Differences Between "Managed" and "Unmanaged" Anti-Virus Protection


Licensing Background Information: The campus (OIT) purchased 3,700 Sophos Anti-Virus (SAV) licenses back in August 2010.  The specifics were 3,700 on-campus licenses (and up to 3,700 licenses for use on off-campus staff computers) for 3 years for $15,000.  So, the cost per seat is $1.35 per person per year.  These licenses will expire in August of 2013.  OIT picked up the entire cost of the purchase at that time.

Non-Managed Systems Server Background:  Around seven years ago, a standalone server was created to provide "unmanaged" access to anti-virus and adware signature updates from a central Sophos server that OIT managed.  The idea was that local computer support could provide installation, configuration and day-to-day management for the anti-virus product on users' desktops, and end-points really only needed access to engine and signature updates.  So, it was decided to provide department-level credentials to user groups on campus to allow them to access those updates from a central Sophos virus signature server.  However, this unmanaged server is now coming to the end of its useful life.  Further, this server is now providing services that are redundant to other anti-virus services being provided on a "managed" basis for the campus from within OIT.

Managed Systems Server Background: With the creation of the Windows Services Group (WSG) in 2010, certain specific commodity services were identified between the Help Desk, Desktop Support and Windows Services Group that should be combined into a single instance on campus, so that redundancies could be reduced and a more comprehensive product expertise could be brought to those services than may have been possible previously.  A central Sophos Enterprise Console instance was brought up for WSG, and the central instance that Desktop Support was managing was decommissioned after the client base was moved over from their instance of Sophos Enterprise Console to the WSG version.  However, the "unmanaged" version of the Sophos server and the Sophos server instance that is being managed in the Instructional Labs area of OIT still continued to provide service to their respective clients.

Differences Between "Managed" and "Unmanaged" Sophos Anti-Virus Services

UNMANAGED ENVIRONMENTS – In an "unmanaged" environment, the local Computer Support Coordinators (CSCs) and their staff usually take on the responsibility to install, configure and manage anti-virus services for their clients.  The installation and configuration of these services traditionally occurs during the system imaging process. In the "unmanaged" environment, the following functionalities are left to either computer support personnel or the end-user to configure and manage:


  1. Installation – Usually, the department has access to an executable that they can use during the system imaging or installation process.  There is really no difference between an unmanaged approach and the managed approach during installation.  However, because systems are being configured one at a time for anti-virus services, slight variations in configuration can easily be introduced into each of the workstations, which can provide a slightly different set of challenges for the maintenance of the system configuration:
    1. Consistency – The time between configurations, and the degree to which support personnel document their installation procedures and then actually follow those procedures, tends to introduce slightly modified versions of the base configuration throughout the organization.  Further, settings that are discovered over time and introduced to later installations will usually fail to be retrofitted back into the earlier installations.  These types of challenges are overcome in the "managed" environment, in that policies can be established and set at the enterprise, department, group and/or individual level, and moving an unmanaged system into one of those policies provides consistent application of settings for an entire policy group at a time.  As modifications or additions are brought on to the policy group, those changes are delivered immediately to all participants in the policy, thereby establishing a consistent application of changes and additions across the board.
    2. Limited Expertise – There is a tendency on the part of all support organizations, large as well as small, to develop a "sufficiency-based" expertise with second-priority computer services rather than developing a "comprehensive" expertise with secondary products.  Insufficiencies in product expertise arise, many times, through no fault of the support organization – certain expertise can only be derived from time, experience and having a sufficient base of systems that the system behavior can be understood for the anomalies that only occur on a rather infrequent basis.  One would like to think that additional expertise can be obtained by personnel specifically dedicated to providing specific services as a "primary" responsibility rather than as a secondary service.
  2. On-Access Scanning – This feature determines whether documents and files will be scanned just prior to their being exposed to the user.  This may be turned off by default in Sophos, as servers do not traditionally require on-access scanning, as all the scanning is done by the client.  Also, there are a number of other configuration settings dealing with on-access scanning that should be set to determine which files are to be scanned or not scanned, file extensions to exclude from scanning, and whether to scan files with no extension.  Another aspect requiring configuration deals with how to clean up viruses as opposed to the preferences a client may have on cleaning up spyware, scanning downloads obtained through a browser, dealing with suspicious files, allowing or disallowing suspicious system behaviors that may be attributed to a virus or spyware, and what to do with potentially unwanted applications.  All these settings are left up to the user to set and/or change in the unmanaged environment.
  3. Suspicious Behavior Monitoring – This also may be turned off by default.  One setting that is probably being overlooked for most systems is whether to block suspicious behaviors or to “Alert only”.  By default, this setting is turned to "On," meaning there are few, if any, details provided to the user concerning things that are occurring on their system that may be harmful.  The same thing goes for what a user needs to do with what are known as Buffer Overflows. No guidance is really provided to the end-user.
  4. On-Demand Extensions and Exclusions – Users have to determine what is scanned and what is excluded for on-demand scanning, if users choose to access this feature.  They can add extensions as they feel necessary, but it does become redundant to have every user in an unmanaged environment deal with a list of extensions and exclusions that should probably be common to all users.  Further, there is no mechanism for standardizing the "white" or "black" lists across the department or group.  Finally, clean-up of files that may be infected or compromised with other forms of malware is left to the decision of the user.
  5. Sophos Live Protection Management – “Should be” enabled by default, but it may not be and the user can change this at their discretion, irrespective of the impact it may have on the system.
  6. Web Protection Management – This aspect of protection deals with whether or not to block malicious websites and what to do with items that are downloaded from a website. This can be turned off at the desktop level, which may not be the optimum for this setting or environment.
  7. Malware Authorization Management – The user is pretty much left to themselves to determine whether or not to authorize possible adware, potentially unwanted applications, buffer overflows, suspicious files, suspicious behaviors, and websites.
  8. Quarantine Management – This functionality of Sophos determines the role of the user in cleaning up memory, disk sectors, files, file deletion, moving files to quarantine and authorization of applications on the system.  Again, consistency of application is going to be a major challenge in order to protect a system.
  9. Email Message Management – One of the most helpful features in Sophos is whether or not the user gets notices on their desktop when there is a potential problem.  Along with that, there is a need to determine whether or not anyone else is notified if, and when, there is a problem in detection, clean-up, errors, etc.  Chances are the departments are not using this feature which would mean the users are being left to make the decision on messaging.  Due to their relative lack of understanding of messaging in the malware environment, there will be a tendency on the part of most users to ignore or turn off messaging, thereby eliminating the feeling of having "nag notices" appear on their screens and interrupting the flow of their work.
  10. Updates and Upgrades – Even though credentials have been supplied to users to obtain updates to virus signatures, there is no guarantee that a system is getting its signature updates on a regular basis, and there is no monitoring mechanism to put anyone on notice of a problem, although you would like to think it's been sufficiently tested in each of the respective departments that there wouldn't be any problems.  This is something that has to be manually checked by users, as there is nothing in place for the product to inform them that updates have not occurred.  Upgrades are a slightly different story, in that the updating mechanism on a stand-alone system does not make any provision for version upgrades.  Therefore, either the local computer support or the users would have to monitor this and initiate these types of upgrades.
  11. Credentials – When the current licenses expire in August 2013, new credentials will have to be issued to computer support coordinators and users to apply to their SAV environment.  This will have to be done manually on each of the systems that are being manually updated.
  12. Scheduled Scans Management – Each computer has to be manually set up to scan for infected or problem items via scheduled tasks.  But there is no mechanism in place to notify anyone whether the scheduled task is even in place, whether the scans are taking place, nor whether issues have been appropriately remediated.
  13. License Management – The only way unmanaged systems can be managed for purposes of license management is through an annual audit of the participating departments to obtain a manual head count from the local computer support personnel for the licenses they believe to be in force at the time.

