A response to my previous blog post asked a fair question: what sets
NOD32 apart or even on par with Trend Client-Server Messaging? I decided that I
would do some testing with Trend. Since I am using NOD32 without the Exchange
component, I tested Trend Client-Server without the Messaging component.
I've been building a UBCD4WIN version 3.12 ISO file as my test case. UBCD4WIN includes a
large number of plug-ins. One of them is keyfinder.exe, the Magical Jelly Bean
Keyfinder version 1.51. This handy program can display and update Windows and
Office installation keys.
I installed the Trend 3.5 agent on my workstation and tried the UBCD4WIN
build. The build failed because the keyfinder.exe file was missing. By
uninstalling and re-installing UBCD4WIN, and temporarily disabling the Trend
agent, I confirmed that Trend is deleting this file without logging it as a
virus or spyware and without sending it to quarantine. Trend is supposed to
encrypt and save suspicious files on the client in C:\Program Files\Trend
Micro\Client Server Security Agent\Suspect, but that folder is empty. I finally
got Trend to leave the file alone by adding keyfinder.exe to Trend's exclusion
Is this a bug? I guess I'd better try the latest version, Trend 3.6 with Patch 1.
I downloaded the 336MB installation file, upgraded the server, and let it push
out the 3.6.1095 client. No reboot was requested.
After removing the file exclusion from the Trend configuration, I opened Windows
Explorer and highlighted keyfinder.exe (but did not execute it). The Trend icon
in the system tray indicated activity, then I got a message from Windows
indicating that my system may be vulnerable because Trend was not running. The
Trend system tray icon disappeared when I put the mouse over it. So scanning
keyfinder.exe caused the Trend Real-Time scanner to crash.
I rebooted the client and did the same test, highlighting the file in Windows Explorer. This time keyfinder.exe was
not deleted and the Trend real-time agent did not crash. However, the
UBCD4WIN build process, which actually copies keyfinder.exe, failed again
because access was denied on that file. When I went back to look at
keyfinder.exe in Windows Explorer, it was deleted before my eyes. The Trend
Client/Server Security Agent real-time scan window still tells me that there are
0 infected files; “Last virus/malware found” is blank. So Trend is again
deleting it without any warning or logging. I had to add the file back to the
exclusion list so I could complete the UBCD4WIN build.
Once I got the UBCD4WIN build to complete, I tested it with various levels of
extension exclusions as I had NOD32. The results, along with the NOD32 2.7
results from the previous post:
|Trend Client-Server 3.6.1095||NOD32 2.7.39|
|Trend Intelliscan||14 minutes||N/A|
|Scanning only specific extensions||12 minutes||14 minutes|
|Scanning all extensions||15 minutes||20 minutes|
Some other numbers that are interesting from a system administration point of view are
installation size and memory overhead. The table below summarizes these numbers
for both server and workstation installations.
|Trend Client-Server 3.6.1095||NOD32 2.7.39|
|Installation File Size||336MB||25MB|
|Installed Folder Size||1010MB||86MB|
|Installation File Size
(from client packager)
|Installed Folder Size||197MB||28MB|
The server install of Trend Client-Server includes its web-based management
console. The server install of NOD32 includes the
ESET Remote Administrator Server and Console 2.0.56.
ESET NOD32 has a reputation for being lean and fast. Compared to Trend Client-Server 3.6, NOD32
definitely looks “lean” on disk space and memory footprint. However, Trend
allowed the UBCD4WIN build to proceed a little faster than NOD32.
My greatest concerns with Trend come from areas other than performance. One
was the experience back in February 2007 of Trend passing on a “possible worm”
to the client desktop, which would have allowed users to run the worm. I was amazed that there
was no way to configure Trend to not pass possible malware to end users. The
other experience is the one described above: deleting a file without
warning and without logging. I wonder if I have lost other files that way and
will never know.
Clearly there is no perfect anti-virus solution. Both NOD32 and Trend CS(M)
have their own configuration hassles and “gotchas.” I do
appreciate the reduced memory footprint of NOD32, and the fact that my SBS
server no longer sends me a daily alert that it is running out of allocated
memory. We'll see how well it performs in the long term.