Delaying AV Definitions?

2012-08-21

Auto-deploying AV definitions has become commonplace throughout the industry. However, this post from the SANS Internet Storm Center raises the question of whether we should stagger deployments, much as we should already be doing with security patches. This is a hard call.

AV updates can arrive often, depending on how you've subscribed. I know when I was in charge of AV, my partner in crime and I decided we'd pull AV definitions as soon as our vendor had 'em ready. As a result, he set up an hourly check and deployment. We had been burned by a couple of incidents where a virus got in before definitions were available. You can't do anything about that. However, you can minimize your exposure by pushing definitions as soon as you can. That's where we decided to be.

With that said, seeing problematic updates is disconcerting. While McAfee is cited, I've seen issues reported with AVG, Symantec, and Microsoft Essentials. In other words, it doesn't seem to be as clean as before, probably because we're fighting from behind by using AV technology at all. I'm almost at the point where I'd recommend deploying to a test set of workstations and servers and, if no issues are reported after about 4-6 hours, pushing to the rest. The problem is getting the right set of test systems.

I'm already not a big fan of AV on systems where Microsoft SQL Server is installed. I've seen issues with the filter drivers modern AVs use, both at the file system and network layers, even with all the SQL Server related files excluded from scans. This just makes me increasingly wary about putting AV on SQL Servers. In 2012 I wish we weren't having this discussion. The promise of Host-Based Intrusion Prevention Systems (HIPS) hasn't lived up to the hype, much as we suspected it wouldn't. We are still facing the same sorts of threats, with the same sort of dated response. We need to do this better, but how?
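The two options discussed above, an hourly pull-and-push as soon as the vendor publishes versus a canary set that soaks for 4-6 hours before the rest of the fleet gets the definitions, can be expressed as a small rollout state machine. The following is an added example, not code from the original post or from any AV vendor's console; the host names, the `Rollout` class, the `evaluate`/`apply`/`run_hourly`/`simulate` functions and the helpdesk tickets are all constructed for illustration. It shows the trade-off the post describes: the soak window is exactly the extra exposure you accept in exchange for catching a bad definition set on the canaries, and a ticket from a canary host inside that window holds the fleet push for a human to look at.

```python
"""Staged (canary-then-fleet) rollout of AV definition sets, driven by an hourly check."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample inventory; a real deployment would pull this from the AV console.
# The canary set mixes workstations and a server so both update paths get exercised.
CANARY_HOSTS = ["wks-canary-01", "wks-canary-02", "srv-canary-01"]
FLEET_HOSTS = ["wks-101", "wks-102", "srv-file-01", "srv-sql-01"]

Report = Tuple[str, datetime, str]  # (host, when filed, description) from helpdesk/monitoring


@dataclass
class Rollout:
    version: str                     # vendor definition-set identifier (constructed)
    published: datetime              # when the vendor made the set available
    soak: timedelta                  # how long canaries must run cleanly before promotion
    canary_hosts: List[str]
    fleet_hosts: List[str]
    canary_deployed_at: Optional[datetime] = None
    fleet_deployed_at: Optional[datetime] = None
    hold_reason: Optional[str] = None
    events: List[Tuple[datetime, str]] = field(default_factory=list)


def evaluate(rollout: Rollout, now: datetime, reports: List[Report]) -> str:
    """Decide the next action at time `now`.

    A report filed by a canary host after the canary push (and not in the future
    relative to `now`) is treated as evidence the definition set is bad, and the
    fleet push is held. Reports from hosts that never received the set are ignored.
    """
    if rollout.hold_reason is not None:
        return "held"
    if rollout.fleet_deployed_at is not None:
        return "done"
    if rollout.canary_deployed_at is None:
        return "deploy_canary"
    bad = [r for r in reports
           if r[0] in rollout.canary_hosts and rollout.canary_deployed_at <= r[1] <= now]
    if bad:
        host, when, text = bad[0]
        rollout.hold_reason = f"{host} at {when:%Y-%m-%d %H:%M}: {text}"
        return "hold"
    if now - rollout.canary_deployed_at < rollout.soak:
        return "wait"
    return "deploy_fleet"


def apply(rollout: Rollout, action: str, now: datetime) -> List[str]:
    """Carry out an action from evaluate(); returns the hosts pushed on this tick."""
    if action == "deploy_canary":
        rollout.canary_deployed_at = now
        rollout.events.append((now, f"canary push of {rollout.version}"))
        return list(rollout.canary_hosts)
    if action == "deploy_fleet":
        rollout.fleet_deployed_at = now
        rollout.events.append((now, f"fleet push of {rollout.version}"))
        return list(rollout.fleet_hosts)
    if action == "hold":
        rollout.events.append((now, f"HELD: {rollout.hold_reason}"))
    return []


def run_hourly(rollout: Rollout, start: datetime, hours: int, reports: List[Report]) -> Rollout:
    """Drive the rollout with an hourly check, as in the post, for up to `hours` ticks."""
    for h in range(hours):
        now = start + timedelta(hours=h)
        action = evaluate(rollout, now, reports)
        apply(rollout, action, now)
        if action in ("hold", "deploy_fleet", "done"):
            break
    return rollout


def exposure_hours(rollout: Rollout) -> Optional[float]:
    """Hours between vendor publication and fleet coverage: the price paid for staging."""
    if rollout.fleet_deployed_at is None:
        return None
    return (rollout.fleet_deployed_at - rollout.published).total_seconds() / 3600


def simulate(soak_hours: int, reports_after_publish: List[Tuple[str, int, str]],
             publish: datetime = datetime(2012, 8, 21, 9, 0)) -> dict:
    """Convenience driver: reports are (host, hours after publication, text)."""
    rollout = Rollout("defs-constructed", publish, timedelta(hours=soak_hours),
                      CANARY_HOSTS, FLEET_HOSTS)
    reports = [(host, publish + timedelta(hours=dt), text)
               for host, dt, text in reports_after_publish]
    run_hourly(rollout, publish, 24, reports)
    return {"held": rollout.hold_reason is not None,
            "hold_reason": rollout.hold_reason,
            "fleet_covered_after_hours": exposure_hours(rollout)}


if __name__ == "__main__":
    print("clean set, 6h soak:", simulate(6, []))
    # Constructed ticket: a canary server misbehaves two hours after the push.
    print("bad set, 6h soak:", simulate(6, [("srv-canary-01", 2, "service fails to start")]))
```

With a clean definition set the fleet is covered six hours after publication instead of on the next hourly tick; with a bad set the canary ticket stops the push at hour two and the remaining hosts never receive it. The hard part the post points out, choosing canary hosts representative enough that a SQL Server or file-server regression actually shows up in that window, is not something the code can solve.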