2. Endpoint Buyers Guide
It takes more than antivirus to stop today’s advanced threats. Protecting corporate
assets requires a complete security solution that includes anti-malware, host-
based intrusion prevention (HIPS), web protection, patch assessment, application
and device control, network access control, data loss prevention, firewall and other
capabilities. In addition to complete protection you need a solution that’s easy
to install and manage, and that can grow with your needs—saving you time and
ensuring comprehensive protection for years to come. In short, you need an endpoint
protection solution.
Evaluating the many components that make up an endpoint security solution can
be overwhelming. This buyers guide is designed to help. We’ve provided you with
independent research and test results to help you determine your endpoint security
solution requirements and identify the vendor that best meets your needs.
We examine the top vendors according to market share and industry analysis:
Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro. Each vendor’s solutions
are evaluated according to:
ÌÌProduct features and capabilities
ÌÌEffectiveness
ÌÌPerformance
ÌÌUsability
ÌÌData protection
ÌÌTechnical support
1
3. Endpoint Buyers Guide
Product Features and Capabilities
Basic endpoint security solutions include antivirus, anti-spyware, host-based intrusion
prevention and firewall technologies. More advanced endpoint solutions also include cloud-
based protection, device and application control, patch assessment, web productivity
filtering, network access control, data loss prevention and full-disk encryption. Even if
you don’t need these advanced capabilities today, your organization will likely need them
tomorrow, given the increasing complexity of security threats.
When it comes to independent reviews of endpoint solution features and availability, Sophos
and McAfee offer the most complete solutions and Sophos scores the best overall. See our
chart for at-a-glance information, and read the report summaries for more information on
test results by vendor.
Review Sophos Symantec McAfee Trend Micro Kaspersky Lab
Gartner EPP Magic Leaders Quadrant Leaders Quadrant Leaders Quadrant Leaders Quadrant Leaders Quadrant
Quadrant (Jan 2012)
Cascadia Labs Endpoint 4 stars 3.5 stars 2.5 stars 2.5 stars NA
Security for Enterprises
(Jan 2010)
AV-Comparatives Review of 5 stars NA 5 stars 4 stars 5 stars
IT Security Suites
(Nov 2010)
Enex TestLab Usability of Complete Partial Complete Partial Partial
Endpoint Security
(Sept 2011)
2
4. Endpoint Buyers Guide
Gartner Magic Quadrant for Endpoint Protection Platforms (January 2012)
Gartner’s 2011 endpoint security Magic Quadrant, a research tool that rates vendors on
completeness of vision and ability to execute, reviewed 17 vendors. Kaspersky Lab, McAfee,
Sophos, Symantec and Trend Micro were placed in the Leaders Quadrant.
According to Gartner,
“Leaders demonstrate balanced progress and effort in all execution and vision
categories.Their capabilities in advanced malware protection, data protection and/
or management features raise the competitive bar for all products in the market,
and they can change the course of the industry. A leading vendor isn’t a default
choice for every buyer, and clients should not assume that they must buy only from
vendors in the Leaders quadrant. Some clients believe that Leaders are spreading
their efforts too thinly and aren’t pursuing clients’ special needs.”
Cascadia Labs: Endpoint Security for Enterprises (January 2010)
Independent technology evaluator Cascadia Labs tested four top security providers in six
categories: installation, configuration, policies, management, visibility and threat awareness.
Sophos took top scores in performance, data protection and technical support, followed
closely by Symantec, which faltered on support. McAfee and Trend Micro received lower
marks for complexity.
AV-Comparatives Review of IT Security Suites (November 2010)
AV-Comparatives, a nonprofit testing organization, individually tested and provided an
overview of endpoint security solutions. The test evaluated 12 qualities or capabilities,
including ease of installation, Microsoft Active Directory support, user manual and database
support. Trend Micro didn’t perform as well as others in this test, receiving two and three
stars out of five in a number of categories, including ease of installation, default values and
database support. Sophos received a minimum of four stars in every category and five stars
in seven categories, including ease of installation, usability and management, spam, and
Microsoft Active Directory Support. McAfee earned five stars in eight categories but received
only two stars for its website. Kaspersky earned five stars in only five categories, and
Symantec didn’t participate in the report.
