Antivirus in an Enterprise environment

jarednichols
Honored Contributor

Hi-

I'm interested in seeing what people use for their AV solutions. We currently use McAfee Security for Mac, but it's resource heavy and it's serviced by another department. (We're piggy backing for now on their service.)

Thankfully, I have the latitude to choose the solution that meets our needs. I've given VirusBarrier a look and while I appreciate that it's Mac-centric, it's a bit *too* Mac-centric as it requires Mac OS X on the backend. With Apple out of the Enterprise game, I'm not comfortable with a Mac Mini or Mac Pro in the datacenter, nor would our datacenter guys go for it. If Apple would let the server OS be virtualized in something like an Enterprise-level VMWare, this would be moot.

So, I'm looking at ClamAV. Does anyone currently manage it with Casper? What are your experiences, good/bad/indifferent?

I'm open to other solutions, as long as they can run on Enterprise infrastructure (i.e. Not an Apple OS.) One that came to mind was Sophos', but I don't know if their Mac product is anything but the free home one I've seen (can't seem to find anything but that and their FDE for Mac solutions on their site).

Thanks for any & all input.

92 REPLIES 92

nkalister
Valued Contributor

@ cvgs- yeah, I'm using Mcafee, and not having any of the problem you're describing. We use 802.1x for both wired and wireless, no problems there, no problems with software installs, either.
At idle, it's eating maybe 3-4% of available CPU. When the system's seeing a lot of disk activity, that can go up to 15-20%.
I deploy the agent and the application from Casper, and include them in my system image for new builds.

charles_hitch
Contributor II

We are using McAfee as well. We turned off the firewall (have the native OS X fw running) and application protection (all about risk management). It was Application Protection that was killing us. This had to be done in local preferences so a couple defaults commands took care of it. Having them running was hosing software installs and usability. We recently received a hotfix for McAfee Security itself as well as one for ePO. It makes the install a 5 step nightmare, but in our testing it seems to work. Haven't deployed fully yet.

cvgs
Contributor II

@nkalister good to hear that it can work... i am still trying to figure out when exactly the slowdowns happen. Opening iMovie, for example, results in the McAfee menu item briefly showing an exclamation mark while the whole system pauses for 10 seconds, but only once after each login. strange stuff...

matthewbodaly
New Contributor

I've used both Kaspersky and Sophos on Macs

Matt
Valued Contributor

ClamAVx

jhbush
Valued Contributor II

@ cvgs most likely your issues revolve around your scans. You should look at setting your scans for write only. That resolved some of our issues with McAfee when we were using them. Other issues came up that just made switching to Sophos a better option.

chris_kemp
Contributor III

I'm using ClamXav here - have MCX handling the preferences, and so far it's worked very well.

SEP is an option, but I avoid Symantec like the plague. Too many bad experiences.

cvgs
Contributor II

@jhbush1973 our settings have been most relaxed to the point of doing nothing - the system still was slow as molasses sometimes. However, it looks like the upgrade to 1.2.0 fixed the slowness for us.

nkalister
Valued Contributor

one thing CVGS- we bought the license for mcafee's antivirus only- no firewall, no application protection. We tested the version with the firewall and app protection, and I saw many of the same issues you're seeing.

brlittle
New Contributor

Another (belated) vote for Sophos. The management console is nothing to write home about, and getting the update procedure down is finicky, but once it works, it works well.

jhalvorson
Valued Contributor

Currently SEP 12, not managed by any Symantec server. We are managing via the Casper Suite. I've been told to switch to TrendMicro and it will be managed with Tivoli.

Lincoln
Contributor

We are a mixed environment 80% Windows 7 clients and 20% Mac, Servers are mostly Windows 2008 R2 running on Hyper-V cluster. With that in mind here's our state of play.

