When choosing the best endpoint protection for your company, in a very real sense, you are choosing a company to partner with to help manage your company’s security. You are trusting the company to provide you with the necessary technologies to protect your company, and you want assistance available when you require it. You also want the company to evolve alongside cybercrime technologies to provide new technologies in a timely manner. If you suffer a major security issue such as a targeted attack, loss of data or theft, you need to know that you can get one-on-one or even on-site help if needed. For these reviews, we looked at company reputation, years in business, customer base and market share, and malware detection scores. We also compiled information on what kind of endpoints each business security company can protect, the tools it provides for administrators, resource usage expectations and professional services offered. Using the information in these reviews, you can create a list of the top two or three companies to contact for additional information and a customized quote.
Targeted attacks on small businesses are increasing rapidly, as are fines and public-relations nightmares resulting from breaches and data losses. The best endpoint security provides multiple barriers against malware, network intrusions, data loss and theft. The most adept also provide technologies for managing employee-owned devices that often have access to corporate resources to further help administrators protect networks. When considering a new endpoint solution, consider the type and number of endpoints, how it is being hosted (cloud-based endpoint protection, hosted on-site or in a virtualized environment), what management tools are required (on-site, remote, mobile), performance expectations and professional support options.
The reviewed endpoint protection solutions were chosen from a range of global security companies that all have high malware detection scores and a proven ability to protect millions of endpoints. Most offer a range of deployment solutions: software (with updates via the internet) or cloud-based business security hosted by the security company. Some technologies can be hosted in inter-company clouds or from a virtualized environment. Some also offer service provider options for those that want to partner with the security company to provide security to their own clients.
The size of your company does not matter when it comes to endpoint protection; many security companies offer solutions that can secure 10 or thousands of endpoints. To help you make your purchasing decision, read our articles about endpoint protection and reviews of the top security providers: Symantec, whose solution integrates with its award-winning backup technologies; Kaspersky, which provides everything businesses require to centrally manage endpoints as well as many administration tasks; and Sophos, which protects all endpoints – even Windows and Blackberry mobile phones.
Endpoint Protection Software: What to Look For
The best endpoint protection providers offer an efficient management console that can control all endpoints, software deployment and policy enforcement backed by a consistent, proven ability to protect your network from malware. Administrators should be able to use the software to easily manage their networks and to prevent data losses across a range of endpoints that include servers, workstations, gateways, exchange servers and storage devices. The best endpoint solutions create useful performance reports and can manage endpoints regardless of whether they are Windows-, Mac-, Linux- or Android-based.
The best management modules not only control the security software but also include tools to make admins' routine tasks easier to manage. The centralized management console should facilitate software deployment and provide control of remote workstations, tools for organizing profiles and the ability to create customized reports. Using top endpoint solutions, administrators should be able to configure report options, roll out updates, manage patches, detect new endpoints, and audit software and hardware. Most also include remote management tools so admins can instantly remediate issues as they arise, remotely or on site. Capable management tools set endpoint protection apart from standard antimalware software, which is not designed to manage business workstations. Endpoint solutions also enable managers to configure other security measures, such as locking down network access, configuring DLP tools and setting policies for employee-owned devices.
There are two parts to our security criteria. The first is what security features are included, and the second is their malware detection scores. Security features to look at include basic malware detection as well as features to help the admin secure the entire network – such as network access control, email security, gateway protection and remote workstation security. We also looked at a range of detection scores reported by third-party testing organizations. If the provider’s endpoint or business-specific versions have not been tested, we looked at the antivirus and security suite test scores, if available, to get a general idea how well the products may perform in real-world scenarios. In most cases, security companies use the same antimalware databases, heuristics and antivirus engines across a range of products. This year, we also considered the Android device protection scores.
Data Loss Protection (DLP)
We considered the tools available for preventing intentional or unintended data loss. The best endpoint solutions can stop employees from sending blocked files via email, instant chat or internet upload. Most also provide endpoint encryption, which will encrypt files so that even if a laptop or USB drive is stolen, the perpetrator cannot access the data on the device. Other advanced features include the ability to remotely locate laptops and wipe all information off the hard drives to halt potential data breaches. Some also now have the ability to protect corporate information located on employee-owned devices.
Security software's resource usage is a concern for many IT teams, especially those that manage networks with older operating systems and hardware. We looked at a wide range of third-party tests, and used our own tests, to determine a general rating for products' resource usage in comparison with that of other software. We rated each product's resource usage in relation to the industry average. For example, software with a score of +3 runs heavier than the industry average, while software with a score of -3 runs lighter than industry average. These are scores for software running using default settings. Of course, performance depends on many factors, including hardware, system specs and network health. In addition, admins can configure security suites to greatly reduce interference and resource usage.
For an additional charge, some companies offer premium, specialized services such as direct training and implementation support. Many top-tier security companies offer 24/7/365 support, on-site assistance and training, best-practice consultations, and access to a dedicated account manager. Targeted attacks and malware issues occur 24/7; therefore, security assistance needs to be alert and available at all times. The most popular companies also support active user forums that IT professionals frequent to provide or request assistance any time of the day regarding real-world use issues. In the forums, you can either search for your topic of interest or pose questions to the worldwide IT community and often receive quick, helpful answers.
Justifying the financial need for endpoint protection these days requires little effort, since one targeted attack can put a small organization out of business. One privacy violation, such as the loss or theft of patient data, can cost a company millions. Many companies that manage medical or financial records have no choice but to enforce strict policy management. Endpoint protection software can make enforcing policy, protecting assets and blocking malware as simple as possible while using the fewest resources (human and hardware) necessary to manage the job well.
