Improving Management of Client Anti-Malware Solutions

By Ryan McGee, Senior Product Manager, Microsoft Forefront Product Team

See other Security Tip of the Month columns

As if the challenges of scanning, detecting, and removing malware weren’t enough, IT professionals have the difficulty of integrating a client protection solution into their existing infrastructure and managing this solution. Anti-malware suites pose greater burdens than other types of software installed on client computers due to their frequency of updates and update infrastructure; other enterprise software doesn’t often have weekly or daily update requirements. It is also unusual to need both broad and detailed centralized reports from the average piece of client software.

To remain in control of how content is deployed, network administrators must ensure that the update methods and policies are compatible with their existing organizational groups and management tools. In addition, simplified client monitoring, alerts, and reports are needed to detect and respond to outbreaks as they appear.

A related aspect of client security—one that is too often regarded as separate—is visibility into the security state of the environment. Administrators need to know not only where action is required on their part through real-time data but also to see emerging trends around malware affecting their environment. This is particularly important for identifying and fixing potential vulnerabilities that may reside in an individual computer or computers. With increasing compliance requirements on securing the environment, administrators also must be able to document and report on status to executives and auditors.

Addressing these challenges is part process and part technology. On the technology side, you can improve management capabilities by implementing a client anti-malware solution that:

• Employs a unified anti-malware engine, rather than separate engines for detecting viruses, spyware, and other threats such as rootkits.

• Reports malware activity and the security state information of your clients through a unified console.

• Integrates with your existing update infrastructure.

• Integrates with existing policy and configuration management technology.

A unified anti-malware engine provides a single view to the user and administrator when dealing with all threats, instead of requiring separate tools and reporting to manage outbreaks of various types of unwanted software. With this approach, administrators can more easily configure protection and monitor any malware activity with less of the uncertainty that can come from working across a diverse toolset. If your anti-malware solution enables you to choose an integrated engine, take the opportunity. If it does not, consider whether the increased ease of management a unified engine could deliver is valuable enough to merit including it on your list of must-have capabilities in any future technology purchase decisions.

In parallel to a unified client engine, a single console for viewing and managing all anti-malware settings can greatly simplify administration of your client protection. A central dashboard that the administrator can examine at a glance to gain enterprisewide visibility and reports on the current status of threats and vulnerabilities is an invaluable tool. With it, administrators can save time and hassle. They can also gain deeper insight into what’s happening in the environment and therefore are more able to remain in control. If your anti-malware solution provides a unified console capability that you have not deployed, consider the benefit of unification when it comes time to evaluate the IT project list.

A streamlined definition update infrastructure is a critical part of an effective client-side response to malware outbreaks. Because response often takes the form of both malware signature updates and software updates to address vulnerabilities, the more you can integrate the mechanisms for distributing both types of update, the better off you will be. Using a common infrastructure for update deployment can also improve the efficiency of your updating process. Administrators already familiar with the infrastructure will be better able to use it effectively under the time pressure of an outbreak response. They will also be better able to understand its capabilities and limitations when creating the response plan.

Integration with existing configuration management infrastructure helps improve manageability for many of the same reasons. Using a common mechanism for centrally managing all your client configurations, including anti-malware, enables smoother configuration changes—administrators can test and deploy a single configuration rather than making multiple changes to client configurations. It also gives administrators better insight into how anti-malware configuration changes may affect other client configuration policies, and vice versa. Users can benefit, too: fewer policy changes coming from IT means fewer unpredicted disruptions and help-desk tickets.

None of these technological adjustments can eliminate all the challenges of managing client anti-malware solutions—not even if they are combined with the best policies and practices. But by implementing solutions that have some or all of these characteristics, you can reduce the time your IT team spends on managing anti-malware and gain better control of your environment.

For a more in-depth analysis of client anti-malware technology, download this Microsoft white paper: Understanding Anti-Malware Technologies.