Vaccinating your network

When Computer Associates (CA) acquired Cheyenne Software's InocuLAN, CA revamped the product and aimed it directly at the enterprise level. The result is one of the most comprehensive network virus scanners available. InoculateIT 4.5 comes as part of the Unicenter TNG suite or as a standalone product. I reviewed the standalone product, which ships on CD-ROM and includes a thin, concise manual.

Because InoculateIT is a client/server-based application, you must install each component separately. After you install the server component, you can install the client component by either taking the CD-ROM from workstation to workstation or setting up a share on the server.

Because CA aims InoculateIT at large networks, the product uses a domain manager paradigm on the server side. The Domain Manager applet gives you one intuitive user interface (UI) from which you can manage multiple domains and workgroups. To add client workstations to manage, simply enter the computer names into Domain Manager. You can then schedule the scan, specify the maximum amount of CPU time to use, and determine which file types to scan or exclude. Using Domain Manager, I quickly set up InoculateIT to scan all workstations on my TCP/IP network each morning at 2:00.

Like most modern virus scanners, InoculateIT uses a heuristics-based scanning engine. Rather than look for static behavioral traits, InoculateIT's engine dynamically monitors for suspicious behavioral patterns. Therefore, the product can catch and trap new and unidentified viruses.

InoculateIT is thorough but not speedy. A data-file scan on a 10GB SCSI volume took more than 25 minutes, but the program detected—and inoculated—every test virus I introduced. When the scanner detects a virus, InoculateIT's comprehensive Alert Manager notification system informs you of the security breach. Alert Manager uses standard notification methods: network broadcasts, numeric and alphanumeric pager messages, email messages, SNMP traps, event-log records, and trouble tickets (i.e., sending the alert to a print spool on a network printer).

InoculateIT's virus-definition updates are freely available on CA's Web site. Updating the virus definitions is a two-step process. First, the server obtains the latest signature files. Then, the server sends the updated data to the clients. You can configure InoculateIT so that update files automatically download and install across the network.

InoculateIT's realtime scanning component runs quietly in the background and springs to life only when a user attempts to load an infected file on a client. As Screen 1 shows, the realtime scanning component uses the Local Realtime Manager, which offers administrators and users a rich selection of configuration options. Because the realtime scanner uses less than 1MB of system RAM and about 1 percent of CPU time while idle, you won't notice its presence until it detects an infected file.

A unique feature of InoculateIT is its ability to automatically log off client workstations when the software discovers an infected file. To test this feature, I sent an infected Microsoft BackOffice 2000 file to one of my workstations in an email message. Then I saved the file to the workstation's hard disk and attempted to copy it to the server. InoculateIT immediately detected the infected file, quarantined it to a secure directory, and disconnected the workstation from the network.

If you enable the product's Virus Wall feature, InoculateIT prevents client machines from copying infected files to the server (i.e., overwriting clean files). Unfortunately, Virus Wall protects only files that are smaller than 2MB. CA claims that this limitation improves performance, but because many executable and document files exceed 2MB, relying on Virus Wall exclusively might provide a false sense of security. Future releases of InoculateIT will lift the 2MB cap.

InoculateIT is a worthy addition to any corporate network. The product's reliable virus detection and intuitive client/server design place the package in the ranks of the leading network virus scanners.

InoculateIT 4.5
Decision Summary:
Pros: Advanced scanning options; efficient client/server design
Cons: Relatively slow scanning time; inherent 2MB limitation in the Virus Wall file-protection feature