
Benchtest - the best antivirus software

Centralised virus protection can save administrators from a messy clean-up in the wake of an attack. Network News guides you through the best AV software on offer.

David Ludlow, Network News

According to Hollywood, viruses will either create complex graphical displays or take over the world after developing their own intelligence.

It's no wonder that the average user wants to 'see what happens'. The effects of a nasty virus in real life are rather boring. Instead of aspirations for world domination, a virus simply deletes important files and mails itself to all your mates pretending that it loves them.


All this proves is that users can't be trusted, and it's the friendly administrator who has to pick up the pieces when it all goes wrong. The only solution is to fight back and ensure your network has centralised virus protection from the server to the desktop.

For this latest benchtest, Network News has sourced seven of the latest scanners and put them under the microscope in our labs. We have paid a lot of attention to management and installation of the software, but most of all to the number of viruses caught.

We contacted the AV out-sourcer MessageLabs and requested the latest virus samples they had caught. As the company is responsible for scanning thousands of emails a day, it catches many viruses before the AV vendors release patches to update them.

In the interest of fairness, we updated all our scanners a few days before we received the virus payload to see which viruses each company caught without outside help.

We thought this was better than simply getting hold of the wildlist, which all AV vendors have access to, as virus writers don't wait until their viruses appear on this list before unleashing their latest deadly creation.

COMMAND SOFTWARE
COMMAND ANTI-VIRUS

Command AV certainly shows its mettle when it comes to its detecting capability, a much-needed part of AV software. We were disappointed with the management software, however. While most of the scanners on review provide a clean interface from which remote installations take place, via a direct connection or automatically modifying login scripts, Command provides a far more manual approach.

The first task we faced was installing the central management software, CSS Central. Judging by the other software being tested, we thought this was the right place to start. We were wrong.

A menu titled 'remote installation' seemed a logical place to begin, but it only had a single option to email an installation file. We tried to use this anyway, but the software threw up an error message telling us that the remote installation directory was invalid. No matter how many times we tried to change this, the settings never held, and we were confronted with the same message.

In the end we gave up and searched the manual for a clue. Under the remote installation option, we finally found what we were looking for. For Windows 9x machines, the standard installation method is to use a batch file named 'onedisk.bat'. This, in addition to editing an installation .ini file, sets up the product according to administrator preferences.

The file can then be called from a login script for installation onto all machines on the network.

For Windows 2000/NT machines, the manual recommends using the default Windows installation method through an executable called msiexec. This is a command line based affair and doesn't make it easy to distribute the software.

Through a combination of both methods, we sent the packages to our client machines. We turned to CSS Central to see what management options were open to us, but again we were disappointed. First we had to import a list of computers in our test domain and then import the configuration files. Once this was done, selecting any machine displayed its current configuration.

Bizarrely, the intuitive method of double clicking an option to change it does not work. Instead, the right-click menu is used to do the job.

Once the updates have been made, the configuration must be manually uploaded to a machine for the changes to take place.

This is not the only problem we found, as the software has a lot of legacy components in it. For example, all of the file browser menus are the old 16-bit versions that don't support long file names or network connections unless they're mapped to a drive letter. As the system that improved on this, Windows 95, is almost six years old now, we can't think of any reason for this throwback.

In the software's defence, the client software is actually very good. It is easy to schedule scanning tasks via the system tray icon.

In our tests, the software scored a 93.77 per cent detection success. The software provides a DLL file that can be called from other programs such as email servers, making this a worthy gateway product.

However, in the enterprise, there are a lot of applications with far better management software, and in an environment such as that, this will often swing the vote.

PRODUCT INFO: COMMAND ANTI VIRUS: £185 (5 USERS)
Command Software 020 7931 9301
www.command.co.uk
Management **
Detection ****
Features ***
OVERALL RATING ***

PANDA SOFTWARE
GLOBAL VIRUS INSURANCE

Panda Software ran into trouble with the AV community recently when it failed to hand over samples of a new virus. This is surprising for this particular company, which takes a unique view of AV software.

