Managing security products on workstations and servers is an important task and becomes critical when new threats appear to threaten the productivity of enterprise employees. You want to know that all systems are properly protected the day they are deployed, and that they are kept up-to-date with the newest threat-detection technology, whether pattern files or updated scanning engines. For this review, I've looked at five products that offer central, policy-based management of desktops and servers. To provide a consistent context, I asked each vendor to provide its product's management console along with desktop antivirus software. If you're looking for a discussion of desktop threat-protection mechanisms, you won’t find it here. This review and its ratings are unabashedly—and narrowly—focused on the policy management interface and don't evaluate each product's utility for its intended purpose of protecting your desktops. What this article does is review the server-based architecture each vendor implements for control of managed clients, the options to scale up for the management of large numbers of systems, and the approach each product takes to organize managed clients in a way that facilitates the assignment of client application configuration policies and application deployment.
For the purposes of this review, I define policies as settings that control the function of an aspect of the application software. In some of the products, policies are named groups of settings that can be copied or assigned as a single object; in others, individual settings inherit down through a policy domain hierarchy of domains and subdomains. Policies can also be implemented as a combination of these methods. There are many ways to organize a policy domain structure. Frequently, organizing systems by the details of the policy they need is an effective approach. Sometimes, administrative responsibility can be another level of organization. There is no one-size-fits-all approach.
F-Secure Policy Manager
F-Secure Policy Manager when combined with applications in F-Secure Anti-Virus Enterprise Suite manages the security of endpoints throughout the enterprise. The suite supports a variety of Linux as well as Windows servers and workstations. I installed Policy Manager with F-Secure Client Security 7, which is part of the Anti-Virus Enterprise Suite.
Policy Manager comprises many components. The management interface, Policy Manager Console, is written in Java and can run on a variety of platforms. Policy Manager Server, implemented as an extension of an Apache Web server, is the repository for software and policies and uses standard HTTP protocols to communicate with managed clients. Policy Manager Web Reporting is a Web-based graphical reporting system that will report enterprisewide status information, including out-of-policy systems. Policy Manager Reporting Option is a command-line reporting interface. Policy Manager Update Server manages automatic antivirus and spyware definition updates to managed hosts. The management agent is the client-side component and includes an end-user interface and a common interface for all F-Secure applications. It enforces policies created and assigned within Policy Manager Console. Policy Manager Proxy is a remote agent, intended primarily for network segments that have slow upstream connections, and downloads protection updates and distributes them to local systems.
Installation was fairly easy, and took me about 15 minutes. I installed the software on a Windows Server 2003 system. By default, the Web-based Policy Manager console can be accessed only from the local machine’s localhost address, which can be opened by way of a check box. During installation, you can specify the remote installation jar files of other F-Secure products, or easily configure them later. After installation I found a Status Monitor, which displays the status of the server and its host; Administration and Reporting modules; and an Automatic Update Agent interface, which displays the version of the most recent update for each product, the success or failure of recent update requests, the ability to manually check for updates, and access to the Update Agent’s configuration file. The Automatic Update Agent makes sure the console server always has the most current updates for distribution to managed clients. You configure the polling interval and the preferred sources for updates.
Policy Manager Console
Two access modes are available from the console: Administrative, which requires that you enter a passphrase defined during installation, and Read-only. The logon screen lets you define and save connection information for other servers, easing access for large enterprises that have many console servers. Within the console, you find two functional modes: Anti-Virus, which Figure 1 shows, and Advanced, which is selectable from the View drop-down menu. Anti-Virus Mode manages client protection features of F-Secure Client Security, including Virus Protection, Automatic Updates, E-mail Scanning, and Internet Shield. Advanced Mode manages policy settings and deployment to clients. Both modes share Internet Explorer 6.0–like drop-down menus and function icons at the top of the window, the Policy Domains pane at the left side of the window, and (when the console server has generated status messages or alerts) a Message area along the bottom. In both modes, I found the Policy Manager Console UI well organized and easy to use.
When you start the Policy Manager Console and select Advanced Mode, a tabbed Properties pane displays to the right of the Policy Domains pane, with a details pane to the far right.