If you are looking for a vote of confidence in Symantec’s ability to protect your company, according to Symantec its technology protects every Fortune 500 company. If their IT teams trust Symantec to secure their companies, it's a good bet that it can help you secure yours. In fact, the majority of Symantec’s sales are business products rather than consumer products like many of its competitors. In the past year, it has responded to the increase in targeted attacks on companies and introduced technologies to help protect companies from aggressive attacks that fly right past antivirus software. Symantec provides complete endpoint protection solutions with the ability to protect all types of endpoints, even employee-owned devices.
When we interviewed those in the IT industry about their choice for endpoint protection, they most often named Symantec as their choice. We asked them why they chose Symantec over other solutions, and the commonest response was compatibility. Symantec works well with their other business solutions – including, of course, Symantec’s backup technologies. This endpoint solution can be configured to tightly secure your company to satisfy even the strict compliance requirements mandatory in the medical and financial industries. Symantec supports a variety of platforms, including virtualized environments, and it offers cloud-based security options as well.
Symantec’s business products are not amped-up consumer versions. They are complete endpoint protection solutions that manage everything from gateway protection and email security to network control. Administrators can use them to control user activities, block devices, deploy software, back up servers, protect remote systems and secure mobile phones. There are also data loss prevention tools such as file encryption, file shredders, secure file transfers, file sharing control and remote wiping of devices. Considering that one lost or stolen unencrypted laptop with patient information on its hard drive can cost a medical firm over $1 million in fines whether the information is exploited or not, Symantec is well worth the investment.
The management control panel includes numerous tools to help administrators customize their security and remediate issues quickly. To facilitate speedy implementation of Symantec, it can recognize endpoints and push out client software remotely if desired. It can manage groups for quickly rolling out usage policies, updates and software. Symantec even provides patch management tools, and it works seamlessly with backup solutions. It can perform hardware and software audits, and schedule updates and installs. To help manage updates, it includes a tool Symantec calls the Group Update Provider (GUP), which can be used to manage updates using a dedicated server or PC. Admins can customize how they receive alerts and what types of alerts they want to see. Reactions to threat issues that incite an alert can also be configured to resolve automatically so admins do not have to react to every single incident. Using Symantec, admins can completely lock down their network if needed. It can block devices, downloads, network intrusions, network access, file sharing, website access, application use and more to help limit compliance violations or security breaches. It also includes advanced reporting options to help admins know exactly what is happening across their network so they can quickly identify risks and problem areas.
Symantec successfully identifies most malware, even zero-day threats, and it includes tools for combating targeted attacks that normally bypass standard security software. It performs well in third-party malware tests and provides few false alerts. It includes technologies for protecting all endpoints, including servers, Mac computers, mobile phones, mail servers, gateways, Linux systems and virtual machines. This is also one of the few endpoint security solutions that provides tools for securing the interaction between company networks and employee-owned mobile phones and devices.
This business security company responds quickly to its customers' security challenges. Likely in response to a rather messy security issue experienced by The New York Times in January 2013, security companies have rolled out technologies to combat targeted attacks. Symantec created technologies such as SONAR, Disarm and Symantec Insight to combat zero-day threats and aggressive attacks. SONAR examines more than 1,400 behaviors to identify malicious elements. Disarm protects at the messaging gateway to combat malware delivered in documents. This technology creates safe copies of email attachments so dangerous elements of emails do not make it to the recipient. Symantec Insight analyzes billions of links between users, files and websites to identify rapidly mutating threats. An additional layer of protection it provides is Symantec Critical System Protection. This tool allows admins to block unwanted or unknown activities to limit the opportunity of targeted attacks.
This endpoint protection solution provides the tools medical, financial and research-and-development teams need to secure their sensitive information. Symantec Data Loss Prevention includes basic and advanced tools for controlling data loss and monitoring file activities. Basic tools include file encryption, password protection, access control, file sharing control and laptop wiping. Advanced tools include the ability to manage user profiles, file usage monitoring, leakage alerts, complex reporting and risk reporting. It can also monitor emails downloaded to mobile devices, iPhone and iPad network communications, and interactions with online services such as Dropbox and Facebook. It provides tools suitable for satisfying the U.S. Health Insurance Portability and Accountability Act (HIPAA) and European Union Data Protection Directive.
Resource usage is less of a problem with modern systems with high-end specifications. But limiting interference with users is always desirable. In most third-party tests running using the default settings, Symantec performs without noticeable slowdowns. Of course, Symantec also provides numerous tools to administrators for controlling how Symantec solutions run. For example, it provides resource leveling for low-use scans and scheduled updates. It also includes a feature called Shared Insight Cache, which can share scan information across clients to eliminate redundant scanning of the same shared files. The client side of the software only requires a minuscule 64MB of memory to operate, so it will not interfere with employee production. If you do not have the resources to manage Symantec, a cloud-based version is available, which greatly reduces IT team resource requirements and hardware expenses.
Your IT team likely often works 24-hour days, and so does Symantec. The company provides 24/7/365 service to customers and even on-site assistance if needed. Depending on your service plan, you can opt to have your own account manager and Symantec contact person as well as pre-sale and post-sale security consulting. Symantec provides online and professional training, as well as training support for helping companies educate their employees about proper security protocols. It supports numerous online forums for IT professionals to interact and provide support online with their peers. These forums are extremely active and a good place for quick configuration assistance.
