This website uses cookies to ensure you get the best experience on our website.
Please note that by continuing to use this site you consent to the terms of our Privacy and Data Protection Policy.
Accept

Business Security Test 2020 (March – June)

Date June 2020
Language English
Last Revision July 10th 2020

Containing Real-World Protection, Malware Protection and Performance Tests & Product Reviews


Release date 2020-07-15
Revision date 2020-07-10
Test Period March - June 2020
Number of Testcases 767 Real-World
1192 Malware Protection
Online with cloud connectivity checkbox-checked
Update allowed checkbox-checked
False Alarm Test included checkbox-checked
Platform/OS Microsoft Windows

Introduction

This is the first half-year report of our Business Main-Test Series of 2020, containing the results of the Business Real-World Protection Test (March-June), Business Malware Protection Test (March), Business Performance Test (May), as well as the Product Reviews.

Please note that the results of the Business Main-Test Series cannot be compared with the results of the Consumer Main-Test Series, as the tests are done at different times, with different sets, different settings, etc.

AV security software is available for all sizes and types of business. What fits well at the smaller end of the SME (small to medium enterprise) market is probably not going to be quite so appropriate to the larger corporates.

Before deciding on appropriate software to investigate, it is critical to understand the business environment in which it will be used, so that correct and informed choices can be made.

Let’s start at the smaller end of the marketplace. These are environments that have often grown out of micro businesses, where domestic-grade AV products might well have been appropriate. But as soon as you start to scale beyond a few machines, the role of AV management comes into sharp focus. This is especially true when you consider the business and reputational damage that could result from a significant, and uncontained/uncontrolled malware outbreak.

However, in the smaller end of the SME space, there is rarely an onsite IT manager or operative. Often the role of “looking after the computers” falls to an interested amateur, whose main role in the business is that of senior partner. This model is often found in retail, accountancy and legal professions. In this space, it is critical to have a managed overview of all the computing assets, and to have instant clarity about the status of the protection delivered in way that is clear and simple. Remediation can be done by taking a machine offline, moving the user to a spare device, and waiting for an IT professional to arrive on site to perform clean-up and integrity checking tasks. Although users might be informed of status, managing the platform is a task for one, or at most, a few, senior people within the organization, often driven by overriding needs for data confidentiality within the company.

In the larger organization, it is expected to have onsite specialist IT staff, and, at the bigger end, staff whose role is explicitly that of network security. Here, the CTO role will be looking for straightforward, but real-time statistics and a management overview which allows for drilling into the data to focus on problems when they arise. There will almost be an explicit role for the software installation engineers, responsible for ensuring the AV package is correctly and appropriately loaded and deployed onto new machines. Knowing when machines “drop off grid” is almost as important here, to ensure that there are no rogue, unprotected devices on the LAN. Finally, there will almost certainly be a help desk role, as a first-line defence, who will be responsible for monitoring and tracking malware activity, and escalating it appropriately. They might, for example, initiate a wipe-and-restart on a compromised computer.

Finally, in this larger, more layered hierarchy, there is a task of remediation and tracking. Knowing that you have a malware infection is just the start. Handling it, and being able to trace its infection route back to the original point of infection, is arguably the most important function in a larger organization. If a weakness in the network security and operational procedure design cannot be clearly identified, then it is likely that such a breach will occur again at some point in the future. For this role, comprehensive analysis and forensic tools are required, with a heavy emphasis on understanding the timeline of an attack or infection from a compromised computer. Providing this information in a coherent way is not easy – it requires the handling of huge amounts of data, and the tools to filter, categorize and highlight issues as they are unfolding, often in real time.

Because of these fundamental differences, it is critically important to identify the appropriate tool for the organization, and the risk profile it is exposed to. Under-specifying this will result in breaches that will be hard to manage. Over-specifying will result in a system of such complexity that no-one truly understands how to deploy, use and maintain it, and the business is then open to attack simply because of the fog of misunderstanding and lack of compliance.

A key point for some businesses will be whether to go for a cloud-based or a server-based console. The former is almost instantaneous to set up, and usually avoids any additional configuration of client devices. The latter will require more work by the administrator before everything is up and running, including configuring clients and the company firewall. However, it means that the entire setup is on the company’s own premises and under the administrator’s direct control. For smaller businesses with limited IT staff, cloud-based consoles might be an easier option. Please note that in a number of cases, manufacturers provide both cloud-based and server-based options for managing their products. References to console type here only relate to the specific product used in our tests. Please consult the respective vendor to see if other console types are available.

Avast, K7 and VIPRE offer easy-to-use cloud consoles that would be particularly suited to smaller businesses without full-time IT staff. These would all work well for larger companies too, and so allow the business to grow.

Fortinet, G Data and Kaspersky use server-based consoles that will prove very familiar and straightforward for experienced Windows professionals. They could be used by the SME sector upwards. Please note that Fortinet has an additional cloud-based console for its FortiEDR product. Kaspersky offer a cloud-based console as an alternative to the server-based product.

For businesses of the same size looking for cloud-based management solutions, Bitdefender, ESET, Microsoft, Panda and Sophos all offer strong and coherent solutions. Acronis, Cybereason, and VMware Carbon Black may require a little more learning, but would also be very appropriate for this category of business.

At the larger end of the market, Cisco, CrowdStrike, Elastic, FireEye and SparkCognition all offer exceptionally powerful tools. How well they will fit to your organization, both how it is today and how you intend to grow it over the next five years, needs to be carefully planned. There is clearly a role here for external expertise and consultancy, both in the planning and deployment stages, and all of them will require significant amounts of training and ongoing support. However, they offer a level of capability that is entirely different to the smaller packages. 

Tested Products

The following business products were tested under Microsoft Windows 10 1909 64-bit:

In business environments, and with business products in general, it is usual for products to be configured by the system administrator, in accordance with vendor’s guidelines, and so we invited all vendors to configure their respective products.

Only a few vendors provide their products with optimal default settings which are ready to use, and did therefore not change any settings. Cloud and PUA detection have been activated in all products. We currently do not include any PUA in our malware tests.

Please keep in mind that the results reached in the Enterprise Main-Test Series were only achieved by applying the respective product configurations described here. Any setting listed here as enabled might be disabled in your environment, and vice versa. This influences the protection rates, false alarm rates and system impact. The applied settings are used across all our Enterprise Tests over the year. That is to say, we do not allow a vendor to change settings depending on the test. Otherwise, vendors could e.g. configure their respective products for maximum protection in the protection tests (which would reduce performance and increase false alarms), and maximum speed in the performance tests (thus reducing protection and false alarms). Please not that some enterprise products have all their protection features disabled by default, so the admin has to configure the product to get any protection.

Below we have listed relevant deviations from default settings (i.e. setting changes applied by the vendors):

Bitdefender: “Sandbox Analyzer” and “Scan SSL” enabled; “HyperDetect”, “Device Sensor” and “EDR Sensor” disabled.

Cisco: everything enabled and set to Block.

CrowdStrike: everything enabled and set to maximum, i.e. “Extra Aggressive”. “Unknown Detection-Related Executables” and “Unknown Executables” disabled.

Cybereason: “Anti-Malware” enabled; “Signatures mode” set to “Disinfect”; “Behavioral document protection” enabled; “Artificial intelligence” set to “Aggressive”; “Exploit protection”, “PowerShell and .NET”, “Anti-Ransomware” and “App Control” enabled and set to “Prevent”; all “Collection features” enabled; “Scan archives on access” enabled.

Elastic: “Malware” and “Process Injection” protections enabled; “Blacklist”, “Credential Access”, “Exploit” and “Ransomware” protections, as well as all “Adversary Behaviors” disabled.

ESET: All “Real-Time & Machine Learning Protection” settings set to “Aggressive”.

FireEye: “Real-Time Indicator Detection” disabled, “Exploit Guard” and “Malware Protection” enabled.

Fortinet: All “AntiVirus Protection” settings enabled and set to “Block”. Additionally, “Anti-Exploit”, “Cloud Based Malware Detection”, “Advanced Heuristic”, “FortiGuard Analytics”, FortiSandbox’s “Sandbox Detection”, “Web Filter”, “Application Firewall”, “Detect and Block Exploits & Botnets” and “FortiEDR” were all enabled; “Exclude Files from Trusted Sources” for “Sandbox Detection” enabled.

G DATA: “Exploit Protection”, “Anti-Ransomware” and “BankGuard” enabled; “BEAST Behavior Monitoring” set to “Pause Program and Quarantine”.

Kaspersky: “Adaptive Anomaly Control” disabled.

Microsoft: Cloud protection level set to “High”, Cloud-delivered protection set to “Advanced”. Google Chrome extension “Windows Defender Browser Protection” installed and enabled.

Sophos: All options in “Active Adversary Mitigations” enabled. “Web Control” and “Protect against data loss” disabled.

SparkCognition: all “Policy Settings” and all “Attack Vectors” settings enabled and set to “Aggressive”.

VMware: policy set to “Advanced”.

Acronis, Avast, K7, Panda, VIPRE: default settings.

Information about additional third-party engines/signatures used by some of the products: Acronis, Cisco, Cybereason, FireEye, G DATA and VIPRE use the Bitdefender engine (in addition to their own protection features). VMware uses the Avira engine (in addition to their own protection features). G DATA’s OutbreakShield is based on Cyren.

We congratulate the vendors who are participating in the Business Main-Test Series for having their business products publicly tested by an independent lab, showing their commitment to improving their products, being transparent to their customers and having confidence in their product quality.

Test Procedure

The test series consists of three main parts:

The Real-World Protection Test mimics online malware attacks that a typical business user might encounter when surfing the Internet.

The Malware Protection Test considers a scenario in which the malware enters the test system via e.g. the local area network or removable device, rather than directly from the Internet.

The Performance Test looks at the impact each product has on the system’s performance, i.e. how much it slows down normal use of the PC while performing certain tasks.

In addition to each of the protection tests, a false-positives test is conducted, to check whether any products falsely identify legitimate software as harmful.

To complete the picture of each product’s capabilities, there is a user-interface review included in the report as well.

Some of the products in the test are clearly aimed at larger enterprises and organisations, while others are more applicable to smaller businesses. Please see each product’s review section for further details.

Kindly note that some of the included vendors provide more than one business product. In such cases, other products in the range may have a different type of management console (server-based as opposed to cloud-based, or vice-versa); they may also include additional features not included in the tested product, such as endpoint detection and response (EDR). Readers should not assume that the test results for one product in a vendor’s business range will necessarily be the same for another product from the same vendor.

Test Results

Real-World Protection Test (March-June)

The results below are based on a test set consisting of 767 test cases (such as malicious URLs), tested from the beginning of March 2020 till the end of June 2020.

  Blocked User dependent Compromised PROTECTION RATE
[Blocked % + (User dependent %)/2]*
False Alarms
Fortinet
767 100% 11
Panda 767 100% 27
Kaspersky 766 1 99.9% 0
Avast
766 1 99.9% 5
Microsoft 765 2 99.7% 8
ESET 764 3 99.6% 0
K7 764 3 99.6% 15
Bitdefender, G Data 763 4 99.5% 2
Sophos, VIPRE 763 4 99.5% 3
VMware 762 5 99.3% 2
Elastic
762 5 99.3%
41
Cisco
757 10 98.7%
1
SparkCognition
754 13 98.3%
0
Acronis
752 15 98.0%
0
Crowdstrike 747 20 97.4% 21
Cybereason 743 24 96.9% 20
FireEye
740 27 96.5%
1

 

Fortinet, K7, Cybereason, CrowdStrike, Panda and Elastic had above-average numbers of FPs in the Real-World Protection Test.


Malware Protection Test (March)

The following chart shows the results of the Business Malware Protection Test: 

False positive (false alarm) test with common business software

A false alarm test done with common business software was also performed. All tested products had zero false alarms on common business software. 

  Malware Protection Rate False Alarms on common business software
Cisco, K7, Microsoft, VMware
100% 0
Bitdefender, ESET, G Data, Panda 99.9% 0
Avast, Vipre 99.8% 0
CrowdStrike, Cybereason 99.7% 0
Elastic, FireEye 99.6% 0
Fortinet, Kaspersky 99.5% 0
Sophos 99.4% 0
Acronis 98.9% 0
SparkCognition* 92.7% 0

* A SparkCognition product issue was uncovered during the Malware Protection Test which led to some missed detections. The bug has now been fixed.