Policy Domains is a multilevel hierarchical folder structure with some similarities to an Active Directory (AD) organizational unit (OU) structure. Each client receives the policies that are assigned to its folder. F-Secure offers several ways to assign clients to folders. Large organizations will want to use the autoregistration feature, which lets you import into the structure clients that have the F-Secure Management Agent preinstalled. Policy Manager will place new clients into a particular domain within the structure according to, for example, a partial WINS or DNS name or IP address network segment (other and custom properties are also supported). Discovery and manual placement is also supported, and I chose that option for my testing. Similarly, policy-based installation allows automatic deployment of F-Secure products and policies to systems according to signed policies obtained by the client management agent from the console server.
You set policies by selecting a Policy Domain from the left-hand panel and clicking the Policy tab in the central Properties pane. A hierarchy of products displays in the Properties pane: Expanding the appropriate product displays its policies. Policies inherited from the level above display in light gray; policies explicitly set at this level appear in black. To set a policy, click it and change the setting that displays in the details pane. A Force option allows you to reset explicit settings at a subdomain or host to values inherited from above. A Show Domain button displays the current policy setting throughout all domains. Using reporting options, you can list domains and policies where explicit settings override inherited settings.
After you've set policies, you must both save and distribute them. Unsaved policy settings will revert to the default when you exit the console, but the console prompts you to save settings upon exit. Saving and distributing policies is easily accomplished by clicking icons in the icon menu bar. After you've distributed a policy, it will take effect on managed clients using that policy.
The Installation tab of the Properties panel is the place to go to deploy products to discovered hosts, import autoregistered hosts into the domain tree, and review the versions of available software installation packages. I tested software deployment by pushing Client Security 7 to a Win2K Professional workstation. The deployment was smooth, with no surprises.
Anti-Virus Mode, which the F-Secure Client Security Administrators Guide describes in detail, is an interface designed to work with the Client Security 7 application. Some of the functions overlap with Advanced Mode functions, including policy settings relating to client scanning and the client management agent. Overall, this mode is well designed. The Summary tab provides useful, actionable information, such as the number of new autodiscovered hosts and the number of alerts issued for problems encountered. The Outbreak tab provides threat-related news that's automatically downloaded from F-Secure along with regularly scheduled detection and software updates. The Operations tab lets you apply new updates to clients on demand and start manual virus scans on clients within a selected portion of the domain tree.
Reporting is easy and flexible. Eight report types are provided, and you can filter the output by product and limit it to a selected policy domain or set it to include subdomains. Reports are generated in simple HTML format, which you can save using the standard browser-based function.
I found Policy Manager Console to be particularly easy to work with. Because the console manages one server at a time, the largest organizations with multiple Policy Manager servers won’t see a full organizational view. For organizations where multiple Policy Manager servers aren't deployed, F-Secure’s Anti-Virus Enterprise Suite with Policy Manager provides a workable solution.
Policy Manager with F-Secure Anti-Virus Enterprise Suite
PROS: Easy to implement, with client deployment options suitable for both large and small organizations; paired with F-Secure Client Security, the interface is easy to use and console screens provide actionable information; setting policies and determining policy inheritance is easy
CONS: The one-server-at-a-time view within Policy Console might put off larger organizations
RATING: 4 out of 5
PRICE: For F-Secure Anti-Virus Enterprise Suite, $30.82 per user for 1,000 users
RECOMMENDATION: A decent management system well worth consideration.
Kaspersky Lab Open Space Security
Kaspersky Lab has announced a major update of its enterprise antivirus and centralized management products under the new product umbrella of Kaspersky Open Space Security. The updated products include Administration Kit 6.0, Antivirus 6.0 for Workstations, and Antivirus 6.0 for Servers. Kaspersky Mobile Security, for Windows and Symbian OS–based mobile phones, rounds out the suite. I reviewed a “technical” release, a feature-complete late beta version, a few weeks prior to the RTM.