Partnering with an advanced endpoint protection service is no longer optional. Targeted attacks are increasing even toward small organizations and one instance of data loss can put a small company out of business. Symantec supports a robust research-and-development team to create solutions for combating the newest and most cunning malware and cybercriminals to help companies keep their data, network and customers secure. Numerous IT teams utilize Symantec’s security, DLP and backup technologies for their reliability, compatibility and configuration options. We found their endpoint protection solutions to be well thought out, flexible and highly supportive.
When absolute security is mandatory, Kaspersky can help you seal up network gaps to completely protect critical data and endpoints. Not only do Kaspersky products consistently surpass competitors in antimalware tests, but Kaspersky engineers also create technologies to protect against data breaches, employee indiscretions, network hacks and stolen devices. Kaspersky Total Security for Business provides unrivaled internet security. It has technologies to protect all endpoints.
Kaspersky protects more than 250,000 corporate clients worldwide and has the resources to provide on-site assistance anywhere, if needed. Platinum support subscribers receive a dedicated technical support manager, 24/7/365 incident support and an onsite review. Kaspersky Labs provides a wide range of business products, including bundled versions for smaller companies with only a few endpoints to manage.
Some companies administer security casually. However, for other companies, especially those required to secure private medical or financial information, security is obligatory. Kaspersky is not the least complicated security product, but it does provide a high level of security and data loss protection (DLP). As with any security effort, you will have to weigh what you could possibly lose against the cost of the security. If your company must enforce strict privacy policies, one data breach could result in costly fines, which easily justifies the cost of implementing reliable security. Increasingly, products like Kaspersky Total Security are becoming not just protection against doomsday scenarios but necessary to enforce aggressive security against targeted attacks. In the month that we published this review alone, the retailer Target suffered a huge data breach compromising customer data; reports from the U.K. stated that 93 percent of large organizations suffered a security breach in 2013; and The Washington Post was hacked – again – compromising employee usernames and passwords. Kaspersky business products can prevent problems like these, arising from rogue applications and deliberate, targeted attacks.
The Kaspersky Security Center, which is the administration console module, can run on any Windows-based PC or server. The Security Center includes endpoint, mobile device and system management abilities. It provides admins with the tools to pre-emptively combat threats, security breaches, data loss and theft. It can manage policies for multiple platforms, including Windows, Mac and Linux machines. This Kaspersky business security can enhance your protection by also managing application, device and web control to lock down rogue applications, block device access to the network and restrict employees from accessing unsafe (or time-wasting) websites. It can even support BYOD security initiatives. Since many businesses allow employees to access corporate email and the company network using their own devices, this is a critical security need that is often missed. The security solution can manage mobile devices similarly to workstations, in that it can check for security software, push out updates and manage policies.
To assist managers with their other tasks, it includes system management tools. It can create hard-drive images and deploy images for migrations or setting up new workstations quickly. The Kaspersky Security Center can also run software audits, perform software installs (including third-party software) and provide vulnerability reports. It also includes patch management, which can manage Microsoft updates and Kaspersky patches. In addition to managing software licenses, it can monitor hardware devices. The tools provided by Kaspersky in the Security Center combine administrative tasks into one console to help administrators conduct their routine duties more efficiently.
Kaspersky continues to outperform the competition in antimalware tests. This security company is a global leader and persistently develops new tools for combating malware and cybercrime. In numerous AV-Test results, Kaspersky products outperform competitors, and AV-Comparatives reports reliable performance. However, even Eugene Kaspersky himself states that in terms of corporate security, antivirus is a mere 10-15 percent of overall security. Kaspersky Endpoint Security for Business includes additional security features beyond simple internet security, including email scanning, spam blocking, application control, hardware audits, non-Kaspersky software audits, firewall control, Wi-Fi control, antiphishing, terminal and cluster server protection, remote PC security, and proxy server support. It protects all endpoints, including PCs, remote PCs, virtual technologies, file servers, gateways, smartphones, Macs, Linux-based devices and storage devices.
It is not just our opinion that Kaspersky provides capable and competitive business products. Dennis Technology Labs named Kaspersky Endpoint Security for Business and Kaspersky Small Office Security number one for endpoint antivirus in 2013. Also in 2013, SC Magazine gave Kaspersky its Excellence Award for outstanding leadership and achievement in information security and recognized Kaspersky Lab Endpoint Security for Business in the “Best SME Security Solution” category. The company's founder and CEO, Eugene Kaspersky, has also received numerous leadership and “global thinker” accolades. Kaspersky is well respected in the global security industry.
Kaspersky endpoint protection is an excellent choice for those who need to lock down data for compliance requirements or to secure company assets. The features included can block users from sharing files via devices, email and online chat. If smartphones or laptops are lost or stolen, administrators can wipe the memory of critical data (even if the SIM card is changed). In addition, all files and folders stored on memory cards can be encrypted and password protected. Encryption can be managed by policy so that data can be secured automatically. Device controls can block employees from downloading or copying protected files to a USB drive, external drive, disc or other removable media. Device restrictions can even be scheduled to specific rules during a certain time of day. Policies can also apply to remote PCs and Macs to secure mobile workforces.
To meet the demand for BYOD protection, Kaspersky provides mobile security. For full control, as with company-owned devices, it can manage applications and provide theft protection. One way it can support employee-owned devices is by containerization: It can set up secure containers to separate personal and corporate data. Kaspersky mobile security will manage encryption, limit application access to the container, manage data restrictions and perform remote troubleshooting. All mobile device management features are accessible via the Security Center.
