Report comparativo soluzioni antivirus

Report comparativo soluzioni antivirus
Presented by
Endpoint Security for Enterprises
The enterprise security landscape
continues to change as companies
expand their conceptual models of
security. Whereas “security” once
meant anti-virus—and later evolved to
include capabilities
like firewalls, host
intrusion prevention,
and anti-spyware—
it’s now growing
broader again as a
new decade begins.
cently transfer confidential data—like
customers’ Social Security numbers—
out of the organization.
Of course, enterprise endpoint security
vendors are adapting to this changing
landscape, albeit in
different ways. Many
of the leading endpoint security players have, through
acquisitions, extended product lines with
separate products
that perform various
aspects of data protection. Many smaller companies have
sprung up to provide data loss prevention and device control products, too.
But these data-protection solutions can
be complex and intrusive. And given
the complexity of managing multiple
Security increasingly
demands that
companies control the
points at which data
enters and leaves their
trusted networks.
companies, and
those operating
under regulatory
and compliance mandates, know that
security increasingly demands they
control the points at which data enters
and leaves their trusted networks.
Companies are justifiably worried that
employees may knowingly or inno-
In This Review
•McAfee Total Protection for
Endpoint 8.7i (ePO 4.5)
•Sophos Endpoint Security and
Data Protection 9.0
•Symantec Endpoint Protection
•Trend Micro OfficeScan ClientServer Suite Advanced 10 SP1
products in an enterprise environment,
it’s natural that companies should
expect their chosen endpoint security
suites to provide the first line of data
How is data protection implemented
in practice? One approach is to control
access to removable devices, like USB
drives; another is to closely track files
and data that are being exchanged.
Installation & Configuration
Policies & Management
Data Protection
Visibility & Threat Awareness
Technical Support
Quick Summary
McAfee Total
Protection for
8.7i (ePO 4.5)
McAfee Total Protection
for Endpoint is complex
to set up and use.
Despite strong reporting
and policy management,
it provides only basic
device control and was
slow in our performance
Sophos Endpoint
Security and Data
Protection 9.0
Sophos Endpoint Security
and Data Protection 9.0
combines ease of use
with excellent
performance and very
good support. It’s the
only product in the
group to integrate data
loss prevention
capabilities, but the
default firewall settings
could have been more
effective out of the box.
Key: S – Poor SS – Fair SSS – Good SSSS – Very Good SSSSS – Excellent 1
Symantec Endpoint
Protection 11.0
Symantec Endpoint
Protection 11.0
delivered a solid
experience from the
start and provides
robust policy
management and
reporting. Tech support,
however, was very
Trend Micro
Client-Server Suite
Advanced 10 SP1
Trend Micro OfficeScan
Client-Server Suite
Advanced 10 (Service
Pack 1) has too many
confusing components,
making for difficult
installation and policy
management. Scan
speeds were good but
Trend Micro’s built-in
reporting is limited, and
tech support was poor.
Now that several vendors are providing
at least some of these functions within
their core packages, we’ve undertaken
to rate them in the context of a complete endpoint security solution.
For all this, of course, the fundamentals
of enterprise security haven’t disappeared: endpoint security products
must protect desktops, laptops, and
servers, in a way that’s easy to deploy and manage. What’s really new
is that some vendors are addressing
the expanding needs of customers by
integrating data protection into the
endpoint—building on traditional
anti-malware measures and providing
a more powerful tool set for today’s
security administrators.
What to Look For
Choosing an enterprise security product can be complex not just because
your enterprise itself is complex, but
because there are so many factors to
consider. Ultimately, though, the ideal
security suite provides this set of capabilities:
•Easy installation and configuration,
with the ability to install prerequisites
and synchronize with your existing
Active Directory infrastructure.
•Sensible policy management
organized by capability and task,
rather than following arbitrary
divisions in the product’s architecture,
with straightforward configuration
that simplifies things for the IT
administrator and is informed by
vendor intelligence e.g. sample policies
or pre-defined application lists or rules.
•Data protection capabilities to ensure
your PCs and network are secured not
just against malware, but also against
misappropriation of sensitive data.
Performance Spotlight
We also analyzed the impact of endpoint security programs
Trend Micro
On top of all this, the suite should be
cohesive and integrated so you don’t
have to manage a myriad of disparate
Our overall matrix provides a summary
of each product’s capabilities in these
areas, and individual product reviews
address each factor in further detail.
Time to Open Large PowerPoint File
Time to Perform On‐Demand Scan
•Responsive technical support that gets
you clear answers with minimal wait
times and limited gate-keeping.
