Review: Microsoft System Center 2012 Endpoint Protection
While Microsoft System Center 2012 Endpoint Protection offers deployment and management convenience, its anti-malware engine is weak in comparison to competitors.
You may not have heard of Microsoft's System Center 2012 Endpoint Protection anti-virus product, most likely because until October 2011 it was known as Microsoft Forefront Endpoint Protection 2010.
The name change is significant because Forefront is Microsoft's enterprise security product brand, but Microsoft now considers anti-virus to be a part of systems management. Endpoint Protection is now one of the components included in both the Standard and Data Center editions of its System Center 2012 management suite, and Microsoft has attempted to integrate Endpoint Protection with System Center Configuration Manager to make anti-virus protection easier to deploy and manage.
The Good: Centralization
The thinking behind offering the product through Microsoft System Center 2012 is that endpoint protection becomes just another application to centrally deploy and manage, rather than needing to run an enterprise endpoint protection vendor's management console to deploy and manage anti-virus measures. "The convergence of client management and security eliminates the expense of purchasing and maintaining separate solutions," Microsoft explained. "The shared infrastructure also provides the enterprise-scale performance of Configuration Manager, making deployment and configuration faster and easier for even the largest organizations."
Peter Firstbrook, an analyst at Gartner, says that bringing endpoint protection into System Center makes sense. "You can deploy security separately from monitoring a device, but patching and configuring has security implications so the two roles are intertwined."
The Bad: Anti-Malware Capability
Although the move is a good idea in principle, Firstbrook says the results have been disappointing. "There is no new functionality, and the integration has not been done that well. Some things can be managed from System Center, but other things, like the firewall, can't."
Making Endpoint Protection a part of System Center is a risky move by Microsoft, because it effectively rules out any company that chooses not to use System Center as a management platform. But even for companies that do choose to implement System Center, Endpoint Protection may not necessarily be the best choice. Despite the benefits of having endpoint protection integrated into Microsoft's management platform, the protection it offers is not that impressive.
To understand why not, it's important to realize what it is that Microsoft is offering. "System Center 2012 Endpoint Protection uses the same industry-leading anti-malware engine as Microsoft Security Essentials" is how Microsoft puts it.
But "industry-leading" is a debatable claim. Microsoft Security Essentials' anti-malware engine is fairly basic, despite having been updated in May 2012. It scores poorly in terms of detecting new malware.
A test conducted by AV-Comparatives found Microsoft performed worst out of the 15 anti-virus products under scrutiny in terms of detecting new and prevalent viruses. It caught just 93.1 percent of the samples tested, compared to 99.3 percent for Kaspersky and 98.6 percent for McAfee. "A good file detection rate is still one of the most important, deterministic and reliable features of an anti-virus product," said AV-Comparatives' Peter Stelzhammer.
One reason for Microsoft's poor detection rates may stem from the fact that it is constrained in what it can do compared to other vendors, according to Simon Edwards, technical director of Dennis Technology Labs. "While other vendors use undocumented features of the operating system, Microsoft is constrained from using these features because if it did use them it would have to document and support them. So for that reason it is at a technical disadvantage," he explained.
But Gartner's Firstbrook believes poor detection rates are due to the fact that Microsoft's anti-malware engine is just too basic. "Other engines from the likes of Kaspersky, McAfee or Trend Micro employ URL filtering and other pre-filters to block malware coming on to the system before using behavioral protection and signature files. But Microsoft employs no pre-filters, and its signatures are simply not up to snuff. The result is that the protection it can offer is not that great."
He pointed out that Microsoft's poor signature-based detection could be mitigated to an extent if endpoints were kept up to date and patched through System Center Configuration Manager. But System Center only patches Microsoft software, doing nothing to ensure that common third-party applications such as Adobe Flash are updated to remove vulnerabilities.
A Final Point: False Positives
While detection rates are important, they are not the only significant thing to measure. False positives - where an AV product identifies an innocent file as malware - can be far more disruptive and costly to a large enterprise. False positives can make files unavailable to end users, and if the file is a common one then the AV software may report wrongly that hundreds or thousands of machines are infected.
Microsoft's anti-virus engine scores very well when it comes to false positives. In tests with the same group of products, Microsoft came out best, producing zero false positives, compared to nine from Kaspersky and 428 for Webroot.
"A product that is successful at detecting a high percentage of malicious files but suffers from false alarms may not be necessarily better than a product which detects less malicious files but which generates less false alarms," Stelzhammer concluded.
To use Endpoint Protection in System Center 2012, it is necessary to buy an Endpoint Protection subscription for each device that runs a non-server OS. Microsoft currently charges around $22 per endpoint per year for a two-year subscription.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.