MANAGED ENVIRONMENTS – The following aspects of malware management also differ between managed and unmanaged systems, with these features only being available to the user in a managed environment:


  1. Policy – By placing individual systems in a policy, configuration and monitoring settings can be applied for more people in a standardized fashion throughout the department.  Requests for specific differences in policy can be accommodated easily through the Console.
  2. Updates and Upgrades – Can be transitionally provided to all users on a scheduled basis.
  3. Credentials – Can be applied one time on behalf of all users.
  4. Scheduled Scans – Can be set up and changed easily and quickly from the Console.
  5. Licensing – Can be easily determined from the information provided in the Console, as it keeps more information than OIT currently may have about the user base for SAV.
  6. Messaging – Can be turned off to the user’s desktop and can be turned on for email alerts to support personnel and can support multiple levels of support at the same time through establishment of policies that reflect support needs.
  7. Monitoring – Each desktop reports back to the Console, thereby providing information on the current status of updates, upgrades, last successful scheduled scan, as well as a history of updates and issues that have occurred on each system.
  8. Remediation – One of the major features of the managed environment deals with the handling of issues that arise from the various types of malware.  How one remediates viruses will differ from the way you might want to handle spyware, suspicious behaviors on the system, suspicious files that want to launch, adware that is trying to install on the system, downloads that people might try to bring in off the Internet and potentially unwanted applications that might try to launch from memory-based executables.

Suffice it to say there are numerous advantages to the managed environment over the unmanaged environment.  You would like to think the reduction in management, having a "permanent" set of experienced eyes looking over the one-time and day-to-day functionality, and proactive handling of issues as they come up would be a sufficient offset to the minor loss of control support personnel and users would experience.  The loss of control that is experienced by moving to a managed environment is usually due to the expectation that service levels will suffer.  But it should be noted that in this particular situation, an increase in service should be the result of the managed environment, due to the availability of enterprise system information and the resulting reduction in situation reaction time that can occur due to on-going attention to system state on the Sophos Enterprise Console by a product specialist familiar with the subtleties of malware management.

This is not to say the unmanaged environment can't or doesn't work – it just may require more effort on the respective parties to provide the same level of expertise, experience and automated handling of the policies, updates and remediation that users will require in this era of zero-day viruses and malware.