Kaspersky's Administration Kit 6.0 is the server-based centralized management component of the Open Space Security suite. Installed on a single server or a hierarchy of servers in larger organizations, Administration Kit makes use of a SQL Server or MySQL database to track the status of managed systems. The administrative server also serves as a central distribution point for product updates, including antivirus and malware detection rules. Because Kaspersky publishes newly developed pattern files hourly, administrative servers check for and download them hourly. An agent service runs on managed systems and reports scanning activity and detected threats to the administrative server. The administrative server polls each of its clients every 15 minutes to determine status and health; clients poll their administrative server hourly, checking for updates.
I started by installing Microsoft SQL Server Desktop Engine (MSDE) 2000 SP3, as instructed by the Administration Kit Deployment Guide. Installing Administration Kit was next. The install generated a security certificate to secure administrative data and created a password-protected backup of the certificate to be used when necessary to restore an administrative server installation. Kaspersky Lab supplies a utility to back up and restore this data. The server itself will be protected according to the antivirus application policies of the group you assign the server to.
Using the Console
Standard Windows users—that is, Windows local machine and domain accounts—are used to authenticate access to the administration console. Within the console, you can grant administrators access to individual administrative servers or to the group within the console tree structure that holds administrative servers.
The Administration Kit is designed to manage all Kaspersky Lab applications. You use a wizard to create installation packages complete with the information needed to connect to a particular administrative server. Anti-Virus 6.0 for Workstations is remotely deployable. I tested the remote deployment and found few surprises. After you create installation packages, you can use the wizard to assign computer names to them and schedule them for execution. You can reuse the packages by rescheduling them with new systems.
The Quick Start Wizard made easy work of initial implementation tasks, including creating default alert notification settings, a default Anti-Virus 6.0 for Workstations policy, a scanning task, and a software and detection rules update task. The wizard downloaded current updates.
As Figure 2 shows, the administration console has a familiar layout. On the left, you’ll find a hierarchy of administration servers, although in Figure 2 only one server, localhost, is shown. Below the server you find objects and tasks such as Groups, Updates, Remote install, Reports, and Events. Clicking any object or task will display associated objects and tasks. Clicking Remote install, for example, displays remote installation–related tasks for creating an installation package, installing a package, or uninstalling a package, along with a list of installation packages you have created.
Groups are the key organizational unit for Kaspersky Lab application management, and you create groups and subgroups to organize managed systems. Kaspersky Lab calls the collection of groups the "logical network." Within a Group you’ll find folders for policies, group tasks, and administrative servers. In large implementations, the Administration servers folder lets you assign a slave server to service the group. Group tasks let you configure and schedule activities such as applying software and protection updates to clients and scheduling system scanning. The Policies folder is the container for named policies.
The Network:Domains folder contains domains, workgroups, and computers discovered on the network and configurable by IP scan, network browsing, and AD interrogation. Move systems from the Network folder structure to the groups that make up your logical network, which you create under the Groups folder. When you delete a computer from a group, it shows back up under the Network folder. For each domain, you can configure a group into which the administration server will automatically place newly discovered systems and apply the policies associated with that group.
A named policy seen in the administration console holds all the settings for an installed product, such as Anti-Virus 6.0 for Workstations. Policies can be marked active or not, and can be cut, copied, and pasted to the Policies folders for other groups. Policies are inherited down through the logical network. By default, inherited policies don’t display in the Policies folder of subgroups, a default that you can change from the right-click menu of any Policies folder. Two event-based types of policies are possible: a mobile user policy, applied when a user disconnects from the network; and an event-enabled policy, applied when a virus outbreak event occurs. Multiple instances of policies for the same application might occur within the same group, either explicitly or by inheritance. I’m not sure what happens when you have two normal (not event-driven) active policies for the same application in the same folder, though I was able to create such an instance.
Tasks management is similar to policy management. Tasks are inherited down the logical network, and inherited tasks are not displayed by default.
The documentation that I saw was useful, although I got the impression it was incomplete: There was no Administration Kit Users Guide, for example. Fortunately, the administrative console’s Help documentation was thorough and very useful, and I relied on it for much of my testing.
