
CSS Central:
Solving the Unique Challenges of Centralized Management

By Mary Landesman

The Issues

When properly managed, networks enhance productivity and lower costs by sharing resources throughout the organization. They also pose unique challenges for those charged with administering them. System administrators and network managers must be able to acquire, assess, deploy, and maintain software for all of the domains within their responsibility. In addition, they must act as security managers, providing a defensive strategy against threats from areas such as computer viruses. Complicating matters is the complexity of the modern working environment. Network managers must administer a diverse mix of operating systems, workstations, servers, and users. Each of these has unique requirements which must be addressed in a timely and efficient manner. Often, these requirements must be met simultaneously in order to provide the effective defense required. The security and integrity of domain management present some of the most pressing challenges the network administrator must face on a daily basis. This challenge increases in proportion to the overall number of systems that must be managed.

Alarming Statistics

According to a recent study performed by the Computer Security Institute, 68% of respondents reported financial loss due to viruses. Of these respondents, 42% reported loss amounts totaling in excess of $36 million during the last two years. Conversely, the same statistics show that 96% of participating administrators were using some form of anti-virus protection. The discrepancy between these figures demonstrates that even though an overwhelming majority of administrators are using anti-virus software, a significant number of attacks are still occurring.

These perturbing statistics indicate that the current methods of managing anti-virus software are not sufficient. With over 19,000 known computer viruses and over 250 new viruses per month being discovered, businesses need a proactive management method to ensure total defense compliance throughout their enterprise.

Corporate Anti-Virus Policies

Throughout any organization it is difficult for administrators to achieve and maintain security compliance. To help ensure this goal is met, many corporations have formal security policies in place. Corporate security policies are generally implemented to define the specifics of a particular threat and outline the actions which are to be taken should an attack occur. When implementing policies for virus threats, the ever-changing nature of the viruses themselves, coupled with the cooperation necessary at all levels of the company, makes for a unique challenge.

The criteria for the software selection must be decided upon, the products must be evaluated and, finally, the software purchased. This stage of the process, as it will be dependent upon the operating systems being used, can be complicated by the diverse environments which are found in the modern corporate office. The network manager will be severely taxed if administration of the various platforms is not centralized. The users must be educated as to the proper use of the software. This training must convey the need for the software and subsequent components, as well as its proper use. As many casual users may not be aware of the very real threats involved, they may need additional training on viruses themselves and what steps they should take if one is encountered. However, in spite of the best training efforts, there is no guarantee that the users will maintain optimum configurations or otherwise comply with the anti-virus policy. It is this final factor that poses the most concern for the administrators. To effectively maintain compliance, administrators must be aware of the factors leading to a breakdown in security and the appropriate remedies.

Security Breakdowns

Breakdowns in security happen for a variety of reasons. Users may inadvertently or purposely disable or change settings on their software. This can lead to a lack of adequate protection on the local machine, which then serves as a weak point for the entire network. Administrators, responsible for compliance with in-house policies, need to be aware of those users who have disabled or removed security software. Additionally, they need the tools to prevent users from making such unauthorized changes. This can best be accomplished by providing administrators with a method which will allow them to remotely view user configurations, provide a locking mechanism when required, and re-synchronize settings as necessary.

Another cause of security breakdown stems from users having the incorrect version or out-of-date signature files for the anti-virus software on their system. Unlike conventional software, the anti-virus definition files must be continuously updated to remain effective. Failures in this area constitute one of the greatest risks to the security of the network. Yet many administrators do not update their anti-virus software as often as they should due to time constraints. Even if the administrator provides the updated files in a timely fashion, there is no guarantee the user will implement them. This again emphasizes the challenge of meeting the demands of the security requirements promptly, yet with minimal impact on the limited resources of the administrator.

Assuming that users have not changed the settings on their local machines and that the anti-virus software is current, the likelihood of an infection is decreased substantially. However, even if dynamic protection is used to perform on-access scanning, it is still good practice to perform periodic, thorough scans of the local and network drives. Though administrators may encourage users to adhere to these requirements, it is far too easy for the user to ignore the advice. Restricting the user from modifying or creating scan tasks can hamper the initiatives of employees who do wish to comply. A solution to both of these is to allow the users the ability to modify and create their own tasks, and also allow the administrator to push tasks to machines with pre-specified functions. For example, the network manager may wish to have a complete scan of all files on all drives performed nightly. A single task could be created specifying the time and files to scan. This task would be globally distributed to all users. This ensures compliance throughout the organization, without local user intervention. Being able to centrally manage and deploy scan tasks is a key component in an anti-virus network management tool.

