SOLVED: Next Generation AntiVirus – Signatureless Endpoint Protection Product Evaluation

Next Generation Endpoint Protection - Signatureless - Behavior Based

We are constantly telling our customers that traditional anti-virus programs, which rely mostly on ‘signatures’ from previous attacks, will no longer keep a company safe. Attackers are now sophisticated, well funded and often government controlled. This means they rely less on exploiting known security holes and more on developing new ones.

A ‘zero day’ exploit is one that has been developed to take advantage of a security hole but has not yet been used against other companies. It is natural to think that ‘zero days’ are so rare that attackers would only use them on the largest, juiciest targets (like banks and other governments), but that just is not the case.

Gartner Magic Quadrant Next Gen AV

If your company has more than 100 employees or more than $1 Million in sales (not that big), it should be running ‘Next Generation’ endpoint protection software.

These Next Gen tools do not rely on what happened yesterday, the way old-school antivirus does. They are behavior based: they consider the characteristics of each file and what it is doing, things like:

  • is the file digitally signed
  • is it from a region of the world with known issues (Russia, China…)
  • is it trying to obfuscate its name (hide behind a similar file name; e.g. Word.EXE is not a Microsoft program, but WinWord.exe is)
  • is it transferring files outside the company
  • is it talking to a command and control server outside of your company
  • is it trying to copy itself to other computers
  • is it trying to encrypt your hard disk
  • is it trying to launch other programs

Forrester Wave Next Gen AV

These, and thousands of other parameters, are what Next Gen AV products consider.

We recently completed another review of several major Next Gen protection tools and the results are below.

Keep in mind that these companies frequently update their software, so these features and functions will change. The intent of this grid is simply to give you a solid starting point to work from.

Also note that:

  1. we have a full review of Dell Endpoint Security Services Enterprise HERE
  2. we had considerable experience with Trusteer Apex (a.k.a. IBM Trusteer), but that product was ‘sort of’ rolled into IBM BigFix, and then IBM sold BigFix to a company we contacted but could not get information from


| Product | CarbonBlack Defense (Confer) | Crowdstrike Falcon w/ Overwatch | Cylance (Blackberry) | Sophos Intercept X | Malwarebytes 3.0 (Malwarebytes for Business) |
|---|---|---|---|---|---|
| URTech’s Initial Rating | A | A | C | A | B |
| Magic Quadrant / Wave | B | B+ | B- | B+ | B- |
| Behavior or File Characteristics | Behavior | Behavior | File | Behavior | |
| 24×7 Phone Support | Y | Y | Y | Y | Y – Optional |
| Win 10 1903 Support | Y | Y | Y | Y | Y |
| Server 2019 Support | Y | Y | Y | Y | Y |
| Web Admin (SaaS) | Y | Y | Y | Y | Y |
| Path White-listing | Y | Y | Y | Y | Y |
| Dual Wildcard White-list Path | Y | Y – but check | No | Y | Y |
| Remote Delete Files | Y | Partial | Y | No – Need EDR | Y |
| VirusTotal Linkage | Y | Y | Y | Y & Internal | No |
| Can Disable Windows Action Center AV Registration | Gen Y but with Quarantine | Y | Y | Checking | |
| MD5 / SHA White-listing | Y | Y | Y | Y | Y |
| Filename White-listing | Y | Checking | N | Y | Y |
| Email Alert Bundling | Y | Y | Y | Y | |
| Block Access To Web Mail Attachments | N | N | N | ADDITIONAL | N |
| Agent Update Frequency / Year | 2 | Every 2 Weeks | 2 | > 4 / year | Constant |
| Agent Update Requires Reboot | | Never | N | Rarely 1/yr? | Rarely 1/yr? |
| Agent Update Process | Console | Console | Console | Console | PDQ/SCCM |
| Mobile OS | N | Fall 2019 | N | Additional | Separate Product |
| Disk Encryption | N | N | N | Y – Additional | N |
| Agent Alerts | | Y | Y | Y – Customization | Y |
| Sand-boxing | N | N | N | Y | Y |
| Must Replace AV | N | N | N | N | N |
| Pre-Execution Scan | | N | Y | Y | Y |
| Performance Hit | Low | Low | Low | Low | 20mb – .5% CPU |
| Kernel Mode | Y | Y | Y | Y | Y |
| Server Agent | Y | Y | N | Separate | Y – Policy |
| AD Password Reuse Block | N | N | N | N | N |
| Keyboard Encryption | N | N | N | Checking | N |
| Malicious Com Block | N | Partial | N | Partial | Blacklist |
| AV File Inspection | N | N | Just at Install | N | Y |
| Misc | USB Tracking for data theft – Never had a single client data breach | Falcon Complete = Contract Workers inc AIG Insurance Up To $1M For Breaches $100K+ | File Inspection Only – not behavior | | |

  • Blackberry’s acquisition of Cylance brings its future into question
  • Acquired Hitman Pro
  • Just signed large contract with Microsoft
  • Very positive – Solid progress in last 2 years