When we added the EICAR test “virus” to the startup folder,
Sophos and Symantec successfully detected and blocked
its execution during the boot process. McAfee and Trend
Micro, though, both missed the test virus and allowed it to
execute. Neither Trend nor McAfee enable their on-access
scanning capabilities until after the machine completes
booting, which makes boot up faster but leaves a potential
window of opportunity for malware to infect a machine.
This inconsistency made it impractical to do any meaningful
comparison as it is difficult for us to accurately determine
when we could really consider a reboot complete.
We first tested performance in a best-case scenario, on
desktop machines with 2GB of RAM and no other applications running. Then, to simulate more heavily loaded systems running multiple applications, we depleted memory
so that only 256MB remained. Trend Micro and Sophos
were affected relatively little by the reduction in memory, as
the charts below illustrate.
Time to Perform On‐Access Scan
•Good performance so your users
maintain their productivity.
on system reboot time. In general, we found that the endpoint security software packages added 20 to 60 seconds
to the time required to shut down and restart a system. We
did not include this data in our performance charts, though,
because we found a fundamental inconsistency in how
products behaved after they rebooted.
Performance remains an important consideration in choosing a security suite: Products that impose too much overhead can slow down users, reducing their productivity and
leading to frustration. Our testing demonstrated significant
differences in the performance costs products impose on
users, with Sophos being fastest overall, Symantec and
Trend Micro turning in good results, and McAfee disappointingly slow.
•Visibility and threat reporting
capabilities that let you know your
enterprise is protected, rapidly take
action when it isn’t, and get clear
indications of compromised
endpoints so you can take
appropriate action.
Time required (lower results are better)
Additional time required in low‐memory condition
The Suites We Reviewed
We tested the latest versions of the
four leading enterprise endpoint security products, as indicated by Gartner’s
2009 Magic Quadrant for the category,
from McAfee, Sophos, Symantec, and
Trend Micro targeted at midsize and
large enterprises.
McAfee Total Protection for
Endpoint 8.7i (ePO 4.5) is all about
control. If you take the time to master
its complex interface, it can provide
you with deep control over detailed
security settings. But installation and
configuration and policy management
are challenging, and the client was the
slowest we tested.
Sophos Endpoint Security and Data
Protection 9.0 is the one package
that truly combines malware and data
protection. It earned high ratings in all
categories. It stands out for its simplicity, speed and the most extensive
device control and data loss prevention capabilities. It lacks the granular
reporting capabilities some administrators will demand, however, and the
firewall requires a little customizing
before deployment.
Symantec Endpoint Protection 11.0
is a solid product all-around, with good
ratings in most categories. It lacks integrated data loss prevention, and our
experience with Symantec technical
support was below average.
Trend Micro OfficeScan ClientServer Suite Advanced 10
Service Pack 1 is a confusing tangle of
products in its current state. The core
OfficeScan product by itself is capable,
but adding components for reporting,
server protection, and other features
not included in OfficeScan makes the
suite unwieldy to manage.
Our Findings
To determine which products best
meet the security needs of enterprises,
we evaluated them on six key criteria:
installation and configuration; policies
and management; data protection; vis-
ibility and threat management; performance; and technical support.
Installation and configuration may
be a one-time affair, but it sets the
tone for administrators’ ongoing
relationship with the product. We find
that products that are complex and
confusing to install are often difficult to
manage on an ongoing basis.
Sophos Endpoint Security and Data
Protection 9.0 had
both the fastest
overall average
setup time and
fewest overall steps.
Symantec also fared
well. In comparison
to Symantec and
Sophos, McAfee
Total Protection for
Endpoint proved to be complicated,
requiring longer to install than any
other product. Trend Micro’s Office­
Scan suite was ultimately complex and
confusing even though the base product is relatively simple. Trend Micro’s
own technical support staff struggled
to give us clear answers to questions
about server protection and the intrusion prevention firewall.
and Trend Micro each have standalone
point products for data loss prevention functions that must be separately
purchased, set up, and maintained. All
of the products we looked at include
some form of device control, but some
were more full-featured than others;
McAfee, for one, doesn’t include the
device control necessary for implementing realistic and effective security
policies in this area.
Visibility and
threat awareness
encompasses dashboards, reporting,
and alerting tools,
as well as the products’ behavior when
they detect threats
on clients. Since no
product can realistically be 100% effective in blocking
every security threat, many companies
take the position that machines must
be re-imaged once any malicious activity is detected. Therefore, we focused
our analysis not on raw threat detection effectiveness but on the qualitative indicators that products provide
to help administrators stay abreast of
individual threats and the overall protection status of their networks.
Sophos Endpoint Security
and Data Protection 9.0
is the one package that
truly combines malware
and data protection.