When configured correctly, Kaspersky security solutions should run effectively without interrupting current business processes. Resource usage used to be more of a consideration before the current generation of computer hardware. Since fast processing speeds are now rather standard, and with the additional ability to schedule when resource-intensive tasks occur, noticeable usage is negligible. Furthermore, Kaspersky products do not rely completely on in-house resources. Instead, they increasingly take advantage of the cloud-based Kaspersky Security Network, which allows the entire installed base of products to share information and helps Kaspersky Labs quickly identify zero-day threats and shore up the entire community of users in short order. Managers can also decide how and when updates and patches roll out to further optimize resource usage.
Kaspersky offers online, on-site and remote assistance. Online assistance includes helpful documentation, user forums, user portals and user manuals. On-site services include deployment and migration assistance as well as training. Remote assistance includes six-month system health checks, implementation and setup assistance, and best-practices support.
If sophisticated yet simple-to-manage security is critical to protecting your company, Kaspersky can provide you with the tools to protect your endpoints from malware, data loss and theft. Kaspersky Labs, led by the tenacious Eugene Kaspersky, aggressively introduces technologies to combat emergent threats. Kaspersky engineers also understand that total security includes much more than antivirus software, and have bundled technologies into this package that protect against employee indiscretions, device theft, data sharing, network hacking and BYOD risks. Kaspersky Total Security for Business provides dependable protection and numerous tools for administrators to manage not only security assurance but also routine tasks.
Sophos operates out of dual headquarters located in Oxford, England and Boston, and it now protects 100,000 businesses and 100 million users in more than 150 countries. Sophos' roots are primarily in business security. For the purpose of this review, we selected a Sophos software product that includes a long list of endpoint-protection tools: Sophos Complete Security Suite. It includes internet security, application and device control, data protection, encryption tools, mobile protection, Exchange server protection and network access control. It can filter emails and web activity, utilizing either a virtual appliance or a hardware appliance.
Regardless of your company's size or the type of security it requires, Sophos provides a solution. Sophos Complete Security Suite provides endpoint protection for Unix, Linux, Exchange and SharePoint servers, as well as iPhone, iPad and Android mobile phones. It can also protect Windows, Apple and virtual machines through a single management console. The management console can manage policies, applications, devices, reports, logs, web filtering, network access, patch assessments, profiles, software deployment, firewalls and intrusion prevention.
Sophos also offers other security modules, including Unified Threat Management (UTM), which is called Sophos' “ultimate network security package.” UTM provides a high level of security via appliance options or utilizing Amazon Web Services to protect your virtual private cloud. It provides powerful management tools with complex reporting options, policy management, the ability to install VPN clients, remote office management and the ability to control all other Sophos modules. Additional modules include wireless, endpoint, web, web server, network and email protection. The Sophos Complete Security Suite is a capable collection of software, but Sophos does provide other options so you can customize your solutions.
In terms of actual third-party tests of Sophos' ability to protect against malware, it scores in the above-average range. In the latest AV-Test for Sophos endpoint security and control, Sophos recognized 94 percent of zero-day malware and 100 percent of known malware. These results are obtained by running the software in default modes; however, admins can configure the software to increase the level of security. AV-Test also tested Sophos Mobile Security, and it achieved a score of 99.9 percent in its ability to detect malware. As with other endpoints, managers can configure mobile device security options.
To help prevent data loss, Sophos provides a few encryption tools that can encrypt disks, folders, email attachments and files. Full disk encryption includes secure pre-boot authentication, password tools and recovery abilities. If you add the Sophos Email Appliance or Virtual Email Appliance, it will provide email encryption, data loss protection, antispam and antiphishing for the mail gateway. The software can lock and control mobile devices and email access, and remotely lock and wipe data from devices that have been lost or stolen.
Sophos offers numerous support services to help you configure the best solutions to suit your security needs, providing 24/7 English-language support as well as support in German, French, Spanish, Italian, Japanese and Tagalog to support global customers.
Sophos offers a broad range of protection for desktops, mobile devices, gateways and Exchange servers. It can manage complex compliance requirements as well as filtering by policy and appliance. Sophos can protect off-network laptops and PCs to manage remote or traveling workforces. Sophos Complete Security Suite can protect small organizations, or Sophos offers solutions to protect large networks or even private clouds.
Bitdefender develops award-winning antimalware software that consistently outperforms most competing software. This 12-year-old company protects millions of customers in more than 100 countries. Because of its continued dedication to security and innovative products, it is able to deliver competitive endpoint solutions for any size of business.
This internet security company provides a range of business products that include small-business bundles, virtualization security, Amazon Web Services security, standalone products, cloud-based endpoint protection and email security. This year we looked at GravityZone. This is one of Bitdefender’s newer enterprise solutions. It is suitable for enterprises and comprises three services: Security for Virtualized Environments, Security for Endpoints, and Security for Mobile Devices. The mobile security includes tools for securing employee-owned devices.
This endpoint protection solution performs remote installations, administers policies, creates reports and provides alerts for critical incidents. It can manage remote workstations and apply policies to unconnected PCs. It can scan emails, downloads and chat conversations for malware. It also includes a two-way configurable firewall. Administrators can control how employees interact with the internet by applying filters, blocking websites and controlling time spent online. In terms of endpoint and internet security, Bitdefender has it nailed.
Bitdefender products continually perform well in third-party tests and demonstrate their proven ability to identify and remove malware. This endpoint package includes antivirus, website blocking, heuristic technology (B-HAVE), a two-way firewall, email scanning, spam protection and antiphishing. It instantly alerts managers when security threats occur. If internet and email security are primary needs for your company, Bitdefender is capable of providing it. Bitdefender is one of the best at detecting and removing known, unknown and emergent threats.