Enex TestLab Usability of Endpoint Security (September 2011)
Enex TestLab tested the various feature sets, compatibility and usability of endpoint
security products against five endpoints. Of the six products Enex TestLab evaluated, it
singled out McAfee and Sophos as enterprise-grade solutions largely due to their data loss
protection, device protection and full-disk encryption capabilities. Only these two vendors
had “complete” products, meaning they offer a complete endpoint solution whereas the
other products are missing features. In terms of usability, McAfee had the most involved and
lengthy installation processes, and Trend Micro followed closely behind. Kaspersky, Sophos
and Symantec offer more simplified installation procedures. Of the five vendors, Sophos
came out on top due to the integration of security capabilities in a single package, ease of
installation and deployment, and data protection capabilities.
3
5. Endpoint Buyers Guide
Effectiveness
The primary goal of an endpoint security solution is to prevent malware infection. “As the
anchor solution in EPP suites, the quality of the malware scan engine should be a major
consideration in any RFP,” according to Gartner. However, no antivirus engine can provide
100% protection—even against known threats. You should therefore also consider the
solution’s advanced features, such as behavior detection and HIPS capabilities. Also worth
noting is whether the solution leverages the cloud to deliver real-time signature updates.
Live protection from the cloud means protection against the latest threats with minimal
impact on network bandwidth.
Review Sophos Symantec McAfee Trend Micro Kaspersky Lab
VB100 (Oct 2010) 79.6% NA NA NA 85.5%
VB100 (Dec 2010) 84.2% NA Failed NA 84.4% / 88.3%
AV Test (Jan 2011) 96% / 99.74% 96% / 97.16% 80% / 91.38% 92% / 99.59% 92% / 98.83%
VB 100 (Feb 2011) 90.7% NA NA NA Failed
VB 100 (Jun 2011) 87.9% NA NA NA 94.3%
% represents: VB100 - percent of previously unseen malware detected. AV Test - percent of real infection vectors/prevalent malware detected
VB100: Windows Server 2003 (October 2010)
Virus Bulletin magazine independently tests antivirus products. According to the magazine,
“The VB100 award is granted to any product that passes the test criteria under test
conditions in the VB lab as part of the formal VB comparative review process.” Virus Bulletin
magazine evaluated the ability of 38 antivirus solutions to protect Windows Server 2003.
The recipients of this VB100 detected 100% of known viruses without generating any false
positives. Sophos and Kaspersky earned VB100 awards. VB100 also evaluates ability to
detect unknown viruses and gives a RAP (Reactive and Proactive) score. Sophos earned a
RAP score of 79.6% for Sophos Endpoint Security and Control 9.5. Kaspersky earned a RAP
score of 85.5% for Kaspersky Anti-Virus 8 for Windows Servers Enterprise Edition 8.0.0.495.
Symantec, McAfee and Trend Micro did not submit products to be tested.
VB100: Windows 7 Professional (December 2010)
In December 2010, Virus Bulletin magazine awarded the VB100 to antivirus solutions that
demonstrated an ability to protect Windows 7 Professional. Kaspersky submitted two
products for this evaluation, and both won a VB100. Kaspersky Antivirus 6 for Windows
6.0.4.1212a earned a RAP score of 84.4% while Kaspersky Internet Security 2011 11.0.2.556
earned a RAP score of 88.3%. Sophos earned a VB100 for Sophos Endpoint Security and
Control 9.5.4, with a RAP score of 84.2%. McAfee failed this test. Symantec and Trend Micro
did not participate.
