Mastering Anti-Virus in Pasco County
- By Dian Schaffhauser
If your district still has its client computers download anti-virus updates from a vendor site, machine by machine, Kevin Stiles, network specialist for the Pasco School District in Washington, has some feedback: You're working too hard; you're wasting bandwidth; and that approach really isn't scalable.
Six or seven years ago, however, that's exactly what Stiles' district was doing. The thousand or so computers in use at that time were running McAfee anti-virus software. "It was becoming unmanageable to keep them running," he said. "Too many things were slipping through, including very old viruses." The IT team couldn't control when--or whether--the deployments of updates were happening. Visibility across the enterprise was nil.
Several IT staffers were running a free version of AVG on their home networks, and based on that, they made a recommendation to have the district move to the enterprise version of the software, AVG Anti-virus Network Edition. A major selling point was cost. "We were given the option of spending $6,000 for two years [for AVG's software] or spending $30,000 a year [for an alternate solution]. We didn't have money to burn."
Suddenly, the anti-virus free-for-all became an organized, methodical routine controlled by the IT department. "It made a big difference in our workload and also in our state of mind," said Stiles.
How AVG Works at the District
Currently, district servers pull the updates for the software multiple times during the day. Every four hours, client computers inside the firewall check in with those servers to see if there's a new update to install.
According to Stiles, the draw on bandwidth for all that network communication is minimal. "It's basically, do you have anything? And then it's quiet," he said. "Network traffic is low, and its impact on the [client] machine's operation is low." The virus scan itself typically runs in the afternoon.
The district has about 3,000 workstations deployed across 15 schools and administrative offices. Two virtual servers running on VMware Server from VMware inside the firewall handle updates for machines in all the school sites except one, pulling data from an internal DNS server. The two servers also act as failover backups for each other. A Kemp Technologies load balancer manages traffic between the two servers.
Client machines that aren't on the internal network, such as notebook computers taken home for the weekend or during breaks, connect to a virtual server located outside the district's firewall, getting its information from an external DNS server. That ensures, said Stiles, "We can still regulate what updates they get and track which updates they've received."
An advantage of the current set-up, Stiles points out, is that when a machine has gone missing or hasn't called in for a while, those DNS entries provide clues that may help in tracking down its possible location. Explains Stiles, "I can track back to find out what information is on the machine, because it stores basic things like MAC addresses and host names and gives me another avenue to fall back on while attempting to hunt down a missing or malfunctioning machine."
The school that isn't part of the primary AVG set-up is located in a remote setting and has its own server handling updates to about 60 PCs, running over a single T1 data line. That server is multi-functional, also handling software distribution, re-imaging, and information/inventory collection for the district's Novell ZENworks configuration management system. Stiles calls the additional load on the server to support the AVG system "negligible." "It is an older server-class machine we retired a couple of years ago from its primary function due to lack of power and re-purposed to save costs."
On occasion, if a particular machine hasn't connected to one of the servers for a period, the software itself will pull the update directly from AVG, but that's not a preference, Stiles said, since it may get out of synch with what is on all other systems.
As a last resort, the district uses ZENworks to force an update, particularly when there's concern about a specific virus getting through.
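The triage logic this set-up implies can be sketched in a few lines. This is an added example, not part of the original article and not district or AVG code: it flags machines that have gone quiet, machines that pulled an update directly from the vendor, and machines whose definitions differ from the district servers. The record fields, host names, MAC addresses, build numbers and the stale/missing thresholds are all assumptions; only the four-hour check-in interval comes from the article.

```python
from datetime import datetime, timedelta

CHECK_IN_INTERVAL = timedelta(hours=4)  # client check-in cadence stated in the article
STALE_AFTER = 3 * CHECK_IN_INTERVAL     # assumption: three missed check-ins
MISSING_AFTER = timedelta(days=7)       # assumption: longer than a weekend off-site

NOW = datetime(2024, 1, 8, 12, 0)       # constructed "current time"
SERVER_DEFS = 1520                      # constructed definition build on the district servers

def rec(host, mac, hours_ago, source, defs):
    return {"host": host, "mac": mac, "last_seen": NOW - timedelta(hours=hours_ago),
            "source": source, "defs": defs}

# Constructed records; hosts, MACs and field names are hypothetical.
RECORDS = [
    rec("LAB-101", "00:00:5E:00:53:01", 2, "internal", 1520),
    rec("NB-014", "00:00:5E:00:53:02", 3, "external", 1520),
    rec("NB-022", "00:00:5E:00:53:03", 20, "vendor", 1523),
    rec("OFFICE-07", "00:00:5E:00:53:04", 1, "internal", 1498),
    rec("NB-031", "00:00:5E:00:53:05", 288, "external", 1490),
]

def triage(records, now, server_defs):
    """Return {host: {"mac", "flags"}} for every machine that needs attention."""
    report = {}
    for r in records:
        flags = []
        silent = now - r["last_seen"]
        if silent > MISSING_AFTER:
            flags.append("missing")             # locate via stored MAC / host name
        elif silent > STALE_AFTER:
            flags.append("stale")
        if r["source"] == "vendor":
            flags.append("direct-from-vendor")  # bypassed the district's servers
        if r["defs"] != server_defs:
            flags.append("out-of-sync")
        if flags:
            report[r["host"]] = {"mac": r["mac"], "flags": flags}
    return report

def force_update_candidates(report):
    """Machines not flagged missing whose definitions differ from the servers'."""
    return sorted(h for h, v in report.items()
                  if "out-of-sync" in v["flags"] and "missing" not in v["flags"])

if __name__ == "__main__":
    report = triage(RECORDS, NOW, SERVER_DEFS)
    for host, info in report.items():
        print(host, info["mac"], ", ".join(info["flags"]))
    print("force update:", force_update_candidates(report))
```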
The approach is effective. Stiles said the last outbreak hit about 20 computers, and that was before AVG was introduced to the network.
The Pain of Change
Earlier this year Stiles evaluated the viability of upgrading to version 8 of AVG's enterprise software from version 7.5, which the district had been running. As part of the bi-annual contract that the district has with reseller Walling Data to license AVG on 3,500 computers, the upgrade had no additional cost tied to it.
After a week of testing, he gave the OK. The update coincided with an upgrade of the network management system as well as a reload of operating systems, all of which required a new image to be applied to workstations. "It was a very long, painful summer," said Stiles.
Now, he noted, there's a noticeable decrease in the load on the servers running the new edition of the software compared to the older version.
Stiles isn't a big fan of change. "Change makes life hard for users and for you," he explained. But he also recognizes that sometimes an IT person has to take stock of how his or her systems are running. For him, that happens every time the AVG contract comes up for renewal. "You should always be looking for something that is better or would fit your needs better." In his case, AVG still fits. "It's effective. It requires very little maintenance. You get a superior bang for your buck."
Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at email@example.com.