In order to better evaluate the products’ detection accuracy and file detection capabilities (ability to distinguish good files from malicious files), we also performed a false alarm test on non-business software and uncommon files. This is provided mainly just as additional information, especially for organisations which often use uncommon non-business software or their own self-developed software. The results do not affect the overall test score or the Approved Business Product award. The false alarms found were promptly fixed by the respective vendors.  

FP rate
Number of FPs on
non-business software
Very low
0 - 5
Low
6 - 25
Medium
26 - 50
High
51 - 100
Very high
101 - 200
Remarkably high
> 200
  FP rate on non-business software
Acronis, Avast, Bitdefender, Cisco, ESET, Fortinet, G Data, Kaspersky, Sophos Very low
Cybereason, FireEye, SparkCognition, Microsoft Low
Elastic, Vipre, VMware Medium
K7, Panda High
CrowdStrike Very high
Remarkably high

 


Performance Test (May – June)

These specific test results show the impact on system performance that a security product has, compared to the other tested security products. The reported data just gives an indication and is not necessarily applicable in all circumstances, as too many factors can play an additional part. The testers defined the categories Slow, Mediocre, Fast and Very Fast by consulting statistical methods and taking into consideration what would be noticed from the user’s perspective, or compared to the impact of the other security products. If some products are faster/slower than others in a single subtest, this is reflected in the results.

Overview of single AV-C performance scores

Vendor File copying Archiving /
Unarchiving
Installing /
Uninstalling
Applications
Launching Applications Downloading Files Browsing Webites
First Run Subsequent Run First Run Subsequent Run
Acronis perf-level-fast perf-level-fast perf-level-veryfast perf-level-fast perf-level-fast perf-level-fast perf-level-veryfast perf-level-veryfast
Avast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-fast perf-level-veryfast
Bitdefender perf-level-fast perf-level-fast perf-level-veryfast perf-level-veryfast perf-level-fast perf-level-veryfast perf-level-veryfast perf-level-veryfast
Cisco perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-mediocre perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
CrowdStrike perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-fast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
Cybereason perf-level-fast perf-level-fast perf-level-veryfast perf-level-fast perf-level-mediocre perf-level-mediocre perf-level-veryfast perf-level-veryfast
Elastic perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
ESET perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
FireEye perf-level-mediocre perf-level-mediocre perf-level-fast perf-level-veryfast perf-level-fast perf-level-fast perf-level-veryfast perf-level-veryfast
Fortinet perf-level-fast perf-level-fast perf-level-fast perf-level-fast perf-level-mediocre perf-level-veryfast
G Data perf-level-mediocre perf-level-mediocre perf-level-veryfast perf-level-fast perf-level-fast perf-level-fast perf-level-fast perf-level-veryfast
K7 perf-level-fast perf-level-fast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
Kaspersky perf-level-veryfast perf-level-veryfast perf-level-mediocre perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
Microsoft perf-level-mediocre perf-level-mediocre perf-level-veryfast perf-level-fast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
Panda perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
Sophos perf-level-fast perf-level-fast perf-level-veryfast perf-level-mediocre perf-level-mediocre perf-level-veryfast perf-level-veryfast perf-level-veryfast
SparkCognition perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-fast perf-level-fast perf-level-fast perf-level-veryfast perf-level-veryfast
VIPRE perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-fast perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast
VMWare perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-mediocre perf-level-veryfast perf-level-veryfast perf-level-veryfast perf-level-veryfast

 

Key Slow perf-level-mediocre Medicore perf-level-fast Fast perf-level-veryfast Very fast

 

PC Mark Tests

In order to provide an industry-recognized performance test, we used the PC Mark 10 Professional Edition testing suite. Users using PC Mark 10 benchmark1 should take care to minimize all external factors that could affect the testing suite, and strictly follow at least the suggestions documented inside the PC Mark manual, to get consistent and valid/useful results. Furthermore, the tests should be repeated several times to verify them. For more information about the various consumer scenarios tests included in PC Mark, please read the whitepaper on their website.

“No security software” is tested on a baseline system without any security software installed, which scores 100 points in the PC Mark 10 benchmark.

Baseline system: Intel Core i3-6006U machine with 4GB RAM and SSD drive

1 PC Mark® is a registered trademark of Futuremark Corporation / UL.

Summarized results

Users should weight the various subtests according to their needs. We applied a scoring system to sum up the various results. Please note that for the File Copying and Launching Applications subtests, we noted separately the results for the first run and for subsequent runs. For the AV-C score, we took the rounded mean values of first and subsequent runs for File Copying, whilst for Launching Applications we considered only the subsequent runs. “Very fast” gets 15 points, “fast” gets 10 points, “mediocre” gets 5 points and “slow” gets 0 points. This leads to the following results:

AVC ScorePC Mark ScoreImpact Score
1.K79098.91.1
2.ESET9098.71.3
3.Elastic9098.61.4
4.Panda9096.33.7
5.Bitdefender8896.25.8
6.VIPRE8598.46.6
7.CrowdStrike8597.67.4
8.Avast8596.58.5
9.Kaspersky8097.912.1
10.SparkCognition8096.913.1
11.VMware8094.615.4
12.Microsoft7596.818.2
13.Sophos7595.119.9
14.Acronis7594.320.7
15.Cisco7593.421.6
16.Cybereason7096.623.4
17.FireEye7095.724.3
18.G DATA6595.329.7
19.Fortinet5092.547.5

Product Reviews

Bellow you will find user-interface reviews of all the tested products. These consider the experience of using the products in real life. Please note that the reviews do not take test results into consideration, so we kindly ask readers to look at both the review and the test results in order to get a complete picture of any product.

We would like to point out that business security products include a wealth of features and functionality, and describing all of them would be well beyond the scope of a review such as this. We endeavour to describe the main features of each product, as presented in the user interface, and to provide similar coverage for each product. Due to different numbers and types of features in the various products reviewed, some apparent inconsistencies may occur. For example, in a simpler product with fewer features, we may be able to describe a particular function in more detail relative to a more complex product with a greater range of features.

We first look at the type of product, i.e. whether the console is cloud based or server based, and what sort of devices/operating systems can be protected and managed.

The next section looks at installation and deployment of the product. For server-based products, we describe the process of getting the console installed on the server (this is obviously not applicable to cloud-based consoles). The next step – applicable to all products – is to deploy the management agent and endpoint protection software to the client PCs.

The review then moves on to ongoing use, i.e. day-to-day management tasks such as monitoring and maintenance that need to be carried out.

Finally, we take a look at the endpoint protection software installed on the client. Here we consider whether the endpoint user can perform any tasks such as scans and updates themselves, or whether such tasks are controlled exclusively by the administrator using the central management console.

Acronis Cyber Protect Cloud – Advanced Edition

Verdict

Acronis’ cloud-based management console stands out for its very clear and clean modern interface. All the management functionality is easily accessible via a single menu column on the left-hand side of the window. Individual pages have a simple, uncluttered view, which makes it easy to find the details. In many ways the console resembles a well-designed smartphone app, and would doubtless scale very well when used on the smaller screen of, say, a tablet. The product’s simplicity and clarity mean that it would be particularly well suited to smaller businesses and less-experienced administrators.

About the product

The Acronis Cyber Cloud platform provides a combined cybersecurity and data protection service. There is a variety of cloud-based services included, including backup, disaster recovery, and secure file-synchronisation, in addition to endpoint protection. This review considers only the malware protection features. There are clients for Windows and macOS workstations, Windows and Linux servers, plus Android and iOS mobile devices.

Getting up and running

Installing the client software is very simple. Just go to the Devices page and click the Add button, and select the appropriate installer from the list that then opens. This can be downloaded and run on the client device. You can also create .mst and .msi files for unattended installation. When the endpoint software has been installed, you have to assign a Protection Plan to the newly installed machine, in order to activate the antimalware service. We note that Windows Defender is not disabled by the setup wizard, so administrators may wish to do this manually or by policy.

Everyday management

Acronis Cyber Protect Cloud – Advanced Edition

The Devices page lists the devices on the network. Sub-pages allow you to filter the view, e.g. by managed and unmanaged machines. You can see device type and name, user account, and security status, amongst other things. The columns shown can be customised, so you can remove any you don’t need, and add e.g. IP address and operating system. Selecting a device or devices opens up a menu panel on the right, from which you can see the applied protection policy, apply patches, see machine details/logs/alerts, change group membership, or delete the device from the console.

Under Plans/Protection, you can see, create and edit the policies that control the anti-malware features of the platform. Again, an uncluttered menu pane slides out from the right with the appropriate details and controls. Amongst the functions that can be configured are real-time protection, network folder protection, action to be taken on malware discovery, ransomware, cryptomining process detection, scheduled scanning, exclusions, URL filtering, and how long to keep items in quarantine. You can configure vulnerability assessments and patch management, and there are even controls for scanning with Microsoft Windows Defender/Security Essentials too.

Under Anti-Malware Protection, the Quarantine page lists the names of malicious files that have been detected, along with the date quarantined and device name. You can add columns for the threat name and applicable protection plan from the page settings. A mini menu at the end of each entry lets you restore or delete the selected items. The Whitelist page displays any applications that have been found during backup scanning and categorised as safe. A backup scanning plan has to be created in order to enable automatic whitelist generation.

The Patches and Vulnerabilities pages under Software Management are populated if a vulnerability assessment has been created in a protection plan and run at least once.

The Reports page lists a number of topics for which reports can be generated, including Alerts, Detected threats, Discovered machines, Existing vulnerabilities and Patch management summary. Clicking on a report name opens up a details page for that item. The Alerts page, for example, contains panels showing 5 latest alerts, Active alerts summary, historical alerts summary, Active alerts details, and Alerts history. Coloured alert icons and doughnut charts serve to subtly highlight the most important items. As with other pages of the console, the columns in these panels can be customised.

Under Settings/Protection, you can set the schedule for protection definitions updates, and enable the remote connection function. The Agents page allows you to see the version of the endpoint agent installed on each client, and update this if necessary.

Windows endpoint protection software

Acronis Cyber Protect Cloud – Advanced Edition

The client software has a minimalist interface, which does not allow any users to interact with the malware protection service. The Stop all link in the screenshot above refers to the backup service – the protection service cannot be disabled here. If the user should inadvertently copy a malicious file to the system, Acronis will detect and quarantine it on access. Malware detections are silent, i.e. no alerts are shown. Exactly the same interface is used for client and server protection software.

Avast Business Antivirus Pro Plus

Verdict

Avast Business Antivirus Pro Plus is a strong cloud-based product ideal for small to medium-sized businesses. The UI is intuitive and clean, and the defaults are sensible for the smaller organisation. A non-technical user should not have any problems deploying this and keeping track of events. However, it still has grouping and profile capabilities to protect the larger estates. We liked the straightforward nature of the platform.

About the product

Avast Business Antivirus Pro Plus uses a cloud-based console to deploy, manage, and monitor the endpoint protection software on all devices. The product protects Windows clients, Windows servers and macOS devices. Windows client features include anti-spam, data shredding, a VPN, and data & identity protection. Exchange and SharePoint security are provided for Windows Server. A patch management feature is included for all Windows computers. However, automatic installation of patches requires a separate licence for Avast Business Patch Management.

Getting up and running

There is no server component to install because it is run from a cloud-based console. You create the account, apply appropriate licensing, and then add devices. Deployment can be carried out via remote push, downloading an installer package, or by sending a download link via email. The installer is offered in two sizes, both being very simple to use. There is a Light version, around 6MB in size, which is just a downloader. The full version is around 300 MB and can be run offline. The former is ideal for smaller networks, the latter is better for larger deployments to minimise internet traffic. The wizard offers to remove existing competitive AV products.

Everyday management

On the server console, there is a clear set of main menus down the left-hand side. These are: Dashboard, Notifications, Devices, Tasks, Patches, Policies, Reports, and Subscriptions. Help & Support and General Settings are found at the bottom. The default Dashboard page gives an overview of the installation and how it is running. You can see alerts on your devices, OS distribution, threat detection statistics, and patch management summaries.

