Boost NT's Virus Immunity

By KEITH SCHULTZ

Antivirus products are like firewalls: you wish you didn't need them, and they have to be absolutely flawless in execution. We decided to sample the new offerings from three popular antivirus companies to see the latest in Windows NT virus management. We rounded up Dr Solomon's Anti-Virus Toolkit for Windows NT Server version 7.78, Symantec's Norton AntiVirus for NT version 4.0 and Trend Micro Inc.'s ServerProtect for Windows NT version 4.51 to see which product provided the best virus protection and gave us the best bang for the buck. McAfee was invited to participate, but the company was about to release a new version of NetShield and declined due to time constraints.

We found all of the products capable of stopping both file and Macro virus attacks, and they all shared the common trait of running as an NT service. We evaluated our virus contenders based on the type and efficiency of the scanning engine, on the type of alerting and logging available to network administrators, and on overall functionality. Management plays an important part in administering multiple servers across the enterprise, and we took these features into consideration.

One of the most important features of a server-based antivirus scanner is that the real-time scanner continues to check for viruses even when a manual scan is running. Not all antivirus scanners can keep the real-time scan up during a manual scan, but all three of our products passed this test with flying colors.

We are happy to say that all three products did well in our tests, with a few exceptions, as noted in the following sections. Dr Solomon's Anti-Virus Toolkit particularly impressed us, thanks to its superior, and faultless, scanning. Because of this, we are naming it InternetWeek Approved.

Dr Solomon's Anti-Virus Toolkit For Windows NT Server 7.78

One of the oldest antivirus companies, Dr Solomon's is no stranger to the rigors of virus detection and removal. Anti-Virus Toolkit for NT uses virus signature matching and heuristics to sniff out both file and Macro viruses. WinGuard, Dr Solomon's real-time scanning agent, runs as an NT service and can detect viruses in OLE data streams. Enterprise management duties are handled by Dr Solomon's Management Console, a separate utility included in the package. Only the lack of a single interface detracts from this product.

FindVirus is Dr Solomon's "on-demand" virus scanner. You can start a scan of a local or network drive or directory either from Windows Explorer or from the Anti-Virus Toolkit interface. In fact, you can even scan based on a Universal Naming Convention (UNC) name by running FindVirus at a command prompt. To help you automate your virus detection, you can schedule a scan to repeat at certain times. FindVirus can scan all files or only .EXE files if desired, and it also can recursively check for viruses inside compressed archives such as ZIP, ARJ, LZH and self-extracting archives. FindVirus also uses heuristics to identify unknown file and Macro viruses.

But detection is only half of the game. Virus removal is the other half of the equation and is handled from the Anti-Virus Toolkit utility. Dr Solomon's takes a "shotgun" approach to virus removal, as you have to disinfect an entire drive to remove a single virus. You cannot simply clean a directory or single file. For novice users, this is probably a good thing, but for many IT managers, it would be nice to be able to clean a specific directory.

The heart of Anti-Virus Toolkit for NT Server is WinGuard, Dr Solomon's real-time scanner. You can define different scanning behavior for both local and network resources. For example, you can have WinGuard ignore file writes from local drives but scan file reads and writes from drives out on the network. When it comes to OLE objects, unlike Trend Micro's ServerProtect, WinGuard can even detect and handle embedded viruses in an OLE data stream.

We tested Anti-Virus Toolkit by copying our virus sample to it from another PC on our LAN. WinGuard correctly detected and handled both file and Macro viruses and notified us of the intrusions via screen pop-up. We could not beat WinGuard's detection no matter how hard we tried.

Like the other products in this review, installation of Anti-Virus Toolkit was quick and presented no surprises. We were a little concerned that Anti-Virus Toolkit, unlike ServerProtect, did not scan our test system for viruses prior to installation. We were told that this is simply due to the fact that the program code is compressed on the floppies and cannot run until after the installation finishes. If you believe the system to which you are installing has a virus infection, you can boot off Dr Solomon's Magic Bullet diskette. This special disk will find and clean boot sector viruses from any hard drive, including NT File System (NTFS) volumes. Although it cannot clean inside the NTFS volume, Magic Bullet can scan and clean FAT16 and VFAT32 volumes.

You actually get two products in the Anti-Virus Toolkit for NT Server box. In addition to the antivirus software, you also get Dr Solomon's Management Console. The Management Console provides you with a way to implement a networkwide antivirus policy without having to walk to each PC. In the Management Console, you can define an antivirus domain, add individual PCs as members of your antivirus domain and define your network antivirus policy from one location. You can have multiple antivirus domains on your network, and each domain can have its own policy. One of the things we liked best about the Management Console is that you can "push" the virus updates to the PCs. The Management Console will install Anti-Virus Toolkit to any PC using Windows networking, including DOS machines running a DOS-Windows network client. Also, Management Console allows you to send alerts via pager, SNMP and SMTP messages.

ServerProtect For Windows NT 4.51

Trend Micro's ServerProtect for Windows NT is just one in a family of antivirus products. Like the other antivirus products tested, ServerProtect uses signature matching to locate file viruses, and MacroTrap, a new heuristic and rule-based technology, to detect and clean known and unknown Macro viruses. Easy administration, antivirus domain management and automatic updates highlight ServerProtect, but the ability to cut and paste viruses on a local server drive tarnishes an otherwise top-notch product.

