Endpoint security shootout: Five products compete to protect client systems

InfoWorld testing reveals key differences in platform support, security features, and reporting functions among Check Point, McAfee, Sophos, Symantec, and Trend Micro solutions

Every computer that connects to the Internet must have some form of anti-virus protection installed. The number and type of virus threats increase every year, with new ones appearing at an alarming rate. However, threats to the desktop are not limited to simple viruses, but often come as a coordinated attack via drive-by installation of malware and spyware. Further, not all threats are from the Internet: Unprotected vendor laptops can inject malicious programs directly into the enterprise, or malicious employees can siphon secrets to USB thumb drives. Security applications must be able to protect the desktop from both internal and external threats.

Because securing the client device – the endpoint, if you will – is so important, I decided to put five of the top enterprise endpoint security packages to the test. They include: Check Point Endpoint Security – Secure Access Edition; McAfee Total Protection for Endpoint 4.0; Sophos Endpoint Security and Control; Symantec Endpoint Protection 11; and Trend Micro OfficeScan Client/Server Edition 8.0.

All five products worked well in my test lab, performing their anti-virus and anti-spyware security duties flawlessly. However, there were other factors to consider in evaluating these products beyond the effectiveness of their virus and malware protection, as well as their other security services. I looked at how easy they are to administer, how straightforward it is to update and manage clients, and how well the systems report back the security health of the enterprise. I also considered OS support; some of the products support an array of platforms, whereas others are Windows-only.

Check Point Endpoint Security – Secure Access Edition
Endpoint Security - Secure Access Edition from Check Point is a good all-around package of client-security services for Windows users. The package includes anti-virus, anti-spyware, a desktop firewall, NAC, program control, and a VPN client bundled in a single agent. The browser-based management console is less cumbersome that McAfee Total Protection's, but it's also not as intuitive as that of Trend Micro OfficeScan. Check Point's reporting engine is very utilitarian but provides all of the information IT needs to keep up with the network's security status without information overload.

I installed Endpoint Security on a virtualized Windows Server 2003 server and had no trouble loading the associated applications. Endpoint Security's management platform runs on a Windows Server 2003 or Check Point SecurePlatform (Check Point's version of Linux). Unlike offerings from McAfee and Sophos, the Endpoint Security client supports only Windows 2000 Pro (SP4), Windows XP Pro (SP2), and Vista Enterprise.

Once up and running, the Endpoint Security management platform consumed more than 350MB of RAM (mostly in use by the included Web engine, Tomcat) but had minimal CPU impact on the server. The client claimed about 102MB of RAM, both at idle and during a manual scan, with a rise in CPU usage from about 0 percent to approximately 55 percent. As expected, Endpoint Security detected, caught, and handled all threats without fail.

Check Point's protection engine is based on anti-virus and anti-spyware technology licensed from Kaspersky Labs in addition to Check Point's own anti-spyware technology. This two-pronged approach uses both signatures and heuristics to detect potential threats before they land on the system.

Unlike with all of the other reviewed products in this roundup, admins must either install the Endpoint Security client via traditional software-distribution methods or from a shared location; there is no push support in the Endpoint Security Dashboard. For organizations already running a Check Point firewall, the vendor offers an interesting method for installing the client on captive portal users' systems: Admins can force users to install the client in order to gain access to the Internet.

I like the level of control offered by Check Point's policy editor. Each policy falls into either a trusted zone (that is, a local network) or an untrusted zone (the Internet and all other networks) and provides different levels of access for each. The client firewall comes with a decent set of predefined rules, and it's easy to customize inbound and outbound rules to meet your needs. The application control gives IT broad yet easily manageable control over programs. Each policy includes "enforcement settings," Check Point-speak for NAC, which worked well in my test scenarios.

The application permissions engine provides an easy-to-manage system for allowing or denying program execution on both clients and servers. This whitelisting service allows admins to create logical groups of applications, such as browsers and mail clients, and to determine whether each program is permitted to run. I could restrict which browsers my test clients could run by simply adding the specific executable to the Browsers group, then denying access. I find this to be very powerful yet easy to use.