The Kaspersky Administration Kit is a capable product. Combined with Anti-Virus 6.0 for Workstations, which I used as a review application, it offers a broad scope of threat detection and protection that I haven't discussed. The structure of the management console occurred to me as less than ideal. For larger organizations I think the verbosity of the console tree would become cumbersome. My perspective is that displaying the Policies, Group tasks, and Administration servers folders under each group is unnecessary. However, these are minor issues. The core functionality is broad in scope and includes features (such as monitoring the activity of Office products) you won’t find in many other products.
Lab Open Space Security with Administration Kit 6.0, Anti-Virus 6.0 for
Workstations, and Anti-Virus 6.0 for Servers
PROS: Flexible, easily understood policy structure using a named policy approach; policy and task inheritance through the group structure is clean; effective system discovery and simple manual assignment to groups
CONS: Limited automatic assignment of new systems to policy groups—might designate only one policy group for each domain or workgroup computers belong to; inelegant console organization
RATING: 4 out of 5
PRICE: For Anti-Virus 6.0 for Workstations and Anti-Virus 6.0 for Servers; 10 nodes: $35 per node; 100 nodes: $22.50 per node; 1,000 nodes: $16 per node; contact vendor for volumes greater than 1,000 nodes
RECOMMENDATION: A competent management structure, but the console layout is unimpressive.
CONTACT: Kaspersky Lab
McAfee ePolicy Orchestrator 3.6.1
McAfee's ePolicy Orchestrator (ePO) comprises a number of components. ePO Server manages policies, handles events, orchestrates tasks, and coordinates software and protection updates. ePO uses SQL Server databases to store information about the logical managed system structure, represented by the ePO console’s console tree. ePO consoles can be installed locally and remotely, allowing administrators flexibility in management. An ePO agent resides on each managed system, enforcing policies, reporting events, and retrieving updates. A rogue system detection sensor, installed on one or two systems on each subnet, listens to broadcast messages to detect the presence of systems without an ePO agent, initiating a configurable action when one is detected. A master repository, maintained on the ePO server, obtains all updates according to a designated schedule. The ePO server distributes updates to strategically placed update repositories throughout the network. Depending on the network, you can choose to make update repositories available via HTTP, FTP, or Universal Naming Convention (UNC) file-sharing protocols, or to promote a managed system to SuperAgent status, caching updates for the benefit of other local systems. McAfee also supports manually maintained repositories to protect isolated networks from physically introduced threats.
By default, agents check the ePO server once every hour for updates. When necessary, the server administrator can request immediate communication from agents—for example, to effect an immediate policy change.
Within ePO policies are sets of configuration settings for a particular software application, and they can be designated for assignment to a location in the console tree. Appropriate policies are sent to client agents, which check the client’s status periodically (every 5 minutes by default) for compliance, and reinstate and report any out-of-compliance conditions. Events reported to the ePO server are handled according to notification rules you set up and can include notification messages, ePO-based tasks such as agent deployment, and running any external program.
McAfee suggests organizing your console tree for efficient policy deployment and supports multiple levels of groupings. McAfee calls the first level Sites; below Sites are Groups. Grouping similarly configured systems is recommended. A special Lost and Found group (essentially a holding area for systems requiring manual placement) is created for the directory and for each site and contains discovered systems when their placement within the directory structure can’t be determined. By default, policies are inherited down throughout the directory structure and can be overridden at any point.
Console security is provided by two types of McAfee user IDs: administrators and reviewers. Global Administrators have full access; Site Administrators can manage their own site and view other sites. Similarly, Global Reviewers can view, but not alter, the settings of all sites, and Site Reviewers can view their own site only.
A feature large organizations will appreciate is ePO's ability to automatically place new systems into the correct location in the directory tree. When this occurs, automatic actions, such as deploying an agent and products and applying specific policies, can occur without administrative effort. IP address- based rules and AD integration are two methods ePO supports to accomplish this functionality.
I installed ePolicy Orchestrator on a Windows Server 2003 system. For testing, I allowed the program to install MSDE 2000 rather than use another SQL Server system, and the installation completed uneventfully. This was one of the easiest products to install in the group. In the Console
After logging on to the console with credentials created during installation, I explored the console tree. As Figure 3 shows, below the top level McAfee folder (which you can rename), I found two levels: ePolicy Orchestrator, and Reporting. My ePO server was the only object under the ePolicy Orchestrator level, and its folder contains the Directory, Policy Catalog, and Repository, along with Notifications and Rogue System Detection. For the purposes of this review, I spent little time in the Reporting section.