 

Notifications collates all the main event information into one place. Malware detection notifications link through to the Virus Chest (quarantine) on the affected computer. The Notifications Settings panel is comprehensive. It allows you to set up how notifications will be handled across a wide range of scenarios. We particularly liked the “if not read then send email notification” which can be set to “instantly”, “batched end of week” or “never” for each setting. This offers a lot of control of how you are notified when an event occurs. You can ensure that you are not swamped with information that is not immediately relevant.

Avast Business Antivirus Pro Plus

The Devices tab (screenshot above) shows each device’s security status, group membership and policy, along with recent threats and other events. Helpful links are provided, for example Restart & scan for unresolved threats. You can group devices into groups, and apply settings and policy through that group.

Tasks is a powerful scheduler area. Here the administrator can create tasks to run particular events. For example, do a quick scan every day at 2pm. You can also use it to send a short message to your devices, to update the device and to shut it down too. It is a simple task management tool, but has useful capabilities for the small office and organisation.

The Patches page provides a very brief description of the feature, which is available to purchase as a separate component, along with a button marked Start Trial.

Policies allows you to create a settings template which is then applied to a group of devices. In here, you have access to all the control functionality for the device. So, you can determine that file scanning is on, the antispam service is running, the firewall must be applied, and so forth. From these templates, you can apply policies to devices. Separate policies can be configured for Windows workstations, Windows servers, and macOS devices.

At the time of writing (May 2020), Reports was marked as a “new” feature in the console menu column, though in fact it is an update of an existing feature. There are five different report categories: Executive Summary, Antivirus Threats Report, Patch Report, Device Report, and Tasks Report. You can click on any of these headings to see a graphical representation of recent activity. For example, Antivirus Threats Report shows a graph of malware items detected, quarantined, blocked, deleted or repaired over the last month. You can create reports on a weekly or monthly schedule, and view scheduled reports already created.

As you would expect, Subscriptions shows you the product licences you currently have, and how many of them you have used. There are also links that let you try or buy other versions of Avast Business Antivirus, and the Patch Management component.

Help & Support provides links to various support and documentation items, including a user guide for the console. This is clear, comprehensive and well indexed, though lacking in screenshots.

General Settings lets you change the system time zone, and enable Labs features. The latter is a preview of upcoming features that are “not entirely ready yet”. You can also create a local server for deployments and updates, and import the database of another Avast console.

Windows endpoint protection software

The Windows desktop protection software offers a wide range of capabilities, much like a normal end-user desktop solution. Users can run scans and updates. The central policies determine what they can change or adjust. By default, Windows Standard User Accounts can disable all protection features, and supress further warnings by clicking Ignore. This results in a misleading message, stating “You’re protected”, even though all protection components have been switched off. Protection will be automatically re-enabled when the computer is restarted. However, admins may want to prevent Standard Users from changing the settings, which can be done by enabling the password protection feature in the console.

Avast Business Antivirus Pro Plus

If the user should inadvertently copy a malicious file to the system, Avast will detect and quarantine it on access. An example alert is shown below. The user can start a scan of the PC, and see details of the threat.

Avast Business Antivirus Pro Plus

The GUI of the server protection software is identical to that of its desktop counterpart.

Bitdefender GravityZone Elite Security

Verdict

There is much to like in Bitdefender GravityZone Elite Security. The design of the management console is very clear. Relevant tasks are grouped together, and the initial walkthrough wizard makes deployment easy. We particularly liked the Dashboard functionality. The Policies feature gives a clear understanding of the rules applied to endpoints. One minor suggestion for improvement would be to clarify the process for setting scan exclusions.

About the product

Bitdefender GravityZone Elite Security uses a cloud-based console to manage endpoint protection software. Desktops and servers running Windows, macOS and Linux are all supported.

Getting up and running

Getting the main cloud console up and running is very simple: create the cloud account, log in and you have a working environment.

The first thing you see on login is the Essential Steps wizard. This is a four-step process to guide you on getting up and running as quickly as possible. Each panel has copious explanations to help explain what that step is achieving.

Step 1 is Install Protection, which allows you to install directly onto the computer you are working on. You can also email an installation link to remote users. Alternatively, you can use the Remote Installation capability to remotely install the endpoint client on network computers. To enable this, you need to install a “relay” computer, to act as the bridgehead.

Step 2 is to create the Security Policies to be used in your organisation. This allows you to define a pre-cooked set of operational requirements onto each target device, or group of devices.

Step 3 is to create appropriate User Accounts. These are administrative accounts for the management of the platform. The roles here can be Partner, Company Administrator, Network Administrator, Reporter and Custom. A Reporter might be e.g. a help-desk role, and can see reports of activity without being able to change users or the company structure.

Step 4 is Reporting, where it shows you how to create appropriate reports of activity on your network.

Having gone through these steps, you should have a deployed and managed network.

Everyday management

The console is particularly clear and clean. This helps make the product suitable for a smaller companies with limited IT support, as well as larger organisations. The main console has a menu structure down the left-hand side. The items are Dashboard, Incidents, Network, Risk Management, Policies, Reports, Quarantine, Accounts, Sandbox Analyzer and Configuration.

Dashboard gives you an instant overview of the installation and the performance of the clients. Each panel here is called a “Portlet”, and can be clicked on to drill into more information. There are three pages of Portlets in total. We particularly liked the way that the Portlets can be rearranged, added to, and laid out to your preferences. The strong capabilities of Dashboard mean that you can quickly and easily find the information you need.

Incidents allows you to review and investigate threats detected on the network.

Bitdefender GravityZone Elite Security

The main Network page shows you all the managed devices on your network, ordered into groups which you can create yourself (screenshot above). The Packages sub-page lets you configure deployment packages. On the Tasks sub-page you can create tasks such as scans and updates, which can be run once or multiple times on specified devices or groups.

The Risk Management page displays a breakdown of risks according to factors such as date, severity, and number of endpoints affected.

Policies is where you define the operational groups within your organisation, and then apply policies to them. There is a wealth of capability here. You can control the firewall functionality, application operation, and device access (e.g. blocking USB drives). You can set rules for Exchange Server too. We found that the process of setting scan exclusions here took a little getting used to. It would be helpful to separate the entry boxes for new exclusions from the table of existing exclusions, and to make clearer that the former are also drop-down lists.

Reports lets you build views of what is happening, by functional group or by task area.

Quarantine gives you an overview of all the malware that has been quarantined on the network, and the ability to choose what to do with those files.

Accounts lets you add and remove console users, and monitor the activities of the user accounts that have been set up.

Sandbox Analyzer provides a breakdown of unknown files that have been analysed by the sandbox feature, with a severity score from 0 (completely harmless) to 30 (clearly malicious).

The Configuration page lets you change settings for the console itself.

Clicking the bell icon in the top right-hand corner opens the Notifications panel. This displays a list of events such as logins and detections. Drilling into an item gives a clear description of what happened. We particularly liked the reporting of a malware outbreak. This informed us that “at least 28% from a total number of X endpoints were found infected with Y malware”. This makes it easy to separate out isolated incidents from a network-wide pandemic.

Windows endpoint protection software

The Windows desktop protection software is a simple application with a clean interface. It clearly shows what is going on, with details of updates carried out, modules enabled, and programs allowed through the firewall. The user interface allows the user to check for updates, and initiate quick, full or custom scans. Users can also view the program’s settings, but the default policy prevents any changes being made. You can easily change the user interface language from the System Tray menu.

Bitdefender GravityZone Elite Security

If the user should inadvertently copy a malicious file to the system, Bitdefender will detect and quarantine it on access. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

Bitdefender GravityZone Elite Security

The GUI of the server protection software is identical to that of its desktop counterpart.

Cisco Advanced Malware Protection for Endpoints

Verdict

Getting started with Cisco Advanced Malware Protection for Endpoints (AMP) is very straightforward. The console requires no setup, and deploying the client software is quick and easy. Clear and colourful charts summarise the most important information. Regarding more advanced monitoring and management, there is a lot of functionality available here. The console’s design makes the different features easy to access. However, unlocking the product’s full potential may take some time, depending on various factors like size and complexity of your environment, use cases and so on. For organisations with appropriate IT staff resources, it provides a wealth of features for monitoring, investigating and blocking security threats.

About the product

Cisco AMP provides malware protection for Windows, macOS, Linux, Android and Apple iOS devices. These are all managed from a cloud-based console.

Getting up and running

As the console is cloud-based, no installation is necessary. You just browse to the URL and log in. Installers for desktop systems can be found by clicking Management\Download Connector. You need to select Protect from the Group menu. The setup process is very quick and simple, and only takes a couple of clicks. We note that Windows Defender is not disabled automatically on Windows desktop systems when the Cisco endpoint software is installed. Administrators might like to do this themselves, either manually or by policy.

Everyday management

The cloud console is navigated from a single menu bar at the top of the page. The Dashboard page has a number of sub-pages accessible from a row of tabs at the top. Analysis, Outbreak Control, Management and Accounts are drop-down menus. Each has about 10 individual items.

 

The Dashboard sub-page of the Dashboard is shown in the screenshot above. There are a number of panels with coloured bar charts. These show Compromises, Quarantined Detections, Vulnerabilities, Significant Compromise Artifacts, and Compromise Event Types. The Inbox sub-page shows a compact, summarised version of the same thing. The Overview sub-page provides the most graphical overview of the state of the network, with coloured bar and doughnut charts showing compromises, threats, vulnerabilities, computers, network threats and file analysis. These provide a very clear summary of the most important information, and we wonder whether this might not be made the default page of the console. The Events sub-page lists recent detections.

Cisco Advanced Malware Protection for Endpoints

The Computers page, shown above, is accessed from the Management menu. It provides a row of statistics along the top, such as computers with faults or in need of updates. Below this is a list of individual devices, with a status summary for each one. You can mark a device for further attention by clicking its flag icon here. Clicking on the arrowhead icon for a device displays a detailed information panel. This shows information such as OS version, connector version, definitions version, internal and external IP addresses, and date and time last seen. The device list can be narrowed by OS type, using the tabs at the top. You can also filter the device list using various details. These include specific OS version, group, or definitions status, by clicking on Filters at the top.

The Management menu contains a number of other standard features. There are Groups, Policies, Exclusions, and deployment options. There is also a Quick Start guide, in the form of a video explaining the product’s features and usage. In the Analysis menu you can find features for investigating attacks. Events shows a list of threats encountered by protected devices. These include access to risky websites, malicious file downloads, and attempts to quarantine suspected malware. Clicking on an item displays more details, such as the IP address and port of the threat website, and the hash of the malicious file. If you right-click a file’s hash here, you can take action against the threat. Options include blacklisting the file, and Investigate in Cisco Threat Response. This opens a separate console, which provides additional analysis data. Cisco tell us that this includes information from third-party security services as well as their own.

You can drill down into a file’s details on the File Analysis page. This shows you the specific behavioural indicators for detecting a file as malicious. To see which legitimate programs have been involved in malware encounters, take a look at the Threat Root Cause page. A coloured pie chart shows you the distribution of malware encountered by specific applications, such as chrome.exe or explorer.exe. On the Prevalence page, the number of devices affected by a particular threat is shown. Under Vulnerable Software, programs with known vulnerabilities are listed. There is also CVE-ID and CVSS info to help identify and resolve the problem. Reports provides a very detailed weekly report. This covers numerous items such as threats, compromises and vulnerabilities. These are illustrated with coloured bar and doughnut charts. Finally, the Indicators page lets you search for Cloud IOCs. You can access the page from Analysis\Indicators on the main menu. Each indicator includes a brief description along with information about the tactics and techniques employed based on the Mitre ATT&CK knowledge base. Tactics represent the objective of an attack, such as executing malware or exfiltrating confidential information. Techniques are the methods attackers use to achieve the objectives or what they gain.

The Outbreak Control menu provides options for blocking or whitelisting specific applications and IP addresses. There are also custom detection options. These let you block the installation of any program you consider to be harmful or unwanted anywhere on the network. You can also run IOC (indicator of compromise) scans.

