Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: looking for enterprise AV solution
From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 27 Oct 2010 11:32:31 +0100

On 26 October 2010 19:26, bk <chort0 () gmail com> wrote:
(resending from correct account)
On Oct 26, 2010, at 6:55 AM, Mikhail A. Utin wrote:

We are looking an enterprise level AV-software <snip>. Any advising?

Signature-based AV is a dead technology.  Updates don't get released until hours after you're already infected, so 
all it really ends up doing is being a resource-suck on your CPUs and hard-disk access.

My recommendation:  Buy whatever has the highest composite score for ease of management, limited resource 
consumption, and affordability.

Anyone who says "get Vendor X" or "get Brand Y" without telling you what selection criteria they used is a tool.  How 
do you know if what is important to you was also important to them in making the selection?

If you've got a decent perimeter, it should keep the threats out for
some time, but I tend to agree. AV these days is starting to be more
about detection than prevention - it will at least highlight that you
have a problem so you can deal with it. Think of it as part of your
intrusion detection if it helps.

Oh, and somewhere I used to work ran two separate AV products on the
mail gateway, and then a third on desktops on servers. I suspect this
was more about licensing models (couldn't do per-seat for email as we
had >100k email addresses) than paranoia, but it did help out
considerably to have independent engines.

Jamie Riden / jamie () honeynet org / jamie.riden () gmail com

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]