Anti-Malware

Overview

Malware, or malicious software — which can take the form of viruses, spyware, spam generators and other detrimental applications — is an increasingly serious problem for system administrators. The interconnectedness of computer systems and the porosity of the Internet mean that a single infected system can pose a serious hazard. Malware authors are increasingly sophisticated in their approach, as new avenues for infecting client machines are continually being explored and exploited.

Anti-malware software is evolving to keep up with this increasing threat. IT Services' intent is to continue to keep pace with the latest updates to the anti-malware software currently in place and explore features and options in that offering not yet implemented.

Current State

IT Services has a site-wide license for Sophos Anti-Virus that is available to all users with an active SUNetID. Most anti-virus nodes run in standalone mode, which means that their settings are managed entirely locally and updates are obtained directly from the Sophos servers. Sophos offers the ability to flag programs as "suspicious," but the rate of false positives with this detection method is high enough that IT Services has had to set the client to an "alert only" mode for items detected by this process.

Some individual departments have deployed their own Sophos Antivirus console, and the Sophos clients in their area connect to that console. This gives local admins the ability to review and act on the state of the nodes reporting into their console. Updates for those clients are downloaded from the local console.

Vision

Malware is always changing and becoming more tenacious. Without strong anti-malware measures, computers are vulnerable, and malware creators are always looking for new channels they can exploit to their advantage, including social networking sites, instant messaging, and new loopholes in operating systems. The campus is encountering an increasing number of infections from "zero-day threats" that traditional signature-based detection by anti-virus clients cannot effectively stop.

Allowing Sophos Anti-Virus to block threats detected by its heuristic detection methods (as opposed to simply alerting the user) should significantly increase the protection provided to machines on campus. Version 9.5 offers a "live protection" feature that promises to solve the current problem of the high rate of false positives. It also offers additional protection from browser-based attacks, which have become increasingly common.

There are potential advantages to moving to a central console to manage Sophos on end-user systems. Specifically, for users with Restricted and Confidential Data, support personnel would be able to proactively check on the health of those systems and assist in addressing threats that Sophos identifies. In this configuration, Sophos offers an additional tool to check for potentially sensitive types of data, which would help users better understand the sensitive data they store on their systems. For the larger community, there are opportunities for increased campus-wide efficiency if IT Services could deploy a central Sophos console. It could use the delegated administration features in version 9.x to allow individual departments that manage their users through a Sophos console to do so through the central console, rather than run their own instance; as it stands, there are multiple consoles run by multiple IT groups across campus. Use of a central console would also ensure that individual departments follow best practices for setup and configuration.

Roadmap

  • Test and deploy the Sophos 9.5 client.
  • Install a test environment of the Sophos 9.5 console on a virtual machine run by the Windows systems group.
  • Test with support personnel who already run a console to evaluate whether delegated administration through a central console is sufficient for their needs.
  • Test management of client systems through the console to validate the potential benefits of using it for Restricted and Confidential Data users.
  • Evaluate the data-protection features of the Sophos console.

Measures of success

  • Significant decrease in the number of infected systems.
  • Decrease in the number of department-run Sophos consoles on campus.