Windows endpoint protection software

The Windows desktop protection software has a very simple GUI, which allows users to run scans and view the logs. Both of these functions open in separate, larger windows. Users can also view settings, but by default these are locked down. Users have a choice of scans they can run. Options are Flash Scan (running processes), Custom Scan, Full Scan and Rootkit Scan.

 

Cisco Advanced Malware Protection for Endpoints

If the user should inadvertently copy a malicious file to the system, Cisco will detect and quarantine it on access. By default, detection is silent, i.e. no alert is shown to the user. However, the endpoint software can be configured by policy to show notifications.

The GUI of the server protection software is identical to that of its desktop counterpart.

CrowdStrike Falcon Pro

About the product

CrowdStrike Falcon Pro is a security package for business networks. Details of the management console described here are applicable to all supported operating systems (macOS, Windows and Linux). Falcon allows you to proactively look for malicious activities and adversaries (nation state, eCrime, or hacktivist actors). The cloud-based management console can be run from the cloud on any modern browser.

Verdict

CrowdStrike Falcon Pro is a very comprehensive platform. It provides not only AV services within an organisation, but also a comprehensive set of detection and analysis services. We note that CrowdStrike Falcon is available as a fully managed service for organisations that desire a more hands-off solution to endpoint protection. Otherwise, it is aimed at the larger organisation, and is not really a “fit and forget” product. Basic everyday monitoring and management tasks are simple enough, even with minimal understanding of its operations. However, the product’s capabilities are sufficiently deep that making some investment of time for learning is worthwhile to realize maximum value. CrowdStrike tell us that learning modules are available on-line or via external consultancy.

Getting up and running

The management infrastructure comes pre-packaged for you in a cloud console and requires no on-premises equipment – only a modern browser. Deployment of the client “sensor” (agent) is quite simple here. It relies on the download of the installation package appropriate to the target platform. On Windows, you can use an automatic sensor deployment like Windows System Center Configuration Manager. Once installed, the Falcon Sensor is almost invisible to the end user. Docker support allows the installation of the Falcon agent on hosts running Docker.

Deployment across an organisation will take planning and appropriate tools. This includes preparation for the appropriate layers of policy to be applied to users. Once this work has been done, deployment should be quite straightforward.

Everyday management

The management console is based in a web browser, as you would expect from a cloud-based solution. Two-factor authentication is required to log in, and support for single sign-on solutions is available. There is a menu of buttons down the left-hand side, and this menu can be expanded by clicking on the Falcon icon at the top left. The major items are Activity, Investigate, Hosts, Configuration, Dashboards, Discover, Intelligence, Users, and Support.

Activity is the first place to start work once the platform is up and running. There is a strong dashboard here, with the most important items brought into view. Good graphics show detections by scenario over the last 30 days, and you can click through here into the Detections submenu to view more detail. You get a strong reporting infrastructure, with a good choice of filter options presented front and centre here. You can also examine quarantined files and real-time response sessions here too.

The Investigate menu takes you into a comprehensive search facility. This covers hosts, hashes, users, IP addresses, domain and event searching. This is aimed at locating specific issues across the network estate in the recent history. The default is 24 hours, pre-set filters are provided up to 60 days, and customization options are available.

CrowdStrike Falcon Pro

The Hosts/Host Management page, shown above, lists all the device installations, by version and platform. It provides immediate understanding of which devices are offline or disconnected. From here, you can go to the Sensor Download menu and download sensor installations for all the platforms.

The Configuration menu is the heart of the policy driven process within CrowdStrike Falcon. From here, you create policy definitions which cover all aspects of the AV and prevention processes of the platform. And then you apply that process to groups of installations. You can have different policies for Windows, Mac and Linux clients here too.

The Dashboards menu gives access to the executive summary view of the estate. There are detailed graphics for detections by scenario and severity, and identifications of the top 10 users, hosts and files with most detections. This is just the tip of a very deep iceberg, allowing for comprehensive analysis of what is happening. You can search by almost anything, and use this to discover what has happened on the network during an outbreak. This includes where something entered, how it attempted to execute, what processes it used, and how it was contained. Getting through this is not for the fainthearted, but it cannot be denied that you have very powerful set of audit and analysis tools here.

The Discover menu allows you to discover devices, users and applications on the network. You can search by application inventory, asset, MAC address, accounts and other app/process-based inventory. You can also review user account information including domain accounts, local accounts and their password reset status.

The Intelligence menu takes you into an overview of the current landscape threat as perceived by CrowdStrike. This can be categorised by different factors. Examples include geographical origin of threat, target industry, target country, and motivation (espionage/criminal/Hactivist and destruction). Each threat is detailed by these parameters. Clicking View Profile on the threat takes you to a comprehensive analysis and explanation of that specific threat. This is a comprehensive resource, which is unusual and most welcome.

The User menu allows you to create the usual user profiles for administrators and other activities within the platform. There are pre-built roles already created for Endpoint Manager, Event Viewer, Administrator, Analyst, Investigator, Real Time Responder, and others. You can map these roles onto existing internal working structures, or to custom-build new roles as required.

The CrowdStrike Store allows you to extend the capabilities of the Falcon platform with a host of ready-to-go partner apps and add-ons.

Endpoint protection software

On the end-user client, the default setting is to have the client completely invisible to the user. No alerts or user interface are shown. In our test, we found that malware copied to the test system was immediately detected and deleted on access.

Cybereason Defense Platform Enterprise

Verdict

Cybereason’s management console is easily navigated from a single menu. We were impressed with the clear, well-illustrated way in which information is laid out, particularly the Malops Inbox and Malops detail pages. Amongst other advantages, this would make the console very comfortable to use on a tablet. The ultra-simple and fast client deployment process means that even inexperienced administrators would have no difficulty getting the product up and running. We noted that the product’s real-time protection is highly sensitive, and detected malware instantly in our functionality test.

About the product

Cybereason Defense Platform Enterprise uses a cloud-based console to manage endpoint protection software for Windows, macOS, Linux, Android and iOS devices.

About the product

Cybereason Defense Platform Enterprise uses a cloud-based console to manage endpoint protection software for Windows, macOS, Linux, Android and iOS devices.

Getting up and running

The endpoint agent can be installed by downloading the setup file from the console and running it. There is a Download Cybereason Installers button on the System\Overview page of the console. A slide-out menu lets you choose one of four OS versions: Windows, macOS, Linux or Linux Ubuntu. Once the installer file has been downloaded and executed, setup takes a single click, and completes in seconds.

Everyday management

The console is navigated from the menu in the top left-hand corner. The default Discovery board, shown in the screenshot above, shows “Malops” (malicious operations) in columns, according to type. The blue dots represent a malicious or suspicious activity. The size of the dot represents the number of the affected machines, and the shade of colour refers to the activity time (as explained in the panel on the right-hand side of the console). If  you click on a dot, a pop-up box displays the name of the file/process, the nature of the threat (e.g. malicious code injection), along with the date and time of the action, and the affected device. Clicking on the pop-up opens the details page for that threat, with an abundance of information about the Malop in question. This includes the device, user, file hash, incoming and outgoing connections to and from the process, and a timeline. This information is laid out in very clear diagrams, which provide an at-a-glance summary of the threat. This strikes us a remarkably effective way of communicating the important information quickly and easily. Actions that can be taken from the details page include Investigate, Isolate and Respond.

The Malop inbox shows a list of detected malicious operations in chronological order. Information for each item includes an identifier (file/process name), detection module, and affected devices, along with date and time. This is laid out in spacious rows, making it easy to read the information. Different view options let you sort the Malops by activity type, root cause, or affected device. Clicking on one of the Malops opens its details page, as described in the paragraph above.

Malware alerts shows items that “need your attention”. These are given names like “vaultfile12009845677446252183.vol”, based on the system’s internal quarantine naming process. For each item, there are Investigate and Exclude buttons.

The Investigation page allows you to create customised hunts, using criteria such as machine, user, process, connection, network interface and registry entry. There are also pre-built queries, such as Files downloaded from Chrome and Child processes of Explorer.

On the Security profile page, you can adjust reputation criteria, create custom rules for detection and behavioural whitelisting, and manage machine isolation exceptions.

The main System page has a number of sub-pages. These are Overview, Sensors, Policies management and Detection servers. The default Overview page is divided into 5 panels. The Sensors panel provides a doughnut chart of the status of installed devices, with a traffic-light colour-coding system for Enabled, Suspended and Service Error states. A simple bar graph completes the picture by showing the proportion of up-to-date clients. The other panels show details of the management server, alerts, services and performance, with the latter displaying a graph of the processing rate over time.

The System\Sensors page is shown below. It displays a list of protected devices, with details such as sensor version, OS type, IP address and component status. The details columns can be customised, letting you add a variety of items like CPU usage, memory usage and OS version. You can select a device or devices and perform tasks from the Actions menu, such as update, restart, set policy and start a system scan. A panel at the top of the page allows you to filter a long list of devices by sensor status, data collection, OS, update status, app control status and ransomware-protection status.

Cybereason Defense Platform Enterprise

The System\Policies management page lets you create and edit policies for the endpoint software. For each policy, there is a configuration page with a left-hand menu column. Items are Anti-Malware, Exploit protection, PowerShell and .NET, Anti-Ransomware, App Control, Endpoint controls, Collection features, and Endpoint UI Settings. Each item opens the relevant configuration page, with neatly laid-out controls for the individual sub-components. System\Detection servers lets you add and edit the details of the sites and servers that manage the protection software.

The Settings menu item lets you configure items such as notifications, authentication, and password policy. The product’s support services can be accessed by clicking Support, as you would expect.

Windows endpoint protection software

There is a minimalist interface to the endpoint protection software. This consists of a System Tray icon, which shows a concise status display when right-clicked:

Cybereason Defense Platform Enterprise

If a user should inadvertently copy a malicious program to their system, Cybereason will instantly detect and delete it. A sample alert is shown below:

Cybereason Defense Platform Enterprise

The interface of the server protection software is identical to that of its client counterpart.

Elastic Endpoint Security

Verdict

Elastic Endpoint Security is aimed at larger organizations that require prevention and EDR capabilities. Deploying it will require some planning and training, meaning that it is not a solution that you can just install and forget about. However, for larger organisations with suitable resources, it provides a comprehensive range of features.

About the product

Elastic Endpoint Security provides prevention, detection and response measures. It has threat-hunting capabilities aimed at stopping targeted attacks. The management console can be run from the cloud on any modern browser. On-premises deployment is also an option. Elastic Endpoint Security supports Windows, Linux, Mac, and Solaris clients and servers.

Getting up and running

We used Elastic Endpoint Security’s cloud-based infrastructure. This simply requires you to browse to the URL and log in to the management console. Deployment of the client “sensor” (agent) can be done in one of two ways: “in-band” and “out-of-band”.

In-band is currently only for Windows. The administrator installs the sensor directly onto Windows clients or servers from the Elastic Endpoint Security management console.  The administrator can scan the network for unmonitored endpoints and install the sensor after entering credentials for that endpoint.

Out-of-band is supported for all operating systems.  Out-of-band installation lets you deploy the sensor using a management tool such as Microsoft System Centre Configuration Manager. You can also install manually after downloading an installation package from the Administration/Sensor page.

The installer is transferred by the administrator to an endpoint and run from an elevated command-prompt window. You have to use specific command-line syntax (in the documentation) to do this. Double-clicking the .exe file simply deletes it.

Everyday management

The management console has six menu choices on the left-hand side. Dashboard gives an overview of the status of the entire estate of client devices, and reports how many alerts are in play at any one time. It also displays top alerts, exploits, malware and file-less alerts, allowing for a comprehensive view of what is happening. Each of these can be clicked through to drill into more information.

Elastic Endpoint Security

The Endpoints page (shown above) gives a view of all the managed clients. You can select and sort by name, IP address, OS version, policy applied, sensor version, alerts and groups. From here, you can choose a range of endpoints and then run tasks on them. These include applying a new policy, deploying/upgrading/uninstalling/deleting endpoints, and configuring a response when threats are encountered.

Alerts takes you into the heart of the platform. Here you get a list of current event types such as malicious file execution prevention or file detection. The catalogue of events can be sorted and categorised by event type, assignee, OS, IP address, hostname and date.