Policies and management addresses
how each product handles establishing protection policies. Sophos and
Symantec were a pleasure to use in this
regard, with clear and logical interfaces. McAfee had many granular options
available but they were often nested
many layers down into the interface.
Trend Micro OfficeScan policy management made sense but was less flexible
than other products and didn’t have
centralized management for its server
protection product.
Data protection rates integrated
device control and data loss prevention capabilities. Sophos stood out as
the only product in our roundup to
include true real-time data monitoring capabilities. This feature enables
an administrator to configure policies
to identify sensitive data in files being
used by employees. Symantec, McAfee,
McAfee, Sophos, and Symantec all
posted strong results in this area,
though for different reasons. McAfee’s
dashboard is excellent, allowing extensive customization and providing
actionable information about out-ofcompliance endpoints. Sophos has a
clear dashboard and, not surprisingly,
better visibility into device and data
breaches; for example, the dashboard
includes a filter view to instantly find
out-of-date endpoints so there’s no
need to run a report to get to the
detail for such essential information.
Symantec offered monitors and reports
that gave useful information and access to logs that could provide great
detail when necessary.
In contrast, Trend Micro doesn’t include reporting in its basic OfficeScan
Total installation and configuration steps and time to complete Add a scheduled scan Enable scanning of potentially unwanted applications Create read‐only access for removable storage Add an exception for particular device classes (e.g., encrypted USB keys) Block access to application View out‐of‐date endpoints Send e‐mail when virus detected View users/workstations overridden by application control rules View users/workstations blocked by device control rules View users/workstations that have overridden data loss prevention rules McAfee
Trend Micro
166 steps, 5 hours 9 93 steps, 2.5 hours 7 123 steps, 3.5 hours 9 107 steps, 3 hours* 6 7 7 5 6 Feature unavailable† 4 Feature unavailable† 8 Feature unavailable† 4 7 Feature unavailable† 10 7 (add to dashboard) 13 5 0 (on dashboard) 7 12 0 (on dashboard) 8 Feature unavailable 0 (on dashboard) Feature unavailable 7 0 (on dashboard) 5 Feature unavailable Feature unavailable 0 (on dashboard) 5 Feature unavailable Feature unavailable 0 (on dashboard) Feature unavailable Feature unavailable Lower numbers are better, as they indicate number of steps to complete a task. The number of steps assumes that e‐mail server has already been configured. *—Includes steps to protect client endpoints, but not to install the ServerProtect component on servers. †—While product has device control, this particular feature is not available. suite; it requires a separate component,
Control Manager, to produce
even prepackaged reports. Trend Micro
was further hobbled by having multiple components—each with its own
administration interface—and a design
that lends itself more to monitoring
log files and less to action.
Performance is important, too, since
you don’t want user productivity to
be unduly impacted by their security
software. (See the “Performance Spotlight” sidebar.) Sophos was faster than
the Symantec, McAfee and Trend Micro
products we tested, and particularly
excelled in low-memory situations simulating desktops in active use. Trend
Micro followed close behind, Symantec provided serviceable performance
while McAfee was much slower than
the other products across the board.
Technical support is an important
aspect of the enterprise security suite,
since deploying and managing these
products in heterogeneous enterprise
environments often involves surprises.
All the companies in the review offer
phone, e-mail, and Web support 24
hours a day, 7 days a week in their basic support plan, which is what we evaluated. (Premium support is available
for an additional cost.) We found that
Sophos’ technical support stood out
for its minimal gate-keeping and clear
answers for most questions. McAfee’s
support was also good; Symantec and
Trend Micro were less responsive and
Overall Ratings
In the final analysis, each product we
looked had different strengths and
weaknesses. Only one delivered solid
marks across our full battery tests:
Sophos Endpoint Security and Data
Protection 9.0.
Sophos excelled on setup, configuration, and management and delivered
the fastest performance and best
technical support experience. Combine
this with meaningful data protection
and you have a product that delivers
superior protection and has the potential to reduce expenditure on security
products and recurring management
costs too.
Symantec Endpoint Protection offered
good setup, management, and reporting features and a solid product overall
but weaker performance and technical
support must be considered; McAfee
and Trend Micro both delivered only
fair results overall mostly due to their
Included Support Level
Average Wait Time (min)
Average Escalation Time (min)
Total Non-value-adding Time (min)
Easy Questions Answered by Tier 1
Difficult Questions Answered by Tier 1
Trend Micro
Mon-Fri 8am-8pm EST
Installation and
to help administrators wade through
the many settings.