We have been using Sophos on all machines with an internal update server and this was working very nicely for us. Being a school we get very good education rates on MS stuff and with SCCM2012 that includes System Centre Endpoint Protection. So we have just moved from Sophos to MS SCEP for all Windows machines and I was testing deployment of ClamXAV when MS announced that SCEP was available for Mac and with SCCM2012 SP1 there would be support for local hosting of updates for SCEP for Mac. So I have packaged, tested and deployed SCEP to all our Macs and have to say that so far it is all going swimmingly. For the moment they are getting updates through our proxy but once SP1 is out we will host updates locally.

Regards

Lincoln

Paolo
New Contributor

We use Sophos for windows server and clients and Macs.
It functions a lilttle better on windows but if you have SSD on your laptops, there's nothing to worry about.

Pretty good protection too.

ajohnson
New Contributor

Does anyone have any more recent thoughts on this post? We have encountered some performance issues with Sophos Cloud, and are considering switching. We also need a solution that will support Linux servers. Does anyone have a solution that they are super happy with? Would also like something that plays nicely with FileVault.

chriscollins
Valued Contributor

@ajohnson whatever you do, I'd stay away from Trend Micro. Their PC software is fine, but their Mac software is terrrrrrible.

emily
Valued Contributor III
Valued Contributor III

We've been pretty happy with Sophos (Enterprise Console) for our Macs. It's gotten a little tricky to deploy, but @rtrouton is always on the case.

davidacland
Honored Contributor II

Our preference is still Sophos as the enterprise console works well with Active Directory to automatically configure all the client side settings. Most of our clients are already using McAfee on their Windows computers so we end up having to deploy that quite often. Neither are pkgs and so require a command to get them installed.

Chris_Hafner
Valued Contributor II

Does anyone have an opinion on eset vs Sophos? We've been a happy sophos customer for about five years, but the eset console is tempting.

rtrouton
Release Candidate Programs Tester

I have a post showing how I'm currently packaging Sophos Enterprise 9.2.x for my own shop:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/

dpertschi
Valued Contributor

I've been supporting Macs for a long time, and this is question comes up with regularity on a variety of different forums over the years.

Time and time again, I generally see more nods of acceptance towards Sophos.

I've never used it, but fewer people seem complain about using Sophos v.s. 'the others'

gachowski
Valued Contributor II

Alexis,

We are content with Symantec. They just rewrote the app before X.9 and it works well. We are in their beta program and get to test beta OS X with their beta client. They have been very responsive and helpful with our beta feedback

They have released the X.9 and X.10 client the same day Apple released.

The two downsides that I see is that the client .pkg is created on the server so you have to update your Symantec management server before you can create the client .pkg. Also the virus defs are in the client .pkg so the defs are out of date in you build the day after you update your server. As you don't update the server or the installer that often. We had a small issue with the X.9 client auto updating (and we scripted a solution) but the X.10 client has been rock solid.

C

jconte
Contributor II

we are using mcafee.

casper100
New Contributor II

Just finished a POC with the Sophos AV & Enterprise Console and was very happy with it (for my use - and usual disclaimers). Their sales people connected me with technical people whenever I had questions during the free trial and were very helpful. I found that between JamfNation, @rtrouton @tkimpton and Sophos' own KB and communities that there were vast and rich resources to navigate me through most of the unknowns. I, too, wanted to try ESET before making my final decision but the help resources weren't as plentiful and, frankly, their sales people seemed uninterested in a small installation such as ours, and were rather "disengaged". After they sent me some very outdated Mac materials, I gave up on them.
An independent review of various Mac AV client's effectiveness placed Sophos at the top in all categories but one (ESET was first in that category and second in all the others). I easily integrated the alert logs with our InfoSec's Splunk tool so they are happy. I can dig around for the link to the review (it was from late 2014) if you wish. If JN had some sort of double-blind email system for registered and verified members, I'd send you a redacted copy of my detailed POC that I submitted to management. Or, if you have a disposable email address, post it here and I'll email you all of the info. I'm funny about public disclosure of personal info. I spelled out my name on JN-IRC the other day and immediately broke out in hives. :-)

dgreening
Valued Contributor II

We use Sophos with the Enterprise Console running on a 'Doze Server 2008 R2 VM. We have an update manager (VM) for US/UK and one for APAC (VM). Can't say we have had any complaints from users, unlike SEP 12 which we moved away from. We do keep our users machines in warranty though, so there aren't many if any clunkers kicking around.