At first glance, Check Point's reporting engine seems a bit sparse, as if reports and charts are missing. But upon further inspection, when compared to Symantec Endpoint Protection's information overload, Check Point's almost simplistic reporting engine is a nice change of pace. Three major groups of reports -- endpoint monitor, endpoint activity, and infection history -- break out nicely, allowing a quick and uncluttered view into each endpoint's status. Unfortunately, infection history detail goes back only 14 days.

Check Point's Endpoint Security – Secure Access Edition is a good mix of endpoint protection and flexibility. I like the granular control available in each policy definition, and the concept of trusted and untrusted zones doubles the security footprint. Unfortunately, client OS support is limited to Windows systems, and there is no push installation support in the product.

McAfee Total Protection for Endpoint 4.0
McAfee Total Protection for Endpoint bundles anti-virus, anti-spyware, host-intrusion prevention, and network access control. All of these systems are tied together with the management console, ePolicy Orchestrator (ePO) 4.0, which is a welcome upgrade from previous versions, featuring a completely retooled reporting engine that allows admins to create many different custom reports. Total Protection is not Windows-centric and provides protection for other popular operating systems.

When I first received Total Protection for Endpoint, I had a prerelease installation package that required following a convoluted script that would make Cecil B. DeMille proud. Fortunately, the shipping install package was a single setup program that does all the heavy lifting for admins. Other than specifying the database engine to use (it included MSDE), installation was relatively straightforward. Upon the setup's completion, my system was up and running, ready for me to check in the various packages and download all available updates.

I really like the breadth of OS support found in Total Protection. From ePO, you can deploy and manage policies on all 32-bit Windows platforms (including NT 4.0 with SP6a) and 64-bit Windows systems, as well as Novell NetWare, Linux, Mac OS X, Citrix MetaFrame 1.8, and XP Tablet PCs. As with the Sophos and Symantec products, I found that being able to manage a heterogeneous enterprise from a single console was a big plus.

Total Protection provides a couple of methods for deploying the ePO agent to unprotected desktops. Unlike with Check Point Endpoint Security, I can push the agent out to my test systems from ePolicy Orchestrator by selecting systems in the Lost & Found group and clicking the Deploy Agent button. ePO also synchronizes with Microsoft Active Directory, automatically adding any new systems added to AD. ePO constantly monitors the local network for unknown systems, making it easy to identify and update unprotected machines.

Assigning and defining security policies in ePO aren't nearly as intuitive as in other packages. Although ePO provides access to groups, users, systems, policies, and more, it suffers from a bit of drop-down box overload. It's difficult to see at a glance how policies are assigned and which ones are enabled on a per-client and per-group basis.

McAfee Total Protection for Endpoint comes pretty close to being exactly what its name says: absolute protection for clients. VirusScan Enterprise and McAfee Anti-Spyware deliver two flavors of scans, providing excellent real-time, on-demand protection from viruses and other potentially unwanted programs using a mix of signatures and heuristics. Total Protection didn't have any trouble identifying and trapping threats, whether from a questionable Web site or an infected file.

Total Protection uses a single scanning engine, allowing for a slightly smaller (80MB of RAM) footprint while in use. An on-demand scan consumed about 100MB of RAM and averaged 37 percent CPU usage with peaks to 100 percent.

Helping to lock down the desktop, Host Intrusion Prevention (HIP) provides application blocking, a client firewall, and general IPS rules such as buffer overflow and known application exploits. As with Trend Micro's Intrusion Defense Firewall, IT can create various rules with Total Protection as to what type of traffic is allowed or denied, both to and from a client. The application-blocking support is good, but it does not provide the same granular level of configuration found in Check Point's offering. Admins are limited to basic Allow and Block selections for each defined application.

The reporting module is where McAfee Total Protection shines. With this release of ePO, the reporting and dashboard services receive a major retooling, allowing admins to create custom reports and attach them to a dashboard for easy monitoring. In fact, ePO allows admins to create multiple dashboards for grouping related reports. The number of predefined reports is staggering, and I really like that I could quickly and easily create new exports in a variety of formats.