While Bitdefender excels at internet security, it lacks a few features you need to protect data completely. We could not find tools in the admin manager to lock down file sharing, encrypt files or shred deleted files. However, it can provide secure SSL transfers. If you choose this endpoint protection software, you will want to take advantage of the file-securing tools that Windows provides to secure files.
This software does have the ability to scan files transferred by USB device, disc and email; however, we could not discover tools for blocking file sharing. For example, if an employee absentmindedly or intentionally saved a copy of a critical file to a USB drive or an online storage site, Bitdefender would not block the action, and that information could leave the building and be shared or stolen. However, you can create a rule to block information shared by email using the software's filtering rules. The software also includes identity control tools via rules, which you have to configure. These rules can lock down information such as credit card numbers, names and Social Security numbers.
Bitdefender tends to turn out a range of usage scores from exceptionally fast to average. In our lab, our client-side computers (Windows 7 64-bit / 4GB RAM) did not experience a noticeable slowdown. Updates can be delivered hourly, as Bitdefender releases them, or to decrease usage annoyances, updates can be scheduled for low-use times only. File-server security updates and other endpoint security software updates are also available hourly and may need to be scheduled. The central management console can configure whether the end user needs to react to issues. The least amount of management on the client side usually helps lower irritation and increase adoption rates. Admins can help decrease Bitdefender's resource usage by configuring scans to skip known secure files and websites.
The business security company provides a wide range of standard business support as well as value-added professional services. Standard support includes telephone support by certified team members, online guides, email support, training videos and forums. Value-added professional services include deployment assistance, remote or on-site deployment assistance, and Bitdefender certification training. Services are provided by Bitdefender team members or, in some areas, by local partners.
Bitdefender internet security products hold numerous top positions in our security reviews because they continue to outperform the competition. GravityZone utilizes the same dependable antimalware technology that all Bitdefender products do. In addition to basic antimalware, it also provides innovative technologies for secure cloud computing, virtualization and BYOD. This endpoint security is scalable to thousands of endpoints, and it is ideal for those looking to roll out their security in a virtualized environment.
McAfee Endpoint Protection Suite
McAfee's endpoint protection suites include the ability to manage in-house, remote, virtual and mobile endpoints. The company also offers an endpoint suite for managing Macs. To protect mobile endpoints such as laptops, McAfee provides full disk encryption so that even the information on stolen and lost laptops is secure.
Although you will need to consult the complete list of compatible endpoints for specifics, the software works with Windows-based PCs, Windows servers, Mac computers, VMware, Microsoft Exchange, Lotus Domino, SQL Servers and FreeBSD platforms. McAfee provides a full range of business products; for the purpose of this review, we looked at the Endpoint Protection Suite software version. The company also provides suites specifically created for financial services, health care companies and the public sector.
The ePolicy Orchestrator (ePO), which is the McAfee administration console, can manage most common endpoints, such as workstations, virtual machines, file servers, exchange servers, tablets, mobile phones, clustered servers and employee-owned devices. The McAfee endpoint security suite provides administrators with the ePO, which can control endpoint security, as well as data loss prevention (DLP) tools. From the control console, managers can deploy security software, control devices, manage policies, run reports, push global updates and manage issues. To help administrators save time, the ePO can import active directory containers, detect new endpoints, save permission groups, duplicate tasks, create dashboards and configure automated responses. Security updates can also be throttled to conserve resources when deploying updates.
A few features we looked for, which are not necessarily security related but would help admins secure data, include backup tools. ePO does not manage scheduled backups, so that has to be handled via another method. The software does not perform hardware or (non-McAfee) software audits to log outdated versions, which may introduce security risks. In addition, admins cannot remotely wipe the drives of stolen laptops. McAfee encrypts disks to protect compromised data instead.
To ensure that it has created the correct endpoint package for your business, McAfee offers professional consulting to not only help you select software, but also to assist you with creating policies to best protect your business. The company's professional services also include classroom training on advanced topics, emergency onsite assistance, onsite consultations and a dedicated account manager. McAfee offers support plans ranging from standard business to resident enterprise support.
McAfee provides configurable endpoint protection for all types of endpoints and can manage strict compliance policies that medical, financial and government agencies are required to enforce. The ePO can manage a large volume of endpoints, run complex queries and streamline IT tasks. If your company enforces strict web usage policies and is large enough to have a Windows server to run the admin console, McAfee will be proficient at controlling your endpoint security.
ESET Endpoint Security
ESET's configuration options reduce scan time so it does not unduly interfere with users' workflow, and its agile heuristics technology produces few false positives. ESET has been in the security business for more than 25 years, starting out with the company's well-known NOD32. In 2012, AV-Comparatives named ESET as an Approved Corporate Product. Also in 2012, SC Magazine's readers gave ESET the Reader Trust Award for being the “Best Anti-Malware Management” solution. ESET protects more than 100 million endpoints in 180 countries.
The ESET Remote Administrator can run on any Windows PC or server. It remotely manages Windows, Macs and Linux devices; MS Access; MSSQL servers; MySQL, Oracle and VMware technologies; and mobile devices. It also works with server-side System Health Validator (SHV) plugins and client-side System Health Agents for compliance reporting. It can manage policies and groups, and it has tools that help admins create policies. It monitors all incidents and sends critical alerts via email through the notification manager. The control console can regulate updates and perform rollbacks to previous virus-signature sets if necessary.