If you click on an event, it takes you to the Alert Details page for that event. Here you can see much more detail about the event, where it started, what it has done and the analysis of the malware, if appropriate. Here you can choose Take Action, whereby the options include Download Alert, Resolve, Dismiss, Start Investigation, Isolate Host, Download File, Delete File and Whitelist Items.

Of particular interest here is the Start Investigation feature which lets you create a “Hunt”. A Hunt can cover multiple information sources, e.g. firewall rules, drivers, network, persistence, process, registry, media, or system configuration. It allows you to search the network for information relevant to your enquiry. A key component here is the “Ask Artemis” feature, which is a natural-language query engine. You can simply type in a question, and Artemis will attempt to resolve it.

The Investigations menu item shows a list of ongoing investigations, who is assigned to them, which endpoints are involved, and so forth. This is very important for understanding how the current analysis is progressing.

Reporting provides a simple overview of alert types and endpoints in graphical form.

Finally, the Administration menu item gives access to the Policy Settings, Users, Sensors, Alerts, Whitelist and Platform features. The Policy Settings page lets you define policy for events such as privilege escalation, process injection, and credential access. As an example, you can choose what policy to apply when malware is executed. Do you detect or prevent it? Do you allow self-injection or detect DLL injection and so forth? This is a level of power and control that goes significantly beyond normal antivirus.

Windows endpoint protection software

The Windows desktop protection software is essentially invisible to the user. If the user should inadvertently copy a  malicious file to the system, Elastic will detect and quarantine it on access. An example alert is shown below. This takes the form of a banner running across the screen. The user cannot take any action, other than to close the alert.

Elastic Endpoint Security

The GUI of the server protection software is identical to that of its desktop counterpart.

ESET Endpoint Protection Advanced Cloud with ESET Cloud Administrator

Verdict

The ESET Endpoint Protection Advanced Cloud package is very well suited to the SME market. ESET have made it very flexible and scalable. It is simple enough for a company of 25 users, but also sophisticated enough to cope with larger networks. You can get the console operational in no time, and its simple menu structure makes it very easy to navigate. We found the interface very intuitive, and were able to deploy and manage the client software without any difficulty. The ability to customise different elements of the console is very welcome. We also noticed that the console is very responsive when it comes to showing alerts. Overall, it provides a very attractive option for small to medium-sized businesses.

About the product

As its name suggests, ESET Endpoint Protection Advanced Cloud includes a cloud-based management console. There is endpoint protection software for Windows clients, Windows file servers, and macOS clients. For the Windows and macOS clients, you get the choice of Endpoint Antivirus or Endpoint Security; the latter includes a web control feature and ESET’s Network Protection module. The licence also allows you to install unmanaged protection for Linux and Android devices.

Getting up and running

As the console is cloud-based, there is no installation required. You just open the URL and enter your credentials. When you log on for the first time, you can choose the location (country) of the datacentre to be used. There is also a recommendation to set up two-factor authentication, but this is optional. Next, the startup wizard invites you to create installation packages. Naturally, you can cancel this and come back to the task later. After the wizard has been completed, a tutorial runs. This is very short and simple, and points out the main areas of the console interface.

To install the client software, you first need to create installation packages on the Installers page. This just requires you to select a product. You can enable or disable the PUA detection and ESET Live Grid feedback options, or get the wizard to prompt for these during installation. Language, Group and Policy can also be specified. Once you have made an installer, you can send it to users by email directly from the console. Alternatively, you can download it and distribute it via network share or removable device, or use the mass deployment tool. When you run the installer on a target computer, the setup wizard lets you choose the interface language. Otherwise there are no choices to make, and installation completes with a couple of clicks. It is also possible to install the ESET Management Agent via a Microsoft Active Directory or System Center Configuration Manager script, and then push the endpoint software from the console. This choice of deployment methods means that the product would work well for both smaller and larger networks.

Everyday management

You can find all the main functions of the console in a single menu column on the left-hand side. The console opens on the Dashboard/Computers page, shown in the screenshot above. This provides an at-a-glance overview of the network, in the form of colour-coded doughnut charts. You can see the security status of the network, along with details of any problems and rogue computers. The time of last connection and last update are also shown, as is the distribution of different operating systems. You can easily get more details for any item just by clicking on its graphic. Similar links to details and solutions are provided throughout the console. The panels of the dashboard are very customisable. You can move them around, resize them, and change the chart type, among other things. Other tabs on the Dashboard page let you zoom in on antivirus or firewall threats, ESET applications, and incidents.

ESET Endpoint Protection Advanced Cloud with ESET Cloud Administrator

The Computers page is shown above. It gives you an overview of all the managed devices on the network; you can click on a computer’s entry to get more detailed information about that device. This includes a detailed hardware inventory, amongst other things. You can also organise computers into groups, and carry out tasks such as scans and updates. There are some pre-configured dynamic groups, for example Computers with outdated operating system. These make it easy to find all the devices that need your attention.

The Detections page shows information about all threats encountered by all managed devices on the network. You can click on the entry for any threat to get details such as file hash, source URL and detection mechanism.

Reports provides a wide range of preconfigured scenarios such as Active Threats and Last Scan. Running a report on one of these is as simple as clicking its tile on the page. You can also create your own report scenarios if you want. Reports can be scheduled, and you can specify the language.

Tasks allows you to take a wide variety of actions on individual devices or groups. These include running scans, product installations and updates. You can also run OS-related tasks, such as installing Windows Updates and restarting the operating system.

Policies has a convenient list of preconfigured policies that you can apply. These include different security levels, device control options, and how much of the user interface to show to users. You can also create your own custom policies if you want.

Computer Users allows you to create users, add contact details, and link them to devices.

On the Quarantine page, you can see all quarantined files, along with useful details such as the hash, detection type (Trojan, PUA, test file), and number of computers affected.

The Exclusions page shows files/paths that have been excluded from detection/scanning, and provides instructions for creating such exclusions.

Notifications lets you receive email notifications for a number of different scenarios. These include threats being detected, and endpoint software being out of date. These are very simple to set up and edit. You just have to select the scenario(s), enter an email address, and enable the notification.

Finally, the Status Overview page provides a brief overview of important status items, divided into the categories Licences, Computers, Products, Invalid Objects and Questions. The Invalid Objects section advises of e.g. policies that refer to out-of-date installers. Questions points out any issues that cannot be resolved automatically, and require the attention of the administrator.

Windows endpoint protection client

ESET Endpoint Protection Advanced Cloud with ESET Cloud Administrator

By default, users can access a fully-featured endpoint protection client. This has very similar functionality to a consumer antivirus program. The GUI is a model of simple and clean design. All the features are easily accessible from a single menu on the left-hand side of the window. Users can run updates and scans, and see logs and quarantined files. However, Windows Standard Users cannot disable protection or restore items from quarantine. If you want, you can set a policy from the console to disable the GUI on any device or group; in this case, no interface will be visible to the user.

If the user should inadvertently copy a malicious file to the system, ESET will detect and quarantine the malware on access. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

ESET Endpoint Protection Advanced Cloud with ESET Cloud Administrator

The GUI of the server protection software is very similar to its desktop counterpart. However, additional system information is provided on the home page. The Log Files feature also has its own entry in the menu column.

ESET Endpoint Protection Advanced Cloud with ESET Cloud Administrator
FireEye Endpoint Security

Verdict

FireEye Endpoint Security is a highly powerful platform. It includes signature-based, behavioural and machine-learning engines. A core strength is in the acquisition of data from the agent for analysis and subsequent decision-making process. This allows the admin to hunt down and investigate any threats that might bypass initial detection.

This deep insight enables analysis and response across the largest of enterprises. There is however a significant entry cost in terms of training. This is required for both the initial configuration and ongoing operations. To get the most out of FireEye Endpoint Security, security operations teams should have some knowledge of investigations. Alternatively, FireEye can assist with their Managed Defence practice. However, it should deliver a level of insight and operational management which is at the bleeding edge.

About the product

FireEye Endpoint Security provides endpoint protection with detection and response. There is a cloud-based management console. The product is designed to handle the largest of organizations, with support for up to 100,000 endpoints per appliance. There are agents available for Windows clients and servers, macOS, and various Linux distributions.

Getting up and running

The cloud console requires no significant installation. Client installers can be downloaded from the Admin menu/Agent Versions page, and deployed onto the client machines.

The management console is quite different from a conventional centralised AV product. The emphasis is on detection and response. This involves acquisition of data from clients, analysis of it, and then responding appropriately.

The platform has an extremely powerful and extensive set of information gathering tools. These allow you to build comprehensive queries of almost any type. These are then dispatched to the clients. Analysing this information is the core of the server product.

You could treat FireEye as a straightforward AV package, allowing the engines to process malware as it is found. However, the real strength comes in the analysis and containment capabilities.

There is little work required to configure the platform once the agents are deployed. Of course, you can build custom policies if you wish. But it is likely that global default settings will be the bedrock of the deployment.

There isn’t much in the way of handholding in the initial setup process for the smaller organisation. Clearly the product is aimed at the more professional, larger organisation. It also assumes there will be training and consultancy for deployment.

Everyday management

FireEye Endpoint Security

The management console is not a tool to be dipped into occasionally. Unlocking its huge power needs considerable understanding of what the platform offers and how to achieve it. There is little handholding here. The product is aimed squarely at the large corporate space, where training and consultancy will be provided. From that point of view, this is not a product for the SME space.

Firstly, you need to understand what FireEye is trying to achieve. It relies on threat detection, plus data gathering and analysis. The emphasis here is solidly on information acquisition, analysis and reporting. This allows the administrator to gather information from a wide array of client machines. The information can then be processed, allowing you to take actions based upon it.

There is a basic front-page overview of the status of the deployed agents. This allows you to drill down into more detail. As an ongoing view, this is probably sufficient. The power comes once you drill into the Hosts, Enterprise Search, Acquisitions and Rules sections. The essential component here is building search routines to find what you are looking for. You can request containment of the device. This locks out the user whilst informing them of the centralised management control. You can then to dig through what is happening. This ability to lock out a device is a key component of the handling of a widespread malware event.

It should not be underestimated how much technical and systems knowledge is required to get the best from this. This is not a criticism. Indeed, for a hard-core IT administrator, it is a great strength to have access to this level of query and analysis of the network.

Windows endpoint protection software

The Windows desktop protection software displays a System Tray icon, from which a program window can be opened. This lets you see the event log and quarantined items.

FireEye Endpoint Security

If the user should inadvertently copy a malicious file to their system, FireEye will detect and quarantine it on access. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

FireEye Endpoint Security
Fortinet FortiClient with EMS, FortiSandbox and FortiEDR

Verdict

The Fortinet Enterprise Management Server package is a strong product. It is probably aimed at larger organisations. It is straightforward to deploy, but would benefit from more handholding for the smaller organisation. There is some welcome graphical reporting, but more help could be given to dig through the status of the network. The day-to-day operation would benefit from training time to get the most out of the product.

About the product

The server-based console is called FortiClient Endpoint Management Server (EMS), and the client is called FortiClient. The console requires a Windows Server OS (2008 R2) or later. There is endpoint protection software for Windows clients and servers, Mac OS X and Linux. Please note that as well as anti-malware functions, the product includes other features such as telemetry and secure remote access. These are not covered by this review, however.

Getting up and running

EMS is a local server-based product. Installing the management console is very simple and requires almost no user interaction, although you may have to restart the server during installation. The console functionality can be accessed from the desktop shortcut (dedicated window), or a web browser. Once up and running, there are some tasks you need to perform before the client can be deployed. The real-time protection feature of the endpoint protection software is disabled in the default policy. However, it is very simple to switch it on under Endpoint Profiles/Default.

You can then deploy the client to the desktop. Under Manage Installers/Deployment Packages you can create an installer with a specific program version and patch version. A URL to the server’s repository is then displayed, which you can use to download the installer to client machines. Setup is very quick and easy, and the client connects to the management server automatically. On the server side, there are good reports for devices discovered that are not part of the management structure, and it is easy to remediate this. There is a clear and clean view of the status of the network through the Dashboard/FortiClient Status view.

