Buyer's Guide

Endpoint security tools: A buyer's guide

A collection of articles that takes you from defining technology needs to purchasing options

Fundamentals of endpoint security: Antimalware protection in the enterprise

Expert Ed Tittel explains how endpoint antimalware protects end-user devices and the networks they connect to from malicious code.

Endpoint antimalware protection is a type of application that actively works to prevent malware from infecting a computer. In many such products, the security technology extends to virtual desktops and mobile devices, as well as workstations and laptops.

Common types of malware that affect computers and all kinds of mobile devices include viruses, Trojan horses, worms, spyware, rootkits and the like.

The word "endpoint" in "endpoint antimalware" usually signals a product designed for centrally managed use within an organization (versus individual consumer use on a one-off or household basis), which could mean a small business, branch office, midsize company, government agency or enterprise.

With hundreds of thousands of distinct malware variants in the wild, and with cyberattacks on the rise, one critical issue for organizations of any size is ensuring strong protection against malware. Regulation adds its own pressure: PCI DSS explicitly requires antimalware software on systems that handle payment card data (Requirement 5), and organizations covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act must maintain safeguards against malicious software, which in practice means running antimalware as part of their compliance programs.

The beauty of endpoint antimalware software suites

Endpoint protection must be able to prevent malware attacks, protect users (while exchanging emails, browsing the Web or connecting devices), and stop the spread of any attacks that manage to succeed. To meet those goals, today's endpoint antimalware suites provide layered protection in the form of robust antivirus functionality -- including the ability to flag new or otherwise unknown threats for which no signature yet exists, often loosely called zero-day threats -- antispyware, email inbox protection, a host-based firewall, data loss prevention, warnings when visiting websites that could pose safety risks, and much more.

The beauty of such antimalware suites is that a single package with multiple functionalities presents a cohesive defense between external malware and internal systems and data. This kind of defense in depth uses different methods to stop malware, so an attempted attack or intrusion is unlikely to succeed simply by making its way through a single layer of protection. A suite is also easier for IT to manage than a collection of different applications from different vendors. The trade-off is worth keeping in mind: the suite's agent runs with system privileges on every endpoint and is itself a single point of failure, so its update mechanism and tamper protection deserve scrutiny during evaluation.

Think of a computer or device with endpoint antimalware installed as a heavily fortified castle with thick walls, a moat, steel gates and drawbridges. Guards -- inside and out -- constantly watch for suspicious activity, ready to block or slay the "dragons."

Characteristic features of endpoint antimalware protection

Here are some typical features found in these kinds of software suites:

  • Antivirus: Malware writers go to great lengths to create malware that can avoid detection and resist removal. Today's antimalware products typically combine signature-based scanning with heuristic and behavioral analysis and cloud-based global threat intelligence to recognize and root out malware on systems and prevent infections in the first place. (A signature matches a specific, already-known file or code pattern; heuristics instead flag code by traits shared with malware seen before, such as suspicious structure, packing, the APIs it references or the actions it takes when run.) Signatures alone cannot catch a threat nobody has seen yet, so the heuristic and behavioral layers are what give a product a chance against zero-day threats, which have historically posed major challenges to IT security teams.
  • Antispyware: A malicious spyware infection is probably easier to pick up than a common cold, and it's a major threat to protecting sensitive or confidential data. Antispyware software runs constantly in the background to block spyware installation, regardless of the source.
  • Data loss prevention (DLP): The technologies involved in DLP aim to protect data that leaves the security of the internal business network, whether it's via email messages, USB drives, on a laptop or mobile device, or uploaded to the cloud.
  • Desktop firewall: Although a network should always be protected by a firewall, a second firewall running on the endpoint is another layer of defense. It filters traffic the perimeter firewall never sees, such as connections from other hosts on the same network segment, and it can block outbound connections from malware that has already landed on the machine.
  • Device control: Malware can infect a computer that isn't connected to a network or the Internet. Connecting a USB device to a computer or installing software from a CD or DVD always runs the risk of transferring an infected application to the target machine. Device control lets IT restrict or block the use of removable media and other peripherals by setting and enforcing device access rules, for example allowing only approved device types or models, or making removable drives read-only.
  • Email protection: This component of antimalware suites attempts to filter out phishing emails, spam and other messages that carry malicious or otherwise suspect content.
  • Website browsing protection: Also referred to as reputation technology, most antimalware suites consult some type of ratings database that indicates whether a website is safe to browse. With this type of protection in place, websites rated as unsafe will not be opened; users receive a warning instead. Reputation databases lag reality, however: a freshly registered or newly compromised domain has no rating yet, so this layer complements rather than replaces the others.

In addition to the above features, some endpoint antimalware suites roll in intrusion detection and prevention functionality, application control and network access control. Some packages also perform patch assessment and management, in which system threats are assessed and the most critical patches are applied first, as well as vulnerability assessments and even full-disk encryption to protect stored data.
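As an added illustration of the signature-plus-heuristics layering described in the antivirus bullet above (example code written for this guide, not taken from any vendor's product), the following Python builds a toy scanner with three layers: an exact SHA-256 signature match, a count of suspicious strings, and a byte-entropy check for packed payloads. The sample "files", the signature set, the string list and the thresholds are all constructed inline. The point it makes is that a one-word change to a known sample defeats the signature but not the heuristics, and the entropy check catches a packed blob that matches nothing else.

```python
"""Toy layered file scanner: exact signature match plus two cheap heuristics.

Added example for this article; it is not code from any endpoint product.
The sample "files", the signature set and the suspicious-string list are all
constructed inline for illustration.
"""
import hashlib
import math
from collections import Counter

# Constructed heuristic indicators: API names and command fragments that rarely
# occur together in benign files. Two or more hits count as a heuristic detection.
SUSPICIOUS_STRINGS = [
    b"VirtualAllocEx",
    b"WriteProcessMemory",
    b"CreateRemoteThread",
    b"cmd.exe /c",
    b"powershell -enc",
]
HEURISTIC_MIN_HITS = 2

# Packed or encrypted payloads have near-uniform byte distributions (entropy
# close to 8 bits/byte). Plain text and ordinary executables sit well below.
ENTROPY_THRESHOLD = 7.2


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed samples. ORIGINAL stands in for a malware file the vendor has seen;
# VARIANT is the same file with one string changed, as a malware author would do
# to defeat exact-match signatures; PACKED stands in for an encrypted payload.
BENIGN = b"#!/bin/sh\necho hello from a harmless script\n" * 4
ORIGINAL = b"MZ\x90\x00 VirtualAllocEx WriteProcessMemory CreateRemoteThread cmd.exe /c whoami"
VARIANT = ORIGINAL.replace(b"whoami", b"hostname")
PACKED = bytes(range(256)) * 8

# Signature database as if the vendor had shipped a definition for ORIGINAL only.
KNOWN_BAD_SHA256 = {sha256_hex(ORIGINAL)}


def scan(data: bytes) -> dict:
    """Return a verdict combining the signature layer and the heuristic layers."""
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    entropy = round(shannon_entropy(data), 2)
    verdict = {
        "signature": sha256_hex(data) in KNOWN_BAD_SHA256,
        "heuristic_hits": hits,
        "entropy": entropy,
        "reasons": [],
    }
    if verdict["signature"]:
        verdict["reasons"].append("known-bad hash")
    if len(hits) >= HEURISTIC_MIN_HITS:
        verdict["reasons"].append(f"{len(hits)} suspicious strings")
    if entropy >= ENTROPY_THRESHOLD:
        verdict["reasons"].append(f"entropy {entropy} (possibly packed)")
    verdict["malicious"] = bool(verdict["reasons"])
    return verdict


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("original", ORIGINAL),
                         ("variant", VARIANT), ("packed", PACKED)]:
        v = scan(sample)
        print(f"{name:9} malicious={v['malicious']!s:5} reasons={v['reasons']}")
```

Run it to print one verdict per sample: the original is caught by both layers, the variant only by the string heuristic, and the packed blob only by entropy. The entropy layer is also the one most prone to false positives, since compressed archives and encrypted documents are legitimately high-entropy; real products weigh it together with file type, origin and observed behavior rather than using it alone.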

Deploying and managing endpoint antimalware products

Typically, endpoint antimalware products require an administrator to install a management console on a server to help manage clients, product licenses and logs.

This step also creates a database containing settings, privileges, events and security policies. An organization that's very large or has multiple sites may need to install additional management servers for performance reasons, as well as to replicate data. The next step is to install software (sometimes referred to as an "agent") on client computers and devices, either directly or across the network.

Regardless of the approach taken, clients must be configured for client software updates (automatic or pushed from the server) and virus definition updates, at a minimum. Configuring updates is not the same as receiving them: the management console should report, and administrators should routinely review, endpoints whose definitions or agent version are stale or that have stopped checking in altogether, since an unprotected machine that still appears in the inventory is easy to overlook.
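The deployment steps above end with clients configured to update themselves. As an added example (written for this guide, not any vendor's console code), the following Python turns agent check-in records into the health report an administrator would want from the management server. The record layout, the thresholds and the four check-in records are assumptions constructed for the example; the failure modes they exercise are real ones: stale definitions, an out-of-date agent, real-time protection switched off, and an endpoint that has stopped reporting at all.

```python
"""Fleet health report from endpoint agent check-in records.

Added example for this article; not code from any vendor's management console.
The record layout, thresholds and check-in records are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds for the report (illustrative, not from the article).
MAX_DEFINITION_AGE = timedelta(days=3)
MAX_CHECKIN_AGE = timedelta(days=7)
CURRENT_AGENT_VERSION = "12.4.1"


@dataclass
class CheckIn:
    hostname: str
    agent_version: str
    definitions_updated: datetime   # when the client last pulled new definitions
    last_seen: datetime             # last contact with the management server
    realtime_protection: bool


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def assess(record: CheckIn, now: datetime) -> list:
    """Return the problems found for one endpoint (an empty list means healthy)."""
    problems = []
    if now - record.last_seen > MAX_CHECKIN_AGE:
        # Nothing else in a stale record can be trusted: the host may be off,
        # decommissioned, or the agent may have been removed. Report that alone.
        problems.append("not reporting")
        return problems
    if now - record.definitions_updated > MAX_DEFINITION_AGE:
        problems.append("stale definitions")
    if _version_tuple(record.agent_version) < _version_tuple(CURRENT_AGENT_VERSION):
        problems.append("outdated agent")
    if not record.realtime_protection:
        problems.append("real-time protection off")
    return problems


def fleet_report(records, now: datetime) -> dict:
    """Map each hostname to its problem list; healthy hosts map to []."""
    return {r.hostname: assess(r, now) for r in records}


# Constructed check-in records, as if read from the console's database.
NOW = datetime(2014, 12, 15, 9, 0, tzinfo=timezone.utc)
FLEET = [
    CheckIn("ws-001", "12.4.1", NOW - timedelta(hours=6), NOW - timedelta(hours=1), True),
    CheckIn("ws-002", "12.4.1", NOW - timedelta(days=9), NOW - timedelta(hours=2), True),
    CheckIn("lt-017", "12.3.0", NOW - timedelta(days=1), NOW - timedelta(hours=3), False),
    CheckIn("lt-042", "12.4.1", NOW - timedelta(days=20), NOW - timedelta(days=20), True),
]

if __name__ == "__main__":
    for host, problems in fleet_report(FLEET, NOW).items():
        print(f"{host:8} {'OK' if not problems else ', '.join(problems)}")
```

The "not reporting" case is checked first and short-circuits the others on purpose: a host that has not contacted the server in a week would otherwise also show up as having stale definitions, which hides the more important question of whether the agent is still installed at all. In a real deployment the same logic would run against the console's own inventory export or API rather than an inline list.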

Overall, endpoint antimalware protection is an important and necessary element in any organization's security infrastructure -- though it shouldn't be the only element organizations implement. Before diving in, IT managers and security specialists should assess their environments to determine what they need specifically to protect, and should look ahead three to five years at how their environment is expected to change.

It's also a good idea to research several highly rated endpoint antimalware packages to see how their features compare, determine which packages are most suitable to the organization's size and needs, and keep an eye on costs to get the best product for the budget.

This was last published in December 2014