4
6. Endpoint Buyers Guide
AV-Test (January 2011)
The AV-Test, conducted by The Independent IT-Security Institute, evaluates the ability of top
endpoint security solutions to block real infection vectors and prevalent malware. Sophos
outperformed the other vendors in both categories, blocking 96% of real infection vectors
and 99.74% of prevalent malware. Symantec also performed well by blocking 96% of real
infection vectors, followed by Trend Micro and Kaspersky each at 92%, and McAfee at
80%. Trend Micro blocked 99.59% of prevalent malware, followed by Kaspersky at 98.83%,
Symantec at 97.16% and McAfee at 91.38%.
VB100: Linux Ubuntu (February 2011)
This round of comparative antivirus tests by Virus Bulletin magazine focused on Linux
Ubuntu. Much like the tests that Virus Bulletin conducts on other operating system
platforms, it awards the VB100 title only to products capable of detecting all in-the-wild
viruses on both on-demand and on-access modes without experiencing any false positives.
Due to the limited support for Linux from other security vendors, Sophos and Kaspersky Labs
were the only two large security vendors whose products were tested. Kaspersky submitted
two products and failed both tests. Sophos had an average detection rate of 90.7% and
received the VB100 for its antivirus.
VB100: Windows Server 2008 R2 (June 2011)
The June 2011 round of comparative antivirus tests focused on Windows Server 2008 R2.
Kaspersky Small Office Security earned a VB100 with a RAP test score of 94.3%. Sophos
Endpoint Security and Control also earned a VB100 with a RAP test score of 87.9%.
Symantec, McAfee and Trend Micro did not submit solutions for testing.
5
7. Endpoint Buyers Guide
Performance
Performance measures how a security solution impacts user experience and the number
of help desk calls. Ideally, users won’t experience slowdown when a security solution is
scanning their system: during scheduled scans, at boot up or when opening a file.
This should still be the case on a loaded or low-memory system. Strong security
performance can improve IT efficiency and end-user productivity.
Review Sophos Symantec McAfee Trend Micro Kaspersky Lab
Cascadia Labs: Endpoint High scan speeds Solid performance Slow scan speeds Solid performance NA
Security for Enterprises
(Jan 2010)
AV-Comparatives Scanning 2nd 7th 13th 19th 16th
Speeds Test (Dec 2010)
AV-Comparatives PC Fastest vendor tested 14th fastest 10th fastest Came in last at 15th fastest
Mark Tests (Dec 2010) vendor tested vendor tested 20th place vendor tested
Cascadia Labs Report: Endpoint Security for Enterprises (January 2010)
Cascadia’s tests looked at the time required to perform both an on-access and on-demand
scan, and the time required to open a large PowerPoint file. Additionally, the test looked
at the time of scan in a low-memory environment. The tests found Sophos had high scan
speeds for both on-access and on-demand scans, and “disappointingly slow” McAfee results
across the board. Sophos and Trend Micro both did well in low-memory situations, and
Symantec performed solidly overall. Kaspersky was not included in the test.
AV-Comparatives Scanning Speeds Test (December 2010)
This test of 20 antivirus providers measured performance based on six common user tasks
and applied a scoring system to sum the various results. AV-Comparatives awarded Sophos
an Advanced+ rating for excellent performance scores. Sophos tied for second place with an
overall score of 180. Symantec came in at seventh with a score of 177; McAfee came in at
thirteenth with a score of 172; Kaspersky came in at sixteenth with a score of 160; and Trend
Micro came in second-to-last with a score of 143. As part of its tests, AV-Comparatives ran
each endpoint solution on an older system to see if its protection modules loaded before
malware in the start-up folder could execute. Sophos was one of only two providers to pass
the test and whose product launched a scanner early enough to catch malware before it
executed.
