#1 (permalink)
Master Untangler
Join Date: Jul 2008
Posts: 103
A client of mine uses Trend Micro OfficeScan for all the workstation clients. Recently a laptop got infected with a variant of the dreaded Conficker virus. They received this via email, clicked a link, saw the bogus Conficker info and thought it was a legit MS Update. Needless to say they were infected and spam flew out through our Exchange server, blacklisting us and giving us a bad email reputation. This has been pretty serious and we are now looking for a new AV solution for the Servers and Workstations.
I test several AVs in Virtual Machines on Win XP SP3. I really think that Kaspersky is the best AV out there and also like offerings from Eset, GData as well and also MS Forefront. Since we are looking for a new company-wide AV solution, I was wondering about first going with the Kaspersky paid-for module on our Untangle system. I understand we can test it for free, but I wanted to know how effective it would have been in our scenario above? Has anyone had a similar experience, or would it just be better to go with a new AV for the Workstations and ditch our rather ineffective Trend OfficeScan? Thanks all!

#2 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,464
The Kaspersky module does not replace the need for strong desktop based AV. You can however use it as part of a multi-vendor approach to defending your network.
I've had excellent results with both Clam and Kaspersky in the Untangle gateway with eSet's commercial AV on the desktop.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

#3 (permalink)
Join Date: Jun 2008
Location: Argentina
URLs submitted: 57
Posts: 3,634
The Kaspersky AV in Untangle is only valid for mail traffic and web browsing.
You must have a good antivirus (anti-malware today) solution on your desktops and servers. The last line of defense is the desktop AV, but sometimes it reacts too late, permitting the registry modification and writing some file in the temp folder. Some theories say it is not good to use the same antivirus engine and signatures on both sides, the edge and the desktop; the AV company of course said no to this. And with your specific Conficker issue, a well-patched and updated Microsoft machine should be immune. What do we use for our customers? Kaspersky or ClamAV at the edge, and Eset on the desktop. Never have an issue? Not true; sometimes some machine is infected, but thanks to the web filter, protocol control and the reports of Untangle, I detect, identify and attack the source of infection. It's my job. I hope this helps you.
__________________
The world is divided into 10 kinds of people, who know binary and those not

#4 (permalink)
Master Untangler
Join Date: Jan 2009
Posts: 115
Thanks for the info and I agree on the approach. I think I will go one step further and try MS Forefront which claims to use several AV engines. Review wise it seems solid and there is a 120 day free trial which is nice.

#6 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,464
Yeah, Forefront is HUGE. Eset takes seconds to set up and get running...
Well assuming your mirror doesn't crap out and do strange things...
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

#7 (permalink)
Master Untangler
Join Date: Jan 2009
Posts: 721
Quote:
You should see the Vista desktop I have go to 80% CPU on startup scan at def update, it doesn't stop... After a few weeks of emails and hours of troubleshooting with those guys I gave up on their support and disabled the startup scan on that unit.

#8 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,464
I've NEVER seen it do that... I have hundreds of nodes of that thing out there and I sell you a few seats only to watch you nuke that mirror and run into other stuff...
I guess it just goes to show you that at the end of the day... nothing is perfect.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

#9 (permalink)
Master Untangler
Join Date: Jan 2009
Posts: 721
It was doing it about 3 out of 5 times, and with 3 updates a day...
What sucks is not being able to kill or restart ekrn. I'd have to reboot the unit to get it to stop, then when I'd log in the user, it'd start again, reboot, etc. I asked point blank 3 different times, if and if not, why, I was unable to stop or restart the ekrn process. After ignoring the question, a response was finally, "this is just because of security reasons, malware like to stop this service, so it has to be made so, that this is not possible so easily". I said forget it. It's taking up to 48 hours for AV companies to come up with defs for modern day malware anymore anyway... so the reality is to watch the traffic and be prepared to fix. Just to really twist your mind, I also have an XP unit that has done the CPU race twice on startup scan, but not for a few months now, so it's really two nodes... Check out the pic, this is what a startup scan did, notice the days... I'd gone out of town...