ESET uses ThreatSense heuristic malware detection technology to identify threats. It includes technologies for detecting zero-day as well as known threats. ESET software successfully passed all VB100 tests, and it scores well with AV-Test. Android mobile security tests also score high. In addition to basic malware detection, admins can configure the solution to increase security levels by managing policies, locking down file sharing, securing their network, filtering emails and blocking website access.
To help control data loss, admins can manage firewalls, file downloads, encrypted data transfers, applications and mobile devices. Numerous medical and financial companies use ESET to help them meet strict compliance requirements. Admins can control how files download, run and are opened, and transferred files are protected with AES encryption. Devices such as DVDs, CDs and thumb drives can be restricted from connecting to the network.
Although ESET may not be a readily recognized name in the consumer market, it's well known in the IT world. Security products that slow down computers' processors are the bane of many security managers, which in turn angers end users and, in many cases, customers. IT managers report that they see immediate improvement in speed and performance after installing ESET. Experienced IT admins can configure the software to minimize the impact on resources.
Besides speed, ease of use is the benefit IT managers most report. Some even report that they have been able to install the administrator software and begin to deploy client licenses within an hour. ESET provides tools for removing previously installed security software to ready the endpoints for ESET quickly. To help companies make the most of their ESET solution, ESET provides professional consulting, auditing, training and Health Check services. ESET or its trained partners also provide on-site assistance if needed.
Numerous IT consultants and professionals prefer ESET Endpoint Security. It provides dependable performance and uses fewer resources than many of its competitors. ESET runs almost invisibly on the client side, yet provides timely and useful reports to administrators. The ESET Remote Administrator can manage nearly all types of endpoints remotely, including a mixture of PCs, servers and Macs. This security company has more than 25 years of experience and provides a broad range of professional services to help customers secure critical endpoints and manage data efficiently and affordably. However, it has yet to add cloud-based services.
Microsoft System Center 2012 R2
Microsoft System Center 2012 R2, formerly Forefront Endpoint Protection 2010, includes an operation, configuration, data-protection, service and virtual-machine manager, as well as advanced endpoint protection. It provides a single, integrated platform for managing policies, endpoints, software deployment, data-loss prevention and internet security. It can easily utilize existing client infrastructure and is compatible with all Windows operating systems, as well as other server software such as Unix and Linux operating systems. The latest version also includes management tools and security for Macs, Windows phones, Apple iOS and Android devices.
Microsoft documentation recommends this solution to businesses that need to protect 10 or more endpoints. To help keep costs in check, licenses are only required for the number of endpoints managed, and you do not have to purchase additional system center licenses for management servers or SQL server technology. Datacenter edition licenses start out at about $1,300, which covers two VMs per license. Standard edition licenses are $3,607 and protect unlimited VMs per license. The cost is between $20 and $120 for two-year client licenses.
Endpoint protection is just one part of the System Center, which also includes data-protection managers, a unified installer and a virtual machine manager to complete an end-to-end data and security solution. The endpoint protection manager deploys and configures endpoint protection, manages firewall settings, configures antimalware policies, updates antivirus definitions, manages email alerts and creates reports. It manages security protocols such as blocking incoming connections, suspicious downloads and rootkit exploits; monitors spyware; and manages network profiles.
As with most Microsoft corporate solutions, this one is complex and comprehensive. If you are required to enforce strict compliance policies such as those required in the medical, financial and legal industries, Microsoft can manage it. It has strong tools for protecting against data loss, including encryption tools and the ability to remotely wipe the drives of lost or stolen devices. The Data Protection Manager protects files as well as disks and tapes, and it includes recovery tools for SQL servers, Exchange servers, SharePoint, virtual servers and file servers, as well as laptops and PCs. It can even perform bare-metal recoveries.
The proverbial Achilles' heel of this product, like many Microsoft security products, is the Microsoft Essentials (MSE) virus engine. MSE continues to fall behind other security products in malware detection. The most recent AV-Test for System Endpoint Protection related that this Microsoft product only detected 68 percent of zero-day malware and 92 percent of known malware. The other versions do not fare that much better. In most tests, testers use MSE or Windows Defender as the baseline, since many who use Windows add proprietary security software. However, using the Configuration Manager, admins can set security policies to increase their security.
How easy this endpoint protection is to install, deploy and configure depends on the experience of your IT team. If you have a seasoned team, the learning curve is only moderate and they will appreciate how much the software does. However, if your team is inexperienced or managed by, say, the business owner or someone with numerous roles, Microsoft System Center 2012 may take a bit of time to deploy, and basic IT terms and practices will need to be mastered. Although Microsoft recommends this product for those who need to manage 10 or more endpoints, there are solutions available that are much easier for small businesses with limited IT resources to adopt. Or, Microsoft also offers Windows Intune, a cloud-based management solution for managing endpoints, policies, inventory, uploads and more.
If you choose this endpoint protection product, Microsoft provides a full range of professional services that include training, security consulting and on-site assistance. Microsoft tools will help you map solutions, test architecture scenarios and define initiatives. Self-service support includes the TechCenter, the Microsoft Library, Solution Accelerators, TechNet Edge and support forums.
Microsoft System Center 2012 R2 provides effective tools for protecting data and managing endpoints. It is a good solution for businesses required to enforce strict compliance policies and lock down remote, mobile or virtual workstations. It is scalable to protect thousands of endpoints, including servers, PCs, laptops, mobile devices, Macs and virtual technologies. Before you decide whether this solution is applicable to your company, consider your IT resources, the level of protection you require and the number of endpoints you have to manage. System Center is best suited for experienced IT teams in larger organizations.
