HELP - my boss won't pay for anti-virus software!

Mail Ias

I'm about to go to my boss with a proposal to spend about $500 - $1,000 on
anti-virus software. I'm afraid he'll not go along with it.

Here's what he'll say:
- We've never had a serious problem with them before, they're just an
annoyance. It's easier to just pay you to clean it up when it happens than
all the fooling around in advance.
- Only 6 of 12 computers have Outlook for email. The rest are blocked or use
an unknown program for email. All of those 6 Outlook users know better than
to open attachments.
- Our network is three hops away from any public IP addresses, and there's a
firewall there.
- We don't have any data anyone would want.
- We've got good backups
- You can get free AV software on the Internet

Here's what I've been doing lately:
- cleaning up a FunLove virus infection (yes, I know it's OLD, not sure where
it came from). Fortunately it's not destructive.
- Troubleshooting a critical application that wasn't loading (before I found
out Funlove had f*d it up).
- Installing AVG free edition on all the workstations -- I know it's not
licensed for commercial use. It's only temporary, unless el-cheapo boss tries
to tell me to use it anyway.
- Spent the better part of a day and a half cleaning up from a recent Netsky
virus because the one user who definitely knows better, clicked an attachment
and got infected. In her defense she was expecting an invoice from a new
temporary vendor, was under extreme time pressures and got an email that had
the attachment titled "your bill". OK, not totally defendable.
- Researching network wide AV solutions for our NT4 Server (2) with Windows
2000 workstation (12) network.

Assume you were in my position. You can't quit and find another job. Not an
option right now. Your job is not purely IT, you have other responsibilities
-- otherwise quitting would probably be an option if he wouldn't pay for the
software.

How would you convince this guy to cough up the cash for this?
 
Geese_Hunter

A. What software are you trying to get him to pay for?
B. IF the company has a history of using pirated software, the only
thing that will stop him is a visit & fine from the company that is
being pirated.
C. There are plenty of good AV Products that you could get for far less
than $500.00 - $1,000.00. & is that just the 1st year's license fee?
D. Does anyone on your network use instant messaging & or Peer 2 peer
programs, if so, then there is a select few products that will stop the
virus from there.
E. A firewall won't stop most viruses, just hackers, mal-ware & a few
viruses that try to get into ports 135, 137 & 445, but it's doubtful
that the "firewall 3 hops away" is preventing any inbound protection.
F. Backups are backups, but if you do payroll onsite & that person is
ready to print the checks & she gets a virus or a worm that destroys the
hard drive like what happened to some ISS firewall users, what good is
yesterday's backup?

What is your setup, do you have an E-mail server on site?
There are plenty of ways to get around his not wanting to shell out a lot
of money & you keeping your job. I wouldn't go to him until you have
plenty of ways to tackle this issue. And price being the top concern
 
null

You have the moral responsibility argument on your side. It's
irresponsible to everyone else on the internet to not have antivirus
protection. And what if a torrent of malwares issues forth from your
network that are not untraceable? Very embarrassing and not good
advertising. Maybe even punishable by law.

Probably, though, the most convincing argument would be the economic
one. Say, for example, that you earn $1,000 per week with overhead.
That's $200/day. It cost him $300 for you to clean up one Netsky mess.
How many of these incidents can be reasonably expected in a year?
Three or four? $900 to $1200 for cleanup work? That's the break-even
point, just using your figure of $1,000 for AV licenses.


Art
http://www.epix.net/~artnpeg
 
Spacen Jasset

....
On Wed, 24 Mar 2004 20:04:29 GMT, (e-mail address removed) (Mail Ias) wrote:
You have the moral responsibility argument on your side. It's
irresponsible to everyone else on the internet to not have antivirus
....
I take offence, I don't have to use anti-virus software since I am quite
capable of keeping my computers virus free. And you're not gonna force me to
use any such software! - on the other hand it is of course wise to use such
software especially where users are not, and need not be extensively IT
aware. But I object to the vague notion I detected in your message that
suggested people who don't run AV software may be unclean in some way.
 
null

...
...
I take offence, I don't have to use anti-virus software since I am quite
capable of keeping my computers virus free. And you're not gonna force me to
use any such software! - on the other hand it is of course wise to use such
software especially where users are not, and need not be extensively IT
aware. But I object to the vague notion I detected in your message that
suggested people who don't run AV software may be unclean in some way.

Would you be offended if I asked you how you know your PC(s) aren't
infected with some virus without running a good on-demand anti-virus
scanner or two or three? :)


Art
http://www.epix.net/~artnpeg
 
Black Dog

Mail Ias said:
I'm about to go to my boss with a proposal to spend about $500 - $1,000 on
anti-virus software. I'm afraid he'll not go along with it.
How would you convince this guy to cough up the cash for this?

No advice, just commiseration. Several years ago I was on the phone to the
sales guy from Sophos (I'd requested the info and demo package). Salesguy
asks me, in not so many words, was I buying or just kicking the tires. I
told him- just kicking the tires, because the bosses just won't shell out
the bucks.

"My network's pretty safe" I told salesguy, "it's the bosses and their
laptops that drive me round the bend." I push "send and receive" and get a
virus email from one of said bosses. I laugh out loud. "PHB just
contracted a virus, looks like hubris" I tell salesguy. Look out the
window. PHB is getting out his van, laptop in hand, heading my way.

You'd think-- perfect opportunity to convince PHB of the benefits of buying
Sophos (or ANYTHING). Nope. Never happened.

Flash forward a year or two. NT server gets hosed by funlove (brought into
my network on a boss laptop) and is serving up viruses to the whole network.
Now will they shell out for AV? Nope. I use the old demo of Sophos to kill
the thing as much as possible, explaining to the PHB's that there is no free
AV for NT. The NT server is now a doorstop since I won't plug her back into
the network till she is a) decontaminated and b) PROTECTED from reinfection
with something more than a two year old piece of demo software. But, hey,
she looks quite nice there holding up that piece of crap wireless access
point ;-).

Happened again early this year when this particular PHB was some 2000 miles
away. An embarrassing number of emails containing somewhat sensitive
information mailed to all our friends and colleagues courtesy of bugbear. I
call him and tell him he is infected. PHB runs a six month old version of
Stinger and Norton AV with virus definitions from 2001 on his machine and
then tells me it scans clean.

I finally fixed it yesterday (12 files infected with bugbear- updated
stinger got 'em no problem).

Pheww. Good to get that rant off my chest.

Stella
 
FromTheRafters

Mail Ias said:
I'm about to go to my boss with a proposal to spend about $500 - $1,000 on
anti-virus software. I'm afraid he'll not go along with it.
[snip]

How would you convince this guy to cough up the cash for this?

Not all self-replicating malware will fall into the "merely an
annoyance" category. It only takes one really nasty one to
corrupt the system and the backups. If he values his data,
he should consider paying for a good AV product to help
protect it.
 
FromTheRafters

Spacen Jasset said:
...
...
I take offence, I don't have to use anti-virus software since I am quite
capable of keeping my computers virus free.

I would be interested to learn how you manage to do this.
Isolationism? If you do decide to run some new program,
how do you determine that it is virus free?

For some time I was "viewing" programs in an editor and
trying to determine what sort of actions it would take from
text strings I found within - but this wasn't very effective. I
also ran "InControl" on a test computer and ran the suspect
executable to see what if any changes it made to the registry.
This was also not very effective in the case of "viruses".

Now I use AV software in addition to all of the other
safe computing methods I chose to adopt.

Without AV - how do you know?
 
Boyd Williston

As a former boss of mine said, 'Get all your ducks in a row first.' Don't
just go in with the proposal, go in with a well researched and constructed
cost/benefit analysis.

The potential loss from a virus infection is 2-5 days of no network
activity whatsoever, and unrecoverable loss of critical data.

A firewall does not and cannot provide protection against virus infection.

You have an example of how even the best trained person can accidentally
cause an infection.

Using 'free' AV software (which is for non-commercial use only) puts your
company at serious financial risk.

Now, here is how I'd approach the boss. "In spite of our firewall and
training of users not to open attachments, we have had another virus
infection. I estimate that the minimum cost of each of these is (x
dollars). I recommend that, instead of waiting for another infection,
which could be as expensive as (give a sound, but high, estimate of being
down for 5 days), we spend no more than about $1000 to prevent problems
before they happen."
 
Doug Fox

Owners of data (or information) are responsible for their data/information
availability, confidentiality and integrity. (The triad of information
security.) If the owners do not care for their data confidentiality,
integrity, and availability; the custodian of these data cannot do much.

In this situation, the custodian should document the risk and request the
owner of the data to accept the risk. In case of being audited, the custodian
can show to the auditor that he/she has taken proper measures to
minimize/reduce the risk.
 
Steven Stern

I'm about to go to my boss with a proposal to spend about $500 - $1,000 on
anti-virus software. I'm afraid he'll not go along with it.
[snip]

2000 workstation (12) network.

Assume you were in my position. You can't quit and find another job. Not an
option right now. Your job is not purely IT, you have other responsibilities
-- otherwise quitting would probably be an option if he wouldn't pay for the
software.

How would you convince this guy to cough up the cash for this?

The best response was "get your ducks in a row". Make the economic argument
citing

1. the cost of your time
2. opportunity cost: the time you spend cleaning up viruses when you could
be doing something else and the cost of not getting that done
3. the cost of lost productivity when the network or an employee's
workstation is down
4. the risk cost of losing important data

Given the size of your network, you can get F-Prot for about $60 for 10
workstations. See http://www.f-prot.com/products/prices/price_win.html

Use a different solution on the servers for some redundancy.

If he won't buy AV software, make sure you get paid overtime!


Steve Stern
Manager, WUGNET VirusCentral Forum
http://go.compuserve.com/viruscentral?access=public
 
William Morris

aware. But I object to the vague notion I detected in your message that
suggested people who don't run AV software may be unclean in some way.

Not unclean, just ignorant (for those who don't know any better) or stupid
(for those that do).

Pick whichever shoe fits.
 
Steven Stern

Wow! For that price I could just go ahead and order it without any problem.
Is it really any good?

I'm using Norton on my PC and, when I was running a big network, used Symantec
Corporate Edition. However, the reports I've heard from F-Prot users are
almost uniformly positive. When my Norton subscription expires, I'm going to
buy F-Prot.

I found this review (FWIW):
http://antivirus.about.com/library/reviews/winscan/aaprfpwin.htm

Steve Stern
Manager, WUGNET VirusCentral Forum
http://go.compuserve.com/viruscentral?access=public
 
Mail Ias

I've been working with the trial version now. Looks like the email scanning
capability is weak.

I sent the test machine (Windows 2000 with Outlook 2000) the eicar test virus.
Both as a text file and as a .com executable. I can't tell when the Real
Time scanner gets it. Both NAV and AVG catch it as soon as it comes in.
F-prot will pop a window with a note when it finds it, but I can't find any
log it creates. F-prot just deletes it and goes on its way. I'd like to be
able to see what is going on.

Also, can't tell if there is an efficient way to update all the machines on a
network. I really need a better solution than for each client to individually
download the updates.
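
One way to get the visibility asked for in the post above, as an added example that is not part of the original thread: drop the harmless EICAR test file under the two extensions mentioned, poll it to see when and how the on-access scanner reacts, and write a timestamped log of your own. The function names, outcome labels and log format are choices made for this example, not features of any product named in the thread.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# Standard 68-byte EICAR test string, assembled from two halves so that this
# source file is not itself flagged by a scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def probe(path, timeout=10.0, interval=0.1):
    """Drop the test file at `path` and poll it; return (outcome, seconds)."""
    start = time.monotonic()
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR)
    except OSError:
        # Some on-access scanners refuse the write itself.
        return "blocked-on-write", time.monotonic() - start
    while time.monotonic() - start < timeout:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            # File was deleted or moved to quarantine.
            return "removed", time.monotonic() - start
        except OSError:
            # File still exists but the scanner denies access to it.
            return "blocked-on-read", time.monotonic() - start
        if data != EICAR:
            # Content was replaced or truncated ("cleaned").
            return "modified", time.monotonic() - start
        time.sleep(interval)
    return "survived", time.monotonic() - start


def run_probes(directory, names=("eicar.txt", "eicar.com"), timeout=10.0,
               log_path=None):
    """Probe each file name in turn; return [(name, outcome, seconds), ...]."""
    results = []
    for name in names:
        path = os.path.join(directory, name)
        outcome, seconds = probe(path, timeout=timeout)
        results.append((name, outcome, round(seconds, 2)))
        if log_path:
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            with open(log_path, "a", encoding="ascii") as log:
                log.write(f"{stamp} {name} {outcome} {seconds:.2f}s\n")
        try:
            os.remove(path)  # clean up anything the scanner left behind
        except OSError:
            pass
    return results


if __name__ == "__main__":
    workdir = tempfile.mkdtemp(prefix="avprobe-")
    for row in run_probes(workdir, log_path=os.path.join(workdir, "probe.log")):
        print(*row)
```

A "survived" result for a given extension means nothing reacted to that file within the timeout, which is the gap worth raising with the vendor or checking in the scanner's configuration.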
 
Spacen Jasset

Would you be offended if I asked you how you know your PC(s) aren't
infected with some virus without running a good on-demand anti-virus
scanner or two or three? :)

Well hmm. There is a saying that goes along the lines of "the only secure
computer is a switched off computer"

I do actually have some av-software about, and miscellaneous other tools
which include but are not limited to kernel level debuggers.
 
Spacen Jasset

FromTheRafters said:
I would be interested to learn how you manage to do this.
Isolationism? If you do decide to run some new program,
how do you determine that it is virus free?

For some time I was "viewing" programs in an editor and
trying to determine what sort of actions it would take from
text strings I found within - but this wasn't very effective. I
also ran "InControl" on a test computer and ran the suspect
executable to see what if any changes it made to the registry.
This was also not very effective in the case of "viruses".

Now I use AV software in addition to all of the other
safe computing methods I chose to adopt.

Without AV - how do you know?

Well yes, I should have kept quiet. I do have some av-scanners, I never run
them on demand though. I've got other tools which include debuggers, and I
do tend to take at least a hex editor to executable files before I run them.
and of course I don't run anything I get through email, usually.

But er, in fact I can't really know can I. But then you can't really know you
haven't got a virus either even if you are using 5 reputable ones.

I think I should have made my point differently...yes.
 
Spacen Jasset

William Morris said:
Not unclean, just ignorant (for those who don't know any better) or stupid
(for those that do).

Pick whichever shoe fits.

How rude :) I think you're calling me stupid. Now the thing is this. Even
your virus scanner doesn't trap new viruses (most of the time) so, you like
me, being fairly sensible don't open suspect emails, and take other
precautionary action. In my opinion: if you know how to prevent viruses
properly, then that's better defense than any anti-virus program can afford
you.

In other words if you've got all the patches, you're firewalled, you know
not to open suspect emails etc. Then you are 99.9% certain of avoiding a
virus infection.

On the subject of anti-virus software in the workplace then that is a
different matter because people generally are not so well educated, and
shouldn't necessarily have to become so -- they quite rightly just want to
do their job. So of course anti-virus software is highly recommended.
 
FromTheRafters

Spacen Jasset said:
Well yes, I should have kept quiet. I do have some av-scanners, I never run
them on demand though.

Can I assume that you mean "on access" here?

I've got other tools which include debuggers, and I
do tend to take at least a hex editor to executable files before I run them.
and of course I don't run anything I get through email, usually.

I suspected that you had a good system for avoiding malware. It
actually isn't that difficult to avoid a large percentage by just being
aware. Sometimes having an AV (especially "on access") is a bad
thing because it promotes (or at least seems to allow) laziness to
infiltrate normal safe computing practices.

....don't worry - your AV's on access scanner will catch it - go
ahead - click it and see.

But er, in fact I can't really know can I.

Only if you are capable of determining what a program does
by analyzing it yourself can you know for sure either way. AV
programs make it easier to identify the ones they know about,
but further analysis can prove them wrong in either case.

But then you can't really know you
haven't got a virus either even if you are using 5 reputable ones.

True, but they are pretty good at telling you when they "think"
they have recognized something.

I think I should have made my point differently...yes.

It was kinda funny really - Art probably only uses his AV as
"on demand" and probably only to scan his system before
ghosting his drive. His comment does actually make sense
in the context of the thread because the topic was about an
admin of a network who can't rely on local users to adhere
to safe practices. In this case - it *is* irresponsible to not
have any AV tools at all. Individuals (if they're savvy enough)
can get by without AV programs as long as the rest of their
toolset is up to the task. A network administrator doesn't
have the luxury of total control (but a policy editor goes a
long way toward that goal).
 
Spacen Jasset

....
Can I assume that you mean "on access" here?

Yes, that is what I had hoped to say.
....

I think you're right in the points you make. I think it is right to use
anti-virus software in the workplace. But I also think it's probably more
wise to strip executable attachments from email, and have a firewall. I
don't think it's fair to blame the general PC user, at home, or at work.

Microsoft is, or will be adding some security features in service pack 2 for
Windows XP, that can only be a good thing -- we will have to see how it works
out but the idea is, I think, the right one.
 
