This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners: Simply the best."
Download it now to read this article plus other related content.
Sophos Endpoint Security
REVIEWED BY TOM LISTON
Price: $16,000 per annual subscription
Securing an enterprise against Internet threats is difficult enough without having to deploy and manage separate security applications for each emerging problem.
Sophos Endpoint Security provides a single enterprise-wide interface for deploying and managing Sophos Antivirus 6.0 and Sophos Client Firewall. In the meantime, the latest version of Sophos' antivirus tool has been bolstered with the ability to recognize and block the execution of spyware.
Intuitive and easy? We were able to scan our test network for assets, install, configure, and test Endpoint Security without consulting the documentation.
The one significant configuration shortcoming that Sophos should address is that there doesn't appear to be a way to hide the security app from users. While Endpoint Security monitors and alerts when client configuration deviates from policy, or if a user disables the product, it would be better to simply remove temptation.
Endpoint Security integrates with Cisco's Network Admission Control, providing the ability to exclude machines that don't meet corporate security policy.
Policy Management A-
Sophos has put a great deal of thought into Endpoint Security's management interface. Named policies can be created with fine-grained control over antivirus or firewall settings, and then applied to manually created or Active Directory-based groups of machines.
Subgroups can automatically inherit the policies of their parent group; moving one or more machines from one group to another is a simple drag-and-drop operation. You can view groups in two different ways: by policy, and policies by group--a good way to avoid mistakes editing rules.
The only drawback is that inherited policies are not new, editable controls--you have to create new rules for subgroups to modify them.
More information from SearchSecurity.com
Check out our Identity and Access Management Security School on demand, and take our Endpoint Security quiz.
Read up in endpoint security with this technical tip.
We tossed a wide range of older viruses at Antivirus 6.0 and, as expected, it was able to identify and block them. Sophos managed to identify five of seven newer viruses, for which some vendors had yet to release signatures, placing it squarely in the middle of the pack of other products tested against the same collection.
When tested against a collection of widely available spyware/adware, Sophos performed slightly above average, blocking the installation of 11 of 15 samples.
One problem seems to be that Sophos relies heavily on signatures; rewriting viruses that it previously identified caused it to fail to block copying of the executable. Additionally, when tested with a beta version of Spycar 2.0--test software that mimics spyware behavior--Sophos failed to block any spyware-like behavior. (Spycar was developed by the reviewer's company, Intel-guardians, and first applied in Information Security's May 2006 review of antispyware products.) Sophos was solidly above average, but didn't approach excellent.
The built-in reporting tools offer access to a wide variety of information; SmartViews, a filtering mechanism that allows you to choose to report on, for example, all desktop machines, is an intuitive tool for driving the various reporting mechanisms. However, this rather atypical approach might not suit enterprises that want consistency in their reporting tools.
Sophos Client Firewall and Antivirus 6.0 are capable products, and the powerful and easy-to-use management system makes for an attractive package.
Testing methodology: The test network consisted of a heterogeneous Windows/Linux environment running Active Directory. Endpoint Security was run from a Windows 2000 server. Viruses/spyware were introduced to the system by attempting to copy them from a shared directory on an unprotected system.
This was first published in October 2006