Endpoint security shootout: Five products compete to protect client systems
InfoWorld testing reveals key differences in platform support, security features, and reporting functions among Check Point, McAfee, Sophos, Symantec, and Trend Micro solutions
When I first received Total Protection for Endpoint, I had a prerelease installation package that required following a convoluted script that would make Cecil B. DeMille proud. Fortunately, the shipping install package was a single setup program that does all the heavy lifting for admins. Other than specifying the database engine to use (it included MSDE), installation was relatively straightforward. Upon the setup's completion, my system was up and running, ready for me to check in the various packages and download all available updates.
I really like the breadth of OS support found in Total Protection. From ePO, you can deploy and manage policies on all 32-bit Windows platforms (including NT 4.0 with SP6a) and 64-bit Windows systems, as well as Novell NetWare, Linux, Mac OS X, Citrix MetaFrame 1.8, and XP Tablet PCs. As with the Sophos and Symantec products, I found that being able to manage a heterogeneous enterprise from a single console was a big plus.
Total Protection provides a couple of methods for deploying the ePO agent to unprotected desktops. Unlike with Check Point Endpoint Security, I can push the agent out to my test systems from ePolicy Orchestrator by selecting systems in the Lost & Found group and clicking the Deploy Agent button. ePO also synchronizes with Microsoft Active Directory, automatically picking up any new systems that are added to AD. ePO constantly monitors the local network for unknown systems, making it easy to identify and update unprotected machines.
Assigning and defining security policies in ePO aren't nearly as intuitive as in other packages. Although ePO provides access to groups, users, systems, policies, and more, it suffers from a bit of drop-down box overload. It's difficult to see at a glance how policies are assigned and which ones are enabled on a per-client and per-group basis.
McAfee Total Protection for Endpoint comes pretty close to being exactly what its name says: absolute protection for clients. VirusScan Enterprise and McAfee Anti-Spyware deliver two flavors of scans, providing excellent real-time, on-demand protection from viruses and other potentially unwanted programs using a mix of signatures and heuristics. Total Protection didn't have any trouble identifying and trapping threats, whether from a questionable Web site or an infected file.
Total Protection uses a single scanning engine, allowing for a slightly smaller (80MB of RAM) footprint while in use. An on-demand scan consumed about 100MB of RAM and averaged 37 percent CPU usage with peaks to 100 percent.
Helping to lock down the desktop, Host Intrusion Prevention (HIP) provides application blocking, a client firewall, and general IPS rules covering buffer overflows and known application exploits. As with Trend Micro's Intrusion Defense Firewall, IT can create various rules in Total Protection governing what type of traffic is allowed or denied, both to and from a client. The application-blocking support is good, but it does not provide the same granular level of configuration found in Check Point's offering. Admins are limited to basic Allow and Block selections for each defined application.
The reporting module is where McAfee Total Protection shines. With this release of ePO, the reporting and dashboard services receive a major retooling, allowing admins to create custom reports and attach them to a dashboard for easy monitoring. In fact, ePO allows admins to create multiple dashboards for grouping related reports. The number of predefined reports is staggering, and I really like that I could quickly and easily create new exports in a variety of formats.