As well as providing daily updates, the company will take a sample of a new virus from an existing customer and return a patch for it within 24 hours. This doesn't mean that the desktop software is any slouch, as we found out with the Platinum version. It comes as two basic packages: Platinum and Lan. Platinum adds support for internet gateways and mail servers such as Notes and Exchange. We paid most attention to Lan, as this is the front-line machine protection.

The first thing to do was get the software up and running with the least amount of hassle. Fortunately, Panda's administration software is really excellent.

Running on a Windows computer, this console can be installed anywhere on the network. Its first task is to detect all the machines on the network, so the desktop package can be distributed. For NT machines, it's just a matter of selecting them and hitting the install button. Provided administrator privileges are available on the machine, the process is automatic.

Even better is the fact that the installer asks how the remote installation should be configured. For example, should a task-bar item appear? And should it notify an administrator if a virus is found?

Hitting the 'set as default' check box will maintain the settings for all further installations of the software.

This basic method is best used to get the first couple of servers up and running. You can then move on to installing the workstation package, by either a direct installation on to Windows 2000/NT machines or automatically modifying login scripts for other platforms.

Installation via the latter associates new installations of the software with a server and acts as a way to group clients together. This makes management easier, as the software changes from a per-machine to a per-group entity. For the most part it means that a task need only be performed once, and the whole group is updated.

As with other software in this test, updates are best handled centrally via the server. This works by telling the client installations where they should look for the updates and how often. The default is to look in a special directory on the server, but there's no default schedule to govern how often they should do this.

The task instead falls to the administrator in a two-part fashion. First, the server needs to be scheduled to update from the main website. Second, the clients need to be scheduled to update from the central server.

The only task left is likely to be configuring the scanners to run to a schedule. Unfortunately, the administration software makes this a little harder than it should be.

We had trouble performing the operation on a group level, and instead were forced to individually select machines that we wanted to deal with. Aside from this, the package offers good management to sit over a respectable scanning engine - a score of 91.6 per cent in our tests.

The 24-hour virus guarantee makes this a worthy package to consider in critical situations.

PRODUCT INFO: PANDA GLOBAL VIRUS INSURANCE £250 (5 USERS)
Panda Software (01372) 824278
www.pandasoftware.com
Management ****
Detection *****
Features ****
OVERALL RATING ****

SYMANTEC NORTON
ANTIVIRUS CORPORATE EDITION

Symantec, and its Norton AntiVirus Corporate Edition, took the coveted Editor's Choice award in our AV benchtest last year because of its superb management software and a high virus detection rate. A year after we first looked at the software, we were relieved to find it still incorporated the elements that made it a winner.

The software works on a component basis so that the enterprise-wide virus scanning task can be spread throughout different computers. The components are: the system console, server AV protection, client AV protection and the quarantine server.

The console is the central point of management for all the other components and is based on the Microsoft Management Console. This allows it to sit on any computer in the network. The quarantine server is used to house any virus that one of the scanners picks up and can be situated anywhere on the network.

The remaining part of the package does the virus scanning. Both the server and client versions of the software give real-time file system protection and a scheduled scan ability. Conceptually, they remain different.

In the hierarchy of the software, a server sits above the clients that are associated with it. These clients then communicate with the server. While this may sound complex, getting the system up and running is surprisingly easy. First, the management elements should be installed onto a local machine via the provided CD. After this, the remaining tasks are all performed remotely.

Using administrator privileges on Windows NT or 2000 machines, a remote installation can be directly performed. This is just a matter of selecting machines from a domain view and telling them which servers they should be associated with.

For Windows 9x machines, the job is a little harder, and the best bet is to perform a remote installation by modifying login scripts. Fortunately, the software is intelligent enough to install with default options that prevent users from seeing the scanning software. The system tray icon is invisible, and the user can't disable any part of the scanner.

Control can be given back to the user, but only through the management software. Administration from here can be performed on a machine or group basis. For example, we placed a scheduled scan of all hard drives on our group of client machines.

Perhaps the most important task of management software is to manage how the virus definition updates are performed. It's a waste of Wan bandwidth if all clients update from the Symantec servers. The alternative is to let the servers update and distribute the updates from there.

This is the default method that Norton has set up, although it can be changed to use the Norton LiveUpdate utility. This utility automatically connects to the Symantec server and downloads the latest updates. It's a superb piece of software and can be edited to operate on a schedule.