AV-Comparatives PC Mark Tests (December 2010)
AV-Comparatives carried out a performance test using PC Mark Vantage Professional Edition
1.0.2 testing suite from FutureMark. The test consisted of several subtests that judged the
speed of file copying, archiving/unarchiving, encoding/transcoding, installing/uninstalling,
downloading, and launching applications. PC Mark used a scoring system to sum the results
of the subtests. With a PC Mark score of 97, Sophos performed the best, second only to a
computer with no antivirus installed. McAfee earned a score of 92, Symantec’s score was 91,
Kaspersky’s score was 90 and Trend Micro came in behind every other vendor tested with a
score of 83.
6
8. Endpoint Buyers Guide
Usability
Usability, which includes installation, configuration, policies and management, impacts the
time you spend on day-to-day security tasks. IT teams need a solution that’s straightforward,
with single-console management, easy implementation, a simple user interface and the
ability to make changes easily. Policies should be flexible, but not too complex so they don’t
confuse or overwhelm. For usability we will review three reports from Cascadia Labs, AV-
Comparatives and Enex TestLab. Read the report summaries and see the at-a-glance tables
for more information.
According to Gartner,
“Reporting capabilities are a significant differentiator of EPP solutions and can make
a significant difference in the administration overhead. Buyers should consider both
‘point-in-time’ reporting as well as ‘real time’ dashboard capabilities.”
Cascadia Labs: Endpoint Security for Enterprises (January 2010)
Cascadia Labs’ in-depth usability report counted the number of hours involved in installation
and configuration, and gave a star rating for ease of management. It also counted the
number of clicks and hours required for basic tasks. Sophos had the fewest number of clicks
and hours needed for installation and configuration. McAfee required the highest, with five
hours and 166 steps necessary to set up the system. Cascadia didn’t include Kaspersky in
this assessment.
In both installation/configuration and day-to-day management, Sophos required the fewest
steps and the least amount of time, while McAfee required the most. Below we examine
each usability component—installation and configuration, policies and management, and
visibility—in more detail.
Installation and Configuration: Steps and time—This test counted the total number of steps
and time required to complete installation tasks. Sophos had the fastest set up time with the
fewest number of steps, with Trend Micro next, then Symantec, followed by McAfee, which
took twice as long as Sophos to set up.
Policies and Management—Cascadia’s report also examined available policies and
management, ranking vendors by simplicity and ease of use. It looked at details such as how
many windows the interface uses, and how policies are created and arranged. Cascadia gave
both Sophos and Symantec a high four-star rating for clear interfaces, and gave Trend Micro
the lowest ranking—two stars for non-centralized management.
According to the report’s authors,
“Sophos keeps everything in one location, so unlike with the Trend and McAfee
products you don’t need to go to multiple places in the interface or bring up
additional menus.”
Visibility: Clicks to view—This report also studied the visibility a solution offers into the
overall security system, and the user’s level of threat awareness, which can enhance
transparency and ease of use. A dashboard should be clear and require few clicks to access
critical information and common actions (e.g., sending an email when a virus is detected).
7
9. Endpoint Buyers Guide
In some cases, solutions don’t offer the full range of features, such as Trend Micro, which
only lets you see out-of-date endpoints. Sophos and Symantec both include a complete
range of dashboard options, leading the pack for this section, with Sophos requiring
the fewest clicks for the most tasks. McAfee follows in third place with some included
functionality, and Trend Micro falls in last place with limited capabilities.
Cascadia Labs: Endpoint Security for Enterprises (Jan 2010)
Review: Sophos Symantec McAfee Trend Micro Kaspersky Lab
Installation and configuration: 93 steps 123 steps 166 steps 107 steps NA
Steps and time 2.5 hours 3.5 hours 5 hours 3 hours NA
Policies and Management 4 stars 4 stars 3 stars 2 stars NA
Visibility: Clicks to view Sophos Symantec McAfee Trend Micro Kaspersky Lab
Out-of-date endpoint 0 0 7 0 NA
Send email on virus detection 7 8 13 NA NA
Application-controlled users 0 5 7 NA NA
Device-controlled users 0 5 NA NA NA
DLP-controlled users 0 NA NA NA NA
AV-Comparatives Review of IT Security Suites (October 2010)
In its Review of IT Security Suites, AV-Comparatives evaluates products’ usability and
management (one score), and ease of installation. McAfee and Sophos earned five stars out
of five for ease of installation. Kaspersky earned four stars and Trend Micro earned three. All
four vendors earned five stars for usability and management. Symantec wasn’t included in
the evaluation.
