If you work in IT, it is only a matter of time before you are pulled into a group trying to figure out which EPP (Endpoint Protection Platform) security software to buy.
The trend today is to get away from signature-based AntiVirus, which is great at stopping last week's viruses. Most companies want/need a Next Gen AntiVirus product (Carbon Black Defense, Invincea/Intercept X, or Cylance) because those products evaluate the BEHAVIOUR of the computer rather than matching file signatures. For instance, it is a rare day that a user's process legitimately needs to encrypt hundreds of files in a row, so software like Carbon Black Defense will block a process that starts mass-encrypting files without authorization.
I have gone through this process numerous times over the last 20 years and have developed the following evaluation grid to help me determine which AntiVirus (Defender, SCEP, Sophos, Trend, McAfee, Symantec…) or Next Gen AntiVirus (e.g. Cylance, Carbon Black, Trusteer, Invincea, Dell Secure…) you should choose.
There is much more to an anti-malware package than just performance, or price, or management. All of these factors must be combined when making a decision. You can easily copy the table below into an Excel sheet and add a column for each product you are considering. Some products will fall off your list before you even test them, simply as a result of failing some key aspect in this grid (e.g. cannot whitelist file names).
All that being said, the most important thing you need to do with any security product is test it in a lab and then in a small production group BEFORE you go live. For the lab phase we highly recommend you download today's zero-day malware samples and run them against an isolated test PC (a VM you can snapshot and roll back, with no path to the corporate network) to see what is blocked and what is not, and then compare what you observed with what the product's console claims it caught.
There are always more options to evaluate than are shown on any list, so add the extra items you care about (e.g. personal firewall, full disk encryption, new features scheduled for the immediate future…).
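To turn the grid into a decision rather than a spreadsheet of opinions, it helps to score each product per criterion and treat the key aspects as knock-outs that remove a product before any further testing. The following is an added example written for this post, not a tool from the article or from any vendor; the product names, weights and scores are constructed sample data, and the criteria keys are hypothetical labels for rows in the grid.

```python
"""Score EPP candidates against the evaluation grid, with knock-out criteria.

Added example: the vendor names, weights and per-criterion scores below are
constructed sample data, not real test results.
"""

# Grid criteria: importance weight (0-5) and whether failing it removes the
# product from consideration before any further testing.  Hypothetical weights.
CRITERIA = {
    "whitelist_filenames":        {"weight": 5, "must_have": True},
    "local_admin_cannot_disable": {"weight": 5, "must_have": True},
    "vss_deletion_detection":     {"weight": 4, "must_have": False},
    "rtlo_protection":            {"weight": 3, "must_have": False},
    "combined_admin_alerts":      {"weight": 2, "must_have": False},
    "performance_hit":            {"weight": 3, "must_have": False},
}

# Each product is scored 0-5 per criterion from your own lab results.
# Constructed sample data for three hypothetical products.
PRODUCTS = {
    "Vendor A": {"whitelist_filenames": 5, "local_admin_cannot_disable": 5,
                 "vss_deletion_detection": 4, "rtlo_protection": 3,
                 "combined_admin_alerts": 5, "performance_hit": 2},
    "Vendor B": {"whitelist_filenames": 0, "local_admin_cannot_disable": 5,
                 "vss_deletion_detection": 5, "rtlo_protection": 5,
                 "combined_admin_alerts": 5, "performance_hit": 5},
    "Vendor C": {"whitelist_filenames": 4, "local_admin_cannot_disable": 5,
                 "vss_deletion_detection": 2, "rtlo_protection": 0,
                 "combined_admin_alerts": 1, "performance_hit": 4},
}


def evaluate(product_scores, criteria=CRITERIA):
    """Return (score_percent, knockouts) for one product.

    A must-have criterion scored 0 is a knock-out: the product gets 0 and the
    failed criteria are returned so the reason is recorded rather than lost.
    """
    knockouts = [c for c, meta in criteria.items()
                 if meta["must_have"] and product_scores.get(c, 0) == 0]
    if knockouts:
        return 0.0, knockouts
    max_total = 5 * sum(meta["weight"] for meta in criteria.values())
    total = sum(meta["weight"] * product_scores.get(c, 0)
                for c, meta in criteria.items())
    return round(100.0 * total / max_total, 1), []


def rank(products=PRODUCTS, criteria=CRITERIA):
    """Rank all products, best first; knocked-out products sort last."""
    rows = [(name, *evaluate(scores, criteria)) for name, scores in products.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, pct, knockouts in rank():
        status = f"{pct}%" if not knockouts else "DISQUALIFIED: " + ", ".join(knockouts)
        print(f"{name:10} {status}")
```

Note that Vendor B has the best raw numbers everywhere except file-name whitelisting, and is still dropped: that is the point of marking a row as a must-have before you see the scores, so that a strong demo does not talk you out of a requirement.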
| Criterion | What to record |
|---|---|
| Hosted Management Console (SaaS) | versus on-prem install |
| Initial Deployment Method | via .exe, .MSI, web-based… |
| Update Deployment Method | via their console, or do you have to push the updates yourself |
| Initial Deployment Requires Reboot | Yes or No |
| Client Updates Require Reboot | Yes or No |
| Frequency of Client Updates | Weekly, monthly, quarterly, random |
| Registered as the AntiVirus in Windows Security Center | Does it play nice with the existing AntiVirus or does it replace it |
| Whitelisting Alerts | Keep the block behaviour but stop sending alerts; not many can do this |
| Corporate Password Protection | Block reuse of corporate passwords on non-corporate websites |
| Injection Protection / Memory Scrambling | Search for ASLR (Address Space Layout Randomization) |
| RTLO (Right-to-Left Override) Protection | Search for "RTLO attack": the U+202E character reverses the displayed file name so `invoice‮fdp.exe` shows as a .pdf |
| Cryptoware Blocking & Zero Days | They will all say YES, but you should download and run some zero-day infection tests in your lab to confirm |
| Java Scanning | Shockingly, not all check Java (e.g. Cylance and Dell) |
| Detect VSS Shadow Copy Deletion | Yes or No; almost all ransomware deletes shadow copies (e.g. via `vssadmin`) so the victim cannot roll back |
| DNS Firewall | Block URLs from a known-bad list; see www.d-zone.ca |
| Sandboxing Apps in a VM | Was very popular but caused many problems; most vendors have dropped this |
| Whitelisting Paths | e.g. `C:\dev-work\*` |
| Whitelisting Paths with Wildcards | e.g. `*\dev-group\dev-work\*` |
| Whitelisting File Names | e.g. `my-internal-app.exe` |
| Deploy by Groups | e.g. hostnames or IP ranges |
| Can the Desktop Agent Be Disabled by a Local Admin | Yes or No (you want No, i.e. tamper protection) |
| Branded User Alerts | e.g. company logo and "call the helpdesk" text |
| Combined Admin Email Alerts | or do admins receive an email storm, which trains IT staff to ignore email alerts |
| Desktop Performance Hit | All will SAY it is minimal; benchmark it in your testing |
| Lag Time Between OS Release and Support | e.g. after Win10 1803 was released in April 2018, how long did it take to support it |
| Corporate PC Version | Yes or No |
| Corporate Server Version | Yes or No |
| Android Version | Yes or No |
| iOS Version | Yes or No |
| Home PC Version | Yes or No |
| Email Support Typical Response Time | 30 mins, 4 hours, next day…? |
| Phone Support, 24 Hours | How much additional cost |
| Phone Support, Local Business Hours | How much additional cost |
| Aggressively Negotiated Price | $???; prices are VERY negotiable regardless of what a sales rep tells you |
| What Was It Called 3 Years Ago | There have been many mergers and acquisitions resulting in new names for old products (e.g. Invincea is now Sophos Intercept X, and Trusteer is now IBM) |
| Forrester Overall Score | Check Forrester ratings and comments |
| Gartner Magic Quadrant Rating | Check Gartner ratings and comments; search for EPP MAGIC QUADRANT |
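Several rows in the grid (RTLO protection, cryptoware blocking, VSS shadow copy deletion) are claims you can only trust after the lab test described above. The script below is an added example written for this post, not something from the article or from any EPP vendor: it is a benign smoke test that exercises three of those behaviours so you can compare what the OS let through with what the product console reports. It drops the standard EICAR test string, creates a file whose name carries the U+202E Right-to-Left Override, and then mass-rewrites dummy files it created itself with high-entropy output, the pattern behavioural engines key on. The stream cipher is a stdlib-only SHA-256 stand-in for whatever real ransomware uses, the file names and sample text are constructed, and shadow copy deletion is deliberately left out because it is destructive; test that row by hand on a VM you can roll back. Run this only on an isolated, snapshotted lab machine.

```python
"""Benign EPP behaviour smoke test for the lab phase (added example).

Runs three checks inside a temporary directory it owns: EICAR drop, RTLO
file name, and ransomware-style mass rewrite of its own dummy files.
Nothing outside that directory is touched.  Use only on a disposable lab VM.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Standard EICAR test string, recognised by every signature engine.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
RTLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE


def displayed_name(filename):
    """Approximate how a bidi-aware file browser renders a name containing
    RTLO: everything after the override character is drawn reversed."""
    if RTLO not in filename:
        return filename
    head, tail = filename.split(RTLO, 1)
    return head + tail[::-1]


def has_rtlo(filename):
    """Detection rule an EPP (or your own script) should apply to new files."""
    return RTLO in filename


def keystream_encrypt(data, key, nonce):
    """Toy counter-mode stream cipher keyed from SHA-256.  Stand-in for the
    real cipher ransomware uses; it only needs to produce ciphertext-like
    writes.  XOR means the same call decrypts.  Not for protecting data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def entropy_bits_per_byte(data):
    """Shannon entropy: encrypted output sits near 8.0, English text near 4-5.
    An entropy jump on rewritten files is one signal behavioural engines use."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def run_smoke_test(workdir, file_count=50, size=4096):
    """Execute the three checks inside workdir and return a result dict.
    A blocked step shows up as an OSError from the operating system."""
    results = {}

    # 1. EICAR drop: a signature engine should block or quarantine the write.
    eicar_path = os.path.join(workdir, "eicar.com")
    try:
        with open(eicar_path, "w") as f:
            f.write(EICAR)
        results["eicar_written"] = os.path.exists(eicar_path)
    except OSError:
        results["eicar_written"] = False

    # 2. RTLO file name: "invoice" + RTLO + "fdp.exe" displays as invoiceexe.pdf
    rtlo_name = "invoice" + RTLO + "fdp.exe"
    try:
        open(os.path.join(workdir, rtlo_name), "wb").close()
        results["rtlo_written"] = True
    except OSError:
        results["rtlo_written"] = False
    results["rtlo_displayed_as"] = displayed_name(rtlo_name)

    # 3. Cryptoware simulation: create dummy documents, then rewrite each with
    #    high-entropy ciphertext in a tight loop and count what got through.
    key, nonce = os.urandom(32), os.urandom(8)
    plain = ("Quarterly report, constructed sample text. " * 100).encode()[:size]
    paths = []
    for i in range(file_count):
        p = os.path.join(workdir, f"doc{i:03d}.txt")
        with open(p, "wb") as f:
            f.write(plain)
        paths.append(p)
    encrypted = blocked = 0
    for p in paths:
        try:
            with open(p, "rb") as f:
                data = f.read()
            with open(p, "wb") as f:
                f.write(keystream_encrypt(data, key, nonce))
            encrypted += 1
        except OSError:
            blocked += 1
    results["files_encrypted"], results["files_blocked"] = encrypted, blocked
    results["entropy_before"] = round(entropy_bits_per_byte(plain), 2)
    with open(paths[0], "rb") as f:
        results["entropy_after"] = round(entropy_bits_per_byte(f.read()), 2)
    return results


def run_in_tempdir(**kwargs):
    """Run the smoke test in a fresh temporary directory that is removed after."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_smoke_test(tmp, **kwargs)


if __name__ == "__main__":
    for k, v in run_in_tempdir().items():
        print(f"{k:20} {v}")
```

Read the result next to the EPP console: `eicar_written` True means the signature layer did nothing at write time (some products quarantine on a later scan, so check the folder again after a minute), `rtlo_written` True with no console alert means the RTLO row is a No, and `files_encrypted` equal to the file count with `entropy_after` near 8 means the behavioural engine never intervened in a mass rewrite it should have noticed.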
Larry Flar · February 14, 2023 at 11:14 am
Very nice write-up on antivirus and anti-malware. I certainly love this site. Continue the good work!