We currently run VirusScan Enterprise 8.8i Patch 1 on our workstations and we've noticed that a lot of Java-based malware seems to get past the on-access scanner. In particular, we find that malicious .CLASS files go undetected in the user's profile folder on the local workstation. It's only when we perform an on-demand scan of the workstation, or of the server which holds the user's roaming user profile, that they are detected. I think the reason for this is that by default we disable "scan inside archive files" on the on-access scanner, because we've always been told that this adds to the resources needed to scan inside ZIP files, and that as the files are extracted from the ZIP file they will be scanned individually then.
I've spoken to our support company and we think that these threats may be missed by the on-access scanner because .CLASS files may be considered archive files, and without the option switched on we're obviously missing them. We've put this back on for a small subset of users to see what performance impact it may have, and it does cause some issues for some users (long opening times for applications and files). The answer probably is to add some exclusions to VirusScan.
Is this the right way to go? Is there anything else I could be doing to improve detection?
Would HIPS help us in this instance? We've never fully implemented HIPS in our environment and only have it running on 60 or so machines. We only enable the IPS option at the moment and pretty much leave it running in its default configuration (block High level threats, log Medium level threats, ignore Low level and Informational). How do others run the IPS element, and have they found it effective in increasing protection? I think we've always been scared of enabling HIPS organisation-wide because of some of the complexity in it. Other vendor solutions seem to implement HIPS with a tick box and not to such a granular level (not saying that they are as effective, though).
Any thoughts welcome.