Forefront Client Security, Microsoft's initial foray into enterprise desktop security, holds out the promise of anti-virus and anti-spyware detection and cleaning services that integrate tightly with companies' existing network infrastructure and provide superior visibility into, and reporting around, these ongoing processes. However, eWEEK Labs' tests indicate that at this time, FCS delivers on only some of these promises.
In particular, we found that while FCS meets the baseline requirements for an enterprise security solution, the case for FCS will sound sweetest when preached to an end-to-end Microsoft infrastructure choir.
FCS is designed to fully capitalize on Microsoft's burgeoning portfolio of management and reporting solutions, at least theoretically easing management through the use of existing systems. FCS relies on Active Directory for policy deployment, WSUS (Windows Server Update Services) 2.0 or later for signature and software deployment, and MOM (Microsoft Operations Manager) 2005 for client monitoring and alerting. In addition, FCS requires a full-blown version of SQL Server (rather than MSDE or SQL Server Express) to provide robust reporting and data collection services.
Companies with a heavy investment in Active Directory Group Policy and in WSUS should find FCS a cozy match for their environments. However, companies that have deployed third-party management or patching alternatives might be better off giving FCS a pass, as the product brings with it a plethora of potentially redundant systems.
What's more, we found that FCS' detection capabilities still have a ways to go before they match the performance of more entrenched anti-virus players. For instance, we were unimpressed with FCS' detection rates and discovered some isolated incompatibilities that could hamper the FCS testing process. Even from a management perspective, we were taken aback by how many application consoles we needed to consult while operating and maintaining an FCS deployment.
Another drawback is that FCS client support is more limited than we'd like. FCS can be installed on Windows XP Service Pack 2, Windows Vista or Windows 2003 but does not work with Windows 2000 or earlier operating systems.
However, from a visibility standpoint, FCS scored well with us. We appreciated the way its modular design helped set apart the product's excellent reporting capabilities from its data collection and policy deployment functions, thereby keeping information flowing even while our test network was under attack. According to customers we consulted during our review, Microsoft's FCS support services also shine, exceeding customer expectations in helping decipher, detect and clean previously unknown infections and outbreaks.
Solid reporting and helpful customer service aside, FCS has significant hurdles to clear to defuse negative public perceptions that began to take root before the product was even released, because FCS is based on the same underlying technology as Microsoft's much-maligned, consumer-grade Windows OneCare Live. Earlier this year, OneCare Live suffered a series of public blunders, performing poorly on several independent malware detection tests and, worse, incorrectly quarantining entire mail stores rather than individual messages or attachments. Competitors such as Symantec have not been shy about taking Microsoft to task for these failings.
Microsoft is working diligently to remedy this image problem by gaining certifications from respected anti-virus research groups. FCS has already garnered West Coast Labs Checkmark certifications for wild list virus detection, wild list cleaning and Trojan defenses on Windows XP, 2003, 2000 and Vista-based systems. FCS is also undergoing certification from ICSA Labs, which has already given clearance to OneCare Live.
Pricing for FCS, which started shipping in May, is based on a subscription model, with recurring charges for both the client and central management components, but no upfront cash outlay. Client agent prices start at $1.06 per user (or per device) per month, while the Security Management Console component costs $206 per month. Volume discounts are also available. Considering that the Security Management Console licensing fee includes the costs of SQL Server 2005 and MOM 2005, we found the pricing to be more than competitive. The licenses for these components, however, are restricted to use solely with FCS.
We were somewhat disappointed with FCS' disjointed management facilities, which for us fell short of the integrated, cohesive and simplified management experience for which Microsoft is aiming. Rather, as we moved back and forth between the management consoles for WSUS, Active Directory, MOM and FCS itself, we felt that we were straddling too many disparate applications for comfort. We hope to see FCS' management story become better aligned as Microsoft moves to an MMC (Microsoft Management Console)-based approach for WSUS 3.0.
However, the Forefront customer whom we interviewed during our review disagreed with this perspective. Kevin Hayden, desktop engineering manager for Analog Devices, indicated his team does not spend much time in the MOM console, for instance, except when trying to isolate an alert. According to Hayden, after initial setup and trials, Forefront management was a pretty simple, single-console affair. What's more, Hayden told us the inclusion of MOM gives his staff a leg up on a client operations management project they have in the works.
Disparate management perspectives aside, one thing we can say for sure is that, with all the software components that FCS requires, administrators of the product will have to throw some significant hardware at their deployments. For a single-server configuration that hosts all elements of the FCS platform, Microsoft recommends at least a dual 2.85GHz CPU server with 4GB of RAM. FCS component prerequisites may be split among as many as six servers, separating out the reporting, collection, management and distribution server components as well as the reporting and collection databases. Like Hayden, however, we opted for a two-server setup, using an existing WSUS 2.0 server while hosting all other elements on a single machine.
