Hi all,
I am going to use Symantec Endpoint Security as an antivirus solution. I have gone through some forums and they said Endpoint is a good product when compared to other antivirus products in the market.
Please let me know your own suggestions and any errors you have come across…
The operating systems which I want to install are:
XP
Vista
Windows 2008 server
and maybe Windows 7
Thanks
Malinda
Tough question. If ease of manageability and a trusted brand name are what matter most, then Symantec is one of the good options available. As a product it's not bad, but of late the quality of detection and repair has left a lot of room for improvement.
Every vendor will give you the same sales pitch about VB100 awards, etc. as to why their product is better than the rest, but the real test is when you use it in a real environment. If your core network perimeter and policies are sound then Symantec is a good option. Endpoint has good management, reporting and deployment features, though not as good as McAfee's. Symantec's MR3 release of Endpoint fixed a lot of performance issues and bugs that affected previous versions (so make sure you only use MR3 or above), but Symantec's quality of detection of viruses is not as good as it used to be. Of late, although I use Symantec at work, I have switched to Kaspersky on my personal laptops simply because Symantec Endpoint was not detecting new and even relatively new threats in real-time, and I kept having to do manual 'clean ups' and submit samples of what I found to Symantec to create virus signatures for these infections. For some reason I find that Symantec Endpoint's scheduled scanner does better at detecting threats than its real-time scanner (they use multiple 'scan engines'), when perhaps they both should be equally as good at detecting threats, especially in real-time.
The real test of how effective your antivirus is, is when you run a trusted 3rd party scanner on the same machine to see what your current product 'missed'. People tend to stick to a brand they know, but overall the more focused smaller security vendors such as Kaspersky and ESET are showing better detection results than the more conventional mainstream choices such as Symantec, McAfee and Trend Micro.
Good luck with your decision whichever way you go, and if I were you I would first test the shortlisted products you are considering before making your decision.
I agree with you on some points, but Kaspersky takes more resources for its day-to-day operation, and there is even a memory issue in Vista when copying a huge file like 15 GB (user data)…
That's why I am not interested in Kaspersky.
From my point of view, I've always approached it this way. Get one AV product for your workstations and another for your servers. That way, if one doesn't catch it, the other should.
Another alternative is to have two AVs running on your workstation, although sometimes that can get complicated to set up.
CdtDelta
CdtDelta, that's quite a good idea.
I have to agree that the current considered best practice is multiple AV products, usually spread over the network infrastructure. The main vectors for malware in the current day and age are web browsing and e-mail; disk-carried malware is much less common, but still a threat.
A good network design is to have scanners at the perimeter - on the mail relays and firewall - scanning passing traffic. There are ways of doing this part for free (look up Snort Inline/ClamAV integration and MIMEDefang for example, I believe that Squid can do it as well) as well as many commercial implementations - incidentally, if you have a _BIG_ budget, MessageLabs are excellent …
Then, as said, you should have differing AV on servers and desktops. There are other products that integrate with other aspects that you may have in your infrastructure, such as Exchange (note that at this point there are issues with AV and SharePoint - it breaks … See Micro$oft site for more details - they sell a solution of course …)
The most important thing though is to keep your signatures up-to-date. Your implementation can be rendered completely useless by a highly prolific new virus if you aren't current in your signature sets.
If you are paranoid about zero day attacks, you can do some traffic analysis on your network, and at least you could possibly identify anomalous behaviour that might indicate a malware attack (again Snort can do this sort of thing, as can a few commercial implementations - it can be quite useful to identify other network issues as well …)
Good Luck :-)
Incidentally, http://www.scmagazineuk.com/Symantec-Endpoint-Protection/Review/2591/ gives 4 stars out of 5.
Today's magazine (just opened it) gives five stars to
AVG Internet Security Network Edition 8.0
ESET Smart Security Business
F-Secure Client Security 8
With the F-Secure listed as the best buy …
Malinda, CdtDelta's suggestion is considered (or should be considered if it isn't) industry best practice, and should be followed if you are truly trying to layer your security.
Beware that Symantec's products give mixed results between editions. For example, there was a time when the home edition would detect malware that the corporate version would not. Don't know if the inconsistencies have been fixed or not, but don't let your impression of detection from one edition carry over to another. The home edition is a resource hog, but the endpoint edition is not. Why is that? It concerns me that Symantec has pandered to the corporate clowns whose biggest concern is that "Microsoft Outlook doesn't launch as fast as it used to," or, "Symantec is utilizing 50% of my processor."
Another thing to keep in mind is that you are using this as an endpoint security tool, meaning that it is supposed to work like an early warning system protecting your business from the ignorant mistakes (in most cases) of its employees. My personal experiences with that product…
…I can install some well-known hacker tools and Symantec (endpoint) will not pick them up. I see that as a major issue in the context of enterprise security. If someone can run Cain, john, or pwdump on their system without being detected, then that is a major issue, and we really don't have endpoint security.
No matter what product you end up going with, I highly suggest running it through some rigorous testing on a regular basis (pre and post purchase). In doing so you will see where the shortcomings of the product are (they all have them) and be better prepared when responding to an incident. When I scan evidence, I tend to use 2 different products, one of which is always Avast. It has been the most reliable AV tool I have found. As a corporate-land examiner / investigator, you should use your corporate standard AV along with another like Avast. That way if you find the alternate AV detecting something that Symantec is not, you can respond appropriately and report the issue to Symantec in hopes of getting a custom DAT.
-Chris
Incidentally, http://www.scmagazineuk.com/Symantec-Endpoint-Protection/Review/2591/ gives 4 stars out of 5.
Today's magazine (just opened it) gives five stars to
AVG Internet Security Network Edition 8.0
ESET Smart Security Business
F-Secure Client Security 8
With the F-Secure listed as the best buy …
Hi Azrael - after doing a little research I've been using Eset on my own Windows machines for a few months now, and can't recommend it highly enough. I would say that SC Magazine's reviews do come up with some 'anomalies' though; it gave FTK 2.0 top marks and a '
Thanks for that Jonathan, I'd not heard of Eset until very recently - and even then it was a billboard in London! I use AVG myself, and similarly have found it very good. (Having said that - the update barfed yesterday, so I may have to revise that … Seems ok again now.) I used F-Secure years and years ago, and back then it was excellent.
With SC, I think that they are a bit better at the more "traditional" side of security - AV, Access Tokens, Firewalls - and seem to get a bit more … anomalous … with the things that have a smaller target audience - forensics, advanced IDS/IPS etc. Conversely, I guess you get what you pay for, and I have a free subscription 😉