The best endpoint security suite is...

Summary: Wondering which endpoint security suite keeps your clients the most protected? Enex TestLab racks them all up and puts them through their paces.

TOPICS: Security, Malware

Malicious software (malware) plays a central role in the continuing power struggle between the attackers and defenders of our computer systems. It is therefore crucial to independently test the capabilities of the security products we trust to defend us.

There are many methods and techniques to test these products, various levels of configuration that can be applied, and multiple areas of potential focus. This report concentrates on two main security technology areas: out-of-the-box anti-malware detection (specifically virus and spyware detection) and default desktop firewall protection.

How we tested

System set-up: each test machine ran a fully updated and patched version of Microsoft Windows XP Professional (Service Pack 3). Security suites were then installed and updated to use the latest software versions. The solutions were tested using the default settings to ensure a fair and comparable test.

Anti-malware: all products were installed on separate identical hardware and software combinations using only default protection settings. All products were updated at the same date and time using a standard internet connection. The internet was disabled and physically disconnected following the update process to ensure that the products were frozen at a particular point. All products were completely isolated during testing.

Malware test sets were introduced to each product using standard inbound vectors, devices and protocols that included HTTP, SMTP/POP3, FTP, DVD and USB injection mechanisms to accurately represent real-world threats. Each test set also contained malware-free samples.

Firewall: solutions were tested in several areas, focusing on commonly used programs and services that require network access (internal and external). An external system was configured with various tools to identify potentially open ports on each endpoint. It is important to note that in a real-world deployment it is recommended that internal endpoints be protected by a separate corporate firewall at the network gateway, in line with good security practice. This testing, however, removed that layer of security in order to measure the protection afforded by each desktop firewall on its own. Ideally, each firewall solution should deny ICMP requests and show all ports as closed or appropriately filtered. This helps protect against common network mapping techniques and automated probes during any pre-attack reconnaissance phase.
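The acceptance criterion above (no ICMP echo reply, no port reported open) can be checked automatically against the external scanner's results. The following is an added example, not code from the review or from Enex TestLab: it assumes the external system is nmap writing "grepable" (-oG) output, with an ICMP-echo host-discovery run (-sn) and a separate TCP port scan with discovery skipped (-Pn); the addresses, ports and states are constructed samples.

```python
import re
from typing import Dict, List

# Constructed nmap "grepable" (-oG) output, not taken from the review.
# PING_SWEEP is from an ICMP-echo host discovery run (-sn): an endpoint
# whose firewall drops echo requests simply does not appear here.
PING_SWEEP = """\
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.12 ()\tStatus: Up
"""
# PORT_SCAN is from a TCP scan of the same three endpoints with host
# discovery skipped (-Pn), so every endpoint has a Ports: field.
PORT_SCAN = """\
Host: 10.0.0.11 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 10.0.0.12 ()\tPorts: 135/closed/tcp//msrpc///, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.0.0.13 ()\tPorts: 135/filtered/tcp//msrpc///\tIgnored State: filtered (999)
"""

# Each port entry in -oG output looks like "445/open/tcp//microsoft-ds///".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")

def hosts_answering_ping(sweep: str) -> set:
    """Addresses that replied to ICMP echo during discovery."""
    return {ln.split()[1] for ln in sweep.splitlines()
            if ln.startswith("Host: ") and "Status: Up" in ln}

def port_states(scan: str) -> Dict[str, Dict[str, str]]:
    """Map address -> {'port/proto': state} from the Ports: fields."""
    states: Dict[str, Dict[str, str]] = {}
    for ln in scan.splitlines():
        if not ln.startswith("Host: ") or "Ports: " not in ln:
            continue
        addr = ln.split()[1]
        states[addr] = {f"{p}/{proto}": st for p, st, proto in PORT_RE.findall(ln)}
    return states

def assess(sweep: str, scan: str) -> Dict[str, List[str]]:
    """Per endpoint, list each deviation from the review's criterion
    (no ICMP reply, nothing open). An empty list means the endpoint passes."""
    pinged = hosts_answering_ping(sweep)
    findings: Dict[str, List[str]] = {}
    for addr, ports in port_states(scan).items():
        issues = ["answers ICMP echo (discoverable by ping sweep)"] if addr in pinged else []
        issues += [f"{p} open" for p, st in sorted(ports.items()) if st == "open"]
        findings[addr] = issues
    return findings

if __name__ == "__main__":
    for addr, issues in assess(PING_SWEEP, PORT_SCAN).items():
        print(addr, "PASS" if not issues else "FAIL: " + "; ".join(issues))
```

Closed and filtered ports both count as acceptable, matching the review's wording; only an open port or an ICMP reply is reported as a finding.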

Talkback

17 comments
  • Awesome Hi Tech!

    Wow! Hold onto these work experience kids that did this! Mind numbingly awesome tech and security work! Well done ZD. I wish this went on for another 10 pages at least. I just did not want this work to end!
    anonymous
  • AVG Internet Security Business Edition 9.0

    AVG introduced Internet Security Business Edition 9.0 in late October. Among its enhancements is an improved firewall. See http://www.avg.com/us-en/product-avg-internet-security-business-edition for more information. An optimization scan capability has been added as well, which improves future scans by up to 50%.
    anonymous
  • Anti virus comparison story

    I can only go from my point of view - working in the field, hands on, every day, as a freelancer.

    I consistently get money from Nortons, who I love. Without them I wouldn't make as much money getting rid of viruses from infected machines with up-to-date and working Nortons on them. In my tests, I have found the best to be Sophos, simply because I image the C drives and when the viruses are all gone, take time to write the image to a spare drive and have Sophos trial installed, AVG 9 free installed on another machine, and have recently tried Kaspersky. Kaspersky found the least of those 3, with Trend and many other antiviruses (over months on different machines) installed. AVG free consistently found all but about 4 viruses and Sophos found the most.

    Even with all THAT, absolutely NONE of them, updated and working, found ALL of them. Quite often, I have detected unknown viruses and submitted them to various companies, to be told they were new. Sorry, but your tests are really not "real time". If you want real tests, you really ought to find people like me who are in the trenches all day and late into the night, often, and get US to test the antiviruses for you, periodically. The truth is that you need MORE than an antivirus program if you think you have an infection that your current one doesn't detect, AND you need the knowledge to find and eradicate unknown viruses, too. You won't learn THAT in any course available.
    anonymous
  • Feedback

    hey Eugene,

    please feel free to email me personally with any criticism about the article, happy to hear what we should do better.

    renai.lemay@zdnet.com.au

    Cheers,

    Renai LeMay
    News Editor
    ZDNet.com.au
    anonymous
  • Awesome

    Great article guys finally an impartial look at this field naming names! please keep it up. Ignore the manufacturer whinging here.
    anonymous
  • Easily pleased...

    You are easily pleased. Why not just go get some brochures or checkout the websites from the tested vendors. It's about the same level of information and detail. There's nothing here. Did you write this review?
    anonymous
  • Missed the point (and the detail)

    I think 'Easily pleased' has missed the point and the detail unfortunately. There are useful metrics and an impartial assessment of possible 'flaws' included that you obviously would not find in a vendor brochure, and no, I did not write the review (I simply read it thoroughly).
    anonymous
  • Copy from the product

    I agree with you. There's nothing here. Maybe Mr Ian just installed all these software packages and did a preview.

    No critical comment on the products ... it's just like the Gartner Magic Quadrant, every product is magic ...
    anonymous
  • Not 17 years experience of testing

    Hi...please don't spoil the name of RMIT ...

    The content does not really reflect the 17 years of testing experience from RMIT ....
    anonymous
  • Easily pleased

    @Missed the point, who are you addressing? Sounds like the world. :p I repeat, you are easily pleased. Either that or you are an awesome troll and I commend you for sucking me in.
    anonymous
  • No One Following Links ?

    Are you guys nuts?

    "Malware test sets were introduced to each product using standard inbound vectors, devices and protocols that included HTTP, SMTP/POP3, FTP, DVD and USB injection mechanisms to accurately represent real-world threats. Each test set also contained malware-free samples" and then the results: http://www.zdnet.com.au/reviews/software/security/soa/The-best-endpoint-security-suite-is-/0,139023452,339299322-13,00.htm
    AV vendors will not promote those in their brochures, well, none I have seen!
    anonymous
  • Good Work ZDNet keep it up!

    Even if a lot of people see this as a brochure or just scratching the surface, at least the results can show which AV software really doesn't stack up. I'm guessing anyone using Trend Micro and reading this will change immediately (if they are not rebuilding due to too many trojans already).
    I think this is a great indicator for people that do not want to spend too much time reviewing the products themselves, giving a quick overview, all in one place.
    ...and by all means, if you disagree, this is a great forum to express your views, so don't hold back, or start flaming. Just tell us how it is in YHO.
    Great job guys!
    anonymous
  • BTW - Malwarebytes.org

    Hi Guys,
    Does anyone have an opinion on malwarebytes.org? I've found that it can detect and repair rootkit viruses that other products don't pick up. So I run a scan with this tool once per month or so, just in case. I also run AVG as my everyday virus detector, and ZoneAlarm for the firewall.
    Any opinions on this setup?
    anonymous
  • versions

    Hi
    I guess you tested the previous workspace version of Kaspersky, judging from the screenshots you've used.
    anonymous
  • Performance stats? Footprints?

    One of the biggest metrics felt by users of anti-virus is how much it slows down their system and how much memory it takes up.

    Can you please add these and redetermine results.
    anonymous
  • I recently ran across some malware that my normal bag of tricks (Avast, Spybot S&D, and Sophos) didn't catch and take care of. This one allowed AV to run but would strip the definitions out so the software was blind, then infected the AV itself. With the help of a Windows guru, we got Malwarebytes installed and it found the malware and cleaned the PC. Problem solved! Great tool.
    Doug H.
  • Hi ZDnet,
    The testing you have conducted seems to have several flaws that could drastically affect the results:
    Firstly: by disconnecting the machines from the internet during the test you are disabling many protection features that are enabled by default in many of the products. If these tests are real-world tests then I am sure you agree that in the real world the machine would be connected to the internet (the majority of the time), and if not, then a large portion of your threat samples would never reach the machine through the "real-world" protocols you used, i.e. HTTP and SMTP/POP3.
    Secondly: through the infection vectors USB and DVD that you tested, many products have the default capability to block programs from running automatically from these devices, which in my experience is how threats are introduced. In these tests, did the user actually have to find and click on the threat to execute it, and if so, is this "real world"?
    Thirdly: how was the test set found? How many times had it been used? And how fresh were the samples? I would imagine that this would impact how realistic the results are to the real-world user.

    I think for future tests you should look to provide a truly real world scenario that includes machines being connected to the internet throughout the test and that real live threats found on the internet during the test are used to determine how well products protect the user.

    Looking Forward to future real-world reviews
    greg_boyle@...