AV-Comparatives Review of IT Security Suites (Oct 2010)
Review: Sophos Symantec McAfee Trend Micro Kaspersky Lab
Usability and management 5 stars NA 5 stars 5 stars 5 stars
(one score)
Ease of installation 5 stars NA 5 stars 3 stars 4 stars
8
10. Endpoint Buyers Guide
Enex TestLab Usability of Endpoint Security (September 2011)
Enex TestLab evaluated Kaspersky, McAfee, Sophos, Symantec and Trend Micro’s ease
of use. It counted the number of steps required to complete various scenarios. McAfee
and Trend Micro had the most involved and lengthy installations. McAfee came in first or
second as requiring the most steps to complete a given task. For example, specific device
management tasks required a total of 69 steps from McAfee while Symantec (which came
in second for this group of tasks) required 64 and Trend Micro (on the low end in this case)
required 13. Overall, Sophos was considered the easiest to use and was recognized for its
streamlined dashboard.
Enex TestLab Usability of Endpoint Security (Sept 2011)
Review: Sophos Symantec McAfee Trend Micro Kaspersky Lab
Server install 30 steps 43 steps 133 steps 59 steps 18 steps
Endpoint deployment 35 steps 34 steps 81 steps 92 steps 41 steps
Role-based administration 74 steps 176 steps 109 steps 123 steps 56 steps
Maintain protection 28 steps 52 steps 62 steps 37 steps 67 steps
Policy management 49 steps 62 steps 49 steps 38 steps 63 steps
Device management 38 steps 64 steps 69 steps 13 steps 19 steps
Reporting 26 steps 40 steps 61 steps 11 steps 65 steps
9
11. Endpoint Buyers Guide
Data Protection
Data protection technology is becoming increasingly important in today’s distributed work
environment. Introducing encryption and content awareness to the business makes users
more aware of how they handle sensitive data, and impresses upon them the importance
of data protection. Having encryption and data loss prevention (DLP) incorporated in an
endpoint security solution offers a number of benefits, including simplified management and
cost savings.
McAfee, Sophos, Symantec and Trend Micro all offer described content detection (for
example, Social Security numbers), predefined dictionaries and weightings to specific words.
However, Sophos is the only vendor to provide these DLP capabilities integrated into a single
endpoint agent. Trend Micro offers an optional hosted DLP agent as part of its Endpoint
Security Platform. McAfee and Symantec use separate agents and licenses to provide host
DLP capabilities. Kaspersky Lab does not have a DLP offering. And, Sophos and McAfee
provide encryption capabilities in their endpoint protection, while the others do not.
Review Sophos Symantec McAfee Trend Micro Kaspersky Lab
Cascadia Labs: Endpoint Full range of Few DLP options Still fewer DLP options Still fewer DLP options NA
Security for Enterprises DLP options
(Jan 2010)
Enex TestLab Usability Data protection and No data protection; Data protection and No data protection; Data protection
of Endpoint Security encryption capabilities No encryption encryption capabilities no encryption and encryption for
(Sept 2011) smartphones
Cascadia Labs: Endpoint Security for Enterprises (January 2010)
The comprehensive Cascadia Labs report, Endpoint Security for Enterprises (January
2010), examined how security vendors deliver DLP with endpoint security. Cascadia Labs
studied each vendor to determine how many clicks are required to create read-only access
for removable media, and also to implement exception policies for certain devices. And it
measured how quickly an IT manager can block access to a particular dangerous application.
