Sadly, after finally mastering McAfee's ePO console after 10,000 hours of working with it I do like the granularity it offers, the fact I can sync it with AD and various OU levels (I have McAfee groups that roughly align with my OU structure), my login is LDAP pass-through, etc. I have it so it auto-deploys AV to workstations and some servers but not all (by design) etc. I managed to avoid the 5958 DAT fiasco, and I've had Vipre eat more legit .EXE's than any other AV.
How can you tell if you're getting better coverage from one product vs. another? Unless you run both in parallel in the same environment (50% have one, 50% have the other) I don't know how you could really know. As I've said before I run 3 different AV products in 3 different environments and I couldn't tell you with any certainly one is giving better coverage than another. Perhaps after the change you are getting more notifications of infected machines? The might do it. Out of the box McAfee ePO isn't set up to let you know when machines are infected, it wasn't until I horsed around with it that I started getting alerts. Heck McAfee's product even helped troubleshoot a SNORT detection because I just had the agent log all port traffic for a time. This isn't really a McAfee endorsement as much as it is just general commentary :-P David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 From: Maglinger, Paul [mailto:pmaglin...@scvl.com] Sent: Thursday, October 07, 2010 5:27 AM To: NT System Admin Issues Subject: RE: AV Opinions We will be moving away from McCrappy after our current agreement expires. Not necessarily because of how their product performs (but that is part of it), but because of the way they handled the 5958 DAT fiasco. They made promises to our company for compensation and then reneged on the deal. I doubt they really care now that they're in bed with Intel. -Paul From: Ray [mailto:rz...@qwest.net] Sent: Thursday, October 07, 2010 6:42 AM To: NT System Admin Issues Subject: RE: AV Opinions That's interesting, because we absolutely hated McAfee and it's enterprise console, and couldn't wait to get rid of it. We've ended up with significantly better coverage with Sophos than we ever did with McAfee. From: Alan Davies [mailto:adav...@cls-services.com] Sent: Thursday, October 07, 2010 2:42 AM To: NT System Admin Issues Subject: RE: AV Opinions Sophos seem to be excellent detection wise. As for not detecting Conficker below, that'll have been another issue as there is no AV product out there that can't detect it. If I had to guess, perhaps one host was infected and locked out AD, but all the Sophos alerts were from machines missing MS08-067 that were "getting infected" because the OS could not protect against it, but immediately cleaned by Sophos. Certainly behaviour I've seen before. You must patch Windows, AV can do everything on its own. One negative comment about Sophos - they are still, in my opinion, very low down the pecking order in Enterprise Management. They have a long, long way to catch up on McAfee and the like for agent management, alerting, mandatory policies, etc. You can work around these things and it's a great AV product, but if you're a large, sensitive environment, it may frustrate you a little. Going from 7 to 9 didn't improve these grumbles much ... a ________________________________ From: Ames Matthew B [mailto:mba...@qinetiq.com] Sent: 07 October 2010 08:12 To: NT System Admin Issues Subject: RE: AV Opinions We run Sophos here, and it seems to do a reasonable job. Corporate IS got caught last year with their pants down after a departmental server without any AV on it (or seriously out of date - guess someone got a good telling off for that) managed to get Conficker. Given we don't have a direct net connection to our deskstops or services network, they had not bothered to install the hotfixes to prevent this For what ever reason Sophos did not detected it, and quite a few machines got infected, and a couple of thousand user accounts got locked out. Took them a few days to get things under control - I wrote a little ldap tool to monitor the number of locked out user accounts :-) Sophos is a bit of a memory hog (not sure how it compares to other versions), taking around 150MB (savservice.exe alone is taking 108MB on my machine currently). We are currently using 7.6.20 tht, Matt ________________________________ From: Jim Holmgren [mailto:jholmg...@xlhealth.com] Sent: 07 October 2010 01:23 To: NT System Admin Issues Subject: RE: AV Opinions Give Sophos a long look. I firmly believe they are the best of breed that nobody seems to talk about. They don't market to the non-corporate crowd, so that probably has something to do with it. I asked this list and a few other resources when I was evaluating solutions. I did not hear from a single person using Sophos that did not like it. We are replacing Symantec with Sophos right now and it is going very well so far. Sophos will sync with AD (if you want) to automatically protect computers when you add them. It will remove Symantec cleanly (so far on about 25 test/pilot users it has been perfect) when pushing it out. It includes device control (want to block USB storage devices...2-3 clicks and you are done), a NAC component, and a firewall. It also includes clients for Mac/Linux and with each corporate license, you get a free at-home license. NFI - just a very satisfied customer so far. Jim ________________________________ From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] Sent: Wed 10/6/2010 7:09 PM To: NT System Admin Issues Subject: AV Opinions At one of the shops that I look after, I have been asked to change the AV to something new and current. Vipre and Forefront excluded (I know enough about those already), what else are you guys using that's good? It's been a while since I looked at all the other vendors, I have such little time to eval for this need, I can't just download all vendors packages and trial each one for 30 days, I need to look at one and hopefully get it right:( Thanks for any opinions, jlc ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and/or protected health information. Under the Federal Law (HIPAA), the intended recipient is obligated to keep this information secure and confidential. Any disclosure to third parties without authorization from the member of as permitted by law is prohibited and punishable under Federal Law. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. NOTA DE CONFIDENCIALIDAD: Este mensaje incluyendo cualquier anejo es para uso exclusivo del (los) destinatario (s) y puede incluir información confidencial y/o información de salud protegida. La Ley Federal (HIPAA) establece que el destinatario está obligado a mantener la información confidencial y sequra. HIPAA prohíbe y castiga cualquier divulgación a terceras personas sin autorización del afiliado o permitido por ley. Si usted no es el destinatario, redirija esta mensaje al remitente, y destruye cualquier copia existente del mensaje original. This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. QinetiQ may monitor email traffic data and also the content of email for the purposes of security. QinetiQ Limited (Registered in England & Wales: Company Number: 3796233) Registered office: 85 Buckingham Gate, London SW1E 6PD http://www.qinetiq.com<http://www.QinetiQ.com> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ************************************************************************************ WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. "CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE" ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin