eTrust Antivirus Expands Security Scope

Version 7 of CA product offers dual-engine scanning, detection capabilities but isn't easy to use.

Computer Associates International Inc.'s eTrust Antivirus has loaded up with new features and increased its scope of coverage—from PDAs to network gateway systems—making it a top contender for IT managers who are in the market for a comprehensive anti-virus product.

In the fiercely competitive world of anti-virus products, eTrust Antivirus 7 holds its own against competitors such as Symantec Corp.'s Symantec AntiVirus Corporate Edition and Network Associates Inc.'s McAfee VirusScan. New in Antivirus 7 are dual scanning engines, redundant signature distribution and a host of management features that made the product easy to control during our tests.

However, Antivirus 7's agent is larger than other products' agents—24MB on our Windows 2000 Professional test system. And although the user interface is logically laid out and allowed us to quickly understand the configuration of the product in our testbed, it wasn't always easy to use because so much pointing and clicking was required to apply policies and build client groups (see screen).

During tests, functions that were supposed to be drag-and-drop operations, such as applying rules we'd built, had to be applied by hand. This tedium was offset by the fact that we could apply policies to groups of users, and this is likely the way that most IT managers will use the product.

Once the policies were applied, it was relatively easy to keep track of them, although our tests also revealed that—as with most hierarchically managed products—we had to keep track of which rules we had applied at each level.

In the case of eTrust Antivirus 7, rules that are lower in the pecking order trump rules assigned at the top. In one case, we completely negated the good effect of one scanning policy by accidentally applying a more lax rule to a subset of machines.
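The override behaviour described above, where a rule set lower in the hierarchy silently replaces a stricter rule inherited from above, is easy to model and easy to lint for. The following is an added example, not CA's code and not how eTrust Antivirus stores its policies: it builds a small policy tree (constructed sample data, with setting names and strictness orderings assumed for illustration), resolves the effective policy for a machine by letting lower nodes win, and then walks the tree to flag every node that weakens a setting it inherits, which is exactly the accident the review describes.

```python
"""Effective-policy resolution and weakening check for a hierarchical
anti-virus policy tree.

Added example, not CA code. Lower (more specific) nodes override the
same setting inherited from above; the check reports where that
override makes a setting weaker than the inherited one.
"""
from dataclasses import dataclass, field

# Ordering from weakest to strictest for each setting. Constructed for
# this example; the real product's setting names and values differ.
STRICTNESS = {
    "realtime_scan": ["off", "on"],
    "scan_action": ["report", "quarantine", "delete"],
    "heuristics": ["off", "low", "high"],
}


@dataclass
class Node:
    """One level of the hierarchy: an enterprise, a group, a subnet, ..."""
    name: str
    rules: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def effective_policy(path):
    """Merge rules from root to leaf; a later (lower) node wins on conflict."""
    eff = {}
    for node in path:
        eff.update(node.rules)
    return eff


def find_weakening(root):
    """Return (node, setting, inherited_value, local_value) for every node
    that sets a value weaker than the one it inherits from its ancestors."""
    findings = []

    def walk(node, inherited):
        for key, value in node.rules.items():
            if key in inherited and key in STRICTNESS:
                order = STRICTNESS[key]
                if order.index(value) < order.index(inherited[key]):
                    findings.append((node.name, key, inherited[key], value))
        merged = {**inherited, **node.rules}
        for child in node.children:
            walk(child, merged)

    walk(root, {})
    return findings


def sample_tree():
    """Constructed sample: a strict enterprise policy, an engineering group
    and a lab subnet that accidentally downgrades the scan action."""
    root = Node("Enterprise", {"realtime_scan": "on",
                               "scan_action": "quarantine",
                               "heuristics": "high"})
    eng = Node("Engineering", {"heuristics": "high"})
    lab = Node("Lab-Subnet", {"scan_action": "report"})  # the lax rule
    eng.children.append(lab)
    root.children.append(eng)
    return root, [root, eng, lab]


if __name__ == "__main__":
    root, path = sample_tree()
    print("effective policy for a Lab-Subnet machine:", effective_policy(path))
    for finding in find_weakening(root):
        print("weakening:", finding)
```

Running the check before pushing a policy change is the cheap way to avoid the situation the review hit: the lab subnet ends up with `scan_action = report` even though the enterprise level says `quarantine`, and the only thing that tells you is the walk over the tree.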

We were able to surmount every obstacle we encountered, but IT managers should keep in mind that it will likely take several days to a week—and at least a small team of subject experts—to fine-tune the product for deployment to production systems. Based on our testing, we also recommend thorough testing of the separate components of the eTrust Antivirus family that are needed for managing PDAs and gateway systems.

In the case of PDAs, look for performance effects on file scanning, especially if services such as AvantGo Inc.'s Mobile Internet service, which frequently change large numbers of files, are used.

For gateways, we found that filters helped us reduce processor load. Products such as McAfee VirusScan use a file caching system to track already-scanned files—something eTrust Antivirus 7 doesn't do.

CA took an interesting approach with this version of eTrust Antivirus, equipping it with two scanning engines that are administered from the same console. In tests, both engines capably identified files we intentionally infected with a test file from the European Institute for Computer Antivirus Research. Using definition files that we updated from CA's support center, we easily quarantined the infected files.

The redundant signature distribution system worked just as described. When we disconnected one of our signature servers from the network during the virus file update, the agents found the backup we had designated, and updates completed without a hitch.

We could assign different virus scanning engines to the same group of computers, thereby increasing the likelihood of detecting virus activity. The engines enabled us to look at signatures while the heuristic scanner stood watch for virus-like activity on the systems where it was installed.

CA has also beefed up management for users who often move about inside the enterprise, making it possible for us to define how client systems configured their anti-virus posture based on where they were logged in to the network. This feature requires a lot of thought and testing to work well, but the payoff for us was that when we moved from one test subnet to another, our laptop systems could find preferred signature download systems and pick up new signature download schedules.

This is handy for organizations where staff frequently travel to different offices. For example, while working away from the designated "corporate HQ" network, we could tell our laptops to look at a new signature server so that the anti-virus engine was always up-to-date.
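Two behaviours from this review fit together in one piece of client-side logic: the redundant signature distribution described earlier (when the primary signature server is unreachable the agent moves to the designated backup) and the location-aware configuration described here (the preferred server list depends on the subnet the client is currently on). The following is an added example, not CA's code and not eTrust's update protocol: the subnet table, host names and signature version numbers are all constructed for illustration, and the network fetch is simulated so the code runs offline.

```python
"""Location-aware signature-server selection with failover.

Added example, not CA code. Picks a preferred, ordered server list
from the client's current subnet (longest prefix wins), then tries
each server in turn, skipping unreachable ones and ones that would
hand back an older signature set than the client already holds.
"""
import ipaddress

# Constructed policy: per-subnet preferred servers, most preferred first.
LOCATION_POLICY = {
    "10.0.0.0/8": ["sig-hq-1.example.test"],
    "10.2.0.0/16": ["sig-branch.example.test", "sig-hq-1.example.test"],
}
DEFAULT_SERVERS = ["sig-hq-1.example.test"]


def servers_for(client_ip):
    """Return the ordered server list for the most specific matching subnet,
    or the default list when no subnet matches."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, servers in LOCATION_POLICY.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, servers)
    return list(best[1]) if best else list(DEFAULT_SERVERS)


def fetch_with_failover(servers, fetch, current_version):
    """Try each server in order. fetch(host) returns the signature version the
    server offers or raises ConnectionError. Returns (host, version, attempts)
    for the first usable server; raises RuntimeError if none is usable."""
    attempts = []
    for host in servers:
        try:
            version = fetch(host)
        except ConnectionError as exc:
            attempts.append((host, f"unreachable: {exc}"))
            continue
        if version < current_version:
            # A reachable but stale mirror must not roll the client backwards.
            attempts.append((host, f"stale: offers {version}, have {current_version}"))
            continue
        return host, version, attempts
    raise RuntimeError(f"no usable signature server: {attempts}")


def simulated_fetch(down, versions):
    """Build a fake fetch function: hosts in `down` raise ConnectionError,
    the rest return the version listed for them. Constructed for the example."""
    def fetch(host):
        if host in down:
            raise ConnectionError("no route to host")
        return versions[host]
    return fetch


if __name__ == "__main__":
    # A laptop on the branch subnet whose local server is offline.
    fetch = simulated_fetch(
        down={"sig-branch.example.test"},
        versions={"sig-hq-1.example.test": 1043, "sig-branch.example.test": 1043},
    )
    host, version, attempts = fetch_with_failover(servers_for("10.2.5.9"), fetch, 1040)
    print("updated from", host, "to version", version, "after", attempts)
```

The longest-prefix match is what lets a branch office override the enterprise-wide default without every other subnet needing its own entry, and the stale-version check is the part worth keeping even if you simplify everything else: a backup server that is reachable but behind on signatures should be reported, not trusted.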

We're sure this is something CA did because it could, but we could also switch the virus-scanning engine based on location. We couldn't think of a good reason to do this and advise readers to keep policies as simple as possible.

Senior Analyst Cameron Sturdevant can be contacted at