Business Security Test 2025 (March – June)

Date June 2025
Language English
Last Revision July 15th 2025

Containing Real-World Protection, Malware Protection and Performance Tests & Product Descriptions


Release date 2025-07-15
Revision date 2025-07-15
Test Period March - June 2025
Online with cloud connectivity Yes
Update allowed Yes
False Alarm Test included Yes
Platform/OS Microsoft Windows

Introduction

This is the first half-year report of our Business Main-Test Series of 2025, containing the results of the Business Real-World Protection Test (March-June), Business Malware Protection Test (March), Business Performance Test (June), as well as the product descriptions.

Please note that the results of the Business Main-Test Series cannot be compared with the results of the Consumer Main-Test Series, as the tests are done at different times, with different sets, different settings, etc.

AV security software caters to businesses of all sizes and types. However, the suitability of a particular software solution varies depending on the scale of operations. Before selecting an appropriate software, it is crucial to understand the business environment in which it will be deployed, enabling informed decision-making.

Let’s focus on the smaller end of the market. These environments typically emerge from micro businesses where consumer-grade AV products might have sufficed. However, as the business expands beyond a few machines, the importance of AV management becomes evident. This is particularly critical when considering the potential business and reputational damage that can result from a significant, uncontained malware outbreak.

In the smaller SME segment, on-site IT managers or professionals are often absent. Instead, the responsibility of “computer maintenance” falls on an interested non-expert, usually a senior partner with other primary roles in the business. This model is commonly found in retail, accountancy, and legal professions. In such cases, it is essential to have a centralized overview of all computing assets and instant clarity regarding the protection status in a straightforward manner. If necessary, remediation can involve temporarily disconnecting a machine, transferring the user to a spare device, and waiting for an IT professional to arrive on-site for cleanup and integrity checks. While users may be kept informed about the status, managing the platform remains the responsibility of one or a few senior individuals within the organization. These decisions are often driven by the company’s overriding need for data confidentiality.

In larger organizations, having dedicated on-site IT specialists, including network security professionals, is expected. The Chief Technology Officer (CTO) in such organizations seeks straightforward, real-time statistics and a management overview that allows for detailed analysis of data to address emerging issues. Software installation engineers play a vital role in ensuring correct and appropriate deployment of the AV package on new machines. It is crucial to monitor and detect when machines become disconnected from the network to prevent the presence of rogue and unprotected devices on the LAN. Additionally, a help desk role serves as the first line of defense, responsible for monitoring and tracking malware activity and taking appropriate actions, such as initiating a wipe-and-restart process on compromised computers.

In this larger organizational structure with multiple layers, remediation and tracking become key tasks. Identifying a malware infection is only the beginning; effectively handling and tracing the infection back to its original point are essential functions in larger organizations. If weaknesses in network security and operational procedures cannot be clearly identified, the risk of future breaches remains high. To fulfil this role, comprehensive analysis and forensic tools are required, with a focus on understanding the timeline of an attack or infection originating from a compromised computer. However, presenting this information coherently is challenging, as it involves processing vast amounts of data and employing tools to filter, categorize, and highlight unfolding issues, often in real time.

Due to these significant differences, it is crucial to accurately assess the organization’s needs and risk profile to identify the appropriate security tool. Under-specifying can lead to breaches that are difficult to manage, while over-specifying results in a system so complex that it becomes challenging to deploy, use, and maintain effectively. The business becomes vulnerable to attacks due to the confusion and lack of compliance resulting from an overly complex system.

One crucial consideration for businesses is choosing between a cloud-based or server-based console. Cloud-based consoles are quick to set up and generally do not require additional configuration of client devices. On the other hand, server-based consoles require more initial setup work, including configuring clients and the company firewall. However, they provide the advantage of having the entire setup on the company’s premises and under the direct control of the administrator. For smaller businesses with limited IT staff, cloud-based consoles may be a more accessible option. It’s important to note that manufacturers often offer both cloud-based and server-based options for managing their products. The console types mentioned here refer specifically to the product used in our tests. It is recommended to consult the respective vendor to explore other console types that may be available.

Avast and VIPRE offer user-friendly cloud consoles that are well-suited for smaller businesses without dedicated IT staff. These solutions are also suitable for larger companies, allowing for business growth. G Data and K7 utilize server-based consoles that are straightforward for experienced Windows professionals and can be used by SMEs and beyond.

For businesses of the same size seeking cloud-based management solutions, Bitdefender, ESET, Kaspersky, ManageEngine, Microsoft, NetSecurity, Rapid7, SenseOn, and Sophos provide robust and comprehensive options.

At the larger end of the market, Cisco, CrowdStrike, Elastic, and Trellix offer exceptionally powerful tools. However, their suitability for your organization, both in its current state and future growth plans over the next five years, should be carefully planned. Seeking external expertise and consultancy is recommended during the planning and deployment stages, as these tools require significant training and ongoing support. Nonetheless, they offer capabilities that surpass those of smaller packages.

Tested Products

The following business products were tested under Microsoft Windows 11 64-bit:

In business environments, and with business products in general, it is usual for products to be configured by the system administrator in accordance with the vendor’s guidelines, and so we invited all vendors to configure their respective products.

Only a few vendors ship their products with ready-to-use default settings that they consider optimal; these vendors therefore did not change any settings.

Please keep in mind that the results reached in the Enterprise Main-Test Series were only achieved by applying the respective product configurations described here. Any setting listed here as enabled might be disabled in your environment, and vice versa. This influences the protection rates, false alarm rates and system impact. The applied settings are used across all our Enterprise Tests over the year. That is to say, we do not allow a vendor to change settings depending on the test. Otherwise, vendors could e.g. configure their respective products for maximum protection in the protection tests (which would reduce performance and increase false alarms), and maximum speed in the performance tests (thus reducing protection and false alarms). Please note that some enterprise products have all their protection features disabled by default, so the admin has to configure the product to get any protection.

Below we have listed relevant deviations from default settings (i.e. setting changes applied by the vendors):

Avast: “Patch Management” and “VPN” features were not installed.

Bitdefender: “Sandbox Analyzer” (for Applications, Documents, Scripts, Archives and Emails) enabled. “Analysis mode” set to “Monitoring”. “Scan SSL” enabled for HTTP and RDP. “HyperDetect” and “Device Control” disabled. “Update ring” changed to “Fast ring”. “Web Traffic Scan” and “Email Traffic Scan” enabled for Incoming emails (POP3). “Ransomware Mitigation” enabled. “Process memory Scan” for “On-Access scanning” enabled. All “AMSI Command-Line Scanner” settings enabled for “Fileless Attack Protection”.

Cisco: “On Execute File and Process Scan” set to Active; “Exploit Prevention: Script Control” set to “Block”; “TETRA Deep Scan File” disabled; “Exclusions” set to “Microsoft Windows Default”; Engines “ETHOS” and “SPERO” disabled. “Exploit Prevention” set to “Aggressive”. “Submit Files for Malware Analysis” set to “Active”. “MaxScanFileSize” increased to 250 MB; “MaxArchiveScanFileSize” increased to 500MB.

CrowdStrike: everything enabled and set to maximum, i.e. “Extra Aggressive”. “On Write Script File Visibility” and “Unknown detection-related executable analysis” enabled. “On-demand Scans” and “Unknown executables analysis” disabled. “Early adopter sensor builds” enabled.

Elastic: MalwareScore (“windows.advanced.malware.threshold”) set to “aggressive”, and Rollback-SelfHealing (“windows.advanced.alerts.rollback.self_healing.enabled”) enabled. “Credential hardening” enabled.

ESET: Under “Protections” all “Detection responses” were set to “Aggressive”. “Detection of potentially unwanted programs” enabled.

G Data: “BEAST Behavior Monitoring” set to “Halt program and move to quarantine”. “BEAST Automatic Whitelisting” deactivated. “G DATA WebProtection” add-on for Google Chrome installed and activated. “Malware Information Initiative” enabled.

Kaspersky: “Adaptive Anomaly Control” disabled; “Detect other software that can be used by criminals to damage your computer or personal data” enabled.

ManageEngine: In the Ransomware Detection Settings, the Detection Policy was set to “Kill Process”, and the Detection Sensitivity was set to “Standard”. In the Next-Gen Antivirus section, the Detection Trigger “Enable On Write and Enable On DLL Load” was enabled, and the Detection Policy was set to “Kill & Quarantine”.

Microsoft: “CloudExtendedTimeOut” set to 50; “PuaProtection” enabled. “SubmitSamplesConsent” set to “SendAllSamples”. Google Chrome extension “Windows Defender Browser Protection” installed and enabled.

Rapid7: Under “On-Access Scanning”, the “Agent action” was set to “Disinfect”. “Data Encryption Attacks” was set to Block.

SenseOn: Under “Endpoint Protection”, the “Protection Level” was set to “Respond”. “Real Time Process Protection” was enabled, and the sensitivity set to “Medium”.

Sophos: “Threat Graph creation”, “Web Control” and “Event logging” disabled.

Trellix: “Trellix Endpoint Security Web Control” add-on for Google Chrome enabled. “Access Protection”, “Firewall” and “Exploit Prevention” disabled.

VIPRE: “IDS” enabled and set to “Block With Notify”. “Firewall” enabled. “Incompatible Software Handling” disabled.

K7, NetSecurity: default settings.

Information about additional third-party engines/signatures used by some of the products: Cisco, G Data, Rapid7, SenseOn and VIPRE use the Bitdefender engine (in addition to their own protection features).

The Kaspersky product tested might also be known as “Kaspersky Next EDR Foundation”.

The “ENS” version of Trellix in this test uses the erstwhile McAfee engine (now owned by Trellix), as opposed to the “HX” version, which uses the FireEye engine (McAfee Enterprise and FireEye were merged into Trellix in 2022).

We congratulate the vendors who are participating in the Business Main-Test Series for having their business products publicly tested by an independent lab, showing their commitment to improving their products, being transparent to their customers and having confidence in their product quality.

Test Procedure

The test series consists of three main parts:

The Real-World Protection Test mimics online malware attacks that a typical business user might encounter when surfing the Internet.

The Malware Protection Test considers a scenario in which the malware pre-exists on the disk or enters the test system via e.g. the local area network or removable device, rather than directly from the Internet.

In addition to each of the protection tests, a False-Positives Test is conducted, to check whether any products falsely identify legitimate software as harmful.

The Performance Test looks at the impact each product has on the system’s performance, i.e. how much it slows down normal use of the PC while performing certain tasks.

To complete the picture of each product’s key capabilities, there is a product description included in the report as well.

Some of the products in the test are clearly aimed at larger enterprises and organisations, while others are more applicable to smaller businesses. Please see each product’s review section for further details.

Kindly note that some of the included vendors provide more than one business product. In such cases, other products in the range may have a different type of management console (server-based as opposed to cloud-based, or vice-versa); they may also include additional features not included in the tested product, such as endpoint detection and response (EDR). Readers should not assume that the test results for one product in a vendor’s business range will necessarily be the same for another product from the same vendor.

For additional tests, please also have a look at the “Endpoint Prevention and Response (EPR) Tests” https://www.av-comparatives.org/enterprise/testmethod/endpoint-prevention-response-tests/ and “Advanced Threat Protection (ATP) Tests” https://www.av-comparatives.org/enterprise/testmethod/advanced-threat-protection-tests/

Test Results

Real-World Protection Test (March-June)

The results below are based on a test set consisting of 438 test cases (such as malicious URLs), tested from the beginning of March 2025 till the end of June 2025.

Vendor        Blocked  User dependent  Compromised  Protection rate*  False alarms
Elastic       438      -               -            100%              17
Bitdefender   437      -               1            99.8%             1
VIPRE         435      -               3            99.3%             1
Kaspersky     435      -               3            99.3%             3
Trellix       434      1               3            99.2%             22
Avast         434      -               4            99.1%             14
Microsoft     433      -               5            98.9%             5
ESET          432      -               6            98.6%             6
CrowdStrike   432      -               6            98.6%             14
G Data        431      -               7            98.4%             1
K7            430      -               8            98.2%             23
Sophos        427      -               11           97.5%             7
NetSecurity   425      -               13           97.0%             17
ManageEngine  419      -               19           95.7%             6
SenseOn       416      -               22           95.0%             1
Cisco         415      -               23           94.7%             0
Rapid7        411      -               27           93.8%             0

* Protection rate = Blocked % + (User dependent %)/2

User-dependent cases are given half credit. For example, if a program blocks 80% by itself, and another 20% of cases are user-dependent, we give half credit for the 20%, i.e. 10%, so it gets 90% altogether.


Malware Protection Test (March)

The following chart shows the results of the Business Malware Protection Test:

False positive (false alarm) test with common business software

A false alarm test done with common business software was also performed. All tested products had zero false alarms on common business software.

Vendor(s)                 Malware protection rate   False alarms on common business software
Elastic, Kaspersky        100%                      0
Avast                     99.7%                     0
Bitdefender, Cisco        99.6%                     0
ESET, G Data              99.5%                     0
VIPRE                     99.4%                     0
CrowdStrike, Microsoft    99.3%                     0
Rapid7                    99.1%                     0
SenseOn                   99.0%                     0
NetSecurity               98.9%                     0
Trellix                   98.4%                     0
Sophos                    98.0%                     0
K7                        96.1%                     0
ManageEngine              91.5%                     0


In order to better evaluate the products’ detection accuracy and file detection capabilities (ability to distinguish benign files from malicious files), we also performed a false alarm test on non-business software and uncommon files. Results are shown in the tables below; the false alarms found were promptly fixed by the respective vendors. However, organisations which often use uncommon or non-business software, or their own self-developed software, might like to consider these results. Products are required to have an FP rate on non-business files below the Remarkably High threshold in order to be approved. This is to ensure that tested products do not achieve higher protection scores by using settings that might cause excessive levels of false positives.

FP rate           Number of FPs on non-business software
Very low          0 – 5
Low               6 – 15
Medium/Average    16 – 35
High              36 – 75
Very high         76 – 125
Remarkably high   > 125

FP rate on non-business software   Vendor(s)
Very Low                           Bitdefender, ESET, G Data, K7, Kaspersky, VIPRE
Low                                Avast, Cisco, Microsoft, Rapid7
Medium/Average                     Sophos, Trellix
High                               CrowdStrike, Elastic, ManageEngine, SenseOn
Very High                          NetSecurity
Remarkably High                    (none)

Performance Test (June)

These specific test results show the impact on system performance that a security product has, compared to the other tested security products. The reported data just gives an indication and is not necessarily applicable in all circumstances, as too many factors can play an additional part. The testers defined the categories Slow, Mediocre, Fast and Very Fast by consulting statistical methods and taking into consideration what would be noticed from the user’s perspective, or compared to the impact of the other security products. If some products are faster/slower than others in a single subtest, this is reflected in the results.

Overview of single AV-C performance scores

Ratings: VF = Very fast, F = Fast, M = Mediocre, S = Slow.
Columns: FC1/FC2 = File copying (first run / subsequent run); Arch = Archiving/Unarchiving; Inst = Installing applications; LA1/LA2 = Launching applications (first run / subsequent run); Down = Downloading files; Web = Browsing websites.

Vendor        FC1  FC2  Arch  Inst  LA1  LA2  Down  Web
Avast         VF   VF   VF    VF    VF   VF   F     VF
Bitdefender   F    VF   M     F     F    F    VF    VF
Cisco         VF   VF   VF    M     VF   VF   VF    VF
CrowdStrike   VF   VF   VF    M     M    M    VF    VF
Elastic       VF   VF   VF    M     M    F    VF    VF
ESET          VF   VF   VF    VF    VF   VF   VF    VF
G Data        VF   VF   F     F     VF   VF   VF    VF
K7            VF   VF   F     VF    VF   VF   VF    VF
Kaspersky     VF   VF   F     VF    M    VF   VF    VF
ManageEngine  VF   VF   VF    F     M    M    VF    VF
Microsoft     VF   VF   F     F     VF   VF   VF    VF
NetSecurity   VF   VF   VF    VF    VF   VF   VF    VF
Rapid7        F    VF   F     M     M    M    VF    VF
SenseOn       (see note)
Sophos        M    VF   F     F     M    M    VF    VF
Trellix       VF/S (see note)   M   VF   M    F    VF    VF
VIPRE         F    VF   M     F     F    F    VF    VF

Note: the Slow icon carries no text in the extracted table, so one rating is missing from each of the SenseOn and Trellix rows. Trellix: the two file-copying runs were rated Very fast and Slow (which run got which is not shown); the remaining columns are as listed. SenseOn: the ratings M, F, M, VF, VF, VF, VF appear in table order plus one Slow rating whose column is not shown.

Procyon Tests

In order to provide an industry-recognized performance test, we used the UL Procyon® Benchmark Suite (for more information, see https://benchmarks.ul.com/procyon/office-productivity-benchmark), in particular the Office Productivity Benchmark. Anyone using this benchmark (Procyon® is a registered trademark of UL Solutions) should take care to minimize all external factors that could affect the testing suite, and should strictly follow at least the suggestions documented in the manual in order to get consistent and valid/useful results. Furthermore, the tests should be repeated several times to verify them. For more information about the various consumer-scenario tests included in the benchmark suite, please read the documentation on their website.

“No security software” is tested on a baseline system without any security software installed, which scores 100 points in the Procyon benchmark.

Baseline system: Intel Core i3 machine with 8GB RAM and SSD drive

Summarized results

Users should weigh the various subtests according to their needs. We applied a scoring system to sum up the various results. Please note that for the File Copying and Launching Applications subtests, we recorded the results for the first run and for subsequent runs separately. For the AV-C score, we took the rounded mean of the first and subsequent runs for File Copying, whilst for Launching Applications we considered only the subsequent runs. “Very fast” gets 15 points, “fast” gets 10 points, “mediocre” gets 5 points and “slow” gets 0 points. This leads to the following results:
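The protection-rate formula from the Real-World Protection Test and the AV-C performance scoring rules above, worked through in code. This is an added example, not code from the AV-Comparatives report; the rating names, the column keys in SUBTESTS and the function names are assumptions, and the sample inputs are constructed from rows of the report's own tables.

```python
# Added example, not part of the AV-Comparatives report. Reproduces the
# report's two published scoring rules on values taken from its tables.

POINTS = {"very fast": 15, "fast": 10, "mediocre": 5, "slow": 0}

# Assumed column keys, in the order of the report's performance table.
SUBTESTS = ("file_copy_first", "file_copy_subsequent", "archiving",
            "installing", "launch_first", "launch_subsequent",
            "downloading", "browsing")


def protection_rate(blocked: int, user_dependent: int, compromised: int) -> float:
    """Real-World Protection rate in percent, rounded to one decimal.
    Blocked cases count fully, user-dependent cases count half (the report's
    [Blocked % + (User dependent %)/2] rule), compromised cases not at all."""
    total = blocked + user_dependent + compromised
    if total == 0:
        raise ValueError("no test cases")
    return round(100 * (blocked + user_dependent / 2) / total, 1)


def round_half_up_mean(a: int, b: int) -> int:
    """Rounded mean of two whole point values, rounding .5 upwards.
    The report's table gives Bitdefender 68 points, which requires its
    file-copying mean 12.5 to round to 13; Python's built-in round(12.5)
    returns 12 (round-half-to-even), so integer arithmetic is used instead."""
    return (a + b + 1) // 2


def avc_score(ratings: dict) -> int:
    """AV-C performance score from the eight per-subtest ratings.
    File copying: rounded mean of first and subsequent run.
    Launching applications: subsequent run only (first run is ignored).
    Other subtests: their single rating. Maximum is 6 x 15 = 90 points."""
    missing = [s for s in SUBTESTS if s not in ratings]
    if missing:
        raise ValueError(f"missing ratings: {missing}")
    p = {s: POINTS[ratings[s].lower()] for s in SUBTESTS}
    return (round_half_up_mean(p["file_copy_first"], p["file_copy_subsequent"])
            + p["archiving"] + p["installing"] + p["launch_subsequent"]
            + p["downloading"] + p["browsing"])


# Constructed from two rows of the report's performance table.
BITDEFENDER = dict(zip(SUBTESTS, ["fast", "very fast", "mediocre", "fast",
                                  "fast", "fast", "very fast", "very fast"]))
ESET = dict(zip(SUBTESTS, ["very fast"] * 8))

if __name__ == "__main__":
    # Trellix row of the Real-World table: 434 blocked, 1 user dependent, 3 compromised
    print("Trellix protection rate:", protection_rate(434, 1, 3))  # 99.2
    print("Bitdefender AV-C score:", avc_score(BITDEFENDER))        # 68
    print("ESET AV-C score:", avc_score(ESET))                      # 90
```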

Rank  Vendor        AV-C score  Procyon score  Impact score
1     NetSecurity   90          96.7           3.3
2     ESET          90          94.0           4.8
3     Kaspersky     85          96.1           8.9
4     K7            85          95.6           9.4
5     Microsoft     80          96.2           13.8
6     Avast         85          91.0           14.0
7     Cisco         80          95.0           15.0
8     G DATA        80          86.4           23.6
9     Elastic       75          90.8           24.2
10    ManageEngine  75          90.4           24.6
11    CrowdStrike   70          93.8           26.2
12    Bitdefender   68          89.2           32.8
13    VIPRE         68          88.4           33.6
14    Trellix       68          88.0           34.0
15    SenseOn       58          93.6           38.4
16    Rapid7        63          87.3           39.7
17    Sophos        65          85.2           39.8

Product Reviews

On the following pages, you will find product descriptions of the tested enterprise products. Please note that the product descriptions are based on information provided by vendors. For more detailed and current information, please visit the vendors’ websites.

Avast Ultimate Business Security:
https://www.avast.com/en-us/business/products/ultimate#pc

Bitdefender GravityZone Business Security Premium:
https://download.bitdefender.com/resources/media/materials/business/en/bitdefender-business-security-datasheet.pdf

Cisco Secure Endpoint Essentials:
https://www.cisco.com/c/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-733181.html

CrowdStrike Falcon Pro:
https://www.crowdstrike.com/wp-content/uploads/2019/02/crowdstrike-falcon-pro-bundle-data-sheet.pdf

Elastic Security:
https://www.elastic.co/guide/en/security/current/index.html

ESET PROTECT Entry with ESET PROTECT Cloud:
https://web-assets.eset.com/fileadmin/ESET/INT/Docs/Others/ESET_B2B_solutions_overview_landscape_WEB_render.pdf

G DATA Endpoint Protection Business:
https://www.gdata.help/display/BS/Business+Solutions

K7 On-Premises Enterprise Security Advanced:
https://www.k7computing.com/us/pdf/k7-enterprise-brochure.pdf

Kaspersky Endpoint Security for Business (Select, with KSC):
https://content.kaspersky-labs.com/se/media/de/business-security/KESB_Product_Datasheet_Advanced_Customer.pdf

ManageEngine Endpoint Central with Malware Protection:
https://www.manageengine.com/products/desktop-central/features.html?ec-home

Microsoft Defender Antivirus with Microsoft Endpoint Manager:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/?view=o365-worldwide

NetSecurity ThreatResponder:
https://www.netsecurity.com/wp-content/themes/NetSecurity/images/files/NetSecurity-ThreatResponder-Datasheet-082919.pdf

Rapid7 InsightIDR:
https://www.rapid7.com/globalassets/_pdfs/product-and-service-briefs/rapid7-insightidr-product-brief-120121.pdf

SenseOn Platform with EPP:
https://www.senseon.io/protect

Sophos Intercept X Advanced:
https://assets.sophos.com/X24WTUEQ/at/2b38x8h3fjg68jmm7tvbsp8m/sophos-intercept-x-ds.pdf

Trellix Endpoint Security (ENS):
https://www.trellix.com/en-us/assets/solution-briefs/trellix-endpoint-protection-platform-solution-brief.pdf

VIPRE Endpoint Detection & Response:
https://www.vipre.com/wp-content/uploads/2023/12/vipre-ds-edr-endpoint-detection-and-response.pdf

Avast Ultimate Business Security includes a next-gen antivirus with online privacy tools and patch management automation software to help keep business devices, data, and applications updated and secure.

Key Features

Online Management Platform: Get real-time visibility of cyberthreats, comprehensive reporting, and administrative capabilities – right from your web browser. A cloud-based console lets you centrally manage your Avast Business security services and their subscriptions.

Next-gen Antivirus: Next-gen endpoint protection with File Shield, Web Shield, Mail Shield, real-time Behaviour Monitoring, and Cloud Sandbox help secure users’ devices against malware infections and zero-day threats.

Advanced Firewall: Monitor network traffic between your employees’ devices and the internet. Improve blocking of dangerous or superfluous data transmissions for better protection of your business against malicious data manipulation.

Ransomware Shield: Reinforce the protection of your sensitive data and other critical business documents against modification, deletion, or encryption by ransomware attacks. Choose which applications have permission to access your protected folders and block the rest.

Real Site: Real Site supports safer web browsing and banking by helping your employees avoid fake websites created to steal sensitive data such as usernames, passwords, and credit card details. It is designed to secure users against DNS (Domain Name System) hijacking.

Browser Shield: Secure your browser-stored passwords against theft. Prevent unwanted programs from accessing browser cookies to protect your personal and sensitive data.

VPN: Built-in personal VPN with no data limits encrypts your data traffic over the internet to help protect your employees’ data, making them also private when using public Wi-Fi networks, such as those in cafes or the airport.

USB Protection: Prevent employees from using unauthorized removable storage devices, including flash drives, external drives, and memory cards to avoid data theft, data loss, and malware infections.

Web Control: Create a safer, more productive business environment for you and your employees by controlling their access to potentially dangerous or non-work-related websites through web domain and content filtering.

Patch Management: Automatically fix vulnerabilities in Windows and third-party applications that are susceptible to cyberattacks by remotely patching devices, no matter where they are. Patch Management helps you distribute tested patches to hundreds of devices in minutes, with minimal impact on your network.

GravityZone Business Security Premium is designed to protect small to medium organizations, covering any number of file servers, desktops, laptops, physical or virtual machines. It is based on a layered next-gen endpoint protection platform with prevention, detection and blocking capabilities, using machine learning techniques, behavioural analysis, and continuous monitoring of running processes.

Key Features

Effortless Deployment: The GravityZone agent is designed for easy deployment across multiple systems, providing immediate protection without requiring reboots or extensive configuration.

Machine Learning Anti-Malware: Bitdefender’s machine learning models utilize 40,000 features and billions of file samples to predict and block advanced attacks effectively, improving malware detection accuracy while minimizing false positives.

Process Inspector: Operating in zero-trust mode, Process Inspector continuously monitors all processes in the system, detecting suspicious activities and anomalous behaviours. It effectively identifies unknown advanced malware, including ransomware, and takes remediation actions such as termination and undoing changes.

Advanced Anti-Exploit: This technology protects memory and vulnerable applications by detecting and blocking exploit techniques like API caller verification, stack pivot, and return-oriented-programming (ROP).

Integrated Risk Analytics: Evaluates endpoint risks continuously to identify and prioritize misconfigurations. Automates hardening actions and detects risky user behaviors, such as insecure logins and poor password practices.

Endpoint Control and Hardening: Policy-based controls include firewall management, USB scanning for device control, and web content filtering with URL categorization.

Anti-Phishing and Web Security Filtering: Real-time scanning of web traffic, including SSL, HTTP, and HTTPS, prevents the download of malware. Anti-phishing protection automatically blocks fraudulent web pages.

Response and Containment: GravityZone automatically blocks and contains threats, terminates malicious processes, and rolls back unauthorized changes.

Ransomware Protection: Bitdefender can detect new ransomware patterns, offering robust protection against evolving threats.

Automate Threat Remediation and Response: GravityZone neutralizes threats through actions such as process terminations, quarantine, removal, and rollback. Real-time threat information sharing with Bitdefender’s cloud-based threat intelligence service prevents similar attacks globally.

GravityZone Control Center: GravityZone Control Center is an integrated and centralized management console that can be cloud-hosted or deployed locally, providing comprehensive oversight and management of all security components.

Cisco Secure Endpoint Essentials is a comprehensive endpoint security solution that provides advanced protection, threat detection and response capabilities in a single agent that offers Endpoint Detection and Response and integrated Extended Detection and Response (XDR) capabilities.

Key Features

Advanced Protection: Cisco Secure Endpoint uses a layered approach consisting of reputation, application, process and command monitoring, machine learning and behavioural analysis to detect and prevent advanced attacks.

Next-Generation Antivirus (NGAV): Preventative technologies to stop malware by leveraging file reputation, exploit prevention, script protections, and signature detection techniques to stop known and unknown threats.

Endpoint Detection and Response (EDR): Real-time visibility and control of endpoint activities to enable threat hunting and accelerate incident response.

Threat Intelligence: Cisco Talos Intelligence provides the latest threat intelligence to identify and prevent emerging threats.

Dynamic analysis: Produces detailed runtime insight and analysis, including the severity of behaviours, the original file name, screenshots of the malware executing, and packet captures.

Device Control: Visibility and control over USB mass storage devices.

Secure Endpoint: This prevents breaches, blocks malware at the point of entry, and continuously monitors and analyses file and process activity to rapidly detect, contain, and remediate threats that can evade front-line defences.

Prevention and Detection: Identify and stop threats before compromise. Reduce the attack surface with prevention techniques, risk-based vulnerability management, and posture assessments. Enable hunts for hidden threats, detect malware, and perform advanced investigations.

Rapid Response: The Cisco Secure portfolio provides automatic global outbreak control. Endpoint response, ranging from file, application and network control to automated actions and isolation, helps automate endpoint triage and threat containment to reduce time to respond.

Extended Detection and Response (XDR): Reduce incident detection and response times with Cisco Extended Detection and Response (XDR). Built-in integration with the Cisco Secure portfolio and 3rd-party solutions provides a unified view to simplify and orchestrate incident response across your security control points, for a layered defence against threats.

Flexible Deployment and Simplified Management: The solution is easy to deploy, manage, and scale. It can be deployed on-premises or in the cloud, providing flexibility to meet different organizational needs.

Single Agent: Cisco Secure Endpoint Essentials combines Endpoint Prevention, Detection and Response in a single agent.

Management Console: The solution provides a centralized management console to manage and monitor endpoints and can be deployed on-premises or in the cloud.

Scalability: The management console can scale to support businesses as they grow.

CrowdStrike Falcon Pro offers cloud-native capabilities through a lightweight agent and a centralized command center. In addition to threat protection, it provides investigative functions and threat intelligence for analysis and remediation of attacks. The solution is scalable, making it suitable for managing networks with thousands of devices.

Key Features

Easy to deploy: The Falcon agent is easy to deploy at scale, offering instant protection without the need for a reboot or tuning processes.

Advanced Threat Detection: Falcon Pro is designed to detect advanced and unknown threats, including fileless attacks, ransomware, adware, and potentially unwanted programs.

Full Attack Visibility: The solution provides attack visibility through a process tree. It unravels complete attack scenarios, enriches them with contextual threat intelligence, and maps adversary behaviours using MITRE ATT&CK® terminology.

Signatureless Approach: Falcon Pro does not rely on signatures, eliminating the need for daily virus definition updates. This reduces the administrative overhead and ensures protection against emerging threats.

Exploit Blocking: The solution proactively blocks the execution and spread of threats through unpatched vulnerabilities, preventing potential exploitation.

On-Write Quarantine: Falcon Pro detects and isolates malicious files as soon as they appear on a host, ensuring they are contained and unable to cause harm.

Custom Indicators of Attack (IOAs): Teams can utilize custom IOAs to create behaviour-based blocking rules tailored to their specific organizational needs, providing enhanced protection against targeted attacks.

Advanced Memory Scanning: Automated memory scans are performed using behavioural triggers to prevent fileless and memory-based attacks, such as ransomware and the use of dual-purpose tools like Cobalt Strike, earlier in the kill chain.

Quarantine Functionality: Blocked files are quarantined, allowing analysts to access and investigate them for deeper analysis and understanding of the threat landscape.

Script-Based Execution Monitoring: Falcon Pro inspects and blocks malicious Office macros, preventing script-based attacks.

Incident Response Acceleration: The solution accelerates incident response workflows by offering automated, scripted, and manual response capabilities. This streamlines the incident management process and enables faster resolution.

Device Control: Falcon Pro includes Falcon Device Control, providing visibility and control of USB device usage.

Firewall Management: Falcon Pro includes Falcon Firewall Management, delivering centralized host firewall management, making it easy to manage and enforce host firewall policies.

Built-in Threat Intelligence: Falcon Pro integrates comprehensive threat intelligence, strengthening detection capabilities and enhancing the efficiency of Security Operations Centers (SOCs). From automatic sandbox submissions of blocked files to actor profiles, analysts can gain valuable insights into threats and adversaries without exposing their local systems and network infrastructure.

Endpoint security from Elastic Security detects, investigates, and responds to threats across all native and third-party endpoints. Powered by AI-driven security analytics, it ingests data from all major operating systems, empowering your team with the insights needed for informed, data-centric decisions. Automated action plans further streamline response, minimizing downtime and bolstering your defences. This proactive approach empowers your team to counter emerging threats, safeguard critical data, and maintain operational continuity within today’s ever-evolving threat landscape. Seamless integration and robust capabilities, such as Attack Discovery, provide clear explanations for security alerts. This allows analysts to prioritize and address threats swiftly and effectively. Elastic Security integrates seamlessly with contemporary cybersecurity frameworks, leveraging the speed and extensibility of the Search AI platform, making it an essential tool for modern security teams.

Key Features

Extended and native protection: Elastic Security combines the power of native endpoint agents with the ability to integrate third-party data for a comprehensive view of your security posture.

AI-Driven threat detection with Search AI: Elastic Security’s revolutionary Search AI platform takes threat detection to the next level. It analyses endpoint behaviour, memory threats, and credential vulnerabilities with machine learning, but goes beyond simple alerts. Search AI sifts through massive amounts of data, uncovering hidden patterns and anomalies that indicate malicious activity, and enabling proactive threat discovery before damage occurs.

High-fidelity threat discovery: Gain deep visibility into your environment with minimal data collection overhead. Elastic Defend instruments process, file, and network data. Additionally, the seamless integration with OSQuery allows you to run custom queries directly on endpoints, providing even more granular insights for threat detection.

Rapid response and investigation: Elastic Security empowers your team to quickly analyse data across endpoints, visualize suspicious activity, and take immediate action. Remote response capabilities allow for swift mitigation of threats across your network.

Secure cloud workloads: Protect your cloud environments with real-time visibility and control. The lightweight eBPF-powered agent provides deep insights into your cloud infrastructure. Built-in detection rules and machine learning automatically identify cloud threats, while MITRE ATT&CK® aligned detections ensure rapid response.

View terminal sessions: Investigate incidents and accelerate digital forensics with the ability to view terminal sessions. This streamlines incident response and reduces your mean time to respond (MTTR).

Continuous monitoring: Maintain comprehensive security with continuous monitoring of user activity, network traffic, and custom security measures. Protect critical platforms like AWS, GCP, and Azure from data breaches, resource hijacking, and sabotage.

Empowered by Elastic Security Labs: Benefit from the expertise of Elastic Security Labs, a team of security researchers constantly refining threat detection capabilities and staying ahead of evolving cyberattacks. Their insights inform the development of Elastic Security, ensuring your protection remains at the forefront of the industry.

ESET PROTECT provides real-time visibility across all endpoints, ensuring users are always in the know. Plus, comprehensive reporting and security management cover every operating system (OS). ESET PROTECT Platform is powered by ESET LiveSense®, ESET’s multi-layered technology that combines machine learning and ESET LiveGrid®, ESET’s global, cloud-based threat intelligence network. It’s security made simple and powerful.

Key Features

Combines cybersecurity needs: ESET PROTECT Platform consolidates multiple cybersecurity capabilities, empowering customers to select the most effective tools for safeguarding their organization. It offers simplicity, scalability, tailored solutions, modularity, adaptability, and continuous innovation.

Protection across various platforms: ESET’s security solution covers Windows, Linux, and macOS, leaving no room for vulnerabilities. But that’s not all—we go beyond. Android and iOS devices are safeguarded under the same license, and your servers are also part of this all-in-one protective umbrella. It’s security without compromise.

Modern endpoint protection and comprehensive multi-layered defense: ESET PROTECT Entry leverages advanced, multi-layered technologies that surpass basic antivirus or antimalware solutions. It shields against ransomware, botnets, targeted attacks, data breaches, zero-day threats, fileless attacks, phishing, and advanced persistent threats, ensuring robust protection for endpoints.

Accessible endpoint security: ESET’s endpoint security solution is available in 23 languages, making it the most accessible and easy-to-use option on the market. Whether you are in a bustling metropolis or a remote village, ESET’s global technology ensures you’re covered.

In-house security research and development: ESET’s teams not only develop products but also share elite know-how and intelligence through research. They pioneered investigations into the Sandworm group, leading to some of the most significant discoveries in cybersecurity. ESET’s discoveries, such as Industroyer, KrØØk, and LoJax, provide warning of threats on a global scale. Organizations can leverage this expertise by using ESET technology and solutions. ESET is also currently among the top 5 contributors and top 10 referenced sources in the MITRE Enterprise Matrix. This positions us as a valuable intelligence provider regarding tactics, techniques, and procedures (TTPs) exploited by diverse Advanced Persistent Threat (APT) groups. ESET’s research teams are widely recognized by leading technology media worldwide, reinforcing their authority and impact in the cybersecurity landscape.

Hyperlocal language support: Wherever you are on the globe, ESET provides support in your language. Both cloud and on-premises management consoles are available in 23 languages, ensuring a seamless experience for users worldwide.

Advanced remote management with one-click actions: Gain granular visibility into your IT environment. Monitor threats, track user activity, and manage quarantined items – all from a single, intuitive interface. Actions such as isolating the device from the network, creating an exclusion, or initiating a scan are available with a single click in the cloud-based or on-prem ESET PROTECT console.

Deep-dive insights into the network: ESET PROTECT Platform provides over 120 built-in reports and allows you to create custom reports from over 1000 data points.

Real-time alerts about incidents in your organization: Use pre-defined notifications or create your own. The notification system features a full “what you see is what you get” editor.

Effortless and quick installation: Deploy pre-configured live installers that automatically activate and connect your endpoints to the management console.

Ultra-light solution on your system: ESET PROTECT Entry boasts an ultra-light impact on system performance. Its cloud-powered, multilayered security ensures robust protection without slowing down your devices.

Cutting-edge cybersecurity: As a frontrunner in machine learning since the 1990s, ESET was the first to identify security threats via the UEFI (Unified Extensible Firmware Interface). It introduced the UEFI Scanner to combat these threats effectively. Additionally, ESET was among the first to provide ARM-specific protection, staying ahead of emerging risks.

Improved total cost of ownership (TCO): ESET PROTECT Platform enhances the TCO of security management. By streamlining processes and minimizing resource usage, it ensures efficient and cost-effective security administration.

G DATA Endpoint Protection Business is a long-standing product line that has developed from a static, scanning-engine-only product into one incorporating next-generation scanning and heuristic technologies. These technologies help us detect and prevent malware even when normal scanning approaches fail.

Key Features

Privacy by design: All of G Data’s development takes place in Germany, which had very strict data privacy laws even before the GDPR; the company applies strict privacy-by-design and privacy-by-default rules in the development of its software.

Online and offline protection: G Data’s products offer very strong offline and local protection by design. Protection modules work offline and do not require a cloud connection, although the cloud connection does improve detection against latest and unknown threats.

BehaviorStorage (BEAST) module: This module runs locally on the client and does not transmit user behaviour data into a cloud. BEAST is able to run completely independent of Internet connectivity and can still classify suspicious or malicious activity.

In-house support: Support is not outsourced; the support team is involved in the development process, which enables G Data to fix errors reported by customers.

MMC-style admin console: Allows easy use by Windows administrators.

K7 Security simplifies deployment and management, protecting client workstations and critical servers. The Centralised Management Server consolidates threats, implements endpoint security policies, and manages them with fewer IT resources. The web-based console handles K7 software installation on multiple endpoints, user group creation, policy enforcement, task scheduling, updates, and remote management of core capabilities such as Antivirus, Firewall, Application Control, and Web Content Filtering.

Key Features

Admin Console: The web-based interface enables complete security settings management, including client installation, group and policy management, task scheduling, updates, and control over Antivirus, Firewall, Application Control, Web Filtering, and Notifications.

Advanced Malware Detection and Remediation: The Host Intrusion Prevention System collates, analyses and triages various events to effectively detect and deal with malware. This feature deals with analysis of both pre-execution and runtime behaviour of monitored objects in the host.

Anti-Ransomware Protection: Monitors secured devices for ransomware, employing signature-less, behaviour-based detection mechanisms. K7 Ecosystem Threat Intelligence enhances protection against known and new ransomware variants. Real-time security defends against ransomware distribution through shared files and folders on the network.

K7 Device Control: This prevents USB and storage media infections by blocking unauthorized access to unknown devices. Host-level policies enforce device password access, file execution control, and on-demand/automatic device scanning.

K7 SafeSurf: This ensures secure online browsing by identifying and blocking malicious websites through URL analysis and cloud-based reputation services.

K7 Firewall / HIPS: The K7 Firewall, working with the integrated Host Intrusion Prevention System (HIPS), stealths system ports and protects against direct attacks. The Intrusion Detection System (IDS) blocks known malicious network-based exploits before processing.

System Security and Performance: K7 Security prioritizes system performance by utilizing a proprietary lean data-loading algorithm and ordering mechanism, minimizing RAM and CPU usage.

Web Categorisation: Web Categorisation allows administrators to define website and content access for company devices, limiting access to unproductive or inappropriate sites.

Groups and Policies: Endpoint security is managed through groups and policies, controlling malware detection and user settings. Default settings provide optimum security, and end-users are limited to updates and scans.

Application control: This enables automatic reporting and blocking of applications, including version-based blocking.

Fine control of administrative privileges: Administrative privileges can be fine-tuned with custom roles and group-based administration.

Scans: Options include Quick Scan, Full System Scan, and Vulnerability Scan, with patch links. Scans can be scheduled and deployed to desired endpoints.

Kaspersky Endpoint Security for Business is a next-gen endpoint security solution which can secure organizations against a wide range of threats, from BIOS-related to fileless threats. The solution provides crucial endpoint management and security tools to IT administrators and cybersecurity specialists in organizations of any size and type.

Key Features

Protect user data: Kaspersky Endpoint Security for Business protects all endpoints against widespread and emerging threats, thanks to Kaspersky technologies like behaviour-based protection from advanced threats including fileless ones, ML-based analysis, and specific protection against exploits, ransomware, miners and financial spyware. Recognizing threat behaviour patterns allows unknown threats to be neutralized.

Proactive protection: Stops attacks before they start. System hardening by Adaptive Anomaly Control combines the simplicity of blocking rules with the smartness of automatic tuning, based on behaviour analysis.

Reduced attack surface: This is achieved by controlling what applications, websites and devices can interact with endpoints and users.

Complete ecosystem: Users can grow their IT security maturity. Automated response and analysis leverage integrations with EDR and SIEM solutions.

Single solution for any platform: Security for every workstation, server and mobile device that carries user data, regardless of location and ownership.

Cross platform support: A single solution, working from a single console covers every OS in a mixed environment.

High levels of automation: Particularly for essential but routine tasks such as patching and OS deployment.

Remote management capabilities: Covering different scenarios, like setting up workstations in home offices or securing data with encryption options.

Centralization: Integrated single-screen management, either at the user’s perimeter or in the cloud.

Futureproofing: Upgrading is seamless, allowing users to move through the tiers. The fully scalable solution is ready to support thousands of managed devices as companies grow.

Flexibility: Users can choose their preferred deployment option: in the cloud, on-premises, air-gapped, or in hybrid deployments. They can then allocate different levels of access to security systems to different team members with granular role-based access control (RBAC).

ManageEngine Endpoint Central with Malware Protection delivers comprehensive endpoint security through a single, lightweight agent. It offers 360-degree visibility and centralized control over all endpoint activities, scaling seamlessly as your business grows. The solution is easy to deploy and supports both on-premises and cloud environments.

Key Features

Next-Gen Antivirus: Provides end-to-end malware detection covering everything from files to memory, with both behaviour patterns and anomalies used for analysis. It leverages ML-based behavioural detection to identify unknown and fileless malware and uses signature-based detection for known variants. It employs a multi-layered detection approach to effectively identify a broad spectrum of malware. This includes advanced memory scanning to uncover memory-resident threats and evasive code execution, exploit detection to defend against zero-day attacks and vulnerability exploitation, and on-demand and file-write scans for comprehensive file analysis. In the event of malware infiltration, infected endpoints are automatically quarantined to prevent further spread, and complete malware removal ensures full system recovery.

Ransomware protection: Employs behavioural detection without relying on frequent definition updates. Reconstruct the complete attack timeline by tracing the malware process tree using MITRE ATT&CK® technique identifiers and indicators of compromise to uncover attacker tactics, techniques, and procedures and gain insights into the entry point, lateral movement, and overall impact. In the event of ransomware encryption, Endpoint Central offers single-click data recovery using Windows VSS backup, ensuring business continuity.

Comprehensive patching: Patch servers, laptops, and workstations across multiple OSs from a single console. Automatically scan for missing patches and deploy updates for over 850 apps, including third-party software. Maintain complete control over patch compliance with real-time analytics and audits.

Device control: Stay vigilant over peripheral device activity on your network with support for 15+ device types. Regulate the entry of peripheral devices into your enterprise by curating a trusted device list and blocking all others. When necessary, set a duration to provide temporary access for devices not in the trusted device list. Monitor file activity through file shadowing and tracing to prevent insider threats and plug-in-based attacks.

Vulnerability detection and remediation: Continuously scan endpoints in real time for vulnerabilities, detect and mitigate zero-day threats, enforce compliance with standards like CIS benchmarks, isolate non-compliant devices, and audit your network for risky software and open ports.

Data loss prevention (DLP): Define what constitutes sensitive data for your business, scan endpoints for sensitive data, and continuously monitor the movement of sensitive data across your network. Block unauthorized transfers of sensitive data across the cloud, email, peripheral devices, browsers, clipboards, and more.

Browser security: Create a secure enterprise browsing experience without requiring a dedicated enterprise browser. Gain granular control over any browser by managing everything from blocking malicious extensions and unauthorized websites to regulating web downloads. Enforce strict security policies to prevent code injection and other malicious attacks.

App control and privilege management: Ensure that only enterprise-approved apps are installed on business devices, block unauthorized app installations, and provide on-demand, time-limited access to apps when required. Revoke unnecessary local admin rights and manage user privileges to prevent privilege escalation-based cyberattacks.

BitLocker encryption: Encrypt every device that connects to your network, regardless of the TPM status, using advanced encryption methods. Maintain complete control over the life cycle of recovery keys, including automated periodic rotations.

Microsoft Defender Antivirus is pre-installed on Windows 10/11 systems. In business environments, it can be managed, for example, with Microsoft Defender for Endpoint’s P1 plan. It combines machine learning models trained on cloud-scale data with behaviour-based detection to protect in real time against malware and malicious activity.

Key Features

Defender for Endpoint’s P1 plan allows security teams to do the following:

Eliminate blind spots in their environment: Discover unmanaged and unauthorized endpoints and network devices. Secure these assets using integrated workflows.

Block sophisticated threats and malware: Examples include novel polymorphic and metamorphic malware, and fileless and file-based threats. With cloud-delivered, next-generation protection, analysts benefit from near-instant detection and blocking of these threats.

Apply manual response actions: Security teams can act on devices or files when threats are detected, such as quarantining them.

Harness attack surface reduction capabilities: Harden devices, prevent zero-day attacks, and take granular control over endpoint access and behaviours. These capabilities include rules, ransomware mitigation, device control, web protection, network protection, network firewall, and application control.

Access unified security tools and centralized management: The Microsoft Defender portal provides security teams access to unified security tools and centralized management. This can be used to monitor and respond to alerts of potential threats and can go beyond protecting endpoints to securing across identities, data, apps, and infrastructure. Security administrators can use role-based access control from the Microsoft Defender customizable portal to manage which users have access to which assets.

Customize the experience for what matters to your organization: The landing page provides a customizable view that shows at-risk devices, threats detected, alerts/incidents and actionable information depending on which Microsoft Defender capabilities the organization is using. Examples of what you can see:

  • Incidents & alerts: Displays incidents created in response to alerts triggered by detected threats across devices.
  • Action center: This lists remediation actions taken. Analysts can see details like investigation package collection, antivirus scan, app restriction, and device isolation.
  • Reports section: This section includes reports that show threats and their status.

Device Inventory: A list of the devices in the user’s network that triggered alerts. This shows domain, risk level, OS platform, and other details for easy identification of devices most at risk.

NetSecurity ThreatResponder® Platform is an AI-powered and cloud-native cyber-resilient endpoint platform for protecting enterprise computer endpoints from advanced cyber-attacks and data breaches, detecting security vulnerabilities, and conducting legally defensible remote forensics investigations at scale. ThreatResponder enables enterprises to predict, stop, and investigate cyber-attacks, data breaches, and insider threats launched by sophisticated nation-state adversaries or insider threat actors. ThreatResponder offers capabilities and use cases including: attack prediction and prevention; access control; remediation; data loss prevention; data recovery; forensics investigations; storage control; endpoint threat protection; regulatory compliance; incident response; malware analysis; user behaviour analytics; identity threat protection; threat intelligence; host isolation; geo blocking; whitelisting; blacklisting; zero trust enforcement; vulnerability detection; MITRE ATT&CK mapping; NIST CSF implementation; threat hunting; and more.

Key Features

Threat Intelligence and Analytics: Enriches threat data and provides situational awareness.

Real-time Threat Detection and Response: Detects and neutralizes both external and insider threats with real-time monitoring and incident response capabilities.

Single-Pane-of-Glass Management: Offers a unified interface for managing all aspects of cybersecurity operations and gaining real-time insight into threat and vulnerability landscapes.

User Behaviour Analytics: Provides insights into user activities, including who is doing what, where, when, why, and how. User behaviour includes user activities as well as how much data a user, process, or application has received or sent.

Live Forensics and Incident Response: Performs live incident response and forensics investigation on remote systems.

Data and Forensics Analytics: Detects and neutralizes threats and performs advanced forensic investigations. Perform legally defensible forensics investigations at scale on live systems or “dead” drives.

Cost Savings and Compliance: Prevents costly cyber-attacks and helps gain compliance, reducing the cost of security operations.

Situational Awareness and Informed Decisions: Provides situational awareness to quickly make informed decisions.

Enhanced Shareholder Value and Reputation Protection: Protects intellectual property and maintains a competitive advantage, preserving the organization’s reputation and image.

Boost Efficiency and Productivity: Enhances the efficiency and productivity of the security team and end-users.

Rapid7 InsightIDR’s NGAV combines behavioural detections with a signature-based antivirus engine to monitor and block malicious activity. It focuses on disrupting the evasive behaviours that ransomware and other forms of malware use, preventing both known and unknown attacks before they start.

Key Features

Ransomware Prevention: Patented, pre-emptive technology provides dedicated ransomware prevention engines that reinforce at each stage of an attack to strengthen defences and minimize exposure – monitoring and blocking malicious activity.

Single Unified Agent: Consolidate vulnerability management, detection, response, and NGAV with a single, lightweight agent.

Password & Tamper Protection: Prevent malware, malicious activities, and bad actors from tampering with critical functionality of the agent, ensuring protection continues unharmed.

Threat Response: Contextualized data, expert guidance, and automation enable confident action against threats, regardless of where they originate.

Next-Gen SIEM & XDR: Detection-centric SIEM, with extended detection and response capabilities, focuses on pinpointing and eliminating threats.

Complete Environment Visibility: Connect, enrich, and synthesize expansive security telemetry across the modern environment as efficiently as possible.

Built-in Threat Intelligence: Access a wide range of intelligence as a result of meticulous research (e.g. Project Lorelei, Project Sonar, etc.), vast open-source communities (e.g. Velociraptor, Metasploit, etc.), security forums (e.g. AttackerKB, Discuss, etc.), industry expertise (e.g. Recog, Vulnerability Disclosures, etc.) and our external threat intel (e.g. Threat Command) to provide actionable data for sophisticated detection and response.

EPP complements SenseOn’s platform to deliver full protection, visibility of threats, and deception across an entire organisation’s infrastructure. Combined with SenseOn’s patented AI triangulation, it provides cost-effective endpoint protection, next-gen antivirus, and antimalware without compromising on quality – all in one consolidated platform.

Key Features

Advanced on-access: Automatically scans files upon access to determine if they are malicious, ensuring continuous protection.

Quarantine: Quarantine malicious files to prevent ransomware attacks and mitigate their impact – with options for automated or human-in-the-loop response.

Behavioural analysis: Accurately detect anomalies and zero-day attacks through machine learning algorithms and behavioural analytics.

Anti-tampering: Equip your organisation with robust safeguards to detect unauthorised changes to the agent, ensuring the reliability and integrity of SenseOn against adversarial activities.

Application protection: Guard against memory overflow attacks, injection notifications, malicious behaviours, or process group alerting that exploit processes in memory.

Ransomware protection: Proactively detect and prevent ransomware infections before they can encrypt your data or disrupt your operations by applying restrictive access control to sensitive locations.

Swift deployment: No need to wait for months to hit the ground running. SenseOn’s security architecture deploys through a single piece of software within minutes.

Compatibility with existing infrastructure: SenseOn supports a variety of endpoints, servers, and network devices, ensuring seamless integration with your current IT environment. SenseOn’s API enables ingestion of alerts from other tools to streamline analyst workflow. Even better, these sources are correlated and analysed in parallel in real-time, ensuring customers understand the full context of alerts.

User-friendly platform: With limited IT resources in mind, SenseOn’s platform is easy to deploy, configure, and manage. SenseOn’s support team is on hand 24/7 to provide human assistance.

Sophos Intercept X Advanced is an endpoint security solution designed to minimize the attack surface and prevent attacks. It combines multiple technologies, including anti-exploit, anti-ransomware, deep learning AI, and control technology to detect and block threats before they can impact users’ systems.

Key Features

Stop Unknown Threats: Intercept X utilizes deep learning AI to identify and block malware that hasn’t been seen before. It analyses file attributes to detect threats without relying on signatures.

Block Ransomware: Intercept X incorporates anti-ransomware capabilities that identify and block the encryption processes used in ransomware attacks. Encrypted files can be rolled back to a safe state, minimizing the potential impact.

Prevent Exploits: The anti-exploit technology in Intercept X prevents attackers from leveraging exploit techniques to compromise devices, steal credentials, and distribute malware. This protection extends to file-less attacks and zero-day exploits.

Reduce the Attack Surface: Users have control over the apps and devices allowed to run in their environment. Intercept X enables blocking of malicious websites and potentially unwanted apps (PUAs).

Synchronized Security: Sophos solutions work together seamlessly. For instance, Intercept X and Sophos Firewall share data to isolate compromised devices during cleanup, restoring network access once the threat is neutralized, all without requiring admin intervention.

Straightforward Management: Intercept X is managed through Sophos Central, the cloud-based management platform for all Sophos solutions. This centralized management approach simplifies deployment, configuration, and management, including remote working setups.

AI and Expert Powered Data: Intercept X combines the power of deep learning AI with the expertise of Sophos Labs cybersecurity professionals to provide robust protection and accurate threat detection.

Trellix Endpoint Security (ENS) is a comprehensive security solution designed for enterprise networks of all sizes. The ePolicy Orchestrator management console offers flexible options, including both cloud-based and on-premises consoles, for efficient management of the endpoint protection software.

Key Features

Customizable Dashboard: The dashboard and reporting can be tailored to display relevant endpoint status information for each user.

Deployment Flexibility: The console offers a variety of deployment options, including cloud-based, on-premises hosting, and Amazon hosting.

Management Console: The ePolicy Orchestrator console is easily accessed through the primary navigation menu located at the top left of the main dashboard. It provides access to different sections and pages, such as Dashboard, Reporting, Policy Management, Automation, and Software and Systems Administration. Integration of additional components like DLP, Mobile Security, and Insights Threat Intelligence and EDR is also available.

ML Protect: Through machine learning classification, threats are detected in real time, and behaviour classification continually evolves to identify future attacks. Endpoints are restored to the last known good state, preventing infections and reducing administrative burdens.

Adaptive Scanning: The system intelligently skips scanning trusted processes and gives priority to suspicious processes and applications during scanning.

Endpoint Client Deployment: Client agent packages can be created on the Product Deployment page. The installer file can be distributed via a web link, manually executed, or deployed through a systems management product. After installation, the agent downloads the necessary protection engine before full protection becomes active. The client interface displays the installed and enabled protection components.

Web Control: This feature ensures safe browsing by providing web protection and filtering for endpoints.

Hostile network attack blocking: The integrated firewall uses reputation scores from Global Threat Intelligence (GTI) to safeguard endpoints against botnets, DDoS attacks, advanced persistent threats, and suspicious web connections. During system startup, the firewall only allows outbound traffic, providing protection when endpoints are not connected to the corporate network.

Antimalware protection: Trellix protects, detects, and corrects malware quickly with an antimalware engine that works across multiple devices and operating systems.

VIPRE Endpoint Detection & Response (EDR) provides comprehensive endpoint protection with next-gen antivirus (NGAV) and EDR features combined into a seamless platform. Designed to automatically block the vast majority of threats, and to provide for quick and efficient containment and investigation of potential threats, VIPRE provides everything you need to keep your endpoints and users safe.

Key Features

Detailed endpoint and network protection: This includes a full IDS, DNS Protection, and browser exploit prevention. The core NGAV components scan for and remove any latent malware, and behavioural process monitoring ensures that apps and users behave. The EDR layer on top of these core components orchestrates response to zero-day and persistent threats that can’t be immediately identified as malicious, but that represent a possible threat.

Supports investigation: EDR bundles in endpoint vulnerability scanning, raw event telemetry, and detailed root cause analysis. VIPRE Endpoint Detection & Response (EDR) includes access to cloud-based malware analysis sandboxes to investigate suspicious files and URLs, with detailed results presented right in the console, including a Remote Browser Isolation feature for further website investigation. It also includes a simple method to isolate endpoints that are misbehaving, to prevent attack spread and give you time to understand what is happening on the endpoint.

Remediate threats on endpoints: EDR will help patch vulnerable applications automatically and provides for integrated remote access to the endpoint to clean up files, processes, registry keys, and more. Any files corrupted by zero-day ransomware will be restored. Any security gaps identified by your investigation can be closed quickly.

Single Interface: VIPRE EDR combines all these tools into a clean, easy to use interface that helps speed response times and reduce confusion. Mobile responders can access everything from their smartphones, avoiding the expense, annoyance, and delays of having to rush into the office. And with transparent delegated access via VIPRE Site Manager, MSPs, MSSPs, and MDR providers can assist in incident response and investigation with zero friction.

Zero Trust features in endpoint security can be effective in controlled environments like kiosks, where interactions are limited and predictable. However, for everyday workstations, the administrative burden, performance issues, and user disruptions often outweigh the benefits.

In recent years, Zero Trust has become a key principle in endpoint security, aiming to eliminate the implicit trust granted to users or devices within a network. Every request is treated as untrustworthy until verified, enhancing protection against insider threats and lateral movement. Several enterprise products now include some form of Zero Trust features, such as application control, network segmentation, identity verification, etc. However, implementing these features—especially in dynamic environments like workstations—presents challenges. Continuous verification processes can introduce performance overhead, affecting user experience and daily operations if not carefully managed.

Zero Trust and Workstations: Too Much Overhead for Everyday Use

On workstations, where employees perform dynamic tasks and frequently install software, implementing Zero Trust can introduce significant challenges. Frequent changes in usage patterns make training lengthy and complex, even with cloud-based assistance. Moreover, the highly restrictive nature of Zero Trust can lead to excessive alerts and blocks during normal operations. The constant need for authorization, even for legitimate tasks, interrupts workflows, frustrates users, and burdens IT teams with the continuous task of approving or denying activities. In addition to this, features like continuous verification and real-time checks may negatively affect system performance, causing slower response times and reducing overall productivity. As a result, maintaining such a system is resource-intensive, with diminishing returns in terms of improved security. The overall user experience and operational efficiency are significantly impacted, making Zero Trust features impractical for most workstation environments. This is why these features are often disabled by default.

Zero Trust and Kiosk Computers: A Suitable Match

Kiosk computers, often used in public settings or tightly controlled environments, are designed for limited interaction, with users restricted from installing software or making system changes. In such cases, Zero Trust can be particularly beneficial. Its restrictive approach suits the limited and predictable usage patterns of kiosks—nothing is installed, executed, or modified without explicit authorization. This minimizes the attack surface while maintaining a high level of security with minimal user friction.

Since kiosks operate in a highly predictable and stable manner, the learning phase of Zero Trust systems is less burdensome. Administrators can pre-approve the necessary applications and workflows, resulting in fewer alerts and reduced maintenance requirements. As a result, Zero Trust can effectively enhance kiosk security by preventing unauthorized actions with minimal ongoing adjustments.

Where Zero Trust Makes Sense

Given these challenges, most organizations find Zero Trust more suitable for specialized systems like kiosks, while it is often disabled on workstations. Therefore, it’s crucial to assess the performance and security efficacy of endpoint protection products under “normal” conditions—without Zero Trust enabled. This helps determine the true value of the security solution for day-to-day operations, where a balance between security and usability is essential.

Built-in Windows Protections: Easier Alternatives

Windows 10 and 11 Pro editions offer built-in security features that can achieve similar levels of protection with significantly less complexity than Zero Trust models. Key features include:

  • Attack Surface Reduction (ASR) Rules: ASR rules help reduce the attack surface by blocking potentially malicious behaviours, such as preventing Office macros from executing content downloaded from the web, blocking executable files running from email attachments, and more. These rules are flexible and can be tailored to different risk profiles, allowing for fine-grained control without overwhelming users with alerts.
    https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
  • Controlled Folder Access: This feature protects critical system files and user data by preventing unauthorized applications from making changes. It’s particularly effective against ransomware and other malware that targets sensitive data.
  • AppLocker: Another valuable feature in Windows, AppLocker allows administrators to control which applications and files users can run. By creating policies that restrict unauthorized executables, scripts, and installers, AppLocker helps reduce exposure to malicious software. AppLocker is particularly useful in environments where maintaining tight control over executable permissions is crucial, offering a more straightforward alternative to Zero Trust for controlling application execution.

Collectively, these built-in features can provide strong protection, especially when configured correctly, making them viable alternatives to more expensive and operationally demanding Zero Trust implementations. Note that ASR rules and Controlled Folder Access are enforced by Microsoft Defender Antivirus and take no effect while it runs in passive mode alongside a third-party antivirus product; AppLocker, by contrast, is independent of the antivirus in use.
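The following PowerShell script is an added worked example, not part of the AV-Comparatives report or of any vendor’s product. It stages Controlled Folder Access and an AppLocker allow-list in audit mode on a single Windows 10/11 endpoint, then shows where to look for the audit events before switching to enforcement. The protected folder (D:\Finance), the line-of-business application path, the policy file location and the test binary path are assumptions chosen for illustration.

```powershell
# Added example: stage Controlled Folder Access and AppLocker in audit mode,
# review the resulting events, then enforce. Run from an elevated PowerShell.
# The folder, application and file paths below are assumptions for illustration.

#Requires -RunAsAdministrator

# --- Controlled Folder Access: audit first, enforce later -----------------------------
# AuditMode logs what would have been blocked (event 1124) without stopping anything,
# so legitimate applications that write to protected folders can be allow-listed first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a data location beyond the default user folders (assumed path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# Allow a known line-of-business application to write there (hypothetical path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerApp.exe'

# --- AppLocker: derive rules from what is actually installed --------------------------
# AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Collect file information for executables, scripts and installers in the standard
# program directories (scanning C:\Windows recursively takes several minutes).
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# Prefer publisher rules (signed files), fall back to hash rules for unsigned ones,
# and let -Optimize collapse redundant rules. Apply to Everyone.
$policyXml = 'C:\Temp\AppLocker-Baseline.xml'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# New-AppLockerPolicy leaves each rule collection as "NotConfigured"; set AuditOnly so
# would-be blocks are logged (event 8003 in the AppLocker/EXE and DLL log) but not enforced.
[xml]$doc = Get-Content -Path $policyXml -Raw
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyXml)
Set-AppLockerPolicy -XmlPolicy $policyXml

# --- Review before enforcing -----------------------------------------------------------
# Controlled Folder Access audit hits (1124) and AppLocker would-have-blocked events (8003).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1124 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Check a specific binary against the policy without executing it (hypothetical path).
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\Public\Downloads\setup.exe' -User Everyone
```

Once the audit logs stay clean for a representative period, the same steps are repeated with -EnableControlledFolderAccess Enabled and EnforcementMode set to Enabled in the policy XML. In a fleet these settings would normally be pushed through Group Policy or Intune rather than run per machine, but the audit-then-enforce sequence and the event IDs to watch are the same.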

Key ASR Rules and Effectiveness

One of the most powerful sets of these features is Microsoft Defender’s Attack Surface Reduction (ASR) rules. These rules are configurable controls that block or limit specific behaviours often associated with malware and other malicious activities.

ASR Rules Examples

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion: This rule prevents new or low-reputation executables from running, reducing the risk of zero-day attacks or novel malware. It assesses whether an executable is widely used, has been around long enough, or is from a known trusted source before allowing it to execute.
  • Block Office applications from creating child processes: Many attacks exploit Office applications (like Word or Excel) to launch malicious scripts or executables.
  • Block executable content from email and webmail clients: This rule blocks users from running executable files or scripts directly from email attachments or web-based email clients, a frequent entry point for malware.
  • Block Office applications from injecting code into other processes: Some sophisticated attacks involve injecting malicious code into trusted processes, making them harder to detect.
  • Use advanced protection against credential theft (Microsoft’s rule name: Block credential stealing from the Windows local security authority subsystem): Credential-stealing malware is a serious threat, and this rule blocks untrusted processes from reading the memory of the Local Security Authority Subsystem (lsass.exe), where authentication data is held.
  • Block untrusted and unsigned processes that run from USB: Removable media like USB drives can introduce malware into networks. This prevents untrusted and unsigned software from launching directly from USB devices, reducing exposure to risks.
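As an added example (not from the report), the PowerShell below rolls out the six rules listed above in audit mode, reports their configured state, shows where the audit events land, and then promotes them to block mode. The rule GUIDs are those published in Microsoft’s ASR rules reference linked earlier in this section; confirm them against that page for your Windows build before deploying. The exclusion path is a hypothetical example.

```powershell
# Added example: audit-then-block rollout of the ASR rules discussed above.
# GUIDs from Microsoft's ASR rules reference; verify before use. Run elevated.

#Requires -RunAsAdministrator

$asrRules = [ordered]@{
    'Block executables unless they meet prevalence, age or trusted-list criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block Office applications from creating child processes'                      = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'                      = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block Office applications from injecting code into other processes'          = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block credential stealing from LSASS'                                         = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block untrusted and unsigned processes that run from USB'                    = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $Ids,
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')] [string] $Mode
    )
    # Add-MpPreference merges with rules already configured. Set-MpPreference would
    # replace the whole list and silently drop rules pushed by GPO or Intune.
    # Ids and Actions must be parallel arrays of equal length.
    $actions = @($Ids | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Get-MpPreference reports actions as integers: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Id     = $id
            Name   = ($asrRules.GetEnumerator() | Where-Object Value -eq $id).Key
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# 1. Audit first: event 1122 records what each rule would have blocked.
Set-AsrRuleMode -Ids @($asrRules.Values) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# 2. Review audit events after a representative period. Each message carries the
#    rule ID, the offending process and the target, so false positives can be
#    excluded per file rather than by disabling the rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Exclusion for a legitimate tool that trips a rule (hypothetical path):
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\Macros\export.exe'

# 3. Promote to block mode once the audit log is clean; blocks then log event 1121.
Set-AsrRuleMode -Ids @($asrRules.Values) -Mode Enabled
Get-AsrRuleState | Format-Table -AutoSize
```

The first rule (prevalence, age or trusted list) is the one most likely to generate noise on workstations where users install niche or newly released software, which is exactly the trade-off the preceding Zero Trust discussion describes; running it in audit mode for a few weeks before enforcing shows how much of that friction a given environment would actually see.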

Conclusion

Zero Trust features in endpoint security products can be highly effective in environments like kiosks, where interactions are limited and predictable. However, for workstations used in everyday operations, the administrative burden, performance degradation, and user disruptions it introduces often make it impractical. While a very strict Zero Trust approach could potentially block 100% of malware, it would also overwhelm users and administrators with excessive false positives and maintenance requirements, making it less practical for day-to-day use.

Organizations should carefully evaluate whether the increased security provided by Zero Trust justifies the impact on productivity and maintenance. Using a reliable product that can block most attacks with minimal false positives, as verified by independent evaluations by organizations like AV-Comparatives, even without applying Zero Trust features, is ultimately more cost-effective and flexible across different environments. Built-in Windows security features such as ASR rules, AppLocker, and Controlled Folder Access offer strong protection with less complexity, providing cost-effective, easier-to-manage alternatives that deliver robust security.

By taking a balanced approach, organizations can secure their endpoints effectively while minimizing the operational challenges associated with Zero Trust deployments.

AV-Comparatives provides a separate certification test for OT (Operational Technology) and ZT (Zero Trust) solutions. Vendors interested in this certification are encouraged to contact us.

Award levels reached in this Business Security Test and Review

As in previous years, we are giving our “Approved Business Product” award to qualifying products. As we are conducting two tests for business products per year, separate awards will be given to qualifying products in July (for March-June tests), and December (for August-November tests).

To be certified in July 2025 as an “Approved Business Product” by AV-Comparatives, the tested products must score at least 90% in the Malware Protection Test, with zero false alarms on common business software, and an FP rate on non-business files below the Remarkably High threshold. Additionally, products must score at least 90% in the overall Real-World Protection Test (i.e. over the course of four months), with fewer than fifty false alarms on any clean software/websites, and zero false alarms on common business software. Tested products must also avoid major performance issues (impact score must be below 40) and have fixed all reported bugs in order to gain certification.

We congratulate the vendors shown below, whose products met the certification criteria, and are thus given the AV-Comparatives Approved Business Security Product Award for July 2025:

  • Avast
  • Bitdefender
  • Cisco
  • CrowdStrike
  • Elastic
  • ESET
  • G DATA
  • K7
  • Kaspersky
  • ManageEngine
  • Microsoft
  • NetSecurity
  • Rapid7
  • SenseOn
  • Sophos
  • Trellix
  • VIPRE

Copyright and Disclaimer

This publication is Copyright © 2025 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.

For more information about AV-Comparatives and the testing methodologies, please visit our website.

AV-Comparatives
(July 2025)
