What is antivirus for?

    Everyone knows that nails are for hammering and viruses are for catching with an antivirus. This view is widespread among users, and unfortunately also among those who write tender documentation for large projects. But what do the vendors themselves consider the purpose of an antivirus to be?

    This article is deliberately short and continues the topic already touched on in the myths about antiviruses. In effect it sums up a series of articles on the purpose, capabilities and limitations of antiviruses: an abstract, so to speak.

    First of all (and this was stressed repeatedly in the comments to the articles of the series), there is no single solution that fits every situation, and probably there cannot be one. For example, if a tablet is used only for browsing and corporate mail, holds no critical data, or holds only data that can be quickly restored, then (leaving aside protection against data leakage or tampering) backups alone may in principle be enough. But if the same tablet goes on business trips, an antivirus becomes necessary, because backups cannot be reached from every corner of the world, if only because of connection quality.

    The choice of a solution depends on the level of risk, and this applies above all to the protection of workstations. Some time ago, at a Security Code conference in Chelyabinsk, attendees were asked why they install an antivirus. The three answers were: because the regulators require it, because everyone does it, and "how else?". In other words, the need for protection against malware is essentially not evaluated at all (apart from the question of protecting weak machines, heavily loaded machines, and machines that perform time-critical procedures).

    This is largely due to the widespread belief that an antivirus should catch all malware at the moment it tries to penetrate the protected system. In fact the antivirus (the antivirus engine, including heuristics and behavioural analysers of every kind) can catch only known types of malware and their new variants. If the malware was written with that particular antivirus in mind and tested against its current version (and this does happen with the most dangerous malware), the antivirus will miss it.

    Accordingly, protection against penetration requires not only an antivirus (estimates vary, but it will intercept at least 50 percent of malicious programs at the point of entry) but, first of all, restriction systems such as whitelists of programs allowed to launch. Otherwise you may well make your acquaintance with ransomware or banking trojans somewhere other than in the logs. And, of course, data backups, because "all sorts of things happen".
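    As an added illustration (not code from the original article), here is a minimal launch-control check of the kind the paragraph above calls a whitelist of launched programs, written in Go. It is deny-by-default and keys on the SHA-256 of the executable's contents as well as its path, so a modified binary sitting at an approved path is refused rather than trusted. The "programs" are constructed byte strings rather than real executables so that it runs offline; the AllowList type and its methods are this example's own names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision is the verdict of the launch-control check, with the reason kept
// so that refusals can be logged and investigated.
type Decision struct {
	Allowed bool
	Reason  string
}

// AllowList maps a program path to the SHA-256 of the binary approved at that
// path. It is deny-by-default: anything not listed is refused.
type AllowList map[string]string

// sha256Hex returns the lowercase hex SHA-256 of b.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Approve records the current contents of a program as the only version that
// may launch from that path.
func (a AllowList) Approve(path string, contents []byte) {
	a[path] = sha256Hex(contents)
}

// CheckLaunch decides whether the program at path, with the given contents,
// may start. The path alone is not enough: the bytes must match the approved
// hash, so a replaced or patched binary at an approved path is refused.
func (a AllowList) CheckLaunch(path string, contents []byte) Decision {
	want, listed := a[path]
	if !listed {
		return Decision{Allowed: false, Reason: "path not on allow list"}
	}
	if got := sha256Hex(contents); got != want {
		return Decision{Allowed: false, Reason: "binary changed since approval (hash mismatch)"}
	}
	return Decision{Allowed: true, Reason: "approved path and hash"}
}

func main() {
	// Constructed sample "programs": short byte strings standing in for
	// executables so the example runs without touching the file system.
	approved := []byte("MZ calc v1")
	list := AllowList{}
	list.Approve(`C:\Windows\System32\calc.exe`, approved)

	attempts := []struct {
		path string
		data []byte
	}{
		{`C:\Windows\System32\calc.exe`, approved},                     // approved binary
		{`C:\Windows\System32\calc.exe`, []byte("MZ calc v1 patched")}, // same path, altered bytes
		{`C:\Users\Public\unknown.exe`, []byte("MZ unknown")},          // never approved
	}
	for _, at := range attempts {
		d := list.CheckLaunch(at.path, at.data)
		fmt.Printf("%-32s allowed=%-5v %s\n", at.path, d.Allowed, d.Reason)
	}
}
```

    In a real deployment the hash would be computed over the file on disk at launch time and the list maintained centrally; the point the example makes is that the decision is by default "no", and that approving a path without pinning its contents leaves a gap.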

    The role of the antivirus on workstations and file or terminal servers is to remove malware that has already got onto the protected machine. In this role the antivirus can be replaced entirely by backups, but only if the recovery time and the interruption of business processes are not critical.

    That is why the antivirus (above all the antivirus for workstations and file servers) must have self-protection (nothing should be able to kill it before it learns about the new trojan), secure update and management channels (updates must not be intercepted), and a mechanism for disinfecting active infections.
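    To show concretely what "updates must not be intercepted" requires, here is an added example (not the article's code and not any vendor's update mechanism) of a signed update check in Go. The vendor signs a small manifest with an Ed25519 key; the client verifies the signature before trusting anything in the manifest, checks that the delivered payload matches the hash the manifest declares, and refuses a version that is not newer than the one installed, so a genuine but old update replayed on the wire is rejected too. The key pair is generated in-process here only for the demonstration (a real client ships with the vendor's public key baked in); the manifest format, the Update type and the function names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Update is a signature-database update as delivered to the client. Only the
// manifest is signed; it carries the version and the SHA-256 of the payload,
// so a tampered payload is caught by the hash and a tampered manifest by the
// signature. The manifest format is constructed for this example.
type Update struct {
	Manifest  []byte // "version=N\nsha256=<hex>\n"
	Signature []byte
	Payload   []byte
}

var (
	ErrBadSignature    = errors.New("manifest signature invalid")
	ErrBadManifest     = errors.New("manifest malformed")
	ErrPayloadMismatch = errors.New("payload hash does not match manifest")
	ErrRollback        = errors.New("update is not newer than installed version")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// MakeUpdate is the vendor side: build the manifest and sign it.
func MakeUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	manifest := []byte(fmt.Sprintf("version=%d\nsha256=%s\n", version, sha256Hex(payload)))
	return Update{Manifest: manifest, Signature: ed25519.Sign(priv, manifest), Payload: payload}
}

// parseManifest reads the key=value lines of an already-verified manifest.
func parseManifest(m []byte) (uint32, string, error) {
	fields := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(m)), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return 0, "", ErrBadManifest
		}
		fields[kv[0]] = kv[1]
	}
	ver, err := strconv.ParseUint(fields["version"], 10, 32)
	if err != nil || len(fields["sha256"]) != sha256.Size*2 {
		return 0, "", ErrBadManifest
	}
	return uint32(ver), fields["sha256"], nil
}

// VerifyUpdate is the client side. Order matters: the signature is checked
// before the manifest is parsed, the payload hash before the payload is used,
// and the version must be strictly newer than the installed one.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return 0, ErrBadSignature
	}
	version, wantHash, err := parseManifest(u.Manifest)
	if err != nil {
		return 0, err
	}
	if sha256Hex(u.Payload) != wantHash {
		return 0, ErrPayloadMismatch
	}
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	// Key pair generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(41)
	good := MakeUpdate(priv, 42, []byte("constructed signature database v42"))

	alteredPayload := good
	alteredPayload.Payload = []byte("constructed signature database v42, changed in transit")

	alteredManifest := good
	alteredManifest.Manifest = append([]byte(nil), good.Manifest...)
	alteredManifest.Manifest[len(alteredManifest.Manifest)-2] ^= 1 // corrupt one hex digit

	cases := map[string]Update{
		"genuine":          good,
		"payload altered":  alteredPayload,
		"manifest altered": alteredManifest,
		"replayed old":     MakeUpdate(priv, 41, []byte("constructed signature database v41")),
	}
	for name, u := range cases {
		v, err := VerifyUpdate(pub, installed, u)
		fmt.Printf("%-17s -> version=%d err=%v\n", name, v, err)
	}
}
```

    Only the genuine case returns a version; the other three are refused with a distinct error, which is what the management console should see logged when an update is interfered with.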

    Antivirus installations on mail servers are far fewer than on workstations, for a simple reason: most people believe that anti-spam and antivirus on the workstations make the same protection at the mail-server level unnecessary. There is a grain of truth in this. The hooks that Microsoft, IBM and Kerio products offer to antivirus and anti-spam plug-ins are indeed not very rich. And Linux mail servers, where the filtering capabilities available to such plug-ins really are powerful, are not found as often as one would like. As a result, the sales argument that server-side anti-spam is worth buying because it reduces the load on the server does not work.

    In fact, an antivirus on the mail server is necessary for the same reason as on workstations: unknown malware is now the main problem. Installing an antivirus on the mail server makes it possible to rescan mailboxes periodically for malware that was unknown when the mail arrived. Recall that for Exchange, Lotus, Kerio and the like, the mail databases cannot be scanned with a file antivirus.

    Attention! MS Exchange 2013 removed the VSAPI mechanism, which provided periodic scanning of mail databases and scanning on access. For that reason this mail server is not recommended for those who need virus protection at the mail-server level.

    Those who want truly reliable protection against viruses and spam should look towards mail proxies built on their own engines for analysing SMTP, POP3 and IMAP traffic: they are not plug-ins to the mail server and therefore do not inherit its functional limitations.

    On Internet gateways and internal gateways the antivirus has an entirely different task. Here it reduces the risk of malware reaching devices and computers on which an antivirus cannot be installed for one reason or another, from process control systems to printers and refrigerators.

    A particular headache is protecting home computers and personal devices. Here the first need is for means of restricting access to data. The antivirus provides protection against traffic sniffing (including interception of passwords), phishing and banking trojans.

    The home computers and mobile devices of staff who service various systems outside the office must be protected without exception. Practice shows that such devices are protected more poorly than computers on the local network, and infection through the removable media of these same personnel is an everyday reality.
