
Review: eScan Corporate Edition v11


Johannesburg, 07 Aug 2012

eScan (http://www.escanav.com/) Corporate Edition is a centrally managed desktop security suite produced by MicroWorld, an Indian company with a direct presence in several countries including SA. We reviewed version 11. The company also offers an Enterprise Edition, which includes AV software for mail servers - that was not included in this test.

We must note at the outset that our testing uncovered some serious security flaws in the product. If you consider deploying eScan, you should take steps to mitigate these flaws - see under “security concerns” below - which will allow you to use the features of the product safely.

There are two major parts to the eScan solution: the desktop client, and the management console. The desktop client proved to be pretty good but relatively pedestrian - good enough at its main job and offering a mixed bag of other tools on the side. The management console, in contrast, was very good indeed, with solid admin services for any size organisation from a small SME workgroup to a large, geographically diverse corporate, but with at least one serious security failing which might dissuade a CSO.

On the desktop

The desktop client protects users through conventional signature antivirus for files and e-mail (POP3 and SMTP only - no native plugin for Outlook, nor support for IMAP), and also includes a number of other protections.

The core antivirus facility is really the important one. The rest is a mixed bag which may or may not be much use depending on your particular environment: in many cases there are superior best-of-breed options available, but having the whole lot packaged up into a single suite of competent tools could be an attractive option for smaller organisations.

The AV is fine - does the job and catches malware. The engine has passed several certifications, like Check-Mark and VB100, guaranteeing full protection against in-the-wild malware. It might lack the sophisticated analysis of more expensive AV solutions, but there are other (and arguably better) ways of mitigating the risk of a serious targeted malware attack.

eScan's AV is its most important feature, and there's not much to say about it: it quietly does what we expect.

Spam, spam, firewall and spam

Antispam is also provided, and works about as well as Outlook's built-in agent unless you enable its ability to check SPF (sender policy framework) and RBLs (real-time blackhole lists), which help a lot. Smaller shops without a dedicated anti-spam solution will benefit from this.

A Web filter offers black- and white-list restrictions on browsing, as well as timed restrictions. The filters are relatively basic, and can be unintuitive. Customising lists is tricky, and it's not clear that a whitelist entry trumps a blacklist entry, for example. With no obvious way to find an entry in a list and remove it, users and admins could both be in for some headaches.

Much better is the firewall, which includes a lot of pre-configured rules for common applications and provides details on current connections and their controlling applications. It's on a par with most good personal firewall products, but combined with central management, it will shine: it's easy to lock down network connections and then allow specific clients access to network services on a selective basis. Personal firewalls are becoming marginalised in the growing world of Web and cloud services, so this feature may not be as useful today as it has been in the past, but it's still well thought out.

An endpoint security module provides lockdown options for USB devices and applications. External storage can be blocked completely or forced to submit to virus scans and password protection before being used. Applications can be both white- and black-listed, with the same time controls as the Web filter. Savvy users can usually bypass application controls, but for the most part, this is a very effective option, combined with firewall rules, to keep unwanted applications, like peer to peer software, at bay.

Lastly, a privacy agent is provided to clean up installed browsers and temp files. eScan didn't detect the installed Google Chrome, despite that being set as the desktop's default browser, and only offered options to clean up Internet Explorer. Chrome is widespread enough now that we'd like to see that supported out of the box. The state of the art in this space is held by tools like CCleaner - eScan has a long way to go to catch up with that - and browsers are generally getting a lot better at looking after privacy anyway, so this feature didn't wow us much.

Central management

On the server, things get more interesting. eScan's Web Management Console is the service used to deploy and manage networks of systems and their various configurations. It is entirely Web-based, running off a bundled install of the Apache Web server with data stored in Microsoft SQL Server Express. Both are installed nearly silently (you are asked for a root password) when the suite is set up. You don't get the choice of port for the Web server - it uses 10443 by default, which could present challenges for organisations with strict firewall or routing rules. You can change the default port by manually editing the Apache configuration and restarting it.

The Web interface is slick and works well in any browser (even on a tablet, though the layout doesn't lend itself to smartphones). The taskbar agent on the server will fire up IE whether that's your default browser or not, but fears that it'd be IE-only proved unfounded - we tested with IE, Firefox and Chrome, and all worked. Chrome on an Android tablet worked too, where the default browser did not.

A wizard interface helps set up your network the first time but to be honest, it's almost completely redundant - the interface is really very easy to use and we never struggled to find the tools we needed. The excellent interface deserves the credit for that - the documentation could be a lot better. Although we had both a PDF user guide and online guides, a lot of information was simply missing or badly documented.

On screen, a left-hand expandable menu reminiscent of MMC agents loads up modules in the main view. It's quick and reliable, and very logically grouped together.

Role-based management is an area where the software is particularly strong. Admin roles can be restricted to particular system groups, every part of the admin interface can be enabled or disabled per role, and each user account is assigned to a single role. You can have managers with report-only views, and department admins with full rights to only a single subnet, for example. You can seed user accounts through from Active Directory, too. We particularly liked the delegation tools, but would have liked better reporting on user activity beyond the simple access log. MicroWorld's reps tell us this is a feature under development for a future version.

Dashboard lights

The first screen which opens when you log in is a dashboard view showing graphs of deployment/update status, malware activity, and more. The dashboard can be customised with a host of different data, which works beautifully, but, unfortunately, the view is shared by all users. We'd definitely like to have each user, or at least each role, remember its own unique dashboard views.

To manage clients, you need to discover them (or configure them manually). The management console can discover available clients in several ways: it can scan a Windows network for workgroups and PCs, examine an IP address range, or integrate with Active Directory. Once discovered, you can push eScan agent software down to a remote system or perform a number of other admin functions, like setting up scheduled tasks, installing software or initiating remote desktop connections. We were pleasantly surprised at some of the Swiss-army-knife variety of tools on offer.

Policies and groups

Client systems are then imported into managed groups, which can contain as many subgroups as needed to make your domain manageable. Clients are separated into normal vs roaming users - roaming users are remote users who may not have regular connections to receive updates and policy changes, and so are treated differently.

The actual protection profile of client software is managed through policies, which mirror every option of the desktop software in exacting detail. Every feature of the desktop suite, and some extra ones besides, can be configured as part of a policy.

Every group has a default policy, and when updated, the policy can be rolled out to every group member and, if necessary, every subgroup too. Beyond the groups, specific computers or groups of computers can be assigned policies of their own, which will take precedence over that system's group policies.

Each policy can apply to as many or as few parts of the desktop suite as you like. For example, a company-wide antivirus policy could be accompanied by department-specific Web filtering policies, implemented via subgroups.

This combination of subgroups and individual controls is a powerful feature but one which could cause conflicts - there is no option to report on policy changes which have overridden the policies of a sub-group, for example.

Tasks - turning services on and off, forcing scans or updates, and so on - are managed the same way as policies: per group/subgroup, and per computer if necessary. Tasks can be run one-off or scheduled to occur (or recur) in the future.

Reporting

The management console offers downloadable reports on malicious activity, which can be edited and tuned within a relatively narrow set of parameters, but sufficient for most administrative needs. The reports themselves are generated lightning-fast, which is always appreciated.

The system can notify an administrator by e-mail if an outbreak is identified, when malware activity crosses a user-defined threshold (25 incidents a day by default). In practice, we'd couple that with an e-mail-to-SMS gateway or similar to ensure immediate notification.

Useful links are provided to download a rescue disk image, along with free software to burn it to optical media.

The desktop software is lightweight enough not to cause any noticeable performance drag. The scanning engine itself is quite slow - about half the speed of rivals we tried (we compared time to scan a full hard drive, on an idle system). That is unlikely to cause any problems to desktop users - you wouldn't notice any delay in single files - but it does suggest that further testing would be warranted before considering eScan for server-specific solutions such as e-mail or file servers.

In summary:

Pros:
* Strong set of admin tools and an excellent management interface which will scale well in large organisations.

Cons:
* Exposes admin credentials, slow scanning engine, lacklustre documentation.

Features:
* File AV
* E-mail AV
* Antispam
* Personal firewall
* Web filtering
* Privacy controls
* USB lockdown
* Application control
* Central management
* Role-based management
* Group policies

Security concerns

Unfortunately, we did have a number of security concerns with the eScan suite.

The product page at the eScan Web site declares that the server supports SSL, but in its default configuration, this is not enabled. The server by default uses HTTP not HTTPS, sending credentials in plaintext over the wire. For an enterprise security product to be exchanging plaintext passwords in this day and age is, frankly, a cardinal sin.

This means that any attacker on the network would be able to snoop admin credentials and gain access to the backend. With that access, and the suite's ability to push software and policies down to clients, the entire network of “protected” PCs could be silently compromised. The lack of thorough auditing for admin roles means detection of malicious activity would be harder to spot, too.

The server doesn't alert the user that a connection is insecure, which would be useful, especially for SME customers who may need clear pointers to resolve issues like this.

The server can use SSL, though. Reconfiguring it for encrypted connections requires manually editing Apache configuration files and setting up certificates, then installing eScan's self-signed certs on clients accessing the backend. Making it worse, the location of the readme file explaining this process is not included in the documentation, only mentioned in the release notes.

We'd like eScan to do several things better here:

* Use SSL by default
* Alert admins when they are connecting over an insecure connection
* Make switching to SSL an easy configuration choice, not a manual process
* Document the process, and issues, more thoroughly
* Provide a third-party signed certificate

There are other steps you could take to mitigate the risk. eScan only exposes passwords when they travel over the network, so restricting admin access to the console on the management server itself would prevent sniffing. A proxy or VPN could provide secure remote access to the server.
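As an added illustration of the reconfiguration described above (this is an editor's example, not MicroWorld's shipped configuration or its readme), an Apache fragment that keeps the console on its usual port 10443 but serves it only over TLS, and confines the cleartext listener to the management server itself, the workaround suggested above. Every file path, hostname and module location is an assumed placeholder.

```apache
# Added example, not eScan's own httpd.conf. Module paths, file paths and
# hostnames are assumed placeholders; adjust them to your install.

LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so

# Default state described in the review: a bare "Listen 10443" with no
# SSLEngine, so every console login crosses the network in cleartext.
# Here the cleartext listener is bound to loopback only: usable from the
# management server's own console, never visible on the LAN.
Listen 127.0.0.1:10080
<VirtualHost 127.0.0.1:10080>
    ServerName escan-console.example.local
    DocumentRoot "C:/path/to/escan/webconsole"
</VirtualHost>

# The network-facing listener keeps port 10443, so existing firewall and
# routing rules still apply, but now requires TLS.
Listen 10443
<VirtualHost *:10443>
    ServerName escan-console.example.local
    DocumentRoot "C:/path/to/escan/webconsole"

    SSLEngine on
    # A certificate from your own CA or a public CA lets admins' browsers
    # validate the server without installing eScan's self-signed cert on
    # every client.
    SSLCertificateFile    "C:/path/to/escan/certs/server.crt"
    SSLCertificateKeyFile "C:/path/to/escan/certs/server.key"
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Once a browser has connected securely, keep it on HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After restarting Apache, confirm that port 10443 no longer answers plain HTTP from another host on the network, and that the loopback listener is not reachable from outside.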

Going deeper, we also have lingering concerns about the integrity of the updates pushed from server to client. With the server not using encryption by default, spoofed or manipulated updates could compromise clients without the server itself being attacked. We didn't test this, but must note that it's a possibility.

MicroWorld confirmed that several of these issues are on the agenda to be fixed in an upcoming version of the product. Our recommendation to anyone looking to deploy eScan in a network would be to either be prepared to do the extra work to secure it, or wait for the updated version.

Overall verdict

With prices from R230 to R140 per user per year (depending on the size of your organisation), eScan is competitively priced, especially with its eclectic bundle of additional tools.

We liked the client software well enough: it's good at its core function and has plenty of additional features if you don't have better dedicated tools available.

And we liked the server tools and management console a lot - they are well thought out, accessible, reliable, and responsive. The exposure of admin credentials is a serious concern, though.

MicroWorld confirmed a lengthy list of feature improvements promised for an upcoming version: our recommendation would be to wait for that. If you're already an eScan customer, you'd be well advised to look into the steps required to secure your installation.

Vendor site: http://www.escanav.com
