Endpoint security shootout: Five products compete to protect client systems

InfoWorld testing reveals key differences in platform support, security features, and reporting functions among Check Point, McAfee, Sophos, Symantec, and Trend Micro solutions

Sophos' Application Control allows admins to create whitelists of approved programs: You can block specific applications or entire groups, such as remote-management tools. Beyond application control, Sophos also helps cut down on data leakage by blocking users' access to local storage devices, wireless connections such as Wi-Fi and infrared, instant messaging, and file-sharing applications.
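The allowlist-plus-blocked-groups model described above, as an added example (a hypothetical Python model written for this page, not Sophos code). It assumes programs are identified by the SHA-256 of their bytes rather than by path, that a block on a specific program or on a whole group takes precedence over the allowlist, and that anything unknown is denied; the sample "executables" are constructed byte strings.

```python
"""Toy application-control check modelled on the review's description
(hypothetical, not Sophos code).

Identity is the file hash, not the path, so a blocked binary copied under a
new name is still recognised. Blocks (specific programs or whole groups such
as remote-management tools) take precedence over the allowlist, and anything
not on the allowlist is denied by default.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables": short byte strings standing in for real files.
SAMPLE_FILES = {
    "C:/Program Files/Office/winword.exe": b"constructed-sample: word processor",
    "C:/Tools/remote-admin.exe": b"constructed-sample: remote management tool",
    "C:/Users/alice/Downloads/game.exe": b"constructed-sample: unapproved game",
}


@dataclass
class AppControlPolicy:
    allowed: set[str] = field(default_factory=set)        # hashes of approved programs
    blocked: set[str] = field(default_factory=set)        # hashes blocked individually
    blocked_groups: dict[str, set[str]] = field(default_factory=dict)  # group -> hashes

    def decide(self, path: str, content: bytes) -> tuple[str, str]:
        """Return (action, reason) for a program about to run."""
        h = sha256_hex(content)
        for group, members in self.blocked_groups.items():
            if h in members:
                return "block", f"member of blocked group '{group}' ({path})"
        if h in self.blocked:
            return "block", f"explicitly blocked program ({path})"
        if h in self.allowed:
            return "allow", f"on the approved-program allowlist ({path})"
        return "block", f"not on the allowlist, default deny ({path})"


def build_policy() -> AppControlPolicy:
    """Hypothetical policy: Word and the remote-admin tool are both approved,
    but the remote-admin tool also belongs to a blocked group, and the block wins."""
    word = sha256_hex(SAMPLE_FILES["C:/Program Files/Office/winword.exe"])
    remote = sha256_hex(SAMPLE_FILES["C:/Tools/remote-admin.exe"])
    return AppControlPolicy(
        allowed={word, remote},
        blocked_groups={"remote-management tools": {remote}},
    )


def evaluate_samples(policy: AppControlPolicy) -> dict[str, str]:
    """Decide every sample file, plus a renamed copy of the remote-admin tool."""
    results = {path: policy.decide(path, data)[0] for path, data in SAMPLE_FILES.items()}
    # Same bytes under a different name: still blocked, because identity is the hash.
    renamed = policy.decide("C:/Users/alice/notes.exe",
                            SAMPLE_FILES["C:/Tools/remote-admin.exe"])
    results["renamed copy of remote-admin.exe"] = renamed[0]
    return results


if __name__ == "__main__":
    for name, action in evaluate_samples(build_policy()).items():
        print(f"{action:5s}  {name}")
```

The design choice worth noting is the precedence order: a group block outranks an individual allow, so adding a tool to the allowlist cannot silently undo a policy decision to keep an entire category of software off the endpoint.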

Network access control is managed through a separate browser-based UI accessible from the Enterprise Console. The predefined policies and profiles make quick work of getting a NAC system up and running, and the wide range of configuration options means admins can create a system to meet just about any situation.

The Enterprise Console is where admins will spend most of their time, and unlike with McAfee's ePO, it is time well spent. The console is well laid out and easy to navigate, with the graphical dashboard providing at-a-glance status reports of the network. The reporting engine is good if not overly flashy. I like that I can click on a detected item name in the Alerts report and find out additional information about the threat.

I was really impressed with Sophos Enterprise Security and Control. The administrative console provides an overview into the health of the enterprise, and the policy quick links make accessing specific policy items fast and easy. I like that I can manage my heterogeneous enterprise from one console, and the level of protection is top notch.

Symantec Endpoint Protection 11
One of the best-known vendors of anti-virus software, Symantec scores with its latest offering, Symantec Endpoint Protection (SEP) 11. A bundled mix of anti-virus, anti-spyware, firewall, intrusion prevention, and application and device control, SEP provides a well-rounded suite of protection for both clients and servers. The centralized management console, Endpoint Protection Manager, does a good job of providing a one-stop management tool for admins, and the reporting engine issues a wealth of information, but only if you know how to look for it.

Installation of SEP on my test Windows 2003 Server went off without a hitch. Make sure your host server has plenty of resources: Between SEP's database engine and other core services, it consumed more than 300MB of RAM. Also, Endpoint Protection is the only product in this roundup that has a Java-based management console, and it suffers from mild Java lag. On the client side, RAM demand is light, with only about 10MB in use at idle and less than 55MB and 28 percent CPU utilization during a full system scan.

Symantec Endpoint Protection comes with a nifty deployment wizard that walks admins through the process of pushing out the agent to unprotected clients. If your organization has a standard software-distribution system in place, you can simply distribute a single executable install package to unprotected systems or allow individuals to launch the install from a shared folder. SEP can also talk to Active Directory to import organizational groups for better client management.

Like McAfee's and Sophos' offerings, SEP will protect not only 32- and 64-bit Windows systems, but also 32- and 64-bit Linux, Novell Open Enterprise Server, and VMware ESX. Unlike Sophos, SEP does not currently support Mac.

The heart of Endpoint Protection is the anti-virus and anti-spyware detection engine. SEP employs a single-protection technology composed of multiple scan engines to detect and scan for viruses and malware. As files are copied or created, SEP intercepts them and passes them to the appropriate scan engine.

Much like Sophos' Behavioral Genotyping, Symantec's TruScan Proactive Threat component protects the client from unknown and zero-day threats by monitoring the behavior of programs to determine their intent. TruScan detects and logs discovered instances of potential unwanted programs for admins to review. TruScan can also detect commercial keyloggers and remote-control applications, and admins can log, ignore, terminate, or quarantine these programs.

The firewall engine built into SEP is first rate and provides a very fine level of control over protocols, ports, and applications. The default firewall rule set is very detailed, providing a secure out-of-the-box configuration. A handy firewall rule wizard helps admins create any additional custom rules as necessary. The intrusion-prevention engine complements the client firewall, but other than a couple of check boxes, it doesn't allow for any real customization.

Application control in SEP is not nearly as intuitive as that of Check Point Endpoint Security. The rule builder is very extensive, allowing the agent to check for many different conditions, such as Registry access, launch process attempt, and terminate process attempt. The application control rule builder would benefit from an interview-based wizard to walk admins through the rule-creation process. The current rule engine is powerful, but it's not very intuitive, making it cumbersome to use. Admins who take the time to learn the application-control rules engine will find it more than capable of locking down not only applications but the behavior of devices, such as USB drives.

SEP's reporting engine could also welcome a user-friendliness makeover. There is a wealth of information available to the admin, but because the report engine generates so much information, finding what you're looking for can be difficult. In a future version, I would like to see interactive reports. For example, I was able to create a chart of attacked PCs, but all that was reported was the group and number of attacks. I'd like to be able to drill down into the chart to see which systems were attacked for further analysis.

Overall, Symantec Endpoint Protection is a good all-around security package. Its only real weakness is its reporting engine. The anti-virus/anti-spyware protection is solid, and I like the wider range of operating systems supported. The client firewall is one of the best going, but the application protection is a bit of a management chore.

Trend Micro OfficeScan Client/Server Edition 8.0
Trend Micro's OfficeScan Client/Server Edition 8.0 bundles all of the required protection services into a platform that's easy to install and deploy. OfficeScan includes anti-virus and anti-spyware protection, firewall, intrusion prevention and detection, Web-threat security, and integration with Cisco Network Access and Control 2.0. Admins centrally manage OfficeScan via their browser, and the product is capable of overseeing multiple domains.

Installing OfficeScan took about 45 minutes on my virtual test bed. Server resources were light, requiring less than 100MB of RAM with the management console open (including Internet Explorer usage). The console was easy to handle and fairly intuitive to navigate, unlike McAfee's ePolicy Orchestrator. Admins can install the client engine either through a Web link to the OfficeScan server or via push from the management UI.

The OfficeScan client will run on any version of Windows from 2000 to 2008, including 64-bit Vista. The OfficeScan Server requires Windows Server 2000 through Server 2003. Virtualized environments such as those from Microsoft, Citrix, and VMware are also supported. Unlike the products from McAfee, Sophos, and Symantec, Trend Micro's offering does not support non-Windows platforms.

The heart of any anti-virus system is its real-time protection. OfficeScan uses separate engines to inspect traffic for virus and spyware activity. Both engines use signature matching to detect the digital nasties, and unlike Symantec's and Sophos' respective products, OfficeScan does not have a behavioral detection engine for spotting zero-day attacks. A behavioral detection engine is in the works and should be available in the next major release.

During my tests, OfficeScan detected and blocked all of the viruses I threw at it, and it had little trouble picking out malware from a malicious overseas Web site. It processed the threats based on the policy in place, cleaning, quarantining, or deleting as prescribed. The real-time protection worked well in all my tests, and resource usage was very low: about 50 percent CPU usage and 55MB of RAM during an active scan.

The client firewall included in OfficeScan is solid if not flashy. Defining firewall settings entails defining a security policy, then assigning the policy to a user profile. The security policy dictates how the firewall will function, blocking all inbound and outbound traffic, blocking all inbound traffic, or allowing all traffic. Admins can add exceptions to each policy, for example, to allow remote connection to the desktop while denying all other inbound traffic. You can also define exceptions based on protocol, port, and IP address.
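The base-mode-plus-exceptions policy model just described, as an added example (a hypothetical Python evaluator written for this page, not Trend Micro's implementation). It assumes a policy is one of the three base modes plus an ordered list of exceptions keyed on direction, protocol, port and remote network, with the first matching exception winning; the traffic samples and the 10.10.0.0/16 admin subnet are constructed.

```python
"""Toy evaluator for a client-firewall policy of the kind described above
(hypothetical model written for this example, not Trend Micro's code).

A policy is a base mode over all traffic plus an ordered list of exceptions
keyed on direction, protocol, port and remote network. The first matching
exception decides; if none matches, the base mode does.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    BLOCK_ALL = "block all inbound and outbound traffic"
    BLOCK_INBOUND = "block all inbound traffic, allow outbound"
    ALLOW_ALL = "allow all traffic"


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (to this host) or "out" (from this host)
    protocol: str         # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port for tcp/udp, None for icmp
    remote_ip: str        # peer address: source for inbound, destination for outbound


@dataclass(frozen=True)
class FirewallException:
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # None matches either direction
    protocol: Optional[str] = None    # None matches any protocol
    port: Optional[int] = None        # None matches any port
    remote_net: Optional[str] = None  # CIDR string; None matches any address

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.port is not None and self.port != pkt.port:
            return False
        if self.remote_net is not None:
            net = ipaddress.ip_network(self.remote_net, strict=False)
            if ipaddress.ip_address(pkt.remote_ip) not in net:
                return False
        return True


@dataclass
class FirewallPolicy:
    mode: Mode
    exceptions: list[FirewallException] = field(default_factory=list)

    def base_action(self, pkt: Packet) -> str:
        if self.mode is Mode.ALLOW_ALL:
            return "allow"
        if self.mode is Mode.BLOCK_ALL:
            return "block"
        return "block" if pkt.direction == "in" else "allow"   # BLOCK_INBOUND

    def decide(self, pkt: Packet) -> tuple[str, str]:
        """Return (action, reason); exceptions are checked in order, first match wins."""
        for i, exc in enumerate(self.exceptions):
            if exc.matches(pkt):
                return exc.action, f"exception {i}: {exc}"
        return self.base_action(pkt), f"base mode ({self.mode.value})"


def remote_desktop_policy() -> FirewallPolicy:
    """The review's example: allow remote desktop in, deny all other inbound.
    The exception is scoped to a constructed admin subnet (10.10.0.0/16);
    leaving remote_net=None would expose the port to every address."""
    return FirewallPolicy(
        mode=Mode.BLOCK_INBOUND,
        exceptions=[
            FirewallException("allow", direction="in", protocol="tcp",
                              port=3389, remote_net="10.10.0.0/16"),
        ],
    )


def evaluate(policy: FirewallPolicy, packets: list[Packet]) -> dict[Packet, str]:
    return {pkt: policy.decide(pkt)[0] for pkt in packets}


if __name__ == "__main__":
    # Constructed sample traffic; addresses are private and documentation ranges.
    samples = [
        Packet("in", "tcp", 3389, "10.10.4.7"),      # RDP from the admin subnet
        Packet("in", "tcp", 3389, "203.0.113.5"),    # RDP from outside that subnet
        Packet("in", "tcp", 445, "10.10.4.7"),       # SMB from the admin subnet
        Packet("out", "tcp", 443, "198.51.100.7"),   # outbound HTTPS
    ]
    for pkt, action in evaluate(remote_desktop_policy(), samples).items():
        print(f"{action:5s}  {pkt}")
```

The point the model makes visible is that an exception's scope is part of the policy: the same "allow remote desktop" exception is a narrow administrative opening when tied to a subnet and a broad one when the address field is left empty, and the ordering of exceptions decides which one speaks when two overlap.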

A step above the built-in OfficeScan client firewall is the Intrusion Defense Firewall (IDF) plug-in, available as a separate license from Trend Micro. IDF performs deep-packet inspection on all incoming and outgoing traffic and helps eliminate illegitimate network traffic. It is a full-featured stateful packet inspection engine that doesn't require additional RAM or add any noticeable latency on the network.

OfficeScan is the only package in this roundup that includes built-in support for Cisco NAC policies and agents. For those companies already deploying Cisco NAC, OfficeScan can directly integrate with your existing policy servers, providing network access control through the included Cisco Trust Agent.

The reporting engine is a weak area in OfficeScan, amounting to little more than a summary page in the management UI. To be fair, graphical representations of outbreaks and client connections are easy to read, as is the Update Status section showing signature and application versions. Unlike with McAfee ePolicy Orchestrator, admins cannot create customized reports or charts with OfficeScan.

Trend Micro's OfficeScan is a good all-around package for securing Windows-based clients. The management console suffers from some organizational problems, but access to all systems and policy objects is only a click or two away. Reporting is limited, but the tight integration with Cisco NAC is a definite plus.

Closing thoughts
I went into this review without any preconceived notions as to which product would fare the best, and I was pleasantly surprised to see that Sophos Endpoint Security and Control just edged out Symantec Endpoint Protection for top honors. The Sophos solution provides excellent client platform support and includes the core services to keep endpoints secure. At the same time, it's easy to use and administer. Its well-rounded reporting engine is key in garnering the top score in this roundup.

InfoWorld Scorecard

Product                                                Reporting  Features  Threat defense  Value    Management  Platform support  Overall score
                                                       (15.0%)    (20.0%)   (25.0%)         (10.0%)  (20.0%)     (10.0%)           (100%)
Check Point Endpoint Security - Secure Access Edition  7.0        8.0       9.0             7.0      8.0         6.0               7.8
McAfee Total Protection for Endpoint                   9.0        8.0       9.0             8.0      7.0         9.0               8.3
Sophos Endpoint Security and Control                   8.0        8.0       9.0             9.0      9.0         9.0               8.7
Symantec Endpoint Protection 11                        7.0        8.0       9.0             9.0      8.0         9.0               8.3
Trend Micro OfficeScan Client/Server Edition 8.0       7.0        7.0       9.0             7.0      8.0         6.0               7.6