Total Protection is a solid, well-rounded endpoint security package that fires on all cylinders. I like the enhanced reporting capabilities in ePO, and the single-engine virus and malware scanner works very well. Moreover, the expanded platform support fits in nicely with most large organizations. My biggest complaint is that it's hard to easily see my policies and how they're assigned to each group or individual client.

Sophos Endpoint Security and Control
Sophos Endpoint Security and Control offers a tight mix of virus and spyware protection, along with client firewall, application control, host intrusion protection, and network access control. Furthermore, its intuitive browser-based management platform works well.

I had no trouble installing Sophos' Enterprise Console on my Windows Server 2003 virtual test bed. Like Trend Micro's OfficeScan, server resources were pleasingly light, requiring only about 100MB of RAM when logged into the console using Internet Explorer. During installation, I chose to have Sophos install MSDE on my server. Alternatively, admins can elect to use an existing Microsoft SQL server.

Deploying the Sophos client to users' PCs is a push process from the Enterprise Console. The Find New Computers wizard lets admins choose between importing a list of computers from Active Directory or performing a network scan based on network (NetBIOS name) or IP address range. I used the Active Directory method and had no problems installing the full client to my test machines.

Endpoint Security provides protection for not only Windows machines, but also Mac, Linux, Unix, NetWare, and OpenVMS systems. The list of supported platforms is extensive and includes both 32- and 64-bit platforms. Best of all, admins can manage and monitor all flavors of clients from a single Sophos Enterprise Console. Like Trend Micro's and Symantec's respective products, Sophos includes virtual environments as part of the supported package.

One feature that busy admins will appreciate is Sophos' ability to uninstall any third-party anti-virus programs already present on users' PC. One of my target systems came with another vendor's endpoint client package, and Sophos cleanly removed it prior to installing the new package.

Enterprise Security and Control is exactly what its names suggests: a full suite of security services blended together to allow administrators to tailor both inbound and outbound security. The real-time anti-virus and anti-spyware detectors share the same engine and the same virus/malware definitions. Endpoint generates an MD5 hash of each scanned file. If, on subsequent scans, the hash is unchanged, then Sophos skips scanning the file, saving CPU cycles.

Complementing the signature-based detection is what Sophos calls Behavioral Genotyping. This behavioral engine checks potentially malicious traffic against existing definitions in order to help stop new or unknown attacks. As long as the attack is a variant of an existing virus -- and most viruses are -- Sophos will detect it and block it. Each threat I threw at Endpoint Security was caught and handled according to my security policy. No surprises here.

Sophos' Application Control allows admins to create whitelists of approved programs: You can block specific applications or entire groups, such as remote-management tools. Beyond application control, Sophos also helps cut down on data leakage by blocking users' access to local storage devices, wireless connections such as Wi-Fi and infrared, instant messaging, and file-sharing applications.

Network access control is managed through a separate browser-based UI accessible from the Enterprise Console. The predefined policies and profiles make quick work of getting a NAC system up and running, and the wide range of configuration options means admins can create a system to meet just about any situation.

The Enterprise Console is where admins will spend most of their time, and unlike with McAfee's ePO, it is time well spent. The console is well laid out and easy to navigate, with the graphical dashboard providing at-a-glance status reports of the network. The reporting engine is good if not overly flashy. I like that I can click on a detected item name in the Alerts report and find out additional information about the threat.

I was really impressed with Sophos Enterprise Security and Control. The administrative console provides an overview into the health of the enterprise, and the policy quick links make accessing specific policy items fast and easy. I like that I can manage my heterogeneous enterprise from one console, and the level of protection is top notch.

