> Security Manager > Assess your Antivirus Needs

Assess your Antivirus Needs

Catalog environment details

To understand potential points of failure, you must first catalog the environment where you will be deploying AV Defender.

Consider the following questions to help you to understand the environment:

  • What is the current antivirus solution?
  • How many workstations will I need to deploy AV Defender? Understanding the number of workstations that you are deploying AV Defender to will help you to evaluate the amount of work required.
  • How many remote users access the network? Remote users can be a challenging issue. You will require their assistance in the case of any issues or problems. Knowing the number of remote users will assist you in planning the deployment.
  • What is the physical map of the network environment? To reduce bandwidth usage, it is strongly recommended that you use a Probe and an update server deployed in every physical location. For example, if you have five sites then you would install one update server and one Probe(at a minimum at each site. This will ensure that all of the computers you are managing do not download updates from the external cloud.
  • How many servers are there?
  • What is the function of each of the servers?
    • Documenting the servers in the network environment and their individual functions will allow you to decide what will be the new deployment order of your modified environment.
    • It is strongly recommended that you first deploy AV Defender to servers whose applications are not resource-intensive (for example, file servers and domain controllers).
    • Deploying AV Defender to Exchange servers, SQL servers, and database servers should be left until you are deploying to the final group of servers.
  • What applications are currently installed?
    • Consult the SolarWinds N-able Known Conflicts list.
    • Which of these applications are business critical? For all business-critical applications, it is strongly recommended that you consult with the software vendor's web site in order to familiarize yourself with the antivirus/anti-malware exclusions that are recommended.
    • Which of these applications represent a possible conflict for AV Defender?
  • Do all of the computers to which AV Defender will be deployed meet the minimum recommended system requirements?

Understand potential points of conflict

After you have completely cataloged the environment that you are deploying AV Defender, you can identify potential conflicts much more effectively. The following is a list of potential conflicts categorized by type. Review this list and determine if any of your installed applications match any of the categories described below. If so, you will need to configure appropriate exclusions when you deploy AV Defender.

Competing security applications

The most common cause of performance issues is competing security applications or the remnants of security applications that continue to affect your network. If you have any applications that resemble the following descriptions, it is strongly recommended that you either remove the application or research and test the AV Defender deployment in a non-production environment to ensure that no points of conflict exist.

Category

Description

Competing Antivirus Applications

A competing antivirus application is one that performs antivirus functions on the device similar to those carried out by AV Defender. For a product to fall into this category, it must run actively on the device. Examples include Symantec AV and Kaspersky.

Competing Anti-malware Applications

Anti-malware applications perform real-time or scheduled anti-malware scans. Although AV Defender is seen primarily as an antivirus application, antivirus and anti-malware functions have become synonymous over time. These applications represent a conflict with AV Defender. Examples include Spybot or Malwarebytes.

Competing Firewall Applications

These applications perform firewall and traffic inspection functions on the computer. They can exist as a standalone application or bundled with VPN or other applications. These applications represent a conflict when you are using the AV Defender Firewall module. If you do not use the firewall module, this may not be considered a conflict however it is strongly recommended that you create exclusions for the application in question. Examples of firewall applications include ZoneAlarm, Windows Firewall, and Fortinet Security Software.

Database Applications

Applications that utilize a database or that administer a database represent a potential conflict with AV Defender. It is important that you add exclusions to the database files themselves as removal can corrupt the package. Process exclusions should also be created for the database application if it is resource-intensive. Examples include SQL and Quickbooks (which utilizes a database).

Network Intensive Applications

As with most security applications, AV Defender scans incoming and outgoing network traffic from both a behavioral as well as a signature standpoint. As such, it is strongly recommended that you create exclusions for these types of applications proactively, otherwise, performance may be affected. Examples of this kind of application include Vulnerability Scanners and Timerline.

Understand protection needs and SLAs

There are two aspects to the service that must be considered when you are pricing and planning your antivirus offering: the cost of software and hardware and the cost of labor.

With AV Defender, SolarWinds MSP makes the cost of software both easy and predictable as you simply pay for the number of nodes you have provisioned regardless of the features that are enabled.

The cost of labor can be somewhat harder to predict and must be based on your previous experience in maintaining and administering antivirus solutions.

Labor costs will change based on the features that you have deployed. With each feature that you deploy, you will provide the customer with increased benefits in exchange for adding potential points of failure to the overall solution. For maximum profitability you should ensure that you are providing the service that your customers are paying for and nothing more.

To effectively understand this issue, you will need to determine the answers to the following questions:

  • What are the customer's needs related to antivirus protection?
    • What are their tolerances for various security issues?
    • What is their tolerance for false negatives?
    • What is their tolerance for false positives?
    • What is their tolerance for performance issues?
    • Based on their tolerance levels, you can choose either aggressive or permissive scanning settings.
    • If the customer tolerance for performance issues is extremely low, it is strongly recommended that you first deploy a very lightweight profile and then step it up as time goes on.
  • What are the customer's needs with respect to firewall protection?
    • Do they have a requirement for HIPS? If HIPS is required, the firewall module must be used.
    • Do they have a hardware firewall?
  • What are the customer’s needs with respect to behavioral scanning?
    • Do they have a low tolerance for false negatives?
    • Do they have a high tolerance for false positives?

      If the answer is yes to both of these questions, then they are a good candidate for behavioral scanning.

  • Do my customers want to control user access to websites or applications? If yes, then content control should be provided to the customer.

Based on the answers to these questions, you have a good idea of what your customer's security needs will be. To ensure profitability, only features that are required by the customer and are built into the Service Level Agreement (SLA) should be enabled on the target device.

Build Notification requirements

Notifications are a key part of any managed service offering. To configure notifications to meet the needs of the customer, you must first understand the Service Level Agreement (SLA).

  • What are the SLA obligations regarding actions for unprotected systems? The notifications configured for the AV Defender Status service should match this
    • What are the SLA obligations regarding unresolved infections?
    • The notifications of the AV Defender Security Events service should match this requirement.
  • In addition, you may need to customize the service details to match your customer's expectations for notifications.