Differences Between "Managed" and "Unmanaged" Sophos Anti-Virus Services Configuration.
UNMANAGED ENVIRONMENTS – In an "unmanaged" environment, the local Computer Support Coordinators (CSCs) and their staff usually take on the responsibility to configure anti-virus services for their clients. The installation and configuration of these services traditionally occurs during the system imaging process. In the "unmanaged" environment, the following functionalities are left to either computer support personnel or the end-user to configure and manage:
- Installation – Usually, the department has access to an executable that they can use during the system imaging process. There is really no difference between an unmanaged approach and the managed approach during installation. However, because systems are being configured one at a time for anti-virus services, each of the workstations will need to be individually configured for use, which provides a slightly different set of challenges for the installation configuration:
- Consistency – The time elapsed between configurations, and the degree to which support personnel have and follow the installation procedure documentation available to them, tend to introduce slightly modified versions of the base configuration throughout the organization. Further, settings that are discovered over time and introduced to later installations will usually fail to be introduced back into the earlier installations. These types of challenges are overcome in the "managed" environment, in that policies can be established and set at the enterprise, department, group and/or individual level, and moving an unmanaged system into one of those policies provides consistent application of settings for an entire policy group at a time. As modifications or additions are brought on to the policy group, those changes are delivered immediately to all participants in the policy, thereby establishing a consistent application of changes and additions across the board.
- Limited Expertise – There is a tendency on the part of all support organizations, small as well as large, to develop a "sufficiency-based" expertise with secondary computer services rather than developing a "comprehensive" expertise with secondary products. The tendency to have insufficiencies in product expertise arises, many times, through no fault of the support organization – certain expertise can only be derived from time, experience and having a sufficient base of systems that the system behavior can be understood for the anomalies that only occur on a rather infrequent basis. One would like to think that additional expertise can be obtained by personnel specifically dedicated to provide specific services as a "primary" responsibility rather than as a secondary service.
- On-Access Scanning – This feature determines whether documents and files will be scanned just prior to their being exposed to the user. This may be turned off by default in Sophos, as servers do not traditionally require on-access scanning, as all the scanning is done by the client. Also, there are a number of other configuration settings dealing with on-access scanning that should be set to determine which files are to be scanned or not scanned, file extensions to exclude from scanning, and whether to scan files with no extension. Another aspect requiring configuration deals with how to clean up viruses as opposed to the preferences a client may have on cleaning up spyware, dealing with suspicious files, allowing or disallowing suspicious behaviors and what to do with potentially unwanted applications. All these settings are left up to the user to set and/or change in an unmanaged environment.
- Behavior Monitoring – This also may be turned off by default. One setting that is probably being overlooked for most systems is whether to block suspicious behaviors or to “Alert only”. By default, this setting is turned to "On," meaning there are few if any details provided to the user concerning things that are occurring on their system that may be harmful. Same thing goes for what a user needs to do with what are known as Buffer Overflows. No guidance is really provided to the end-user.
- On Demand Extensions and Exclusions – Users have to determine what is scanned and what is excluded for on-demand scanning, if users access this feature in the first place. They can add extensions as they feel necessary, but it does become redundant to have every user in an unmanaged environment deal with extensions and exclusions that should probably be common to all users. Further, there is no mechanism for standardizing the white or black list across the department or group. Further, clean-up of files that may be infected or compromised with other forms of malware is left to the discretion of the user.
- Sophos Live Protection Management – “Should be” enabled by default, but it may not be and the user can change this at their discretion, irrespective of the impact it may have on the system.
- Web Protection Management – This aspect of protection deals with whether or not to block malicious websites and what to do with items that are downloaded from a website. This can be turned off at the desktop level, which may not be the optimum for this setting or environment.
- Malware Authorization Management – The user is pretty much left unto themselves to determine whether or not to authorize possible adware, potentially unwanted applications, buffer overflows, suspicious files, suspicious behaviors, and websites.
- Quarantine Management – This functionality of Sophos determines the role of the user in cleaning up sectors, files, memory, file deletion, moving files to quarantine and authorization.
- Email Message Management – One of the most helpful features in Sophos is whether or not the user gets notices on their desktop when there is a potential problem. Along with that, there is a need to determine whether or not anyone else is notified if there is a problem in detection, clean-up, errors, etc. Chances are the departments are not using this feature which would mean the users are being left to make the decision on messaging. Due to their relative lack of understanding of messaging in the malware environment, there will be a tendency on the part of most users to ignore or turn off messaging, thereby eliminating the feeling of having "nag notices" appear on their screens and interrupting the flow of their work.
- Updates and Upgrades – Even though credentials have been supplied to users to obtain updates to virus signatures, there is no guarantee that a system is getting its signature updates, although you would like to think it’s been sufficiently tested in each of the respective departments that there wouldn’t be any problems. This is something that has to be checked by users, as there is nothing in place for the product to inform them that updates have not occurred. Upgrades are a slightly different story, in that the updating mechanism on a stand-alone system does not make any provision for version upgrades. Therefore, either the local computer support or the users would have to monitor this and initiate these types of upgrades.
- Credentials – When the current licenses expire in August 2013, new credentials will have to be issued to computer support coordinators and users to apply to their SAV environment. This will have to be done manually on each of the systems that are being manually updated.
- Scheduled Scans Management – Each computer has to be manually set up to scan for infected or problem items via scheduled tasks. But, there is no mechanism in place to notify anyone whether the scans are taking place or whether issues have been appropriately remediated.
- License Management – The only way unmanaged systems can be managed for purposes of license management is through an annual audit of the participating departments to obtain a count from the local computer support personnel for the licenses they believe to be in force at any given time.
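The gap described under Updates and Upgrades, Scheduled Scans and License Management above is that nothing on an unmanaged workstation reports stale signatures, overdue scans, missed version upgrades or the installed count. The following added example (not Sophos code, and not a Sophos export format) shows the audit check a department would have to run by hand over per-workstation records it collected itself; the inventory records, hostnames, versions, timestamps and the staleness thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory: one record per unmanaged workstation, as local support
# staff would gather it by visiting each system. Timestamps are ISO "YYYY-MM-DDTHH:MM".
INVENTORY = [
    {"host": "ws-01", "sav_version": "10.3", "last_update": "2013-05-01T08:00", "last_scan": "2013-04-28T02:00"},
    {"host": "ws-02", "sav_version": "10.3", "last_update": "2013-04-10T08:00", "last_scan": "2013-04-21T02:00"},
    {"host": "ws-03", "sav_version": "9.7",  "last_update": "2013-05-02T08:00", "last_scan": "2013-03-01T02:00"},
    {"host": "ws-04", "sav_version": "10.3", "last_update": "",                 "last_scan": "2013-04-30T02:00"},
]

def parse_ts(value):
    """Parse an inventory timestamp; an empty string means 'never recorded'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None

def audit(records, now_str, current_version, max_update_age_days=3, max_scan_age_days=7):
    """Return {host: [problems]} for every workstation a console would have flagged.

    Checks: signature update missing or older than max_update_age_days,
    scheduled scan missing or older than max_scan_age_days, and version drift
    from the release the department considers current (upgrade needed).
    """
    now = parse_ts(now_str)
    findings = {}
    for rec in records:
        problems = []
        upd = parse_ts(rec["last_update"])
        if upd is None:
            problems.append("no successful signature update recorded")
        elif now - upd > timedelta(days=max_update_age_days):
            problems.append(f"signatures stale ({(now - upd).days} days)")
        scan = parse_ts(rec["last_scan"])
        if scan is None or now - scan > timedelta(days=max_scan_age_days):
            problems.append("scheduled scan missing or overdue")
        if rec["sav_version"] != current_version:
            problems.append(f"version {rec['sav_version']} needs upgrade to {current_version}")
        if problems:
            findings[rec["host"]] = problems
    return findings

def license_count(records):
    """Installed-seat count for the annual license audit: one seat per inventory record."""
    return len(records)

if __name__ == "__main__":
    for host, problems in audit(INVENTORY, "2013-05-03T09:00", "10.3").items():
        print(host, "->", "; ".join(problems))
    print("seats in use:", license_count(INVENTORY))
```

In a managed environment the Console supplies these same facts from each desktop's reports; here they only exist if someone collects them.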
MANAGED ENVIRONMENTS – The following aspects of malware management also differ between managed and unmanaged systems, with these features only being available to the user in a managed environment:
- Installation – Can still be accomplished at the local system via a command line that carries the path and credentials necessary to install.
- Policy – By placing individual systems in a policy, configuration and monitoring settings can be applied for more people in a standardized fashion throughout the department. Requests for specific differences in policy can be accommodated easily through the Console.
- Updates and Upgrades – Can be transitionally provided to all users on a scheduled basis.
- Credentials – Can be applied once for all users.
- Scheduled Scans – Can be set up and changed easily and quickly from the Console.
- Licensing – Can be easily determined from the information provided in the Console, as it keeps more information than OIT currently may have about the user base for SAV.
- Messaging – Can be turned off to the user’s desktop and can be turned on for email alerts to support personnel and can support multiple levels of support at the same time through establishment of policies that reflect support needs.
- Monitoring – Each desktop reports back to the Console, thereby providing information on the current status of updates, upgrades, last successful scheduled scan, as well as a history of updates and issues that have occurred on each system.
- Remediation – One of the major features of the managed environment deals with the handling of issues that arise from the various types of malware. How one remediates viruses will differ from the way you might want to handle spyware, suspicious behaviors on the system, suspicious files that want to launch, adware
- Standardization of