Antivirus in an Enterprise environment

jarednichols
Honored Contributor

Hi-

I'm interested in seeing what people use for their AV solutions. We currently use McAfee Security for Mac, but it's resource heavy and it's serviced by another department. (We're piggybacking for now on their service.)

Thankfully, I have the latitude to choose the solution that meets our needs. I've given VirusBarrier a look and while I appreciate that it's Mac-centric, it's a bit *too* Mac-centric as it requires Mac OS X on the backend. With Apple out of the Enterprise game, I'm not comfortable with a Mac Mini or Mac Pro in the datacenter, nor would our datacenter guys go for it. If Apple would let the server OS be virtualized in something like an Enterprise-level VMWare, this would be moot.

So, I'm looking at ClamAV. Does anyone currently manage it with Casper? What are your experiences, good/bad/indifferent?

I'm open to other solutions, as long as they can run on Enterprise infrastructure (i.e., not an Apple OS). One that came to mind was Sophos', but I don't know if their Mac product is anything but the free home one I've seen (can't seem to find anything but that and their FDE for Mac solutions on their site).

Thanks for any & all input.


CasperSally
Valued Contributor II

We use Sophos Endpoint (enterprise level). Happy with it, but scans slow down Macs with 1 GB of RAM.

Matt
Valued Contributor

We have SEP12 here but I avoid it like the plague. It's probably one of the crappiest programs I have dealt with. I would love to move to Sophos but red tape dictates that, so for now... ClamXav.

Currently I run a script at login that updates virus defs. I would love to see some scripts people have used for Sentry as I would like to set up weekly scanning schedules.

JRM
Contributor

We've been using Symantec Endpoint Protection, currently version 11 but moving to 12. It's managed from a Windows Server, we found it to have the least impact to system performance among the "Enterprise" level solutions. The initial setup/config of the server can be a pain, and the client has to be deployed post-imaging. It seems to work though.

rmanly
Contributor III

We actually use Sophos for all the windows machines and the servers but do not use it on the Macs. We tested it at one time and I found it to be too slow on the lower level machines and also excluding Flashback there isn't really much of a point...

DNSChanger got pretty big for a while and Flashback is definitely an issue, but there are always good ol' *NIX ways of dealing with these things.

It seems silly burning CPU time catching macro viruses in email (edit: actually here this is already taken care of anyway, so I guess maybe memory sticks?) and crap in the Cache of web browsers that doesn't even affect the systems they are on.

</$0.02>

stevewood
Honored Contributor II

+1 for Sophos:

http://www.sophos.com/en-us/products/endpoint.aspx

I run the management console on a Win 2008 R2 Data Center VM running in our VMWare environment. It's simple to manage and simple to deploy with Casper. I recently moved the console to a new server and did an uninstall of the Sophos client and re-install of the new client on the Macs. It happened effortlessly like I would expect.

jarednichols
Honored Contributor

@rmanly

Actually, there *is* much of a point. While the Mac may not get infected, it's estimated that 1 in 5 Macs carries Windows malware that can be passed on. Macs should be good corporate citizens and have AV.

@matt
Is "sentry" the active scanning portion of ClamAV?

donmontalvo
Esteemed Contributor III

@jarednichols SEP11 was cr@p since it doesn't support Lion or 64 bit...and it had very immature (on Mac) management controls, so it was intrusive as heck. SEP12 appears to be much better...fully compatible with new Macs, and the management controls are much more mature so it's easier to manage background processes, scan controls, exclusions, etc.

We never enable background/active scanning...if we ever needed to (example, new virus announced that eats your computer as you work), we can toggle those things on at the server side when needed.

Symantec has a bad name in the Mac community (happy to say I helped there), but they've put a lot into the development side, as the Macs become more of an option in enterprise. I know you're a McAfee shop, but good info to know.

Personally, I'd go with Sophos and be done with it...but if we can leverage what's there, we save tons of money and possibly some jobs. ;)

Don

--
https://donmontalvo.com

jarednichols
Honored Contributor

@Don

Thankfully, money's not an issue and we're more interested in doing what's right for the business unit's users than saving a few shekels.

rmanly
Contributor III

If the Windows machines are already doing on-access scanning, and you have a BIG A/V solution digging through all your email, then how would that happen?

;)

I like this post that went up today and RIXSTEP in general. Always willing to stick it to Apple for doing something stupid.

http://rixstep.com/1/20120425,00.shtml

"Whilst the engineers at Apple sat on their hineys for two months and let up to 700,000 Apple customers get hurt."

"Beware Windows antivirus snake oil peddlers."

p.s. Bypassing A/V is child's play nowadays. Not saying that everyone should uninstall it from all of their machines (oh how I pine for that glorious day), but going back to the Metasploit versions released in late '08 it is now incredibly trivial to create an executable with signatures that nothing has seen before.

http://pauldotcom.com/wiki/index.php/Metasploit#Using_Metasploit_To_Bypass_Anti-Virus
http://pauldotcom.com/wiki/index.php/Episode125#Tech_Segment:_Bypassing_Anti-Virus_Software_The_Script-Kiddie_Way
https://www.youtube.com/watch?v=FvwdyHlyhgc
http://www.defenceindepth.net/2009/12/bypassing-anti-virus.html
http://www.irongeek.com/i.php?page=videos%2Fmsfpayload-msfencoder-metasploit-3-3

p.p.s. No one ever got fired for installing (antivirus|firewall)

p.p.p.s. If you haven't noticed, AV in general would qualify for my own segment of "You know what really grinds my gears..." and I don't want to see its horrible band-aid approach to bigger security problems spread to other OSes.

acdesigntech
Contributor II

We use SEP 12. It's an evil, eeeeevil program to install. Once you shoe horn it onto the Macs though, it's at least a quiet little piece of crapware. No performance issues or incompatibility issues reported. It's been deployed for about 6 months.

I'd have much rather gone with Sophos, but was left out of that initial conversation :P

jhbush
Valued Contributor II

We're moving to Sophos AV using the Enterprise Console from Sophos. Looks like later this year the encryption will be pulled in as well.

DHS
New Contributor

+1 Sophos

Have used McAfee, Symantec and Sophos. Sophos is the hands down winner for enterprise use; it's by far the better package.

The Enterprise console makes it really easy to deploy and manage and report on.

nessts
Valued Contributor II

Are you sure SEP does not have any performance problems for you?
If I connect a Thunderbolt drive to a vanilla Lion OS I can copy 35 GB of data in ~7 mins, and with SEP it took nearly 11.

talkingmoose
Moderator

I'm not sure I'd call a four minute difference a "performance problem". Every antivirus software that actively scans files as they're being accessed is going to impact performance just by its very nature. That's just overhead we have to endure while we use that product.

In this case you're seeing a "~4 minute performance hit" or better yet a "~36% performance hit".

As long as you're copying the exact same 35 GB of data then you can fairly compare your SEP performance hit with those of other products to determine which has the least impact while still actively scanning.

I haven't seen any recent third-party performance comparisons of Mac antivirus products but would be nice to find someone who's already done that work.

jarednichols
Honored Contributor

A lot of the performance hits depend on your settings as well.

For instance, on machines that have SSDs, initially it made sense to make your active scanning happen on read, not write, as SSDs initially were much faster in reading data. They've since closed that gap from what I know.

However, a lot of vendors by default scan on write.

Chris_Hafner
Valued Contributor II

We've used Sophos Endpoint for several years and have been very happy with it. We're contemplating Kaspersky simply because they are partnered with VMWare for virtualization, but I don't see any other major performance differences. However, Sophos has been in the Mac game longer at an enterprise level and I trust them.

John_Wetter
Release Candidate Programs Tester

We're in year three of our four-year license with Sophos and have been pretty happy with it. Antivirus is one beast that's nice to have in a single console, and Sophos has taken a fairly balanced approach to Windows and Mac. Because of some of the old Windows viruses still circulating, they end up being seen by our Macs from time to time, so it's nice to know we have antivirus on them.

jarednichols
Honored Contributor

Looks like I'll be giving Sophos a good look :) Thanks all

Walter
New Contributor II

Does anyone use ClamXav or ClamAV? ClamXav provides the GUI interface for user initiated scanning. ClamAV appears to run solely underneath the hood. ClamAV has an on-access kernel extension.

http://blog.clamav.net/2012/03/on-access-scanning-for-os-x.html

If you use ClamAV, what extension attributes and policy scripts do you use to make sure it remains enabled and stays up-to-date with software version and virus defs?
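As an added example (not from the thread or from ClamXav), here is a Casper extension-attribute script of the kind Walter asks for: it reports stale definitions and a stopped Sentry so a smart group can flag machines that need a policy run. The signature directory and the Sentry process name are assumptions that the thread does not confirm; adjust them for your install.

```shell
#!/bin/sh
# Casper extension attribute (added example, not from the thread): reports whether
# the ClamAV definitions are fresh and whether ClamXav Sentry is running.
# Assumptions: the engine keeps signatures in CLAM_DB_DIR and the Sentry
# process is named "ClamXav Sentry"; both are guesses, adjust for your install.
CLAM_DB_DIR="${CLAM_DB_DIR:-/usr/local/clamXav/share/clamav}"
SENTRY_PROC="${SENTRY_PROC:-ClamXav Sentry}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-48}"

# Modification time (epoch seconds) of a file, on macOS or Linux.
file_mtime() {
    if [ "$(uname)" = "Darwin" ]; then stat -f %m "$1"; else stat -c %Y "$1"; fi
}

# Age in hours of the newest signature file in directory $1, or -1 if none exists.
def_age_hours() {
    newest=0
    for f in "$1"/daily.cld "$1"/daily.cvd "$1"/main.cld "$1"/main.cvd; do
        [ -f "$f" ] || continue
        mtime=$(file_mtime "$f")
        if [ "$mtime" -gt "$newest" ]; then newest=$mtime; fi
    done
    if [ "$newest" -eq 0 ]; then echo -1; return; fi
    now=$(date +%s)
    echo $(( (now - newest) / 3600 ))
}

# "yes" if a process whose name is exactly $1 is running, else "no".
sentry_running() {
    if pgrep -x "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Builds the EA value: "OK", or a semicolon-separated list of problems.
ea_status() {
    age="$1"; running="$2"; max="$3"; msg=""
    if [ "$age" -lt 0 ]; then msg="No definitions"
    elif [ "$age" -gt "$max" ]; then msg="Definitions stale (${age}h)"
    fi
    if [ "$running" != "yes" ]; then
        if [ -n "$msg" ]; then msg="$msg; "; fi
        msg="${msg}Sentry not running"
    fi
    if [ -n "$msg" ]; then echo "$msg"; else echo OK; fi
}

AGE=$(def_age_hours "$CLAM_DB_DIR")
RUNNING=$(sentry_running "$SENTRY_PROC")
echo "<result>$(ea_status "$AGE" "$RUNNING" "$MAX_AGE_HOURS")</result>"
```

A smart group on this attribute (anything other than "OK") can then scope a policy that re-runs freshclam or relaunches Sentry.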

jarednichols
Honored Contributor

I'm basically at the stage of a bake off between ClamXAV and Sophos. I've gotten all of the ClamXAV settings managed through MCX with Casper and it is very lightweight. My big hurdle to clear is making sure our risk guys sign off on it. But, before that, I have to give Sophos a look.

Not applicable

+1 Sophos, has worked well with Casper in all aspects (install at imaging, updates, extension attributes).

Walter
New Contributor II

@jarednichols - are you working with the ClamXav from ClamXav.com or from the Mac App Store?

jarednichols
Honored Contributor

From clamxav.com. The App Store one doesn't include Sentry and other goodies that are required.

Walter
New Contributor II

Care to share your scripts and extension attributes?

jarednichols
Honored Contributor

ernstcs
Contributor III

Sophos here, and I've been satisfied with it using Enterprise Console. Have to upgrade to new version after semester ends. Going to start using it for Linux clients as well.

Walter
New Contributor II

Thanks Jared. Will you be enabling the on-access scanning too?

Did you use composer and build a package from the /Applications/ClamXav.app folder? What do you do to get the ClamAV engine installed? Run installer with the package inside ClamXav.app/Contents/Resources/clamavEngineInstaller104.pkg?

I tried doing this but I think some things didn't work right. I could never run ClamXav.app and manually have it update the signatures (run freshclam) successfully. It always told me I still needed to update the signatures again.

jarednichols
Honored Contributor

Hi- I do have Sentry running. I ran Composer in filesystem monitoring mode as it installs items on first launch. Aside from defining the proxy in the freshclam.conf file, updates have worked fine.

Walter
New Contributor II

Well, I figured out why my ClamXav wasn't updating definitions. Our secure configuration includes a sudo setting to require a TTY. freshclam runs in the background via sudo without a tty. It was also preventing Sentry from starting.

jarednichols
Honored Contributor

Update: There's some "out of band" issues that have come up and we're sticking with blasted McAfee.

AAARRRRG.

I may have said "It's not a matter of if, but a matter of when I say 'I told you so.'"

[/rant]

donmontalvo
Esteemed Contributor III

@jarednichols For what it's worth, this sounds like the age old argument, where the pro-heterogeneous Wintel team can't be bothered with the issues related to real-world homogeneous environments.

We provide documentation on what may happen and why your recommended solution can prevent unnecessary risk and downtime and increase ROI...companies tend to listen when a light is shined on those things. So we become part of the solution, and the Wintel folks can decide if they want to be part of the problem.

--
https://donmontalvo.com

jarednichols
Honored Contributor

It's a battle I'm not going to pick right now. It's less effort for me to just let McAfee fall on their faces. When it becomes untenable (and it will) then I'll worry about it.

donmontalvo
Esteemed Contributor III

@jarednichols I hear ya...we're waiting to get started testing SEP12, that should be loads of fun. SEP12 console policies for Mac computers will be under my control, I made sure of that. LOL

--
https://donmontalvo.com

Kevin
Contributor II

We have been using SEP 12 for quite a while now without issue. We have about 450 Macs and nearly 2,000 PC clients. Older versions of Symantec AV caused significant issues with our Adobe InDesign/InCopy workflow (we are a publisher), but those issues were resolved in SEP 12.

acdesigntech
Contributor II

@donmontalvo - a word of warning, watch the Symantec scans on your JSS - it eats up CPU cycles enough that remote and imaging more often than not will time out if coming from a remote location. Lately we've been experiencing timeout from local admin boxes. It's a nightmare. Killing the navx process (how it appears on OS X) will fix this immediately.

Feel free to hit me up with any questions. I've had to teach the Symantec engineers a few things about how their product actually works on the Mac.

donmontalvo
Esteemed Contributor III

@acdesigntech If you're having CPU issues and are having to kill the navx process, I would tweak your console settings for a less intrusive, more conservative set of policies, exclusions, etc.

If you don't have access to SEP12 console, might want to position yourselves so when these issues come up the bullseye is painted squarely on the group that does control the settings.

We've been working closely with Symantec engineers for years, unfortunately some of the more capable ones (like Todd Woodward) moved on to other areas within Symantec. But there are still engineers who "get it" and can help snuff these issues.

--
https://donmontalvo.com

acdesigntech
Contributor II

@donmontalvo - I'm doing just that right now! I took a look at the scanning schedule (which my team does not control and it is known that we don't), and to my surprise saw a niceness setting of 20, not -20...

cvgs
Contributor II

We are also using McAfee, but "resource heavy" is an understatement. It is interfering with our 802.11 WLAN network, it interferes with software installation, it makes a simple login take 10 minutes in some situations, and so on. We have all 4 components of "McAfee Security" enabled, but the policies are not restrictive at all.

Is anybody using McAfee and has at least bearable results?

donmontalvo
Esteemed Contributor III

@acdesigntech Ya, that's the problem, as long as you don't have control of the console, you can't disable the stuff that causes problems. :(

--
https://donmontalvo.com