Microsoft's decision to use WSUS and the Windows Automatic Updates client to deliver both the client software packages and malware signatures seems to us an odd match for the needs of a signature-based security solution. A WSUS server is designed to synchronize with Microsoft Update servers only on a daily basis, and Automatic Updates is designed to install software only once a day. During tests, we found Microsoft released new signature files between three and six times a day, so WSUS and Automatic Updates—at least in their default configurations—fall short. Fortunately, Microsoft has addressed these shortcomings by providing a component for installation on the WSUS server that bumps synchronization frequency to once per hour. Along similar lines, the FCS client software component triggers more frequent update checks.
Companies that have chosen a third-party patch delivery system will likely be loath to install and maintain WSUS on top of their existing systems, not to mention re-enable Automatic Updates on their clients. Microsoft does offer signature file downloads from its Web site, and these files can be installed manually or with a script. However, this is hardly an ideal solution given the frequency of signature updates. Moving forward, we expect to see third-party patching vendors offer scripts or other mechanisms to automate this process for their own customers, which would make life easier for companies out to mix FCS with non-Microsoft patching products.
During tests, we configured FCS updates by visiting the WSUS console, enabling WSUS synchronization, and approving the signature files and FCS client installation package to push out to our Windows endpoints. We also configured WSUS to automatically accept, download and deploy future updated signature files.
Before we could begin deploying FCS components to our clients, we had to visit a separate interface, the FCS Management Console, to create a security policy to govern the process. FCS security policies allowed us to centrally control whether to engage anti-virus or anti-spyware defenses, enable heuristic detections, schedule scan times, or create exemptions (either file folders or file types). We could also schedule periodic security-state assessments, providing a Baseline Analyzer-type scan to look for missing patches, unnecessary services or passwords susceptible to compromise.
After we'd created our policies, we were ready to deploy them via Active Directory. From the FCS console, we assigned one of the policies we'd drafted to a Security Group or an Organizational Unit, which triggered the creation of a new GPO (Group Policy Object) consisting of a number of specific registry changes, which FCS then automatically linked to our targeted Active Directory object. We could also assign the FCS policy directly to an existing GPO, or we could copy it to a file for manual distribution using FCS' command-line policy distribution tool.
The FCS console presents a dashboard with an executive-level view of the deployment, offering at-a-glance insight into the ratio of clients reporting issues versus those without problems and those that have not reported in recently. The dashboard also presents quick links to create a variety of summary reports that provide a top-level view of infection status with total systems affected, aggregate malware reports and enterprisewide security-state assessments. We particularly liked the Deployment Summary report, which breaks down the status of policy deployment, spyware and anti-virus signature distribution, and client engine deployment onto a single page and even singles out some of the information on a per-security-policy basis.
From these high-level reports, we could quickly drill down to more specific details and instances as needed by administrators tasked with resolving the problems—for instance, identifying missing patches and unnecessary services from a specific machine on the network.
The reports are initially presented as a Web page, but we could easily export reports to XML, CSV, Excel or PDF formats. Using the included MOM reporting engine, we could access the same reports as above, plus a few others, or design our own reports with the SQL Report Builder. We found we could use the MOM report engine to schedule periodic snapshot reports to provide regular insight into ongoing system behavior.
In our malware detection tests, we quickly noticed that FCS' real-time file system protection did not initially work in our tests using virtualized client instances. For instance, with all protections enabled, we were able to download our malware bundles to the virtualized client's hard drive from the Web, a file share or a thumb drive. Fortunately, the real-time protections worked as expected on a Windows XP-based laptop client, and we suspect that FCS does not interact in an expected fashion with VMware's virtualized disk drives. Although this circumstance is certainly not a deal breaker, it may hinder the FCS testing process in some organizations.
During a disk sweep, FCS did detect 10 different malware strains infecting 14 of our sample files. The Windows Filter Manager, meanwhile, helped block the installation of these infected bundles before they could take root on our system. However, our malware test suite consisted of 29 executables known to contain malware (a mix of viruses, adware, Trojans and other malware)—which added up to a lackluster sub-50 percent detection rate. We verified this by individually submitting the samples to www.virustotal.com, which ran each of our samples through 31 different scanners and assessment solutions.
However, some buggy behavior tempered even this marginal success. When we found the malware with our manual scan, we noticed the icon in the system tray changed from its usual state (a green check mark) to a warning (a red x). When we closed the client interface without choosing a course of action to clean the found infections, we discovered that the next time we opened the interface, the system tray icon had reverted to a green check mark, and the history contained no mention of the previous scan's findings. Findings were correctly reported to the central console, however.
Analog's Hayden acknowledged FCS has not yet coped with some minor threats (such as toolbars) around his network as well but said he was quite happy with the software's performance nonetheless. FCS had already detected many malware instances around his network that Analog's previous solution had missed.
But, more important, Hayden said Microsoft's Premier Support Services team was ready to assist when an outbreak hit the network. Microsoft's team even went so far as to accept a full disk image to help isolate an unknown infection, something his previous anti-virus vendor was unwilling to do.
Senior Technical Analyst Andrew Garcia can be reached at [email protected].