Installing and conData Protection
figuring McAfee
McAfee Total Protection doesn’t
Total Protection is
include data protection to the extent
a challenging afthat other products do—at least, not
fair. You first must
without buying additional products.
install the prereqThe suite comes with no integrated
uisite Microsoft
data loss prevention capabilities, and
SQL Server datawhat device access control it has is
base, then install
comparatively difficult to set up.
McAfee’s ePO
(ePolicy OrchesMcAfee does offer sophisticated aptrator) platform,
plication control, including the abilthen “check in”
ity to block the creation or hooking
individual packages for anti-virus, of applications. As McAfee says in its
documentation, companies must apply
anti-spyware, and
this capability with care, as it can lead
so on. It doesn’t
McAfee’s dashboards are easy to configure, with different monitors or even
help that McAfee’s to users being blocked when attemptmultiple pages of monitors.
ing to use unknown but legitimate
documentation is
complexity. McAfee also suffered
light on practical,
from poor performance and a lack of
how-to information, though it does
included data protection capabilities.
For device control, McAfee has limited
provide context by explaining why
Trend Micro makes reporting a chore
built-in capabilities. It provides only
things are done.
and struggles with multiple disconAutoRun blocking, and we found that
nected components.
preventing AutoRun on USB devices
Policies and Management
was more difficult than in the other
The complexity continues when it
products we tested. Also, while you can
comes to managing policies. McAfee’s
McAfee Total Protection for
fundamental difEndpoint 8.7i (ePO 4.5)
ficulty is that it
The latest version of McAfee’s enterorganizes capabiliprise security suite, like its predecesties based on the
sors, suffers from all-around complexMcAfee compoity and poor usability. Administrators
nent that happens
who want intensive control over every
to provide them,
last detail of their endpoint protection
rather than in any
may prefer it, but other products we
sort of intuitive
tested provide a more approachable
grouping by funcset of capabilities for most businesses.
tion. McAfee’s policy management is
McAfee took longer than any other
more complex than
product to install and configure—
most—the benefit
about 5 hours—and McAfee’s policy
of this approach
management features make adminisbeing that McAfee
trators jump through hoops to acoffers highly
complish even basic tasks. The product granular control
was the slowest we tested on every test over policies and McAfee’s 11 anti-virus policies make it challenging to find the settings you’re
but one, and by a wide margin. The
over what features looking for.
upside: If you can master its complexusers can see and
ity, McAfee Total Protection provides
change in their
create a custom rule to block write acdetailed control over client policies and clients. McAfee also offers sensible decess to a specific drive, we found that it
a slick, customizable dashboard that
fault policies and in some cases, other
was easy to defeat by simply assigning
lets you take corrective action quickly.
sample policies, such as its “Typical
a different drive letter.
Corporate Environment” firewall policy,
Visibility and Threat Management
McAfee’s reporting and alert tools are
powerful, and its dashboard is eyecatching, but here again administrators
may find themselves struggling with
complexity. An appealing feature of
the dashboard is that it lets you take
direct action on information, providing
a fast path to correct a problem. For
example, if an endpoint is out of compliance, you can immediately deploy
a new agent or signature update. The
dashboard also does offer a large number of charts that you can display on as
many different tabs as you desire. But
this flexibility comes at a price: Finding
the right monitor can be time consuming, often forcing administrators to
navigate through a large collection of
queries organized by product component rather than functional area.
McAfee Total Protection can send any
of more than 100 predefined reports,
or custom reports, at hourly, daily,
weekly, or monthly intervals. You can
add any of more than 200 threat
events to a report, and add filters to
narrow results to specific groups or
systems, but sending reports automatically is a cumbersome process. You
can’t, for example, create an ad-hoc
report and then simply schedule it for
repeated sending; instead, you must
visit a different part of the interface.
On the client, McAfee’s signaturebased and behavioral protections are
augmented by its SiteAdvisor capability, which provides blocking of Web
sites that McAfee has assessed as risky.
As with Trend Micro’s Smart Protection Network, browser-based blocking
provides an additional layer of security
while browsing.
If you’re looking for a product that
won’t slow your users down, then
McAfee isn’t for you. McAfee turned
in the slowest performance results of
any product we tested. In most cases it
was dead last in our tests, and its performance in low-memory conditions
(simulating use on a loaded system)
was especially
We found we
needed to consult
McAfee’s manual
more frequently
than with other
products. When it
came time to contact live technical
support, we had
to endure long
wait times and a
painful authorization process on
each call. That
The Sophos home page shows everything the administrator needs to see in
said, our expericlear, easy-to-use sections.
ence overall was
positive; representatives successfully
Installation and Configuration
answered all the questions we posed.