Creating users for the management console is fairly easy. A user can be assigned granular permissions. These include creation, update and deleting of various settings, and the abilities to manage endpoints. Finally, you can assign permissions for policy management here too. So, you can create a relatively fine-grained set of permissions here for various administrative levels.

There isn’t much in the way of handholding in the initial setup process for the smaller company. Clearly the product is aimed at larger organisations, with training and consultancy provided.

Everyday management

The Enterprise Management Server console has a fairly clear UI. It definitely benefits from a larger screen. There is a single menu down the left-hand side. Clicking an item here populates the right-hand side of the window. The Dashboard/FortiClient Status page provides a graphical overview of the platform and client status. You can click through from the items to get more data, but it is not always clear what detail has been uncovered. For example, taking our “2 infected endpoints”, we click through and get a view of the two devices. But again, there is little here to tell me what is actually wrong with these devices. More clarity here would help when dealing with problems and outbreaks.

The Vulnerability Scan page has an interesting set of “traffic light” views. These go from green (low) through yellow (medium) to orange (high) and red (critical). Underneath this is a set of buttons selecting what is being reported. For example, operating system, browser, MS Office and Services are shown. Moving the mouse over these buttons causes a graphical refresh of the traffic lights. However, it is not clear what the data means until you actually click on a button. This is a useful interface that is slightly compromised by its implementation.

Fortinet FortiClient with EMS, FortiSandbox and FortiEDR

The Endpoints page (shown above) allows you to look at the status of all endpoints. There is an attempt to be graphical here, but some of the icons could be clearer in their meaning.

Endpoint Profiles lets you build up the policy to be pushed to a user’s computer. It is quite straightforward and obvious what needs to be done here. There is a Basic/Advanced view button which is helpful if you want to dig into the details, or stay with a more simplified view.

Finally, Administration and System Settings allow control of the underlying settings of the platform.

It is fairly straightforward to get reports of what is happening, and initiate scans or remedial actions as required. The UI is quite well designed, but would benefit from some final polish to make it more obvious. A stronger splitting of setup from day-to-day and from system administration would help too.

Windows endpoint protection software

The Windows desktop protection software provides a program window with status information. Users can run scans, but not change any settings.

Fortinet FortiClient with EMS, FortiSandbox and FortiEDR

If a user should inadvertently copy a malicious file to the system, FortiClient will detect and quarantine it on access. An example alert is shown below. The user cannot take any action, other than to close the alert.

Fortinet FortiClient with EMS, FortiSandbox and FortiEDR

The GUI of the server protection software is identical to that of its desktop counterpart.

FortiEDR

The FortiEDR component of the package has a separate, cloud-based management console.

Fortinet FortiClient with EMS, FortiSandbox and FortiEDR

The Dashboard page, shown above, provides a graphical overview of threats and suspicious processes.

Event Viewer, shown below, gives details of such processes, and allows you to take action by e.g. investigating or deleting them. Other pages include Threat Hunting; Communication Control (applications and policies); Security Settings (security policies and automated incident response); Inventory (collectors, IoT and system components) and Administration (licensing, organizations, users etc.).

Fortinet FortiClient with EMS, FortiSandbox and FortiEDR
G DATA AntiVirus Business

Verdict

G DATA AntiVirus Business provides a sophisticated, server-based management console. It could be used to manage larger networks with multiple servers. It offers a wide range of functions, in a design similar to the Microsoft Management Console in Windows. It may appear slightly dated, and a little exploration may be needed to find all the functions. Nonetheless, professional system administrators should have no difficulty finding their way around it. There is some scope for customising the types of information displayed, which we liked. The endpoint protection software has a minimalist interface. However, admins can let users carry out simple everyday tasks such as updates and scans.

About the product

G Data uses a server-based console to manage endpoint protection software for Windows, Linux, Mac, iOS and Android devices.

Getting up and running

G Data provide a single installer package which you can use to set up both the management console and the endpoint protection software. The console installation wizard lets you use an existing SQL Server installation if you have one. Alternatively, it can install SQL Server 2014 Express along with the management software. Installation is very quick and simple. We note that you may need to adjust Windows Firewall settings on the server and clients to enable communication between them, however. When the console is first used, a deployment wizard runs, allowing you to push the endpoint software to clients over the network. Alternatively, you can run the installer on individual client devices. To connect the client to the server, just need to enter the latter’s IP address.

Everyday management

The panel in the top left-hand corner of the console displays the management server(s) in use. Here you can switch between different servers if you have more than one. For each server, the default Dashboard page of the console, shown above, provides a graphical display of 4 important status items. The first is the status of individual components, indicating what proportion of devices are correctly configured. Then there is the share of devices that have connected to the console recently. You can also see which clients have had the most detected threats. Finally, there is a timeline of important events.

G DATA AntiVirus Business

The Overview tab of the Clients page, shown above, displays a list of managed devices. You can see information such as status, definitions used, client version and operating system. The columns are customisable. Thus, you could also display the last active user, and various network items such as IP address and DNS server. From the row of buttons along the top, you can run various tasks. These include installing or uninstalling client software, updating the definitions and software, and deleting devices. The Software button on the top toolbar provides a detailed inventory of programs installed on the client device(s). Hardware shows basic system details such as CPU, RAM, and free storage space.

The Client settings pages lets you configure some options such as automatic signature and program updates. You can also allow users a degree of interaction with the endpoint software on their PCs. For example, you could let them run scans and/or display the local quarantine.

As you would expect, the Tasks page lets you see the status of any tasks, such as installation, that you have set up. Logs provides a detailed list of relevant events. These include malware detections, updates, and settings changes. Statistics lists the status of individual protection components, such as Email Protection and Anti-Ransomware.

In the bottom left-hand corner of the console are a number of shortcuts to specific pages. The Security page lists malware detections. Details provided are status, date and time, affected device, file name, threat name, and location. Info displays information relating to the anti-spam functionality. The Signatures page shows configuration options for definition updates. You can also run an update with a single click here. Program checks whether the management console itself is the latest available version.

Windows endpoint protection software

By default, the endpoint protection client has a minimalist user interface. There is a System Tray icon. This lets you run an update, and display details of the program version and current signatures. As mentioned above, you can change settings from the console to allow users to run scans, if you want. This adds a variety of scan options to the System Tray menu. It also adds a Scan for viruses (G Data Antivirus) item to Windows Explorer’s right-click context menu. If a user should inadvertently copy a malicious file to their system, G Data will detect and quarantine it on access. A sample alert is shown below:

G DATA AntiVirus Business

The interface and options for the server protection software are exactly the same as for the client.

K7 Cloud Endpoint Security

Verdict

K7 Cloud Endpoint Security is designed for enterprises of all sizes, but its ease of use makes it particularly suitable for smaller businesses and less-experienced administrators. It is very quick and straightforward to set up, due to the cloud-based console and very simple installation process. The management console is very easy to navigate, and the endpoint client lets users carry out scans and updates very simply. One minor suggestion for improvement would be a means of selecting multiple devices at once on the Devices page. However, overall it is very straightforward and intuitive to use.

About the product

K7 Cloud Endpoint Security uses a cloud-based administration console to manage endpoint protection software for Windows clients and servers.

Getting up and running

As the console is cloud-based, no installation is necessary. When you log on for the first time, a help page is displayed, with concise explanations of the features and how to use them.  Deploying endpoint protection software is almost as simple. All you need to do is go to the Settings page and download an installation package, then run this. The setup wizard is very simple, with no choices to be made. Thus, you can install the client with just a couple of clicks.

Everyday management

All the console’s functionality can be accessed from a single menu strip at the top of the window. When you log in, the console opens on the Dashboard page, which shows an overview of the system status. There are various detail panels, showing detected threats, blocked websites, violations of hardware policy, vulnerabilities detected, device security status, numbers of devices running specific Windows versions, and a timeline of threats discovered. There is a link from the Device Security Status panel to the Protected Devices page, so you can get more details just by clicking on it.

The Groups page of the console lists device groups you have created. There are links to the policy applied to each group, and a list of tasks you can apply to all group members.

The Devices page, shown in the screenshot below, lists individual computers on the network. The links in the Actions column let you view a computer’s details, uninstall Endpoint Security, or  change its group. For the latter two tasks, means of selecting multiple devices at once would be helpful.  Currently you can only select one device at a time.

K7 Cloud Endpoint Security

From the Application Control page, you can regulate which applications are allowed to run or access the LAN/Internet. This can be done very simply by selecting an application from the list, and selecting Block from Running, Block Internet Access or Block Network Access from the drop-down list. You can add an application not already on the list using its MD5 hash value. We note that a file’s MD5 hash could potentially be spoofed, and suggest that SHA256 would be more secure.

The Policies page lets you control settings for the endpoint software. These are conveniently ordered into groups such as Anti-Virus, Behaviour Protection, Firewall, Web Filtering and Device Control.

Under Actions you can create tasks to run on individual computers or groups. Available tasks include a variety of scans and a client update.

The Settings page lets you download installation packages for the endpoint protection software, and configure email notifications.

Reports page provides a very simple means of running reports on items such as detected threats, and vulnerabilities, websites blocked, and scan results.

Windows endpoint protection software

The Windows desktop protection software has a window with a component status display. This lets users run definition updates and a wide variety of scans. However, no settings are accessible to the user by default. This can be changed by the administrator in the policy, if so desired.

K7 Cloud Endpoint Security

Should the user inadvertently try to copy malware to the system, K7 will detect it on access, and delete it. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

K7 Cloud Endpoint Security

The GUI of the server protection software is identical to that of its desktop counterpart.

Kaspersky Endpoint Security for Business (KESB) - Select

Verdict

Kaspersky Endpoint Security for Business (KESB) Select is a tier of Kaspersky’s Endpoint Security for Business product line. It is a powerful and sophisticated product, aimed at medium-sized businesses and larger enterprises. There is very good cross-platform support, and the web-based console provides a wealth of functionality. The menu structure is straightforward. However, some learning time would be required to make the most of it.

About the product

Kaspersky Endpoint Security for Business Select provides server-based management tools. It supports management of endpoint software for Windows PCs and servers, Linux tablets, PCs and servers, and macOS. There is also support for Android and iOS mobile devices. Users can choose between a modern web-based console and a legacy MMC-based console. We have looked at the web-based console (shown in the screenshot above) in this review.

Getting up and running

Installing the management console is a straightforward process for an experienced administrator. An SQL database is required, which could be the free Microsoft SQL Server Express. You can use Windows credentials to log in to the console if you want. When you first run the web-based console, an optional brief tutorial is shown. This highlights the most important functions, and provides a brief description of each. Next, the Quick Start Wizard takes you through initial configuration. This includes defining the type of computers to be protected (server/workstation) and operating systems. Finally, the Protection Deployment Wizard lets you set up remote push software installation. This is a very neat and simple process. You can also install clients manually (there are three different methods of doing this).

Everyday management

The console functions are arranged in two menu bars across the top of the page. The upper menu bar shows the main functionality areas. These are Monitoring & Reporting, Devices, Users & Roles, Discovery & Deployment, and Operations. The lower menu bar provides access to the sub-pages of each major menu item. In some cases, the items on the lower menu bar open drop-down lists of further items.

The Monitoring and Reporting\Dashboard page provides a graphical overview of important items. These include protection status, new devices, plus details of threats and infected devices. Please see the screenshot above. The Reports page lets you run a wide variety of reports, on topics such as protection status, deployment, updates and threats. These can be easily accessed from a preconfigured list.

On the Notifications page, there is a list of recent alerts. You can filter these by topic, such as deployment, devices or protection.

The Devices tab, Managed Devices page lists managed computers, along with the status of major components. You can filter the list using criteria such as status, real-time protection or last connection time. The list is customisable, and so you can add additional criteria like operating system or network details. By selecting individual devices, you can run tasks on them. These include installation, deinstallation, or changing group membership.

Kaspersky Endpoint Security for Business (KESB) - Select

The Policies and Profiles page lets you create and apply new configuration policies. Device Selections provides advanced filtering options for selecting clients.

Under Users & Roles, you can see a list of predefined console users, along with Windows local and domain accounts for the Windows computers on the network. These can be assigned one of 16 different management roles for the console, allowing very granular access.

