McAfee's Endpoint Protection Suite (EPS) relies on standard anti-virus technologies to protect Windows-based desktops, laptops, and servers. It is aimed at small to mid-sized and larger enterprises with between 100 and 1000 users, but can be used in even smaller organizations or scale to many thousands of users.

Signature-based virus protection is an area in which McAfee is highly experienced. Using EPS, your endpoints can download new signature files directly from McAfee, or you can host a proxy server which downloads the signatures and passes them on to endpoints over your local area network.

McAfee also operates a malware data-gathering network called McAfee Global Threat Intelligence (GTI), which it uses to identify emerging threats as they break out around the world. In common with similar networks operated by the likes of Symantec, Trend Micro, and Kaspersky, GTI collects information about malware encountered by its sensors -- which include business and consumer endpoints using McAfee security software. The information is sent back to McAfee, which maintains a blacklist of malicious files. Endpoints check this blacklist before opening any file, offering protection against these malicious files within a few seconds of their first being encountered, well before a specific signature for the file has been developed. Administrators can configure the level of protection from blacklisted files; they can be blocked, quarantined, or downloaded.

Behavioral analysis also monitors the activities of files at run time, blocking or providing a warning when files attempt to carry out suspicious or unexpected actions on your computer -- such as modifying certain parts of the registry, altering core operating system components, or attempting to download other files. Sandboxing technology allows unknown applications to run in an isolated environment similar to a virtual machine, so that any actions they take can't affect the rest of the system.

Somewhat surprisingly, Endpoint Protection Suite does not yet leverage the DeepSAFE kernel monitoring technology that McAfee has developed with parent company Intel, which acquired McAfee for $7.7 billion in August 2010. DeepSAFE is a hardware-assisted security platform that operates below the operating system level, similar to a hypervisor, to protect against rootkits and other stealthy malware. DeepSAFE is currently offered only in McAfee's Deep Defender product.

Low Error Rate

According to independent anti-virus testing organization AV-Comparatives, Endpoint Protection Suite's strength is its low rate of false positives. That's a key feature in an enterprise environment, said the organization's co-founder, Peter Stelzhammer.

"Corporate administrators are looking for features like very few false positives because they can be as bad or worse than an infection in terms of the disruption they cause," Stelzhammer said. "The detection rate of McAfee is not at the top level, although it is still one of the better ones," he added.

In addition to its traditional malware detection capabilities, EPS lives up to its name as a protection suite by offering some useful extra components, including a firewall. Software firewalls tend to be of limited use as they can often be switched off by malware -- and the firewalls built in to the current generation of Microsoft operating systems are fairly good anyway -- but the EPS firewall goes a few steps further as it is able to communicate with McAfee's GTI and uses reputation information to make decisions about traffic that should be blocked based on other McAfee customers' experiences.

Endpoint Protection Suite also uses the GTI reputation network to provide protection against malicious "drive-by" attacks and other web security threats by warning users or blocking access when users attempt to access a known malicious web site.

The suite also includes a device control component that functions as a lightweight Data Loss Prevention (DLP) feature. It is designed to prevent certain types of critical data -- such as social security numbers or credit card details -- from being taken out of your organization on USB sticks, iPods, recordable CDs, DVDs, or Bluetooth devices. This enables you to monitor and control data transfers from protected desktops even if they are physically disconnected from the network. It's useful, and probably even covers some compliance angles (although McAfee recommends using a full-blown DLP solution for compliance purposes).

The final part of the suite is the administrator management system, called McAfee ePolicy Orchestrator (ePO). This is a centralized console from which you can deploy EPS to endpoints; check that the software is installed, running, and up to date; and create and deploy policies (such as specifying that suspect sites should be blocked rather than a warning displayed). A key benefit of ePO is that it is the common management platform for all McAfee's security products. That means that you can use a single instance to manage EPS clients as well as desktops running half a dozen other McAfee products, or those using McAfee Software as a Service (SaaS) products. That extends to policies too: policies set for one product will also apply to any other McAfee products or services in use in your organization.

Pricing for McAfee Endpoint Protection Suite (License + 1 Year of Maintenance): 100 users = $45.29 per user. 250 users = $39.63 per user.

Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.