F-Secure Business Suite
The F-Secure Business Suite includes most modules that businesses need to secure networks, including client, server, email and gateway security. F-Secure consumer products consistently test well in third-party antimalware tests, earning F-Secure Internet Security 2011 the Product of the Year Award from AV-Comparatives in 2011. The company's business security products use the same internet security technology to protect clients. This Helsinki security company offers software and hosted (SaaS) business security products. To match the focus of the other products in our endpoint protection comparison, we evaluated F-Secure Business Suite software.
The F-Secure Business Suite includes:
- Client Security
- Antivirus for Workstations
- Linux Security Client Edition
- Server Security
- Linux Server Security
- Internet Gatekeeper for Linux
- Email and Server Security
- Policy Manager
The Policy Manager is the centralized control module that manages all security licenses, policies, reports and compliance issues. The Policy Manager server can run from most Windows and Linux servers, and the Policy Manager console can run on most Windows-based PCs and servers or Linux-based servers. This security suite also includes a web-reporting tool that can create enterprise-wide reports using a web-based interface. The update server and agent can be configured to automatically update virus and spyware definitions using minimal resources, or updates can be distributed by an F-Secure disc or voluntarily pulled from the F-Secure website.
The business suite includes full endpoint security licenses for clients, workstations, Linux clients, servers, Linux servers, email servers and Linux gateways. F-Secure performs well in third-party antimalware tests. In fact, in numerous third-party tests F-Secure proved to be able to detect 100 percent of the malware test samples. The client-side security version includes web-browsing protection, email scanning, anti-rootkit technology, device protection, antispyware and virus scanning. When laptops are connected to the network, they are quarantined until they are deemed secure. Workstation antivirus security licenses run a bit lighter but include antivirus, antispyware and a host-based intrusion prevention system (HIPS). Server versions protect Windows, Citrix, Microsoft Exchange and Linux servers.
To protect from intentional or accidental data loss, administrators can lock down file transfers by user and control how devices such as USB drives may interact with the network. Admins can also limit which files can be attached and shared via email. F-Secure can encrypt transferred files. We did not see a tool for wiping the drives of lost or stolen laptops, so if you use F-Secure to protect laptops, the files should be encrypted and password protected to limit data loss.
F-Secure products are simple to use and run relatively light. One missing feature, however, is a tool for removing previously installed security software before you install F-Secure. Like most security software, you have to uninstall competing products before installing a new one; if you have to manage thousands of computers, this can be a major undertaking. Many of the top endpoint protection companies provide tools for removing other software, which can save IT resources a significant amount of time. F-Secure does include other convenience features, though, such as the ability to detect new endpoints, interact with Active Directory, manage geographically dispersed endpoints and assign policies by groups.
If you need assistance with F-Secure Business Suite, you can purchase one of three support service packages. Standard support includes telephone and email support. Silver support includes priority telephone and email support plus one checkup call from an account representative. Gold support includes 24/7 telephone and email support, a dedicated technical account manager and one on-site visit per year. Silver and Gold support accounts also include discounted or free antivirus or Internet Security Suite licenses for employees, which can help increase security if members of your team work at home from time to time.
F-Secure provides exceptional internet security with proven performance scores. Most versions run lean and require little interaction on the part of the end users. The F-Secure Business Suite covers the basics in terms of what most companies require for endpoint protection. However, internet security is only one part of overall endpoint security. F-Secure may not have everything necessary if you deal with strict compliance issues with regard to protecting patient or client data. For example, if you type "compliance" into the search tool provided with the Policy Manager user manual, it produces zero results, which reflects the lack of emphasis on compliance issues. F-Secure Business Suite cannot wipe the drives of lost laptops and does not have the ability to manage mobile phones. If you simply require internet security and some data loss protection, F-Secure will work well for you. If you have strict compliance issues or a mobile workforce, you may want to consider another endpoint solution.
Panda Security for Business
Panda Security continues to develop new technologies for combating malware, and it is one of the first security companies to provide cloud-based protection. Panda Security has a wide range of security products for consumers and business that include both software and cloud-based solutions. To fit the parameters of this set of reviews, we looked at Panda Security for Business, which is an on-premise endpoint protection package that includes Panda AdminSecure, Security for Desktops, Security for File Servers and Security for Commandline modules.
Panda AdminSecure can manage endpoints such as servers, PCs, gateways and laptops. This particular security solution from Panda does not include admin tools for mobile phones or Macs. AdminSecure can deploy, install and configure security for any endpoint it manages and includes tools for removing previously installed security software before installing Panda. It includes a centralized quarantine so admins can manage potential security threats and removes new, unknown threats using a tool called SmartClean2. It is compatible with Microsoft's Active Directory, or you can deploy the software with tools such as Tivoli. To help reduce slowdown, Panda can manage incremental updates that are unnoticeable to the end user.
Endpoint solutions are a bit different to test because they include more than internet security, so their antivirus and security suite scores are not necessarily indicative of their business security performance. Endpoint protection also encompasses data loss protection (DLP), policy management and intranet/network security. We could not find a few of the DLP tools we looked for. Part of business security is protecting company information that may be leaked by employees transferring files, stolen laptops, unencrypted file sharing and such. Panda for Business does not include file shredders for completely deleting files, backup tools for saving data from loss due to hardware failure or tools to remotely wipe stolen laptops. Although there are other applications that can do this for you, it is convenient to have them controlled via one administrator's console. Panda cloud-based solutions have tools for wiping data from laptops.