Symantec Endpoint Protection 11
One of the best-known vendors of anti-virus software, Symantec scores with its latest offering, Symantec Endpoint Protection (SEP) 11. A bundled mix of anti-virus, anti-spyware, firewall, intrusion prevention, and application and device control, SEP provides a well-rounded suite of protection for both clients and servers. The centralized management console, Endpoint Protection Manager, does a good job of providing a one-stop management tool for admins, and the reporting engine issues a wealth of information, but only if you know how to look for it.

Installation of SEP on my test Windows 2003 Server went off without a hitch. Make sure your host server has plenty of resources: Between SEP's database engine and other core services, it consumed more than 300MB of RAM. Also, Endpoint Protection is the only product in this roundup that has a Java-based management console, and it suffers from mild Java lag. On the client side, RAM demand is light, with only about 10MB in use at idle and less than 55MB and 28 percent CPU utilization during a full system scan.

Symantec Endpoint Protection comes with a nifty deployment wizard that walks admins through the process of pushing out the agent to unprotected clients. If your organization has a standard software-distribution system in place, you can simply distribute a single executable install package to unprotected systems or allow individuals to launch the install from a shared folder. SEP can also talk to Active Directory to import organizational groups for better client management.

Like McAfee's and Sophos' offerings, SEP will protect not only 32- and 64-bit Windows systems, but also 32- and 64-bit Linux, Novell Open Enterprise Server, and VMware ESX. Unlike Sophos, SEP does not currently support Mac.

The heart of Endpoint Protection is the anti-virus and anti-spyware detection engine. SEP employs a single-protection technology composed of multiple scan engines to detect and scan for viruses and malware. As files are copied or created, SEP intercepts them and passes them to the appropriate scan engine.

Much like Sophos' Behavioral Genotyping, Symantec's TruScan Proactive Threat component protects the client from unknown and zero-day threats by monitoring the behavior of programs to determine their intent. TruScan detects and logs discovered instances of potential unwanted programs for admins to review. TruScan can also detect commercial keyloggers and remote-control applications, and admins can log, ignore, terminate, or quarantine these programs.

The firewall engine built into SEP is first rate and provides a very fine level of control over protocols, ports, and applications. The default firewall rule set is very detailed, providing a secure out-of-the-box configuration. A handy firewall rule wizard helps admins create any additional custom rules as necessary. The intrusion-prevention engine complements the client firewall, but other than a couple of check boxes, it doesn't allow for any real customization.

Application control in SEP is not nearly as intuitive as that of Check Point Endpoint Security. The rule builder is very extensive, allowing the agent to check for many different conditions, such as Registry access, launch process attempt, and terminate process attempt. The application control rule builder would benefit from an interview-based wizard to walk admins through the rule-creation process. The current rule engine is powerful, but it's not very intuitive, making it cumbersome to use. Admins who take the time to learn the application-control rules engine will find it more than capable of locking down not only applications but the behavior of devices, such as USB drives.

SEP's reporting engine could also welcome a user-friendliness makeover. There is a wealth of information available to the admin, but because the report engine generates so much information, finding what you're looking for can be difficult. In a future version, I would like to see interactive reports. For example, I was able to create a chart of attacked PCs, but all that was reported was the group and number of attacks. I'd like to be able to drill down into the chart to see which systems were attacked for further analysis.

Overall, Symantec Endpoint Protection is a good all-around security package. Its only real weakness is its reporting engine. The anti-virus/anti-spyware protection is solid, and I like that wider range of operating systems supported. The client firewall is one of the best going, but the application protection is a bit of a management chore.

Trend Micro OfficeScan Client/Server Edition 8.0
Trend Micro's OfficeScan Client/Server Edition 8.0 bundles all of the required protection services into a platform that's easy to install and deploy. OfficeScan includes anti-virus and anti-spyware protection, firewall, intrusion prevention and detection, Web-threat security, and integration with Cisco Network Access and Control 2.0. Admins centrally manage OfficeScan via their browser, and the product is capable of overseeing multiple domains.

Installing OfficeScan took about 45 minutes on my virtual test bed. Server resources were light, requiring less than 100MB of RAM with the management console open (including Internet Explorer usage). The console was easy to handle and fairly intuitive to navigate, unlike McAfee's ePolicy Orchestrator. Admins can install the client engine either through a Web link to the OfficeScan server or via push from the management UI.