Within the directory structure, I found Policies, Properties, and Tasks tabs in the details pane. I created a site and groups within the directory structure. The process was intuitive using the right-click menu. I found my ePO server in the Lost&Found folder. Clicking the server name displayed the default policies inherited from above on the Policies tab. On the Properties tab I found 27 items of system information and a summary of installed McAfee products—at this point, the agent and ePO. The only task on the Tasks tab was the ePO Agent Deployment task, inherited from the directory level above.
Clicking Policy Catalog, I found a display of McAfee products, each containing default policies. Intrigued by a “Show Me” link, I clicked it and was rewarded with a brief flash demonstration of the tasks I could perform within the Policy Catalog section. The interface is easy to work with. I duplicated one of the Virus Scan Enterprise policies, named it, and was presented with a tabbed screen offering access to all the related policy options. Each tab has an Inherit check box: Selecting it disables all the settings on that tab and allows the settings inherited from above to take effect. Each tab also has a drop-down list offering server and workstation options, which creates the ability to implement distinct settings for the two kinds of targets.
I found working with named policies easy to understand. Starting in a low-level group, I made a copy of the default ePO agent policy, modified some settings, and applied the change. Looking at the top level, the new policy wasn’t available for assignment there, so I did a copy-and-paste operation to make it available throughout the directory tree. At each level, applying a policy is a matter of clicking Edit on the applications policy configuration line, selecting the desired policy, then clicking Apply.
Because each managed system needs to know the location of its ePO server, the ePO installation process creates a customized agent deployment package for systems that will report to it. McAfee supports most software deployment methods for agent deployment. With one option, ePO will automatically deploy agents as systems are added to sites or groups within the directory tree.
To deploy McAfee software such as Virus Scan Enterprise, you simply “check-in” its installation package to ePO. This is a wizard-driven process in two parts: First check in a product catalog (.z) file, which describes the installation package, then check in the product policy (.nap) files, which describe policy options associated with the product.
The ePO console is well organized and easy to find your way around. Using the familiar tree-on-left, details-on-right organization was a structure I found logically consistent; I had no trouble locating what I needed to complete a task. The documentation is also very helpful. The ePO Walkthrough Guide is an excellent place to start and clearly describes the structure and concepts fundamental to effective implementation and use of ePO and presents instructions for an initial test deployment.
I tested policy-based automatic deployment by deploying a Rogue System Detector, then set up a conditional task that would deploy the ePO agent to rogue systems within a particular IP address range. The Rogue System Detector detected all the systems on my network and initiated a push install for the ePO agent.
For a system as configurable as it is, ePO is surprisingly easy to use. Not as easy, perhaps, as simpler systems, but well done. The architecture allows administrators to design an implementation that will eliminate many day-to-day tasks, such as insuring that new systems run protection software according to policy.
Orchestrator 3.6.1 with VirusScan Enterprise 8.5i
PROS: Well designed console structure; named policies with inheritance makes for easy, flexible policy assignment
CONS: AD-based discovery is a work in progress
RATING: 4.5 out of 5
PRICE: On a per-node basis and includes ePolicy Orchestrator and VirusScan Enterprise perpetual license and 1 year of gold support that includes technical support and product updates; $29.85 per node for 1,001 nodes; after the first year, additional support is $11.94 per node. Volume pricing is available.
RECOMMENDATION: A well-designed application for large to largest organizations.
888-VIRUS-NO or 888-847-8766
Sophos Endpoint Security
Sophos Endpoint Security is a product suite consisting of three integrated applications: Sophos Enterprise Console 2.0, Sophos Anti-Virus 6.5,. and EM Library 1.3. Here, I focus on the Enterprise Console, which allows centralized configuration of policies and applications against multiple groups.
