The best endpoint security suite is...

Wondering which endpoint security suite keeps your clients the most protected? Enex TestLab racks them all up and puts them through their paces.
Written by Ian Hyndman, Contributor

Malicious software (malware) plays a central role in the continuing power struggle between the attackers and defenders of our computer systems. Therefore it is crucial to independently test the capabilities of the security products we trust to defend us.

There are many methods and techniques to test these products, various levels of configuration that can be applied, and multiple areas of potential focus. This report concentrates on two main security technology areas: out-of-the-box anti-malware detection (specifically virus and spyware detection) and default desktop firewall protection.

How we tested

System set-up: each test machine ran a fully updated and patched version of Microsoft Windows XP Professional (Service Pack 3). Security suites were then installed and updated to use the latest software versions. The solutions were tested using the default settings to ensure a fair and comparable test.

Anti-malware: all products were installed on separate identical hardware and software combinations using only default protection settings. All products were updated at the same date and time using a standard internet connection. The internet was disabled and physically disconnected following the update process to ensure that the products were frozen at a particular point. All products were completely isolated during testing.

Malware test sets were introduced to each product using standard inbound vectors, devices and protocols that included HTTP, SMTP/POP3, FTP, DVD and USB injection mechanisms to accurately represent real-world threats. Each test set also contained malware-free samples.

Firewall: solutions were tested in several areas, focusing on commonly used programs and services that require network access (internal and external). An external system was configured with various tools to identify potentially open ports on each endpoint. It is important to note that in a real-world deployment setting it is recommended that internal endpoints be protected by a separate corporate firewall at the network gateway, in line with good security practice. This testing, however, removed this layer of security in order to measure the effectiveness of the protection afforded by each desktop firewall. Ideally, it is expected that each firewall solution should deny ICMP requests and show all ports as closed or appropriately filtered. This helps protect against common network mapping techniques and automated probes during any pre-attack reconnaissance phase.
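The firewall expectation described above (ICMP denied, every port closed or filtered) can be checked against an endpoint you administer. The Python below is an added example, not Enex TestLab's tooling, which the article does not name; the function names are hypothetical, and the ICMP result is supplied by the operator rather than probed.

```python
import socket


def tcp_port_state(host, port, timeout=1.0):
    """Classify one TCP port as seen from the probing machine.

    open     - the handshake completed, so a service is reachable
    closed   - the host refused the connection (TCP reset)
    filtered - no usable answer (timeout or unreachable error), which is
               what a firewall that silently drops probes produces
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"


def firewall_findings(port_states, icmp_echo_answered):
    """Compare probe results with the expectation stated in the article.

    port_states: dict mapping port -> "open" | "closed" | "filtered"
    icmp_echo_answered: bool, observed separately (for example with ping)
    Returns a list of findings; an empty list means the expectation is met.
    """
    findings = []
    if icmp_echo_answered:
        findings.append("answers ICMP echo requests")
    for port in sorted(port_states):
        if port_states[port] == "open":
            findings.append(f"TCP port {port} is open")
    return findings


def audit_endpoint(host, ports, icmp_echo_answered, timeout=1.0):
    """Probe each port on host and return (states, findings)."""
    states = {p: tcp_port_state(host, p, timeout) for p in ports}
    return states, firewall_findings(states, icmp_echo_answered)


if __name__ == "__main__":
    # Constructed demo on the loopback interface: one port with a listener
    # and the same port again after the listener has gone away.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    print(audit_endpoint("127.0.0.1", [port], icmp_echo_answered=True))
    listener.close()
    print(audit_endpoint("127.0.0.1", [port], icmp_echo_answered=False))
```

A single connect attempt per port is a quick check; the Kaspersky verdict below notes that a sustained scan found services a shorter one did not, so repeat the audit over a longer window before treating an empty findings list as final.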

Kaspersky Work Space Security

Target market: small- to medium-sized organisations
Price (including GST): AU$382.80 for 10 workstations a year
Phone: 1300 762 833 or 03 9005 1669
Web: www.kaspersky.com/au/

Kaspersky Work Space Security is the foundation of Kaspersky's Open Space protection range. It is an ideal solution for securing workstations in a small-sized business and has a good set of tools and technologies to protect users from everyday threats. While this product primarily protects Windows workstations, protection for Windows server and Linux platforms is also available. System requirements for Windows-based machines: 300MB available HDD space and CD-ROM drive (for installing the program from CD).

A trial version of this solution is available on the Kaspersky website and is approximately 60MB in size.

Default setting and features/option

This product can be deployed to a number of endpoints individually and can be managed with a central server component — the Kaspersky Administration Kit. This server component allows administrators to organise and monitor the array of protection capabilities this product has, covering Windows- and Linux-based systems, mobile phone platforms, mail servers and internet gateways. The solution caused zero complications during the installation process and by default offers a high standard of anti-malware protection in the areas tested. It is also worth noting that there is a firewall set-up wizard which allows users to specify which applications are permitted network access. However, as Enex TestLab performed this test using default settings, all default rules remained unchanged.

Verdict

The solution offered a good level of default anti-malware protection, only missing 1.25 per cent of the combined test sets. The firewall did seem to put up a fight when it came to detecting open ports and services, but over a sustained scan time it was possible to detect services running on higher-end TCP ports.

[Screenshot: Kaspersky Work Space Security. Credit: Enex TestLab]

Overall rating
The good
  • Good malware protection
  • Offers a variety of technologies for protecting users from current online threats (eg, phishing-based techniques)
The bad
  • Allows incoming ICMP requests by default
  • Permits network traffic to an application-specific port by default
The bottom line: A very good solution for securing endpoints in a range of working environments.
ROI: Solid performance at a low price.

McAfee Total Protection for Endpoint

Target market: small to enterprise organisations
Price (including GST): AU$1941.5 for 11 licences
Phone: 1800 998 887
Web: www.mcafee.com/au/

McAfee Total Protection for Endpoint is a Windows server-based solution specifically designed to protect servers and workstations. The solution is compatible with systems running Windows NT 4.0 to Windows Vista, which means it needs only very low system specifications to operate. McAfee does recommend, however, that workstations have 128MB of RAM and servers have 256MB. This solution also caters for various Novell, Lotus Domino and Exchange servers. McAfee Total Protection for Endpoint can be deployed in small- to enterprise-sized network environments. This package is available to download as an evaluation which can be upgraded to the full version with a purchased licence key. The installation package size is approximately 620MB.

Default setting and features/option

The central administration console, named ePolicy Orchestrator (ePO), must be installed on a Windows Server platform prior to the engagement of any workstation deployments. Once ePO has been installed administrators can then begin remote network deployments to the network endpoints.

Administrators should be aware that when deploying this solution on a Windows XP or Vista system, the Windows firewall must be disabled in order for ePO to initialise the McAfee product installation. The McAfee Host Intrusion Prevention portion of the solution handles the firewall and other intrusion prevention technologies. By default this feature is disabled, but administrators can enable it from within the ePO GUI. This product's antivirus features are automatically configured to a high level of protection and these settings can be customised if required.

Verdict

The solution performed very well across virus and spyware categories, scoring an overall 99 per cent detection rate. The firewall protected the machine from external mapping attempts, and also effectively performed firewall actions for applications requesting external network access.

[Screenshot: McAfee Total Protection for Endpoint. Credit: Enex TestLab]

Overall rating
The good
  • Good real-time scanning engines for neutralising malware.
  • Excellent firewall for minimising outbound leakage and keeping the host hidden.
  • Comes pre-packed with McAfee SiteAdvisor to deter users from visiting known malicious websites.
The bad
  • Limited in deployment methods.
  • Requires some fine-tuning to get a good balance of practical network security. Once McAfee Host Intrusion Prevention is enabled it blocks all outbound applications and services.
  • The solution requires a Windows server in order to deploy the product to endpoints.
The bottom line: An excellent package for deploying to multiple endpoints to protect against a diverse range of real-world threats.
ROI: Solid features and performance, but quite expensive.

Trend Micro Worry-Free Business Security

Target market: small to enterprise organisations
Price (including GST): AU$188.75 for five licences
Phone: 1800 653 870
Web: www.trendmicro.com.au

Trend Micro's Worry-Free Business Security (WFBS) is a comprehensive package offering a wide range of security technologies. This solution is compatible with Windows workstations running Windows XP to Vista and Windows servers 2000 to 2008.

There are currently three versions of this solution: Standard, Advanced and Hosted. The scope of this review tests only antivirus and firewall, so the standard edition was more than adequate. Overall, the central installation is 580MB and can be downloaded as a trial from the vendor website. WFBS is aimed at organisations ranging from small to enterprise levels.

Default setting and features/option

In order to manage and administer protection to clients it is necessary to install a management console to the core underlying system. After a straightforward installation of the server components WFBS is ready. Administrators should be aware that this product requires some fine-tuning in order to make all the features available. This includes permitting use of the desktop firewall, IDS, Wi-Fi Advisor and URL filtering components.

Verdict

Overall, this solution scored 83 per cent in malware detection — a figure that would improve by enabling a higher level of protection than the default. The firewall has a basic set of rules which need to be refined in order to further enhance the default level of protection provided.

[Screenshot: Trend Micro Worry-Free Business Security. Credit: Enex TestLab]

Overall rating
The good
  • A wide range of features and tools available
  • A variety of deployment methods
  • An in-built technology known as "location awareness". The solution can be configured to have different policies for in and out of office environments
The bad
  • Out-of-the-box anti-malware performance may require fine-tuning for better performance
  • Allows enumeration of multiple open ports by default
  • Allows incoming ICMP (ping) traffic by default
The bottom line: A feature-rich solution for those working from the office, at home or on the road.
ROI: Good price and features, but average default performance.

Symantec Endpoint Protection

Target market: small to enterprise organisations
Price (including GST): AU$799.95 for 10 licences
Phone: 1800 680 026
Web: www.symantec.com/en/au/

Symantec Endpoint Protection is designed to protect Windows- and Linux-based workstations, laptops and servers. This solution caters for small- to enterprise-sized organisations and comes complete with an administration console for deploying and managing endpoints.

There are free trial downloads available directly from Symantec's website. The package is approximately 490MB in size.

Default setting and features/option

For the purpose of these tests, the server components were not installed as the product advantageously allows a single unmanaged client installation. There is a range of firewall features not enabled by default. If enabled, however, they should protect the client from a wide range of network attacks. The solution offers a good level of antivirus protection by default.

Verdict

Overall, in terms of default malware detection, the solution came in at joint third place with a combined detection rate of 98.75 per cent. The solution could benefit from a stronger default firewall protection level, yet can easily be configured to provide such protection if required.

(Credit: Enex TestLab)

Overall rating
The good
  • Achieved joint second place for default spyware detection
The bad
  • Default firewall rules could be improved for better out-of-box protection
The bottom line: A good solution for malware detection.
ROI: Good performance and options at a reasonable price.

F-Secure Client Security

Target market: small to large organisations
Price (including GST): AU$768 for 10 users
Phone: 02 8404 4192
Web: www.f-secure.com/en_AU/

F-Secure Client Security is specifically designed for Windows workstations. Aimed at small to large businesses, Client Security offers a broad range of protection against the latest security threats.

The package can be downloaded directly from the vendor website and a 30-day free trial is available. The solution can be downloaded as a single client installer, which is around 60MB in size. Alternatively, the solution can be deployed via a central administration console, but within the scope of this review it was unnecessary to do this.

Default setting and features/option

Installing the solution on a single workstation was simple, intuitive and caused zero problems. F-Secure Client Security is preconfigured with a good set of security rules designed to cater to the needs of most organisations. The firewall intrusion protection system contains preloaded signatures that are able to successfully detect common forms of malicious network traffic by default.

Verdict

The solution had a combined detection rate of 97.75 per cent, which places the solution above average in the current comparison stakes. The firewall denies ICMP requests and blocks access to most service ports by default.

[Screenshot: F-Secure Client Security. Credit: Enex TestLab]

Overall rating
The good
  • Fairly consistent antivirus and anti-spyware detection
  • Denies ICMP requests by default, making it more difficult for attackers to detect the system on the network
The bad
  • Allowed a well-known remote access tool full outbound network privileges by default
The bottom line: A business solution ideal for protecting users from common network mapping techniques and a variety of malware strains.
ROI: Above average price with good performance.

Sophos Computer Security SBE 4.0

Target market: small- to medium-sized organisations
Price (including GST): AU$917.50 for 10 licences
Phone: 02 9409 9100
Web: www.sophos.com

Sophos Computer Security SBE 4.0 is a small business package for both Mac- and Windows-based platforms. The solution comprises an arsenal of technologies for mitigating internet security threats.

A limited trial can be downloaded directly from the Sophos website. The Windows version for a single client installer is around 62MB in size.

Default setting and features/option

A quick and easy installation, yet administrators should note that the client firewall component must be specified for installation within the default set-up wizard. Once installed, Sophos runs preconfigured with a high standard of firewall protection. The product has an easy-to-use and highly configurable user management interface.

Verdict

Sophos did satisfactorily in both areas tested. Overall, it performed very well in malware tests with a total combined detection rate of 99 per cent. The firewall kept the host well hidden on the network.

[Screenshot: Sophos Computer Security SBE 4.0. Credit: Enex TestLab]

Overall rating
The good
  • Excellent firewall for locking down incoming/outgoing connections
  • One of the best anti-malware detection engines (based on the current report context)
The bad
  • The desktop firewall may come across as an annoyance during the early stages of building application firewall rules as it alerts the user of any application requesting external network access (but good from a security perspective)
The bottom line: A good product for small business security that just works with the out-of-box settings.
ROI: Good "out of the box" performance at a fair price.

Checkpoint ZoneAlarm Internet Security Professional

Target market: home
Price (including GST): AU$49.95
Phone: 03 9761 0242
Web: www.zonealarm.com.au

ZoneAlarm Internet Security Suite (ZAISS) is a home solution offering a variety of defences to safeguard against internet-borne threats. The solution is compatible with desktop distributions of Windows ranging from XP through to 7. ZAISS installs on standard Windows-based systems.

A 15-day free trial of the solution is available. The whole package is around 110MB in size and downloadable from the vendor website.

Default setting and features/option

The installation of this solution is very easy, providing the target computer meets the minimum requirements. The solution is preconfigured to a respectable level of default protection. As a default setting, the program control portion of the firewall is configured to auto-learn. However, auto-learn is considered less secure as the firewall does not screen all programs in this mode.

Verdict

Overall, the solution performed well, based on the default anti-malware protection level with both test sets, obtaining a combined detection rate of 97.5 per cent. The auto-learn feature is useful for minimising the amount of user interaction with the solution, but could potentially result in an unwanted application or service being permitted external network access.

[Screenshot: ZoneAlarm Internet Security Suite. Credit: Enex TestLab]

Overall rating
The good
  • Offers a good range of features for securing a family computer.
The bad
  • The auto-learn feature could potentially result in an unwanted application or service being permitted external network access
  • Leaves various TCP ports open
The bottom line: Offers a good range of features for securing a family computer.
ROI: Average price and performance.

ESET Smart Security Home Edition

Target market: small to large organisations
Price (including GST): AU$575 for 10 licences
Phone: 07 3325 2999
Web: www.eset.com.au

ESET Smart Security Home Edition offers effective technologies for nullifying web-based threats. This solution is compatible with Windows systems, although there are also variants of the product available for Linux-based systems and also mobile protection for smartphones. ESET Smart Security requires minimal system resources, so it will work on older workstations.

The installation package is fairly small in comparison to other solutions and is downloadable as a 40MB installer. A trial version of the solution can be obtained via the website after submitting a valid email address.

Default setting and features/option

This solution can be purchased as a business edition where it inherits all the features from the home solution, but also includes a remote administration tool. Features on offer include a desktop firewall, antivirus, anti-spyware, anti-spam protection and a system rescue facility.

Verdict

Overall, an above average solution in terms of default malware detection. The solution performed considerably better than its competitors in spyware detection, yet was somewhat let down in virus tests — a fact reflected in the combined detection rate of 97.5 per cent. The firewall has a good level of external to internal protection, successfully keeping the host and its service ports hidden from remote machines on the network.

[Screenshot: ESET Smart Security. Credit: Enex TestLab]

Overall rating
The good
  • Excellent spyware protection
  • Good firewall for cloaking the system from external intruders
  • Has a simple user interface, which isn't overcluttered with jargon, but also offers a more advanced view for more experienced users
The bad
  • Allows most programs and services outbound network access by default
  • Less effective level of virus detection compared to its default spyware detection
The bottom line: A home solution ideal for protecting users from common network mapping techniques and a variety of malware strains.
ROI: Below average default performance at moderate price.

Alwil Avast! Professional Edition

Target market: small business
Price (including GST): AU$64.09 per licence
Phone: 1300 BIZAID (1300 249 243)
Web: www.avast.com.au

Avast! Professional Edition is a small business solution focusing on securing Windows platforms. This solution is capable of running on platforms as old as Windows 95. It is also compatible with more up-to-date distributions of Windows XP and above supporting both 32- and 64-bit architectures.

Avast offers a fully functional 60-day trial which is available online as a 40MB package. The program itself requires 20MB, the remainder reserved for the virus recovery database file and its index.

Default setting and features/option

The solution is deployable on a single client computer basis if required, which should particularly benefit users and administrators in a small business environment. It has a bold, clean user management interface that helps to ensure a no-nonsense approach to user interactions. The interface is comparable to early MP3 jukebox software which focused on simplicity and usability.

Verdict

Overall, the solution came in at joint first place for combined malware detection scoring 99.5 per cent in a default configuration. The solution advertises that it has a lightweight firewall, but this does not compete with the other solutions under test as it seems to only filter a handful of UDP ports.

[Screenshot: Avast! Professional Edition. Credit: Enex TestLab]

Overall rating
The good
  • A good set of detection technologies to intercept inbound malware
  • An easy to understand user interface using big fonts by default, which may be particularly suited to the vision impaired
The bad
  • No central management server, so administration and deployment must be done manually
  • Lightweight firewall that is not a worthy substitute for a personal firewall
The bottom line: Great product in terms of default malware detection. It is perhaps particularly suited to the more novice user in a smaller scaled network environment.
ROI: Inexpensive, but not for the business environment.

AVG Internet Security Network Edition

Target market: small- to medium-sized organisations
Price (including GST): AU$199.99 for two licences
Phone: 03 9581 0800
Web: www.avg.com.au

AVG Internet Security Network Edition is specifically designed to protect Windows workstations and file servers. Aimed at small business, AVG affords protection for Windows systems from Windows 2000 to 7 on 32- and 64-bit platforms. In comparison to others, this solution has moderate system requirements.

The product is approximately 100MB in size and is available for download as a 30-day 10-node trial.

Default setting and features/option

The solution has an administration kit that allows it to be deployed and managed remotely across a network. For the purposes of this review, however, it was only necessary to install the solution on a single client computer. The set-up was simple. Once installed it launches a first-run wizard, which allows users to tailor the solution's basic functionality. It is worth noting that the firewall functionality appears somewhat limited, at best.

Verdict

AVG scored a combined detection rate of 98.25 per cent, which places the solution in the top four in terms of default malware detection. While this solution does not appear to offer a firewall that can be adequately compared to the other products under test, it does allow its users to lock down system processes to prevent external connections.

[Screenshot: AVG Internet Security Network Edition. Credit: Enex TestLab]

Overall rating
The good
  • Joint second place in the default spyware detection stakes
  • Offers a real-time active surf shield to help ensure web pages are safe before they are accessed
The bad
  • Does not offer a fully featured firewall
The bottom line: A good solution for protecting small network deployments.
ROI: Good performance with an above average price, though the firewall was limited.

Avira SmallBusiness Suite

Target market: small- to medium-sized organisations
Price (including GST): AU$799.00 for 10 licences
Phone: 1300 369 694
Web: www.avira.com

Avira SmallBusiness suite offers a range of antivirus solutions on a variety of platforms. For this review, Enex TestLab focused on the Avira AntiVir Professional for Windows.

Aimed at the small business market, the solution is downloadable as a 30-day free trial via the Avira website. The package comes as a server-to-client deployable solution and is around 360MB in size.

Default setting and features/option

The solution can be deployed remotely from the Avira security management centre. Alternatively, the Avira AntiVir Professional (Windows) package can be manually installed via standard removable media. Once installed a configuration wizard starts, enabling the user to customise the solution set-up (Enex TestLab used the configuration wizard to specify default options in this instance).

Verdict

The solution came in at joint first place using the combined test suite, scoring 99.5 per cent in a default configuration. The security suite does not have a personal firewall, so it was not compared to the other security suites under test in this area.

[Screenshot: Avira AntiVir Professional. Credit: Enex TestLab]

Overall rating
The good
  • Achieved first place in the spyware detection stakes
The bad
  • Lacks a personal firewall
The bottom line: A good set of default malware protection.
ROI: Reasonable pricing with excellent malware detection, but no firewall.

Results

The graphs below show the test results based solely on a default configuration for each product under test.

It is important to consider that many of the solutions have higher levels of available protection over and above the default. Should higher levels of protection be configured it is entirely possible that the detection rates of the corresponding product would improve.

Interestingly, no false positives (mistakenly identifying a safe file as a virus) were found during the tests, and so these have been omitted from the graphs. False negative (failing to pick up a virus), true positive (correctly identifying a virus) and true negative (correctly determining a safe file) results have been included.

All tests were performed using the eThreatz automated malware testing system. An eThreatz test includes live malware continuously harvested from a range of global independent honeypots and honeynets maintained by Enex TestLab.

Overall detection rate was determined as the sum of the true positive results for both the virus and spyware tests, divided by the number of known true positives in the system (400).

[Graph: virus test results]

[Graph: spyware test results]

[Graph: overall results]

And the winner is...

While it was very close, this year we find we have three to recommend: Sophos, Kaspersky and Symantec. Which one you choose will be highly dependent on how your business is structured, your software budget and how many employees you have — not to mention which ones have the best server-side management tools. But that's a subject for another feature — from a pure endpoint security perspective, any of the above three should keep you well protected.