SOLVED: How To Evaluate AntiVirus and Next Gen Malware Defense EndPoint Protection Products

gartner-epp-comparisonIf you work in IT, it is only a matter of time before you will be involved in a group trying to figure out which EPP (Endpoint Protection Product) security software to buy.

The trend today is to get away from signature based AntiVirus which is great at stopping last weeks viruses.  Most companies want/need a Next Gen Anti Virus product like Carbon Black Defense, Invincia/Intercept X, or Cylance) because they are evaluating the BEHAVIOUR of the computer.  For instance, it is a rare day that files should be in the process of encrypting so software like Carbon Black Defense will block any unauthorized encrypting.

I have gone through this process numerous times over the last 20 years and have developed the following evaluation grid to help me determine which AntiVirus (Defender, SCEP, Sophos, Trend, McAfee, Symantec…) or Next Gen AntiVirus (i.e. Cylance, Carbon Black, Trusteer, Invincia, Dell Secure…) you should choose.

Gartner-Magic-Quadrant-for-Endpoint-Protection-Platforms-2018There us much more to an anti-malware package than just the performance, or price, or management.  All of these factors must be combined when making a decision.  You can easily copy the table from below to an Excel sheet and add columns for each of the products you are considering.  Some will fall off your list before you test just as a result failing some key aspect in this grid (i.e. cannot whitelist filenames).

All that being said, the most important thing you need to do with any security products is test it in a lab and then in a small production group BEFORE you go live.  For testing in a lab we highly recommend you download todays zero day malware and run them against a test PC to see what is blocked and what is not.

There are always more options to evaluate than are shown on any list so add the extra items you care about (i.e. Personal Firewall, Full Disk Encryption, new features scheduled in the immediate future …)

 

Feature

Explanation

Hosted Management Console (SaaS) vs On Prem Install
Initial Deployement Method via .exe, .MSI, web based..
Update Deployment Method via their console or do you have to push the updates
Initial Deployment Require Reboot Yes or No
Client Updates Require Reboot Yes or No
Frequency of Client Updates Weekly, Monthly, Quarterly, random
Registered as the AntiVirus in Windows Security Center Does it play nice with existing Anti Virus or does it replace it
Whitelisting Alerts Keep block behaviour but stop sending alerts -not many can do this
Corproate Password Protection Block reuse of corporate PW on Non-corporate websites
Injection Protection Memory Scrambling Google ASLR
RTLO (Right To Left) Protection Google RTLO attack
Cryptoware Blocking & Zero Days They will all say YES, but you should download and run some zero day infection tests to confirm
Java Scanning Shockingly, not all do check Java (i.e. Cylance and Dell)
Detect VSS Shadow Copy Deletion Yes or No – almost all malware does this
DNS Firewall Block URLs from known bad list – see www.d-zone.ca
Sand Boxing Apps in VM Was very popular but caused many problems – most companies have droped this
Whitelisting Path’s i.e. C:\dev-work\*
Whitelisting Path’s with Wild Cards i.e. *\dev-grooup\dev-work\*
Whitelisting File Names i.e. my-internal-app.exe
Deploy By Groups i.e. Hostnames or IP Ranges
Can Desktop Agent Be Disabled By a Local Admin Yes or No
Branded User Alerts i.e. Company Logo and Call Helpdesk Text
Combined Admin Email Alerts or do admins receive an email storm – causes IT staff to ignore email alerts
Desktop Performance Hit All will SAY is is minimal – benchmark your testing
Lag Time Between OS Release and Support i.e. After Win10  1803 was released in April – how long did it take so support it
Corporate PC Version Yes or No
Corporate Server Version Yes or No
Android Version Yes or No
iOS Version Yes or No
Home PC Version Yes or No
Email Support Typical Response Time 30 mins, 4 hours, Next Day…?
Phone Support – 24 Hours How Much Additional Cost
Phone Support – Local Business Hours How Much Additional Cost
Aggressively Negotiated Price $ ??? – Prices are VERY negotiable regardless of what a sales rep tells you
What was it called 3 years ago There have been many mergers and acquisitions resulting in new names for old products (i.e. Invinica is now Sophos Intercept X, and Trusteer is now IBM)
Forester Overall Score Check Forester Ratings and comments
Gartner Magic Quadrant Rating Check Gartner Ratings and comments – search for EPP MAGIC QUADRANT
Comments
Useful Links

 

Share This With Your Friends Now:
Facebooktwittergoogle_plusredditpinterestlinkedin

Leave a Reply

Your email address will not be published.

Name *
Email *
Website