Endpoint security shootout: Five products compete to protect client systems
InfoWorld testing reveals key differences in platform support, security features, and reporting functions among Check Point, McAfee, Sophos, Symantec, and Trend Micro solutions
The OfficeScan client will run on any version of Windows from 2000 to 2008, including 64-bit Vista. The OfficeScan Server requires Windows Server 2000 through Server 2003. Virtualized environments such as those from Microsoft, Citrix, and VMware are also supported. Unlike the products from McAfee, Sophos, and Symantec, Trend Micro's offering does not support non-Windows platforms.
The heart of any anti-virus system is its real-time protection. OfficeScan uses separate engines to inspect traffic for virus and spyware activity. Both engines use signature matching to detect the digital nasties, and unlike Symantec's and Sophos' respective products, OfficeScan does not have a behavioral detection engine for spotting zero-day attacks. A behavioral detection engine is in the works and should be available in the next major release.
During my tests, OfficeScan detected and blocked all of the viruses I threw at it, and it had little trouble picking out malware from a malicious overseas Web site. It processed the threats based on the policy in place, cleaning, quarantining, or deleting as prescribed. The real-time protection worked well in all my tests, and resource usage was very low: about 50 percent CPU usage and 55MB of RAM during an active scan.
The client firewall included in OfficeScan is solid if not flashy. Defining firewall settings entails defining a security policy, then assigning the policy to a user profile. The security policy dictates how the firewall will function, blocking all inbound and outbound traffic, blocking all inbound traffic, or allowing all traffic. Admins can add exceptions to each policy, for example, to allow remote connection to the desktop while denying all other inbound traffic. You can also define exceptions based on protocol, port, and IP address.
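To make the policy model just described concrete, here is an added Python model of it (not OfficeScan's own configuration format): a base mode, a list of first-match exceptions keyed on direction, protocol, port and remote address, and an assignment of policies to user profiles. It assumes "remote connection to the desktop" means RDP on TCP 3389, and the 10.0.0.0/8 management range is a constructed value.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The three base modes the review describes for a security policy.
BASE_MODES = {"block_all", "block_inbound", "allow_all"}


@dataclass
class Rule:
    """One exception to the base policy (hypothetical model, not OfficeScan's format)."""
    action: str                      # "allow" or "deny"
    direction: str = "any"           # "inbound", "outbound" or "any"
    protocol: str = "any"            # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None       # destination port; None matches every port
    network: Optional[str] = None    # remote CIDR; None matches every address

    def matches(self, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
        return (self.direction in ("any", direction)
                and self.protocol in ("any", protocol)
                and (self.port is None or self.port == port)
                and (self.network is None or ip_address(remote_ip) in ip_network(self.network)))


@dataclass
class Policy:
    base: str
    exceptions: List[Rule] = field(default_factory=list)

    def decide(self, direction: str, protocol: str, port: int, remote_ip: str) -> str:
        """Return "allow" or "deny": first matching exception wins, else the base mode applies."""
        if self.base not in BASE_MODES:
            raise ValueError(f"unknown base mode {self.base!r}")
        for rule in self.exceptions:
            if rule.matches(direction, protocol, port, remote_ip):
                return rule.action
        if self.base == "allow_all":
            return "allow"
        if self.base == "block_inbound":
            return "allow" if direction == "outbound" else "deny"
        return "deny"  # block_all


def remote_desktop_policy() -> Policy:
    """The review's example: block all inbound traffic except RDP (assumed TCP 3389)
    from a constructed management range; outbound traffic stays allowed."""
    return Policy("block_inbound", [Rule("allow", "inbound", "tcp", 3389, "10.0.0.0/8")])


# Policies are assigned per user profile, as the review describes.
PROFILES = {"helpdesk": remote_desktop_policy(), "kiosk": Policy("block_all")}


def decide_for_profile(profile: str, direction: str, protocol: str, port: int, remote_ip: str) -> str:
    return PROFILES[profile].decide(direction, protocol, port, remote_ip)
```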
A step above the built-in OfficeScan client firewall is the Intrusion Defense Firewall (IDF) plug-in, available as a separate license from Trend Micro. IDF performs deep-packet inspection on all incoming and outgoing traffic and helps eliminate illegitimate network traffic. It is a full-featured stateful packet inspection engine that doesn't require additional RAM or add any noticeable latency on the network.
OfficeScan is the only package in this roundup that includes built-in support for Cisco NAC policies and agents. For those companies already deploying Cisco NAC, OfficeScan can directly integrate with your existing policy servers, providing network access control through the included Cisco Trust Agent.
The reporting engine is a weak area in OfficeScan, amounting to little more than a summary page in the management UI. To be fair, the graphical representations of outbreaks and client connections are easy to read, as is the Update Status section showing signature and application versions. Unlike with McAfee ePolicy Orchestrator, admins cannot create customized reports or charts with OfficeScan.
Trend Micro's OfficeScan is a good all-around package for securing Windows-based clients. The management console suffers from some organizational problems, but access to all systems and policy objects is only a click or two away. Reporting is limited, but the tight integration with Cisco NAC is a definite plus.
I went into this review without any preconceived notions as to which product would fare the best, and I was pleasantly surprised to see that Sophos Endpoint Security and Control just edged out Symantec Endpoint Protection for top honors. The Sophos solution provides excellent client platform support and includes the core services to keep endpoints secure. At the same time, it's easy to use and administer. Its well-rounded reporting engine is key in garnering the top score in this roundup.