We found Sophos’ installation and
configuration on the whole to be
remarkably uncomplicated for an
It takes a long time to install and to
enterprise security product, though
master the control of McAfee Total
like many suites its default firewall
Protection, but administrators that
configuration requires some tuning.
have the time to fine-tune and want
For those with mixed environments,
granular control over every aspect of
administrators will appreciate that
client policy may find McAfee Total
Sophos includes Windows, Mac, Unix,
Protection an appealing option. Both
and Linux endpoint support in its base
the Sophos and Symantec products are license. Sophos automatically installs
faster and manage to do a better job
the database required for the manageof packaging enterprise security capament server, and provides wizards that
bilities in a way that’s easy to underinclude compelling features, such as
stand and manage.
single-click import of an existing Active
Directory structure. If you already have
another security suite installed, Sophos
Sophos Endpoint Security and
includes the capability to uninstall and
Data Protection 9.0
replace it.
The new version 9.0 of Sophos’ endpoint security suite has the best
One challenge we encountered when
installation experience, policy mandeploying Sophos is that its default
agement, and threat visibility of any
firewall configuration stops common
product in this review. And on data
applications, including Internet Exprotection, Sophos stands out for its
plorer and Windows Remote Desktop
comprehensive, simple, and completely access. To deploy the firewall effectiveintegrated approach that includes
ly, you should expect to spend some
data loss prevention. It’s all rounded
time running it in interactive mode and
out by fast performance and excellent
customizing it to fit your environment.
technical support, making the Sophos
Endpoint Security and Data Protection
Sophos’ clearly organized interface
an appealing choice for organizations
means administrators shouldn’t need
of all sizes.
to refer to the Sophos documentation
approach, taking
the burden off
the administrator
to keep on top of
the ever-changing
details of applications that they
might want to
control the use of.
On the downside,
if an application
is not on Sophos’
extensive list,
there is no way to
add it manually;
instead, a request
to the Sophos
technicians must
be submitted.
Sophos includes a new report manager that is easier to use than previous
Sophos handles
intrusion prevenoften. For potentially complex tasks,
such as first-time installation, upgrades, tion (HIPS) and data loss prevention
in the same way with clear benefits to
or removal of competing software
products, Sophos offers PDF documen- organizations that have limited security-focused resources and expertise.
tation that we found easy to follow.
Policies and Management
Sophos’ Windows-based interface
makes setting up groups and policies
simple and transparent. The product
uses multiple policies—but a manageable five, in contrast with McAfee’s 11,
and with fewer tabs on each. Sophos
keeps everything in one window, so
unlike with the Trend and McAfee
products you don’t need to go to multiple places in the interface or bring up
additional menus. And unique among
products in this review, Sophos allows
you to create policies in the policies
panel and then drag and drop to apply
them to any given group in the groups
For controlling application use in a
company, Sophos takes a different approach than the other vendors. SophosLabs technicians maintain a large list
of applications that is automatically
updated. The product lets you select
categories or individual applications
to be blocked, so that blocking works
even if the path or name of the application is changed. This is a useful
Data Protection
Sophos’ data protection capabilities
are unsurpassed among the products
in this review. They include data loss
prevention, which lets an administrator
create policies to identify sensitive data
being copied onto removable storage, sent via e-mail or otherwise being
transferred. Sophos make the process
of identifying sensitive data simple by
providing a constantly updated library
of content definitions designed to
locate Social Security numbers, credit
or debit card numbers, and other types
of personally identifiable information.
Pre-defined rules reduce the learning
curve and time required to manage
this capability. In addition, administrators can create their own custom
patterns which could be used to detect
document markers or other intellectual
property traits.
There are a few rough edges. For
example, to monitor files copied onto
USB keys the Sophos solution intercepts Windows Explorer file copies but
blocks files being written direct to the
USB from within an application. When
a data loss prevention rule is triggered,
the product can block the transfer
entirely, request end user confirmation, or allow the transfer—logging the
attempt regardless of the action taken.
An administrator can review logs or
quickly scan activities using the event
viewer, and if he notices a blocked
activity that should be allowed in the
future can make that change on the
Sophos also includes device control
with granular restrictions for specific
devices. The device control includes
the ability to log and to add exemptions. In addition, the product provides
the ability to block access to online
storage sites (e.g., Mozy), remoteaccess services (e.g., GotoMyPC) and
mobile synchronization software (e.g.,
ActiveSync)—data loss channels that
may not be covered by traditional data
loss prevention solutions.
Visibility and Threat Management
Sophos’ easy-to-use dashboard provides instant visibility into the areas
administrators will care about on a
daily basis—for example, policy exceptions, out-of-date computers, and
computers that have generated threat
alerts. When we tested Sophos against
Web-borne exploits, its HIPS (Host
Intrusion Prevention System) alerts
often detected activity that would alert
administrators that action is required.
