Endpoint-Protection Products

Find the best security technology to thwart intruders on your network clients

John Green

December 22, 2008


Endpoint-protection products incorporate various technologies that monitor the common ways in which intruders can compromise a computer system’s functioning and information privacy. Such products include antivirus software, anti-rootkit–scanning tools, client firewalls, and email scanners. (See the web-exclusive sidebar, “Types of Endpoint Protection Products,” for a basic explanation of these product types.) I review a sampling of five endpoint-protection products that incorporate these features to help you decide what will best protect your systems.

ESET Smart Security Business Edition
ESET Smart Security Business Edition includes antispam and firewall features in addition to those found in the company’s flagship ESET NOD32 Antivirus. Smart Security Business Edition features remote administration, local update mirroring (which lets local systems get updates from a local mirror rather than from the vendor, reducing Internet traffic and the load on the vendor’s servers), and the ability to install the product on both servers and workstations.

Smart Security Business Edition comprises four installable components. Smart Security is the antivirus, antispam, and firewall client piece that protects servers and workstations. ESET Remote Access Server communicates with client systems, collecting status information and coordinating scan, update, and configuration requests. You can deploy one or a replicated hierarchy of remote access servers in various locations to suit your organizational structure. There’s a GUI console, ESET Remote Administrator Console, which Figure 1 shows, and finally, threat signature updates, which Smart Security systems can get directly from ESET company servers or from update mirrors that you can configure on Smart Security or Remote Access Server systems.

Smart Security stores configuration parameters in XML files that you create by using the ESET Configuration Editor. Although Smart Security’s components are highly configurable with dozens of parameters, the basic initial configuration pattern is simple.

I used the console to install Smart Security to Windows Vista and Windows XP systems. The console lets you browse the network, drag target systems to a list, select the appropriate installation configuration, and install. Updating a client configuration requires using the Configuration Editor to create or modify an XML configuration file. You apply the update to clients using an update task.

You can easily implement Smart Security’s user-defined groups. Each client can belong to several groups, and you can select a subset of systems to display via the console. Administrators can choose one of three ways to manage Smart Security’s firewall: automatic, based on ESET’s predefined rule set; interactive, in which you create a rule the first time you access a program or IP port; or policy-based, in which you configure the rule set to block undefined communications.

Likewise, you can configure three levels of action when Smart Security detects an infected file: Ask the user to choose an action, automatically take the action earmarked for that threat, or aggressively clean all infected files. Automatic actions don’t delete infected compressed archives that also contain uninfected files; the aggressive option does so.

Smart Security is easy to install and configure. Some users will appreciate the layered configuration approach, which lets you create configuration files that affect only part of the full feature set. The lack of named-policy–based configuration makes more work for the administrator, but ESET will tackle that need in an upcoming release. Smart Security Business Edition is the ticket if you’re looking for an easy setup and support for multiple locations.

McAfee Total Protection Service–Advanced
McAfee Total Protection Service–Advanced includes the features of the standard version of Total Protection Service (server and client antivirus, antispam, and client firewall components, McAfee SiteAdvisor, and Outlook client email scanning) and adds licensing to use McAfee Secure Messaging Service for Small Business, which provides additional antivirus protection and spam filtering. You manage the service using McAfee’s SecurityCenter website, shown in Figure 2, which sends weekly reports and gives you configuration tools and on-demand access to the status of your protected systems.

Protected clients communicate with the Network Operations Center to provide status information and download updates. A feature called Rumor Technology lets computers that lack a direct Internet connection get their updates from another Total Protection Service client. Designed particularly for small organizations or those without an IT infrastructure, this product offers an online tutorial that walks users through the client installation.

The McAfee SecurityCenter status screen shows the number of clients running up-to-date software and provides summaries of filtered email and license usage. Each client computer belongs to a nonhierarchical group, and each computer in a group takes on the configuration defined by the policy assigned to that group. The default policy performs on-access scanning for files (but not within archives), prompts users for an action when it detects potential spyware, and lets users configure firewall rules. Total Protection Service automatically applies policy changes to every client in the assigned groups at the next update interval.

