Monday, March 13, 2006

Anti-Virus = Hidden Changes Hourly

In the Patch Management world, it is said that a patch could cause up to 10% failure on your network. Not bad when compared to a deadly worm or Russian hacker with a rootkit in your network.

Most PM Admins take the risk and do their job. They deal with the problems created by patching systems and go about the day. After all, you know what caused the problem and you don't have to worry about some hacker that dropped God knows what into your kernel.

But there is something else that is updated much more often and gets MUCH less attention. Anti-virus. Most AVs update hourly with new sigs and scan engines, therefore AV is changing almost every system on your network over 20 times a day. But how often do we think about this issue? Never, until it causes a problem.

Issues do happen and they can be quite blind-siding.

Norton update kicks AOL users offline - Mid-March 2006
McAfee issues bad DAT - Early March 2006.
Sophos issues bad update - Late February 2006.
Norton update causes Outlook problem - January 2006
TrendMicro update causes big problem in Japan - April 2005

I am sure there are many, many more that go unreported in the media. I remember when Sophos detected a SAP client file as a virus and started to delete them. It wasn't big enough to hit the news, but it did cause my employer at the time some extra work.

90 to 99% of the time, the updates are just fine and never cause a problem. But it is an issue you should be prepared for. Setting your AV to automatically delete detected "viruses" isn't always the best idea.

Review your current AV policy and consider "Blocking Access" instead of "Deleting"...unless you are using Sophos but that is another blog. =)
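To make those "hidden changes" visible, here is an added example (not from the original post, and not tied to any real AV product) that reads constructed AV log lines, counts how many definition updates landed, and flags any DELETE action on a file under a trusted program directory shortly after an update as a candidate false positive to review. The log format, paths, definition versions and threat names are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption, not a real product's log).
SAMPLE_LOG = """\
2006-03-13 08:02:11 UPDATE engine=5.1 defs=20060313.01
2006-03-13 08:14:37 DETECT action=DELETE path=C:\\Program Files\\SAP\\sapgui.exe threat=W32.Generic
2006-03-13 09:01:02 UPDATE engine=5.1 defs=20060313.02
2006-03-13 12:40:55 DETECT action=DELETE path=C:\\Users\\bob\\Downloads\\invoice.exe threat=Trojan.X
2006-03-13 13:00:00 UPDATE engine=5.1 defs=20060313.03
2006-03-13 13:05:10 DETECT action=QUARANTINE path=C:\\Program Files\\Office\\outlook.exe threat=W32.Foo
"""

LINE_RE = re.compile(r"^(\S+ \S+) (UPDATE|DETECT) (.*)$")
# Directories where a deletion is far more likely to be a false positive than malware.
TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\Windows\\")
WINDOW = timedelta(minutes=30)  # how soon after an update a delete looks suspicious


def parse_fields(rest):
    """Split 'key=value key=value' into a dict; values may contain spaces (paths)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", rest)}


def review_log(text, window=WINDOW):
    """Return (update_count, suspects).

    update_count: number of definition/engine updates seen (the hidden changes).
    suspects: DELETE actions on trusted-directory files within `window` of the
    most recent update, each tagged with the definition version in force.
    """
    last_update = None
    updates, suspects = 0, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind, fields = m.group(2), parse_fields(m.group(3))
        if kind == "UPDATE":
            updates += 1
            last_update = (ts, fields.get("defs"))
            continue
        if fields.get("action") != "DELETE":
            continue  # quarantine/block leaves the file recoverable; not flagged
        path = fields.get("path", "")
        if last_update and ts - last_update[0] <= window and path.startswith(TRUSTED_DIRS):
            suspects.append({"path": path, "defs": last_update[1],
                             "threat": fields.get("threat")})
    return updates, suspects
```

Run over the constructed log it reports three updates and flags only the SAP client deletion that happened twelve minutes after the first definition update.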