The new Sophos release also includes
a much-improved reports manager,
which makes it easier to create reports,
as well as schedule and deliver them in
different formats.
Setting up alerts is quick and easy.
Also, when a problem is detected on
an endpoint, Sophos includes links on
its dashboard to navigate to the appropriate tab for fixing it. The product provides a useful set of reporting
On performance, Sophos was fastest
chines. Its mana myriad of client deployment options,
agement interface such as creating installation packages
is sophisticated
and deploying using Symantec’s Altiris
yet comprehenmanagement application. Our chosen
sible. The suite
approach, pushing agents to clients,
offers sensible
was a little tricky, though: push installadefault settings
tion requires either client configuration
that provide
or manual Group Policy changes docureasonable
mented only in Symantec’s knowledge
protection, while
base, not the administrators’ guide
making instalwhere you might look first.
lation easy. And
Symantec includes Policies and Management
device control for
Administrators will find a clean intera large range of
face for setting policies and managing
endpoints. Symantec chooses reasonthe granularity of
able default settings that will satisfy
its controls isn’t
many administrators and, like McAfee,
as extensive as a
includes a number of sample policies
typical enterprise
that you can learn from and adapt to
The Symantec Home screen shows a clear representation of the overall security administrator
your own needs. Symantec’s policy
status for the domain.
might need. We
management interface is organized in
and the clear leader, placing first or
encountered only a couple of shorta logical fashion. Symantec’s interface
second on every test. Sophos’ perforcomings: Our experiences with basic
also includes a list of recent changes in
mance remained strong under memory Symantec technical support were frusa pane, a capability we found helpful.
constraints that simulate typical everytrating, and we found some operations
day use of a system. In this scenario,
in the management interface awkward. For application control, Symantec
its on-access scan time increased just 3
percent, and its on-demand scan time
Installation and
by 19 percent, far better than other
Symantec Endpoint Protection
Technical Support
11.0 delivered
Sophos’ technical support was very
a good experigood—the best of any we experienced ence from the
in this review. We encountered short
outset. Thorough,
wait times, had no problems with gate- easy-to-follow
keepers (as we did with other compadocumentation
nies), and quickly got answers to our
starts things off
on the right foot,
preparing you
with a higher-level
Sophos Endpoint Security and Data
understanding of
Protection 9.0 is a well-rounded prodhow the product
uct that is fast, easy to use, and whose
works so you
With Symantec Endpoint Protection, searching for unmanaged computers not
extensive built-in application control
can make more in- in the domain requires entering the administrator password and scanning an
and data loss prevention capabilities
formed decisions IP address range.
requires that you use pattern matching
set it apart from competitors.
later. Symantec automatically installs
against process names—flexible, but
the required database server, though
you will need to install Microsoft IIS on also time consuming for an administrator and practically speaking unlikely to
Symantec Endpoint Protection
the management server.
be effectively maintained day to day.
Symantec Endpoint Protection 11.0
Synchronizing with Active Directory is
Data Protection
provides a solid, effective solution for
straightforward, though not as easy as
Symantec’s device control covers a
protecting corporate endpoint maSophos’ single-click import. We found
broad range of device classes, including USB devices, floppy drives, tape
drives, CD/DVD drives, printers, and
generic Bluetooth devices. Attempts to
access blocked devices can be logged
(and reported on).
process for sending reports and alerts
is simple and straightforward, and its
alert system is complete and easy to
use with effective dampers (throttles)
for noisy alerts. But reports are only
available in HTML format.
Symantec includes data loss prevention
capabilities, focused on logging rather
than actual prevention. Symantec logs
files copied to devices, but cannot detect prohibited content within files and
prevent those files from being copied
at all. It’s possible to restrict all drives
to read-only access in the application
control section of the interface. The
fact that this option is located under
application control is one example of
how Symantec’s interface can occasionally be non-intuitive.
Symantec similarly provides a large
variety of alerts, with many filters that
parallel those in its reports. Custom
reports are also easy to set up.
Visibility and Threat Reporting
Symantec’s dashboard is nicely organized and makes it easy to stay abreast
of endpoint protection status and recent threat detections. Particularly appealing is Symantec’s general overview
of your enterprise, showing a red “X”
if action is required or a green checkmark if all is well. If there’s a problem,
Symantec links to the details, but
doesn’t go as far as McAfee or Sophos
to make it immediately correctable.
