Setting antivirus policy is fairly simple. Halifax plc's rule, for example, states that "any machine connected, directly or indirectly, to our corporate network must have a demonstrable antivirus solution installed on it," according to Richard Fry, "malware" defense team leader for the West Yorkshire, U.K.-based bank and insurance company.
Enforcing this policy, however (detecting vulnerabilities, not to mention the actual viruses that sneak in despite the safeguards), isn't so simple, especially considering that Halifax, which merged with Bank of Scotland in September, has more than 1,700 corporate and branch locations.
To better manage its security, Halifax recently began using ePolicy Orchestrator, an antivirus management system from McAfee, a division of Santa Clara, Calif.-based Network Associates.
"ePO works by reporting what we've got out there and enforcing policy centrally," Fry said.
The product is "a management tool that lets you report who is letting viruses in," which terminals have adequate antivirus protection and which don't, among other information, said Michael Callahan, marketing director at McAfee. For example, ePO can tell if a terminal had a virus, what that bug did and whether the machine is safe to use. And if a virus gets into the system, ePO can determine how far it's spread.
"It's been very good steering us toward problem areas," Fry said. The product not only targets viruses but identifies potential vulnerabilities.
The software's virus scanning function is performed by an engine that checks three tiers: the desktop device, the groupware server (for example, the server handling company-wide e-mail) and the gateway into the system. Banks need virus scans at each layer, Callahan said, because bugs can come from many sources, such as diskettes employees bring from home, or externally generated e-mail.
When a virus enters the system, the engine zaps it and lets the rest of the file through. ePO's engine is powerful enough to detect even previously unknown viruses, picking up on telling characteristics. For example, a Word document containing code calling a user's address book is suspicious, because there's no reason for that file to touch it.
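As an added illustration, not McAfee's engine or any code from the article, a toy heuristic of the kind this paragraph describes: score a Word macro's VBA source for indicators such as automatic execution and address-book access, and flag the document when the combination looks like something a document has no business doing. The indicator names, weights, threshold and the two sample macros are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns a heuristic macro scanner might look for in VBA source.
# Names, patterns and weights are illustrative assumptions, not a vendor's rules.
INDICATORS = {
    "auto_execute": re.compile(r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Document_Open)\b", re.I),
    "address_book": re.compile(r'\b(AddressLists|AddressEntries)\b|GetNamespace\s*\(\s*"MAPI"\s*\)', re.I),
    "send_mail":    re.compile(r"\bCreateItem\s*\(\s*0?\s*\)|\.Send\b", re.I),
    "self_copy":    re.compile(r"\bAttachments\.Add\b|\bActiveDocument\.FullName\b", re.I),
}
WEIGHTS = {"auto_execute": 1, "address_book": 3, "send_mail": 2, "self_copy": 2}
THRESHOLD = 4  # assumed: combined score at which a macro is flagged


@dataclass
class Verdict:
    suspicious: bool
    score: int
    hits: list = field(default_factory=list)


def score_macro(vba_source: str) -> Verdict:
    """Return which indicators fired, their weighted score, and a verdict."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(vba_source)]
    score = sum(WEIGHTS[h] for h in hits)
    # Address-book access alone is enough to flag: a document has no
    # legitimate reason to touch it (the heuristic the article describes).
    suspicious = "address_book" in hits or score >= THRESHOLD
    return Verdict(suspicious, score, hits)


# Constructed sample: a benign macro that only touches its own document.
BENIGN_MACRO = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

# Constructed sample: runs on open and enumerates the user's address book.
SUSPICIOUS_MACRO = """
Sub AutoOpen()
    Set ns = Application.GetNamespace("MAPI")
    For Each entry In ns.AddressLists(1).AddressEntries
    Next entry
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        print(name, score_macro(src))
```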
ePO's single-server model scales up to 100,000 users. Users can operate from anywhere using a remote console, from which they can set and change policies as often as necessary to adapt to changing threats and network environments, without ever leaving their desks. The product also saves time with a configurable directory and flexible agent deployment.
Previously Halifax used Dr. Solomon, an antivirus software product that Network Associates had acquired in 1997. That product had state-of-the-art detection capabilities but poor reporting and management tools, Fry said.
Halifax chose ePO because it uses the powerful Dr. Solomon engine, and because "no other products at the time offered anything close to the level of management reporting and enforcement," Fry said.
By mid-December, Halifax had installed it on 40,000 machines, with another 3,000, completing the company's full roster, expected to be added by the first or second quarter of 2002.
Halifax evaluated antivirus software management products from several major providers besides Network Associates, including Sophos, Computer Associates, Symantec and Trend Micro. All were deemed capable of detecting viruses. Halifax put two or three products through vigorous system testing, employing a test virus to determine how much memory each demanded and how much they slowed file access, among other things.