Need both Server+Desktop protection

[compsecure]

I am researching for anti virus products for my corporate network. Does anyone see any point in having an av scanner at every desktop if they gateway server is protected with an av solution? I realize that mobile users need to be protected when they leave the corporate network but i don't see any point at each desktop on the corp network

[MrLinus]

I realize that mobile users need to be protected when they leave the corporate network but i don't see any point at each desktop on the corp network

Layers. It's all about layers. To assume that your gateway device will stop everything is a big assumption, IMO. I'd actually consider having one AV developer for the gateway and a competitor for the desktop. This should help catch all the potential things that might come through (and some may come through things that your gateway won't see like a SSH tunnel that uses a terminal connection to home or to a webbased email that doesn't check).

Better safe than sorry.

[ZT3000]

actually consider having one AV developer for the gateway and a competitor for the desktop.

It will be much easier to manage corporate AV if the AV developer is the same from server to desktop.
If your gateway appliance contains a different AV vendor, as MsMittens has stated, then this is not a problem.

Remember that gateway appliances containing AV protection have ongoing subscription costs which generally are not cheap. But in your case, a server is used as the gateway appliance.

Think about this:
Virii can come from zipped email attachments, plain downloaded files which are executed, jumpdrives, CD Roms, floppies, etc, anywhere a file can be introduced into your network is the same entry point for Virii or malware (trojans, etc). So if you are only using AV protection on the gateway, then how do you have these other entry points covered??

I would suspect that you are juggling budget concerns.

[Tiger Shark]

I'd say that before you consider any advice I would look at my network and try to determine what the threat is and whether there are other forms of mitigation that may be more cost effective in the long run.

In my case there is absolutely no reason for anyone in my network that _requires_ the ability to receive executable content via email. Thus, I employ a Watchguard Firebox with the SMTP proxy set to remove all executable content from incoming email. I then employ a gateway mail server that scans all incoming email for spam and viruses. I'm not too worried about macro viruses in word documents because they are no longer an effective means of rapid transmission so there won't be (m)any zero day macro viruses and the desktops are set to warn by policy. Interestingly enough SPF, (Sender Policy Framework), is rather good at virus filtration though it is technically an anti-spam tool. I use BitDefender Professional on the gateway mail server and it has proven quite effective at picking up malicious code on HTML email too. Then I use Symantec AV for Exchange server on the main mail server. The only alerts I ever get from that is a "Scan Engine Failure" which usually seems to occur when someone sends a link rather than the actual file they intended to.

I have other admins that have control of certain parts of my network, (I'm sort of an ISP for them), but of my 350 machines, (excluding servers that are protected by Symantec Enterprise), I have only about 30 with AV on them and most of those are public access machines.

I further employ IDS with all the AV rules out there running as a "heads up" for myself plus a rule that alerts on any executable content being sent by email. I also block all outbound email transmissions that do not emanate from a valid email server and have the IDS alert me immediately it occurs.

So, yes, you can have a corporate network that does not employ AV universally.... But, and I repeat the "but", you need to understand the risk, the business rules required for your business to operate and the "little workarounds" for those exceptional cases.... for example, if a tech support chap needs to email an executable have them rename it to .txt and then rename it back... It passes right through the WatchGuard because it only looks at the extension... But it then goes through 2 AV products before it reaches the workstation.