ajohnson
New Contributor

Thanks for all the responses! I'm wondering if anyone has used Sophos Enterprise in the past and has any familiarity with their cloud offering? We are using Sophos Cloud, and I'm not finding it to be as seamless as it sounds like the on prem offering is.

casper100
New Contributor II

Sorry, we're using on premise as my company is very wary of anything outside of our own data center. Otherwise, I would have just dropboxed the aforementioned docs to you. :) I have seen some threads around here of people moving in that direction (Sophos Cloud) and I'm sure someone will chime in. This community is awesome despite my own penchant for obscure humor and/or emotional responses.

reidg
New Contributor III

Looks like this thread has com back to life.

For those of you using ClamXav, would you be able to share how you enabled scheduled scans and/or Sentry, if applicable?

Thanks.

dstranathan
Valued Contributor II

@chriscollins Can you please expand on 'terrrrrrible'?

Buggy? Unstable? Resource-intensive? Intrusive? OS/software compatibility issues? Hard to install/manage/update? Any insight would be helpful.

I'm running ClamXav (i.e.; clamav + the GUI wrapper), but my IT dept recently purchased the Trend Micro Enterprise Suite - so there is a push to install (or at least consider installing) Trend Micro Security (Mac) 2.x on our ~300 Mac workstations. I have it on (2) IT test Macs running 10.10.2 Yosemite now.

yellow
Contributor

Where to go, what to choose?

  • At my former employment, we used McAfee, and it's something I'll never do again. 25% of our CPU cycles needlessly wasted doesn't make me happy.
  • At my new employment, when I started a couple years ago, they used Trend for both Windows and Macs. It was terrible.. on Windows. The number of re-images due to infection was excessively high, and techs had started installing WSE on PCs as a result. Eventually the powers that be were convinced that Trend had to go and we've currently with SCEP on Windows. Frankly cheaper, but not much better than Trend. But this is about Macs, so.. No one had installed Trend on a Mac in ages and it wasn't even a package in Casper, so that should tell you how popular it was.
  • Norton AV... hahahahahahahahahahahahahahahaha..... hahahahaha. We use PGP here, so I've had plenty of dealings with Symantec. I don't think they'll be getting any more of our money or time, if I can help it.
  • Many many moons ago, I tried Intego. It was ok, but their business practices over the last few years has been reckless ('proof of concepts released into the wild to sell AV'). So they're out.
  • Once it was available, I moved to ClamXav and I've been quite happy with it for my own use.

Now at my new employment, we're again at a crossroads where none of my predecessors have bothered with modern AV and it's become my job to choose and deploy something. Naturally I'm inclined to go with ClamX, EXCEPT they are no longer a freeware company. They've gone to pay-for (which is totally understandable!). If I'm going to end up paying licenses, then I want to make sure I'm getting something good. The general consensus here on JAMFNation seems to be that Sophos is the way to go, however, I have no interest in taking on the management of a yet another enterprise solution that requires a server-based console and management, strictly so some exec can check a box that says 'AV compliant on Macs'.

So here I am, which way to go?

  1. ClamX is lightweight and I can configure it to act sanely. I've used it for a long time and I'd like to support the little guy. I know it won't spend tons of time sucking CPU cycles needlessly. But it has no centralized enterprise level solution (do I care?). It's also a little ugly (do I care?). They will be reasonable with an EDU-based-bulk licensing scheme.
  2. Sophos is Enterprise level software. But I need a centralized server to run/control it from (I don't want to have to manage that too). It's considerably more heavyweight in terms of CPU cycle usage, from what I have read. I don't know what the EDU-based-bulk licensing would cost yet, but suspect it will be more than ClamXav. In the long run, will this be a better choice when someone asks what we're using?

gachowski
Valued Contributor II

Jacques,

Symantec rebuilt SEP for the Mac for X.9. I am not saying that it's perfect, but it is many times better than it was.