In our tests, the software detected 94.87 per cent of the viruses successfully, proving how good it is.

PRODUCT INFO: SYMANTEC NORTON ANTIVIRUS ENTERPRISE EDITION £214.30 (10 USERS)
Symantec (020) 7616 5600
www.symantec.com
Management *****
Detection ****
Features *****
OVERALL RATING *****

F-SECURE
ANTI VIRUS

The F-Secure offering is really a suite of security tools that includes an AV product. This setup means that every component in the suite can be managed through a single management server - policy administrator - running under IIS. The server is then accessed via a Java-based management console, which can happily sit anywhere on the network.

It's this console that is used to manage the distribution of software packages across the enterprise. As with the other products in the test, F-Secure works best if running under Windows NT/2000, as administrator privileges mean that the AV client can be automatically copied to a machine.

Other operating systems, such as Windows 95, require modified login scripts.

We found that the default distribution settings give the user complete control over the software, which is a bad idea. To change this, the remote installation wizard needs to be used to create a custom software distribution.

Alternatively, the management console can be used after installation to change the settings.

In either case, the basic management principle remains the same: machines in the console are logically grouped together for easier management. This gives an option to manage on a group or single machine basis.

This works by saving the changes as a policy file which is then distributed across the network. In the event of a machine failure, the default configuration can quickly be distributed to return the network to its normal status.

Using a tree menu, it's easy to drill down to the component that needs to be managed. For example, we turned off the real-time file system protection on all of our test machines.

Editing options was also very easy. The only problem we had with the software was its presentation. The console is Java based, and on our Windows NT machine, it couldn't resolve the display properly. For example, the restrictions button that appears on most of the screens always read 'restric'. It's only a minor point, but sufficient to make managing the system far more difficult.

It's also difficult to remember that policies need to be distributed to take effect. On quitting the console, the software only queries if you want to save the policy; it won't automatically send it out.

Satisfied that the management software was up to scratch, it was time to look at the virus scanning capability. First, we had to distribute the latest updates, which is done via the management console to save on Wan bandwidth. We scanned our directory of viruses, and F-Secure correctly identified 99.63 per cent - the highest score in the test. This is a very competent system, with decent, although not the best, management tools.

PRODUCT INFO: F-SECURE ANTI-VIRUS £375 (5 USERS)
F-Secure 01223 478800
www.f-secure.com
Management ***
Detection *****
Features ****
OVERALL RATING ****

NETWORK ASSOCIATES
MCAFEE

Network Associates has had a rough ride recently, with repeated attempts to reorganise the company. Despite this, it still has some worthy products on offer, such as McAfee Active Virus Defence. This is the enterprise version of the well-known Dr Solomon's tool. The difference is that the McAfee branded version offers a management console.

This was our starting point, which we installed on to our domain controller. The process is an in-depth one, as the console needs to know where the client installation files are kept for remote distribution. While this involves setting up network shares on the server machine, the installation procedure makes this easier by doing the job automatically.

With this stage complete, we fired up the console. This presented a two-windowed view. The left panel is used for a tree structure, housing the layout of the network, while the right is for displaying information.

The first task was to create a virus domain. Conceptually, this is a grouping of machines under a server that is responsible for managing updates and warning messages. Once created, it's a matter of dragging and dropping computers from 'Network Neighbourhood'. Of these, one has to be designated as the server machine and is installed with a server management component.

Installation of the client software is now performed. Each domain has a list of default settings for each OS version of the software. Administrators can change these settings easily - including system tray visibility - before sending out the distributions.

There is a choice of how to perform remote installations. For NT/2000 machines, an installation can simply be pushed across the network. For Windows 9x, this doesn't work, so we had to get the console to automatically modify login scripts.

Once all the machines on the network have the client software installed, it's time to start managing them. Using the domain structure we could apply tasks, such as a scheduled scan, to the whole of a domain. The only part of the software that isn't clear is management of scheduled updates to the virus scanner.

The online help is very vague about the correct method of doing this. After investigating, we found that all members of a domain are configured to automatically update from the server machine. This means that only the server machine needs to visit the web to update, and all the client machines will follow.

