Endpoint security shootout: Five products compete to protect client systems
InfoWorld testing reveals key differences in platform support, security features, and reporting functions among Check Point, McAfee, Sophos, Symantec, and Trend Micro solutions
Much like Sophos' Behavioral Genotyping, Symantec's TruScan Proactive Threat component protects the client from unknown and zero-day threats by monitoring the behavior of programs to determine their intent. TruScan detects and logs discovered instances of potential unwanted programs for admins to review. TruScan can also detect commercial keyloggers and remote-control applications, and admins can log, ignore, terminate, or quarantine these programs.
The firewall engine built into SEP is first-rate and provides a very fine level of control over protocols, ports, and applications. The default firewall rule set is very detailed, providing a secure out-of-the-box configuration. A handy firewall rule wizard helps admins create any additional custom rules as necessary. The intrusion-prevention engine complements the client firewall, but other than a couple of check boxes, it doesn't allow for any real customization.
Application control in SEP is not nearly as intuitive as that of Check Point Endpoint Security. The rule builder is very extensive, allowing the agent to check for many different conditions, such as Registry access, launch process attempt, and terminate process attempt. The application control rule builder would benefit from an interview-based wizard to walk admins through the rule-creation process. The current rule engine is powerful, but it's not very intuitive, making it cumbersome to use. Admins who take the time to learn the application-control rules engine will find it more than capable of locking down not only applications but the behavior of devices, such as USB drives.
SEP's reporting engine could also use a user-friendliness makeover. There is a wealth of information available to the admin, but because the report engine generates so much information, finding what you're looking for can be difficult. In a future version, I would like to see interactive reports. For example, I was able to create a chart of attacked PCs, but all that was reported was the group and the number of attacks. I'd like to be able to drill down into the chart to see which systems were attacked for further analysis.
Overall, Symantec Endpoint Protection is a good all-around security package. Its only real weakness is its reporting engine. The anti-virus/anti-spyware protection is solid, and I like the wider range of operating systems supported. The client firewall is one of the best going, but the application protection is a bit of a management chore.
Trend Micro OfficeScan Client/Server Edition 8.0
Trend Micro's OfficeScan Client/Server Edition 8.0 bundles all of the required protection services into a platform that's easy to install and deploy. OfficeScan includes anti-virus and anti-spyware protection, firewall, intrusion prevention and detection, Web-threat security, and integration with Cisco Network Access and Control 2.0. Admins centrally manage OfficeScan via their browser, and the product is capable of overseeing multiple domains.
Installing OfficeScan took about 45 minutes on my virtual test bed. Server resources were light, requiring less than 100MB of RAM with the management console open (including Internet Explorer usage). The console was easy to handle and fairly intuitive to navigate, unlike McAfee's ePolicy Orchestrator. Admins can install the client engine either through a Web link to the OfficeScan server or via push from the management UI.