When my network grew to a point where it was no longer feasible to administer anti-virus on a per-workstation basis, I began looking for an enterprise solution capable of central management, monitoring, and control. Norton AntiVirus had been our desktop solution, but I found Symantec's enterprise solution to be a little cumbersome, both in terms of management and budget. I have also had some bad personal experiences with McAfee products, so I did not consider their products an option.
Enter Trend Micro. After talking to a user of Trend’s software about his experiences, I checked out OfficeScan. The first appeal was the price -- for a network the size of mine, I could save over $1000 (US) over the Symantec solution, including purchasing products to secure my file servers and my Lotus Domino mail server. Considering this is a small, rural high school with a couple hundred students, $1000 is a _lot_ of money. Learning that OfficeScan is web-based sealed the deal, and after a brief evaluation I rolled it out network-wide.
Installing OfficeScan is a snap. The server component must be installed on a Windows server with IIS 4 or greater. The user has only to create a shared folder for the OfficeScan server and the installer takes care of the rest. From here on out, all administration is done through the web interface. For security reasons that will become obvious in a moment, I installed the production server component on my Intranet.
Pointing a browser to the web interface shows us there are two levels of access: Public and Administrative. Public access requires no password, and only has the ability to install the client component on Win95/98/Me machines. The administrator (or a workstation user, for that matter) simply logs in, clicks the public link, and the server begins installation through the browser (IE4 or greater required).
The administrator portion is password protected, and there are no individual accounts. Entering the administration section first greets the user with an overview: presently-infected workstations; the top 10 viruses to hit the network; and the last virus infection discovered. As you can see in Figure 1, I need to educate some of my users about careful surfing habits.
The menu running down the left-hand side of the screen takes us through the rest of the configuration options, all of which are easily understandable. In fact, I have never had to refer to the manual following installation.
The bulk of the work is done through the Workstation Administration tab. It is here the administrator sets up privileges (whether users will be allowed to shut down the client or set their own scan schedules), scanning schedules, and scanning options. For a look at the various options available, check out Figure 2. I tweaked very little out of the box. The File Exclusion submenu allows global file exclusions, and remote scans or uninstalls can be requested at any time. Virus logs can be viewed network-wide or per client, and log rotation is also managed here.
It is important to note that all NT/2000/XP workstation installations are managed through the web interface. Rather than having to visit every machine on a network or relying on users to perform client installs, the administrator can take care of it with a handful of mouse clicks. An entire queue of installs can be set up, requiring only the remote machine's admin password to complete the job.
Server customization is enabled through the Server Administration tab. Here the administrator can change the password, create alert and outbreak notification messages and methods (including email, pager, SNMP, and the Event Log -- see Figure 3), and manage any proxy settings. Notification messages include variables that can display the name of the virus and the names of the infected clients, allowing the administrator to quickly prepare to handle the situation.
Updates & Upgrades are all handled via the web. Here the administrator can download updates manually or set up a schedule. The administrator can also push updates out to each client manually or set a schedule by which the clients poll the server for new data. Pie chart overviews provide client data at a glance for easy troubleshooting. A Rollback feature is provided in the event of bad software patches or corrupt definition files, but I have never needed to use it.
Finally, the Support tab takes the user to the Trend Micro website for online support and the knowledge base, and the Online Help tab brings up an electronic version of the user manual. Similarly, clicking on the name of any reported virus in status windows or logs takes the user to Trend Micro's virus encyclopedia to learn about the virus, how to remove it and/or prevent further spread, and download removal tools if available.
One caveat: client control messages are sent out to port 12345. As a result, my firewall (a SonicWall Pro, also reviewed for HNS by myself) matched it to a trojan attack signature and refused to allow the traffic to my clients. I assume this will also trigger false positives on other IDS systems, something administrators should be aware of when spanning networks with a single server.
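One way to handle the port 12345 caveat without switching off the firewall or IDS signature entirely is to treat as expected only traffic from the OfficeScan server to known client subnets, and keep every other hit for review. This is an added example, not part of the original review or of Trend Micro's software; the server address, client subnets, TCP protocol and log format are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the review): server IP, client subnets, TCP, log format.
OFFICESCAN_SERVER = ipaddress.ip_address("10.0.0.5")
CLIENT_NETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]
CONTROL_PORT = 12345  # client control port named in the review

# Constructed sample alerts in a made-up key=value firewall log format.
SAMPLE_LOG = """\
2002-03-01T08:00:01 sig="trojan-port" proto=tcp src=10.0.0.5 sport=1045 dst=10.0.1.20 dport=12345
2002-03-01T08:00:02 sig="trojan-port" proto=tcp src=10.0.0.5 sport=1046 dst=10.0.2.31 dport=12345
2002-03-01T08:03:10 sig="trojan-port" proto=tcp src=10.0.1.77 sport=2201 dst=10.0.1.20 dport=12345
2002-03-01T08:04:55 sig="trojan-port" proto=tcp src=203.0.113.9 sport=4410 dst=10.0.2.31 dport=12345
2002-03-01T08:05:00 sig="trojan-port" proto=tcp src=10.0.0.5 sport=1050 dst=192.0.2.8 dport=12345
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def is_expected_control_traffic(alert):
    """True only for server -> client-subnet traffic on the control port."""
    try:
        src = ipaddress.ip_address(alert["src"])
        dst = ipaddress.ip_address(alert["dst"])
        dport = int(alert["dport"])
    except (KeyError, ValueError):
        return False  # malformed or incomplete alert: keep it for review
    return (alert.get("proto") == "tcp" and dport == CONTROL_PORT
            and src == OFFICESCAN_SERVER
            and any(dst in net for net in CLIENT_NETS))

def triage(log_text):
    """Split alerts into (expected OfficeScan traffic, still needs review)."""
    expected, review = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = parse(line)
        bucket = expected if is_expected_control_traffic(alert) else review
        bucket.append(alert)
    return expected, review
```

Client-to-client, external-source and server-to-unknown-destination hits on port 12345 stay in the review list, so the signature keeps its value for everything except the one documented flow.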