Endpoint security shootout: Five products compete to protect client systems

InfoWorld testing reveals key differences in platform support, security features, and reporting functions among Check Point, McAfee, Sophos, Symantec, and Trend Micro solutions

Every computer that connects to the Internet must have some form of anti-virus protection installed. The number and type of virus threats increase every year, with new ones appearing at an alarming rate. However, threats to the desktop are not limited to simple viruses, but often come as a coordinated attack via drive-by installation of malware and spyware. Further, not all threats are from the Internet: Unprotected vendor laptops can inject malicious programs directly into the enterprise, or malicious employees can siphon secrets to USB thumb drives. Security applications must be able to protect the desktop from both internal and external threats.

Because securing the client device – the endpoint, if you will – is so important, I decided to put five of the top enterprise endpoint security packages to the test. They include: Check Point Endpoint Security – Secure Access Edition; McAfee Total Protection for Endpoint 4.0; Sophos Endpoint Security and Control; Symantec Endpoint Protection 11; and Trend Micro OfficeScan Client/Server Edition 8.0.

All five products worked well in my test lab, performing their anti-virus and anti-spyware duties flawlessly. However, evaluating these products involves more than the effectiveness of their virus and malware protection and their other security services. I looked at how easy they are to administer, how straightforward it is to update and manage clients, and how well the systems report back the security health of the enterprise. I also considered OS support; some of the products support an array of platforms, whereas others are Windows-only.

Check Point Endpoint Security – Secure Access Edition
Endpoint Security - Secure Access Edition from Check Point is a good all-around package of client-security services for Windows users. The package includes anti-virus, anti-spyware, a desktop firewall, NAC, program control, and a VPN client bundled in a single agent. The browser-based management console is less cumbersome than McAfee Total Protection's, but it's also not as intuitive as that of Trend Micro OfficeScan. Check Point's reporting engine is very utilitarian but provides all of the information IT needs to keep up with the network's security status without information overload.

I installed Endpoint Security on a virtualized Windows Server 2003 server and had no trouble loading the associated applications. Endpoint Security's management platform runs on Windows Server 2003 or on Check Point SecurePlatform (Check Point's version of Linux). Unlike the offerings from McAfee and Sophos, the Endpoint Security client supports only Windows 2000 Pro (SP4), Windows XP Pro (SP2), and Vista Enterprise.

Once up and running, the Endpoint Security management platform consumed more than 350MB of RAM (mostly in use by the included Web engine, Tomcat) but had minimal CPU impact on the server. The client claimed about 102MB of RAM, both at idle and during a manual scan, with a rise in CPU usage from about 0 percent to approximately 55 percent. As expected, Endpoint Security detected, caught, and handled all threats without fail.

Check Point's protection engine is based on anti-virus and anti-spyware technology licensed from Kaspersky Labs in addition to Check Point's own anti-spyware technology. This two-pronged approach uses both signatures and heuristics to detect potential threats before they land on the system.

Unlike all of the other products in this roundup, Endpoint Security offers no push install from its Dashboard: admins must deploy the client either through traditional software-distribution methods or from a shared location. For organizations already running a Check Point firewall, the vendor offers an interesting method for installing the client on captive portal users' systems: Admins can force users to install the client in order to gain access to the Internet.

I like the level of control offered by Check Point's policy editor. Each policy divides networks into a trusted zone (that is, the local network) and an untrusted zone (the Internet and all other networks) and applies a different level of access to each. The client firewall comes with a decent set of predefined rules, and it's easy to customize inbound and outbound rules to meet your needs. The application control gives IT broad yet easily manageable control over programs. Each policy includes "enforcement settings," Check Point-speak for NAC, which worked well in my test scenarios.

The application permissions engine provides an easy-to-manage system for allowing or denying program execution on both clients and servers. This whitelisting service allows admins to create logical groups of applications, such as browsers and mail clients, and to determine whether each program is permitted to run. I could restrict which browsers my test clients could run by simply adding the specific executable to the Browsers group, then denying access. I find this to be very powerful yet easy to use.
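To make the two mechanisms described above concrete, the zone-based firewall rules and the group-based program whitelist, here is an added example of how such a client policy is evaluated. It is illustrative code written for this review, not Check Point's implementation or configuration format; the trusted network ranges, the rule set, the application groups and the use of bare file names as group members are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: the networks that make up the "trusted zone".
# Every other address (the Internet included) falls in the untrusted zone.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def zone_for(remote_ip: str) -> str:
    """Classify the peer address of a connection as 'trusted' or 'untrusted'."""
    addr = ipaddress.ip_address(remote_ip)
    return "trusted" if any(addr in net for net in TRUSTED_NETWORKS) else "untrusted"


@dataclass(frozen=True)
class FirewallRule:
    zone: str            # "trusted", "untrusted" or "any"
    direction: str       # "in" (toward the client) or "out" (from the client)
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


# Constructed rule set: evaluated top to bottom, first match wins.
FIREWALL_RULES = [
    FirewallRule("trusted", "in", "tcp", 445, "allow"),    # file sharing from the LAN only
    FirewallRule("trusted", "in", "tcp", 3389, "allow"),   # RDP from the LAN only
    FirewallRule("any", "out", "tcp", 443, "allow"),       # HTTPS to anywhere
    FirewallRule("any", "out", "tcp", 80, "allow"),        # HTTP to anywhere
    FirewallRule("untrusted", "in", "any", None, "deny"),  # nothing unsolicited from the Internet
]


def evaluate_connection(direction: str, remote_ip: str, proto: str, port: int,
                        rules=FIREWALL_RULES):
    """Return (action, matched_rule). Traffic no rule covers is denied by default."""
    zone = zone_for(remote_ip)
    for rule in rules:
        if (rule.zone in (zone, "any")
                and rule.direction == direction
                and rule.proto in (proto, "any")
                and rule.port in (port, None)):
            return rule.action, rule
    return "deny", None


# Program control: executables are grouped, and each group is allowed or denied.
# Constructed groups keyed by file name for brevity; a bare file name is trivial
# to spoof, so a production whitelist should also check a hash or code signature.
APP_GROUPS = {
    "browsers": {"firefox.exe", "chrome.exe", "iexplore.exe"},
    "mail clients": {"outlook.exe", "thunderbird.exe"},
}
APP_POLICY = {"browsers": "deny", "mail clients": "allow"}


def program_allowed(executable: str) -> bool:
    """Whitelisting semantics: a program runs only if it is in a group that is allowed."""
    name = executable.lower()
    for group, members in APP_GROUPS.items():
        if name in members:
            return APP_POLICY.get(group, "deny") == "allow"
    return False  # not on any list, so not permitted
```

The point of the zone split is visible in the rule table: the same inbound port (445) is allowed from the trusted zone and denied from the untrusted one, while an unknown program or an unmatched connection falls through to deny rather than allow.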

At first glance, Check Point's reporting engine seems a bit sparse, as if reports and charts are missing. But upon further inspection, when compared to Symantec Endpoint Protection's information overload, Check Point's almost simplistic reporting engine is a nice change of pace. Three major groups of reports -- endpoint monitor, endpoint activity, and infection history -- break out nicely, allowing a quick and uncluttered view into each endpoint's status. Unfortunately, infection history detail goes back only 14 days.

Check Point's Endpoint Security – Secure Access Edition is a good mix of endpoint protection and flexibility. I like the granular control available in each policy definition, and the trusted/untrusted zone model lets a single policy apply stricter rules to Internet traffic than to local-network traffic. Unfortunately, client OS support is limited to Windows systems, and there is no push installation support in the product.

McAfee Total Protection for Endpoint 4.0
McAfee Total Protection for Endpoint bundles anti-virus, anti-spyware, host-intrusion prevention, and network access control. All of these systems are tied together with the management console, ePolicy Orchestrator (ePO) 4.0, which is a welcome upgrade from previous versions, featuring a completely retooled reporting engine that allows admins to create many different custom reports. Total Protection is not Windows-centric and provides protection for other popular operating systems.

When I first received Total Protection for Endpoint, I had a prerelease installation package that required following a convoluted script that would make Cecil B. DeMille proud. Fortunately, the shipping install package was a single setup program that does all the heavy lifting for admins. Other than specifying the database engine to use (it included MSDE), installation was relatively straightforward. Upon the setup's completion, my system was up and running, ready for me to check in the various packages and download all available updates.

I really like the breadth of OS support found in Total Protection. From ePO, you can deploy and manage policies on all 32-bit Windows platforms (including NT 4.0 with SP6a) and 64-bit Windows systems, as well as Novell NetWare, Linux, Mac OS X, Citrix MetaFrame 1.8, and XP Tablet PCs. As with the Sophos and Symantec products, I found that being able to manage a heterogeneous enterprise from a single console was a big plus.

Total Protection provides a couple of methods for deploying the ePO agent to unprotected desktops. Unlike with Check Point Endpoint Security, I can push the agent out to my test systems from ePolicy Orchestrator by selecting systems in the Lost & Found group and clicking the Deploy Agent button. ePO also synchronizes with Microsoft Active Directory, automatically adding any new systems added to AD. ePO constantly monitors the local network for unknown systems, making it easy to identify and update unprotected machines.

Assigning and defining security policies in ePO aren't nearly as intuitive as in other packages. Although ePO provides access to groups, users, systems, policies, and more, it suffers from a bit of drop-down box overload. It's difficult to see at a glance how policies are assigned and which ones are enabled on a per-client and per-group basis.

McAfee Total Protection for Endpoint comes pretty close to being exactly what its name says: absolute protection for clients. VirusScan Enterprise and McAfee Anti-Spyware deliver two flavors of scans, providing excellent real-time, on-demand protection from viruses and other potentially unwanted programs using a mix of signatures and heuristics. Total Protection didn't have any trouble identifying and trapping threats, whether from a questionable Web site or an infected file.

Total Protection uses a single scanning engine, allowing for a slightly smaller (80MB of RAM) footprint while in use. An on-demand scan consumed about 100MB of RAM and averaged 37 percent CPU usage with peaks to 100 percent.

Helping to lock down the desktop, Host Intrusion Prevention (HIP) provides application blocking, a client firewall, and generic IPS rules, such as buffer-overflow protection and signatures for known application exploits. As with Trend Micro's Intrusion Defense Firewall, IT can create rules in Total Protection for what type of traffic is allowed or denied, both to and from a client. The application-blocking support is good, but it does not provide the same granular level of configuration found in Check Point's offering. Admins are limited to basic Allow and Block selections for each defined application.

The reporting module is where McAfee Total Protection shines. With this release of ePO, the reporting and dashboard services receive a major retooling, allowing admins to create custom reports and attach them to a dashboard for easy monitoring. In fact, ePO allows admins to create multiple dashboards for grouping related reports. The number of predefined reports is staggering, and I really like that I could quickly and easily create new reports and export them in a variety of formats.

Total Protection is a solid, well-rounded endpoint security package that fires on all cylinders. I like the enhanced reporting capabilities in ePO, and the single-engine virus and malware scanner works very well. Moreover, the expanded platform support fits in nicely with most large organizations. My biggest complaint is that it's hard to easily see my policies and how they're assigned to each group or individual client.

Sophos Endpoint Security and Control
Sophos Endpoint Security and Control offers a tight mix of virus and spyware protection, along with client firewall, application control, host intrusion protection, and network access control. Furthermore, its intuitive browser-based management platform works well.

I had no trouble installing Sophos' Enterprise Console on my Windows Server 2003 virtual test bed. As with Trend Micro's OfficeScan, server resource use was pleasingly light, requiring only about 100MB of RAM when logged into the console using Internet Explorer. During installation, I chose to have Sophos install MSDE on my server. Alternatively, admins can elect to use an existing Microsoft SQL server.

Deploying the Sophos client to users' PCs is a push process from the Enterprise Console. The Find New Computers wizard lets admins choose between importing a list of computers from Active Directory or performing a network scan based on network (NetBIOS name) or IP address range. I used the Active Directory method and had no problems installing the full client to my test machines.

Endpoint Security provides protection for not only Windows machines, but also Mac, Linux, Unix, NetWare, and OpenVMS systems. The list of supported platforms is extensive and includes both 32- and 64-bit platforms. Best of all, admins can manage and monitor all flavors of clients from a single Sophos Enterprise Console. Like Trend Micro's and Symantec's respective products, Sophos includes virtual environments as part of the supported package.

One feature that busy admins will appreciate is Sophos' ability to uninstall any third-party anti-virus programs already present on users' PCs. One of my target systems came with another vendor's endpoint client package, and Sophos cleanly removed it prior to installing the new package.

Endpoint Security and Control is exactly what its name suggests: a full suite of security services blended together to allow administrators to tailor both inbound and outbound security. The real-time anti-virus and anti-spyware detectors share the same engine and the same virus/malware definitions. The client generates an MD5 hash of each scanned file. If, on subsequent scans, the hash is unchanged, Sophos skips scanning the file, saving CPU cycles.
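The hash-based scan skipping described above is worth seeing in code, because the obvious implementation has a trap: if the cache is keyed on the file hash alone, a file that was clean under yesterday's definitions keeps being skipped after today's update adds a signature that would catch it. The following is an added example written for this review, not Sophos' code; it keys the cache on both the file digest and the definitions version. It uses SHA-256 rather than the MD5 the product is described as using (our choice, for illustration), and the "signatures" and sample file contents are constructed patterns, not real malware indicators.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature sets: byte patterns the toy detector treats as malicious.
CONSTRUCTED_SIGNATURES_V1 = {b"CONSTRUCTED-BAD-PATTERN-ONE"}
CONSTRUCTED_SIGNATURES_V2 = CONSTRUCTED_SIGNATURES_V1 | {b"CONSTRUCTED-BAD-PATTERN-TWO"}


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def signature_scan(path: Path, signatures) -> str:
    """Toy detector: 'infected' if any signature pattern occurs anywhere in the file."""
    data = path.read_bytes()
    return "infected" if any(sig in data for sig in signatures) else "clean"


class ScanCache:
    """Remember verdicts per (file digest, definitions version).

    Keying on the digest alone would keep returning 'clean' for a file that
    newer definitions can detect, so the definitions version is part of the key.
    """

    def __init__(self, defs_version: str, signatures):
        self.defs_version = defs_version
        self.signatures = set(signatures)
        self._verdicts = {}
        self.full_scans = 0

    def update_definitions(self, version: str, signatures) -> None:
        """Switch to new definitions; old cache entries stop matching the key."""
        self.defs_version = version
        self.signatures = set(signatures)

    def scan(self, path: Path):
        """Return (verdict, served_from_cache)."""
        key = (file_digest(path), self.defs_version)
        if key in self._verdicts:
            return self._verdicts[key], True
        self.full_scans += 1
        verdict = signature_scan(path, self.signatures)
        self._verdicts[key] = verdict
        return verdict, False


def demo() -> dict:
    """Walk the cache through the interesting cases on constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "report.doc"
        target.write_bytes(b"quarterly numbers\n")
        cache = ScanCache("v1", CONSTRUCTED_SIGNATURES_V1)

        first = cache.scan(target)    # full scan, file is clean
        second = cache.scan(target)   # unchanged digest: verdict comes from the cache

        target.write_bytes(b"quarterly numbers\nCONSTRUCTED-BAD-PATTERN-TWO\n")
        third = cache.scan(target)    # digest changed: rescanned, but v1 definitions miss it

        cache.update_definitions("v2", CONSTRUCTED_SIGNATURES_V2)
        fourth = cache.scan(target)   # same digest, new definitions: rescanned and caught

        return {
            "first": first, "second": second, "third": third, "fourth": fourth,
            "full_scans": cache.full_scans,
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the demo performs three full scans for four scan requests: the second request is served from the cache, and the fourth is rescanned only because the definitions version changed, which is exactly the case a digest-only cache would get wrong.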

Complementing the signature-based detection is what Sophos calls Behavioral Genotyping. This behavioral engine checks the behavior of potentially malicious code against existing definitions in order to help stop new or unknown attacks. As long as the attack is a variant of an existing virus -- and most viruses are -- Sophos will detect it and block it. Each threat I threw at Endpoint Security was caught and handled according to my security policy. No surprises here.