Also another plus for SEP is that since X.8 Symantec has delivered a working version on the day that Apple release a new OS... i.e. X.8, X.9 and X.10.

They also have a beta program that let's us test ahead of the OS release.

C

PS. Nobody has been able to convince me, that the built in AV is not enough. Last time I checked Apple is doing a reasonably good job.

mm2270
Legendary Contributor III

I've heard good things in general about Sophos on the Mac. As good as any AV product can get at least (they basically of all suck by nature)
But I would agree with @yellow If I could convince the org I work for to ditch McAfee I would in a heartbeat. Unfortunately, due to some "ins" and some buddy buddy stuff that is going on between McAfee reps and our InfoSec team, it seems it would take an act like their product erasing data across the entire company to even get them to admit its just so bad. I'm not even talking about just the Mac. Its bad on Windows too.

emily
Valued Contributor III
Valued Contributor III

I can't say any specifics but we have McAfee on some servers and it has a habit of really running up the CPU. Bad bad bad.

My lovely Macs use Sophos and it's lovely. McAfee is staying as far away from my Macs as possible.

phibo78
New Contributor

Sophos here as well.

It just works effortlessly in the background and is seemless for integration with the management console, our Windows/Mac are all running it and it's rare it to cause any problems with user base of 400 desktops, oldest being 2010 iMac,

Majority of users don't even know if it's there

ernstcs
Contributor III

Sophos here as well with no real complaints, at least on the client side.

There are a few things I wish it would do for automatically, like putting systems into groups based on some criteria, like naming patterns. As far as I know it can't do that. When a machine is imaged, the client is installed and it phones home it goes into a default container. You have to manually move it into the preferred group.

You can make it go into groups based on AD as well, but only when you trigger an import, again...based on what I recall. Perhaps that's changed.

tico
New Contributor

We use Webroot Secure Anywhere

tnielsen
Valued Contributor

SEP 12.1.6 Enterprise here. It's crap, don't buy it. It's always happy to scan your email for PC trojans, though.

ClamAV or Sophos or even better... nothing. Bosses don't like to hear the "we dont use antivirus" talk though.

jarednichols
Honored Contributor
Bosses don't like to hear the "we dont use antivirus" talk though.

No, they don't. However, if you can have it intelligently they may budge. If you're using a large AV vendor's product you should have some infection rates and such, and perhaps even infection vector if you combine information from a proxy/firewall. Add in remediation tickets from your help desk system and you may end up with a compelling argument that the vectors of infection (like drive-bys) are passing through AV like swiss cheese, don't end up on Macs to begin with and that good security practice is 80% user education.

jimmy-swings
Contributor II

Does anyone extend their security controls beyond antivirus? What are these? Does anyone have any recommendations on the following:
- Data Loss Prevention
- File Integrity Monitoring
- Firewalls (location aware)

VT-Vincent
New Contributor III

We've historically used Sophos on everything but starting this school year we're going antivirus-free on the student machines and moving to Kaspersky for our staff machines. I'd be curious to hear about any experiences anyone has had with Kaspersky.

ronb
New Contributor II

We used McAfee way back in the day - I won't go back.
We have been using ClamXav. Though it never caught the three adware problems (the only malware we've ever received on our Macs), but we used Adware Medic, which did a great job cleaning them out.

So now that ClamXav has gone commercial (good for you, Mark Allan!), we've been researching, trying to determine if we even need third party protection, given recent Mac OS anti-virus initiatives. If we do stay with some third party solution, we'll be contemplating Sophos vs ClamXav. We're a pretty small shop, so will probably stick with the lean and mean ClamXav along with Adware Medic. Oh wait, they've got commercial solutions as well, though apparently nothing yet for active scanning on the Mac. But you can still get Adware Medic as Malwarebytes Anti-Malware application for removal.