by David Strom
Monday, October 08, 2001
Given the number of companies struggling these past few months
with Sircam, Nimda, and other attacks on their computer networks,
you are well aware that you need to have some kind of antivirus
solution to protect your company. If you already have AV software,
you might be thinking about changing it because of manageability,
compatibility, or licensing issues.
In the past, you didn't have too many choices. You most likely
have purchased individual software licenses for all your desktops.
The trick was making sure these programs were installed properly and
that everyone was diligent about updating the software with the
latest virus pattern files, periodically scanning their hard disks,
and ensuring that the protection was turned on and working for their
email and floppy access. That's a lot of work to do on one computer,
let alone on all the computers in your office, at remote locations,
and carried by travelling employees.
Of course, buying the right AV product isn't always easy. As an
example, Symantec
sells Norton AV as part of several different packages, depending on
whether you want other software along with the antivirus checker.
SystemWorks includes troubleshooting utilities and fax software,
Norton Internet Security includes a personal software firewall and
banner ad blocker, and a Norton AV bundle includes fax software. I
recommend just purchasing the straight Norton AV version, since
most businesses don't really need all these other things, and the
additional programs can quickly add up to a lot of dough. The
straight Norton AV program also works on the widest selection of
operating systems (but not on NT Server and Windows 2000 Server
versions, should you happen to have these running in your
office).

Alternatives to Client-Side AV Software

Despite all this trouble, individual AV licenses remain the best
strategy for most small businesses. Although it is hardly easy to
maintain AV software, the alternatives aren't much of an improvement
and sometimes offer more disadvantages. Two alternatives exist to
deploying individual desktop AV products.

Managed AV service providers

The first is to make use of an Internet-based managed AV service
provider, such as VirusScan ASaP from Network Associates' McAfee ASaP.com.
Instead of buying a software package and installing the software
from CD, you download a small piece of software from the Internet
and use a Web page from the service provider to manage your AV
deployment. The advantage of using these providers is that you
minimize the amount of software downloaded to your machines, and
they are supposedly simpler to operate and do just as good a job as
the software-based AV products.
McAfee ASaP actually provides several different managed services
and three support levels priced based on how rapid a response you
want to problems. VirusScreen ASaP filters all of your
corporate email through McAfee's servers before the email enters
your corporate network. And while the good news is that viruses and
other harmful emails are deleted before they hit your own computers,
you may be uncomfortable having all your emails routed around the
Internet in this fashion. McAfee offers the service for a minimum of
one year and 25 desktops, and it costs from $20 per desktop per
year, which is very reasonable given the protection you receive.
McAfee ASaP also has the WebShield e500 ASaP server, a piece of
hardware that accomplishes the same function as the VirusScreen
service except that the screening occurs on a server housed on your
network - think of it as an email firewall that will scan and clean
your messages before they penetrate your own network any further.
This might be the best solution for corporations who are concerned
about viral infections but don't have the staff or talent to deal
with managed services. However, the service is pricey: it covers a
minimum of 101 mailboxes, and you have to sign up for a minimum of
two years of service. The total cost for this minimal configuration
works out to something around $14,000. Still, when you consider the
amount of lost time and productivity due to email outages, this
could make sense for a midsized company.
VirusScan ASaP, their third offering, is a scanning tool managed
from McAfee ASaP's central servers. You download a small piece of
software, and the service automatically updates everyone around the
network whenever they connect to the Internet. Your users don't have
to worry about updating their software themselves because it is
always updated. This service also comes as an extra-cost option with
some of the SonicWALL and Linksys SOHO firewall appliances, and the nice thing
about using it this way is that you can turn on a feature in these
appliances so that only people who have installed VirusScan on their
desktops have Internet access through the firewall. This is a very
effective way to make sure your network is protected on the client
side.
The downside: this is also an effective way to annoy your users
when the VirusScan software doesn't work, because users will be
blocked from any Internet access across the firewall. You must also
rely on McAfee ASaP to keep their servers up and working, because if
they aren't, you don't have any protection. I was using an older
version of their software not too long ago and was left high and dry
one fine day when they migrated to newer servers. Resolving this
situation required spending lots of time uninstalling their software
and removing it completely from my computer before I could reload it
again. The problem here is that the managed service provider has
made their product so simple and idiot-proof that there's
no room for customization or removing it easily - I had to use
the Registry editor to completely remove all traces of it before I
could reinstall it. If this scares you, or if you don't have a
full-time network administrator who is willing to spend some time
understanding the consequences, this alternative isn't going to work
for you either.
VirusScan ASaP can be had for as few as two desktops with a
minimum service period of a year. The cost starts at about $4 per
desktop per month for the lowest service level and is on par with
most of the standalone AV software products.

