A Tale of Three Anti-Viruses

The Cisco Web Security Appliance (WSA) has a lot of options for scanning “content” (whatever that means, I think it’s a fancy way of saying Web pages) to make sure it doesn’t contain any malware. No viruses, no pop-up ad machines, things like that. And on the surface, that’s all well and good. Defense in depth, because you should also have some sort of anti-malware on your workstation too (as soon as you take your machine home with you for the evening, you’re probably no longer protected by the proxy).

Someone has to set the darn thing up, though.

There are so many options there, and it’s not even remotely clear what most of them mean, what the differences are between them, and when you might or might not want to use any given feature.

Screenshot of (part of) one screen from the Cisco WSA, showing a confusing variety of 'anti-malware' options. — Just take it all in. (Click to embiggen.)

First, there’s “Web Reputation.” This evidently is based on some secret sauce, when the domain was registered, if it’s one of those weird dot-biz domains that nobody legitimate ever uses, things like that. But then under that is “Adaptive Scanning,” which I think means that even if you enable Web Reputation that sometimes it’s not really used. Or maybe if you use Adaptive Scanning, some of the stuff below might selectively not be used.

Here’s the Cisco page describing all these different features, in case you think the vendor can even tell you what any of this means.

So, under “Web Reputation,” we find “Advanced Malware Protection Services”. Note that there’s no such thing as BASIC protection. It’s advanced, or nothing. And the first thing under it is “File Reputation,” which is different from Web reputation maybe? I guess Web Reputation is where your friends say “that person has issues” and File Reputation is where you meet them and get to see all their issues head-on?

We then have choices for “File Analysis,” where you can specify what kinds of files you want to inspect. I’m not sure why this is here, because this feels like something that should be listed with the anti-virus scanners, but that’s not until the next big box.

Last, there’s “Anti-Malware Scanning Services.” Because protecting you from malware, and scanning the file to see if it contains malware, are evidently two different things.

Here, you have a choice of three popular anti-virus/anti-malware engines: Sophos, McAfee, and Webroot. You can enable any or all of them. It’s absolutely unclear whether you should enable all of them, or if one of them is better in some cases than others. The only thing I know about them is that you have to pay extra to enable the McAfee engine. I can’t speak to whether that makes it better in any sense, of course. It’s probably the name that’s most recognizable, to non-IT pros, but I doubt many non-IT pros are poking around in Cisco proxy devices. And these complex, possibly-expensive add-ons? One of them has no options, and the other two each have a whopping one option you can set.

Really, what I need is a best-practices guide. Something that says “for this kind of user base, enable these options and you’ll get a decent level of protection without wasting a lot of CPU on unnecessary and redundant checks.” But I suppose that’s not complicated enough.