Virus protection: How antivirus solutions work


Virus protection

Most computer users and system administrators have learned, many of them from their own bitter experience, that some kind of anti-virus protection is necessary. But antivirus solutions that work for the home or small business user cannot easily scale to meet the needs of the corporate environment. Therefore, you need to be careful when choosing an antivirus solution for your company's network, as this solution must scale as your company's network grows in the future.


How antivirus solutions work

Antivirus programs use several different methods to detect and protect against malicious code:

Most antivirus programs use a known virus signature database. A signature is a specific string of binary code that functions as an identifier for a specific virus. Every virus (and its variations) has a unique signature. Since new viruses are created and released daily, the antivirus program must update its database frequently. Most antivirus programs include automatic updating mechanisms. They connect to their suppliers' websites at scheduled times and download new signature files.

Some antivirus programs use an integrity check to determine if files have been modified (such changes can be caused by viruses). The program can then provide the user with the option to restore the file to its pre-infection state.

Antivirus programs can use heuristics to protect against new viruses that have no signature yet. Heuristic analysis judges code as suspicious based on how it is built and what it appears designed to do, rather than by matching it against specific signatures.

Some antivirus programs use a virtual machine environment called a sandbox to run suspicious code to see how it behaves and what it does.

Antivirus programs can scan files already on your computer's hard drive and files (such as e-mail messages and downloads) as they arrive over the network. The program can scan files before opening them, and most antivirus programs are configured to scan executable files by default.
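The two detection methods described above, signature matching and integrity checking, side by side in a small added example (not code from the original article). The signature database, file paths and file contents are all constructed for the demonstration; the point it shows is that a file altered by something with no known signature is missed by the signature scan but still flagged by the hash baseline.

```python
import hashlib

# Constructed signature database (name -> byte pattern); these are not real malware signatures.
SIGNATURES = {
    "Demo.Worm.A": b"DEMO-WORM-A-PAYLOAD",
    "Demo.Trojan.B": b"DEMO-TROJAN-B-PAYLOAD",
}

def signature_scan(data, signatures=SIGNATURES):
    """Return the names of every known signature found in data ([] if none match)."""
    return [name for name, pattern in signatures.items() if pattern in data]

def build_baseline(files):
    """Record a SHA-256 digest per path: the known-good state an integrity check compares against."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_check(files, baseline):
    """Return the paths whose current digest differs from the baseline (modified or newly added)."""
    return [path for path, data in files.items()
            if baseline.get(path) != hashlib.sha256(data).hexdigest()]

def scan_host(files, baseline):
    """Per-file report combining both methods, so each file shows what caught it (if anything)."""
    modified = set(integrity_check(files, baseline))
    return {path: {"signatures": signature_scan(data), "modified": path in modified}
            for path, data in files.items()}

# Constructed "disk contents" at baseline time (clean).
CLEAN_FILES = {
    "C:/apps/editor.exe": b"MZ...legit editor code...",
    "C:/apps/mailer.exe": b"MZ...legit mail client...",
}
BASELINE = build_baseline(CLEAN_FILES)

# Constructed contents at scan time: mailer.exe now carries a known signature,
# while editor.exe was altered by something that has no entry in the database.
LATER_FILES = {
    "C:/apps/editor.exe": b"MZ...legit editor code...UNKNOWN-VARIANT-BYTES",
    "C:/apps/mailer.exe": b"MZ...legit mail client...DEMO-WORM-A-PAYLOAD",
}

if __name__ == "__main__":
    for path, result in scan_host(LATER_FILES, BASELINE).items():
        print(path, result)
```

In the report, mailer.exe is caught by both methods while editor.exe shows no signature hit and only the integrity change, which is exactly the gap the integrity check is meant to cover.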

When antivirus solutions don't work

Unfortunately, there are many ways for virus writers to bypass or defeat antivirus programs:


Stealth viruses that load before the antivirus software and conceal their activity from it.

Polymorphic viruses that change their own code every time they infect a new computer, much like mutating biological viruses, so that a single fixed signature no longer matches every copy.

Viruses that try to disable the antivirus software itself and/or block access to the antivirus vendor's websites in order to prevent new signatures from being downloaded.

Host-based antivirus solutions

The traditional method of protecting against viruses and other malicious software is to install an antivirus program on every workstation and on servers that connect to the Internet, such as email and web servers.

Host-based antivirus programs usually do a good job of detecting viruses in email and are necessary to protect against viruses that are introduced locally (for example, via a portable hard drive, USB key, or memory stick), but they do not protect as well against viruses that arrive via web pages or instant messages. More importantly, they do not protect the network itself; to be detected, the virus must first reach the local machine.

Host-based antivirus programs can also cause performance degradation because virus scanning is quite CPU intensive. Other applications may not work correctly when scanned by an antivirus program. Antivirus programs running in the background can also interfere with the correct installation of some applications.

If a company relies on host-based antivirus to protect its network, it may be overlooking the laptops that employees bring to connect to the network, or home computers from which employees connect remotely. You may not be able to verify so easily that these systems have updated antivirus protection.

Finally, host-based AV programs are under the control of an individual user. Users can turn off the antivirus program, change its settings, or open quarantined files.

Host antivirus software, on the other hand, is relatively inexpensive and easy to deploy on small networks.

Network antivirus solutions

Network antivirus solutions are deployed at the firewall or server level. Firewall-based AV solutions stop viruses and worms around the network perimeter, so they never enter the network at all. Networked AV solutions can be implemented in several ways:

Anti-spam and anti-spyware hardware firewall devices that include virus blocking

Additional software or modules for software or hardware firewalls with application-level filtering

Mail server-based antivirus programs that scan inbound and outbound e-mail messages and attachments for viruses and intercept them before they reach user mailboxes or are sent over the network.

Scalability considerations

In a large networked environment, installing and maintaining antivirus software on each individual host computer can be cumbersome, costly, and error prone (a machine whose signatures are out of date is effectively unprotected). As your network grows, you should consider deploying a network solution that gives you centralized control over virus detection, blocking, and removal.

At the enterprise level, solutions from Fortinet or Sophos combine antivirus, content protection and IDS functionality in a single package based on hardware clustering. This creates a highly scalable solution as new cluster nodes can be added as your needs grow, so you can maintain optimal performance as your network grows.
