As trusted advisors to our clients, we are often asked for advice on desktop and server anti-virus products. Given the increased malware threat to computers and the exploding number of vulnerabilities in desktop applications, protecting against malware is a top concern in a lot of companies.
Last year Microsoft released their Forefront Client Security (FCS) 1.0 product, which is their first venture into the desktop and server OS anti-virus space. I’ve had some experience with Windows OneCare in a home environment but hadn’t given FCS a spin around the block to see how it compares with other, more established vendors.
At my previous job I used Symantec AntiVirus Corporate Edition 9.x, so I will make some comparisons in the review. Since then Symantec has released a much more full-featured AV client called Symantec Endpoint Protection 11.0, so my comparison may be a bit dated.
FCS Installation
Installation of FCS is quite involved, consists of many pieces, and took me several hours in a lab environment. It is not your typical single-wizard deployment. Microsoft provides deployment guides for one-, two-, three-, four-, five- and six-server topologies. Given that each topology has its own dedicated guide, you can imagine how complicated it is. See planning and deployment information here.
For simplicity, I stuck with the one server scenario. This required installing:
- All current OS security patches (should be standard practice)
- IIS 6.0 and ASP.NET
- SQL Server 2005 with SP2, plus Reporting Services
- MMC 3.0
- GPMC with SP1
- WSUS 3.0 with SP1 (plus configuring synchronization with Microsoft Update)
- Forefront Client Security package
It took me several hours, mostly due to SQL Server 2005 and its service pack. It also requires a couple of service accounts, of course. One very surprising fact is that FCS installs MOM 2005 under the hood. I was very surprised at this, since it didn’t seem logical that an anti-virus product would need MOM. It also could create complications if you are running Microsoft System Center Operations Manager 2007, since the agents would need to co-exist. My lab didn’t have OpsMgr 2007, so I avoided any possible conflicts.
Configuration
To deploy FCS to computers you have to set up a Deploy policy. Here, Microsoft gives you several options. You can select the OUs, GPOs, or groups that should receive the FCS client. However, you can’t really monitor the deployment status to see in real time how many agents are getting installed. In the Deploy policy you can configure settings such as virus protection (on/off), spyware protection, the malware scanning schedule, overrides, exclusions, etc.
I did notice a lack of granularity in the client configuration settings. The local user on the client can either be prohibited from viewing any settings at all or be limited to viewing settings. With Symantec you can lock or unlock nearly every possible client option, so you can give some control to the local user but keep required settings locked down. You could even deploy various groups of settings, so that clients could be really locked down while servers would allow administrators to change some settings. FCS does have an option to allow users to add exclusions and overrides, which is set at the policy level.
FCS allows for multiple policies, so various classes of clients/servers can get different settings even if those settings aren’t that granular. Some products like Symantec let you create AV management groups and manage them separately from AD. If an organization’s AD is logically structured, it probably makes more sense to leverage AD, which FCS does pretty well. The versions of Symantec I used were not AD-aware, so FCS has a leg up here. I would hope that Symantec Endpoint Protection 11.0 is AD-aware, but I haven’t seen it in action.
In a company with highly mobile employees that may not be on the corporate network very often, relying on WSUS and GPOs for policy deployment could be a problem and should be taken into consideration.
Reporting
FCS uses a combination of SQL Server 2005 Reporting Services and its own console to report on FCS status. The main dashboard shows critical issues, computers with no issues, and computers that are not reporting. There are also more in-depth reports you can open, which directly use the SQL Reporting Services server.
Overall, I’d say the reporting is pretty good and has some nice bar charts and other eye candy for management-type folks. It is better than the older Symantec products, which had virtually no graphs or fancy reports that management folks could easily understand. It appears from the Symantec site that their 11.0 product has robust reporting and eye-pleasing charts.
The Client
The FCS client looks very similar to Windows Defender or OneCare. It provides the antivirus and antispyware definition dates, last scan time, and other tidbits of information. It does NOT show which WSUS server is providing the updates. You can view exclusions, which is nice. Nothing too exciting, but not bad either.
Since FCS depends on WSUS for updates, this can add a layer of complexity to troubleshooting issues or large geographical deployments. In addition to being familiar with the FCS console to monitor client status, you also need to be familiar with WSUS in case you run into problems with definition updates. I have nothing against WSUS, but it does make the product a bit more complicated than monolithic products.
You also have to ensure that each client has a unique WSUS registration ID, otherwise clients will not get updates. Generally this is not a problem administrators need to fix, but if you use image cloning techniques such as NewSID you may run into it. It is likely that images made via the Microsoft-approved method, sysprep, would not experience this issue, but I haven’t personally tried it.
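Because the FCS client does not show which WSUS server it is pointed at, and because cloned clients with a duplicate WSUS registration ID silently stop receiving definitions, a practitioner wants a quick way to read both values and to reset the ID on an affected machine. The PowerShell below is an added example and not code from the original post or from Microsoft. It reads the standard Windows Update registry locations (the policy key carries the WUServer/WUStatusServer values set by the FCS/WSUS Group Policy; the client key carries the SusClientId the WSUS server uses to identify the machine), groups IDs collected from several machines to spot duplicates, and resets a duplicate by removing the ID and forcing re-registration. Running it elevated on the client and PowerShell 2.0 or later are assumptions; the function names are my own.

```powershell
# Added example (not from the original post). Assumes an elevated prompt on the
# client and PowerShell 2.0+. Registry paths are the standard Windows Update keys.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-WsusClientInfo {
    # Reports which WSUS server this client pulls definitions from and reports
    # status to, plus the SusClientId that must be unique across the fleet.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $client = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $policy.WUServer        # update source (from Group Policy)
        WUStatusServer = $policy.WUStatusServer  # where client status is reported
        SusClientId    = $client.SusClientId     # WSUS registration ID
    }
}

function Find-DuplicateClientIds {
    # Takes objects with ComputerName and SusClientId (for example, the output of
    # Get-WsusClientInfo collected from several machines) and returns the IDs
    # shared by more than one computer: those machines will not get updates.
    param([Parameter(Mandatory = $true)] $ClientInfo)
    $ClientInfo | Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SusClientId = $_.Name
                Computers   = ($_.Group | ForEach-Object { $_.ComputerName }) -join ', '
            }
        }
}

function Reset-WsusClientId {
    # Clears the cloned ID so the client registers with WSUS under a fresh one.
    # SusClientIdValidation is only present on newer clients; removing it when
    # absent is harmless.
    Stop-Service -Name wuauserv -Force
    foreach ($name in 'SusClientId', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $clientKey -Name $name -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    # Re-register with the WSUS server and trigger a detection cycle.
    & wuauclt.exe /resetauthorization /detectnow
}

# Constructed sample of what collection from three machines might look like;
# the third client has the same SusClientId as the first (a clone).
$sample = @(
    (New-Object PSObject -Property @{ ComputerName = 'WKS01'; SusClientId = 'aaaa-1111' }),
    (New-Object PSObject -Property @{ ComputerName = 'WKS02'; SusClientId = 'bbbb-2222' }),
    (New-Object PSObject -Property @{ ComputerName = 'WKS03'; SusClientId = 'aaaa-1111' })
)

Get-WsusClientInfo | Format-List
Find-DuplicateClientIds -ClientInfo $sample | Format-Table -AutoSize
```

In practice you would run Get-WsusClientInfo on each suspect client (or remotely, via whatever remote execution you already use), feed the combined output to Find-DuplicateClientIds, and run Reset-WsusClientId only on the machines it flags; after the reset, the client should show up in the WSUS console under its own name within one detection cycle.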
Overall Impression
Microsoft chose to use a combination of existing products, such as WSUS, MOM 2005, SQL reporting services, pieces of Windows Defender and the OneCare client. As a result, I think the product is more complicated to install and maintain than competing products.
Having the MOM 2005 console in addition to the FCS console is also somewhat confusing and is my biggest sore point with FCS. While MOM 2005 (and Operations Manager 2007) are great products and I strongly recommend them to clients, having a dedicated MOM instance for FCS is a puzzling requirement. If you have already deployed OpsMgr 2007, this would require doubling up agents and running a separate MOM 2005 console.
Recommendations
If an enterprise has Enterprise CALs, then FCS is included at no additional cost. If you don’t have ECALs for your clients, then pricing information can be found here. All environments are unique, and I always recommend that various vendors be brought into a lab environment for a ‘bake off’ of their products. Anti-virus is no different: FCS may work great for some companies, or another product may better fit the business and technical requirements. If you have to purchase an AV product, then doing a hands-on comparison is even more critical. If cost is a primary concern and you have ECALs, then FCS may well be a good fit.
You might also take a look at this recent Gartner magic quadrant of the endpoint protection market. The full reprint can be read here, which I really recommend.
Future
Microsoft has recently started a TAP (Technology Adoption Program) for FCS 2.0. I have not seen what enhancements 2.0 brings to the table, but I hope they will make installation and daily administration easier. Removing the dependency on MOM 2005 would be a welcome change. In addition, better granularity in controlling client options would be a benefit in larger organizations.