Many corporations require that a certification process be completed prior to rolling out any software, including updates. In addition, default settings within the anti-virus software may need to be changed to suit the needs of the group or individual. Ideally, changes such as these should be accomplished prior to distribution, thus ensuring the administrator achieves the anti-virus goals with minimal intervention. Many software vendors require administrators to install the software onto a system, change the settings, and rebuild the file package to customize installations. A more proactive course allows for the editing of all options, prior to any installations, via a single initialization file. Another proactive method would allow administrators to change settings remotely after installation via a central console. As importantly, administrators must be provided with a method of managing the users and controlling the files or configurations of the individual or group.

Large corporations may be spread out over a large geographic area or among multiple floors of an office building. Managing the hundreds of computers involved often requires a substantial staff. These additional costs must be factored in when calculating the total cost of ownership of specific software or security requirements. Providing a domain management tool which allows for this administration from a central console significantly reduces the total cost of ownership of anti-virus software and thus overall security requirements. A complete management package should be expected to:

  • easily download files to a central staging directory;
  • silently and automatically deploy files and updates to remote and local users;
  • provide a management console for viewing and changing settings throughout the domain;
  • work in a multi-platform environment;
  • provide a locking mechanism to protect configurations.

Current market solutions generally focus on only one or two of the needed aspects. For example, several distribution packages are available which focus solely on distribution and do not allow for management after deployment. Secondly, the file-based nature of these programs is not intuitive in discerning or establishing the individual configurations required by a specific set of users. Finally, the software deployment executes solely via the login script, bypassing those users who do not routinely log in and out each day. Other solutions focus on restricting the user from certain types of access. Files and executables are locked down, prohibiting all changes from taking effect. Each time a user needs anything modified, the systems administrator must be called in to assist. While there are management consoles which will assess or audit basic information from a system, there are no tools available to dynamically change software settings or verify the integrity of the anti-virus software in place. Often, it is the sheer complexity or strenuous system requirements that prevent the administrator from using even those tools which are available.

The Solution

Command Software Systems has long been concerned about the total cost of ownership faced by the systems administrator and is committed to simplifying the administrative tasks faced by network managers. CSS Central provides administrators with a uniquely proactive tool to effectively manage and maintain the anti-virus strategy from a centralized console. Instead of file-based administration, CSS Central presents a unique user-based interface which allows for the flexibility to group users according to their anti-virus needs, platform, or any other criteria established by the administrator. Simple drag-and-drop controls make this grouping even simpler. In addition, by providing a graphical user interface built around standard Microsoft principles, the overall ease of administration increases. Taking this unique concept one step further, the multiple document interface (MDI) facilitates comparisons between groups or users. Synchronization and inherited options facilitate efficient configurations. Automated downloads and deployment of update files, coupled with the ability to configure and deploy individual tasks, further increase the functionality.

Feature List

Centralized Task Management
Centralized Task Management provides for the administration of task files on remote machines. Administrators can display tasks and scan statistics and change settings to individual task files, including action to take on infection and scheduling functions. Additional task files can be deployed to a single user, a group of users, or throughout the entire organization.

Centralized Configuration Management
Centralized Configuration Management provides for the administration of CSAV settings on remote machines, including the ability to deploy settings to remote machines by selection and/or group. Two-way synchronization pushes the desired configuration to the user or group, or can pull the configuration from the user or group and reset the user/group properties on the management side.

Locking Mechanism
Remote configuration settings can be locked to prevent modification by unauthorized users, yet still allow for local task creation. Users can be prevented from disabling on-access scanning, or changing the action to take on infection. In addition, specific file types can be included or excluded, email notification can be specified, and centralized logging can be managed with no worries that the user will disable or change the configuration.

Automated Pull
Administrators can schedule updates and product downloads for all licensed platforms. Files will be automatically downloaded to the appropriate staging directories. On-demand downloads can be accomplished by the clicking of a button. A secondary FTP site can also be specified.

Automated Deployment
Administrators can deploy the updated files to users in two ways:
(1) Users can be automatically "pushed" the updated files.
(2) Users can automatically "pull" the files at their next login or at a preset time.

Administration Features

  • Can administer a single user or groups of users
  • Groups and users are displayed in a tree view
  • Drag and drop support for users and groups
  • Inherited settings promote efficiency
  • User objects are denoted with platform-specific icons
  • Group nodes are expandable/collapsible
  • Allows multiple administrators to maintain a group of users from different locations
  • Automated notification if an infection is found

System Requirements
CSS Central can be installed on either Windows NT v4.0 or Windows 95 with the necessary hardware requirements to support these operating systems. It supports remote management of Windows NT v4.0 and 3.51 (server and workstation), as well as Windows 95 workstations running Command AntiVirus. Deployment can be accomplished to Windows 95, Windows NT v4.0 and 3.51 (server and workstation) and, through automatic updating, to Windows 3.1x. The workstations must be using either TCP/IP or IPX/SPX protocols.