The OfficeScan client will run on any version of Windows from 2000 to 2008, including 64-bit Vista. The OfficeScan Server requires Windows Server 2000 through Server 2003. Virtualized environments such as those from Microsoft, Citrix, and VMware are also supported. Unlike the products from McAfee, Sophos, and Symantec, Trend Micro's offering does not support non-Windows platforms.

The heart of any anti-virus system is its real-time protection. OfficeScan uses separate engines to inspect traffic for virus and spyware activity. Both engines use signature matching to detect the digital nasties, and unlike Symantec's and Sophos' respective products, OfficeScan does not have a behavioral detection engine for spotting zero-day attacks. A behavioral detection engine is in the works and should be available in the next major release.

During my tests, OfficeScan detected and blocked all of the viruses I threw at it, and it had little trouble picking out malware from a malicious overseas Web site. It processed the threats based on the policy in place, cleaning, quarantining, or deleting as prescribed. The real-time protection worked well in all my tests, and resource usage was very low: about 50 percent CPU usage and 55MB of RAM during an active scan.

The client firewall included in OfficeScan is solid if not flashy. Defining firewall settings entails defining a security policy, then assigning the policy to a user profile. The security policy dictates how the firewall will function, blocking all inbound and outbound traffic, blocking all inbound traffic, or allowing all traffic. Admins can add exceptions to each policy, for example, to allow remote connection to the desktop while denying all other inbound traffic. You can also define exceptions based on protocol, port, and IP address.

A step above the built-in OfficeScan client firewall is the Intrusion Defense Firewall (IDF) plug-in, available as a separate license from Trend Micro. IDF performs deep-packet inspection on all incoming and outgoing traffic and helps eliminate illegitimate network traffic. It is a full-featured stateful packet inspection engine that doesn't require additional RAM or add any noticeable latency on the network.

OfficeScan is the only package in this roundup that includes built-in support for Cisco NAC policies and agents. For those companies already deploying Cisco NAC, OfficeScan can directly integrate with your existing policy servers, providing network access control through the included Cisco Trust Agent.

The reporting engine is a weak area in OfficeScan, numbering a summary page in the management UI. To be fair, graphical representations of outbreaks and client connections are easy to read, as is the Update Status section showing signature and application versions. Unlike with McAfee ePolicy Orchestrator, admins cannot create customized reports or charts with OfficeScan.

Trend Micro's OfficeScan is a good all-around package for securing Windows-based clients. The management console suffers from some organizational problems, but access to all systems and policy objects is only a click or two away. Reporting is limited, but the tight integration with Cisco NAC is a definite plus.

Closing thoughts
I went into this review without any preconceived notions as to which product would fare the best, and I was pleasantly surprised to see that Sophos Endpoint Security and Control just edged out Symantec Endpoint Protection for top honors. The Sophos solution provides excellent client platform support and includes the core services to keep endpoints secure. At the same time, it's easy to use and administer. Its well-rounded reporting engine is key in garnering the top score in this roundup.

InfoWorld Scorecard
Reporting (15.0%)
Features (20.0%)
Threat defense (25.0%)
Value (10.0%)
Management (20.0%)
Platform support (10.0%)
Overall Score (100%)
Check Point Endpoint Security - Secure Access Edition 7.0 8.0 9.0 7.0 8.0 6.0 7.8
McAfee Total Protection for Endpoint 9.0 8.0 9.0 8.0 7.0 9.0 8.3
Sophos Endpoint Security and Control 8.0 8.0 9.0 9.0 9.0 9.0 8.7
Symantec Endpoint Protection 11 7.0 8.0 9.0 9.0 8.0 9.0 8.3
Trend Micro OfficeScan Client/Server Edition 8.0 7.0 7.0 9.0 7.0 8.0 6.0 7.6
From CIO: 8 Free Online Courses to Grow Your Tech Skills
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies