Sophos is one of the leading corporate endpoint security vendors, and its Endpoint security product line is aimed at SMEs with as few as 10 users up to 500 or more -- the only prerequisite is that someone in the organization must be able to manage and configure it.

What makes the company unusual is that, uniquely amongst its main competitors -- McAfee, Symantec, Trend Micro and Kaspersky, Sophos concentrates its efforts on the business market and has no consumer antivirus offerings at all.

One result of this is the Sophos name is far less well known outside corporate IT circles than these other four security vendors. But there other potential implications, as well.


Andreas Marx, CEO of Germany-based security testing company AV-Test said that security vendors tend to introduce new features into their consumer products well before the same features are introduced into their business offerings, allowing time for any problems to be ironed out. These vendors also use the large installed base of their consumer products as "sensors" that collect information about new viruses and send it back to the vendor for analysis. Ultimately, this information may be used to create new antivirus signatures or to flag a particular web site as untrustworthy.

But Jonathan Shaw, a product manager at Sophos, denies that the lack of a consumer offering may put Sophos at a disadvantage.

"In terms of testing new features, just because they have been validated by consumers doesn't mean they will work for businesses. That's because a business's network is very different from a consumer's home Internet connection."

Features that make heavy use of Internet connectivity could play havoc in a business environment with hundreds of endpoints using the same LAN and WAN connection, for example. Shaw also rejects that a lack of consumer sensors is a weakness for Sophos.

"You can be exposed to quite different types and sources of malware as a consumer than as a business. For example, infected porn websites aren't so relevant to businesses," he said. "That means that having a big consumer base doesn't give you a much bigger source of relevant data. I don't think there is a significant level of difference."

Aside from a strictly business-only approach, Sophos' philosophy also involves making its Endpoint security product as simple as possible for end users. "We don't let them make decisions as we don't feel they will generally have the expertise to make them. The administrator has a centralized view of everything that is going on, so if an item is detected and blocked, the admin will see it and decide to allow it if they want," Shaw explained.

The product's core functionality is antivirus protection and Sophos employs the usual range of techniques to achieve this: virus signatures for individual specimens as well as whole families of malware, behavioral monitoring and a reputation based system.

Consistent with Sophos "keep it simple" philosophy, the product's behavioral monitoring aims to involve the end user as little as possible.

"We think that we can work out the heuristics better than end users, so we create various (behavior) rules which are distributed to our customers -- things like what registry keys are being modified, or what data is being saved. This results in very few false positives, and most things that are detected will turn out to be zero-day malware that should be blocked," said Shaw. False positives -- perhaps due to internal business applications -- can be unblocked by administrators, he added.

Sophos' reputation system is called Live Protection, and like most such systems it maintains a database of known malicious files and URLs that are automatically blocked. "Basically, if something looks dodgy, we can check to see if we have come across the item in question before," he explained.

Perhaps because of its English heritage (Sophos is jointly headquartered in rural Oxfordshire as well as in Massachusetts) the company seems strangely reticent to talk about its strengths. But Peter Dietsch, a senior support engineer at Brooklands College near London, has no such qualms.

Dietsch was responsible for rolling out Sophos' Endpoint protection to around 5,000 computers after the college's previous anti-malware product failed to prevent the Conficker worm from infecting thousands of its desktops, servers and laptops.

"I decided to test Sophos' software after a recommendation, and it cleared Conficker off my machine," said Dietsch. "We then rolled the product out onto all our machines including virtual and physical servers and it has been fantastic . It got rid of the thousands of cases of Conficker on our machines straight away, as well as finding more viruses that our previous vendor's product also missed."

He said that many of the college's computers are "legacy machines" that need replacing, but they run the Sophos client software without problems. "The footprint is actually very small, and we have seen no degradation of performance, even during updates."

The Endpoint client also includes a client firewall, and a device control component that gives administrators control over the use of USB memory sticks, removable drives, CD drives and wireless networking protocols including Wi-Fi, Bluetooth and infra-red connectivity. Usage policies provide administrators with a degree of flexibility so that, for example, they can allow senior managers to use encrypted USB keys while blocking the use of USB keys by all other users.

Pricing: Sophos Endpoint for 200 to 499 users is $18 per user/per year.

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.