This does highlight one of the major drawbacks of the management software: not all of the functions of the client distributions can be easily modified remotely. This is unfortunate, as the console is otherwise one of the easiest applications we used.

After performing the update, we pointed the virus scanner at our test files. The scanner successfully picked up 94.51 per cent. This further highlights the calibre of the software, which has a decent management utility in addition to quality virus detection.

PRODUCT INFO: NAI MCAFEE ACTIVE £385 (5 USERS)
Axial Systems (01628) 418000
www.axial.co.uk
Management ****
Detection ****
Features ***
OVERALL RATING ****

COMPUTER ASSOCIATES
INOCULATEIT

CA's entry into the AV field, InoculateIT, is aimed predominantly at the Windows-based network. It's also compatible with CA's Unicenter, which is included on the CD - this offers network management on a par with HP's OpenView.

Installation of the product for Windows NT/2000 was a straightforward affair, as the software comes with a remote installation package. Other clients have to be installed either through a modified login script or manually.

We would suggest modifying the login script, as a program called avupdate.exe can then be used to keep the scanner up to date. The only thing that we couldn't find was a method of customising the payload to meet the local security policy.

Once the system is installed, it's time to switch to the management software. On first loading, it presents a choice of tasks: domain manager or local management. Local management deals specifically with the machine at hand, while domain manager is designed for the whole network. We picked domain manager and continued to a rather dated-looking interface.

A tree menu runs down the left-hand side of the screen and is used to navigate through the managed machines, which can be organised in two ways: point-to-point or AV domains.

A point-to-point connection is used to connect to a single machine, such as a server, and manage just that one object. Domains, on the other hand, are used to group together machines and manage them as such. Each domain has a server, the master computer, which is in charge of that domain.

Machines will update from this. The domain structure is more useful when it comes to assigning jobs and schedules, as they can be applied to a domain or single computer.

The console is not very intuitive. For example, the tool bars don't have pop-up help to explain what the icons mean, and there are no right-click shortcuts for tasks. All options must be selected manually from the menus.

The software does allow management on a domain level for updates. In fact, the only tasks that we couldn't perform on remote clients were restrictions.

Performing the update manually, the scanner successfully detected 94.87 per cent of our test viruses, placing it, in detection rates, near the top of the stack.

PRODUCT INFO: COMPUTER ASSOCIATES INOCULATEIT: POA
Computer Associates 01753 241970
www.inoculateit.com
Management ***
Detection ****
Features ***
OVERALL RATING ***

Top tips when installing AV software

AV software is worth having at both the gateway - email, proxy servers etc - and desktop levels. Choosing packages made by the same company may not be the best idea. Different vendors update at different times, and they are usually all capable of detecting viruses that other companies can't. We'd suggest mixing the manufacturers of the gateway and desktop software.

Another important area is updating the software. In vital areas, such as the company's gateway, updates should be performed as regularly as possible.

The best protection is ensured via the combination of the newest signature files and scanning engine. The recent virus scare, where viruses hid inside Mac Office 2001 documents, was only rectified by an update to the scanning engine.

CONCLUSION

When we embarked on this test, we sourced a number of new viruses that had only just been caught in the wild. We then downloaded the virus updates from each vendor on exactly the same day, which would give each company very little chance of successfully catching them all.

This was evident in the results, where scores as low as 87 per cent were recorded. Of course, in the real world, this would not be so bad, as the majority of users would have time to install the relevant patches before the viruses hit - and this is worth taking into consideration. Although F-Secure caught nearly all of the viruses, we decided to give the Network News Editor's Choice Award to Symantec.

Norton AntiVirus is an extremely mature piece of software that won the award this time last year. We were pleased to see that the company has held on to its roots and has only made minor changes to the management. This, combined with impressive detection rates, won the day.

This is not to say, however, that we were not impressed with F-Secure. The extremely high detection rate, mixed with good management software, very nearly stole the show.

In the end, it was only a few minor problems that convinced us to give it our Recommended Award instead.

Verdict

Norton AntiVirus is an extremely mature piece of software that won the award this time last year. We were pleased to see that the company has held on to its roots and has only made minor changes to the management, so once again we give it the Network News Editor's Choice award.
F-Secure impressed, however, although a few minor problems left it with our Recommended award instead.
