Review: Symantec Endpoint Protection 12.1

Symantec's Endpoint Protection (SEP) 12.1 business anti-malware product, released July 6th, is the first of a new generation of security products that will be hitting the market over the coming months.

The threat landscape has changed radically since 2007, when the previous version of Symantec's endpoint security software was released, SEP 11. Back then it and most competing products relied heavily on frequently updated databases of virus signatures to spot malware when it arrived on a computer. With a total of just about 250,000 viruses to watch out for, this approach was practical and effective.

But in the last few years the rate of malware creation has increased dramatically: about 55,000 new pieces of malware appear every day, according to Symantec. Many of these are created using malware authoring kits, which can generate thousands of variants of a single instance of malware -- each with a different signature.

The result is that any given virus may only be distributed to a handful of end user computers, and 75% of malware infects fewer than 50 machines.

No security software vendor can generate virus signatures at the rate of 55,000 per day, so protection based on creating virus signatures alone is no longer practical.

"Signature-based malware detection has been limping along on life support for years, yet vendors seem unwilling to aggressively invest in more-effective solutions, preferring to "tweak" the existing paradigm," is how Gartner put it in a recent research note.

In fact, Symantec and other leading security software vendors have already moved on from relying exclusively on virus signatures in their consumer security products with the introduction of cloud-based "reputation" technology, and dynamic or behavioral protection which seeks to detect previously unseen malware by recognizing malicious behavior. But business security software is updated far less frequently than consumer security software (a new version is typically released every year) and it is only now that the technologies, proven in consumer products, are making their way into the latest generation of business editions.

What's new

SEP 12.1 includes cloud-based reputation technology in a feature the company calls Insight. Insight collects data from about 175 million endpoints -- mainly other Symantec customers -- and gives individual files a reputation score based on factors such as age, prevalence, source and behavior.

Malware variants may well be flagged as suspicious precisely because they are new and have not been widely reported by other endpoints, for example, and newly discovered sources of malware can be blocked. The Insight system also allows known "good" files to be white listed and skipped during security scans. This can improve machine-level performance by reducing scan overhead by up to 70%, Symantec claims.

Talking at a security conference earlier this year, Eugene Kaspersky, co-founder of security vendor Kaspersky Lab, said that cloud components like Insight are likely to have a significant impact on security products: "Malware that cloud systems can't detect is much harder to develop. That means the entrance ticket for cybercriminals is much higher, and junior cybercriminals can't get involved."

But cloud-based protection is by no means perfect, and hackers are already finding ways to get around it, said Andreas Marx, CEO of Germany-based security testing company AV-Test. "They are definitely getting more tricky. For example, malware writers are trying to tune their malware files so that they are not detected by reputation systems, perhaps by infiltrating it onto well known websites so that it is downloaded from pages with good reputations."

The other significant consumer feature that has now been added to SEP 12.1 is Symantec Online Network for Advanced Response (SONAR), which provides dynamic or behavioral based protection. A version of this technology has been included in Symantec's Norton consumer security products since 2007, and is based on software developed by a company called WholeSecurity, which Symantec acquired.

SONAR spots possible malware by analyzing suspicious behavior such as connecting to a site and downloading files without opening a visible window.

How it rates

Given that all the major security vendors have very similar signature-based anti-malware engines, the big question is whether the inclusion of additional security technologies such as those in Insight and SONAR really makes any difference.

A comparative review of six corporate endpoint security products commissioned by Symantec and carried out by AV-Test suggests that it does. It rated SEP 12.1 the best at blocking or removing malware in direct or "drive-by" downloads, with Symantec's product scoring 100 in the tests, compared to 74 for Sophos's competing product, 40 for Trend Micro's, 34 for Kaspersky's, 17 for Microsoft's and 10 for McAfee's.

"Symantec has been good at implementing good technology in its consumer products, where they have effectively been beta tested. Now they have become the first to implement the full suite of protection technologies into their enterprise products," said Marx. "The other vendors have been a bit slower."

The Small Business Edition of SEP 12.1 was also ranked first in performance tests when compared to similar products from ESET, Kaspersky, McAfee and Trend Micro. The tests were commissioned by Symantec and carried out by Australian testing company PassMark Software.

SEP 12.1's on-demand and scheduled scans took less than half the average time of all these products, suggesting that Symantec's Insight system may indeed be helpful in reducing scan times.

Jon Oltsik, a security analyst at Enterprise Strategy Group, believes that the inclusion of the full suite of protection technologies will be vital for all security vendors in the future.

"Endpoint security products should offer defense-in-depth (DID) capabilities for all types of threats. Progressive vendors are also using intelligence gathered from their install base and security intelligence to offer much more proactive protection. If your vendor is not doing this, there is a problem," he said in a blog posting.

AV-Test's Marx cautions that Symantec's strong test results may simply be attributable to the fact that SEP 12.1 is the most recent product to be released, and therefore the most advanced.

"Trend Micro, Kaspersky and Symantec are all really on the same level when it comes to protecting users," he said. "Endpoint Protection 12.1 may be one of the best on the market at the moment because the others haven't yet implemented all the protections that are commonly in consumer products into their enterprise products yet. McAfee and Microsoft will also do their best to add new protection technologies to their products. Things could all change when they do become available in the coming months."

In the real world, SEP 12.1 has been deployed in organizations such as Varian Medical Systems, a California-based maker of medical devices and associated software. So far the company is using SEP 12.1 on almost 1400 Windows workstations, six Macs running OS X and 90 Windows servers, including 70 virtual servers. They replaced Symantec's previous SEP 11 product.

"We've certainly had less infections on our machines with the new software, and we've seen less infections arriving because they have been blocked by the reputation system," said David Nguyen, the Varian system administrator responsible for testing the software.

SONAR's behavioral protection is also working well. "[The] behavioral rules are very strict, so we have been able to just run it out of the box to prevent users installing toolbars or peer to peer software like Kazaa," he said.

The software blocked some in-house applications and remote access software from running, but Nguyen re-enabled them by creating exclusions for those products.

The quick "Active Scans" that Symantec now recommends as a best practice are much faster and less resource intensive than the full disk scans that were used with SEP 11 and which brought users' computers and virtual servers almost to a standstill, Nguyen said. "We don't hear any complaints from users anymore."

SEP 12.1 is available in a Small Business Edition for companies with up to 99 end users. A cloud-based version called Symantec Endpoint Protection.cloud is available for up to 250 users, and a full on-premise version is available as well for organizations with 100+ users.

The Small Business Edition includes antivirus and antispyware protection, firewall and intrusion detection/prevention, as well as Insight and SONAR and support for Mac OS X.

The cloud-based version offers the same features with a management system hosted in the cloud and accessed by a Web browser, while the full version has a locally run central management console as well as support for Linux-based endpoints, device and application blacklisting and support for network access control (NAC) and VMware, Citrix and Microsoft-based virtual environments.

MSRP for SEP 12.1 runs $31.80 to $54.18 per seat, per year; and SEP 12.1 Small Business Edition runs $23.65 to $36.74 per seat, per year.

Paul Rubens has written about business IT as a staff and freelance journalist for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.