Discovery & Deployment includes various features for discovering unmanaged devices on the network, and deploying software to them. The Quick Start Wizard can be rerun from here. The Device Selections page lets you find devices in pre-configured groups. Examples include Databases are outdated and Devices with Critical status.

Amongst other things, the Operations tab provides an overview of licensing, repositories, and the quarantine functions. The Backup feature actually appears to be a standard quarantine function. Malware that had been detected on client PCs was found here. However, there is a separate Quarantine feature, which was empty after our test. The Kaspersky online knowledge base explains the functions of these two items: https://help.kaspersky.com/KSC/11/en-US/12429.htm

Windows endpoint protection software

The Windows desktop protection application is evidently designed for central management by IT staff, rather than local management by the end user. Consequently, under default settings, users can view settings, but not change them. The program window is essentially a comprehensive status display. It shows security status and detection statistics for the different technologies involved. These include machine learning, cloud analysis, and behavioural analysis. As in the console, the Backup feature is part of the quarantine functionality. We note that users can run manual scans of both local and remote drives, folders or files by means of the context menu in Windows Explorer.

Kaspersky Endpoint Security for Business (KESB) - Select

If the user should inadvertently copy a malicious file to the system, Kaspersky Endpoint Security will detect and quarantine it on access. No alert is shown on the desktop system. The GUI of the server protection software is identical to that of the client.

Microsoft Defender ATP’s Antivirus for Business with Intune

Verdict

The Intune cloud console has a very clean, modern design. It is very easy to navigate using the single menu bar on the left-hand side. The Live Tiles on the Dashboard page provide a good overview of the security situation. The integrated links mean that the admin can easily find more information, and take the necessary action. The management agent can easily be deployed manually in smaller companies. You can also deploy via Group Policy, for larger enterprises. Intune can be used to manage thousands of devices. Its intuitive, easy-to-navigate interface make it an excellent choice.

About the product

Intune is a cloud-based service. It provides companies with security management for their devices, apps and data. Platforms covered are Windows Desktop, Windows Mobile, macOS, iOS and Android. This review covers the use of Microsoft Intune to manage Windows’ out-of-box antivirus and security features. Please note that a dual management interface is available. In this review, we have covered the Classic interface, shown above.

Getting up and running

As the management console is cloud based, no installation is necessary. A management agent has to be deployed to the clients. After this, you can monitor and control them from the console. The agent is easily found under Admin/Client Software Download. You can install it manually on the client with just a couple of clicks. For larger networks, the admin can use Group Policy to deploy the software automatically.

In the case of Windows 10 and Windows 8.1 clients, Microsoft’s antivirus client is already incorporated into the operating system. No further software installation is required. With Windows 7 PCs, however, the antivirus client is not pre-installed, but is available as an update. If the Intune management agent is installed on a Windows 7 client without AV protection, the Microsoft AV client update will be installed automatically.

Everyday management

The Intune console is navigated using a very neat, clean menu column on the left-hand side. The Dashboard (home) page displays the status of different components using Live Tiles. The Endpoint Protection tile shows the number of devices with resolved and unresolved malware detections. These are displayed graphically as colour-coded bar charts. Other tiles provide information on Warnings/Critical Alerts, and Device Health. Clicking on an element within a tile, such as Warnings, opens the relevant details page for the item concerned.

Under Groups\Devices, you can see managed computers. There are details such as operating system and date & time of last update. The Protection page provides a more detailed overview of malware detections, device status and most frequently detected malware. There is also a list of all malware items that have been detected in the network. Alerts displays details of all security-related warnings, including reports any of failed client software deployments.

Endpoint protection software

The precise nature of the Windows desktop protection software GUI is dependent on the version of Windows installed on the PC. Recent Windows 10 clients (Builds 1809, 1903 and 1909) have the Windows Defender Security Center interface. This is shown below:

Microsoft Defender ATP’s Antivirus for Business with Intune

Older versions of Windows, including Windows 7 and 8.1, use the same GUI as Microsoft Security Essentials. This is similar to that of a typical consumer antivirus program. All variants allow the user to update malware definitions, and run full, quick, custom and context-menu scans.

Malware is detected on file copy, and quarantined. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

Microsoft Defender ATP’s Antivirus for Business with Intune

The GUI of the server protection software is essentially the same as its desktop counterpart. However, the components Account protection, Device performance & health and Family options are not included in Windows Server.

Panda Endpoint Protection Plus on Aether

Verdict

Panda Endpoint Protection Plus on Aether is a very strong product. It is powerful enough for larger organisations, but simple enough for smaller businesses too. It is very easy to set up, as it requires no on-site server. There is an excellent, very clean and useful administrative console. This has a clear installation and deployment workflow. We were particularly impressed with the clean and obvious design of the user interface, and the speed at which it could be mastered.

About the product

This is a cloud-console managed system. There are device clients for Windows/Linux servers, Windows/Linux/macOS PCs, and Android mobile devices. The desktop client software has a simple interface, which allows users to run updates and various scans. It is suitable for organisations of all sizes.

Getting up and running

The product is managed from a cloud-based console, which requires no installation. Deployment is carried out using the Add Computers button on the Computers page. You can download the installer directly, or click on Send by email. This opens an email message with a link for download and installation. This works for Windows, Linux, macOSand Android. The user clicks on the provided link to install the client, and this is then automatically licensed. Either installation method lets you pre-allocate the client to a management group.

Everyday management

Protection status and threat detection history are provided on the Status tab/Security page, which opens by default. There are excellent graphics for detected threats. These include offline computers, outdated protection, and blocked URLs here. This provides a solid daily overview of issues. We particularly liked it because it provides a headline view of the status, but allows you to click through for more detailed information. For example, clicking on the main Protection Status graphic takes you to the Computers page. The console’s quarantine function is accessed by clicking on Threats detected by the antivirus.

The Status tab includes a left-hand menu column, from which you can open additional status pages.

Web access and spam shows categories of website, such webmail, games and business, which users have accessed. Licenses is self-explanatory. A section called My Lists provides simple but useful overviews of different aspects of the network. There are links for hardware and software of managed computers, lists of unprotected workstations and servers, and threats detected by AV. This list is customisable, and a number of other categories can be added. These include computer protection status, and web access by computer.

The Computers tab, shown below, lists computers on the network. You can filter by various criteria, including OS, hardware and installed software. You can also display computers by management group.

Panda Endpoint Protection Plus on Aether

This page shows all the protected computers and mobile devices. It is very clearly laid out, and shows essential information. A Windows-like folder tree on the left lets you show devices by group.

Using the Settings tab/Users page, you can create console users and assign them full control or read-only access. The Settings/Security page lets you define separate security policies for computers and Android mobile devices. Under Settings/My Alerts you can set up email notifications for various items. These include malware and phishing detections, unlicensed/unmanaged/unprotected/unlicensed computers, and installation errors. Other settings pages let you manage updates and proxy servers etc.

Finally, the Tasks tab can be used to set up scheduled scans.

Windows endpoint protection software

The Windows desktop protection software allows access to solid end-user capabilities like Full Scan, Critical Areas Scan and Custom Scan. The user can force a synchronisation of the updates from the System Tray menu. However, there is no access to any settings.

Panda Endpoint Protection Plus on Aether

If a user should inadvertently copy a malicious file to their system, Panda will detect and quarantine it on access. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

Panda Endpoint Protection Plus on Aether

The GUI of the server protection software is identical to that of its desktop counterpart.

Sophos Intercept X Advanced

Verdict

There is a lot of power and capability here, and the design of the management console is clean and well laid out. Most of the product works in a clear and consistent way. For a reasonably experienced system administrator, it is straightforward to implement, deploy and manage. For new system admins, the scope of functionality available in the console may make essential AV management tasks a little slower to find.

About the product

Sophos Intercept X Advanced uses a cloud console (Sophos Central) to manage Windows clients and servers, Linux servers, and macOS clients. Intercept X uses neural network analysis of malware. It provides protection from ransomware and exploits, along with additional browser security. There are also investigative and removal capabilities.

Getting up and running

The product is wholly managed from a cloud-based console. Licenses are applied to this, and then can be handed out to client computers. Installing the client is very straightforward. You can download the installation package and install from that, or push it out through your chosen management interface.

Devices can be assigned to groups (as you would expect), and inherit centrally defined policy. Users are automatically created in Sophos Central when they use a Sophos-protected device. They can also be imported via CSV, and synched via an Active Directory application. A user account is also used to control access to the Sophos management facilities. A user can be classified as User, SuperAdmin, Admin, Help Desk and Read-only here. This allows a layered configuration of management of the Sophos platform. There is a range of capabilities which can be applied to policy. These include web URL blocking, peripheral control and management of application execution.

Everyday management

The Sophos Central Dashboard view is quite straightforward. It has a clean, uncluttered user interface, offering an overview of all the systems and protection capabilities. Here you can see how many endpoints are active, the most recent alerts, and statistics on the web URL access management.

The Alerts item gives you a list of all the alerts which have occurred. You can sort by Description, Count and Actions.

Logs and Reports shows a collection of default reports. A notable report here is Policy Violators. This shows those users who have tried to access blocked websites most often.

The Global Settings page does what you would expect. People provides a user-centric view of the network, letting you see all the devices assigned to a particular user, and all the activity associated with these.

Devices shows the managed devices on the network. These are separated into three different pages: Computers, Mobile Devices, Servers, as shown below:

Sophos Intercept X Advanced

Endpoint Protection takes you to another set of user interface and menus. This also has pages for Dashboard, Logs and Reports, People and Computers menu items. Here you can also configure policies, settings and download endpoint installation packages.

Windows Endpoint Protection Software

The Windows desktop protection software has a GUI with a comprehensive status display. It also allows users to carry out scan tasks. The Status tab displays the overall security status, and provides summaries of recent threat types. The Events tab lists recent malware detections. Users can run a full system scan from the Scan button on the Status page. Alternatively, they can right-click a file, folder or drive in Windows Explorer, and click Scan with Sophos Anti-Virus in the context menu.

Sophos Intercept X Advanced

If a user should inadvertently copy a malicious file to their system, Sophos will detect and quarantine it on-access . An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

Sophos Intercept X Advanced

The GUI of the server protection software is identical to that of its desktop counterpart.

SparkCognition DeepArmor Endpoint Protection Platform

Verdict

SparkCognition DeepArmor Endpoint Protection Platform (EPP) is very straightforward to set up. The console is cloud based, and the deployment process is simple. The management console has a very clean design that avoids overwhelming the admin. Getting the most out of the product would doubtless take some time, but the user interface makes this process as easy as possible.

About the product

SparkCognition uses a cloud-based console to manage the endpoint protection software. There are clients for Windows, Mac and Linux systems.

Getting up and running

The console does not require any installation, as it is cloud-based. Deployment of endpoint protection software is similar for all platforms. You just download the appropriate installer from the Deployment page of the console, and run it on the respective client device. This is a very straightforward process. You can install Windows clients using System Centre Configuration Manager or PowerShell.

Everyday management

When you log in to the console, you will see the Alerts Dashboard (screenshot above). This provides a summary of recent threats. The Devices Dashboard displays a device-centred overview. This shows you the total number of devices on your network, group membership, devices at risk, device connection status, and distribution of different endpoint agent versions. The title text for each dashboard panel is a link to more details. For example, clicking Medium Risk Devices shows you a list of devices with that status.

SparkCognition DeepArmor Endpoint Protection Platform

On the Devices page, you can see individual computers on your network. You can display these as tiles, as shown above, or as a simple list. By selecting a device or devices, you can run scans, change group membership, or remove from the console. It is possible to filter the devices displayed by using drop-down lists at the top of the page. You can filter by device group, device status, device risk, device platform or device version.

The Alerts page shows recent alerts, along with details. These include the file name of the malware, how it was detected, detection name, “confidence” (probability that the file really is malicious), name of affected device, time of detection, action taken or required, and file hash. Sub-tabs of each file’s details page show all detections of the file across the network (Occurrences). Clicking on an entry provides further details in a separate page. The Take Action button here provides the options Remote Remediate, Remote Restore, and External Remediate. These allow the admin to take immediate action.