ServerProtect's main goal is to keep viruses off your server. The folks at Trend Micro are aware that the Internet is a source for possible trouble, so MacroTrap includes the ability to identify more than 200 potentially dangerous ActiveX and Java applets. ServerProtect can check for viruses inside file archives created with PKZIP, ARJ, MS Compress and LHA, but, as of this release, cannot scan OLE data streams. Like the other products in our review, ServerProtect runs as an NT service, and its real-time protection is active even without being logged into the server.

To test its virus-sniffing capabilities, we copied our virus sample to the server, and ServerProtect sniffed and caught all of our file and Macro viruses without a hitch, and notified us via screen pop-up. We were able to circumvent its protection under one special circumstance, however: If the first file in the quarantine directory did not contain a virus, we could select all of the files and cut and paste them from that directory to another directory on the same server. A copy would trigger the real-time scanner, but the "cut" made it through. The folks at Trend Micro are working on this problem and plan to have it fixed by the next release.

With ServerProtect, you define the action to take when it detects a virus, the type of files to scan (program files or all) and whether to scan inside file archives. Both the manual and real-time scan can have their own configuration settings. For example, on the manual scan, you can tell ServerProtect to delete any virus in all files and skip compressed archives, while the real-time scan may simply move infected files to a quarantine directory and only check incoming files.

Unlike Norton AntiVirus for Windows NT, ServerProtect lets you set up an antivirus domain and also perform your antivirus domain administration from one console. You define one or more antivirus domains for your network and add servers on your network for each domain. You can define a default configuration for each domain's members and a specific antivirus configuration for a domain member. You also can change its configuration without changing the domain default. When you update your main server, you can push the update to any of the servers in your antivirus domain. And similar in function to Symantec's LiveUpdate utility, you are able to receive virus pattern updates via the Internet, by dialing Trend Micro's BBS directly or from another server on the network. You can even set up a schedule to pull down updates on a monthly basis. We like this method of updating signatures, although we recommend pulling them down to a secure directory and inspecting them before use. Currently, new virus patterns are available every 15 days.

Notification is very important, and ServerProtect comes with a nice variety of notification choices. We like the fact that you can test the printer, SMTP and SNMP message options to make sure the alerts are working properly. Installation is easy and presented us with no surprises. During installation, you can choose the default action for incoming and outgoing viruses. This defines ServerProtect's default setting for the real-time scanner.

Norton AntiVirus For Windows NT 4.0

Symantec brings us solid yet flexible virus protection. Norton AntiVirus for Windows NT uses a blend of signature matching and a new heuristic detection engine called BloodHound to sniff out both known and unknown file and Macro viruses. AutoProtect, Norton's real-time scanner and the heart and soul of Norton AntiVirus, can scan embedded OLE objects as well as files when they are opened. Like all of the other products, AutoProtect runs as a service and protects your server without requiring a user to be logged in. Currently, there is no centralized management available for the enterprise, and AutoProtect cannot scan inside file archives.

Norton AntiVirus can recursively scan PKZIP, ARJ and LZH files to detect viruses, but AutoProtect's scanning engine is unable to uncompress and inspect a compressed file archive in real time. If your network sees lots of traffic from outside sources, we recommend that you schedule a scan of the system, including compressed files, at least once a day. We were able to copy both ZIP and ARJ files containing viruses to our server without triggering any alarms. But when we tried to uncompress the files, AutoProtect then detected the viruses and handled them based on our virus policy.

Unlike Trend Micro's ServerProtect, AutoProtect takes file access scanning one step further. Not only will it scan for a virus when a file is read from or written to disk, it also will check your files when you move them. We could not fool AutoProtect as we did ServerProtect by cutting and pasting infected files. Also, like Dr Solomon's Anti-Virus Toolkit, AutoProtect can scan an OLE data stream for Macro viruses.

Norton's new heuristic engine, BloodHound, is the key to detecting unknown file and Macro viruses. You can vary the sensitivity of BloodHound by moving a slider control. Move the slider to the left and you increase scanning performance but lessen BloodHound's effectiveness. Move the slider to the right and you will slow down your scanning speed but you will also make BloodHound much more paranoid. By default, the slider is right in the middle, which is fine for most situations.

Although not as comprehensive as ServerProtect's administration, Norton AntiVirus for Windows NT does come with the basics. You can install it to remote servers on your network as long as you have a valid user account. Also, it can receive all virus alerts from any other client PC running Norton AntiVirus. This way, you can watch all virus activity on any client platform, including DOS and Macintosh PCs. You can schedule scans of local and remote server drives for daily maintenance, but you cannot scan based on a UNC name.

LiveUpdate is Norton's utility to pull down virus signature updates. You can download updates via the Internet or by dialing Symantec's BBS directly. These events can be scheduled to occur anywhere from hourly to yearly using Norton's Scheduler. We had no trouble updating our virus signatures from Symantec's FTP site and making them available to the other servers on our LAN.

One of the things we liked best about Norton AntiVirus is that you can customize the action taken based on the type of virus detected. For example, on a manual scan, you can have it automatically delete a file virus, automatically clean a Macro virus and prompt you when a boot record virus is found. You can have a completely different setup for the real-time scanner. This allows you to tailor the software specifically to your needs. Also, like ServerProtect, you can define a password to prevent unauthorized access to your scanner settings.

Norton AntiVirus for Windows NT also comes with many alerting options. Norton AntiVirus can pass an alert on to a Novell NetWare server running NAV for NetWare as well as via E-mail and message pop-up. New to this release is SNMP trap support.

Keith Schultz is a Destin, Fla.-based network consultant and frequent contributor to InternetWeek. He can be reached at kschultz@destin.net.