This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
Trend Micro and Symantec came next in our exploit testing. Neither identified nor blocked a single client exploit. Trend Micro support personnel indicated that the HIPS protection it licensed from Third Brigade (like the protections offered by other vendors) is often configured by default to look for browser exploits only on TCP ports 80 and 8080. Again, independent of our scoring, we tweaked our test to verify this claim, and Trend Micro did detect our attacks on those ports. Administrators can add lists of additional ports for browser and other HTTP-related defenses. Ideally, an admin would configure the endpoint security suite so that it monitored for HTTP and HTTPS attacks on every port allowed out through the enterprise's network firewall. In many organizations, unfortunately, the number of ports allowed outbound is rather high and changes on a regular basis, making this synchronization of network firewall and endpoint security tool difficult.
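To make the synchronization problem above concrete, here is an added example (not from the article or any vendor's tooling): a small Python check that expands a firewall's outbound rule list and reports which reachable TCP ports the host IPS's HTTP inspection list does not cover. The rule format ("tcp/80", "tcp/8000-8002") and all port values are constructed for illustration.

```python
"""Gap check: outbound TCP ports a client may reach that the host IPS does
not inspect for HTTP/HTTPS exploits.

Added example, not from the article or any vendor product. The rule
format is invented: an egress rule is "proto/port" or "proto/low-high",
and the HIPS inspection list is a set of TCP port numbers.
"""
from typing import Iterable, List, Set, Tuple


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'443' -> (443, 443); '8000-8099' -> (8000, 8099)."""
    low, _, high = spec.partition("-")
    lo, hi = int(low), int(high or low)
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def allowed_tcp_ports(egress_rules: Iterable[str]) -> Set[int]:
    """Expand egress rules such as 'tcp/80' or 'tcp/1024-65535' into the
    set of TCP destination ports a client is allowed to reach."""
    ports: Set[int] = set()
    for rule in egress_rules:
        proto, _, spec = rule.strip().lower().partition("/")
        if proto != "tcp":  # HTTP(S) inspection only applies to TCP
            continue
        lo, hi = parse_port_spec(spec)
        ports.update(range(lo, hi + 1))
    return ports


def uninspected_ports(egress_rules: Iterable[str],
                      hips_ports: Iterable[int]) -> List[int]:
    """Ports reachable outbound but absent from the HIPS inspection list;
    an empty result means firewall and endpoint suite are in sync."""
    return sorted(allowed_tcp_ports(egress_rules) - set(hips_ports))


# Constructed sample: a HIPS left at the 80/8080 default the article
# describes, against a firewall that also permits 443, 8443 and a small
# high-port range outbound.
FIREWALL_EGRESS = ["tcp/80", "tcp/443", "tcp/8080", "tcp/8443",
                   "tcp/8000-8002", "udp/53"]
HIPS_DEFAULT = {80, 8080}

if __name__ == "__main__":
    gap = uninspected_ports(FIREWALL_EGRESS, HIPS_DEFAULT)
    print("Outbound TCP ports not inspected for HTTP exploits:", gap)
```

Re-running the check whenever the firewall's egress policy changes is what keeps the two configurations aligned.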
Both Trend Micro and Symantec detected and blocked all of our services exploits, but neither detected our zero-day attack.
CA fared worst of the seven products in this series of tests, failing on most. It didn't detect or block any of the client exploits with its default security policy. Although not part of the scoring, we experimented with its "Restrictive Policy," which did block all of the exploits, but also prevented Firefox from accessing the network.
The next set of results was, if anything, poorer, as it did not alert on or block our services exploits, even when we applied the Restrictive Policy.
The one success was that CA detected and blocked our zero-day exploit under default policy.
This was first published in November 2007