In-depth evaluation of five top-level enterprise endpoint security products

Author: Xiao Li. Source: Security Online. Responsible editor: Zhang Shuai.

Endpoint security has become a top priority in enterprise information security. With viruses and Trojans running rampant, how can an enterprise keep the endpoints in a given area secure? The major information security vendors have all launched endpoint security products, and this article will help readers understand the endpoint security products of vendors including Symantec and McAfee.


Every computer connected to the Internet must be protected by anti-virus software. The number and variety of computer virus threats increase every year, and new virus variants emerge at an astonishing rate.

However, threats to desktop systems come not only from virus attacks but also from Trojans and spyware that can be installed at any time. In addition, not all dangers come from the Internet: an unprotected vendor's laptop may spread malicious programs directly inside the enterprise, and a disgruntled employee may use a USB portable device to steal company secrets. Security applications must therefore protect the desktop system from both internal and external threats.

Because protecting user devices and endpoint systems is so important, I decided to test five top-level enterprise endpoint security products:

· Check Point Endpoint Security, Secure Access Edition;

· McAfee Total Protection for Endpoint 4.0, from security software vendor McAfee;

· Endpoint Security and Control, from anti-virus developer Sophos;

· Symantec Endpoint Protection 11;

· Trend Micro OfficeScan Client/Server Edition 8.0.

All five products performed well in the author's test lab and handled their anti-virus and anti-spyware duties without fault. However, beyond the effectiveness of their virus and Trojan protection, they must also be evaluated on other factors. I tested their ease of management, the performance of updates and client management, and the feedback they give on the security and health of enterprise systems. I also considered operating system support, platform support and other factors.

Check Point Endpoint Security, Secure Access Edition

Check Point's Endpoint Security Secure Access Edition is a comprehensive client security suite designed for Windows users. The package includes anti-virus, anti-spyware, a desktop firewall, NAC, program control and a VPN client. The browser-based management console is simpler than the management process of McAfee's Total Protection product, but not as intuitive as Trend Micro's OfficeScan. Check Point's report engine is very useful, and it conveys the network security status without overloading the reader with information.

I installed Endpoint Security on a virtualized Windows Server 2003 server and had no trouble installing the other related applications. The Endpoint Security management platform runs on Windows Server 2003 or on Check Point SecurePlatform (Check Point's Linux-based version). Unlike McAfee and Sophos, the Endpoint Security client supports only Windows 2000 Pro (SP4), Windows XP Pro (SP2) and Vista Enterprise Edition.

At peak, the Endpoint Security management platform consumes more than 350 MB of RAM (mostly for the network engine and Tomcat), but it has little impact on the server's CPU. The client's RAM consumption is about 102 MB both when idle and during a manual scan, while CPU usage rises from 10% to about 55% during the scan. As I expected, Endpoint Security smoothly detected, captured and handled all the virus threats.

In addition to Check Point's own anti-spyware technology, the Check Point protection engine also uses anti-spyware and anti-virus technology licensed from Kaspersky Lab. This two-pronged approach uses signatures and heuristics to detect potential risks before a virus compromises the system.

Unlike several of the other products, Endpoint Security requires administrators to install the client using traditional software distribution methods or a shared location; there is no push deployment from the Endpoint Security dashboard. For enterprises that already run a Check Point firewall, the vendor offers an interesting way to install the client: the administrator can require users to install it before they are allowed to use the Internet.

In Check Point's policy layer, each policy divides networks into a trusted zone (the local network) and an untrusted zone (the Internet and all other networks), with a different level of data access for each. The client firewall comes with preset rules, and it is easy to customize them to your needs. Application software control gives IT departments control over programs. Each policy also includes "enforcement settings", which is Check Point-speak for NAC.

The application access engine allows or denies the execution of client and server programs, which makes the system easy to manage. This whitelist service lets administrators create logical groups of applications, such as browsers and e-mail clients, and decide whether each program may run. To stop browsers from running on the test client, I only needed to add the relevant executables to the browser group and set the group to deny access. I found this operation simple and powerful.

At first glance, Check Point's report engine seems thin, with too few reports and graphical tools. On closer observation, however, Check Point's simplified report engine is a welcome change compared with the information overload of Symantec's endpoint protection tool. Three major report categories (endpoint monitoring, endpoint activity and infection history) are carefully prepared so that the status of each endpoint can be viewed quickly. The detailed infection history list goes back two weeks.

Check Point's Endpoint Security Secure Access Edition is a fine combination of endpoint protection and flexibility. I really appreciate the fine-grained control defined within each policy, and the concept of trusted and untrusted zones adds a further layer of security. Its main limitation is that client operating system support is restricted to Windows; the product offers no installation support for other platforms.


McAfee Total Protection for Endpoint 4.0

McAfee Total Protection for Endpoint 4.0 bundles anti-virus, anti-spyware, host intrusion protection and network access control. These functions are tied together in the ePolicy Orchestrator (EPO) 4.0 management console. The console was upgraded in a previous version and features a fully restructured report engine that helps administrators create many customized reports. Total Protection supports not only Windows but also other commonly used operating systems.

When I first encountered McAfee's Total Protection for Endpoint, I had an early release whose installation was a script-driven production that would have made Cecil B. DeMille proud. Fortunately, the release version is just a simple installation program: unlike products with special database engine requirements, it installs directly. When installation completes, the system is up and running, waiting for the user to log on to the various function packages and download the various updates.

I very much like Total Protection's support for different operating systems. From EPO you can configure and manage policies on all 32-bit Windows platforms (including NT 4.0 with SP6a), 64-bit Windows, Novell NetWare, Linux, Mac OS X, Citrix MetaFrame 1.8 and XP Tablet PCs. As with the Sophos and Symantec products, I found that being able to manage different enterprise system versions from a single console is a great improvement.

Unlike Check Point Endpoint Security, Total Protection offers two ways of deploying the EPO agent. I could select a system from the Lost & Found group, push the EPO agent directly to my test system and click the Deploy Agent button. EPO can also synchronize with Microsoft Active Directory to add new systems to the list automatically. EPO can continuously monitor the local network for unknown systems, which simplifies identifying and upgrading unprotected systems.

Assigning and defining security policies in EPO is not as intuitive as in the other packages. Although EPO provides views by group, user, system, policy and other types, it is difficult to see how policies are distributed.

McAfee Total Protection for Endpoint is just what its name implies: complete protection for the client. VirusScan Enterprise and McAfee Anti-Spyware provide two scanning methods, real-time and on-demand, to protect the client against viruses and spyware. Whether dealing with problematic websites or infected files, Total Protection is outstanding at identifying and capturing system risks.

Total Protection uses a single scanning engine. An on-demand scan uses only 37 MB of RAM. The average CPU usage is 100%, and the peak value can reach. Host Intrusion Prevention provides application blocking, a client firewall and protection against common IPS problems such as buffer overflows and the loading of known malicious programs. Like Trend Micro's intrusion prevention firewall, it lets IT departments create rules based on traffic types and definitions. Application blocking support is also good, but it lacks the fine-grained configuration of the Check Point product: the administrator is limited to allow or block options for each defined application.

The report module is a highlight of McAfee Total Protection. With this release of EPO, the report service was reorganized so that administrators can create custom reports and attach them to the console for easy monitoring. In fact, EPO lets administrators create multiple console modules based on group-related reports. The number of predefined reports is amazing, and I could quickly and conveniently create new reports from the different templates.

Total Protection is a comprehensive endpoint security package. The author believes the enhanced report function in EPO is very powerful, and the single-engine virus and Trojan scanning runs well. Its broad platform support also suits most large enterprises. The biggest problem is that it is very difficult to see your own policies and to know how a policy is allocated to each group or client.


Sophos Endpoint Security and Control

Sophos's Endpoint Security and Control suite integrates virus and spyware protection, a client firewall, application control, host intrusion protection and network access control. In addition, its intuitive browser-based management platform performs well.

Installing the Sophos Enterprise Console on the virtualized Windows Server 2003 test platform went very smoothly. Like Trend Micro's OfficeScan, it does not use many server resources: only MB of RAM is needed to log on to the console with the IE browser. During installation I chose to install MSDE on the server; administrators can instead choose to use an existing Microsoft SQL Server.

Deploying the Sophos client to a user's desktop is a push process driven from the Enterprise Console. Find New Computers lets the administrator choose whether to import the computer list from Active Directory or to perform a network scan based on a network range or an IP address list. I chose Active Directory import, and I encountered no problems installing the full client on the test systems.

Endpoint Security and Control protects not only Windows but also Mac, Linux, UNIX, NetWare and OpenVMS systems, across a wide range of 32-bit and 64-bit platforms. The administrator can manage and monitor all clients from the Sophos Enterprise Console. Like the Trend Micro and Symantec products, Sophos also supports virtual environments as part of the suite.

Sophos is also favored by system administrators for its ability to uninstall any third-party anti-virus program installed on users' desktops. One of my target systems had an endpoint client suite from another vendor, and Sophos completely uninstalled it before installing its own.

Endpoint Security and Control is a comprehensive product integrating various security services, and it lets administrators tailor the protection to internal and external security requirements. The real-time anti-virus and anti-spyware scanners share the same engine and the same virus/Trojan definitions. The endpoint can generate an MD5 hash for each scanned file; if the hash is unchanged on a subsequent scan, Sophos skips rescanning the file to save CPU time.
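The hash-based scan cache described above, as an added example that is not Sophos's code: it stores an MD5 per file and skips the engine call when the hash is unchanged, and it also invalidates the cached verdict when the definitions version changes, a check the text does not mention but that a cached "clean" verdict needs. The ScanCache class, toy_engine and the MARKER bytes are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Constructed marker that the toy engine treats as a signature hit.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def file_md5(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large files are not loaded whole.

    MD5 is what the page describes; a new implementation should prefer
    SHA-256, since MD5 collisions are practical and a cache keyed on a
    colliding hash could reuse a stale verdict.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class ScanCache:
    """Per-path cache of (hash, definitions version, verdict).

    A cached verdict is reused only if the file's hash is unchanged AND the
    definitions that produced it are still current: a 'clean' result from an
    older signature set says nothing about threats added since.
    """

    def __init__(self, definitions_version):
        self.definitions_version = definitions_version
        self._entries = {}
        self.scans_performed = 0
        self.scans_skipped = 0

    def update_definitions(self, version):
        self.definitions_version = version

    def scan(self, path, engine):
        # Hashing still reads the whole file; the saving is the engine call.
        digest = file_md5(path)
        cached = self._entries.get(path)
        if cached and cached[0] == digest and cached[1] == self.definitions_version:
            self.scans_skipped += 1
            return cached[2]
        verdict = engine(path)
        self.scans_performed += 1
        self._entries[path] = (digest, self.definitions_version, verdict)
        return verdict


def toy_engine(path):
    """Stand-in for the expensive signature engine: flags the marker bytes."""
    with open(path, "rb") as f:
        return "infected" if MARKER in f.read() else "clean"


def demo():
    """Constructed walk-through: repeat scan, file change, definitions update."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.doc")
        with open(path, "wb") as f:
            f.write(b"quarterly figures")
        cache = ScanCache("defs-2024.01")
        verdicts = [cache.scan(path, toy_engine)]       # first look: full scan
        verdicts.append(cache.scan(path, toy_engine))   # same hash: skipped
        with open(path, "ab") as f:
            f.write(MARKER)                             # file modified
        verdicts.append(cache.scan(path, toy_engine))   # hash changed: rescanned
        cache.update_definitions("defs-2024.02")
        verdicts.append(cache.scan(path, toy_engine))   # new defs: rescanned
        return {"verdicts": verdicts,
                "performed": cache.scans_performed,
                "skipped": cache.scans_skipped}


if __name__ == "__main__":
    print(demo())
```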

Behavioral Genotyping supplements Sophos's signature-based detection. This behavior engine checks for latent malicious behavior against the existing definitions, helping administrators block new or unknown attacks. Where an attack is a variant of a known virus, as most are, Sophos will detect and block it. Endpoint Security and Control successfully captured and handled every threat I set for it, as expected.

Sophos application control lets administrators create a whitelist of approved applications: you can block specific applications or entire groups, such as remote management tools. In addition to application control, Sophos can block users' access to local storage devices and wireless connections (such as Wi-Fi and infrared), and even block file sharing by applications, to cut off sources of data leakage.

Network access control is managed through a browser UI separate from the Enterprise Console. Predefined policies get the NAC system running quickly, and a wide range of configuration options means the administrator can create a setup that fits any situation.

Administrators will spend most of their time in the Enterprise Console, which is quite different from McAfee's EPO: the console is very simple to operate, and its graphical interface gives an intuitive report of network status. The report engine also performs well; you can click a detected item in an alert report to view details of the threat.

Sophos's Endpoint Security and Control suite is indeed impressive. The management console provides comprehensive enterprise health reports, and its quick policy handling makes reaching a specific policy faster and more convenient. I believe that managing multiple enterprise systems from a single console will be favored by most users.


Symantec Endpoint Protection 11

As one of the world's best-known anti-virus vendors, Symantec has launched its latest product, Symantec Endpoint Protection 11 (SEP). SEP integrates anti-virus, anti-spyware, firewall, intrusion prevention, and application and device control to provide comprehensive security for clients and servers. The centralized management console, Endpoint Protection Manager, gives administrators an all-in-one management tool. The report engine contains a large amount of information, but you must know how to find it.

When I installed SEP on my Windows Server 2003 test platform, I ran into a problem with insufficient disk space, so make sure your management server has enough resources: between the SEP database engine and the other core services it consumes about MB of disk space. Endpoint Protection is the only product in the test whose management console is written in Java. On the client side, memory requirements are modest: only about 10 MB when idle, and less than 55 MB with about 28% CPU utilization during a full system scan.

Symantec Endpoint Protection uses a deployment package that administrators will welcome. If your enterprise has a suitable standard software distribution system, you simply push the executable installation package to unprotected systems or let users install it from a shared folder. SEP can also import enterprise groups from Active Directory to better manage clients.

Like McAfee and Sophos, SEP supports not only 32-bit and 64-bit Windows but also 32-bit and 64-bit Linux, Novell Open Enterprise Server and VMware ESX. Unlike Sophos, SEP does not currently support Mac operating systems.

The core of Endpoint Protection is its anti-virus and anti-spyware detection engine. SEP uses a single protection technology that includes multiple scan engines to detect viruses and Trojans. SEP intercepts files as they are copied or created and sends them to the scanning engine.

Similar to Sophos's Behavioral Genotyping, Symantec's TruScan proactive threat scanning protects clients from unknown risks by monitoring program intent. TruScan can detect and log potential spyware instances for administrator review. It can also monitor suspicious commercial applications and remote-control applications; administrators can log, ignore, terminate or quarantine these programs.

The firewall engine in SEP is first-class and provides excellent control over protocols, ports and applications. The default firewall rule set is detailed, and a convenient firewall rule wizard helps the administrator create any additional custom rules. The intrusion prevention engine complements the client firewall, but unlike the firewall it is little more than a check box and cannot be customized.

Application control in SEP is not as intuitive as the Check Point Endpoint Security interface. The rule creator has a wide scope and lets the agent check for different situations, such as registry access, process launch attempts and process termination attempts. The application control rule creator uses a wizard-style package to let administrators build rules. The rule engine is very powerful but not very intuitive, and it takes administrators time to learn how to use it.

SEP's report engine is also favored by users for its user-friendly interface. There is a lot of information available to administrators, but because the engine generates so much, it can be difficult to find what you want. In future versions I hope to see interactive reports: for example, I can create charts of attacked desktops, but all the detail is in lists, so I must analyze the attacked systems from the list and then drill down.

Symantec Endpoint Protection is a comprehensive security suite whose only defect lies in its report engine. Anti-virus/anti-spyware protection is very reliable, and the wide variety of supported operating systems is another advantage. The client firewall is the best of the group, but application protection management is cumbersome.


Trend Micro OfficeScan Client/Server Edition 8.0

Trend Micro's OfficeScan Client/Server Edition 8.0 bundles all the necessary protection services into a platform that is easy to install and configure. OfficeScan includes anti-virus, anti-spyware, firewall, intrusion prevention and detection, and network risk protection, and it integrates with Cisco NAC 2.0. Administrators manage OfficeScan centrally from their browsers, and the software can also handle multiple user domains.

Installing OfficeScan on the author's virtual test platform took 45 minutes. Server resource usage is modest: the management console (including IE) needs less than 100 MB of RAM. Unlike McAfee's ePolicy Orchestrator, Trend Micro's OfficeScan console is very convenient to operate, and the interface is quite intuitive. Administrators can have clients connect to the OfficeScan server over the network or install the client engine through the management UI.

The OfficeScan client runs on any Windows version up to Windows 2008, including 64-bit Vista. The OfficeScan server supports Windows Server 2000 through Windows Server 2003 and also supports virtualization environments from Microsoft, Citrix and VMware. Unlike McAfee, Sophos and Symantec, Trend Micro's product does not support non-Windows platforms.

The core of the product's anti-virus system is its real-time protection. OfficeScan uses two independent engines to detect viruses and spyware respectively, both relying on signature matching to detect digital risks. Unlike the Symantec and Sophos products, OfficeScan has no behavior-based detection engine for attack detection; one is under development and is expected in the next version.

In my tests OfficeScan detected and blocked all the viruses the author set for it, but had a small problem intercepting Trojans from malicious overseas websites. The software can handle risks according to policy: clean, quarantine or delete. Real-time protection worked well in my tests with low resource usage: CPU utilization of about 50% and 55 MB of RAM during an active scan.

The client firewall included in OfficeScan is a genuine firewall. To define firewall settings, you define a security policy and then assign the policy to user endpoints. The security policy specifies what the firewall does: block internal and external traffic, block all internal traffic, or permit all traffic. Administrators can add exceptions to a policy; for example, they can allow Remote Desktop Connection while denying all other internal traffic. Exceptions can also be defined by protocol, port and IP address.

Embedded in the OfficeScan client firewall is the intrusion prevention firewall plug-in, which Trend Micro offers separately under its own license. The intrusion prevention firewall performs deep packet inspection on all inbound and outbound traffic to help administrators eliminate illegal network traffic. It is a fully functional packet inspection engine that needs no additional RAM and adds no noticeable latency on the network.

OfficeScan is the only product in the test with embedded support for the Cisco NAC protocol. For enterprises that have deployed Cisco NAC, OfficeScan integrates directly with the customer's existing policy server and provides network access control through the existing Cisco Trust Agent.

The report engine is a weakness of OfficeScan. The graphical display of client connections is convenient, intuitive and easy to read, and the update status shows signature and application versions. But unlike McAfee's ePolicy Orchestrator, OfficeScan does not let administrators create custom reports or graphs.

Trend Micro's OfficeScan is a good comprehensive security package for Windows users. The management console has some interface issues, but access to all systems and policies is only a click away. The report function is limited, but the close integration with Cisco NAC is an added highlight.

Summary

Having tested and experienced these five security products, I was pleasantly surprised to find that Sophos Endpoint Security and Control edged past Symantec Endpoint Protection to take the top spot. Sophos's solution offers excellent client platform support and the core services needed to secure endpoints, while remaining easy for administrators to operate. Its comprehensive report engine scored highest among the five products.