You might consider EM Library the heart of Sophos Endpoint Security—it gets software and threat-detection updates and distributes them to other libraries and distribution points throughout the enterprise. Sophos Anti-Virus provides endpoint protection, and Enterprise Console manages your policies and endpoints. Using Enterprise Manager (called in the Start menu the EM Library Console), you configure update sources and schedule when and how often EM Library will look for updates. Sophos supports two strategies to allow large organizations to distribute the update library. A Central Installation Directory is a network share that EM Library will push a copy of the updates to. Child libraries are secondary installations of EM Library for networks with low-bandwidth Internet or WAN connections. A Parent library notifies Child libraries of new updates, and the Child libraries download them according to a schedule. Sophos supports networks with no Internet connectivity by allowing an installation of EM Library to use a removable device as a Parent library.
Sophos Anti-Virus includes spyware, adware, and potentially unwanted applications (PUA) protection in one engine with a single scan. Sophos uses a technology it calls Behavioral Genotype Protection for defense against zero-day attacks.
From a policy perspective, Sophos’s approach is to create named policies and apply them to named groups of systems in the console tree. This works well when administrators are able to implement a fairly uniform set of policies across the enterprise. Named policies let administrators easily keep track of the policies applied to groups. I think that management applications that use named policies are more intuitive and easier to implement than are packages that allow a more granular designation of policies.
The Network Startup Guide guided me to a quick and easy installation. A default installation process will install the console, antivirus, and client firewall components and either install MSDE or let you connect to an existing SQL server. The EM Library, where software and threat recognition updates are stored, is created either as a local shared directory or can be placed on another server. Enterprise Manager opens when the installer completes, guiding you to complete the required initial configuration. It first had me configure primary and secondary sources for updates, defaulting the primary to a Sophos server. Sophos supplied an account ID and password with its license, which I entered as required to authenticate access to Sophos update servers. Scheduling checks for updates was next: I accepted the default, in which checking occurs every 10 minutes. Sophos Anti-Virus supports a wide variety of client platforms across the Windows/Linux/Unix/Macintosh spectrum. In the next step, I selected the platforms I wanted Sophos to download updates for, then started the initial download. Finally, Enterprise Console opened.
Upon opening, the console presents a high-level status summary. Drop-down menus let you filter the view to specific states. Enterprise Console uses a familiar structure, with computer and policy hierarchy trees at the left and a details pane on the right. Icons that display across the top of the interface provide rapid access to key functions. Enterprise Console uses named groups of client computers and named policies to facilitate administration. The first task is to create computer groups, which is as simple as creating a new directory in Windows Explorer.
The next step is to set up several types of policies. Updating policies specify the primary and secondary update sources (used by client agents) in the form of UNCs or Web addresses and how often EM Library will download updates. Because different client types (e.g., Windows XP and Windows 98) require different update packages, within a named policy you configure parameters for each package type. For mobile users, the secondary source might be an externally accessible Web site.
Antivirus policies let you configure both scheduled scans and on-access scanning, as Figure 4 shows. You can designate additional file types and file exclusions for on-access scanning on Windows and Macintosh computers and to enable scanning for unwanted applications and inside archive files. When threats are detected, a message displays by default on the affected system; optionally, you can configure email and SNMP alerts as well. When scanning for unwanted applications is enabled, you configure authorized applications in this interface.
Assigning computers to groups is the next step, and Sophos supports three types of network scans: AD, IP address range, and network discovery. Grouping computers is a matter of highlighting and dragging them to a group. Assigning policies works the same way: You drag a policy to a group. You can drag groups into other groups to create hierarchies, but policies don’t automatically inherit down the chain.
Deploy software to groups by selecting the group and clicking the Protect Computers icon. Enterprise Console prompts you for a user ID with domain administration rights and installs Sophos Anti-Virus and, optionally, Sophos Client Firewall to systems in the group. The documentation suggests that if this doesn’t work, you should deploy the agents through a local installation, which is how I tested.
Overall, Sophos Endpoint Security suite is easier to use than some of the other products in this review, and it lacks some of the flexibility of the larger products. I think its simplicity and ease of use will please relatively stable organizations with fairly uniform requirements across the enterprise. Organizations with more diverse requirements, many thousands of computers, and rapid constant implementation of new systems might prefer one of the other systems.
