

Where to Place Your Anti-Malware: Endpoint, Network or Cloud?

Elad Menahem
Elad Menahem is the Head of Security Research at Cato Networks.

A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint anti-malware his company has been using is doing what it should.


Protection that follows the endpoint wherever it goes

Malware prevention and detection at the endpoint is a best practice every company should (and probably already does) follow. There are three main reasons to use endpoint agents:


  1. Endpoints tend to move and leave the network, so even if you run network-based anti-malware, your endpoints are protected only while they are connected to the network.
  2. Endpoints can be infected not only over the network but also through a plugged-in peripheral device (such as a USB drive or camera) that the network never sees.
  3. No anti-malware solution protects against every threat, but because endpoint agents receive constant signature updates (for newly known vulnerabilities), they can also address threats after an infection has occurred.


The disadvantages of an anti-malware agent on the endpoint include:


  • The complexity involved with deployment
  • Updates (clients and signatures)
  • False positive investigation
  • Performance impact on the machine
  • Troubleshooting when it blocks legitimate business applications


In addition, most businesses use multiple platforms (different OSs, legacy solutions, services, appliances) that aren't supported by most anti-malware vendors.


Inspecting traffic in motion before it hits the target

The biggest advantage of network-based anti-malware is that it inspects traffic while it is in motion, before it reaches the endpoint that is the actual target - a defense-in-depth best practice.


Network anti-malware is always connected and usually receives automatic signature updates, which makes it more reliable and secure. In addition, it is platform agnostic: because it sees all traffic, every platform on the network is protected.


The downsides of network-based anti-malware are that endpoints are only protected when connected to the network, and that it’s blind to peripheral devices.


Cloud-based Anti-Malware: the network advantages without the box constraints

On-premise network anti-malware usually runs on an appliance that already inspects the business traffic (next-generation firewall, UTM, secure web gateway).


Enabling the anti-malware capabilities on that box introduces two challenges:


  1. Capacity constraints: the anti-malware engine is a “heavy user” of computing and memory resources. This means that your appliance is now required to do a lot more processing on the same traffic load. The ability to grow (more users or traffic) is limited by the appliance capacity and can be extremely challenging if SSL traffic inspection is required.
  2. Continued maintenance: the appliances’ software needs to be upgraded and patched. This means network downtime, compatibility testing, IT investment and need for skilled resources. The impact is heavier in a multi-site environment.


Cloud-based anti-malware overcomes these appliance limitations: all business traffic is inspected by a managed service in the cloud, regardless of location, which eliminates the need to deploy and configure appliances at each site. A cloud-based service is elastic, and the vendor is responsible for scaling it to meet customer traffic needs. It is also the vendor’s responsibility to keep the service up and running with the latest updates, so customers no longer need to maintain the solution themselves to keep it performing and effective. Finally, mobile users can connect to the service dynamically on the go, so they remain protected even when away from corporate locations.