I successfully used the browser/URL method to install Total Protection Service to Windows Vista and Windows XP systems. You can also add antivirus, firewall, and browser protection and choose a policy group for the system to join.

McAfee TPS–Advanced is easy to operate and manage. I recommend it for users who want centrally managed endpoint protection without the fuss of setting up a management infrastructure.

Sophos Endpoint Security and Control 8
Sophos Endpoint Security and Control 8 comprises the Sophos Antivirus engine, Sophos Client firewall, and Sophos Network Access Control (NAC). The Sophos Enterprise Console, which Figure 3 shows, and the Sophos NAC Console provide centralized endpoint management.


Endpoint Security and Control is the only product in this review that incorporates NAC features, such as control over access to USB-based devices. It’s also the only product that lacks built-in email monitoring and spam detection, although you can buy the product bundled with Sophos Email Security and Control. The product also requires a Windows Server OS and Microsoft SQL Server to support its console-management features.

I installed the Enterprise Console on a Windows Server 2003 system with Microsoft SQL Server Desktop Engine (MSDE) in place. A wizard helped me configure the EM Library, which lets you subscribe to, download, and maintain files of updates for Sophos. To distribute the client-update load, organizations with several locations can install the EM Library component on other servers or create a remote network share to hold update files for remote clients. Next, I installed NAC Manager on the management server. The NAC features incorporated with the product include endpoint assessment and quarantine.

From the Enterprise Console, you can add client software for Windows 2000 and later computers after you ensure that the client meets certain prerequisites. You can also run the installation package directly on the client without using the Enterprise Console UI or Endpoint Security server.

Sophos uses policies and named groups to facilitate endpoint management. Policies define how Endpoint Security and Control behaves on managed clients. You need to customize the product’s default policies: the default antivirus policy performs on-access scanning but takes no action when it detects a threat, and the default firewall policy blocks all traffic, so the first task after installing the client firewall on a system is to create a firewall policy. To apply a policy, you drag and drop it on the appropriate groups.

The product has three predefined NAC policies: default and managed for Sophos agent-based clients and unmanaged for guest systems. You can and should edit the managed and default policies, but the unmanaged policy is fixed.

Endpoint Security and Control is easy to install and manage. Its antivirus component supports a broad set of platforms, and the policy-based design automatically keeps client systems up-to-date as policies change. The console-initiated installation feature works well when you can configure target client systems to meet the access prerequisites. The integrated NAC assessment, remediation, and enforcement protection is a real plus, helping you determine whether client systems comply with policies and limiting the network access of noncompliant systems. This product can serve you well, particularly if the NAC features or antivirus support for non-Microsoft systems are important to your organization.

Symantec Endpoint Protection 11.0
Symantec Endpoint Protection 11.0 incorporates antivirus and antispyware components, such as rootkit protection, antispam, firewall, intrusion detection and prevention, USB data-device control, and application control measures. The product includes a management server application, Endpoint Protection Manager, which tracks and coordinates the activities of managed clients and uses either an included database or SQL Server. Symantec Endpoint Protection Console is a Java client application supported by Microsoft IIS on Endpoint Protection Manager.

I installed Endpoint Protection Manager on a Windows 2003 system configured with IIS and used the migration and deployment wizard to deploy the product on the management server. The wizard created a deployment package and ran it on the client. Because the migration and deployment wizard is available only from the management server’s start menu, the push-deployment feature isn’t accessible when you work from a remote console. I completed my testing by running the console on an XP Professional x64 Edition system. The console is attractive and easy to navigate, although I found its performance sluggish compared with a typical Windows GUI.

Each client is a member of a group, and within each group you can define one or more network locations, such as LAN and Home, and can assign configuration policies to each location within a group. You can also divide a group into several administrative domains for distributed management. The location membership can be dynamic within Symantec Endpoint Protection. As you define a location within a group, you can define a characteristic (e.g., an IP address range or VPN client in use) that causes Endpoint Protection to dynamically assign the client to that location and automatically reconfigure the client with the policy for that location.

