We all have a policy to counter the threat of malicious viruses, and while it looks good in the procedures manual, does the reality match your expectations? It is all well and good installing antivirus (AV) software on all our desktops and servers, but how do we ensure they all carry the very latest detection engines and virus signature files? In a large organisation, just keeping track of AV software configurations can be a tough task.

For example, I have a colleague who religiously updates his AV signatures and quite reasonably thought this was offering protection. However, the scan engine on his software was not the latest version; although it happily worked with the latest AV data files, it nevertheless had a security vulnerability which was unfortunately exploited by a virus that could have been detected and stopped with the latest engine.

What is needed, at the very least, is a secure and robust way to manage the deployment and updating of virus data files on your organisation's myriad PCs. Wouldn't it be nice if you could simply plug in an appliance and have it look after the administration and rollout of AV software to all your network clients? Taking it a step further, it would also be great if the antivirus appliance (AVA) acted as a first line of defence and actually scanned incoming e-mail and attachments for viruses. For this feature, the Lab tested three such appliances, two of which include both client administration and active virus scanning, while the third handled only client administration.

The features you will want to look for in an active antivirus appliance are quite extensive. For a start, can the AVA function in both proxy and transparent mode? In proxy mode you will have to reconfigure all your clients to look at the AVA instead of, for example, your mail server.
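The gap in the anecdote above is that signature currency and engine currency are two separate checks, and an audit that looks at only one of them passes a host that is still exposed. The following is an added example, not code from the article or from any of the appliances tested, of a fleet audit that fails a host unless both checks pass; the inventory rows, field names, version numbers and dates are constructed, and the required engine version and signature age limit are assumptions.

```python
"""Added example: audit AV engine version AND signature age across endpoints."""
from datetime import date

# Constructed sample inventory, as a management console or login script
# might export it. Hosts, versions and dates are made up for illustration.
INVENTORY = [
    {"host": "ws-101", "engine": "4.2.1", "sig_date": "2003-05-12"},
    {"host": "ws-102", "engine": "4.1.0", "sig_date": "2003-05-12"},   # fresh sigs, old engine
    {"host": "srv-mail", "engine": "4.2.1", "sig_date": "2003-04-20"}, # current engine, stale sigs
    {"host": "ws-103", "engine": "4.2", "sig_date": "2003-05-11"},     # short version string
]


def parse_version(text):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit(inventory, min_engine, today_iso, max_sig_age_days=7):
    """Return [(host, [problems])] for every endpoint failing either check.

    A host passes only if its engine is at least min_engine AND its signature
    file is no older than max_sig_age_days as of today_iso (YYYY-MM-DD).
    Checking signatures alone reproduces the gap described in the article.
    """
    required = parse_version(min_engine)
    today = date.fromisoformat(today_iso)
    findings = []
    for row in inventory:
        problems = []
        engine = parse_version(row["engine"])
        # Pad shorter strings so "4.2" compares as (4, 2, 0) against (4, 2, 1).
        engine += (0,) * (len(required) - len(engine))
        if engine < required:
            problems.append("engine %s below required %s" % (row["engine"], min_engine))
        age = (today - date.fromisoformat(row["sig_date"])).days
        if age > max_sig_age_days:
            problems.append("signatures %d days old" % age)
        if problems:
            findings.append((row["host"], problems))
    return findings


if __name__ == "__main__":
    for host, problems in audit(INVENTORY, "4.2.1", "2003-05-14"):
        print(host, "->", "; ".join(problems))
```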
It may be that in your situation it would be easier if you could simply plug the AVA into the data stream so that all network traffic flows through the appliance and is scanned transparently.

Checking e-mail is certainly a high priority, so support for SMTP and POP3 is mandatory, but what about FTP (both Gets and Puts; you do not want a staff member unwittingly FTPing an attached virus past your defences)? While on the topic of e-mail, many attachments are compressed, so the AVA had better be able to examine compressed files. The Web can also provide an attractive conduit for viruses into your organisation, so it would be nice if the AVA checked all HTTP traffic for Java, ActiveX, and Visual Basic viruses, or perhaps even blocked downloadable objects completely.

What does the AVA do with the viruses once it finds them? Obviously the standard clean, delete, and quarantine options should be available, but in the case of an infected e-mail it would be helpful if the AVA sent a message back to the sender warning them that they passed on malicious code. The whole process should be as automated as possible: the updating of the AVA's virus signature files and scan engine should be automatic and, in the case of the former, on a daily or weekly schedule. The scanning engine should also include "heuristics", that is, the ability to spot a new virus for which there is no signature on record, simply by analysing the code and looking for undesirable actions.

Another neat feature to look out for is load balancing, where two or more of the appliances share the load so that if one were to fail, the other could maintain antivirus security, albeit at a reduced throughput. Other useful features include blocking unwanted e-mail, spam, and "time-wasting" Web sites. This may simply be a case of the product providing the ability to define the e-mail addresses, message contents, Web site addresses, and content that you wish blocked.
And at the end of it all you would certainly like to be able to capture logs of the activity to help identify common threats and, if nothing else, justify the existence of the appliance.