Reports are easily located under the
reports tab; there’s no need to search
through names that don’t seem to
relate to what you’re looking for, and
it’s easy to pick from a broad range
of predefined reports, which allow for
fine granularity (such as filtering by OS,
protocol, severity, site, domain, and so
Symantec’s threat detection and reporting is generally strong. Although
it did not provide URL-level blocking
to prevent loading of compromised
pages in the first place, when we tested
it with a selection of drive-by downloads, it often relocated dropped files
before exploit code could actually
execute them. And even in some cases
where execution occurred, Symantec
squelched the bulk of the exploit. Its
Although an improvement on previous versions, Symantec’s speed is not
a strength, and it returned average
results overall. It had relatively strong
performance for on-access scans when
opening files or copying large folders, but its performance deteriorated
in low-memory
conditions designed to simulate
everyday user
activity—an area
where Sophos
On the whole, Symantec Endpoint
Security 11.0 is a well-rounded and capable product that will appeal to many
enterprise buyers – that said, buyers
need to consider the shortcomings in
performance and technical support.
Trend Micro OfficeScan ClientServer Suite Advanced 10 SP1
Trend Micro OfficeScan, by itself, offers a simple way to manage desktop
and laptop endpoints. But when you
expand OfficeScan to manage the
diverse array of endpoints using its full
complement of components, the Trend
OfficeScan Suite becomes a tangled
web of complexity.
We found Symantec’s technical support to
be frustrating
and not up to an
adequate standard for busy and
technically skilled
enterprise administrators. The
company ultiTrend Micro’s dashboard shows a lot of information in a single Web-based
mately succeeded console.
in answering our
The OfficeScan client is speedy, and its
questions, but first we had to spend a
use of Trend Micro’s Smart Protection
long time on hold on most calls, and
Network helps protect against today’s
then Symantec engaged in aggressive
Web threats by blocking malicious
gate-keeping: The first representaURLs known to Trend Micro before
tive often couldn’t answer even basic
the malicious content is delivered to
questions, and it took us a while to get
the endpoint computer. To deliver
access to a more knowledgeable repadequate protection, however, the
resentative. Finding Web support for a
Office­Scan suite requires ancillary
specific product is also tricky because
components for firewall and behavof Symantec’s large product selection.
ioral protection, reporting, and server
protection—a confusing proposition
that will test the patience of many
Installation and Configuration
The full OfficeScan installation with
all of its components is an involved
process—more so than a simple record
management is performed through
OfficeScan domains (which are distinct
from Active Directory domains), but
all computers within an OfficeScan
domain are in a single pool—there’s no
hierarchy—so administrators won’t be
able to organize
computers in flexible and logical
Reporting in the Trend Micro OfficeScan Console is limited to one on-screen
compliance report that can’t be sent by e-mail or exported to a file.
As in installation,
Trend Micro’s
component model
adds complexity to management because it
lacks sufficient
integration. The
new Intrusion
Defense Firewall
must be managed
separately. For
server protection, Trend Micro
offers ServerProtect, which is not
managed at all
of steps and elapsed time adequately
indicates. The product’s component
model allows for add-ons from Trend
Micro or partners, but for administrators concerned with initial deployment,
it just adds conceptual complexity.
Some of the product’s components,
such as ServerProtect for server endpoints, require separate installation.
A reporting component is not part of
Office­Scan, requiring yet another piece
of software to specify and install in
most environments.
through OfficeScan.
To add to this complexity, Trend Micro
is changing its firewall strategy, transitioning from the native OfficeScan firewall to the Intrusion Defense Firewall—
a completely different product. Even
Trend Micro’s own technical support
found it challenging to provide clear
insight to our firewall-related questions.
Visibility and Threat Management
Policies and Management
Trend Micro’s policy management
doesn’t feel fully developed. Policy
Data Protection
Trend Micro includes device control
but no data loss prevention. Setting up
a policy is easy and requires little navigation of the interface: just select from
a few drop-down options. Trend Micro
supports fewer classes of devices than
other products we tested, but offers a
broad set of options to control each
class of device—restricting it to readonly, read-and-execute, and so on.
Trend Micro has a useful and wellorganized dashboard that shows status
of software and signature updates.
But it provides very few alerts—just
detection of virus or malware, virus or
malware detected and not cleaned,
and outbreak. The product’s interface
emphasizes events and log information rather than task-oriented goals; we
found it insufficient to give a comprehensive view of an enterprise’s protection status. It also lacks reporting; if
you want reporting, you need to install
a separate product, Trend Micro Control Manager, on a separate server. We
installed Control Manager and found
it to be little more than a log analysis
A strong aspect of Trend Micro’s threat
management is its extensive use of
URL-based blocking capabilities on
clients in addition to traditional filebased blocking. During Web browsing, Office­Scan contacts Trend Micro’s
Smart Protection Network, a Web
reputation database of potentially malicious URLs. Trend Micro also added
behavioral monitoring in OfficeScan 10
Service Pack 1.