The Administration menu includes the submenus Users, Security Policies, Device Groups, Global Lists, Audit Logs and Reporting. Users lets you add, edit and remove console administrators, who can be assigned varying levels of access (Admin, Manager or Auditor). Under Security Policies you can assign preconfigured settings to individual devices or groups. You can manage the latter from the Device Groups page. You can create whitelists of files and certificates, and file blacklists, under Global Lists. A list of admin logins and logouts can be found under Audit Logs. The Reporting page lets you create reports for specific groups or all devices. You can choose the time period covered by the report, and who will receive it.

On the Deployment page you can find installers for Window, macOS, and various different Linux distributions. Finally, Subscription shows you the total number of device licences available and used, and the validity period.

Windows endpoint protection software

The endpoint protection client has a GUI, but does not allow users to take any action. The Notification page (bell icon) lists the most recent threats discovered. The Protection page shows the configuration options for protection components, but these are deactivated by default.

SparkCognition DeepArmor Endpoint Protection Platform

In our test, we found that malware copied to the test system was not detected on access. However, when executed, it was detected and quarantined on access. An example alert is shown below. The user cannot take any action, and the alert closes after a few seconds.

SparkCognition DeepArmor Endpoint Protection Platform

The GUI of the server protection software is identical to that of its desktop counterpart.

VIPRE Endpoint Security Cloud

Verdict

This product impresses with clear design, simple operational processes and strong reporting features. Even a less-experienced user could deploy the agent and manage the network. The product shows what clear thinking and good deployment flow can bring. There is strong reporting and an obvious process for day-to-day operation.

About the product

VIPRE Endpoint Security Cloud uses a cloud-based console to manage Windows and macOS clients and Windows servers. VIPRE Endpoint Security is the client that runs on the desktop. VIPRE tell us that the cloud service runs on the Amazon AWS cloud, and that this brings efficiency, scalability and growth.

Getting up and running

Access to the web portal is straightforward via a standard username/password login combination (two-factor authentication is also available). The user interface immediately impresses with its clean and clear design. The first page you see has a Getting Started area. This covers deploying of agents, creation of users and the setting of appropriate policies. The next section deals with more advanced post-setup topics. These include Dashboard, Devices, Exclusions, Notifications and Reports. A link on the Getting Started page takes you to the Deploy Agents page of the console. From here you can download installers for the endpoint software, or use the email function to send links to users. We note that when a new version of the agent installer is made available, the page displays a note to that effect. You can either approve the new version for all devices, or try it out on a few test machines first.

Everyday management

Once you have deployed the endpoint software to your devices, the menus on the left-hand side come into play. From the top, the Monitor section covers Dashboard which is a straightforward view of the status of all the clients. It is obvious which ones need attention, what the device and threat count is, and the version numbering of the devices deployed.

Quarantine gives a strong overview of the quarantine actions over the past week. You can easily extend the reporting-time window using obvious choices such as “Last 24 hours”, “Last 3 days” and so forth. The reporting is clear and clean, showing what devices have had issues, and with which malware sources.

Reports lets you dig into the data in a more detailed fashion, for example by client, by malware, by action taken, by policy definition. All of these are clear and clean, but more designed to be used through the web console. You can set up notifications and reports to be sent through the System menu.

VIPRE Endpoint Security Cloud

The next section is Manage, which covers Devices (shown above). This displays which devices are in play, and their operational status. For any device or group, you can assign policy, run a scan, update the definitions, reboot the device, or delete the agent.

Policies lets you control how the clients are allowed to operate, and the security policies that they will deploy. There is a wide range of customisation here, but the Default Enterprise settings will probably be appropriate for most users. Here you can allow users to interact with the VIPRE client. For example, you can allow them to scan items via a right click, or force USB devices to be scanned on insertion.

Exclusions allows you to create exclusion lists of files, paths, folders and so forth that are excluded from scanning. This might, for example, include some shared space that is managed in a different way from normal storage.

Finally, the Setup area covers system settings and all the main defaults of the platform. Deploy Agents allows you to download an agent installer package, to create a policy installer, and to invite users via email. Profile lets you enable two-factor authentication.

The web console impresses both from the initial setup and deployment through to the ongoing management. The defaults are sensible, the screens clear and clean, and it is obvious what it is reporting and how healthy the clients are. It is simple to get clients to do centrally managed tasks, and the configuration of policy is easy too. Creating users is simple, and they can have the role of Admin or Analyst. The latter might be appropriate for, say, a help desk operative.

It is simple to create ongoing reports, and you don’t need to specify a mail server to send it through – this is provided for you. We would say the platform is appropriate for any size of company, from a small business with a few seats, through to a much larger organisation. The UI of the management console was always responsive under testing. It is built to cope with thousands of desktops and large numbers of events.

Windows endpoint protection software

The Windows desktop protection software is very similar to a consumer antivirus program. By default, users can run scans and updates, and view quarantine. However, they cannot not change settings or restore quarantined items. Admins can give users increased or reduced functionality, by means of changing the applicable policy from the console.

VIPRE Endpoint Security Cloud

If a user should inadvertently copy a malicious file to their system, VIPRE will detect and quarantine it on access. An example alert is shown below. The user cannot take any actions, other than to close the alert.

VIPRE Endpoint Security Cloud

The GUI of the server protection software is identical to that of its desktop counterpart.

VMware Carbon Black Cloud

Verdict

The manufacturers have clearly put a lot of thought into making Carbon Black Cloud intuitive to use. The design principle of the console is to show essential information without overwhelming the admin. You can drill down to get more details when you want. We found it very straightforward to see what actions were necessary, and to carry these out. Despite the simplicity of the design, the package provides a high degree of functionality. This makes it suitable for both larger and smaller businesses.

About the product

Carbon Black Cloud uses a cloud-based console to manage endpoint security software. There is support for Windows, macOS and Linux clients, and Windows Servers.

Getting up and running

The Carbon Black Cloud console is cloud based, so no installation is required. You just log on with your credentials and the console is ready to use.

You can install endpoints from the Sensor Options menu on the Endpoints page. There are two main options here, downloading the installer, or sending an installation link to users via email. Both are very quick and straightforward. The installation wizard is simple, only requiring you to accept the licence agreement and enter a vendor-provided code. Once setup has completed, the device will show up on the Endpoints page of the console.

Everyday management

All the main functionality of the console is found in a single menu column on the left-hand side of the page. This makes it very easy to navigate. The Dashboard page shows you an overview of threats, displayed in panels. These are Attacks stopped, Potentially Suspicious Activity, Attack Stages, Attacks by Vector, Top Alerted Devices, and Top Alerted Applications. There is also an Endpoint Health panel, which lets you see if you need to take action on any devices. The Getting Started panel shows the status of common tasks, such as adding console administrators.

The Alerts page shows you a list of threats encountered in chronological order. You can investigate any individual threat in more detail from here.

On the Investigate page, you can see a chronological list of events on any particular device. This allows you to monitor network connections and program executions, and build up a detailed picture of security-related events.

Enforce is home to the Policies page (amongst other things). Various configuration options for the endpoint protection software can be configured here. We found it very easy to create, edit and apply a new policy to specific endpoints. Policy changes take effect on applicable devices as soon as you log in to them. Malware Removal is also found under the Enforce sub-menu. Here you can see a list of quarantined malicious items, which you can e.g. investigate, delete or blacklist/whitelist. Malware is removed very quickly once you have given the command to delete it.

VMware Carbon Black Cloud

The Endpoints page, shown above, provides an overview of devices on the network. Details are kept to a very manageable level (status, details of the OS and sensor version, policies and last check-in time), but you can easily get more information about an individual device just by clicking on its name. This will show take you to that device’s Investigate page. A search box lets you search for a specific client in a larger network.

The Settings menu item lets you configure options for the console/system as a whole. These include Users and Notifications.

Windows endpoint protection software

The Windows desktop protection software has a minimalist interface. You can display a list of the most recent blocked threats, by right-clicking the System Tray icon. Users cannot change any settings or run any tasks.

VMware Carbon Black Cloud

If the user should inadvertently copy a malicious file to their system, Carbon Black will detect it on access, and quarantine it in situ. Should the user then try to execute the file, an alert like the one below will be shown. The user cannot take any action, and the alert closes after a few seconds.

VMware Carbon Black Cloud

The GUI of the server protection software is identical to that of its desktop counterpart.

Verdict

The manufacturers have clearly put a lot of thought into making Carbon Black Cloud intuitive to use. The design principle of the console is to show essential information without overwhelming the admin. You can drill down to get more details when you want. We found it very straightforward to see what actions were necessary, and to carry these out. Despite the simplicity of the design, the package provides a high degree of functionality. This makes it suitable for both larger and smaller businesses.

About the product

Carbon Black Cloud uses a cloud-based console to manage endpoint security software. There is support for Windows, macOS and Linux clients, and Windows Servers.

Getting up and running

The Carbon Black Cloud console is cloud based, so no installation is required. You just log on with your credentials and the console is ready to use.

You can install endpoints from the Sensor Options menu on the Endpoints page. There are two main options here, downloading the installer, or sending an installation link to users via email. Both are very quick and straightforward. The installation wizard is simple, only requiring you to accept the licence agreement and enter a vendor-provided code. Once setup has completed, the device will show up on the Endpoints page of the console.

Everyday management

All the main functionality of the console is found in a single menu column on the left-hand side of the page. This makes it very easy to navigate. The Dashboard page shows you an overview of threats, displayed in panels. These are Attacks stopped, Potentially Suspicious Activity, Attack Stages, Attacks by Vector, Top Alerted Devices, and Top Alerted Applications. There is also an Endpoint Health panel, which lets you see if you need to take action on any devices. The Getting Started panel shows the status of common tasks, such as adding console administrators.

The Alerts page shows you a list of threats encountered in chronological order. You can investigate any individual threat in more detail from here.

On the Investigate page, you can see a chronological list of events on any particular device. This allows you to monitor network connections and program executions, and build up a detailed picture of security-related events.

Enforce is home to the Policies page (amongst other things). Various configuration options for the endpoint protection software can be configured here. We found it very easy to create, edit and apply a new policy to specific endpoints. Policy changes take effect on applicable devices as soon as you log in to them. Malware Removal is also found under the Enforce sub-menu. Here you can see a list of quarantined malicious items, which you can e.g. investigate, delete or blacklist/whitelist. Malware is removed very quickly once you have given the command to delete it.

VMware Carbon Black Cloud

Award levels reached in this Business Security Tests and Review

As in previous years, we are giving our “Approved Business Product” award to qualifying products. As we are conducting two tests for business products per year, separate awards will be given to qualifying products in July (for March-June tests), and December (for August-November tests).

To be certified in July 2020 as an “Approved Business Product” by AV-Comparatives, the tested products must score at least 90% in the Malware Protection Test with zero false alarms on common business software, and at least 90% in the overall Real-World Protection Test (i.e. over the course of four months), with less than one hundred false alarms on any clean software/websites (and with zero false alarms on common business software). Tested products must also avoid major performance issues (impact score must be below 40) and have fixed all reported bugs in order to gain certification.

We congratulate the vendors shown below, whose products met the certification criteria, and are thus given the AV-Comparatives Approved Business Security Product Award for July 2020.

Although Fortinet achieved very good malware protection scores, it unfortunately did not reach all the requirements for the July 2020 Approved Award. This was due to significant performance impact on low-end hardware. We hope to see these issues resolved in the second round of testing this year (results of which are due in December 2020). The Performance Test in the second half of the year is always performed on high-end hardware.

APPROVED
AcronisAPPROVED
AvastAPPROVED
BitdefenderAPPROVED
CiscoAPPROVED
CrowdStrikeAPPROVED
CybereasonAPPROVED
ElasticAPPROVED
ESETAPPROVED
FireEyeAPPROVED
FortinetNOT APPROVED
G DATAAPPROVED
K7APPROVED
KasperskyAPPROVED
MicrosoftAPPROVED
PandaAPPROVED
SophosAPPROVED
SparkCognitionAPPROVED
VIPREAPPROVED
VMwareAPPROVED

Copyright and Disclaimer

This publication is Copyright © 2020 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.

For more information about AV-Comparatives and the testing methodologies, please visit our website.

AV-Comparatives
(July 2020)