Antivirus EndPoint evaluation

Leo (asker):

Hi All,

We are using Sophos EndPoint antivirus, but now we have decided to change the product, meaning we have started to evaluate different antivirus products. The reason we are changing from Sophos is because we got hit by the Miner C virus a few times, and Sophos EndPoint and their support were not able to resolve it.

Anyways, we are going to meet a tech and see a live demonstration of Kaspersky. Is that a good product? What others should we try? What questions should we ask them?

Our main needs for an antivirus product are to provide a secure environment to staff, generate reports, lock USB drives, and also manage company mobile phones (wipe/lock if a device gets lost), and exclude or include whitelisting for applications. Is there anything else we should look at or explore in antivirus products?

thanks.
mbkitmgr:

I think the top 3 are the top 3 for a reason.

Symantec
McAfee
Kaspersky

I have mostly Symantec Endpoint Protection Cloud:
  • I like the management console, and the scope of configuration of the policies.
  • The app is lightweight.
  • With a bit of homework it's easy to configure the protection around problematic apps.
  • More importantly, it has meant that the amount of time I spend cleaning up a mess is next to non-existent.
  • For sites where 3rd party software vendors keep turning off locally installed products, I can lock it down to stop them in their tracks.
btan:

Case in point: Miner C was examined by Sophos, so it has the signature to prevent it, but we need to be savvy that AV will not be a silver bullet; in fact there is none. You need to have endpoint security that does host intrusion prevention checks with layers of defence. One critical control is application whitelisting, such as AppLocker in Windows Pro and above.

Sophos Intercept X has that. It has CryptoGuard too. Microsoft has EMET.

Other HIPS would be Symantec SEP. Malwarebytes anti-malware, anti-exploit and anti-ransomware are worth consideration.
Leo (asker):

https://community.spiceworks.com/topic/209370-symantec-12-1-or-kaspersky-final-decision

I see more votes for Kaspersky on the link I posted...
Leo (asker):

@btan, Sophos has the signature for Miner C; it detects it, but it doesn't clean it, and it comes back again, and not once: we got infected with it numerous times. Not only staff but admins were unhappy with it; we had to spend hours cleaning it up. So Sophos has proven to us that we shouldn't renew with them. We had the same experience with Sophos in 4 different countries, and all of them were unhappy.

Malwarebytes is a good option... but it was not able to stop or clean the Miner C virus either, and I agree with you that no antivirus is perfect.

Thanks for your suggestions :-)
No one product will suffice. A good rule of thumb is to have a good UTM, centralized antivirus scanning, a proxy and individual antivirus on each device.

But the best medicine is to educate your users. With all that in place, it takes one idiot clicking on a link in an email, from an unknown and sometimes known source, to take down a network.

Lookout can centrally manage, backup and wipe devices remotely.
Yes, Kaspersky is a candidate, and it has tried and removed the miner, though it may not necessarily be the one that you are facing.
https://forum.kaspersky.com/index.php?showtopic=285355
We've used Kaspersky and find it to be a fine product. I can recommend it. Having said that, we're moving to a different security model and are seriously looking at the Cisco AMP product. The cost, for us, is about the same as Kaspersky. AMP isn't as full-featured a product, so it would depend on what features you need in an AV product. From an AV/AM perspective, my testing has shown that it functions about as well as Kaspersky, and AMP has a great backend if you do get something in your environment, to help you see where it came from, what it did and where it went in your environment.

One thing I did find from testing, and again just AV/AM, is that marrying it, or Kaspersky, with Malwarebytes seriously improved my threat risk. Now I did the testing outside of my normal environment, so in my real world my users would not be able to get to most of these infected sites anyway, but it was enlightening how much protection MWB added to the equation.

As others have pointed out, security cannot just be a one-horse shop. We have email filtering and web content filtering, a firewall, and intrusion detection and prevention as well.

If you're an Office 365 user and are running Windows 10, you might want to look into just using Windows Defender along with ATP. This gives you some of the same features as AMP.
Kaspersky was rated best overall product by a security lab in England a year ago.
Leo (asker):

Hi Guys, thanks a lot for your inputs. I agree with the point that adding layers of security helps; we added Malwarebytes along with Sophos, which improved things a bit, but not overall, as the base product (Sophos) was not good enough.

We are meeting with Trend Micro today; they are going to do a demonstration. I have run up a VM and have received the full version of Kaspersky to trial (with the keys); I will be doing the same with Trend Micro.

Has anyone used Trend Micro? How does it compare with other AV products?

thanks.
Trend Micro is the other product I'd personally veer you away from (but definitely hear out the input of others, as they may have had much better experiences than I). However, I would also take the time to do trials of Symantec and ESET.
Leo (asker):

Thanks, what is ESET?
ESET is an AV and security company based in Slovakia. https://www.eset.com/au/

Their endpoint and server protection security products are both pretty solid in my opinion. Occasional exceptions have to be defined at times, but not more so than with other products. They do have a mobile product, but I've never used it.
Leo (asker):

Hi all,

We have AV demonstrations for Trend Micro, Kaspersky and Symantec. We have installed and are trialing Trend Micro / Kaspersky, and will start trialing Symantec from tomorrow. Out of all 3 I liked Symantec, but I will wait for the rest of the team members for their feedback.

I was trying to find a comparison matrix for all 3 of them, in terms of features and overall reviews, but couldn't find one. Does anyone have information on it?

thanks.
Leo (asker):

Thanks, the report from NSS Labs is $2500 :-) Does anyone have a copy of it? Or just a screenshot of the results page.
It would be hard to justify budget for this report...
Maybe try out Google for this: "EPP Enterprise Comparative Report - NSS Labs", as a best effort.
Leo (asker):

Hi All,
I have been asked to submit a report for 3 AVs: Trend Micro, Symantec and Kaspersky. In the report I am planning to include an AV comparison, scalability, maintenance, cost, and the issues / resolutions we will have when uninstalling the old AV.
Has anyone done a similar report?
Can you please share some ideas on what the main differences in these 3 are? All 3 pretty much do similar things; what things should I highlight as a difference?
Go to the source for each antivirus you are looking at. The companies know their product best. After you have gathered your required data, hit up a few forums for people talking about their experiences with these products; then finally you want some biased/unbiased comparison of all three, which you can find on the internet.

From all that info gathered you can put together your own presentation and draw your own conclusion as to which product you want to introduce to your company... If you ask us, you're definitely getting a biased opinion, because not all of us have used those in every conceivable capacity.
Leo (asker):

I understand not everyone would have used or evaluated those 3; I am just asking what experiences the experts have using any of these products (pros / cons), and for me, I value the opinions of experts here rather than public forums.

thanks.
My $.02 - If you are changing, check out Cylance.
Leo (asker):

Sorry, we have to select one from the 3 I listed.
Thanks
Leo (asker):

Guys, just wanted to share with you the final sales pitch from Trend Micro.
TrendMicro.docx
Thanks for sharing. It is still back to basics on what is a need-to-have vs a good-to-have. One area that it did not mention is device control, though it has application control. The former is meant to restrict the usage of external media and enforce policy over it, on top of Windows GPO native measures.
The Symantec EP Cloud allows locking of USB.
Leo (asker):

Symantec doesn't inform about or look for vulnerabilities relating to Microsoft updates, whereas Trend Micro and Kaspersky do.
Does anyone know how Symantec AV looks for Microsoft update vulnerabilities, or for computers which have missed critical or security updates?
Leo (asker):

And can Cisco AMP replace an endpoint AV? I thought it was an extra layer of protection. It can't replace AVs.
Food for thought?
The common lookout is for CVE vulnerabilities instead of product-specific patches. The vendor will have more of a portal to see the advisories.

E.g. Symantec has the informational Security Center portal instead: https://www.symantec.com/security_response/
For customers, they go through the DeepSight Threat Management System, another portal.
@Leo - It will be good to hear if you have any other further inputs or queries, so as to close this question.
Leo (asker):

I will close off the question in 3 days. I will upload the report I am working on, so experts can review it.
thanks.
Leo (asker):

Hi guys,

I have attached the document for what I worked on; kindly review and share your thoughts if you have time, and then I will close off this question.
Thanks to everyone for sharing their knowledge and experience.
I have removed the costings as they were confidential.
But Trend Micro was the cheapest... and then it was Symantec, and then Kaspersky.
EndPoint-Selection1.docx
Leo (asker):

Thanks for that, I will add these points to the report.
Leo (asker):

Guys, what will be the best way to deploy the new AV to all workstations / servers across the network?
For me the best way to deploy on a domain is via Group Policy.

With Sym AV Cloud I download the MSI, then publish it to the machines. They appear in the management console within a few minutes. As machines are fired back up (say when an employee comes back from leave), the machine is hit with the app. I also like that if I have a need to rebuild a machine, it's one less thing I need to attend to.
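Whichever product is pushed by GPO, the part the thread does not cover is confirming the push actually landed everywhere. The following PowerShell check is an added example, not code from this thread or from any vendor: it asks each workstation which AV products are registered with Windows Security Center, decodes whether the new one is active, and flags machines where the old agent is still registered. It assumes the RSAT ActiveDirectory module, WinRM enabled on the targets, and Windows workstations (the root\SecurityCenter2 namespace does not exist on Windows Server); the OU path is a placeholder, and the vendor names are the ones from this thread.

```powershell
# Added example: post-rollout verification of an AV migration (Sophos -> Kaspersky).
# Assumptions: RSAT ActiveDirectory module, WinRM on targets, workstation OS only.
param(
    [string]$NewVendor  = 'Kaspersky',
    [string]$OldVendor  = 'Sophos',
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
)

Import-Module ActiveDirectory

# productState is a 24-bit value shown as 6 hex digits: the middle byte is 0x10 when
# real-time protection is on, and the low byte is 0x00 when signatures are current.
function ConvertFrom-ProductState {
    param([int]$State)
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        Enabled  = ($hex.Substring(2, 2) -eq '10')
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

$results = foreach ($c in $computers) {
    try {
        # Security Center keeps one AntiVirusProduct instance per registered AV engine.
        $products = Get-CimInstance -ComputerName $c -Namespace 'root\SecurityCenter2' `
            -ClassName AntiVirusProduct -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $c; Status = 'UNREACHABLE'; Detail = $_.Exception.Message }
        continue
    }
    $new = $products | Where-Object displayName -like "*$NewVendor*" | Select-Object -First 1
    $old = $products | Where-Object displayName -like "*$OldVendor*"
    $status = if (-not $new) { 'MISSING_NEW' }
              elseif (-not (ConvertFrom-ProductState $new.productState).Enabled) { 'NEW_NOT_ACTIVE' }
              elseif ($old) { 'OLD_STILL_REGISTERED' }   # old agent not yet removed
              else { 'OK' }
    [pscustomobject]@{ Computer = $c; Status = $status; Detail = ($products.displayName -join '; ') }
}

$results | Sort-Object Status | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path '.\av-rollout-status.csv'
```

Machines that report UNREACHABLE have not proven anything either way; re-run the check for them once they are back on the network, since those are typically the laptops that were off when the policy applied.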
Leo (asker):

We are replacing Sophos with Kaspersky... has anyone done a similar rollout? Project plan and... risks... dependencies?
Leo (asker):

We have to install Kaspersky in 3 different countries... is there a way we can have one console and look at all alerts etc. from one central console?
You probably have to rely on a decentralised security centre in each country. They will deploy the client package and report back status to a central SC or a SIEM that can give you a whole sitpic.

https://www.kaspersky.com/small-to-medium-business-security/security-center
Leo (asker):

How can I delete the quarantined files across 1000 computers for Sophos?
Thanks
Leo (asker):

Hi Guys,
Would disabling Sophos and installing Kaspersky work? The reason I am asking is that we are on a deadline and I don't think we will be able to uninstall on all the machines (manually uninstalling Sophos on around 1000 computers, as there is no automated script to remove Sophos).
Possibly, if you disable the Sophos services.
In the services menu you can look through all the services, and any that start with Sophos can be disabled to limit the functions of the Sophos AV.
https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/10616/how-do-i-temporarily-stop-sophos

Minimally the on-access scanning has to be disabled.
Leo (asker):

Thanks, on that link it says that after running the script to stop Sophos "you'll get a notification from the taskbar icon". Is there a way for it to not appear? Just thinking staff will start to panic whenever they see notifications keep popping up from their taskbar.
Sophos may not allow turning off all the notifications, but it is still worth a try; at most, do some education pitch then.
https://community.sophos.com/kb/en-us/113287
There is a registry setting to turn off the balloon tips, but it also requires testing since it is stated for older OS versions.
https://support.microsoft.com/en-us/help/307729
We have Carbon Black, which can run alongside other AV products. It has been very effective for us and their support has been very good.
Thanks, Leo!