On 26 October 2010 19:26, bk <chort0 () gmail com> wrote:
(resending from correct account)
On Oct 26, 2010, at 6:55 AM, Mikhail A. Utin wrote:
Folks,
We are looking an enterprise level AV-software <snip>. Any advising?
Signature-based AV is a dead technology. Updates don't get released
until hours after you're already infected, so all it really ends up doing is
being a resource-suck on your CPUs and hard-disk access.
My recommendation: Buy whatever has the highest composite score for ease
of management, limited resource consumption, and affordability.
Anyone who says "get Vendor X" or "get Brand Y" without telling you what
selection criteria they used is a tool. How do you know if what is
important to you was also important to them in making the selection?
If you've got a decent perimeter, it should keep the threats out for
some time, but I tend to agree. AV these days is starting to be more
about detection than prevention - it will at least highlight that you
have a problem so you can deal with it. Think of it as part of your
intrusion detection if it helps.
Oh, and somewhere I used to work ran two separate AV products on the
mail gateway, and then a third on desktops on servers. I suspect this
was more about licensing models (couldn't do per-seat for email as we
had >100k email addresses) than paranoia, but it did help out
considerably to have independent engines.
cheers,
Jamie
--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
