
The Essentials Series

Increasing Performance in Enterprise Anti-Malware Software


sponsored by

by Eric Schmidt

Article 1: Why Is Traditional Anti-Malware Software So Slow?
    Traditional Anti-Virus Software Is Slow
    Multiple Endpoint Products Performing the Same Function
    Scan Methodologies
        Real-Time Scans
        Scheduled Scan
    Client Reporting
    Anti-Malware Shouldn't Be Slow
Article 2: Considerations for Evaluating Performance in Anti-Malware Products
    Examining the Code Base
    Scan Methodologies
        Integrated Scan Engines
    Control and Manage Scheduled Scans
        Scan Configuration
        Scan Speed
    Client Configuration
        Heuristic Scan Engine
    A High-Performance Client Is the Best Defense Against Malware
Article 3: Best Practices in Deploying Anti-Malware for Best Performance
    Agent Installation
    Agent Configuration
        Policy-Driven Agent Configuration
        File and Folder Exclusions
    Threat Detection Integration
    Agent and Management Server Communication
    Anti-Malware Can Be Efficient Without Impacting System Performance

Copyright Statement
2009 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.


Article 1: Why Is Traditional Anti-Malware Software So Slow?
Since the beginning of the Internet, anti-malware software has been an essential component of every business computer. As the Internet continues to grow in scope and sophistication over time, so does the intelligence built into malicious software. Today's malware has evolved from its origins of viruses as a mostly harmless demonstration of self-replicating code to a full-fledged underground industry with its own motives for profit.

To that end, the malware threat landscape has changed dramatically in recent years. Today's threats are being created for far more insidious goals, including cyberterrorism, identity theft, and corporate espionage. This reality has been made easier with the introduction of shrink-wrapped malware toolkits that enable the point-and-click invocation of attacks. These toolkits are easily downloadable through online forums that facilitate the collaboration and development of such attack software.

The solutions that protect computers from these types of attacks were developed shortly after the first viruses. Many of those products are still around today. To combat the ever-changing tactics of malware writers, those early anti-virus products have also evolved to address new threats. Unlike with malware, however, this sophistication in protection products comes at a cost. That cost relates to the actual system resources necessary to run their protective processes.

In effect, the slow evolution of anti-malware software over the long term has created a spaghetti of detection and removal mechanisms. This aggregation of today's solutions atop yesterday's code bases creates a major performance problem for enterprise computers. That loss in performance impacts employees' ability to accomplish their needed tasks, reduces business processing agility, and increases the computing infrastructure's total cost of ownership.

One solution for this problem involves an entirely new approach to creating anti-malware solutions for business. This approach throws away the aging code base of the past in favor of truly recreating the wheel. By electing to break with the software of the past, new and highly optimized solutions can be developed to protect from malware while ensuring the best possible user experience for your desktops, laptops, and servers.
This, the first of three articles in this series, will discuss why many traditional anti-malware solutions have a negative impact on system performance. It discusses the risks to business operations that are created as a result of this performance degradation. Continuing with this discussion are two subsequent articles that focus on the factors you must consider when selecting an anti-malware product as well as what can be done to optimize your selected solution's performance.

Traditional Anti-Virus Software Is Slow
Let's face facts. Traditional anti-malware solutions are a painful but historically necessary function of computing. The fact is there is a problem intrinsic to any software solution that has evolved over a long period of time. Most traditional anti-malware solutions in use today are the result of years of development, with much of their evolutionary updates done to the same code base originally created for the ancient operating systems (OSs) of yesteryear.

Like any software company, Microsoft releases new OSs every few years. Each of those OSs includes dramatic changes to their core kernel. Those changes mandate equivalent changes to protective software such as anti-malware solutions. At a high level, anti-malware solutions operate very close to the kernel, intercepting file system calls and monitoring processes and process threads. Architecturally, anti-malware's close proximity to the kernel itself requires it to evolve with the OS. Ultimately, as Microsoft releases new OSs, anti-malware solutions must change to support each new version. One problem is that such solutions must also support legacy OSs. As such, traditional anti-malware solutions grow heavier and heavier with each new OS release, making their use less optimized over time.

Further, the ways in which the bad guys write malware evolve over time as well. The growth in the anti-malware code base accommodates each OS release, addresses new attack vectors, and includes new features. The vast majority of commercial anti-malware software has grown from simple virus scanning to comprehensive suites that provide protection from viruses, malware, and spyware; some also include firewall features. The goal of these products is to provide total endpoint protection from every possible angle. Although they can provide greater protection than their predecessors offer, much functionality has been bolted on and shimmed into the products in a way that places much higher demands on system resources. The higher resource requirement forces companies to make critical decisions about how their systems will be protected.
The first option is to purchase more expensive hardware (more RAM, faster processors) to ensure that the system and anti-malware suite perform at acceptable levels. This approach may resolve the issue; however, IT budgets are tight. Dumping money into hardware just to accommodate slow software is always a poor business decision. The most common solution is to limit the components that are implemented or come up with creative solutions in order to maintain optimum performance. Ultimately, throwing hardware answers at what is really a software problem is not a smart solution. Needed are improvements to the software itself that reduce the performance impact of anti-malware solutions overall.

Multiple Endpoint Products Performing the Same Function
There are also circumstances in which an anti-malware suite may excel in one area but be deficient in another. To accommodate for deficiencies, an enterprise may choose to install multiple products on the same system to achieve the best level of protection. This overlap can have a huge impact on performance and potentially result in an unstable system or products that are ineffective.

A common issue that occurs when multiple products are installed is an overlap in functionality. For example, each installed product is performing real-time scans simultaneously. In this situation, each product requires every file to be scanned before it is available to the user. This delay in opening files and applications will be very visible to the user. In some cases, the conflicting products will create a situation in which files are not scanned at all or they are never allowed to be opened.

Running two or more products also complicates the task of troubleshooting application and performance issues. During the troubleshooting process, a determination has to be made as to which product is doing what. This will help determine the product in need of further investigation. Once the offending product has been identified, the issue may be resolved, but at what cost? What was the offending product's role? If it is uninstalled or disabled, will that put the system at risk? Can the product be reconfigured so that the issue won't return? Although it might be possible to run two products in a complementary manner, rare is the vendor that will recommend and/or support such a configuration.

Scan Methodologies
Another contributor to slow performance with anti-malware software involves scan methodologies and the engines that run them. Before examining the different scanning methodologies, it is important to discuss the processes and mechanisms that enable scans to work in the first place:

Malware Signatures and Definitions: The first and most well-known method involves malware signatures or definitions. These definitions encompass a list of known viruses or malware and the marks they leave on an infected system. These breadcrumbs are used when a scan is performed. While performing a scan, the engine uses signatures as a reference to compare against the OS state and files. If something is found that matches a signature, it's marked as infected, blocked from execution, and quarantined or deleted.

Heuristics: Heuristics are used to identify infected files where no signature is readily available. The benefit of an effective heuristics engine is that systems are no longer exclusively dependent on the receipt of signatures in order to stop an infection. Heuristic scanning is a very complicated process that infers certain behaviors as being malware-like. Due to this complexity, in some cases, legitimate files can be marked as infected.

Behavioral Analysis: Like heuristics, behavioral scanning provides the ability to detect malware without relying on definitions. Behavior analysis examines the actions of a program in order to identify malicious activity. Some examples of suspicious program actions include writing to protected parts of the OS or registry. This is considered a malware-like activity because legitimate applications don't display these behaviors. Eliminating the dependency on definitions for threat detection has tremendous benefits; however, there can be a risk of false positives when legitimate but poorly written applications are used.

Emulation: Another method that has been developed involves emulation. Here, a potentially malicious application is opened in a protected area to identify malicious behavior. This protected area emulates the OS so that files can be opened and analyzed for malicious activity in a protected and temporary environment. If the file is infected, it can be allowed to perform all its actions, which then allows heuristic and behavioral analysis to be fully performed without harming the actual system. Once the execution and analysis have completed, the emulated environment and all the changes that were made are safely removed. Good heuristics and the use of emulation have become increasingly important in confronting modern attacks, as the possibility of zero-day exploits has dramatically increased in recent years.

Real-Time Scans
Real-time scans are often the first method of scanning to prevent systems from being infected with viruses and malware. Real-time scanning requires a client that runs continuously and monitors every file that is opened or executed. When a file is opened, it is first scanned by the engine and evaluated using one or more of the methodologies previously described. Real-time scans act as the first line of defense against malware because they monitor the OS and all attempts to change protected areas such as the system files, registry keys, and system services.

Traditional real-time scans can have a negative impact on performance because the file being opened must first be scanned. If the anti-virus software is slow or poorly written, files will take longer to open and programs will run slower because they must wait for the real-time scan to release its hold on files. This can have a direct impact on user perception of overall computer performance, resulting in decreased user productivity and unnecessary calls to the Service desk.

There are also risks to other computers on the network if real-time scanning is slow. It is possible for a system to become overloaded to the point where there are communication delays between the agent and its management server. In these situations, an overloaded agent may not be able to receive the latest definition files or provide status reports. If this were to occur during an active malware attack, delayed communication could result in an infected system. Another risk with more savvy users or support staff is that, when performance is slow, they may turn off their anti-virus software, which obviously then places the system at risk of being infected. Anti-malware solutions that do not incorporate a policy-based approach to defining client configurations are particularly at risk for these user behaviors.

Scheduled Scan
The purpose of scheduled scans is to proactively evaluate all the files on a computer, some of which may be dormant, to detect viruses, malware, spyware, and adware. This approach is as critical as a real-time scan because it can find and stop the propagation of a threat before it is opened and given a chance to execute. Scheduled scans also have a negative impact on performance if the anti-virus client is slow or demands a significant amount of resources while the scan is being performed. Disk I/O is one resource that is heavily impacted, in addition to significant processing and RAM consumption. Slow clients will take longer to perform the scan and, during this time, the overall system performance will be slower as the client examines each file. This can be of particular concern with today's large hard drives as well as the amount and type of data being stored (for example, virtual machines, email archives, images, documents, and spreadsheets).

Many organizations attempt to alleviate this performance impact by scheduling scans during off-hours; however, this is only a band-aid approach to what is really a core software problem. The off-hour approach may work fine for desktops that never move and can be left on overnight. Yet more and more companies are moving to a mobile workforce; they are replacing desktops with laptops. Day-to-day use with laptops is very different than with desktops because laptops tend to be powered on only when they are being used. With laptops, scheduled scans can run while the user is trying to use the system, thereby making it critical that the anti-malware software is lean and efficient while performing scheduled scans.

When such is not the case, performance is impacted by scheduled scans. To resolve user performance complaints, the decision is often made not to perform scheduled scans and rely solely on real-time scanning. In some cases, users may also stop a scheduled scan in order to restore system performance. These actions eliminate an important method of virus and malware detection, which puts the system and infrastructure at risk of infection.

Client Reporting
For enterprises, administrators rely on the communication between the anti-malware clients and the servers that manage them. Clients are configured to communicate with management servers in a bi-directional manner for several reasons. The first is to enable the rapid distribution of malware signatures and client updates. The second aspect is the client reporting its status back to the server. Client status reporting is one of the most important aspects of limiting the impact of a malware infection; it relies on the ability to collect and analyze data from every client. The type of data that is needed includes the health of the client, which is determined by the version and/or date of the virus definitions on the client. Clients will also report back any infections that are found and the actions performed. This reporting enables administrators to assess the overall threat to their infrastructure and take appropriate action. Clients that are overloaded or slow to report their status limit an administrator's ability to properly manage and protect the infrastructure.

Anti-Malware Shouldn't Be Slow
To address the ever-increasing sophistication of threats, software vendors have created more sophisticated anti-virus and anti-malware solutions, but the cost of this development is decreased performance both from the system perspective and from the anti-virus software itself. Many factors contribute to this poor system performance, such as code bloat, the requirements of OS support, and products that were bolted together over time to provide a suite of solutions. Only through the use of new and specifically targeted solutions for anti-malware will today's IT environments ensure the highest levels of protection while maintaining good performance in their computing infrastructures.

Article 2: Considerations for Evaluating Performance in Anti-Malware Products
The anti-malware product space consists of many bloated, slow product suites that have been around for a very long time. The products have evolved along with the threats they are intended to defend against. This evolution has at the same time created massive suites that create major impacts on system performance.

When choosing an anti-malware solution for an enterprise, it is very important to consider several factors. The first consideration is the ability of the product to protect the systems it's running on. The second aspect, which is often overlooked, is the impact the product will have on overall system performance. This article will focus on what you should examine from a performance perspective during the product selection process.

Examining the Code Base
The first area to be examined is the anti-malware code base itself. The most popular anti-virus products today are a result of years of development. In some cases, the latest code base was developed for a legacy operating system (OS) and then simply updated to support the most current one. Although the fact that a product has been around for a long time can be a testament to its maturity, it can also be an indicator of a potential negative impact to performance due to the presence of legacy code. The product may still contain calls to APIs of older OSs. In some cases, the product may still rely on legacy APIs instead of leveraging new features and improvements of a modern OS. This can lead to poor performance.

Scan Methodologies
The next area that should be focused on with respect to performance is scan methodologies. The first article in this series described in detail different types of scan methodologies, including real-time scans, scheduled scans, heuristics, behavioral analysis, and emulation.

Integrated Scan Engines
Today, most enterprise products are not limited to virus protection. They have evolved into suites that include protection from malware and spyware as well. Although this feature set can simplify product selection, one should examine how those different types of scans are being performed. In some cases, product suites are a set of solutions that were bolted together but not integrated. In these cases, there may be no integration between the anti-virus and anti-malware engines. This lack of integration creates performance issues because each component in the suite has independent scans that need to be performed. For these products to perform effectively, there may be additional resource requirements. Often, these performance issues can be avoided by selecting a product that has the ability to protect against all types of threats using a single, integrated scan engine.

Firewalls

This discussion can also be extended to suites that include firewalls. With Vista and Windows 7, Microsoft made significant improvements in the built-in firewall, thereby making it optional to select anti-malware suites that include one. Windows XP, however, does not include a robust built-in firewall, forcing companies to deploy third-party solutions. The inclusion of a firewall should be weighed carefully, comparing the additional control and functionality of a third-party firewall versus the potential penalty of unnecessary code bloat.

Control and Manage Scheduled Scans
Although every anti-malware product today has the ability to configure and manage the scheduling of scans, there are important details to their specific features that shouldn't be overlooked. As mentioned in the first article, scheduled scans are an excellent proactive process that can detect and prevent malware infections. When looking for an anti-malware solution, consider two specific areas in which the details of scheduled scans can have an impact on performance: scan configuration and scan speed.

Scan Configuration
How effectively can a scan be configured? In some circumstances, it is necessary to exclude certain files or folders from scheduled scans. This is critical as the scan itself can have an impact on application or system performance. On database servers, for example, it is recommended that the database files themselves be excluded because the scanning of their very large files can result in poor database performance. When evaluating anti-malware products, it's important to look at the management console and the functionality it offers to manage exclusions across all clients in your infrastructure.

Scan Speed
The second factor is the speed at which scans can be completed. It has already been stated that products that employ multiple scan engines can take longer than those with an integrated approach. When multiple scan engines are employed, they must be staggered to run at different times or their concurrent operation will compete for disk resources. This is of particular importance with mobile computers now outselling traditional desktop computers. Mobile computers are often only on when the user is intending to use them. By selecting a product that can perform scheduled scans in the most efficient manner possible, one can minimize the impact to the user while the scan is being performed.

Client Configuration
During the evaluation of an anti-malware server console, one should also look at the ease with which other client behaviors and attributes can be configured. These include the ability to deploy the client itself as well as updates. The console should also facilitate the ability to easily deploy definitions and signatures both on a scheduled and ad hoc basis. The ability to deploy on an ad hoc basis is necessary due to the increasing number of exploits that are experienced on a daily or less-than-daily basis. In most cases, the threats are identified before mass infections occur. Anti-malware solution vendors create updated signatures that must be deployed to all clients in an efficient manner to prevent widespread outbreaks.

Especially problematic are the types of exploits that propagate before signatures have been updated. These are commonly known as zero-day exploits. When a zero-day exploit is discovered, the quality of the client's anti-malware engine is tested because signatures have yet to be created. Here, clients must rely on heuristics, behavioral analysis, and emulation to protect against these threats until a signature is created. Once anti-malware vendors release a signature, it becomes imperative that it be quickly deployed to all the clients as this enhances the client's ability to detect the threat. A poorly performing client may be slow to check in with the server to get the updated definitions, which then puts the system at risk of being infected.

Heuristic Scan Engine
The risk of zero-day exploits can be lessened by selecting a product with effective heuristic, behavioral, and emulation scan engines. Recall from the first article that heuristics look for virus-like behavior. A good heuristic scan engine can be augmented even further by leveraging advanced detection features such as emulation and behavior analysis. When these advanced features are available, every file can be opened in a protected environment. This provides the heuristic scan engine with greater insight into every file, which then increases the likelihood that a zero-day exploit will be detected. This type of scan can also be optimized by the vendor for performance. It is important to select a vendor that offers heuristic scanning that can be performed quickly with an integrated engine that detects all types of threats. As with the other consequences of a product that wasn't written for Microsoft's most current OS, the heuristic scanning should be optimized for that platform. If it too relies on legacy code, there is the potential that it will have a negative impact on system performance.

A High-Performance Client Is the Best Defense Against Malware
The best defense against viruses and malware is an efficient, high-performance client in concert with a management server that is easy to use and configure. There are several factors to consider when choosing an anti-malware solution, including the code base on which it was written and the integration of the various scan engines. The ideal product will be one that combines anti-virus, anti-malware, and anti-spyware scanning into a single engine that has been optimized to run on the OS for which it will be used. It will leverage the OS's built-in security enhancements and not require that those features be disabled.

This article explored what makes anti-malware products slow and what should be examined when selecting a product. The final article in this series will focus on the best practices for deploying anti-malware solutions for optimal performance.


Article 3: Best Practices in Deploying Anti-Malware for Best Performance
New malware is being released at record numbers on a daily basis, yet the products that defend against these threats remain a common source of performance issues today. The threats that enterprises face necessitate a robust anti-malware solution while maintaining high-performing systems. The first two articles in this series focused on what makes anti-malware slow and what should be examined to ensure optimal performance during the anti-malware solution selection process. In this, the final article of the series, the focus will be on the best practices for deploying anti-malware software to optimize performance and the protection it's intended to provide.

Agent Installation
The agent is the obvious place to begin a discussion on optimizing performance, with agent configuration beginning at installation. The server console should provide two features with respect to agent configuration. The first is the ability to deploy the agent from the console to all systems with minimal effort. This enables administrators to quickly deploy the agent to all systems or reinstall agents on systems where they have become unhealthy. The second is to create a preconfigured installation that can be distributed by both manual installation and automated software distribution methods. The installation that is created should require little or no user input. This ensures that every client will be installed the same way by reducing or eliminating the ability for the person installing the application to make changes. Optimal performance and the ability to manage clients are achieved through a consistent and reliable installation of the client.


Agent Configuration
Once the agent has been installed, the next area to look at is its configuration. Before a discussion on what should be configured, it's important to address the benefits of controlling how the agent configuration is managed. Next, files and folders that should be excluded from scans will be addressed. Each of the scan methods should be configured in such a way as to optimize system performance and limit the impact to the end user.

Policy-Driven Agent Configuration
Smart organizations leverage a policy-based approach to agent configuration. Here, all client behavior and configuration options are established on the anti-malware server and deployed to the agents in a way that prohibits end users from making changes. This is critical because every attribute that is permitted to be modified by the user creates the opportunity for inconsistency. When environments are inconsistent, they become more difficult to manage and troubleshoot and increase the likelihood of accidental exposure. In extreme cases, the ability for agents to detect and eliminate threats is hampered because the user disabled or crippled a component that would have prevented the threat.

File and Folder Exclusions
Real-time and scheduled scans require the identification of files and folders that should be excluded. The vast majority of software vendors will publish information on what should be excluded for their products. For example, Microsoft has an article (http://support.microsoft.com/kb/943620) that details what should be excluded for some of their server products. When deploying an anti-malware solution, it is critical that all installed applications are reviewed in order to determine whether there is a need to exclude some files or folders in order to achieve optimal performance.

WOL

In the past, it was common for desktops to remain on 24 hours a day to simplify maintenance during non-business hours. With the move toward green IT, many companies have chosen to turn off desktops during non-business hours. In these situations, technologies such as Wake-On-LAN (WOL) can be leveraged and allow the scans to still be performed during non-business hours. WOL enables computers that are off but connected to the network to be turned on as needed in order to perform maintenance tasks such as virus scanning and patch installation. If WOL can be leveraged, scheduled scans can be configured to run nightly. In cases where WOL is not available but systems are still turned off during non-business hours, the frequency of scheduled scans may be reduced from a daily activity to a weekly one with quick scans performed daily.


Mobile computers present a similar challenge to desktops that are not on at night. Scheduled scans are often disabled because the systems are only on when someone is intending to use the mobile device. In these cases, it is also best to limit scheduled scans to run on a weekly basis. Of course, the best mitigation that enables scheduled scans to be run while a user is present is to select a product that has a single, integrated scan engine that has been optimized for the operating system (OS). If the right product has been chosen, the impact of running a scheduled scan may not even be noticed by the user because it doesn't consume a large amount of system resources. Finally, a high-performance client in conjunction with the ability to exclude files and folders based on vendor recommendations will result in the ability to run scans on a daily basis with little or no impact to the user.

Threat Detection Integration
Scanning performance is also impacted by how the vendor has chosen to integrate the various types of threat detection. With more and more systems being on only while users are actively working, the performance of anti-malware agents is dependent on the engine itself. Some vendors have bolted the various threat detection engines together in a way that requires multiple scans, one for each type of threat. With these products, there may be no practical way to accomplish all the scheduled scans without impacting the user. In order to minimize the impact to the user, it is best to choose a product where all types of threat detection have been integrated into a single engine. This simplifies the scheduling of full scans while enabling them to be run more frequently because an integrated, efficient scan won't impact performance; thus, they can be run even while someone is using the system.

Agent and Management Server Communication
Agent communication with the management servers can also have a direct impact on client performance. Ideally, the intervals at which agents check in with their management servers should be configurable. At most, the agent should not be configured to check in more than once an hour. In most cases, every 4 to 8 hours is sufficient, but they should never be configured to check in less than once a day. This setup provides a high enough frequency for clients to get urgent definition updates, which are often released multiple times each day. This also enables the agents to get configuration changes in a relatively short amount of time. This interval is largely dependent on the type of connection the clients have with the server. In large enterprises, the management servers may be in another physical location. If the WAN links are limited in size, the check-in frequency should be reduced to eliminate unnecessary traffic.


To maximize protection, the server console should also have the ability to initiate a definition update for all the clients on an ad hoc basis. This enables the servers to update the definitions on all clients without waiting for them to check in. Malware has the ability to spread throughout an organization very quickly and there will be situations where there isn't time to wait for clients to check in for updates. In these cases, the ability to initiate a definition or configuration update from the server console could mean the difference between a full enterprise infection and one that is limited to a few systems. Issues surrounding the communication interval can also be mitigated by selecting products that have effective heuristic engines as well. Products with good heuristic engines and other methods such as emulation can provide a solid defense against virus outbreaks, minimizing the reliance on immediate definition updates.
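The deployment guidance in this article lends itself to a policy-as-code check: the scheduled-scan cadence rules from the WOL and mobile-computer discussion and the check-in interval bounds above can be encoded and run against a proposed per-group agent policy. The following is an added example written for this page, not code from the series' author or any vendor product; the group attributes, the sample fleet and the rule that a limited WAN link should not check in more often than the typical 4-hour lower bound are assumptions made here.

```python
"""Policy-as-code check for anti-malware agent deployment settings.

Encodes the deployment guidance in this series (scheduled-scan cadence by
endpoint type, power habits and Wake-On-LAN availability, plus the bounds on
the agent check-in interval) and validates proposed per-group policies
against it. Added illustration; not part of any vendor's product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Check-in interval bounds, in hours, as stated in the series.
CHECKIN_MIN_HOURS = 1         # never more often than once an hour
CHECKIN_MAX_HOURS = 24        # never less often than once a day
CHECKIN_TYPICAL = (4, 8)      # sufficient in most cases


@dataclass(frozen=True)
class EndpointGroup:
    name: str
    mobile: bool             # laptop, powered on only while someone is using it
    off_after_hours: bool    # desktop that is shut down outside business hours
    wol_available: bool      # Wake-On-LAN can power systems on for maintenance
    limited_wan: bool        # reached from the management server over a thin WAN link


@dataclass(frozen=True)
class AgentPolicy:
    full_scan: str           # "nightly" or "weekly"
    quick_scan_daily: bool   # lighter daily scan alongside weekly full scans
    checkin_hours: int       # hours between agent check-ins with the server
    user_can_change: bool    # whether end users may alter agent settings


def recommended_full_scan(group: EndpointGroup) -> str:
    """Full-scan cadence the series recommends for this kind of endpoint."""
    if group.mobile:
        return "weekly"       # only on while in use
    if group.off_after_hours and not group.wol_available:
        return "weekly"       # cannot be woken overnight
    return "nightly"          # always on, or WOL can wake it for the scan


def validate_policy(group: EndpointGroup, policy: AgentPolicy) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means compliant."""
    findings: List[Tuple[str, str]] = []
    want = recommended_full_scan(group)
    if policy.full_scan != want:
        findings.append(("error", f"full scan is {policy.full_scan!r}, guidance is {want!r}"))
    if want == "weekly" and not group.mobile and not policy.quick_scan_daily:
        findings.append(("warn", "weekly full scans should be paired with daily quick scans"))

    h = policy.checkin_hours
    if h < CHECKIN_MIN_HOURS or h > CHECKIN_MAX_HOURS:
        findings.append(("error", f"check-in every {h}h is outside the "
                                  f"{CHECKIN_MIN_HOURS}-{CHECKIN_MAX_HOURS}h bounds"))
    elif not CHECKIN_TYPICAL[0] <= h <= CHECKIN_TYPICAL[1]:
        findings.append(("warn", f"check-in every {h}h; {CHECKIN_TYPICAL[0]}-"
                                 f"{CHECKIN_TYPICAL[1]}h is sufficient in most cases"))
    # Assumption: on a limited WAN link, anything more frequent than the typical
    # lower bound counts as unnecessary traffic.
    if group.limited_wan and h < CHECKIN_TYPICAL[0]:
        findings.append(("warn", "limited WAN link; reduce check-in frequency"))

    if policy.user_can_change:
        findings.append(("error", "agent settings must be locked by server policy"))
    return findings


def audit(fleet: Dict[EndpointGroup, AgentPolicy]) -> Dict[str, List[Tuple[str, str]]]:
    """Validate every group and return findings keyed by group name."""
    return {g.name: validate_policy(g, p) for g, p in fleet.items()}


# Constructed sample fleet (not real data).
SAMPLE_FLEET = {
    EndpointGroup("hq-desktops", mobile=False, off_after_hours=True,
                  wol_available=True, limited_wan=False):
        AgentPolicy("nightly", quick_scan_daily=False, checkin_hours=6, user_can_change=False),
    EndpointGroup("branch-desktops", mobile=False, off_after_hours=True,
                  wol_available=False, limited_wan=True):
        AgentPolicy("nightly", quick_scan_daily=False, checkin_hours=2, user_can_change=False),
    EndpointGroup("field-laptops", mobile=True, off_after_hours=True,
                  wol_available=False, limited_wan=False):
        AgentPolicy("weekly", quick_scan_daily=False, checkin_hours=30, user_can_change=True),
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLEET).items():
        print(name + (": compliant" if not findings else ":"))
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Running the block reports the HQ desktops as compliant, flags the branch desktops for a nightly full scan they cannot run without WOL and for chatty check-ins over a thin link, and flags the laptops for a check-in interval longer than a day and for user-editable settings.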

Anti-Malware Can Be Efficient Without Impacting System Performance
This series has examined the factors that contribute to slow anti-malware performance, the factors to consider when selecting an anti-malware solution, and finally, the best practices for deploying anti-malware products. Anti-malware software is an essential defense against malicious software that should be run on every system, whether at home or in a large enterprise. These products have evolved into threat detection suites designed to protect systems against very sophisticated attacks. At the same time, they have become so resource intensive that they impact overall system performance and user productivity. It's now critical to select a product that has an efficient, integrated, single scan engine and has been optimized for the OS on which it is to be used. This will result in an anti-virus, anti-malware infrastructure that's easy to manage while at the same time minimizing the impact on system performance and user productivity.