Security with Enterprise Console 2.0, Sophos Anti-Virus 6.5, and Sophos
Client Firewall 1.0
PROS: Simply designed console is easy to navigate; assignment of systems and named policies to groups is as easy as drag and drop
CONS: Policies don’t inherit down the group structure and must be explicitly assigned to folders and subfolders
RATING: 4 out of 5
PRICE: For Endpoint Security, including Enterprise Console 2.0, Sophos Anti-Virus 6.5, and Sophos Client Firewall 1.0; $28.51 per 1 year, $42.77 per 2 years, $57.02 per 3 years for 500-999 seats
RECOMMENDATION: This product's simplicity and ease of use recommend it to businesses with basic needs.
Trend Micro OfficeScan 7
Trend Micro is close to releasing a major upgrade to its product line, but for this review, I worked with the currently available version of OfficeScan. OfficeScan 7 Client/Server edition is a tiered threat-management system. It has an integrated Web-based management console that operates under Microsoft IIS or Apache Web servers. With OfficeScan, Trend Micro includes a license to use Control Manager, its premium Web-based management console. Although Control Manager requires IIS (Trend Micro is working to relax that restriction), it provides the ability to manage other Trend Micro security products under a single umbrella console. Trend Micro also offers Control Manager in an Enterprise Edition, which adds support for a cascading server structure and a reporting system for managed clients and child servers.
OfficeScan protects desktops, mobile systems, and servers from viruses, Trojans, worms, hackers, and network viruses in addition to spyware and mixed threat-attacks. Its architecture is multi-tiered. Control Manager and OfficeScan install on a Windows server. Control Manager uses a SQL Server (MSDE by default) database to store client information. An agent on client systems communicates with the OfficeScan server to report its status and to determine where to download updates. Optionally, you can configure a client agent to cache updates from the OfficeScan server for distribution to other local clients within designated IP address ranges. Alternatively, you can configure child OfficeScan distribution servers at remote sites. When laptops and other mobile systems fail to connect to the OfficeScan server—as they would when away from the office—you can configure them to connect to Trend Micro servers to get available updates. The ability to install second-tier OfficeScan servers allows OfficeScan with Control Manager to serve large multisite organizations.
On clients, the Control Manager agent includes a single Communicator, which coordinates communication with managed servers. OfficeScan installs an agent for each Trend Micro product installed on a client.
Server requirements are minimal: Windows 2003 or Win2K Server, IIS, and Java Runtime. Trend Micro also supports OfficeScan under NT 4.0. The Control Manager console offers you several options to deploy the agent, including using a third-party facility to deploy an agent MSI package, Group Policy, or a direct remote deployment. Server components require an x86 or IA64 OS; client components are supported on x86, x64, and IA64 systems. OfficeScan includes support for users of Cisco NAC 2.0 and supports deployment of the Cisco NAC agent.
I installed Control Manager 3.5 and OfficeScan Corporate Edition 7.3 on a Windows 2003 system. Installation guides for both products clearly describe the system requirements, planning guidelines, and detailed installation procedures. Installation took a couple of hours, including time during which I scanned the documentation, but proceeded with few surprises. I needed to install a Control Manager agent with OfficeScan before Control Manager would recognize OfficeScan's presence on the same server, a requirement that wasn’t clear until I had a conversation with Trend Micro technical support. Control Manager makes use of a SQL Server database and offers to install MSDE as an alternative.
Console access is configurable to require Secure Sockets Layer (SSL) and HTTP Secure (HTTPS) communications. Control Manager supports use of both AD domain user IDs and Trend Micro user IDs to authenticate console access. You can assign one of three access levels to an ID: Administrator, Power User, or Operator, and can assign each user granular access rights to the various hierarchy levels of your organization’s Trend Micro products and product servers to accommodate decentralized management.
Two consoles were relevant for this review: the Control Manager console and the OfficeScan console. When I first spoke with Trend Micro, I was told that administrators could use the Control Manager console in lieu of the OfficeScan console. Technically, that may be true—because you have the ability to drill in to the OfficeScan console from the Control Manager console, as Figure 5 shows. Because of the limited screen area, I found it easier simply to use the OfficeScan console for most OfficeScan-related tasks and use the Control Manager console only when needed. Control Manager does add a number of features, most notably a reporting function that greatly enhances your ability to report which threats are being detected, where they are coming from, and the general status of managed systems.
