Travelling Users - Best companion to Avira?

Discussion in 'other anti-malware software' started by hutchingsp, Jun 29, 2014.

Thread Status:
Not open for further replies.
  1. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I'm looking at options to enhance the security of our laptop users when they're away from the office.

    We do sensible stuff like no admin rights, firewall, and for antivirus we use Avira, but they're still a lot more exposed when on the road on some random internet connection than they are on the LAN behind our Palo Alto.

    I wondered if people had any suggestions on anything that works alongside Avira?

    I'm working on the principle that the two ways to stop "bad stuff" other than detection are behaviour, or by stopping the traffic to the download/payload to start with.

    Please keep in mind this is a business environment with potentially a few hundred laptops so deployment and central management and "hands off" for the end user plays a massive part here.

    I'm aware of stuff like OpenDNS Umbrella, any thoughts welcome.
     
  2. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    552
    Look into a VPN.
     
  3. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    We have one of those, but it isn't always practical to expect all users to tunnel all traffic through it all of the time, i.e. send someone to China or India and good luck having them connect to your VPN let alone at a decent turn of speed :)
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Last edited: Jun 29, 2014
  5. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I'd been considering exploit protection, seems more and more products are coming to market - you have yours, SourceFire seem to have one (AMP) and Palo Alto have one on the way based off the Cyvera acquisition.

    I guess that's one approach, tbh I'm torn between that approach vs. something that does URL filtering that stops you visiting the URL to start with - we have email attachments covered; my primary concern is when someone clicks a link.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Why not both? Both are complementary and there are a few free endpoint URL filtering plugins around (although unsure if free for business use). But do keep in mind that filtering is reactive (signatures) and easily bypassed by generating new landings.
     
  7. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    $$$ plain and simple - unfortunately you guys want paying for the stuff you work on :)

    It's a very valid point that URL filtering is reactive - of course the real answer here is training so that nobody ever clicks any links but until then...

    Presumably you're working on a similar approach to stuff like Cyvera? Their claim is sure, thousands of exploits and millions of new zero day variants but ultimately they all work in only a handful of ways and that's the behaviour they look for and block.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Not very familiar with Cyvera. Last I looked it seemed to me file-based only. Not sure how it would behave with memory-only exploits. Some time ago I did try to download a version to test it, but it wasn't available publicly. Would love to get my hands on a version to put it through our exploit testbed to see how it behaves.
     
  9. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I only use Cyvera as an example, never seen or used it - it just made sense to ask Palo Alto as we use them at the edge.

    This is a bit of a leading question but how many issues do you see in enterprise environments with random applications?

    We have hundreds of apps in use, some of which are niche products that are probably appallingly badly written, but in our field they're the only package that does a certain job so you're stuck with it - false positives are a huge concern once you go over a handful of computers.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    In our case we only shield a handful of pre-determined applications, which are the most popular attack-wise (main browsers, addons, java, pdf readers, ms office, media players, etc.). So it is not a system-wide approach which could have a negative impact on performance and FPs. There's an option of adding shields for custom apps and it works based on application profile. There's an "other" profile for situations like what you mention (crappy old apps with little or no support but which are required by the business). This other profile has more than enough mitigations but fine-tuned (or rather scaled down) to prevent FPs.
     
  11. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Ah OK, so that I'm clear then, in the example of someone clicking the link in a "You have missed a FedEx delivery" email and then running the .exe, MBAE wouldn't actually do anything?

    That's the scenario I'm most concerned about when folks are offsite since onsite we have stuff like URL filtering to stop them going there, and .exe blocking or WildFire (similar to FireEye) to check any PE executables they do download.
     
  12. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    552
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Correct, that's what MBAM is for, checks both the exe and the link with its IP Blocker.
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Another thing you can do is to lock down the laptops by putting up SRP or Applocker policies; especially if they do not need to install programs. You might want to look into that.
     
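    As an added illustration of the SRP/AppLocker suggestion above (example code, not something posted in this thread), here is a starter AppLocker executable policy in audit mode for standard-user laptops, with a check of how it treats a downloaded .exe in the user's profile. It assumes a Windows edition that enforces AppLocker (Enterprise/Server), an elevated session, and the Application Identity service running; the policy path, rule names and the sample file name are constructed for the example.

```powershell
# Added example (not from the thread): allow-list only locations a standard
# user cannot write to; everything else (Downloads, %TEMP%, etc.) is denied by
# default, which covers the "missed delivery" .exe-from-a-link scenario.
# Assumes Windows Enterprise/Server, an elevated session and AppIDSvc running.
Import-Module AppLocker

# AuditOnly: nothing is blocked yet; would-be blocks are written as event ID
# 8003 in the AppLocker/EXE and DLL log, so false positives (apps installed
# into user profiles) surface before switching to Enabled (enforce).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files"
        Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder"
        Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow local administrators"
        Description="Constructed example" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Constructed path for the policy file.
$policyPath = Join-Path $env:ProgramData 'AppLocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Apply to this machine; for a fleet, use -Ldap with a GPO path instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Test-AppLockerPolicy needs a real file to inspect, so create a constructed
# empty .exe in Downloads. Expected PolicyDecision for Everyone: Denied.
$sample = Join-Path $env:USERPROFILE 'Downloads\FedEx_Delivery.exe'
New-Item -Path $sample -ItemType File -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $sample
```

    Review the 8003 audit events for a few weeks before enforcing; apps that run from user-writable locations are the ones that will need publisher or hash rules added, and the %WINDIR%\* allow should be tightened with deny rules for its user-writable subfolders in a second pass.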
  16. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Yeah EMET seemed worth a look but we have a lot (as in literally thousands) of apps in use across the business - it's definitely not a "next, next, done" job :)
     
  17. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Interesting, we have a Techbench stick so haven't used the installed version for ages - I didn't know it had that kind of feature.

    Presumably you guys still pitch MBAM as a complement more than a replacement for traditional antivirus?

    We use Avira and I'm struggling to think of the last time I saw a "proper" virus - it's all adware/malware/trojans these days where I would expect MBAM to catch it, which leaves me wondering why I'd still need antivirus (an important point when you're paying to license 800 endpoints).
     
  18. Pedersen

    Pedersen Registered Member

    Joined:
    May 4, 2010
    Posts:
    234
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    No, TechBench is only for disinfecting by using on-demand scans. The MBAM Premium/ForBusiness product is the one that includes real-time protection.

    Yes, we're moving away from that complement positioning, especially now with MBAE in the mix. But if you want to replace the traditional AV on the endpoint with something more capable of dealing with zero-day malware and zero-day exploits like MBAM+MBAE, we still suggest you keep some form of rudimentary virus filtering on some layer of the network (smtp, proxy, etc.). Also AV nowadays is such a commodity that it comes preinstalled with the OS, so why pay for it? MSE/WD is actually very good at proper viruses/worms with a very low FP rate.
     
  20. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Sorry bad wording on my part, I know what Techbench does but I didn't know how much full MBAM did.

    I've been looking quite a lot at Webroot as I can see a lot of merit in the cloud lookup model vs. definition based, where it gets interesting is that in most of the online comparisons Webroot aren't mentioned, but of the folks that are Avira always score right up there.

    It does make me wonder if we're pretty much using best of breed already, but that's a tricky discussion to have on here due to the A vs. B rules :)
     