
Round-up: Network endpoint security suites

Data and computer system assets are fast becoming the lifeblood of modern interconnected business. How is your business protected?
Written by Enex Testlab, Contributor

Introduction

Data and computer system assets are fast becoming the lifeblood of modern interconnected business. However, an unwelcome consequence of this brave new world is that malicious hackers consider commercially sensitive information — personal details, bank account credentials and related data or underlying systems — fair game. Worse still, the bad guys actively target and routinely attack our business critical networks by using malicious software (malware) and freely available, easily usable hacking tools.

Typically, as part of a best practice information security strategy, an organisation will determine its unique appetite for risk and subsequently employ appropriate security controls to help prevent compromise of their valuable assets.

Anti-malware software is a universally deployed security control in medium to large enterprises. There are a myriad of vendors within the anti-malware space, thus selecting an appropriate solution for your business is not always simple. The way to measurably and reliably prove that a solution is appropriate for your organisation is to test it against predefined criteria that adequately and accurately reflect your individual requirements.

These criteria may vary, yet normally include one or more of the following factors: total cost of ownership over the full product life cycle, endpoint deployment options, compatibility with existing systems, administration and management issues, performance, functionality, and of course, malware protection capabilities. However, this review serves only as an introduction to enterprise anti-malware solutions, and is designed as a fair comparison of all products put under the test, not as an exhaustive evaluation of every product feature under all possible scenarios.

How we tested

System set-up: each anti-malware product was installed on a fully patched Microsoft Windows 2003 Server R2 SP2 platform. Once the server components were installed, each endpoint solution was deployed to a fully patched Microsoft Windows XP SP3 client host.

Anti-malware specifics: each anti-malware product was installed on separate, identical hardware and software combinations. All products were updated at the same date and time using a standard internet connection. In this instance, due to the nature of the tests, the internet connection was disabled and physically disconnected after the update process, ensuring that all products were frozen at the same point in time. All products were completely isolated during testing, both to provide a level playing field and to align with common real-world scenarios.

The malware test set was introduced to each product using standard ingress vectors, devices and protocols that included HTTP, SMTP/POP3, FTP, DVD and USB injection mechanisms to accurately represent real-world threats, thus reproducing the actual delivery methods used "in the wild". The samples used for testing consisted of the latest 100 verified live threats captured via the Enex Test Lab global honey-net in the week prior to testing. The most recent available threats were used in order to evaluate each solution's ability to detect and nullify current "in the wild" threats. The samples were all validated with automated behavioural analysis techniques, supported by standard manual inspection methods. The malware test set included current:

  • Trojans
  • Spyware
  • Viruses
  • Worms
  • Exploits
  • Polymorphic threats
  • Malicious PDFs
  • Hack tools
  • Rogue/fake anti-malware suites

The ideal expected behaviour of each solution was to correctly identify all verified malicious samples and to neutralise each threat. In order to measure each solution's ability to correctly categorise benign files, Enex Test Lab supplemented the test set as follows:

  • Office files
  • PDFs
  • Executables
  • Compressed files
  • Plain text files

Kaspersky Enterprise Space Security

Target market: enterprise organisations
Phone: 1300 762 833 or 03 9005 1669
Web: www.kaspersky.com/au

Kaspersky Enterprise Space Security is part of the Open Space security family. It incorporates a range of Kaspersky products that are managed from a central administration console known as the Kaspersky Administration Kit.

The server side installation is straightforward; it is achieved without the need for any additional prerequisites. The solution automatically installs its own instance of Microsoft SQL Server Express as part of the set-up process. The administration kit effectively fuses to the Microsoft Management Console (MMC) providing blended administration and configuration functionality. Remote product delivery is achieved through a deployment wizard, allowing administrators to push Kaspersky agents and products to additional client and server platforms. Kaspersky software delivery methods also allow the creation of set-up packages that can be manually installed to target endpoints.

Featured products:

  • Kaspersky Anti-Virus for Windows Workstations
  • Kaspersky Anti-Virus for Linux Workstations
  • Kaspersky Anti-Virus for Windows Servers
  • Kaspersky Anti-Virus for Linux File Servers
  • Kaspersky Anti-Virus for Novell Netware
  • Kaspersky Anti-Virus for Samba Server
  • Kaspersky Anti-Virus for Microsoft Exchange
  • Kaspersky Anti-Virus for Linux Mail Server
  • Kaspersky Anti-Virus for Lotus/Domino
  • Kaspersky Security for Microsoft Exchange Server 2003
  • Kaspersky Security for Microsoft Exchange Server 2007
  • Kaspersky Anti-Virus for Windows Servers Enterprise Edition

The product directly downloads any available update files from Kaspersky's internet resident servers to a local central repository, ready for internal endpoint delivery.

It is possible for administrators to edit client protection settings remotely, and if necessary, scan tasks can be initiated from the central administration console; a useful feature to invoke during a known malware outbreak.

Screenshots: management console and client (Credit: Enex Test Lab)

Verdict

Kaspersky performed admirably in the malware protection stakes, achieving joint first place in overall detection and neutralisation terms, with a score of 96 per cent. The product correctly identified 100 per cent of the benign files (zero false positives were recorded). In this instance, the samples that were not successfully identified stemmed from trojan and spyware categories.

The ease of installation paves the way for rapid multi-network deployment, and the Microsoft integrated administration console offers a useful feature set for effective centralised management.

The good:
  • Excellent malware protection
  • Fine-grained control over endpoint settings
  • Support for multiple server platforms and architectures
The bad:
  • Less than comprehensive enterprise level reporting
The bottom line: Kaspersky provides a good quality solution for protection from current "in the wild" threats.
Interoperability:
  • Windows workstations: 98, 2000, XP, Vista, 7
  • Windows servers: NT-2008
  • Other: Linux and Novell support, central administration server
ROI: Good performance with an easy-to-use administration tool.

McAfee Total Protection for Endpoint

Target market: small to enterprise organisations
Phone: 1800 998 887
Web: www.mcafee.com/au

McAfee Total Protection for Endpoint is based on the company's well-known ePolicy Orchestrator (ePO). The solution can be used to administer a range of solutions from desktop antivirus to email server protection tools, and is aimed at small to enterprise organisations.

The ePO set-up wizard enables the straightforward installation of server-side components. As long as the minimum hardware and software requirements are met, the solution provides all further prerequisites integrated within a single installation package. Through the set-up wizard, administrators have the option of installing an Express version of Microsoft SQL Server (this is the default option and highly recommended). Alternatively, administrators can specify a different SQL instance, although it must be dedicated to McAfee's ePO server.

The following products are deployed during installation:

  • VirusScan Enterprise
  • AntiSpyware Enterprise
  • Host Intrusion Prevention
  • SiteAdvisor Enterprise Plus
  • GroupShield

Once the solution is deployed to the target server, operations and administration actions are performed using a web management console. During the installation wizard a shortcut to this interface is placed on the local server desktop; however, this interface can be accessed from anywhere on the local network by providing the correct intranet address and log-in credentials.

As with most products of this class, updates can be downloaded to the central ePO server and distributed to endpoints across the local area network.

Deployment methods include a remote installation option that effectively pushes the product to endpoints via the network. Alternatively, it is delivered via a distribution package that allows an administrator to manually install the solution on each individual endpoint, using a variety of channels (eg, via DVD, CD, USB or web server).

Once endpoints have the protection agent installed, it is possible to create customisable groups; a useful feature to identify endpoints from different network areas, and for keeping track of infected machines in conjunction with security policies (eg, to lock down potentially rogue or compromised endpoints).

Screenshots: management console and client (Credit: Enex Test Lab)

Verdict

McAfee achieved a detection and neutralisation rate of 87 per cent, flagging zero false positives in the process. In this particular instance, a range of malware sample types were not identified, stemming from trojan, rootkit, spyware and exploit categories. It is a suitable option for small and large enterprises alike.

The good:
  • Includes McAfee SiteAdvisor to deter users from visiting known malicious websites
  • Wide ranging policy controls and lock down options
  • Combined management of desktop and email server protection tools
The bad:
  • Lower-end detection rates in this particular round of comparative testing
The bottom line: Excellent administration features and functionality, and combines ease of use with a good range of deployment options.
Interoperability:
  • Windows workstations: 98, NT, 2000, XP, Vista, 7
  • Windows servers: NT-2008
  • Other: Novell support, central administration server
ROI: Strong feature set and management options with good general performance.

Symantec Endpoint Protection with Network Address Control

Target market: small to enterprise organisations
Phone: 1800 808 089
Web: www.symantec.com/en/au

This solution is aimed at all business sectors, regardless of size, and stems from the overarching Symantec Endpoint Protection range that also includes email server security controls.

The installation of the solution is easy and has no formal prerequisites. Methods of deployment include remote delivery via Microsoft-based network services or by compiling a set-up package for manual installation. The primary method of storing management information is an embedded database; however, Microsoft SQL Server integration is also supported. The product uses a Java-based administration tool called Symantec Endpoint Protection Manager. This tool is either installed on the local server alongside the Symantec Endpoint Protection solution or on a remote computer on the local network.

Software components installed during deployment include:

  • Antivirus and anti-spyware
  • Desktop firewall
  • Intrusion Prevention System (IPS)
  • Application control and device control

Client endpoints can be managed by assigning each one to a group and subsequently creating specific policies to suit an individual's needs. Administrators have the ability to prevent selected users from modifying an endpoint configuration; conversely, trusted users may be assigned full administrative privileges. Rogue endpoints that contravene policy can be automatically blocked from accessing the network. The product is feature-rich, allowing remote scans, updates and restarts.

Screenshots: management console and client (Credit: Enex Test Lab)

Verdict

Symantec performed well in testing, ultimately achieving second place, with a score of 95 per cent in the malware detection and neutralisation category, while incurring zero false positives. The malware not identified included spyware, rootkit and exploit samples.

The good:
  • An enviable level of malware protection
  • Simple endpoint deployment over the network
  • Comprehensive management and administration features
The bad:
  • Java-based administration tool may prove cumbersome in certain environments
The bottom line: Symantec Endpoint Protection benefits from a particularly smooth network deployment, a vast array of useful management features and has a good level of protection against current malware threats.
Interoperability:
  • Windows workstations: 2000, XP, Vista, 7
  • Windows servers: 2000-2008
  • Other: Linux and Novell support, central administration server
ROI: A good result from a user-friendly solution.

F-Secure Policy Manager

Target market: medium to enterprise organisations
Phone: 02 8404 4192
Web: www.f-secure.com/en_AU

This solution is designed for integrating with a multi-platform network infrastructure on a medium to large scale.

The installation of the solution is not difficult and a Microsoft SQL Server 2005 Express Edition is automatically deployed as part of the set-up process. Once installation is complete, administrators can connect to the management interface using the F-Secure Policy Manager Console. This interface can be used from any endpoint on the local network after entering the correct log-in credentials.

Remote installation of endpoints is also an easily achieved task using the deployment wizards within the policy manager console. There is a useful auto-discovery feature that automatically detects machines on the local network. Administrators simply specify machines for remote product deployment and select the desired product for the defined network nodes. Alternatively, administrators can create manual set-up packages that once installed, seamlessly integrate with the central administration server.

Products include:

  • F-Secure Policy Manager
  • F-Secure Client Security
  • F-Secure Anti-Virus for Workstations
  • F-Secure Anti-Virus for Windows Servers
  • F-Secure Anti-Virus for Citrix Servers
  • F-Secure Anti-Virus for Microsoft Exchange
  • F-Secure Spam Control
  • F-Secure Internet Gatekeeper for Linux

The policy manager allows administrators to create a master policy for network endpoints — scanning options and firewall policies are good examples of available settings. An administrator may optionally allow users to control their own instance of the F-Secure protection solution.

Screenshots: management console and client (Credit: Enex Test Lab)

Verdict

F-Secure achieved third place for the malware protection component, with a score of 93 per cent. No false positives were reported. Malware not identified stemmed from trojan, rootkit and exploit categories.

The good:
  • Cross system compatibility and support
  • Easy to use wizards aid network endpoint deployment
  • A comprehensive range of enterprise level management features
The bad:
  • The administration console could be more user friendly
The bottom line: This solution is ideally suited to an organisation that needs comprehensive, easily manageable malware protection across both Windows and Linux operating systems.
Interoperability:
  • Windows workstations: 2000, XP, Vista, 7
  • Windows servers: 2003-2008
  • Other: central administration server
ROI: A worthy solution offering protection for a variety of platforms.

Sophos Endpoint Security and Data Protection

Target market: small to enterprise organisations
Phone: 02 9409 9100
Web: www.sophos.com

Sophos Endpoint Security and Data Protection represents a fusion between client operating system and resident data security.

This solution is easily installed and has no prerequisites. The product uses the Express version of Microsoft SQL Server as a data store. Sophos Enterprise Console allows administrators to rapidly deploy Sophos software across the network to endpoint targets.

Sophos Endpoint Security and Data Protection includes a useful application control feature which empowers administrators to create policies that either permit or deny use of a variety of preloaded, commonly installed programs and applications. This feature is particularly helpful to an organisation in the area of acceptable use policy enforcement, with the potential to reduce cyberslacking. For example, administrators are able to specify the users that are allowed access to instant messaging programs.

Software components included during installation:

  • Enterprise Console
  • Sophos Anti-Virus
  • Sophos NAC
  • Sophos Client Firewall
  • Sophos Mobile Security
  • Sophos SafeGuard Disk
  • SafeGuard PrivateCrypto

The software can automatically download internet updates to a local central management server at a predefined time. Local network resident endpoints are able to subsequently download these updates by directly accessing the local Sophos server.

Screenshots: management console and client (Credit: Enex Test Lab)

Verdict

Sophos accomplished equal first place for overall malware protection with a score of 96 per cent. No false positives were flagged. Trojan and exploit type samples were missed in this specific instance.

The good:
  • A superior level of malware protection
  • A truly comprehensive range of components
  • Easy administration and deployment options
The bad:
  • Lacks a dedicated browser-based administration console
The bottom line: The solution represents a good all rounder, seamlessly and effectively covering operating system, application level and data protection categories.
Interoperability:
  • Windows workstations: 98, 2000, XP, Vista, 7
  • Windows servers: 2000-2008
  • Other: Mac support, central administration server
ROI: A good all rounder offering a range of useful features and functionality.

Microsoft Forefront Client Security

Target market: medium to enterprise organisations
Phone: 13 20 58
Web: www.microsoft.com/forefront/en/us/default.aspx

Microsoft Forefront Client Security is specifically designed for securing endpoints in diverse business environments ranging from medium to large enterprise. There are multiple incarnations of Forefront available on the market; alternative versions feature Microsoft Exchange, Microsoft SharePoint and gateway protection capabilities.

The solution has a fair number of prerequisites to be met before the installation process can even begin. Forefront requires at least Microsoft SQL Server 2005 Standard Edition; Microsoft SQL Server Express Edition will not work, as it does not contain the integration services module. Microsoft recommends that the solution is optimally deployed using a four-server network topology. It is possible to reduce the number of servers required, although overall server performance may be impacted. Enex Test Lab installed the solution using a single-server topology based on Microsoft documentation, mainly to ensure a level playing field with the other products under test. Once Forefront is installed, management operations are performed using an instance of the Microsoft Management Console.

Forefront Client Security is perhaps best deployed using the Windows Server Update Service (WSUS) in a large organisation with a high number of endpoints. However, it is also possible to opt for manual endpoint installations.

Screenshots: management console and client (Credit: Enex Test Lab)

Verdict

Microsoft achieved an overall malware protection score of 88 per cent, with no false positives recorded. Trojan, spyware, rootkit and exploit samples were missed in this instance. This product was the most complicated to install of all products under test with a dazzling array of prerequisites.

The good:
  • A useful set of management tools that share the familiar Windows administration environment
  • Easy and flexible endpoint deployment over the network
The bad:
  • Complicated and time consuming to install
  • Lower-end malware protection capabilities in this specific instance
The bottom line: Particularly suited to larger enterprises that have access to the necessary engineering skills and computer resources.
Interoperability:
  • Windows workstations: 2000, XP, Vista, 7
  • Windows servers: 2000-2008
  • Other: central administration server
ROI: An appropriate solution for integrating with Microsoft products and platforms.

Result analysis

The charts and general analysis shown in this section represent the test results based solely on a default configuration for each product under test.

It is necessary to highlight that many of the solutions have advanced levels of available protection over and above the default. Should higher levels of protection be configured it is entirely possible that the detection rates of the corresponding product would improve.

All tests were performed using the eThreatz automated malware testing system. An eThreatz test includes live "in the wild" malware captured from a global honey-net of real systems, not software-based virtual machines or system emulators. It is important to note that the test results in this particular instance are only a snapshot of malware protection at a single point in time. Rankings will likely change over the full life cycle of any given product.

Useful definitions

  • False negative: a failure to identify a malware sample
  • True positive: successfully identifying a malware sample
  • False positive: a failure to identify a benign file
  • True negative: successfully identifying a benign file

Threat chart

Rankings

  1. Kaspersky and Sophos: 96/100
  2. Symantec: 95/100
  3. F-Secure: 93/100
  4. Microsoft: 88/100
  5. McAfee: 87/100

Sample breakdown analysis

There were a total of 21 unique malware samples missed during the course of the testing. The overall results show that each malware sample introduced was identified at least once, by at least one vendor. The table below illustrates a breakdown of false negatives, listing each vendor that missed the corresponding sample:

Sample ID   Type of malware threat   Vendors affected
---------   ----------------------   ----------------
1           Generic trojan           F-Secure, Kaspersky, McAfee, Microsoft, Sophos
2           Generic trojan           McAfee
3           Exploit                  Microsoft, Sophos
4           Spyware                  Symantec
5           Spyware                  Kaspersky, McAfee, Microsoft, Symantec
6           Spyware                  Kaspersky, McAfee, Microsoft
7           Trojan downloader        McAfee
8           Malicious packer         F-Secure
9           Exploit                  F-Secure, McAfee, Microsoft, Symantec
10          Backdoor trojan          F-Secure, McAfee
11          Rootkit                  F-Secure, McAfee, Microsoft, Symantec
12          Generic trojan           McAfee, Microsoft, Sophos
13          Trojan horse             F-Secure, Kaspersky, Microsoft
14          Exploit                  McAfee, Microsoft, Symantec
15          Hacktool                 McAfee
16          Exploit                  F-Secure
17          Exploit                  Microsoft
18          Exploit                  McAfee, Microsoft
19          Trojan horse             McAfee
20          Trojan horse             Sophos
21          Trojan horse             Microsoft

There were a total of 45 false negatives when non-unique samples are counted (each sample once per vendor that missed it); the chart below displays the frequency of unidentified malware by type:

False negatives chart
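The scores, rankings and false-negative totals above can be recomputed directly from the sample breakdown table, which is a useful check when reading any comparative test. The following Python is an added worked example, not part of the original Enex Test Lab article; it transcribes the article's table and its stated 100-sample test set, applies the article's own definitions (true positive, false negative) and derives per-vendor detection scores, dense rankings, the per-type miss frequency that the false negatives chart plotted, and a check that no sample evaded every vendor.

```python
"""Recompute the round-up's detection results from its false-negative table.

Added example; not part of the original article. The MISSES table is
transcribed from the article's "Sample breakdown analysis" and
TEST_SET_SIZE is the 100 verified live samples the article states.
"""
from collections import Counter

TEST_SET_SIZE = 100  # verified live threats in the malware test set (per the article)

VENDORS = ["F-Secure", "Kaspersky", "McAfee", "Microsoft", "Sophos", "Symantec"]

# (sample id, malware type, vendors that failed to identify it), transcribed from the article
MISSES = [
    (1, "Generic trojan", ["F-Secure", "Kaspersky", "McAfee", "Microsoft", "Sophos"]),
    (2, "Generic trojan", ["McAfee"]),
    (3, "Exploit", ["Microsoft", "Sophos"]),
    (4, "Spyware", ["Symantec"]),
    (5, "Spyware", ["Kaspersky", "McAfee", "Microsoft", "Symantec"]),
    (6, "Spyware", ["Kaspersky", "McAfee", "Microsoft"]),
    (7, "Trojan downloader", ["McAfee"]),
    (8, "Malicious packer", ["F-Secure"]),
    (9, "Exploit", ["F-Secure", "McAfee", "Microsoft", "Symantec"]),
    (10, "Backdoor trojan", ["F-Secure", "McAfee"]),
    (11, "Rootkit", ["F-Secure", "McAfee", "Microsoft", "Symantec"]),
    (12, "Generic trojan", ["McAfee", "Microsoft", "Sophos"]),
    (13, "Trojan horse", ["F-Secure", "Kaspersky", "Microsoft"]),
    (14, "Exploit", ["McAfee", "Microsoft", "Symantec"]),
    (15, "Hacktool", ["McAfee"]),
    (16, "Exploit", ["F-Secure"]),
    (17, "Exploit", ["Microsoft"]),
    (18, "Exploit", ["McAfee", "Microsoft"]),
    (19, "Trojan horse", ["McAfee"]),
    (20, "Trojan horse", ["Sophos"]),
    (21, "Trojan horse", ["Microsoft"]),
]


def false_negatives_per_vendor():
    """False negatives per vendor: malware samples the product failed to identify."""
    counts = Counter({vendor: 0 for vendor in VENDORS})
    for _, _, missed_by in MISSES:
        for vendor in missed_by:
            counts[vendor] += 1
    return dict(counts)


def detection_scores():
    """Detection score out of 100: true positives = test set size minus false negatives."""
    fn = false_negatives_per_vendor()
    return {vendor: TEST_SET_SIZE - fn[vendor] for vendor in VENDORS}


def rankings():
    """(rank, vendor, score) best to worst; tied vendors share a rank (dense ranking, as the article uses)."""
    ordered = sorted(detection_scores().items(), key=lambda kv: (-kv[1], kv[0]))
    result, rank, previous = [], 0, None
    for vendor, score in ordered:
        if score != previous:
            rank += 1
            previous = score
        result.append((rank, vendor, score))
    return result


def total_false_negatives():
    """All false negatives including non-unique samples (one per vendor per missed sample)."""
    return sum(len(missed_by) for _, _, missed_by in MISSES)


def misses_by_type():
    """Frequency of unidentified malware by type, the data behind the false negatives chart."""
    counts = Counter()
    for _, malware_type, missed_by in MISSES:
        counts[malware_type] += len(missed_by)
    return dict(counts)


def types_missed_by(vendor):
    """Set of malware types a given vendor failed to identify."""
    return {malware_type for _, malware_type, missed_by in MISSES if vendor in missed_by}


def missed_by_everyone():
    """Sample ids no vendor caught; empty supports the claim that each sample was caught at least once."""
    return [sid for sid, _, missed_by in MISSES if set(missed_by) >= set(VENDORS)]


if __name__ == "__main__":
    for rank, vendor, score in rankings():
        print(f"{rank}. {vendor}: {score}/{TEST_SET_SIZE}")
    print("unique samples missed:", len(MISSES))
    print("total false negatives:", total_false_negatives())
    print("misses by type:", misses_by_type())
    print("missed by every vendor:", missed_by_everyone())
```

Running the script reproduces the ranking list above (Kaspersky and Sophos on 96, Symantec 95, F-Secure 93, Microsoft 88, McAfee 87), the 21 unique and 45 total false negatives, and an empty "missed by every vendor" list. The same structure applies to any comparative detection test: keep the per-sample verdicts, and derive the headline percentages from them rather than the other way around.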

Conclusion

Choosing an anti-malware solution for the medium to large enterprise can be a daunting task; there are multiple vendors with multiple products vying for your attention, and each one has a diverse spectrum of features and functionality. The key is to match the right product to your on-going organisational needs, and to remember that there will inevitably be a trade-off between requirements; for example, better performance may come at the cost of reduced effectiveness.

A major conclusion that can be drawn from this article (and on-going testing by Enex Test Lab over many years) is that there is a valid case for strategically deploying multiple anti-malware engines at the endpoint, the server and the network gateway. Such an approach, combined with other security controls, will ultimately provide the maximum protection against an ever-changing world of threats.