Logging into Control Manager displays the home page, a status summary of all product versions, and recent threat detection. Five top-level menu choices—Home, Services, Products, Reports, and Administration—are listed across the top of the home page. Much of the configuration will occur on the Administration pages. Companies using many Trend Micro products that span many servers will be able to organize them in a hierarchical structure within Control Manager. In this environment, Control Manager lets you view all servers from one location, create reports. and log into individual servers to administer the product each hosts.
After I completed the installation of Control Manger, OfficeScan, and a patch update for each, I continued as the Control Manager Installation Guide suggested, by creating another administrative user and initiating a manual download of all updates. Then, from the OfficeScan console, I completed OfficeScan’s post-installation configuration: modifying default scan settings, global client settings, and client privileges. Scan settings determine what, when, and how threat scanning will occur. Client privileges determine how clients can modify the operation of the virus scan. The Global Client Settings-Grouping rule is an important one: With it, you decide whether to ask OfficeScan to group clients by NetBIOS domain name, AD domain, or DNS domain.
Deploying OfficeScan to clients is the next step, and Trend Micro offers the full range of alternatives, including remote deployment from the OfficeScan console and a client-initiated deployment from an OfficeScan Web page. Remote deployment to Windows XP systems requires that XP's Simple File Sharing be disabled to allow the OS to pass to the client the administrative credentials required for installation; Windows Firewall on the XP client musn't prevent the connection. The console made deployment easy, allowing me to drill into the domain, select clients, supply credentials, and initiate the install. On the client, three Trend Micro services appeared: a listener, a firewall, and a scanner.
Organizing clients and managing policies wasn’t as direct as I found with other products. In addition to the default domain-oriented groups that OfficeScan created, I was able to add other groups to the client tree structure. Unlike Control Manager's ability to create a multi-tiered structure organizing trend Trend Micro products and servers, OfficeScan doesn't support creating subgroups of existing groups when organizing computers for policy management.
After selecting a group, you have two ways to apply policy settings: by directly changing the settings on panes accessible from the Scan Options and Client Privileges menu, and by exporting the policy settings to a file from another appropriately configured group, then importing them to the group that you want to configure. The ability to export a group's policy settings to a file can be viewed as a form of named policy settings, albeit much less elegant than the named-policy facilities that some of the other products implement.
Trend Micro's system and application management features are less well developed than the other products I review here. Although Control Manager offers the largest enterprises a flexible view of the many Trend Micro products and servers that might be in use, each product server must still be administered individually, using the console interface designed for the product. In this review, I found the integration of the Control Manager console with the OfficeScan console left a lot of room for improvement. The simple ability to open an OfficeScan console for a server in its own browser window from Control Manager would be a significant improvement. Within the OfficeScan console, the single-level computer group structure limits an administrator's ability to organize the policy structure, and the need to export and import a group policy to effect named policy administration is somewhat cumbersome. I'm hoping that the upcoming new version of OfficeScan will improve the centralized management features.
OfficeScan 7.3 with Control Manager 3.5
PROS: Server-based communication architecture capable of serving large organizations, broad support for platforms and languages
CONS: Policy management procedures occur to me as less sophisticated compared to competing products; integration of the Control Manager console for management of OfficeScan functions has much potential for improvement
RATING: 3 out of 5
PRICE: For Trend Micro OfficeScan with Control Manager 3.5 (which is included for free); $18.90 per user for 1,000 users
RECOMMENDATION: From an administrative perspective, this product is difficult to work with.
CONTACT: Trend Micro
All of these products have great capabilities. If I had the opportunity to fully compare all the features of these products, I might reach a different conclusion. But for central policy-based management, I am most impressed with McAfee’s ePolicy Orchestrator for its ability to achieve relative ease of use and broad functionality. For that, I award ePO Editor's Choice.
John Green (firstname.lastname@example.org) is president of Nereus Computer Consulting.