Sophos SBE: anti-virus and anti-spam for small businesses
January 14, 2007
Sophos Small Business Suite – Engineered for small businesses
- Includes Sophos Anti-Virus Small Business Edition and Sophos PureMessage Small Business Edition
- Detects and disinfects viruses at every potential access point, ensuring networks are fully protected
- Blocks up to 98% of spam, keeping inboxes free of unsolicited bulk emails
- Updates automatically, providing a complete defence against the latest virus and spam threats
This product is squarely aimed at the small business IT administrator who wants a neat, simple solution to address their concerns about viruses, and the issues caused by the ever-increasing volume of spam email.
The concept of an all-in-one product sounds appealing, although some might argue that this deviates from a “best of breed” approach (more on that later). Similarly, most administrators (of large and small networks) want to be able to set something up, configure it and then touch it as infrequently as possible. They need protection from all the nasty malware and want to avoid filling their email systems with undeleted spam, but at the same time do not have time to spend maintaining this level of service to their users. “Fire and forget” is the requirement here, and Sophos Small Business Suite delivers it.
Before I look at the product itself, some background information about the versions and licensing, since these are key factors in deciding between similar products.
The current version of Sophos Anti-Virus Small Business Edition is v.1.0.2, which has been around since 2004, although of course like any anti-virus (AV) product it is regularly updated to tackle new types of malware and specific definitions of known viruses. This is the part of the suite which covers “traditional” AV for desktops and servers (such as file servers).
The other half of the suite is PureMessage, which provides anti-virus scanning for SMTP and NNTP traffic as well as within an existing Exchange information store. It also includes a flexible anti-spam solution. The version of Sophos PureMessage Small Business Edition which was shipped with this is also v.1.0.2, but a newer version (v2.5.1) was released in January 2006 and is available as a download for registered customers, so existing users can benefit for free. This also highlights a key stage in the product’s development – the version numbering is being brought into line with the enterprise-class Sophos PureMessage solution because it includes the same feature set as that edition.
Sophos Small Business Suite provides a number of tools to enable network administrators to better protect their systems, including:
- Anti-virus software for servers and desktops
- Central management console to deploy AV and updates to machines, and check on status
- Anti-virus and spam filtering for email – SMTP and existing message stores
- Messages can be deleted, quarantined or flagged according to customised rules
Supported operating systems: Windows 98 / ME / 2000 / 2003 / XP Home / XP Pro / Mac OS X 10.2+
Supported email servers: Exchange 2000 / 2003 on Windows 2000 / 2003 with IIS
Like most such products, Sophos SBE comes with subscription options from one to five years, which include not only virus definition updates but also real version upgrades and unlimited 24/7 support. This is where you can make good savings by making a long-term commitment: two years costs just 1.5 times the one-year price, with similar discount levels through to five years at only 3 times the one-year price. Similarly, you save 20% by buying the suite rather than the separate products. Recommended pricing for the SBE suite is £449 / US$639 for ten users for one year; you will find slightly cheaper deals depending on your reseller or online vendor, and, as mentioned, you should pay attention to the subscription length as that has the biggest effect on the cost. You don’t have to pay an inflated price for servers either (as with some corporate AV): they are just ‘regular’ seats as long as they do not represent more than 10% of the installed base (or a single server), and in the type of environment this product is aimed at that is likely to be more than adequate.
The anti-virus and message management components of the suite are installed separately. While this may be a little long-winded for firms using an all-in-one solution such as Windows Small Business Server, it makes sense since the configuration options are entirely different due to the nature of the products. I had no real difficulties installing on both Windows Server 2000 Standard, and SBS 2003.
During installation it creates two service accounts – you get a prompt when it does this but no assistance to explain exactly what they are used for or what rights or group memberships will be assigned to them. Personally I have some issues with this, as I feel I should not have to dig through the documentation to see what possible holes are being created in system security. I realise, however, that in the target market for this there will be those who just want to get on with it and not worry about such details, so it is arguably a reasonable approach to take.
The Sophos Control Center for managing your clients is started at the end of the installation, and a wizard takes you through the initial stages: configuring update options, discovering clients on the network, choosing which ones to install to, and then remotely deploying the client software and the update agent depending on the configuration choices you make.
The PureMessage component is similarly very easy to install, although there is much less “prompting” about how to configure it, such as a wizard showing you all the areas to consider. The basics are there, so you would have AV protection and basic, unconfigured spam filtering from the outset. I wonder how many people will leave everything at the defaults and then wonder why it is not giving them the results they expect.
Usability for administration
The Control Center can be installed on an admin desktop as well as on the server which runs the updating service, to make daily checking or maintenance easier. A nice colour-coded system is used to show machines which are fully up to date, out of date or not managed, and any specific alerts for each machine are shown in a bottom pane. You are also shown whether the on-access scanner is currently running or not. You can easily force an immediate update to one or more machines you choose (for example if you know there is a new update which you urgently require to counter an outbreak). Overall this is a well laid out and simple tool to use, and for the time-pressed admin it is an easy daily check – all green is good.
One of the nicer features of the update method (configured during initial installation but easy to get at from the console) is that you can specify alternative download locations for clients, including going directly to Sophos when your server is unavailable, such as for users working from home.
If you use Windows Firewall (or any other client-side software of this type) you will have to configure it to allow the update service (RouterNT.exe) to fetch updates, otherwise it will install the AV product OK and run the on-access scanner but won’t update – such machines will show in the console as “unmanaged”. I was slightly disappointed that the advice on Sophos’ support pages for dealing with this only describes how to do this manually on each machine, and does not even hint at the possibility that this can be done centrally using Group Policy. While I realise a step-by-step for configuring GP would be impractical since all AD environments differ, some mention of the principle, and of where to find the relevant GP settings would have been a useful pointer for the typical admin in this market who may not be familiar with these ideas.
The console for PureMessage is an MMC snap-in, although there are a couple of oddities to it, such as the “apply” and “reset” buttons right at the bottom of the screen. These are very easy to overlook, especially when using a remote desktop session to check or change the configuration (as is fairly common practice for a lot of system administrators). This is especially problematic because you can change tabs and it remembers the changed, but not yet applied, settings on a previous page; you can still reset back to the current running configuration, but this undoes the changes on every tab, and this is definitely not obvious. Closing the console applies the changes without any further prompt, which I think is risky. For the target market, this needs to be made more ‘fiddle-proof’. If an inexperienced admin has changed some things and is not sure what they have done, it is quite possible they would close the console thinking “at least I did not apply the changes so it will be OK”. Maybe an MMC snap-in is not the right platform for this tool, and a more interactive application which prompts on exit would make sense.
Usability for users
If your users do not have admin rights to their machines then they cannot change or configure the on-access (background) scanner, nor schedule periodic scans, which is probably no bad thing. They can launch the Sophos AV software locally and run an immediate scan – by default this would be of local fixed disks, but they can also choose other drives such as CDs or browse to scan just a particular folder. While they can configure certain options such as whether to scan inside archives, they cannot change centrally managed things such as the list of extensions to include, or files / folders to exclude from scanning. I was surprised to find this was not exposed through a more user-orientated right-click context menu in Explorer, such as a “Scan this folder with Sophos Anti-Virus” option, since some of this is non-obvious for users; but with the on-access scanner running there should be little need for them to use this very often. However, it is useful for a desktop support person to be able to get at this easily without having to log on as admin.
A quick note about the executable extensions list. There are two key factors which help Sophos to detect viruses regardless of this list. Firstly, you can choose to detect that a file is executable based on its content rather than its (possibly fake) file extension. Secondly, it seems very good at doing this within a variety of archive files, even when nested. Renaming an archive file to the wrong extension does not make much difference either, so Sophos give you more peace of mind that it is very hard for any malicious files to get past your defences using this sort of technique.
The PureMessage spam filtering function is very flexible, allowing you to alter the levels at which it will mark emails as suspected spam or definite spam. You can choose whether or not to indicate this in the subject line of the email (to enable users to filter them into folders, for example, or to take more care when opening). The handling of spam and viruses is customisable to determine whether mails are deleted, quarantined and / or delivered. All of this customisation is great, and is far beyond most other products in this class.
However, the big problem is that for all this customisation it does not seem to stop, or even suspect, some mails which seem quite obviously spam, whereas Outlook 2003 happily picks them out without breaking stride. These are mainly emails with subjects like “TheMicroCapJournal revaporize darii nasalization”, body text in gibberish (“hippoglosinae unaffirmation engastrimythic cantankerous unwarlikeness thamnium”) and the “real” part of the mail embedded in an image. This is certainly not a new technique, and I would have hoped that these would be easy enough to spot, when this particular example only received a “spam score” of 32%. Maybe checking the average word length would help – in English usage, anything over 10 (as in this one) is an obvious attempt to fool a Bayesian filter. Bringing the levels down to include all these mails would increase the false positives too much (I tried with levels of 20% and 70% for a week).
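The average-word-length check suggested above, as an added example (not part of the original review and not Sophos code); the sample messages are constructed from the text quoted in this paragraph, and the threshold of 10 is the one the review proposes:

```python
import re

# Constructed sample built from the review's quoted message: the visible text is
# dictionary-dredged gibberish and the real pitch is in an attached image.
SPAM_SUBJECT = "TheMicroCapJournal revaporize darii nasalization"
SPAM_BODY = "hippoglosinae unaffirmation engastrimythic cantankerous unwarlikeness thamnium"

# Constructed example of ordinary business English for comparison.
HAM_SUBJECT = "Minutes from this morning"
HAM_BODY = "Please find attached the minutes from this morning's meeting."

# Letters and apostrophes count as word characters; digits and punctuation do not.
WORD_RE = re.compile(r"[A-Za-z']+")


def average_word_length(text: str) -> float:
    """Mean length of the alphabetic tokens in text; 0.0 when there are no words."""
    words = WORD_RE.findall(text)
    if not words:
        return 0.0
    return sum(len(w) for w in words) / len(words)


def looks_like_poisoned_spam(subject: str, body: str, threshold: float = 10.0) -> bool:
    """Flag a message whose subject+body average word length exceeds the threshold.

    Running English averages well under 10 characters per word; a run of random
    long dictionary words chosen to defeat a Bayesian filter pushes the mean
    above it. A message with no words at all (image only) averages 0.0 and is
    deliberately not flagged here, since that case needs a separate rule.
    """
    return average_word_length(subject + " " + body) > threshold


if __name__ == "__main__":
    for label, subj, body in (("spam", SPAM_SUBJECT, SPAM_BODY), ("ham", HAM_SUBJECT, HAM_BODY)):
        avg = average_word_length(subj + " " + body)
        print(f"{label}: average word length {avg:.2f}, flagged={looks_like_poisoned_spam(subj, body)}")
```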
On the plus side then, when the filtering works it does what you need: gets rid of obvious stuff completely and gets the rest out of the way, either to quarantine or into users’ folders. It just needs some improvements in the engine to be a little smarter.
Overall, as a suite of products this performs very well and is ideal for the target market. Essentially it does what it is designed to do and keeps it simple, ensuring it is easy to set up correctly.
It allows an administrator to centrally manage their virus protection for both email and desktops, including remote workers. It is only let down by the variable performance of the spam filter and by still having two consoles for management which makes it ‘feel’ like two separate products. Despite these minor things, I would highly recommend this as a great solution for small businesses, and this software suite gets a well-deserved 8/10.
This review is © Adam Vero 2006 and was first published on Security-Forums Dot Com.
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.