Need some feedback on CPM vs McAfee VirusScan Enterprise

(imported topic written by BionicSecurityEngineer91)

I’m evaluating ESP 7.2 and CPM 1.5 as a replacement for McAfee EPO 4.0 and VirusScan Enterprise 8.7i (abbreviated to VSE in this thread), and I am running into some feature issues that I’d like to get feedback on from existing ESP & CPM admins.

  1. End User Notification (to notify or not to notify)

CPM has the client-side UI dashboard, but lacks real-time threat notification (I’m new to CPM, so if you know a way to send an alert to the user…please send me a link or message).

I’m concerned the lack of an end user alert will hurt the user experience. Our computers operating VSE display a pop-up message with threat name and action taken to the end user anytime a threat is detected. My concern is that a user will not be aware that CPM has taken an action and continue working (potentially in a compromised state) without realizing they have “stepped on a land mine”. Right now users call the service desk for support if the McAfee VSE On-Access Scanner detects a threat and it’s not removed or cleaned, which helps us control the spread of threats.

Q. What’s the opinion on alerting the end user? Good / Bad / Indifferent?

Q. Has anyone moved from McAfee VSE to Trend CPM and found this to be an issue? If so, do you mind sharing your solution?

  2. SNMP Alerting

Again, I’m being told that ESP and CPM both lack support for sending SNMP traps. Our McAfee ePolicy Orchestrator (EPO) console is configured to send a trap to our Security Incident Event Management platform for each virus alert, so our security team can perform event correlation and track the spread of infection. At this point I’m being told that my only alert option is to configure Trend ESP to send an email when “actions” are taken by CPM clients, but I find this option extremely limited and dependent on the email system working, which in a virus outbreak could be swamped with higher than expected mail traffic. I’m shocked that Trend ESP and CPM lack the traditional alerting capabilities that other vendors offer as standard features.

Q. Is this a common opinion by CPM/ESP admins?

Q. Has anyone figured out how to incorporate SNMP into the Trend ESP/CPM lineup, either by using a script called by an action (triggered by a threat detection) or through an addon product? I did see this post, http://forum.bigfix.com/viewtopic.php?pid=13884, and it mentions setting up reporting with traps, so I’m hopeful SNMP may be viable.

  3. Real Time Scan Monitoring

Again, CPM lacks a UI to monitor real-time scanning on a host, whereas McAfee VSE can be monitored remotely or locally to determine which files/folders are being inspected by the scanner, which aids us in the diagnosis of host and application slowdowns. Our biggest problem with VSE is when the On-Access Scanner locks up scanning a file or folder on a high I/O host, and the result is the host usually hangs and requires a power reset to resolve, so we’re concerned the lack of a monitor will hamper our troubleshooting efforts.

Q. Has anyone figured out how to perform real-time monitoring of CPM? I could use procmon.exe to monitor how much time the CPM process spends scanning a file, but this would be an intensive and undesirable process.

Last, I’m looking for any other performance, functionality, and reporting feedback from admins who have previously switched from McAfee VSE to Trend CPM.

Q. How did your migration go?

Q. What lessons did you learn?

Q. What pitfalls did you discover?

Q. What was the sales to operations transition like?
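
The script-driven SNMP bridge floated in question 2 (an action fires a script on a detection, and the script emits a trap for the SIEM), as an added example that is not part of the original post and is not code from Trend, BigFix or McAfee. It uses only the Python standard library to BER-encode an SNMPv2c trap. The `key=value|...` detection record and the `1.3.6.1.4.1.99999.1` enterprise OID subtree are constructed placeholders; a real deployment would map the product's actual event fields to OIDs from its own MIB, which this thread does not supply.

```python
"""Added example: turn a threat-detection record into an SNMPv2c trap (stdlib only).
Not vendor code. The record format and the enterprise OID subtree are hypothetical
placeholders standing in for the product's real event fields and MIB."""
import socket
import sys
from dataclasses import dataclass

# BER tags used by SNMP (X.690 universal tags plus the RFC 3416 PDU/application tags).
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_TIMETICKS = 0x43        # APPLICATION 3
TAG_SNMPV2_TRAP = 0xA7      # CONTEXT 7

# Real OIDs from SNMPv2-MIB; every v2c trap carries these two varbinds first.
SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"

# HYPOTHETICAL enterprise subtree standing in for the vendor MIB (not on the page).
ENTERPRISE_BASE = "1.3.6.1.4.1.99999.1"

# Constructed sample detection record; the real alert format is product-specific.
SAMPLE_LINE = "host=ws-0421|threat=Eicar_test_file|action=Quarantined|uptime=123456"

def encode_length(n):
    """BER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value

def encode_integer(value, tag=TAG_INTEGER):
    """Minimal two's-complement INTEGER; unsigned TimeTicks >= 2^31 get a leading 0x00."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, value.to_bytes(length, "big", signed=True))

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))

def encode_string(text):
    return tlv(TAG_OCTET_STRING, text.encode("utf-8"))

def varbind(oid, encoded_value):
    return tlv(TAG_SEQUENCE, encode_oid(oid) + encoded_value)

@dataclass
class ThreatEvent:
    host: str
    threat_name: str
    action: str
    uptime_ticks: int  # hundredths of a second since the reporting agent started

def parse_detection_line(line):
    """Parse the constructed 'key=value|key=value' record into a ThreatEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ThreatEvent(fields["host"], fields["threat"], fields["action"], int(fields["uptime"]))

def build_trap(event, community="public", request_id=1):
    """SNMPv2c Message { version 1, community, SNMPv2-Trap-PDU { ids, varbinds } }."""
    varbinds = (
        varbind(SYS_UPTIME_OID, encode_integer(event.uptime_ticks, TAG_TIMETICKS))
        + varbind(SNMP_TRAP_OID, encode_oid(ENTERPRISE_BASE + ".0.1"))  # trap type (hypothetical)
        + varbind(ENTERPRISE_BASE + ".1.1", encode_string(event.host))
        + varbind(ENTERPRISE_BASE + ".1.2", encode_string(event.threat_name))
        + varbind(ENTERPRISE_BASE + ".1.3", encode_string(event.action))
    )
    pdu = tlv(TAG_SNMPV2_TRAP,
              encode_integer(request_id) + encode_integer(0) + encode_integer(0)  # error-status/index
              + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, encode_integer(1) + encode_string(community) + pdu)

def send_trap(payload, receiver, port=162):
    """Fire-and-forget UDP delivery to the trap receiver (SIEM collector)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (receiver, port))

if __name__ == "__main__":
    trap = build_trap(parse_detection_line(SAMPLE_LINE))
    print(trap.hex())
    if len(sys.argv) > 1:   # python trap.py <receiver address> actually sends it
        send_trap(trap, sys.argv[1])
```

Run without arguments to see the hex dump of the encoded message; pass the receiver address to send it. Because traps are unauthenticated UDP with a community string, the receiver should only accept them from the known management host, and the varbinds should be treated as untrusted input on the SIEM side, exactly as the email alerts would be.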

(imported comment written by BenKus)

I will leave some of your questions to the Trend experts, but here is a reference post with some CPM fans that might help:

http://forum.bigfix.com/viewtopic.php?pid=11644#p11644

I will also add for #2 that we have a general purpose trigger mechanism that currently is built to send emails, but we built it so that it can plug in notification mechanisms other than email (such as SNMP) without much trouble and we certainly can get you some more info on this if you ask your sales engineer.

Ben

(imported comment written by BionicSecurityEngineer91)

I’m encouraged to hear there is additional capability for alerting, and I will ask our support engineer about it.

I’m still very taken aback by the lack of user notification, and I find myself constantly asking the question, “why would you NOT tell a user they have encountered a threat and what happened with that threat?”

It’s like hitting an invisible pothole in your car and wondering did it break something, am I ok, or should I ignore the creaky sound that just started?

(imported comment written by SystemAdmin)

I apologize - I would have responded earlier - but was on vacation. I will digest your inquiry and hopefully get you back some of our experience (which has still been very positive) later today.

Mike

(imported comment written by SystemAdmin)

Our experience with displacing McAfee with CPM - and the latest 1.5 update has been very positive. We had some complications on approx 100 workstations where VSE had not been installed properly (from an image) - and thus VSE would not uninstall properly (no fault of BF). Those systems were re-imaged. Otherwise as you can see from the other post - our deployment was very smooth.

Even with VSE we did not alert the user. We found that with notification on - the users would ignore the pop ups and not report them or they would complain about them. Instead we decided to be more alert from a support side and that we would utilize Big Fix, EPO and their alerting capabilities to keep on top of things (and be more pro-active to responding to threats). Unfortunately we found that McAfee was not always catching things and was also not reporting to us properly. So then we solely relied on Big Fix to manage VSE.

This is what we have in place now. We are utilizing the Big Fix Client Dashboard on each workstation/server - which will give indication if something bad was found (so there is a local view). We utilize the Big Fix dashboard and webreports with scheduled reporting that shoots us emails if something new is found. Then a support technician will investigate. With CPM we haven’t had as many incidents as in the old days. We are also using Web Reputation in CPM to help alleviate those nasty “drive bys” (with also scanners on the edge - a full layered plan of protection).

I haven’t looked into doing any SNMP alerting - but it has piqued my interest and I will be looking more into that. For the moment we use a scheduled report that auto sends if something new is found (in the web reporter).

Real time and Manual scans have not been an issue with performance with CPM. VSE used to cripple many workstations and servers. Now we update definitions and run manual scans - and no one is the wiser (once in a great while we find a very old model out there that gets a bit sluggish with a scan - not many). It might be cool to start a manual scan on a system and to have the ability to locally watch the file scan scream by in a fancy window - but we typically start the scans remotely and wait for the final report data in the dashboard. It’s been good to us thus far.

VSE did give you more localized control - however the application was very bloated and was a huge resource hog. CPM is a “network based - enterprise” solution and it was a little awkward in the beginning to give up that local control. However the support team loves the remote abilities and it is more reliable than EPO was.

Other.

Our migration went well (see previous post). We learned that it is ok to change. Although we knew for years that VSE wasn’t cutting it - it was hard to make that switch. We would never have considered changing though - if we didn’t have Big Fix as a tool to do it. The biggest pitfall we found was - we tried to go into this migration without reboots. We started having CPM install failures (about 10%). However, once we put a reboot in the mix after a VSE uninstall - CPM install had higher success rates (once in a while a VSE remove didn’t fully delete registry or folders - so we had to use a custom task or hand remove the old entries). So, we learned that you can’t always do everything behind the scenes. Our support/operations team were part of the migration - and have been Big Fix users for years (going on 6 years) - so the transition was very easy. In fact - prior - they had no EPO access (it required a higher level engineer to support it). By going with CPM - we were able to move AV out of the Infrastructure/Engineering group and give the reins to the Client Services/Desktop team and let them rule the desktop. It might not be the answer for everyone - but in our environment CPM has been very good to us.

Hope that answers things. If you like we can chat offline.

Cheers,

Mike

(imported comment written by BionicSecurityEngineer91)

I appreciate everyone’s feedback. I’ve made my decision, and it’s to wait on CPM until it matures some more.

(imported comment written by dmkollmann91)

Please help me. I have a new internet service with virus protection included but I am having trouble downloading because of Big Fix. F-Secure tech said I needed a removal key to remove Big Fix from my computer.

(imported comment written by dmkollmann91)

I need help. I need the removal key to remove Big Fix from my computer. Diane Kollmann

(imported comment written by BenKus)

Hi dmk,

I am not sure what the F-Secure tech was talking about, but you can go to add/remove programs to uninstall any BigFix components.

Thanks,

Ben