Auto-deploying AV definitions has become common place throughout the industry. However, this post from the SANS Internet Storm Center raises the question about whether we should stagger deployments, much as we should be doing with security patches. This is a hard call.
AV updates can happen a lot, depending on how you've set yourself up to subscribe. I know when I was in charge of AV, myself and my partner in crime decided we'd pull AV definitions as soon as our vendor had 'em ready. As a result, he set up an hourly check and deployment. We had been burned by a couple of incidents where a virus got in before definitions were available. You can't do anything about that. However, you can minimize your exposure by pushing definitions as soon as you can. That's where we decided to be.
With that said, seeing problematic updates is disconcerting. While McAfee is cited, I've seen issues reported with AVG, Symantec, and Microsoft Essentials. In other words, it doesn't seem to be as clean as before, probably because we're fighting from behind by using AV technology. I'm almost at a point where I'd recommend deploying to a test set of workstations and servers and if there are no issues reported after about 4-6 hours, pushing to the rest. The problem is getting the right set of test systems.
I'm already not a big fan of AV on systems where Microsoft SQL Server is installed. I've seen issues with the filter drivers modern AVs use, both at the file system and network layers, even with all the SQL Server related files excluded from scans. This just makes me increasingly wary about putting AV on SQL Servers. In 2012 I wish we weren't having this discussion. The promise of Host-Based Intrustion Prevention Systems (HIPS) hasn't lived up to the hype, much like we suspected they wouldn't. We are still with the same sorts of threats, with the same sort of dated response. We need to do this better, but how?
