have been very happy with it. We're contemplating Kaspersky simply because they are partnered with VMWare for Virtualization but I don't see any other major performance differences. However, Sophos has been in the mac game longer at an enterprise and I trust them.
We're in year three of our 4 year license with Sophos and have been pretty happy with it. Antivirus is one beast that's nice to have in a single console and Sophos has taken a fairly balanced approach to Windows and Mac. Because of some of the old windows viruses still circulating, they end up being seen by our macs from time to time so it's nice to know we have antivirus on them.
Looks like I'll be giving Sophos a good look :) Thanks all
Does anyone use ClamXav or ClamAV? ClamXav provides the GUI interface for user initiated scanning. ClamAV appears to run solely underneath the hood. ClamAV has an on-access kernel extension.
http://blog.clamav.net/2012/03/on-access-scanning-for-os-x.html
If you use ClamAV, what extension attributes and policy scripts do you use to make sure it remains enabled and stays up-to-date with software version and virus defs?
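One way to answer the question above is a Casper extension attribute that reports whether the ClamAV engine is present, what version it is, and how old its signature files are, so a smart group can catch Macs where updates have silently stopped. The script below is an added example, not something posted in this thread or shipped by ClamXav or Sophos. It assumes the ClamXav.com bundle layout (clamscan under /usr/local/clamXav/bin and definitions under /usr/local/clamXav/share/clamav); both paths and the staleness threshold are hypothetical and can be overridden through environment variables.

```shell
#!/bin/bash
# Hypothetical extension attribute: ClamAV engine + definition freshness.
# Added example; assumed paths (override with CLAM_BIN / DEF_DIR / MAX_DEF_AGE_DAYS).
CLAM_BIN="${CLAM_BIN:-/usr/local/clamXav/bin/clamscan}"
DEF_DIR="${DEF_DIR:-/usr/local/clamXav/share/clamav}"
MAX_DEF_AGE_DAYS="${MAX_DEF_AGE_DAYS:-3}"

# Age in whole days of the newest definition file (daily/main .cvd or .cld)
# under the given directory. Prints -1 when no definition file exists.
def_age_days() {
  local dir="$1" newest=0 f mtime now
  now=$(date +%s)
  for f in "$dir"/daily.cvd "$dir"/daily.cld "$dir"/main.cvd "$dir"/main.cld; do
    if [ ! -f "$f" ]; then continue; fi
    # GNU stat first, then BSD/macOS stat (the GNU form fails there).
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
    if [ "$mtime" -gt "$newest" ]; then newest=$mtime; fi
  done
  if [ "$newest" -eq 0 ]; then echo -1; return 0; fi
  echo $(( (now - newest) / 86400 ))
}

# Classify one install. Output is a short string suitable for a smart-group
# criterion: "Missing", "No definitions", "Stale (N days) <version>", or
# "OK <version> (N days)".
clam_status() {
  local bin="$1" dir="$2" max_age="$3" age version
  if [ ! -x "$bin" ]; then echo "Missing"; return 0; fi
  # First line of `clamscan --version`, e.g. "ClamAV 0.97.4/14800/...".
  version=$("$bin" --version 2>/dev/null | head -n 1)
  age=$(def_age_days "$dir")
  if [ "$age" -lt 0 ]; then echo "No definitions"; return 0; fi
  if [ "$age" -gt "$max_age" ]; then
    echo "Stale ($age days) $version"; return 0
  fi
  echo "OK $version ($age days)"
}

# Casper expects the value wrapped in <result> tags.
echo "<result>$(clam_status "$CLAM_BIN" "$DEF_DIR" "$MAX_DEF_AGE_DAYS")</result>"
```

Pair the attribute with a smart group on "Stale" or "Missing" and a policy that re-runs freshclam or reinstalls the package; the definition age check is what catches the quiet failure mode where the engine is installed but the login-time update stopped working.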
I'm basically at the stage of a bake off between ClamXAV and Sophos. I've gotten all of the ClamXAV settings managed through MCX with Casper and it is very lightweight. My big hurdle to clear is making sure our risk guys sign off on it. But, before that, I have to give Sophos a look.
+1 Sophos, has worked well with Casper in all aspects (install at imaging, updates, extension attributes).
@jarednichols - are you working with the ClamXav from ClamXav.com or from the Mac App Store?
From clamxav.com. The App Store one doesn't include Sentry and other goodies that are required.
Care to share your scripts and extension attributes?