Antimalware tools and techniques security pros need right now
A comprehensive collection of articles, videos and more, hand-picked by our editors
Choosing an endpoint antimalware protection product is no easy task. Ample research can help steer organizations toward the right decision, however, saving time and money in the long run. Read on for an overview of key factors to be considered, along with tips for streamlining the evaluation process, when looking to deploy endpoint security protection.
Evaluation criteria for endpoint antimalware protection products
Here are a few common criteria for evaluating endpoint antimalware products:
Platform coverage: Does the proposed product support the operating systems (OS) and versions running on all endpoints, such as Windows, Macintosh and/or Linux? Consider mobile devices too, which are typically iOS, Android, Windows Phone, BlackBerry OS or Symbian. Because most antimalware suites have a server component, ensure the product supports servers currently in use as well, along with any email and messaging platforms.
Feature set: Is the proposed product comprehensive? Does it provide all features the organization requires to provide layered protection? Often-required features include antivirus/antispyware protection, data-loss prevention, desktop firewall, device control, email protection, intrusion detection/prevention, support for virtual environments and website browsing protection. Each organization will require some or all of those items, and perhaps others such as data encryption, mobile device management (MDM), application control (whitelisting) and network access control. The key is to select a product that's the right size (best fit) for the environment today, while anticipating the endpoint security needs for the next few years.
Performance: This criterion includes detection rates, mainly for antivirus/antispyware, as well as system performance. In fact, performance is often cited by systems and network administrators as one of the most important factors to consider when deploying endpoint protection, and many admins eventually switch to a different antimalware protection products after finding out that their current product doesn't perform as expected. For example, an organization whose selection is based mainly on high detection rates for the antivirus/antispyware component may find computing resources required for scanning reduces system performance excessively, thereby delivering a poor end-user experience.
Here are some questions to consider regarding detection rates and performance:
- What is the average malware detection rate of the proposed product?
- How quickly does the vendor typically provide a new signature after a zero-day threat is discovered?
- How much memory is required for a default configuration?
- How much memory is required when all desired features are fully enabled?
- How much of the CPU resources are consumed for a default configuration?
- How much of the CPU resources are consumed for when all desired features are fully enabled?
- How much storage space is required for a typical installation?
It's important to remember that no single antimalware product is going to protect an environment against every threat. While researching products, keep track of a few free or low-cost products to run intermittently to catch malware that the primary product may have missed.
Manageability: This criterion involves system configuration requirements and usability of the management console. For each endpoint security product, what are the system configuration requirements? For example, which server operating systems does it support? And what are the general features of the management console? Does the console show status for all endpoints? Does the console provide pertinent details about endpoints, such as the last time a scan was run, the last update, items quarantined and so on? Can it push updates automatically, run remote diagnostics and send email or text alerts to admins? Be sure to check the types of reports that are available as well.
Price: Typically, endpoint protection products are purchased as licenses per user or per endpoint, often in 1-year, 2-year or 3-year increments. Vendors typically offer volume discounts for larger environments. License costs vary, but are usually $30 to $60 each, depending on the vendor and number of licenses purchased.
Legacy equipment can affect the cost of a product. If an organization runs a lot of legacy endpoints that are not supported by the product, determine whether a second product is needed for legacy devices as well as the average cost to replace legacy equipment (if that's part of the upgrade plan anyway). Other costs to consider are server costs, if upgrades or replacements are needed, installation time and effort and integration costs, if applicable.
Support: The level of support offered by a vendor can easily be a deciding factor between two antimalware protection products if all other criteria are met. Although a comprehensive product that's working properly shouldn't require a lot of tech support calls, initial setup can require a good deal of assistance (especially for smaller organizations), and a malware infection often results in at least one point of contact with the vendor.
Research answers to the following support questions:
- Does the endpoint antimalware vendor provide 24x7x365 telephone access to support engineers?
- How quickly does the vendor state it will respond to a call?
- Can the vendor provide remote, hands-on support?
- Are software updates and upgrades downloadable?
- Are software updates and upgrades part of the licensing fee?
- Are complete and detailed software manuals available?
- Does the vendor have a detailed online knowledge base that's easy to search?
- How many people may contact tech support for assistance? Some vendors offer contracts in which multiple employees are approved contacts.
- Is training available? Is it included in the licensing fee or is there a separate charge?
- Is support provided in non-English languages?
Tips for researching endpoint security products
The first step in the evaluation process is to create a matrix that lists each criterion and possible antimalware products, along with URLs of websites visited. For example, create a spreadsheet with criterion in the left column and each product under consideration listed across the first row. Create a separate tab to record URLs.
As research is gathered from various vendor sites, fill in the matrix as completely as possible. For smaller environments, creating one large spreadsheet with all URLs listed after the matrix might be the best approach. For midsize and larger environments, it might be best to create a separate tab for each criterion.
Be sure to search TechTarget sites for antimalware reviews and browse forums on other tech community sites. Find out what other network administrators have to say about specific products. In this part of the research process, look for trends rather than focus on specific comments. Everyone has an opinion; there will be conflicting information from different people regarding the same products. Remember that a product can run nearly flawlessly in one environment but experience problems in another because no two environments are exactly the same.
While perusing tech community forums, also note the comments regarding the number of times an administrator had to contact a vendor for support. This can reveal how well a product detects and/or removes malware automatically, as well as indicate usability and performance.
Regarding detection rates, browse independent software testing and rating websites such as AV Comparatives and the Virus Bulletin. They provide unbiased statistics and reviews of the most popular software packages.
Testing a proposed endpoint security product
Part of the research process should include testing products on the shortlist. Administrators highly recommend installing full software trials on test machines to find out how the software will actually perform on an organization's network. If trial software isn't available, contact the vendor directly to find out why. It probably won't be possible to test an actual malware infection (and organizations shouldn't seek one just to test the software), but the testing process provides a feel for how well the management capabilities work, the impact on system resources and other parts of the enterprise infrastructure. For example, an EICAR test file is available that lets an organization safely test the effectiveness of antimalware software, but it doesn't mimic real-world malware or zero-day threats.
In a nutshell, research the products as thoroughly as possible and pick two or three products that appear to be the best fit, especially with regards to feature set, performance, price and support. Then, you can map evaluation criteria to certain types of user environments, user scenarios and specific endpoint antimalware products to decide what is best for your organization.
After antimalware: Moving toward endpoint antivirus alternatives
Keeping pace with emerging endpoint security technologies