Installing an AV server

If none of these solutions seems appealing, you can use another
method to centralize virus protection: install your own AV server
and use it to distribute the AV pattern files to the rest of your
network. This server, such as Norton's AV Corporate Edition or Trend Micro's
Virus Control System, typically involves some serious time to set up
because you must specify how you will enforce general security
policies, how you will keep track of which pattern files have been
downloaded to all of your various desktops, and so forth.
The trick here is that you are essentially managing another
firewall on your network, and you will have to make sure that the AV
server doesn't get in the way of your other hardware-based
firewalls. Many of these products have fairly steep prerequisites
for additional software that you must first install, such as
Microsoft's Internet Information Server (IIS), Active Directory
Services, or a database server. If you have these products already
installed on your corporate network, you might still want to set up
secondary Web, directory and database servers to just handle the AV
services.
But that is just the server side of things. Having an AV server
doesn't obviate the need to install individual desktop software; it
just means you have to install a special software agent that works
in conjunction with the central AV server. While you don't have as
much desktop software to deal with as the old-style standalone
method, you must still make sure each desktop can communicate with
the AV server (typically this is done over a TCP/IP network
connection). If you have limited security or server management
experience, this will not be the time to learn how to get all this
software going.

Recommendations from the Field

So what is the best course of action? For many, at the moment,
installing AV software on individual desktops remains the answer,
which is ironic and unfortunate but also many admins' most secure
choice for now. Perhaps the centralized and managed provider
solutions will improve in another year or so and become worth
considering, but in the meantime I have several recommendations if
you do decide to continue with desktop AV solutions.

Setting up your desktop AV software

To show you what is involved, I will walk you through setting up
Norton's AV product. Norton AV requires setting up two separate
programs: the actual AV software itself and an additional software
program called Live Update, used to schedule and update the virus
definition files. The trick becomes downloading the updates as soon
as they are available, and making sure you (and ultimately your end
users) stay current with them. Otherwise, you run the risk of being
infected when that next big virus or worm hits.
Before you install Norton AV, make sure all your computers have
your email software installed and set up correctly. While you can do
this after you get Norton AV on your machines, it is best to have
the email software configured properly beforehand, since Norton AV
will discover which email accounts you have set up and will ask you
if you want to protect them before finishing up its installation.
Make sure that after you install Norton AV, you run Live Update
immediately and update your virus pattern definition files.
For Windows, you want to pay attention to three different items
on the NAV configuration:
- the general automatic protection features,
- the floppy disk scanning features, and
- the email protection features.
Each is important for different reasons. And remember, you need
to go through this process for each of your office computers.

System scans and OS backup

There are two more things I'd like you to do with Norton AV:
initiate a full system scan on each machine and create a series of
emergency disks for at least one of the machines. If you have more
than one version of Windows, create the emergency disks for the more
recent operating system version, at the very least. If your PC comes
with an internal Zip drive, you can speed things up by creating an
emergency Zip disk instead of a series of floppies.
Any AV solution is functional if you do all of the
ongoing maintenance chores. If you protect some but not all PCs in
your enterprise, you are leaving yourself wide open for infection:
this happened to me one time and was an important lesson learned. So
take care, spend the time to get things set up properly, and don't
forget those periodic scans!
David Strom has written over a thousand articles for various
computer trade publications and Web sites, and publishes his own
essay series called Web Informant that can be found at http://strom.com. His latest book,
Home Networking Survival Guide, was published in Sept. 2001
by McGraw-Hill/Osborne and can be found at Amazon.com and other major book
retailers.