Mac Antivirus 2012

johnklimeck
Contributor II

Any thoughts / experience with corporate enterprise antivirus solutions on the Mac these days?

I see good things about Intego VirusBarrier; can it be deployed / managed from the JSS?

We currently have Sophos (does not look that good), but I am sure it is better than McAfee or Symantec.

Thanks in advance, cheers

JK


donmontalvo
Esteemed Contributor III

We are testing SEP 12.1, a huge improvement over SEP 11.

As long as you have console admin rights to manage Mac client policy, it's not disruptive at all.

If the SEP team won't give you access, buy a kevlar vest...

Don

--
https://donmontalvo.com

nessts
Valued Contributor II

SEP degrades system performance by quite a bit. I did a bunch of tests using a Thunderbolt drive, copying 30GB of data from the external disk to the internal disk, and saw that with PGP installed it was 30-60% slower copying the data on multiple platforms (SSD, regular disk, etc.).
Boots are slower, logins are slower, but if it's all you ever know it's not horrible, and I rarely notice that things are slower unless I specifically time things.

jhbush
Valued Contributor II

I'm using Sophos Enterprise Console. It's been working great so far. I see very little impact on my clients which are mostly software developers. I deploy the client via JAMF and the updates are handled by the Sophos console. One thing I really like is that Sophos doesn't require all of the exclusions that McAfee did.

johnklimeck
Contributor II

Cool jhbush1973, thanks

That's what we have, version 8.x of the OS X client.

So you use JAMF to push out the client with an Install PKG policy, or did you use Composer / Snapshot to create a DMG?

Thanks again,

JK

jhbush
Valued Contributor II

I pulled the installer from the Sophos Enterprise Console. I just made a smart group that looks for machines without the app and it installs based on that. It gets added to the console where the policies get applied. You can accomplish the same thing by using a standard installer and including the plist file with the login settings.
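
The "machines without the app" condition that the smart group above keys on can be made explicit and extended with a Jamf extension attribute. The script below is an added example, not code from the original post or from Sophos or Jamf; the bundle path `/Applications/Sophos Anti-Virus.app` and the daemon name `SophosScanD` are assumed placeholders, so substitute whatever your product actually installs.

```shell
#!/bin/sh
# Added example: Jamf extension attribute reporting an AV client's install
# state, bundle version and whether its daemon is running. The bundle path and
# process name passed at the bottom are ASSUMED placeholders, not product facts.

# "Installed" if the .app bundle directory exists, else "Not Installed".
av_install_state() {
    if [ -d "$1" ]; then
        printf 'Installed'
    else
        printf 'Not Installed'
    fi
}

# "Running" if a process with exactly this name is alive, else "Stopped".
av_daemon_state() {
    if pgrep -x "$1" >/dev/null 2>&1; then
        printf 'Running'
    else
        printf 'Stopped'
    fi
}

# CFBundleShortVersionString from the bundle's Info.plist, or "n/a" when the
# plist is missing or the `defaults` tool is unavailable (non-Mac host).
av_version() {
    plist="$1/Contents/Info.plist"
    if [ -r "$plist" ] && command -v defaults >/dev/null 2>&1; then
        defaults read "$plist" CFBundleShortVersionString 2>/dev/null || printf 'n/a'
    else
        printf 'n/a'
    fi
}

# Build the single <result>...</result> line Jamf stores as the EA value, so a
# smart group can key on "Not Installed" (to scope the install policy) or on
# "Stopped" (to flag clients whose engine is present but not protecting).
ea_result() {
    app_path="$1"
    daemon="$2"
    state=$(av_install_state "$app_path")
    if [ "$state" = "Installed" ]; then
        printf '<result>%s %s (%s)</result>\n' "$state" \
            "$(av_version "$app_path")" "$(av_daemon_state "$daemon")"
    else
        printf '<result>%s</result>\n' "$state"
    fi
}

# Assumed placeholders: adjust to the bundle and daemon your AV product installs.
ea_result "/Applications/Sophos Anti-Virus.app" "SophosScanD"
```

Paste the script into a new extension attribute with data type String and input type Script; after the next inventory update, a smart group with criterion "AV Client" like "Not Installed" scopes the installer, and a second group on "Stopped" catches machines where the install succeeded but the daemon is not running.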

donmontalvo
Esteemed Contributor III

@nessts Happy to do a screen share if you have a few minutes...I'll show you my SEP 12.1 management console if you show me yours.

(gawd that didn't sound right)

--
https://donmontalvo.com

dkucmierz
Contributor

Once your Mac environment gets large enough to require multiple relay servers, managing the Sophos infrastructure with respect to Mac load balancing is just gross.

CasperSally
Valued Contributor II

Once your Mac environment gets large enough to require multiple relay servers, managing the Sophos infrastructure with respect to Mac load balancing is just gross.

@dkucmierz - how large? We manage 6500+ macs via a console in a VM without much effort

evanmellichampe
New Contributor III

We have over 17K Macs (and 5,500 PCs) using Sophos. I have a policy in place for OS X that looks at the machine name and then correlates with a specific update manager to install Sophos Anti-Virus during imaging. We have a total of 10 update managers in place. Another component we are using is Sophos WebDirector, which assigns machines to specific containers as they appear in the Sophos Enterprise Console.

It's alright. We've been using Sophos for nearly five years, but are currently reviewing a list of other providers. Our short list includes Symantec, F-Secure, Webroot, Intego, ESET and maybe a couple more.

evanmellichampe
New Contributor III

I should probably add something about the Update Managers that Sophos uses. All of our machines are set to update via http:// and we can change their update locations after the fact, BUT... it's really important to balance the initial install evenly over multiple Update Managers, because their message relay path remains static after the install. For example, if I have machines getting their install from UM01 but later change them to receive updates from UM05, their message relay path will always route to the Enterprise Console through UM01.

clifhirtle
Contributor II

We had SEP at my prior employer. Not pretty. v11 better than v10 (which tore up drives), but make sure you're in a room with no chairs and padded walls when you call for support because you're going to feel like throwing things after dealing with their "enterprise" support agents for more than 5 min on a Mac issue.

donmontalvo
Esteemed Contributor III

@clifhirtle Yea, 11 was pretty bad. Never touched SEP 10, but SAV 10 was bad until Todd Woodward helped get us wildcards (~/).

The biggest problem on SEP 11 is inability to exclude folders within users' profiles on Wintel. Not sure about Mac since we're only going to put them on SEP 12 when testing is over.

Comparing SEP 11 to SEP 12 is like comparing JSS 6.x with JSS 8.x. :) So far no issues with SEP 12 and we've got about a dozen POC test users (Mac) on it.

Just have to have full rights to manage the Mac policies on the console. :) The key, disable active scanning...if there ever is a problem, toggle it on at the server end so it is enabled on the Macs when needed (outbreak)...but keep it off until there is a need to have it on. You'll see all these performance issues go away... ;)

I know Wintel folks cringe at the thought of turning off active scanning, but on Mac it's not necessary - more of an unnecessary disruption. Having worked with Wintel groups in enterprise for years, it's been the compromise everyone buys into.

Of course if you don't have SEP console rights to manage policies, you may as well throw yourself under the bus. LOL

Don

--
https://donmontalvo.com

andyinindy
Contributor II

Don:

How are you dealing with the new flat package format of the SEP 12.1.2 installer? I am having fits trying to get it configured, as documented here:

https://www-secure.symantec.com/connect/forums/sep-1212-mac-installation

--Andy

donmontalvo
Esteemed Contributor III

Hi Andy, the package is created on the server side. All configuration is handled via SEP policy on the console. Do you have access to the console?

Don

--
https://donmontalvo.com

andyinindy
Contributor II

No, I do not have console access. However, I am pals with the Symantec admin, and he claims that there is nothing that he can do to configure the package, short of exporting it. Are you aware of any customizations that you can perform via the management console?

hkim
Contributor II

I know Wintel folks cringe at the thought of turning off active scanning, but on Mac it's not necessary - more of an unnecessary disruption. Having worked with Wintel groups in enterprise for years, it's been the compromise everyone buys into.

I'd like to know what magic sauce you have in getting Windows groups to buy into turning off active scanning for Macs. Or a Chief Security Officer.

donmontalvo
Esteemed Contributor III

@andyinindy I'm assuming by "configuration" you mean scheduled scans, exceptions, updating, etc.? Set all that up in the SEP 12 console, export and deploy a PKG installer (well made, I might add). Once SEP is on the Mac, changes going forward are managed at the console.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@hkim A lot also depends on the kind of business (banking, medical, government, etc.) you're in and any regulations you're forced to comply with, as well as your position and the relationship you have with the other towers. ;) We're usually able to come up with a formal compromise, along with an addendum to the support/escalation process for Macs.

And when it looks like we're not going to win, we whip out the 3" crosshair stickers...nothing scares anyone more than being held accountable to a band of rabid Mac production folks (that usually gets the point across nicely).


--
https://donmontalvo.com

andyinindy
Contributor II

@don:

I am referring to slipstreaming/including the latest virus defs in the SEP installer package. I know that you can configure all of the other stuff via the console once the client is installed.

It seems that my only option will be to somehow include a liveupdate run as a postinstall task (although this apparently will not run without someone logged in).

--Andy

donmontalvo
Esteemed Contributor III

@andyinindy I would let the server handle that...the first time SEP client checks in, it'll pull down all updates.

The SEP client connects to the server and puts itself into the correct policy group based on the console settings (the default "container" where you manually move it over - you'll need console access to do this; or directly to your Mac "container").

This is one of the reasons the SEP team needs to provide console access to the Mac environment lead person, easily sold as "let me make your job easier and I'll buffer you from the Mac crazies if anything happens!" If the SEP team doesn't listen, start using those crosshair stickers. ;)

[UPDATE]I got a response from our SEP rep, you're right, updates can only happen when a user is logged in...bugger.

Don

--
https://donmontalvo.com

andyinindy
Contributor II

Don:

Found out that we do not run a liveupdate server internally, which might account for why the clients have to run it manually. I am asking our admin to set up the liveupdate server; we'll see if he complies :/

So you are saying that if we have everything configured correctly, the end user should not need to do anything in order for the SEP package to get updated defs/engine/etc.? Or will they still need to manually run LiveUpdate the first time after an install/upgrade of SEP?

[EDIT] Whoops, just saw your update above... bummer. So there is no choice but to run liveupdate manually from the GUI? Craptastic.

--Andy

donmontalvo
Esteemed Contributor III

@andyinindy I think we determined that the updates can only run if someone is logged in, but I don't remember if this is for the components only, or if that includes definition updates. It sucks that SEP 12 is not mature enough to run scheduled updates silently in the background without needing a GUI. But it's good that no admin rights are needed by the user.

We have clients getting updates from the SEP box...internal.

--
https://donmontalvo.com

andyinindy
Contributor II

FYI, Symantec updated their instructions for slipstreaming virus defs into the new flat pkg format that is included with SEP 12.1 RU2 and newer:

http://www.symantec.com/business/support/index?page=content&id=TECH144098

donmontalvo
Esteemed Contributor III

The article seems to be offline at the moment.

I wonder what benefit this would have over deploying (1) SEP client and (2) latest defs, separately, using Casper?

Or creating a wrapper to install both using one PKG?

In any case, looking forward to seeing the article once it's back online. :)

Don

--
https://donmontalvo.com

Susan
New Contributor

Whatever you do, avoid Trend Micro. Although they fixed their Java quarantine issues, it was a major pain in the neck for a long time. Sophos works as well as ESET (Kaspersky). Avoid Norton at all costs.

bbinder
New Contributor

Did you mean ESET (NOD32)/Kaspersky instead?
They are owned by 2 separate entities. I have had good luck with NOD32 on Macs. Not much in the Enterprise space as most don't feel there's a need for it. I have always been a fan of the ESET offerings however.

TPrashant
New Contributor

@jhbush1973

I am also using McAfee and it's really slowing down the Mac devices. Can you please share what exclusions you used on McAfee?

Thanks

Chris_Hafner
Valued Contributor II

We are happily using Cylance after having several good years with Sophos. I find that Cylance is not only better at stopping Mac malware, but it doesn't tweak and affect performance when trying to update lists. Compared to the other solutions I've seen, it has the best performance by far.