The report found that only Sophos provides integrated DLP in its platform, with a full range
of options for blocking application access, adding read-only access for removable storage
and creating device class exceptions. Symantec follows Sophos with a few options available,
while McAfee and Trend Micro trail them both.
Enex TestLab Usability of Endpoint Security (September 2011)
Enex TestLab examined the features found in six endpoint security products and determined
that McAfee and Sophos offer the most comprehensive endpoint security suites, designating
them as the only enterprise-grade solutions in the report. As the only two solutions to offer
full-disk encryption, McAfee and Sophos provide the most complete data protection. Sophos
offers the added benefit of providing DLP capabilities without adding complexity to its solution.
10
12. Endpoint Buyers Guide
Technical Support
You can hope you’ll never need tech support for your endpoint security solution, but it should
be a key part of any vendor’s product. Tech support requirements are fairly straightforward:
a vendor that offers 24/7 local language support, with knowledgeable engineers answering
the phone and short wait times (if you have to wait at all). Of the five vendors we are looking
at here, only Sophos’ support has been independently audited and approved by SCP. Its 24/7,
follow-the-sun support operations (UK, U.S., Australia) are SCP certified.
Cascadia Labs: Endpoint Security for Enterprises (January 2010)
The Cascadia Labs report, Endpoint Security for Enterprises (Jan. 2010), studied endpoint
security technical support and awarded Sophos four stars, McAfee three, and Symantec
and Trend Micro two stars each for overall tech support. Only Trend Micro doesn’t offer
24/7 tech support. Cascadia called each vendor’s tech support line and experienced the
fastest response time with Sophos (two minute wait time) and the slowest response time
with McAfee (22-minute wait time). Cascadia Labs also determined whether easy questions
were answered by Tier 1 and whether difficult questions were answered by Tier 1. All of the
vendors answered easy questions, but only Sophos and McAfee answered difficult questions
by Tier 1.
Review Sophos Symantec McAfee Trend Micro Kaspersky Lab
Overall rating Four Stars Two Stars Three Stars Two Stars NA
Time on hold (minutes) 2 22 22 16 NA
Answered easy Yes Yes Yes Yes NA
questions by Tier 1
Answered difficult Yes No Yes No NA
questions by Tier 1
Hours of operation 24/7 24/7 24/7 Mon – Fri, NA
8 a.m. to 8 p.m. EST
11
13. Endpoint Buyers Guide
Summary
Endpoint security at its best is complete and simple. It protects your organization from
threats and data loss across all platforms from a single management console. Finding the
right solution may seem daunting, but ask the right questions and look at the research to find
the vendor that can serve your company best. This quick look at the major vendors sums up
how each fared in third party tests in each of the areas evaluated.
Sophos Symantec McAfee Trend Micro Kaspersky Lab
Overall Best Better Better Good Good
Features & Capabilities Best Good Better Good Good
Effectiveness Best Better Good Good Good
Performance Best Better Good Good Good
Usability Best Best Good Better Better
Data Protection Best Better Good Good Not reviewed
Technical Support Best Good Better Good Not reviewed
Evaluating Endpoint Protection: Questions to Ask
Endpoint security solutions claim many different features. To learn if a product satisfies your
minimum required capabilities, start by asking vendors the following questions:
1. Is it easy to implement?
2. Is it easy to manage with a single console?
3. Does it support all of your platforms?
4. Does it offer all of the features required for complete security?
5. Does it offer localized support?
6. What impact will it have on end users?
7. Does it include data protection?
8. Can it ensure compliance?
9. Does it include expert support in the local language?
10. Does it include free upgrades?
11. Does it protect against malware?
12. Does it improve IT efficiency?
13. Does it improve end-user flexibility and productivity?
14. Does it provide web protection where ever your users are?
15. Does it include patch assessment?
12