Daryl

Anti-Virus Recommendations

12 posts in this topic

I'm looking for recommendations based on experience for which anti-virus program I should run on a SCADA PC running RSView32 and RSSQL. My main concern is system performance. I had considered using no anti-virus software as the PC is on a closed-circuit network, only four 192.168.x.x devices on a small switch, but there are external sources being connected occasionally in the form of USB devices and CD-ROMs, so I thought it better safe than sorry. Thanks... Daryl

I put MSE on some of ours just to see what effect it would have and it's been fine. But I wouldn't put much. Certainly not Symantec, Norton, AVG or McAfee. Those applications have become bloated pigs. Perhaps MSE will also in time, but so far it's pretty unobtrusive. But the root of the problem is to find out who puts the external devices on these machines? That's the weak link.

Another important step: disable AutoRun for all removable media. There's a Microsoft patch that goes along with a Group Policy Editor change: http://support.microsoft.com/kb/967715 I've fought a USB-based trojan infection on one client's system and this was our most important method for preventing re-infection.

+1 on MSE. http://www.microsoft.com/security_essentials/

Daryl, we went to Vipre from Sunbelt about a year ago after suffering through the Symantec and McAfee fun. Seems to work well and work light. http://www.vipreantivirus.com/ Russell

A couple of options. Easiest: ban all unchecked external sources - use 'sheepdip' machines with up-to-date software to virus check media / CD-ROMs before they get connected to the closed network. Most difficult: the 'AV' solution. If it's a closed network, how do you update it (AV definitions / engine)? You'll need to keep the machine continually patched as well - if you actually rely on this machine, don't forget to have a duplicate machine to test every single patch and AV update first, or a way to roll it back to a backup - which will then have to be updated with all patches added since the last backup. Be careful about adding more risk. Matt.

Consider Kaspersky. It's also a bloated pig, but it intentionally controls CPU usage to make itself much less obtrusive. In actual testing it was not really noticeable. The major downside with it is that there's no free version. But then, considering the amount of energy and lost productivity wasted by these things, even free anti-virus software is not free.

First off, consider why you are letting people stick USBs or CDs into the machine in the first place. Set up the machine to disable those devices in the BIOS and boot directly into the HMI. Don't give anyone the option of even doing anything secure. It usually means that you have to intentionally design some sort of "escape from the HMI" function into it though, because of what you do to it.

Personally, I'm in the midst of an installation of a large 22-screen control room. We don't have ANY PCs at all in the control room. There are screens (6 42" screens, 16 24" screens), keyboards, mice, a printer, and 22 thin clients. There aren't any PCs in the room. In the backend, there are 3 servers in locked machine rooms. There are USB slots, but except for two (set up as office PCs, not HMIs), the USB slots are disabled, at least as far as storage devices go. I don't want/need/run anti-virus software at all. If you run this way, or with an HMI that doesn't need Windows, then there's no way for a virus to get into the system.

Personally, consider the SCADA. Go with Inductive Automation Ignition. The standalone version is free and you can run it on Linux. Linux platforms do NOT have anti-virus software because the security model not only makes it impossible for them to run but also makes it very difficult for a virus to take root. If you've never worked with Linux, I strongly suggest you download Ubuntu. They have a "Ubuntu on a CD/USB" version that you can reboot a machine on, gives you access to all your files, etc., and most importantly, doesn't alter the hard drive.

After you are satisfied with how it works, you can go ahead and install it. Since Ignition runs on pretty much any platform, you can even do test/development on a Windows PC and then run your plant floor machines on a Unix software system. If you truly want the ultimate in security, then forgo all the niceties that you get with, say, Ubuntu and go for OpenBSD. Ignition will still run on it, BUT this is the most secure operating system available, bar none. Most of the newer security improvements that eventually trickle down into Linux and other BSD versions were innovations started in OpenBSD.

If you are just dying to have Windows (if there's an alternative, I'm not a fan of a buggy platform as the basis for a SCADA/HMI), then consider Windows XP Embedded. This system has a special device driver that basically logs all changes to a drive into a RAM disk. On reboot, all changes to the underlying driver are zapped and you're back to the original starting system. Even if a virus were to load itself onto this system somehow, one reboot and all changes are GONE. And if you consider storing your "working files" (the HMI screens) on a USB stick, then you can trivially make updates and changes simply by swapping USBs that you only store data on (never programs).

I had to Google MSE. Am I actually hearing people vote for a Microsoft-based virus protection? I've been using ESET NOD32, but I'm migrating to Windows 7 and haven't chosen a virus protection yet.

I hear you. I really do. I'm not a fanboy of M$, but it does what it should, does only what it should, and it does it pretty well. Considering that M$ would have an inside track on how to remove and prevent bugs well ahead of any others, it seems to be a natural. Like something that should have been a part of the OS all along. Perhaps their guilt drove them to provide this product. Since there are third-party competitors they can't make it part of the OS and install it as an update, so they are giving it away for most customers. It won't install on server platforms and there is a 25-user limit (per business?) that may or may not be enforced. They still want to charge enterprise customers for its parent product (ForeFront), which covers all the enterprise and server services.

MSE came about when CERT recommended that people use any other web browser than Internet Explorer due to the fact that ActiveX is unfixable. At the time, a lot of major companies (and end users) were announcing their swap over to some flavor of Linux, among others. Microsoft readily admits that they consider MSE to be a "baseline" and not a legitimate full-fledged virus checker, and they themselves recommend upgrading to something else. Personally, I recommend going a little deeper on the upgrades if this is at all a concern. This is like putting lipstick on a pig... no matter how you dress it up, even with "Aero", it's still a bloated pig operating system with more security holes than Swiss cheese. It's hopeless.

And yet, with 90% market share, Windows is what most users have to deal with. Recommending any flavor of *nix to a public that is justifiably afraid of it is not a viable solution. Regardless of claims, it is still not for the casual user. Mac is the only *nix flavor that can claim to be easy to use, and in order to allow that it became so proprietary that you can only do things "Steve's Way". (Oddly, that's what their 1984 commercial introducing the Macintosh was rallying against; they seem to have become their own enemy.) This policy, for good or bad, is no different than a strong policy enforced by the admins of a Windows system, except in the Mac case, management can't circumvent it because it's inconvenient for them.

This could easily turn into a heated debate about *nix vs. Windows, Mac vs. PC, less filling vs. tastes great, but like all those it comes down to what you want or have to deal with. If you want or need secure Windows, isolate it from user meddling and it will be fine. But the fact is that the same is true of *nix. Give every user root privileges and you will be in the same mess as Windows. Tighten up and use Windows UAC at its strongest setting and you will be annoyed to death with warnings because the application writers aren't following the rules. Pick your poison; they all taste bad. Heck, the only reason Macs are currently safer is that there are fewer people writing hacks for it. (Though the last 600+ MB update I got for OS X makes me wonder about that too.)

Bottom line is that there are tradeoffs on every platform and no clear winner in all cases. Pick the application you want, on the platform you want, and do what it takes to make it work for you. In the case of the original poster's question, simply remove access to external devices and patch by hand if necessary. If you remove external access, most of the patches become unnecessary anyway.

Thanks folks, a lot of information there for me to consider. I actually think I'm going to go with what I see as the easiest and cheapest solution, the 'sheepdip' idea! Our business networks are the most secure I've dealt with in my lifetime, and even the IT Manager would struggle to remember the last time there was a virus incident. I'll also disable the CD and USB devices (mouse and keyboard are PS/2) for all non-admin users, and implement policy that any external sources must be checked on a business system before being connected to the SCADA system. Thanks for all the suggestions.
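
The two host-side steps the thread settles on, disabling AutoRun (the Group Policy change behind KB967715) and blocking USB storage (the final post), as an added PowerShell example that is not from any poster. It writes the well-known registry values directly instead of going through the Group Policy Editor, applies machine-wide rather than per user, and assumes an elevated shell on the SCADA PC; the function names are this example's own.

```powershell
# Added example: harden removable media on a Windows SCADA PC.
# Run from an elevated PowerShell; both settings take effect after a reboot.

# Policy key read by Explorer for AutoRun/AutoPlay; the "Turn off Autoplay"
# Group Policy setting writes the same NoDriveTypeAutoRun value here.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Service key of the USB mass-storage class driver. Disabling it stops USB
# disks/sticks from mounting; USB or PS/2 keyboards and mice are unaffected
# because they do not use USBSTOR.
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-AutoRun {
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    # 0xFF sets every drive-type bit: unknown, removable, fixed, network,
    # CD-ROM and RAM disk, so no media type autoruns.
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' `
        -Value 0xFF -Type DWord
}

function Disable-UsbStorage {
    # Start = 4 (SERVICE_DISABLED) prevents the driver from loading.
    # Setting it back to 3 (on-demand) re-enables USB storage for maintenance.
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
}

function Test-RemovableMediaHardening {
    # Audit helper: returns the current state so a scheduled check can verify
    # that nobody has quietly re-enabled either setting.
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' `
        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $start   = (Get-ItemProperty -Path $usbstor -Name 'Start' `
        -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        AutoRunDisabled   = ($autorun -eq 0xFF)
        UsbStorageBlocked = ($start -eq 4)
    }
}

Disable-AutoRun
Disable-UsbStorage
Test-RemovableMediaHardening | Format-List
```

Blocking USBSTOR does not affect an internal CD-ROM drive; disabling that in the BIOS or Device Manager, as the thread suggests, remains a separate step.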
