Re: [Full-disclosure] looking for enterprise AV solution

[Jamie Riden <jamie.riden@xxxxxxxxx>]

On 26 October 2010 19:26, bk <chort0@xxxxxxxxx> wrote:
> (resending from correct account)
> On Oct 26, 2010, at 6:55 AM, Mikhail A. Utin wrote:
>
>> Folks,
>> We are looking an enterprise level AV-software <snip>. Any advising?
>
> Signature-based AV is a dead technology.  Updates don't get released until 
> hours after you're already infected, so all it really ends up doing is being 
> a resource-suck on your CPUs and hard-disk access.
>
> My recommendation:  Buy whatever has the highest composite score for ease of 
> management, limited resource consumption, and affordability.
>
> Anyone who says "get Vendor X" or "get Brand Y" without telling you what 
> selection criteria they used is a tool.  How do you know if what is important 
> to you was also important to them in making the selection?

If you've got a decent perimeter, it should keep the threats out for
some time, but I tend to agree. AV these days is starting to be more
about detection than prevention - it will at least highlight that you
have a problem so you can deal with it. Think of it as part of your
intrusion detection if it helps.

Oh, and somewhere I used to work ran two separate AV products on the
mail gateway, and then a third on desktops on servers. I suspect this
was more about licensing models (couldn't do per-seat for email as we
had >100k email addresses) than paranoia, but it did help out
considerably to have independent engines.

cheers,
 Jamie
-- 
Jamie Riden / jamie@xxxxxxxxxxxx / jamie.riden@xxxxxxxxx
http://uk.linkedin.com/in/jamieriden

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/