Product: VIPRE Enterprise
Product Homepage: click here
Antivirus (AV) software has been the bread and butter of the computer security industry for years, and although it's not as "sexy" as modern intrusion detection or SIEM software, it's still a necessity in any network. Although the AV market was originally dominated by just a few software giants, there are now a plethora of options available when evaluating an AV platform for your network.
Over the last couple of weeks I've had the pleasure of reviewing the VIPRE Enterprise AV platform from Sunbelt Software (a GFI subsidiary) quite thoroughly by deploying it in a test environment as well as on my laptop that I use on a daily basis. Here I will discuss my findings and talk about how VIPRE Enterprise works, what I liked about it, and where I think it could stand to improve.
VIPRE Enterprise advertises itself as a low-resource enterprise antivirus and endpoint protection solution. Taken straight from their website they state:
"Frustrated with Symantec, McAfee, Trend Micro, and other slow, bloated, hard-to-manage corporate endpoint protection? Say hello to an all-new technology that will make end-user threat management faster and easier than you ever thought possible."
This sounds like good news to me as the typical complaint I have with AV software is that it is bloated and has a heavy system footprint. The software itself consists of several components that I will discuss throughout the review. Those components are:
- Console: The server component used to administer the software installation and the managed agents. This communicates directly with the back-end database.
- Database: Utilizes an existing SQL database or installs a SQL Express database to manage the configuration, reporting, and quarantine schemas associated with the software.
- VIPRE Site Service (VSS): Manages communication between the databases and the agents.
- Micro-Installer: Used by the VSS to install the agent software.
- Agents: Installed on workstations or servers and responsible for running scans, quarantining files, etc.
- Report Viewer: A standalone application that is installed with the administration console that allows administrators to run reports based upon agent statistics.
Figure 1: The VIPRE Enterprise Architecture
I was quite surprised by the ease of installing the server components of the software. I've evaluated several enterprise-level AV solutions and they typically involve a very complex installation that usually requires a phone call to a support line. Armed with only VIPRE's quick start guide I achieved success immediately when installing the console components on Windows Server 2008. One reboot later I was in business and a pretty happy camper.
The next logical step for me was to deploy the agent to the machines in my test network. The process was outlined very clearly in the getting started guide and when followed precisely everything moved along pretty reasonably. I installed a few agents manually but chose to install the bulk of them remotely as that is the option that would be used by most enterprises.
One issue I did have with the agent installation is that User Account Control (UAC) must be disabled in order for the installation to work. Simply put, installing security software should never require you to disable other security features, even if only temporarily. The administrative burden of disabling UAC via Group Policy, installing the agent, and then enabling it once again is painful. One other minor improvement I would like to see here is a bit of increased verbosity during the remote agent installation process. I deliberately caused a couple of failed installations, and more often than not the installation status field just froze at a particular state rather than providing a clear description of what the problem might be. As an example, when I left UAC enabled on a client, the status screen stayed at "Installing Micro-Installer" indefinitely. The troubleshooting process to figure this one out could easily eat through the biggest part of someone's day. Fortunately, since encountering this issue originally I was informed that it has since been patched and agents no longer require that UAC be disabled for installation.
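If you are running a release that still has the UAC requirement, it is cheaper to find the affected machines before the push than to stare at a frozen "Installing Micro-Installer" status afterwards. The following PowerShell is an added example written for this review, not code from Sunbelt or from the VIPRE product: it reads the EnableLUA value (the registry setting behind the "Run all administrators in Admin Approval Mode" policy) on each target over WinRM and lists the hosts where UAC is still on. The host names are constructed placeholders, and the script assumes WinRM is enabled on the targets and that the caller is a local administrator on them.

```powershell
# Added pre-deployment check (not part of VIPRE): report which remote targets
# still have UAC enabled before pushing the agent.
# Assumptions: WinRM reachable on each host; caller is a local admin there.
# Host names are constructed placeholders for the example.
$targets = @('ws01.lab.local', 'ws02.lab.local', 'srv01.lab.local')

# EnableLUA under this key is the value the UAC policy writes; 1 = UAC on.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$results = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ArgumentList $uacKey -ScriptBlock {
    param($key)
    $props = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        # A missing value means Windows is using its default, which is UAC on.
        UacEnabled   = if ($null -eq $props) { $true } else { [bool]$props.EnableLUA }
    }
}

# Machines that will hang at "Installing Micro-Installer" on an unpatched build.
$blocked = $results | Where-Object { $_.UacEnabled }

"UAC still enabled (agent push will hang on unpatched builds):"
$blocked | Sort-Object ComputerName | Format-Table ComputerName, UacEnabled -AutoSize

# Hosts that never answered would also show up as a silent failure in the console,
# so call them out separately rather than treating them as "ready".
$answered    = @($results | ForEach-Object { $_.PSComputerName })
$unreachable = $targets | Where-Object { $_ -notin $answered }
if ($unreachable) {
    "No WinRM response from: $($unreachable -join ', ')"
}
```

Two caveats worth keeping in mind if you do go on to flip the setting with Group Policy: a change to EnableLUA only takes effect after a reboot, so a machine that reports UAC off immediately after the GPO refresh is not actually running without UAC yet, and the same reboot is needed again once you turn it back on.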
The biggest amount of time an administrator will spend on the management of AV software will be spent in administering the agents installed on the workstations and servers. This is all managed through the VIPRE Enterprise Console which I really enjoyed. It's really easy for an AV administration console to become overly complex and cluttered (McAfee anybody?) but the interface designers at Sunbelt really hit the nail on the head here.
The first thing you are presented with when you open the console is the administrative dashboard that gives a quick summary of the activity occurring in your network. This includes your license status, software and signature versions, recently detected threats, and agents that aren't communicating. It's simple, useful, and effective.
Figure 2: The Administration Console is very clean and intuitive to use
The thing that impressed me the most about the administrative console was the flexibility it had in managing the installed agents. Each agent is installed based upon a site policy which configures the level of protection the agent provides, how detected threats are handled, and the general agent behavior on the client. The part that amazed me was how quickly you could deploy changes to agents. In the majority of enterprise AV products I've worked with you must modify a policy and then push it out to all of the devices affected. This isn't always easy and is by no means quick. In VIPRE, a change to a policy can take effect within just a couple of seconds. For instance, by default a policy will hide the VIPRE tray icon on a workstation that has an installed agent. I decided I wanted to change this for a particular group of machines, so I edited the policy and told it to show the tray icon. When I did this I happened to have the machine the policy applied to right next to me, and after I clicked the apply button the tray icon showed up within a matter of seconds. This scores major points in a world where time is money.
Figure 3: Modifying the default agent policy
Aside from this, all of the standard and expected functionality is there. You can run scans, view logs, and apply updates remotely from the console. One additional bonus that I really liked was the ability to remotely shut down clients and provide a pop-up that explains what's happening and why it's happening. This can be done for the required reboot during agent installation or if a particular threat is detected. Everything works consistently and quickly.
Accuracy and Performance
The most important aspect of any AV software is its accuracy. That is, how good a job it does at actually detecting malware. Luckily, I happen to work somewhere where I have a plethora of malware samples available to me. I threw every sort of malware I could find at my VIPRE-protected clients with very positive results. This included bots, worms, trojans, packers, crackers, backdoors, and everything in between. I even threw in some commercial and freely available security software that I use commonly in my day-to-day security analysis and penetration testing work. Overall, VIPRE detected the majority of everything I used. I compared these results to other popular AV products using this free service and it tested in the upper tenth percentile, meaning that it was among the best when it came to accuracy of detection.
Figure 4: VIPRE blocking a password hash dumping tool from running
The next criteria I really wanted to examine was the performance of the agent software. This is one of my big things when it comes to evaluating AV software and since Sunbelt uses performance as one of their biggest selling points then I planned on being extra hard on this one. The results? Blazing success.
The system footprint of the agent was minimal and virtually undetectable. I simulated the entire lifecycle of an agent by doing an unannounced installation on a workstation that was currently being used by a colleague. I spoke with the user afterwards and explained what I had done, and he had not noticed any changes in the performance of the system. The next day I asked the user to continue using the machine and report if it seemed any slower, and the results were again very positive. I kicked things up a notch at that point by performing live scans while the user was actively using the system. Of course, I did this with the user's knowledge. The user reported a very minimal slowdown of the system when opening large files or moving chunks of data around. I know a few other AV products that will remain nameless that render a machine virtually unusable during a live scan, so the results here speak to the performance of VIPRE.
Overall, I'd give high ratings regarding the performance of the product. I took a hard look at the numbers and the processor and memory utilization were below that of most of its competitors and I was actually able to verify the low system footprint with an actual end user, which is always a positive thing.
The last thing I wanted to be sure and evaluate was the reporting mechanism associated with the software. I've said it before and I'll say it again that if software can't effectively report on its success then that success doesn't really exist... or at least not in the eyes of the management that is viewing it. VIPRE comes with a report viewer that runs as a separate application from the main administration console. The tool is very simple and easy to use, which is great for me. If I had my way about things I'd spend as little time as possible making reports and more time getting things done. I don't think most sysadmins will disagree with me on that one.
Using the report viewer you can essentially create reports based on all of the data within the VIPRE database. Some basic reports are already included in the module such as an executive summary, infected machine summary, threats found detail, and top 25 infected machines. Of course, you can schedule these reports for automated creation which I always find to be handy as it forces me to review AV details that I might overlook or forget about.
Figure 5: Creating an Executive Summary with Report Viewer
Overall I was really pleased with VIPRE Enterprise. The only real weak points I noted are the difficulties and lack of verbosity in agent installation. I'd also like to see some additional functionality as it pertains to grouping clients (without having to create a separate site). Lastly, Linux support at the agent level would be welcomed as networks continue to become more OS heterogeneous. I was informed by the VIPRE development team that centralized management and deployment support of the Mac agent is scheduled for Q2 2011, so that's a step in the right direction. Other than that the guys at Sunbelt have done a wonderful job with it and I wouldn't have a problem managing a large network that used the software as an enterprise AV platform. You can learn more about VIPRE here.