How good are antivirus defenses?

Feb 06, 2003, 3 mins
Evaluating antivirus capabilities inside a company - and out

As everyone knows, new viruses are introduced constantly, and the vast majority of virus attacks in the enterprise come by way of e-mail. This means antivirus defenses at the messaging gateway, server and/or desktop need to be updated regularly and frequently to prevent a virus from entering the network. Further, the antivirus defense capabilities need to draw upon a sufficiently large database of all known viruses and to have the ability to stop unknown viruses.

Everyone involved in managing a messaging system knows all of that. However, there are two important questions to address in this regard:

First, should antivirus capabilities be deployed outside of the corporate network?

In other words, should you use a managed service provider (MSP) to host your antivirus capabilities so that viruses can be eradicated before they ever get to your network? The advantage of this approach is that there is virtually no chance that a virus can enter your network through the messaging system using such a provider, since virus-laden messages never reach even the perimeter of the corporate network. A further advantage, particularly for smaller organizations that may lack sufficient IT resources, is that antivirus capabilities are always kept up to date. The disadvantage, of course, is the cost of such an approach, which is typically higher than the internal cost of deploying and managing antivirus capabilities.

The second question is, are internal antivirus capabilities, particularly those at the desktop level, as good as those provided by an MSP?

Some MSPs that offer antivirus capabilities run e-mail through multiple antivirus programs whose signatures are updated every few minutes, meaning that the chance of a virus getting through is nil. Further, the hardware on which these antivirus systems run is very robust, so antivirus signature files can be much larger than is practical with internal systems, potentially resulting in a greater ability to catch viruses. One antivirus MSP provided its January 2003 statistics to me; that report shows that four well-known antivirus packages were able to detect just 52% to 84% of the viruses that this MSP detected during the month.

What I’d like to find out – particularly from people who manage networks and/or messaging systems and either run internal antivirus software or use antivirus MSPs – is this: How satisfied are you with your current, internal antivirus capabilities? How often do viruses get through your defenses? What improvements would you like to see?

The goal of this is not to criticize or praise particular vendors, but merely to understand if MSPs’ antivirus defenses are significantly better than what can be done internally. Please drop me a line at