In terms of compatibility, this line of products will run on most Windows operating systems. The administration console works with Windows operating systems including XP, Vista and 7, as well as Windows Server Enterprise 2003 and Windows Server 2008. The desktop client runs on Windows machines as well as Fedora Core, Red Hat Enterprise, Ubuntu, Debian and Mandriva Linux-based OSs. Panda Security for File Servers and Panda Security for Commandline work with Windows Servers as well as a handful of Linux-based servers.
Panda provides a comprehensive line of business products that include cloud-based solutions, protection for Exchange servers, on-premise appliances and protection for Domino servers. The package we looked at, Panda Security for Business, is an on-premise solution that can protect servers and PCs. Panda continues to develop new technologies and especially touts the benefits of its cloud-based solutions, which are scalable to match the needs of large enterprises. Panda related to us that they have customers who use the cloud-based solution to manage more than 75K endpoints. We noticed that the cloud-based endpoint protection tools appear to be more comprehensive than the software version and cost less to implement. Although your specific security needs are unique, we suggest considering Panda's cloud-based solutions, which appear more advanced than their software.
Avast Endpoint Protection Suite Plus
Avast currently protects nearly 170 million devices daily worldwide, mostly for its consumer products. Compared to the larger security companies, Avast is rather small with just over 200 employees, but its products continue to test well in antimalware tests and its market share has exceeded 24 percent, according to Opswat Incorporated. Avast Endpoint Protection Suite provides a web-based console to manage up to 200 users or an application-based console that can manage 30,000 or more endpoints. Avast Endpoint Protection Suite Plus can manage Windows endpoints such as workstations, servers, SQL servers, Exchange servers and SharePoint servers. Avast offers suites in two versions; we looked at the Plus version because it includes email server protection, antispam and firewall protection.
The first missing feature you may notice is that Avast management consoles do not provide security for Linux-based devices. However, if your network is populated with Windows-based machines, that detail is inconsequential. The size of your network determines which management console is most suitable. The web-based small office version is designed for up to 200 endpoints and is intended to be navigable by less experienced IT teams. The enterprise administration module can manage networks of any size and is suitable for advanced IT administrators. Both versions can remotely install software and updates, create reports and manage the security software. However, the enterprise console easily manages complex hierarchies, secures notebook connections and supports advanced reporting.
Data loss prevention (DLP) tools are limited. Primarily, Avast is capable of securely managing incoming data but has few tools for limiting outgoing data transfers. It scans downloads, monitors P2P transfers, controls downloads received via IM and scans email attachments. However, we found few profile tools that limit what employees can send as attachments, or accidentally or intentionally "leak" out of the network. Avast can secure notebooks' interactions with the network, but we did not see tools for protecting data located on stolen or lost laptops, or mobile phones.
Avast internet security products require moderate computer resources. You may notice a bit of a slowdown when you implement them, but nothing like what you may have experienced with some notorious resource-tasking security software. The small business management console is simple to use and can easily manage updates and remote deployment. However, larger companies will need to allocate resources during deployment to remove previously installed security software; Avast does not provide tools for automatically performing that task. Avast does provide tools to help admins set up their endpoint scenarios, though, such as the ability to detect devices using Active Directory, and it will automatically detect new endpoints. It is also easy to create groups and apply group permissions.
Avast Endpoint Protection Suite provides above-average internet security, only uses moderate resources and has management consoles that are simple to use. Avast endpoint protection is compatible with all Windows-based systems and rolls out updates frequently but lightly. However, if your company needs to tightly lock down data sharing or if your network includes Linux-based devices, you will want to consider another endpoint protection company.
AVG Internet Security Business
AVG provides dependable protection against internet and email-delivered threats. AVG Technologies' products consistently earn above-average performance scores, and most are simple to use. The AVG Internet Security Business Edition includes tools for securing workstations, Exchange servers, email servers and remote workstations. This edition is affordably priced, and you can easily purchase two to 200 licenses online.
This endpoint security solution is most fitting for smaller organizations looking to centralize the management of their internet security. However, it is not a suitable choice for those looking for advanced data loss protection or the ability to secure Windows machines and Apple devices or mobile phones from one console. In terms of centralized management, AVG can easily deploy software, scan for compliance, manage firewalls, schedule scans, apply global changes and run reports. AVG security software can easily be deployed directly or by using a script. It does not have tools specifically for backing up storage devices, but it can monitor backup schedules.
In terms of protection, AVG scans emails, files, downloaded files and IM downloads, but it is most suitable for companies that allow their employees open access to the internet. AVG is capable of blocking dangerous sites and phishing ploys; however, it does not have tools for advanced black/white listing or web usage control. AVG Internet Security Business Edition, for the most part, is just a few steps up from having to manage a bunch of individual licenses without a central console. This version has a central console and the ability to protect servers, but it does not include advanced endpoint control or DLP tools. Because this software does not include advanced DLP tools, it would not be appropriate for organizations that have strict compliance requirements, such as those in the financial, medical or legal industries.
AVG performs well with regard to internet security. On average, its products score above and on par with its competitors. AVG's business version includes firewall control, link scanning, and antivirus, antispam and spyware protection. The client-side scans run lightly or in smart mode so that they do not interrupt employees' work.
Although you can find this product in a general search for endpoint protection, we think it is mostly applicable to smaller organizations without strict compliance policies. It excels at providing centrally managed internet security but has few tools for locking down data sharing or encrypting disks. If you are looking for an affordable, easy-to-use tool for managing internet security in-house, AVG Internet Security Business Edition is fitting. However, if you need to enforce strict compliance policies across a broad range of devices, you may want to consider a product capable of that functionality.