The product uses six classes of policies: antivirus/antispyware, firewall, intrusion prevention, application and device control, LiveUpdate, and Centralized Exceptions. As I clicked through the policy menu, I was impressed by the variety of configuration options Symantec Endpoint Protection supports. A padlock icon next to most configurable choices lets you determine whether the client system user can alter a particular option. You edit firewall rules from the screen shown in Figure 4. Editing rules is a bit clumsy because you need to select an option from the right-click menu for each field within the rule.

Symantec Endpoint Protection includes these predefined report types: audit, application and device control, compliance, computer status, network threat protection, risk, scan, and system. You can save on-demand reports in .mht format, or you can schedule reports to be emailed to you.

I found Symantec Endpoint Protection’s feature set complete and simple to learn. I was somewhat frustrated with the console’s slow response at times, although the console itself was easy to navigate. I recommend Symantec Endpoint Protection to large organizations with many locations or a mobile workforce that can benefit from the product’s granular configurability.

AVG Internet Security Network Edition 8.0
AVG Internet Security Network Edition combines the antivirus, antispyware, client firewall, email scanning, and web browsing protection found in AVG Internet Security 8.0 with server-based deployment and client-management features. The product provides heuristic and signature-based antivirus scanning, email scanning that supports Outlook and standard SMTP and POP3 clients, and rootkit scanning.


The AVG administrative server has two roles: DataCenter performs all administrative and monitoring activities, and UpdateProxy downloads and distributes updates to managed clients. I installed the admin server on a Windows 2003 system with the default Firebird database, which AVG says can support installations of up to 150 endpoints. You can also opt to use a SQL Server or Oracle 10G database for larger installations.

You use the AVG Network Installer Wizard to set up the AVG endpoint-protection components on network-attached systems. The AVG Admin Console, which Figure 5 shows, is the product’s primary administrative interface. I also installed the console and the UpdateProxy role on an XP system.

The admin server includes web-based status reporting accessed at a custom port. A graphic reports feature lets you schedule or generate information from the DataCenter role’s database with any of seven predefined report templates.

The Network Installer Wizard is your primary tool for AVG installation-related tasks. You use Creation of AVG Installation Script mode to create installation packages to run from a USB drive or network share. Remote Network Installation mode installs AVG to network-attached workstations.

The console supports full remote operations, including running the Remote Installation Wizard, and has a customizable interface. In the stations node you can create named groups to organize and manage AVG client systems, which assume the configuration you define in each group’s shared settings or policies. AVG offers many configurable options that you can either allow or prohibit users from modifying. Firewall policies are separate from the shared settings that govern the other components of AVG. You can create several distinct firewall policies and assign one per group.

AVG 8.0 has a nice feature set and is relatively simple to implement. The lack of named shared settings for nonfirewall components makes it a little harder to configure those components when you have many groups, but the ability to control which settings you want to enforce on the client and which the user can control is useful. On the downside, AVG provides email notifications for just 10 events and only rudimentary reporting. Also, the remote installation features didn’t work well for Vista systems in my test, but direct installation worked, and the console was able to push the configuration out. I recommend Internet Security Network Edition for midsized organizations that are familiar with and like AVG products.

A Tough Choice
I rated all but one of the products I reviewed four diamonds. (AVG Internet Security Network Edition has configuration management and deployment weaknesses that earned it just three diamonds.) ESET Smart Security is a good choice for its ease of implementation and layered XML-based configuration. McAfee Total Protection Service would suit small organizations with limited IT resources. Sophos Endpoint Security shines for its endpoint-assessment NAC feature. And large organizations will appreciate Symantec Endpoint Protection’s configurability and extensive reporting. All things being equal (which they rarely are), Symantec Endpoint Protection earned Editor’s Choice as the best balanced product.
