
Central Anti-Virus For Small Business?

kdawson posted more than 4 years ago | from the keeping-them-safe-despite-everything dept.

Security 359

rduke15 writes "I'm trying to find a centrally managed anti-virus solution for a small business network, which has around 20 Windows XP machines with a Linux server. It is too big to manage each client manually. However, there is no full-time IT person on site, and no Windows Active Directory server — just Linux with Samba. And the current solution with Symantec Endpoint Protection seems too expensive, and too complex for such a simple need. On the Linux server side, email is handled by amavisd and ClamAV. But the WinXP clients still need a real-time anti-virus for the USB disks they may bring to work, or stuff they download from their personal webmail or other sites. I'm wondering what others may be using in similar situations, and how satisfied they are with it."


359 comments

We use Nod32 (5, Informative)

Mark19960 (539856) | more than 4 years ago | (#28358087)

It works well, you just need a windows server/workstation to push it to clients and for clients to get updates from.
It's also not very resource hungry.

I think 30 seats was around $1000

Re:We use Nod32 (5, Funny)

Ethanol-fueled (1125189) | more than 4 years ago | (#28358101)

Uh, Linux bro. On all the workstations. That's what you were supposed to say.

Sheesh. Now if you'll excuse me, I have to boot back into my XP partition so that I may run all of my expensive, legitimate software.

Re:We use Nod32 (1, Funny)

Anonymous Coward | more than 4 years ago | (#28358235)

That's what you were supposed to say.

Oh? I thought it was 'F1rst p0st!1!!!1one'

Re:We use Nod32 (1)

Ethanol-fueled (1125189) | more than 4 years ago | (#28358281)

Nah. Shit, even "Caldera Linux or Unixware on all workstations" would have had a higher score than the FP. Just goes to show that people who are capable of learning GUI menus are incapable of learning slightly different GUI menus.

Re:We use Nod32 (2, Informative)

caubert (1301759) | more than 4 years ago | (#28358125)

We have 25 computers in the office and also use Nod32. It features a centralized admin GUI, easy to use, effective and no viruses. Try it

Re:We use Nod32 (4, Interesting)

Anonymous Coward | more than 4 years ago | (#28358135)

I would have to agree with this recommendation.

I've been installing NOD32 at several sites recently. The Business version of their antivirus/antispyware package does include a Management Console feature.

You'll end up paying about $39/seat for a 2 year subscription.

Also, NOD32 just won a Consumer Reports award this year.

Re:We use Nod32 (4, Interesting)

FRiC (416091) | more than 4 years ago | (#28358273)

I don't know about other people, but around where I work, the joke is that whichever computer has Nod32 installed, it also has tons of viruses installed. Nod32 never seems to work in real life, even though it consistently scores high in reviews and has lots of recommendations.

(We use avira.)

Re:We use Nod32 (4, Informative)

JWSmythe (446288) | more than 4 years ago | (#28358427)

I hear and find the same thing true with AVG. :) People bring me malware infested machines, so I uninstall AVG and install Avast Home (Free), which takes care of the problems, and protects them in the future.

I'd highly recommend Avast. It does have a management tool which is what the article is seeking (avast! Distributed Network Manager) [avast.com]. The server is free, but it requires a paid version of their software to use with it. Bulk pricing information is here: http://www.avast.com/eng/pricelist-avast-professional.html [avast.com]

Re:We use Nod32 (1)

wguy00 (985922) | more than 4 years ago | (#28358637)

Ditto everything Smythe said.

Re:We use Nod32 (2, Insightful)

hairyfeet (841228) | more than 4 years ago | (#28358823)

It would help if he gave us the actual age of the machines in question. Working PC repair and builds I've had a chance to try just about all of them, and I recommend Avast! if it is an older machine that is very short on resources(256Mb) and Comodo [comodo.com] on anything newer.

IMHO Comodo has a little friendlier interface and is a little more paranoid than Avast!, which means the first week you will get a few more false positives. But with an AV I'd much rather have it a little too paranoid than not paranoid enough.

Re:We use Nod32 (3, Interesting)

rdnetto (955205) | more than 4 years ago | (#28358831)

I can confirm this. Back when I ran AVG, I thought my system was clean and only downloaded Avast to see what it was like. I was pretty surprised to see how many viruses it found! AVG appears to work, but it doesn't come close to Avast.

Re:We use Nod32 (4, Interesting)

LodCrappo (705968) | more than 4 years ago | (#28358535)

a couple years ago i worked at a company that used NOD32 and they were often bringing infected machines in to the IT dept despite the software being updated and supposedly working. now I work at a company that used symantec, and they were often bringing infected machines in to the IT dept despite the software being updated and supposedly working. One of my current coworkers used to work at place where they used Panda. They were often bringing infected machines in to the IT dept despite the software being updated and supposedly working.

WTF?

Re:We use Nod32 (5, Funny)

Mordok-DestroyerOfWo (1000167) | more than 4 years ago | (#28358735)

Same issue here with Symantec. I used to get angry but now I just consider it job security. Plus they gave me these really nice pills to calm me down. Oooh a unicorn!

Re:We use Nod32 (1)

notarockstar1979 (1521239) | more than 4 years ago | (#28358539)

I've had just the opposite experience with Nod32 at my day job. It's picked up things some of the bigger players (McAfee, Norton/Symantec) couldn't find. It's also been incredibly easy to manage. That said, I use Avira at my home based business and it's worked out really well for me. I've never tried to centrally manage it.

Re:We use Nod32 (2, Informative)

jetole (1242490) | more than 4 years ago | (#28358711)

I have had to install AV for a company and part of my task was figuring out which one was the most effective. Take a look at http://www.av-comparatives.org/ [av-comparatives.org] which is an excellent comparison site for AV products. Avira enterprise always came out on top. They have an enterprise client with centralized management etc etc and it works well. Of course I personally dislike windows a ton but it's part of the job. If you want a centrally managed AV solution keep clamav on the mail server, install clam through squid for web access and disable the cdrom and usb disks in windows. That's the best you can probably do since just about everything in the windows world costs an arm and a leg.

the problem is the OS (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28358093)

I don't mean this to be smug or smartass

but we migrated the office to Mac OS X. It took about 4 months to get everyone happy with the switch.

Now we're very happy with the solution.

Re:the problem is the OS (4, Funny)

QuantumG (50515) | more than 4 years ago | (#28358121)

That's sexual harassment. And no, it doesn't matter if you work in the fashion industry.

Re:the problem is the OS (0)

Anonymous Coward | more than 4 years ago | (#28358405)

I thought it was funny.

Re:the problem is the OS (1)

irving47 (73147) | more than 4 years ago | (#28358245)

Prices have come down recently, so it's not a terrible idea... As long as the apps you need are available.
And we have clamx av.
I am sounding smug right now after talking to three people today I moved over to Mac OS and they're all happy.

Re:the problem is the OS (0, Troll)

ThePengwin (934031) | more than 4 years ago | (#28358401)

That's like saying a house needs to be demolished because they'd like a new door

And I dare say it will raise enormous compatibility problems and costs would be astronomical compared to solving the small problem at hand.

Re:the problem is the OS (2, Informative)

dna_(c)(tm)(r) (618003) | more than 4 years ago | (#28358595)

That's like saying a house needs to be demolished because they'd like a new door

More like "soon their house will be demolished, better not invest in a new door now".

Within 2 years they probably have to migrate to Vista or Win7 anyway, they also need to buy and maintain AV software, why not invest in something else instead? Or at least look at alternatives and do the maths.

Re:the problem is the OS (2, Interesting)

LodCrappo (705968) | more than 4 years ago | (#28358431)

I'd love to be able to use osx on our network, but there are some serious roadblocks. #1 is the price of the workstations. when you need 300 bog standard desktops on a tight budget, your options from apple are... lacking to say the least. #2 is compatibility. entourage is very weak as an exchange client in a business environment. OWA on non-IE browsers is not great either. CAD and ERP software is limited. #3 is the cost of (re)training employees. with windows you get the benefit of your users having the same system at home/previous job/etc. even very simple differences in the ui require real support resources. some people just don't get it, no matter what "it" is.

also, while i am a fan of osx and use it personally, i don't put any faith in the "macs are more secure" arguments. every security analysis I've seen shows that macs are actually easier to exploit (probably will improve in 10.6). maybe the small installed base just isn't worth the effort to malware creators (yet), but if you use security as justification for switching to the PHB, I think you're setting yourself up to look really bad.

Re:the problem is the OS (0)

Anonymous Coward | more than 4 years ago | (#28358529)

FUD

FUD

FUD !

Re:the problem is the OS (0)

Anonymous Coward | more than 4 years ago | (#28358565)

?

Profit!

ClamWin (0, Redundant)

MoFoQ (584566) | more than 4 years ago | (#28358105)

What about http://www.clamwin.com/ [clamwin.com] ?

Re:ClamWin (4, Informative)

Anonymous Coward | more than 4 years ago | (#28358163)

From clamwin.com website:

Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

This assumes that the users remember to scan everything before they run.
(I personally do the clamwin thing for my personal machine, haven't found anything yet)

Re:ClamWin (2, Insightful)

Opportunist (166417) | more than 4 years ago | (#28358255)

Terrible detection rate. Sorry, but when an AV suite finds about 2/3 of the threats, you can just as well go without one.

ClamWin is not an option (0)

Anonymous Coward | more than 4 years ago | (#28358335)

What it does is provide a simple GUI for clamscan/freshclam,
and nothing more. It's a memory hog (written in wxPython).
It's consistently outdated, and has been abandoned a couple of times.
It's clumsy (installs freshclam/clamscan commandline clients, but makes it practically impossible to use them -- you have to do everything from GUI).
The only thing it has going for it: it's the only relatively recent win32 binary version being released (compiling clamav for win32 is really a PITA, and clamwin guys manage to do it).

Re:ClamWin (3, Interesting)

RudeIota (1131331) | more than 4 years ago | (#28358475)

Moonsecure [moonsecure.com] is an AV based on clamwin: it actually employs a real-time scanner. clamwin offers no active protection, so it is pretty much useless for most user scenarios.

In all honesty, I've given both Moonsecure and clamwin many chances over the past couple of years. I don't want to admit it, but I feel as though I've been largely disappointed with the detection rates, the interface and the speed of both AVs. I've used them mostly in a 'workbench' setting though, scanning client drives outside of the system. In comparison to the other (commercial) scanners I use regularly, I've not been impressed.

We use Avast Corporate (3, Interesting)

BabaChazz (917957) | more than 4 years ago | (#28358113)

At least, we do at the school. That's a 50-station network, and amounts to about $10 a year per station after the educational discount. $20/year per station without, but you get cut rates for longer terms. I'm quite happy with Avast. At the business (20 stations, no AD when it was installed aeons ago) we used Trend Micro ServerProtect, which is no longer supported. That one was $800/25 stations flat fee and is still being updated. Neither one of those needs an AD server for its console, though they are both Windows based.

NOD32 Antivirus and NOS32 Remote Administrator (4, Interesting)

BiggerIsBetter (682164) | more than 4 years ago | (#28358115)

Do it without the server, and install NOD32 antivirus on the clients, with NOD32 Remote Administrator to manage them. We put this system in recently and it's very very effective. Synchronized our antivirus product and definitions quickly, and reported infections that had slipped past the unmanaged installation on one machine (it hadn't been updated for a while...). No, you don't have to install it on a Windows Server OS (although we did).

Re:NOD32 Antivirus and NOS32 Remote Administrator (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28358313)

Anti-virus doesn't work from what I've experienced. You could run 15 different anti-virus type apps against a removed hard drive and still not find all the crap on them. Suggesting: don't use MS Windows.

Re:NOD32 Antivirus and NOS32 Remote Administrator (2, Insightful)

RudeIota (1131331) | more than 4 years ago | (#28358423)

Suggesting: don't use MS Windows.

Yes, and don't venture into the outer world either... You'll obtain the swine consumption.

Re:NOD32 Antivirus and NOS32 Remote Administrator (3, Informative)

RudeIota (1131331) | more than 4 years ago | (#28358407)

NOD32 works fantastically well, although the licenses are comparatively more expensive when compared to some of the competition that's in the 'same league' (Eg. Kaspersky)

I haven't used the remote administrator to manage NOD32 clients (We don't have enough here), but after scanning thousands of PCs, I can vouch for the quality of NOD32. It's anecdotal, but I concur with many of the online results which show NOD32 has near-perfect detection rates and very low false positives. We keep trying different scanners, but NOD32 seems to do the best job.

Re:NOD32 Antivirus and NOS32 Remote Administrator (0)

Anonymous Coward | more than 4 years ago | (#28358663)

Nod32 here as well. The remote admin works but the workstations pretty much look after themselves.

Licensing is more cost effective than norton or mcafee, as nod32 does malware as well as av without a separate client.
Word of warning though. Nothing is perfect at malware so don't shoot it down if it misses some. The AV engine however is excellent.

Last thought (and I have nothing to do with eset, I just use it): if you are currently a Norton place the users will see a speed increase on their machines as the nod client is one of the least invasive.

AVG (1)

mbutler (1398527) | more than 4 years ago | (#28358129)

I've installed AVG with the central control module; just set up an old workstation to look after this. Easiest software I've ever installed, also allows you to change keys and do remote installs. Takes about an hour to install on a machine, then remotely load up 20-30 computers.

Re:AVG (1)

sumdumass (711423) | more than 4 years ago | (#28358237)

I second AVG.

Not only are the licenses cheaper than the Symantec corporate edition, we got 2 years instead of one for about 2/3 the cost per seat. The management console seems to be better oriented and it can even force a reboot to remove an infection if needed. They even have Linux support.

Re:AVG (2, Informative)

wgoodman (1109297) | more than 4 years ago | (#28358359)

In migrating from AVG free to AVG corp, the push never worked and we had to end up manually uninstalling on every workstation before we could push the corp version and have it actually work properly.. if we tried to push the newer version over the free version, it just disabled any sort of updates and made things worse

yes, free should never have been installed in a corp environment, but that's how it was when i was hired.. licensing was the least of my problems by far.

Re:AVG (1)

mbutler (1398527) | more than 4 years ago | (#28358483)

The newer control center doesn't seem to have this issue, I was out at a client's site last week and it installed over the free version they were using properly and updated no worries (using the remote install).

Re:AVG (2, Interesting)

sumdumass (711423) | more than 4 years ago | (#28358493)

I see you already placed the biggest point I could make out there. It does it also if the old version is too old or isn't a networked version.

I actually had the same problem at a site with a laptop that somehow slipped through the cracks and didn't get updated to the latest version of AVG. In my case, it was a corporate version (network edition, but it was severely outdated) and I had to manually uninstall before being able to install the new client. I think the laptop ended up on a shelf in one of the partner's closet so while we thought he was working with it periodically which should have already updated it if it was on the network. When we ended up seeing a version 7 in the management console after it hit the network for the first time in over a year, and we were on 8.5, our eyes lit up.

I'm not sure I would consider a one time walk around in order to set things up as a big negative. Especially when the case is as you mentioned. All future pushes should work pretty well. I went from 8 to 8.5 by upgrading the console machine first and then pushing it out to everyone else. Well, everything but the one laptop I mentioned earlier.

Re:AVG (1)

easyTree (1042254) | more than 4 years ago | (#28358849)

Parent and GP> Surely 'easy to use' and 'licenses are cheaper than...' should be less mentionable than 'detection/removal rate is ...' ?

Re:AVG (1)

newruler (1485203) | more than 4 years ago | (#28358315)

I also put forth my vote for AVG. Though my own workstations are Linux based for all my customers running Windows it's AVG all the way. I have installed it up to a network of 100 workstations and it can scale further if needed. Of course the 20 workstation scenario is covered quite well by it. Like it has been mentioned it doesn't require a server to be installed on. Also please note that they also have linux clients available as well. Oh and versions exist for File Servers as well as some mail servers.

I'm guessing here, but... (0)

Anonymous Coward | more than 4 years ago | (#28358139)

A decent router, regular Windows security updates, Firefox and user education are out of the question, right?

Re:I'm guessing here, but... (2, Insightful)

profplump (309017) | more than 4 years ago | (#28358153)

Those are all great things. But A) they won't actually stop people from bringing viruses into the office. They might *help*, but you'll still need an A/V client from time to time and B) those things are not going to happen reliably someplace that doesn't even have a full-time IT guy.

Re:I'm guessing here, but... (0)

Anonymous Coward | more than 4 years ago | (#28358349)

Force users to act like grownups. Tell them "We're not wasting the money, the mental and CPU cycles or the time and effort of constantly updating a glorified version of grep to babysit you. If you click on an exe file from a stranger that promises to be Britney Spears giving a blowjob, or download goofy smiley emoticon extensions for IE, it's YOUR machine that's going to be screwed up, it'll be YOUR data that's going to be lost. And it'll be the rest of us laughing at you."

Sophos (4, Informative)

nevhan (1422601) | more than 4 years ago | (#28358151)

Both my university and workplace (of similar size to yours) use Sophos. They provide a number of centralised management tools, centralised update servers etc. Check them out, www.sophos.com.au.

Kaspersky - Support for Windows & Linux (5, Informative)

Swampcritter (1165207) | more than 4 years ago | (#28358155)

Kaspersky Enterprise Space Security is comprised of components for the protection of Linux and Windows workstations, file servers and mail systems.

Samba File Servers are also fully supported!

More Information -- http://usa.kaspersky.com/products_services/business/open_space_enterprise.php [kaspersky.com]

Re:Kaspersky - Support for Windows & Linux (0)

Anonymous Coward | more than 4 years ago | (#28358189)

Kaspersky Enterprise Space Security is comprised of components for the protection of Linux and Windows workstations, file servers and mail systems.

Samba File Servers are also fully supported!

More Information -- http://usa.kaspersky.com/products_services/business/open_space_enterprise.php [kaspersky.com]

I'd second this. I recently deployed Kaspersky on a combination of 30 workstations and file servers for a local small business.

The centralized management console is really a time saver.

It was even able to send WoL packets to all the client PCs before scheduled scans.

Ill tell you what *not* to use (5, Interesting)

Anonymous Coward | more than 4 years ago | (#28358165)

I'm security admin for a fortune 500, posting anonymous coward. I'll tell you what not to use. Don't use Panda. We have it at a european subsidiary, and I have never seen anything so crap. Never.
Now for the advice - Use something you recognise and trial it to death, antivirus detection rates are not so important as product robustness, and console usability. It's no use having something with a 99% detection rate if the 1% it doesn't detect are things like virut and conficker, and the product falls over every time you look at it. Corporate antivirus aren't so much about detecting 100% of virus as reliably reporting the viruses they have found, and robustly maintaining communications with the management console so you can deploy updates.
These days no antivirus is really very good, I came to the conclusion a while ago that AV is an obsolete technology. The malware writers are just taking the piss, and Windows can never be virus free.

Re:Ill tell you what *not* to use (2, Informative)

wgoodman (1109297) | more than 4 years ago | (#28358397)

fair enough.. as much as i hated symantec 11, after they finally released several bug fixes and it was able to at least run without crashing a machine, it was quite good as far as disallowing removable drives on a per workstation basis, and reporting anything that was found on any machine. (it was also good about re-hijacking a homepage after a user went to a questionable site that changed the homepage to farmsex.com or what not. a simple "your homepage was highjacked" page was FAR better than the support calls i'd get at 2am about a horse doing something to a midget.)

just saying..

Re:Ill tell you what *not* to use (1)

mlts (1038732) | more than 4 years ago | (#28358719)

I agree with you completely here. After Symantec fixed some CPU issues with earlier versions of Symantec Endpoint Protection, I highly recommend it. For something lighter weight, either VIPRE from Sunbelt Software, or Avast! have done well for me.

Buying Antivirus protection does two things. The first is obvious... it mitigates a potential compromise. The second is that it provides legal CYA. Should a box get infected, there is less chance people (like shareholders) would sue if it has a decent [1] AV program than if it had no protection at all.

The OP said that SEP is pricy, and that is understandable. There are other decent solutions out there that can allow one to check off the box of "all computers have AV software present." SEP offers a lot of nice management tools though, and this may make it worth the premium in cost for a larger (hundreds to thousands of PC) enterprise.

[1]: I use two factors for calling an AV program decent: The first is ICSA Labs certification as a standard, which most AV labs submit their code and get certified. The second is having the executables Authenticode signed under Windows, including the executable. This is important because this can show if an executable got tampered with (assuming no rootkit is present), and when downloading updates, can show that the updates have not been compromised on some stage.

Re:Ill tell you what *not* to use (0)

Anonymous Coward | more than 4 years ago | (#28358737)

Seconded - I'd go as far as to say Panda is as much, if not more, of a resource hog than Norton.
Painfully slow, although the central management console was ok.

HAVP (1)

clarkn0va (807617) | more than 4 years ago | (#28358177)

How about HAVP? [server-side.de] Scans all your traffic in and out. It won't stop the bug catching a ride on a USB stick until it actually hits the wire, but heckuva thing being able to monitor the pipe from a single seat. Also available as a PFSense package. [pfsense.org]

Re:HAVP (1)

wgoodman (1109297) | more than 4 years ago | (#28358415)

for a small business, it's a lot harder for them to have a central proxy server (especially one without an IT dept). it's great in theory, but only if they're willing to commit the resources. a decent firewall and group policies as far as disabling certain options will work far better than a specialized box that sits between users and the internet. especially if only a bofh will ever have access to the logs.

McAfee Total Protection (0)

Anonymous Coward | more than 4 years ago | (#28358193)

McAfee Total Protection is web-based... All clients grab configuration info and updates from the web. You can manage AV from a web portal, run reports from there, etc.

Start with sensible policies. (5, Insightful)

Opportunist (166417) | more than 4 years ago | (#28358263)

Antivirus suites are the last line of defense. Not the first!

The first is the user and sensible usage policies. When people can download and execute arbitrary software and plug in USB sticks at random, you have bigger problems than the choice of your AV.

Re:Start with sensible policies. (4, Insightful)

GF678 (1453005) | more than 4 years ago | (#28358369)

The first is the user and sensible usage policies. When people can download and execute arbitrary software and plug in USB sticks at random, you have bigger problems than the choice of your AV.

So what would you recommend?

I don't disagree with you; smart and sensible policies are the best defense. But then again, I service schools, and schools have kids and parents (and teachers) who aren't going to follow the rules, so AV is still necessary. I can't lock down the USB ports (physically or otherwise); I'd have a rebellion on my hands.

BTW - I'm an engineer by trade, just acting as an IT jockey in the meantime, so I don't know all the best tricks of the trade yet. But it'd be helpful to know. :)

Re:Start with sensible policies. (2, Informative)

atraintocry (1183485) | more than 4 years ago | (#28358413)

I haven't used it since I'm in an office but since you mention a school, I hear good things about Windows SteadyState. Maybe for library computers or other kiosk-style machines.

Re:Start with sensible policies. (1)

mwvdlee (775178) | more than 4 years ago | (#28358551)

When people can download and execute arbitrary software and plug in USB sticks at random, you have bigger problems than the choice of your AV.

So what policy would you advise for organisations where people need to be able to download and execute arbitrary software in order to get their work done?

Re:Start with sensible policies. (1)

LodCrappo (705968) | more than 4 years ago | (#28358717)

i'm genuinely interested.. what type of organization has this need? executing arbitrary software? seems unsupportable.

Re:Start with sensible policies. (1)

drsmithy (35869) | more than 4 years ago | (#28358807)

So what policy would you advise for organisations where people need to be able to download and execute arbitrary software in order to get their work done?

Throwaway VMWare machines and brutally restrictive firewalling.

Re:Start with sensible policies. (1)

sumdumass (711423) | more than 4 years ago | (#28358703)

I'm all with you but it isn't exactly that easy. Some software packages to this day still require root access to the local machine even though the domain user is restricted and it is designed to run on a domain. QuickBooks used to be really bad with that but I don't think it is anymore. You also have the problem with approved sites being compromised [techworld.com] and using browser exploits to defeat security limitations. [apcmag.com]

You also have the problem of some sites that don't even have a full time sysadmin. It's difficult to restrict USB sticks and all if there isn't someone there to allow it when it's needed. I have used IPMI [wikipedia.org] in the past but this gets tricky when you aren't there.

You're right though, those things should be considered and implemented. I try to set up proxy servers with access lists like DansGuardian or something and redirect all zipped and executable downloads to a specific file where a script runs a virus scan on them before releasing it to the user. However, that is something easier accomplished at large sites more so than a 20 user site which the IT guy may be at once every two weeks unless something goes wrong. I also just had an issue where an over priced app needed internet access and had no concept of networking so it wasn't able to grab the proxy settings from the workstation. It almost caused the entire proxy to go down until I figured out some iptables kung-fu where you can block all traffic except specifically allowed traffic and I basically had to set up a second network head.

The worst part about this was that I had the sales rep telling the owner we weren't smart for having the proxy in the first place, they are dangerous and we should get rid of it, to use a windows server instead. I won't give the name of the company, what the app did, or why the app needed to access the internet, but I ended up justifying the configuration by showing the PCI DSS standards and reminding the owner what it was like before we put the proxy in (he has kids supervising kids in the evenings, you can guess where that led to). He almost had me follow the rep's suggestion and rip the proxy out instead of insisting the app be fixed. The app wasn't fixed, I kludged a workaround in place, he uses it, and still pays the annual license fee. It can be a real bitch implementing what you suggest, and yes, I agree with implementing it.

Server (1)

Shadow-Copy (1194657) | more than 4 years ago | (#28358269)

If you run a basic HUB network, with one Linux Server as your gateway, you can do several things.

I will give you small modification ideas that you yourself can adjust to your Server, or your clients.

Restrict sites with your Linux server and only give access to sites you approve.

Open up the policy settings on your clients' computers and restrict installation, so they are only able to use programs that are already installed onto that computer.

Doing one or the other will eliminate intrusion onto your server, simply by limiting accessibility to/from your small network.

It depends (5, Interesting)

Rosco P. Coltrane (209368) | more than 4 years ago | (#28358295)

I "administer" our small business IT infrastructure (well, it's just 10 computers) and our solution was to assess who needs internet access. As it turned out, the boss and the secretary need web, email and access to the accounting software on the remote side of a VPN, and the other guys don't because they use only internal documents. But they do need Windows because we use Windows-only software (SolidWorks and MasterCAM). So I've set up a fast Linux box that's on the internet, that provides web and email access through NX servers and clients [nomachine.com] (that is, the clients run on the Linux box and display on the Windows workstations). USB ports are also disabled on all Windows boxes, and people who really want to see what's in a USB key have to plug it into the Linux box and have the content checked before it's transferred to a Samba share for Windows consumption. Same thing for CDs. None of the Windows boxes ever see the internet.

None of our Windows boxes are patched, updated or fitted with antivirus software, and we're doing just fine. The Windows boxes are super-fast as a result too.

But that's *our* solution. Your mileage may vary, but I think you should make a reasonable assessment of workers' need for internet access. You may be surprised how few actually need it to do their work (IM isn't a valid reason) and you may be able to rearrange your infrastructure to make it very easy and manageable like ours.
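Two comments above describe the same gate on a Linux box: downloads redirected to a holding area until a script scans them, and USB/CD content checked before it reaches a Samba share. The sketch below is an added example, not code from either poster; the directory names and the `SCANNER` override are assumptions, and it relies only on clamscan's documented exit codes (0 clean, 1 virus found, 2 error). It fails closed, so a scanner that crashes or is missing never releases a file.

```shell
#!/bin/sh
# Added example (not from the thread): hold files in a staging directory
# until a virus scan passes, then release them to the directory users read.
# All paths and the SCANNER override are assumptions for illustration.

# Scanner command line. clamscan exits 0 = clean, 1 = virus found, 2 = error.
SCANNER="${SCANNER:-clamscan --no-summary}"

# release_clean STAGING RELEASE QUARANTINE
#   Scans every regular file directly inside STAGING (dotfiles are skipped
#   by the glob). Clean files move to RELEASE; anything the scanner does not
#   explicitly pass, including scanner errors, moves to QUARANTINE.
#   Prints "released=N held=M" and returns 1 if anything was held.
release_clean() {
    staging=$1; release=$2; quarantine=$3
    released=0; held=0
    mkdir -p "$release" "$quarantine" || return 2

    for f in "$staging"/*; do
        # Regular files only: skips directories, the unexpanded glob when
        # STAGING is empty, and symlinks that could point outside STAGING.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=$(basename "$f")

        # $SCANNER is deliberately unquoted so its options split into words.
        if $SCANNER "$f" >/dev/null 2>&1; then
            mv "$f" "$release/$name" && released=$((released + 1))
        else
            # Fail closed: exit 1 (infected) and exit 2 or 127 (scanner
            # broken or missing) are treated alike. Strip all permissions
            # so the held file cannot be opened by accident.
            mv "$f" "$quarantine/$name" && chmod 000 "$quarantine/$name"
            held=$((held + 1))
            echo "HELD: $name" >&2
        fi
    done

    echo "released=$released held=$held"
    [ "$held" -eq 0 ]
}

# Typical call from cron on the gateway (paths are assumptions):
#   release_clean /srv/incoming /srv/samba/checked /srv/quarantine
```

Point the proxy's download redirect or the USB mount copy at the staging directory, and export only the release directory through Samba.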

Re:It depends (1)

wgoodman (1109297) | more than 4 years ago | (#28358439)

nobody aside from the boss and secretary need email?

The interesting thing that I've consistently found is that the boss, who needs to "know what's going on always", tends to be quite content not having any sort of domain access as long as they have email and porn access. It's quite sad that that's been the case at the last few jobs. They are all about monitoring all the employees, but somehow never notice that I never gave them access to anything useful. Big surprise that the last 2 places went out of business.. go leadership!

Re:It depends (4, Interesting)

Rosco P. Coltrane (209368) | more than 4 years ago | (#28358527)

"nobody aside from the boss and secretary need email?"

Well, I didn't count myself in :) We're a small firearms manufacture, so the boss and the secretary need email to answer customers, and the boss needs the web to check on the competition (he's not into porn at all, not the type). The secretary doesn't need the web, but I left it for her because she sometimes has no work for hours and she doesn't really like to read. She also does the accounting, so she needs her distributed accounting software client. As for the other guys, they work mostly at the workbench, mounting the guns. They need PCs to consult technical documents such as plans, steel compositions or art drawings, and they also need them to work with 3D models of parts, to feed the milling machine. None of these computers need to be on the internet, they are just glorified document viewers and machining tools.

As I said, every situation is different. In a software development outfit, the sort of solution we have here wouldn't work at all, but for us it works. The OP says he manages a "small business network": for all I know, it could be a printing shop, or a garage, not necessarily all white collars. That's why I mentioned what we implemented here at my company.

One proposal (3, Insightful)

freedom_india (780002) | more than 4 years ago | (#28358339)

1) You need an anti-virus solution in the Linux box. Assuming that is your only gateway to the external internet, putting up an anti-virus enabled firewall and stopping unwanted protocols is enough to filter out most stuff.
2) Disable USB and DVD drives on every PC. Physically. Period.
It's cheap and fast.

Re:One proposal (0)

Anonymous Coward | more than 4 years ago | (#28358727)

"2) Disable USB and DVD drives on every PC. Physically. Period.
It's cheap and fast."

You know, I like your thinking on this, but I don't know why you stopped short of an actual solution. Just remove the power supply. 100% protection, guaranteed every time.

Since, you know, we're obviously not concerned about usability whatsoever.

Re:One proposal (2, Insightful)

freedom_india (780002) | more than 4 years ago | (#28358833)

Usability != USB Drives.
In most of the corporates I have worked for, my USB ports have been disabled and my DVD drive missing.
I didn't feel the least constricted, if that is what you mean.
If I needed software, I had to follow the stupid process, but I did not miss a USB drive or a DVD drive for work.
Minimalist physical configurations leave you less worrying about issues.
You are probably too young and inexperienced in the corporate world. That's why you seem to equate USB with PSU.

Re:One proposal (0)

Anonymous Coward | more than 4 years ago | (#28358749)

In a 10 WS environment with 2 Linux servers, I am using a proxy as the only exit to the internet (filtering sites also), and using a local email server.
That reduced the viruses to none.

Incoming emails and such are filtered and also people are aware that they shall only use trusted USB sticks and open trusted email.

Re:One proposal (1)

freedom_india (780002) | more than 4 years ago | (#28358851)

"people are aware that they shall only use trusted USB sticks and open trusted email"

I don't know whether to laugh or cry at your naive quote.
You just summarized a network administrator's worst nightmare: Trusted USB sticks and Trusted email.
Tell me, how do you "trust" a USB stick? Put a stamp on it?

the obvious solution.. on /. (1, Insightful)

stillpixel (1575443) | more than 4 years ago | (#28358345)

run Linux on all your machines.. and keep a good XP VM image on each machine...if it gets nasty.. delete and start over..that is standard Windows IT procedure anyhow you know.. just wipe the machine and reinstall.

Re:the obvious solution.. on /. (0)

Anonymous Coward | more than 4 years ago | (#28358451)

That is what we do now and it works really well. 90% of the Windows stuff either has Linux equivalents or runs under Wine 1.1.23, so far only 3 apps have needed VirtualBox!

Re:the obvious solution.. on /. (2, Insightful)

bryhhh (317224) | more than 4 years ago | (#28358585)

I'm assuming from your post that you aren't running AV? That's how I read it anyway, as you don't include an AV solution (which is what this post is all about)

Security Lesson #1: Usability, Secure, Cheap - pick any two.

Anyone can put up a solution that provides two of these, however I think the solution you have put together provides only one.... Cheap!

Working from a VM? Not usable - at least not for typical office workers. No AV protection? Insecure

Allow me to elaborate on insecure...

Fair enough, you 'reset' your virtual machines when shit happens, but what about when a virus sends out spam from one of your IPs and gets you blacklisted? What about when a virus/trojan/whatever leaks confidential business information? And how do you know if things get nasty if you aren't running AV?

The viruses you need to worry about are the ones you probably wouldn't detect without AV protection, as these are the ones most likely to do your business harm.

We use AVG (1)

atraintocry (1183485) | more than 4 years ago | (#28358383)

I have AVG 8.5 on our workstations, it's about 30 of them now. Regular AVG, not Internet Security. But the Network Edition, which has a management console. My guess is that as long as you have something you can't really go wrong. AVG works fine for me. The weird thing is that you can usually deploy AVG for the first time without rebooting the station, but every so often there will be a program update to AVG that needs a reboot to take effect.

It's about $25 a seat I think. I've only ever bought 1 year at a time. I'm on my second year.

I don't install the link scanner, browser plugin, etc. (we have some web filtering at the router anyway). Just the antivirus/spyware/rootkit and the email and MS Office plugins. I was toying with the idea of using the firewall, since we've essentially paid for it, but I think the Windows firewall + Group Policy is probably enough for intra-LAN security.

Re:We use AVG (1)

dana340 (914286) | more than 4 years ago | (#28358521)

I second the recommendation for AVG. It's effective, lightweight, and low cost. Management tools allow remote admin, but the installation works much smoother on a domain. You may still be able to get it to install from there without it, depending on your networks. I have deployed it across poorly functioning domains and it runs into permission issues without domain admin privileges.

Also, check out the ZyXEL ZyWALL 5. As a basic security appliance for $600 and no per seat licensing for antivirus/intrusion protection, I find it to be an invaluable tool for many of our small business clients.

Bit Defender (1)

labnet (457441) | more than 4 years ago | (#28358389)

We use bit defender, but it gives me the shi^s.
You manage all the clients via an MMC snap-in, but like other MMC snap-ins, it just doesn't really work that well.
E.g. the computer names get mangled when DHCP reassigns, so you need to view clients by IP rather than name, but the mangled name is the only reference in the reports.
Everything is done by assigning policies, but there is no easy way to see which clients' licenses have expired.

I intend to change to something else when licencing comes up again.

Re:Bit Defender (1)

botik32 (90185) | more than 4 years ago | (#28358641)

I second that. Their management console is horrible - it does not hold computers in the group, is counter-intuitive, and fails to keep removed computers out - always adds them again to the main list. The management server is limited to N computers and if you get new users you have to install another management server. And they sell only in bulk of 10 or 25 licenses.

McAfee? (0, Offtopic)

gareth.fletcher (855305) | more than 4 years ago | (#28358473)

McAfee offer a nice solution - yourasp, which is quite good. Offers a really nice web interface for central reporting and policy configuration etc. At first I thought it would be total crap but now recommend it to our clients, some 6 - 30 PCs. Not sure about the licensing though. But just use what you know, no point spending 20 hours trying to figure out some xyz app when you could be doing better things (read beer).

Rethink your IT solution (0)

Anonymous Coward | more than 4 years ago | (#28358489)

You said you don't have full time IT. Maybe you should re-think that since you are asking this question.

mcafee (3, Informative)

fearlezz (594718) | more than 4 years ago | (#28358491)

In my personal experience, I found mcafee asap (mcafeeasap.com) the easiest to use in such a small business. This software has "agents" which report their status back to the mcafeeasap.com website, from which the administrator can monitor all pcs.

This idea is great for small companies. The implementation however had a few problems:
- Over time, I've installed all "agents" at least twice. They just stop working for no reason at random moments
- Some agents 'do' have a reason to stop: they think the license has expired, while it's definitely not.
- And mcafee is bloated + it uses mshtml for every single dialog and even for invisible actions like downloading updates. This eats cpu power.

F-Secure (0)

Anonymous Coward | more than 4 years ago | (#28358553)

We're using F-Secure Client Security.
The reason: The central server can be run under linux... ;)
The drawback: F-Secure consumes comparatively many resources on the clients...

At least we had no virus (or similar) on our machines in the past years.

A good and fast volume shadow policy... (2, Interesting)

Klistvud (1574615) | more than 4 years ago | (#28358567)

...may be your most secure bet. No matter what antivirus solution you implement, given enough exposure to the Internet, one of the machines will eventually get infected in the end. So, unless you're willing to migrate your entire office to Linux, the safest solution would be frequent volume shadowing, maybe combined with a good antivirus such as AntiVir (which even has a Linux version IIRC).

Sophos Enterprise Console (0)

Anonymous Coward | more than 4 years ago | (#28358591)

Our company uses Sophos products and manages some 300-400 computer connections via the Sophos Enterprise Console. This solution is far from perfect though. On the plus side, we are able to tell at a glance which computer on our network is infected or suspected and be able to act accordingly. We have Sophos configured to warn the user of possible threats and to call the helpdesk for assistance with removing these threats. On the down side, we have to constantly add new app. chksums whenever a new version of software comes up. We have one person in our IT department dedicating about half his work day to "Sophos duties." http://www.sophos.com/products/enterprise/ [sophos.com]

Our company has decided to invest in managed routers that will limit the amount of spam/worms, etc. Currently we are looking into Fortinet's line of routers.

Regardless of which security software you go with, implementing best security practices is really the only way to go. Locking down the computer, restricting or limiting admin access, applying automatic updates, user education, etc. http://www.google.ca/search?q=best+security+practices [google.ca]

Trend Micro (2, Informative)

clam0 (1527499) | more than 4 years ago | (#28358597)

For our little business of around ~35 people, we use Trend Micro OfficeScan. You need to check out what it costs, but I can tell you it works well here. To uninstall/configure the program on each client there's a central password and every noticed virus gets e-mailed to the sysadmin. The program is very stable too, and doesn't noticeably slow the system down.

Trendmicro. (0)

Anonymous Coward | more than 4 years ago | (#28358607)

I personally have great experiences with the Trend Micro solution. I love the central web interface from where you can view reports, schedule updates, view infections and unprotected PCs, etc..... All of these clients use the Microsoft Small Business Server 2003. So I have no experience with Linux clients.

I installed it with various small business clients. Never had any problems with it in the last 4 years.

http://emea.trendmicro.com/emea/home/small-business/index.html

Trend OfficeScan (2, Informative)

Lcf34 (715209) | more than 4 years ago | (#28358649)

After having managed three major products in the past years (EPO + McAfee, Trend OfficeScan, SEP, on various directories ranging from 120 to 6000 boxes) I would definitely vote for Trend.

confirm Nod32 sucks balls in real world (Y/N): Y (1)

w0mprat (1317953) | more than 4 years ago | (#28358661)

Where I used to work there was nod32, and scheduled clamAV scans was the 1-2 combo. Techs would again use a further package for troubleshooting only (I will decline to name, the EULA didn't allow this use). Most AV packages seem to let some infections through, it's a given in the security world, but it spooked me how prevalent it was. The solution was to use two, thus what defeats a major package will be picked up on by the alternative.

confirm nod32 sucks balls in real work (Y/N): Y

ClamAV was good at catching things that slipped past the goalie. Where multiple scans were used, I don't recall any incident that wasn't satisfactorily cleaned up.

We also had a proprietary recovery tool that could basically rebuild a system with fresh md5-checked binaries, thus a reasonable guarantee of virus-free executables.

As for the unix and open systems floating about, not a single virus of course, however they would get hacked directly by meat popsicles. The assumption of security leads to serious pwnage when root is obtained on a major box.

Aside from big holes nod32 has good usability and didn't blow system performance back to 2002, two essential things in enterprise equipment.

Anyway, my kingdom for a freakin open-source realtime scanner.

NOD32 (0)

Anonymous Coward | more than 4 years ago | (#28358691)

Thank me later.

Never McAfee (3, Insightful)

dltaylor (7510) | more than 4 years ago | (#28358751)

McAfee is horrendously insidious. Should you ever want to use a different product, it is damn near impossible to remove. After the IT guy at a job spent 7 hours trying to get rid of it (he did, mostly) when they switched to Kaspersky, I spent another three with regedit and a few Cygwin tools hunting down the rest. I think I got it all, since Outlook has finally quit trying to use it.

Avoid it like the plague.

What's wrong with SEP? (0)

Anonymous Coward | more than 4 years ago | (#28358759)

I took AV management upon myself when I upgraded from SAV 10 to SEP 11. It's very simple to set up the basic stuff, just the management server with the built-in database. Sure you can stack on LiveUpdate, redundant management servers, SQL databases, Quarantine servers, etc, but none of that is needed most of the time.

I have since set up a geographically separate management server/database and set it to provide only fault-tolerance, not load balancing. I'm in the process of updating all of the existing SEP clients to the latest Maintenance Release, which is nearly as easy as dropping the install package onto the group that all of the machines are in. Even updating the old SAV 10 clients is easy, just let the SEP management server search for all machines that don't have SEP already installed. It performs the SAV 10 uninstall and then installs SEP 11. Very slick.

Lastly, SEP seems to be less resource hungry than the aged SAV 10.

That being said, I haven't used any enterprise-grade AV products outside of Symantec, so maybe others are even easier?

AV-Comparatives Corporate Report (4, Informative)

Ralish (775196) | more than 4 years ago | (#28358779)

AV-Comparatives recently released their May 2009 Corporate AV Report [av-comparatives.org], which sounds like it may be right up your alley.

It's fairly large, but reviews a large number of AV products with a corporate focus, contains lots of screenshots, and even grades them on their appropriateness for Small, Medium and Large networks. Sounds like it would definitely be worth a look in your case.

Sophos (1)

briggsl (1475399) | more than 4 years ago | (#28358799)

We use Sophos at the school I admin with the enterprise console. It is by no means the greatest antivirus out there, but it does the job. It doesn't intrude on the user, updates itself quietly and efficiently and you can manage clients well using the enterprise console. I believe it's fairly reasonably priced, but we get a discount being educational (they sell heavily to schools).

Just make sure you only get the endpoint AV and not the bundled firewall - that really sucks.

comodo if you don't have the budget (2, Informative)

Verunks (1000826) | more than 4 years ago | (#28358825)

Since my company doesn't have the budget, I have tried to find something free but I failed. In the end I installed Comodo AV, which is free. It can't be remotely managed, but it's far better than ClamAV. I've scheduled an automatic scan at 1pm during lunch break, and it does automatic updates too. If you need to administer it remotely just install VNC on each client, 20 aren't that much.

I've got some bad news for you (1)

jimicus (737525) | more than 4 years ago | (#28358835)

OK, first let me explain my assumptions, based largely on what you've said in the summary:

1. Only 20 or so PCs, no full-time admin.

It's probably a small company, so there's a strong chance that individual staff don't have roles sufficiently specialised that you can simply disable removable media and block internet access to 90% of staff. Even if you did that, one of the other 10% would probably let something in and as soon as they do everyone else is vulnerable because there's no AV.

2. Need centralised management.

I can relate to that. Unfortunately, as I'm sure you've discovered, an awful lot of people seem to think "centralised management" means "can push it out remotely, though that may mean visiting each machine logically rather than physically".

Free Clue: The OP can have centralised management like that by enabling remote desktop on every PC. At the very least, s/he needs an interface that presents a list of machines found on the network and offers the option to select which machines on that list need to have the software installed.

3. Having trouble justifying the money for Symantec Enterprise.

Ah.

Hate to break it to you, but I think you're asking for the moon. Most of the free products I can think of do offer the features you require - but only in a souped-up commercial version of their product.

You could (if you haven't already) set up an LDAP server, have Samba act as a domain controller and then push everything out that way. However, you'll only get the equivalent of an NT4 domain, which is very primitive compared to AD in terms of remote management of groups of computers. You'd almost certainly spend any money you saved on the time it would take to lash something together yourself - which will still not be anything like as sophisticated as AD.

Get a proper AD server (3, Informative)

Toreo asesino (951231) | more than 4 years ago | (#28358855)

...then use group policies to push out AV updates automatically & lock down the desktops remotely and automatically. Samba is a half-cut replacement for a proper Windows Server when it comes to Windows workstations (sorry samba guys; samba is good, but ultimately lags far behind what it's trying to imitate)

Windows XP is only really so vulnerable to viruses because normally it runs in "everything as root" mode; which, if you had a proper Windows server you could change in seconds (not that you couldn't do this manually, but with AD it's automatic network-wide).