Trend Micro’s performance was unremarkable and mixed—consistently
better than McAfee but not usually
as good as the overall performance
leader, Sophos. Trend Micro’s performance in low-memory on-access and
on-demand scans (simulating a large
number of open applications) held
up well to its performance with full
Technical Support
Our experience with Trend Micro’s
technical support was only fair. Wait
times were long, but once we reached
a representative, he or she was able to
answer questions effectively and escalate issues quickly when necessary.
We found that some of the confusion
in Trend Micro’s product positioning
leaked through to its technical-support
staff. In our calls, we received conflicting answers about which of Trend
Micro’s two firewall products—Intrusion Defense Firewall or the native
ServerProtect—was recommended.
(We ultimately used Intrusion Defense
The complexity and poor integration of
Trend Micro’s suite, along with limited
built-in reporting and inconsistent
tech support, makes it a less than ideal
choice for most enterprises. Companies
that have the patience to work with
such a cumbersome product infrastructure will see solid performance and
good URL-based Web-threat blocking,
but adding all the components to the
mix ultimately invites difficulty which is
not ideal when you are trying to build
a strong threat defense for your business.
How We Tested
Cascadia Labs aims to test products in
meaningful, comparable, and reproducible ways. For areas such as technical support that invariably involve
subjective judgments, we base those
judgments on data we collect as impartially and objectively as possible.
At the time of our testing, companies were beginning to roll out their
patches for Windows Server 2008 R2
and for Windows 7, so we didn’t test
products specifically on either of these
platforms. All products were tested
using Windows Server 2008 servers
and Microsoft Windows XP SP2 client
Installation, Configuration, and
Administration Tasks
To quantify the ease or difficulty of
installing and configuring a product,
and then using various capabilities
on an ongoing basis, Cascadia Labs
counts the numbers of steps required
for a knowledgeable administrator to
successfully complete various specific
usage scenarios. We consider a single
“step” to be any of the following:
•Browsing or navigating to and
opening an application or snap-in
•Opening the management console
•Clicking a button
•Entering data in a form field
•Selecting a checkbox or radio button
•Choosing an item from a menu (one
step for each menu level)
•Responding to a dialog box
•Selecting an item from a pop-up menu
For performance testing, we automated specific tasks to ensure repeatable
results and accurate timings, and we
configured policies to ensure results
are comparable between products.
Typically, this meant enabling exceptions for our automation tools and
leaving most other settings at their
defaults. We ran each individual test
at least three times, restarting from
a clean installation each time, and
averaged the results. We computed
the overall performance ranking by
totaling each product’s results for our
on-access scan, on-demand scan, open
PowerPoint file, and reboot-time tests.
On-Access Scan: Time to copy and
paste a very large folder of non-archive
file types, including Windows system
files, documents, spreadsheets, pictures, PDFs, movies, and music files.
Our on-access tests did not include
compressed or archive files.
On-Demand Scan: Time to complete
a full system scan of an uninfected
computer with default scan settings,
but in all cases configuring products
to scan all files and scan archives. For
on-demand, full-system scans, we
scanned only the local hard drive and
enabled scanning within compressed
and archive files.
Open Large File: Time to open a PowerPoint file (8.7 MB PowerPoint photo
album), demonstrating the day-to-day
performance impact incurred by onaccess scanning components.
We also repeated each test in a lowmemory condition where machines
were reconfigured with only 256 MB of
total system RAM, simulating a typical
desktop system running large numbers
of applications simultaneously. Again,
we ran each of these tests at least three
times and averaged the results.
For these performance tests, Cascadia
Labs used a set of identically configured Dell desktop PCs with Intel Core
2 Duo E4500 2.2-GHz processors, 2 GB
RAM, 160 GB hard disk, and Microsoft
Windows XP Professional Service Pack
Technical Support
During the course of our testing, Cascadia Labs made several calls to each
company’s technical-support staff with
the explicit goal of evaluating their
troubleshooting capabilities. We played
the role of a typical IT staff member
with no special perks. We recorded
length of wait time before a vendor
answered our call; how long it took to
get what we needed once on the call
and whether the first representative
was able to answer our queries; and
how well tech-support personnel were
able to answer more difficult questions. We also noted whether the first
representative was able to answer our
questions or whether escalation was
Independent evaluations of technology products
Contact: [email protected]
This comparative review, conducted independently by Cascadia Labs in December 2009, was sponsored by Sophos.
Cascadia Labs aims to provide objective, impartial analysis of each product based on hands-on testing in its security lab.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF