Endpoint security solutions

techfiend Member Posts: 1,481
I've been tasked to find our next endpoint security solution since Vipre expires soon. Even as an SMB with 40 seats we average at least 1 malware problem a month and would rather not go Vipre again. I've priced and read some reviews and am leaning towards Bitdefender; it scores great on AV tests and is one of the cheapest 3 year options. The first priority is protection without being overly invasive, second is price, third is additional features; good patch management for Adobe and Java products would be nice.

What do you suggest and is there any I should stay away from?
2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)

Comments

  • wes allen Member Posts: 540
    Before spending a lot of money, or any money, on signature based AV type protection, look into deploying EMET, AppLocker, and restricting users from admin access. Also, look at your software versions to make sure they are current, esp. browsers, MS stuff, Adobe and Java. You can do Java app whitelisting via EMET or GPO. You can look at what you have as far as protection at the network edge, and maybe do a bit more there as well - block access to CN/RU, exe files, jar files, etc. Done properly, you can secure a machine without AV at all.
  • Hondabuff Member Posts: 667
    One of my projects 2 years ago was to find an Enterprise Endpoint solution to replace Forefront. At my job before that I was working for a public school that had no money and basically did the same rollout. We did a POC on Trend Micro, Symantec Endpoint, Kaspersky and Sophos. After each of the trials, between setting up the server and deploying the client and most importantly how it functions, the clear winner was Symantec Endpoint 12.1. Now that I'm working at a $40B/year company that has almost unlimited budget, we still went with Symantec. Kaspersky was a close second. If you work with a regional rep, you will be shocked at how cheap you can get it for. We were in the teens per seat. It works with every program we have and the footprint is fairly small.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • 5ekurity Member Posts: 346
    I think that AV is definitely part of the 'security onion' you ought to be deploying to your endpoints - that being said, it's not the silver bullet of protection against viruses / malware, and employing technologies like wes allen suggested can help build out multiple layers of security for your endpoints. The goal of security is to enable your users to be able to do their jobs in the safest and most efficient way possible - you may find that blocking a lot of common file types is going to cause a large administrative burden, because there are legitimate as well as illegitimate executables and JAR files.

    That all being said, I was a reseller for BitDefender for a few years and their product was pretty good at the time. I moved away from them about two years ago when their latest release of endpoint protection started causing BSODs on systems I was managing, amongst other issues. They may have fixed it by now, but I've been recommending Kaspersky for non-centrally managed endpoints without issue for a while now.

    You can also check out how AV companies stack up against each other at AV-Comparatives (Independent Tests of Anti-Virus Software).
  • Rocket Impossible Member Posts: 104
    I saw a product called Bromium demonstrated at Data Connectors this year. It uses Xen to create micro VMs on the host and was very effective. May be a little bleeding-edge for your purposes, but check them out. We use Eset at my job. It's effective but I have no idea how much it costs.

    Bromium
  • techfiend Member Posts: 1,481
    EMET is interesting but it has no central management, does it? I could do remote command line if EMET allows for that. The problem isn't running installed programs, so AppLocker I don't think would help. Would EMET give great protection against website and email related malware? That's where it all comes from, not installing programs, which most can't do already as they don't have admin access. There are a few that have local admin rights but I would like to change that, at least change it to another account so they aren't logged in with admin rights. I wonder if there's a way to allow an account for UAC but not to log in. It may sound a bit big brother but I would like to remotely control what programs are installed and be able to remove what I see fit remotely. I know PDQ Inventory does this, not sure it's worth the money though. Going to each workstation and setting this up would be a big hassle and probably a continuous headache. I would love to save the owner some money though.

    Forefront I was reading about today and it was only $12 per seat a year, is this true? Some people rave about it, is it any good? Kaspersky seems like it's packed with features and I had good luck with it at home when I used it a while back; I've read it's pretty heavy though, is this accurate? All i3 and i5 workstations, so maybe load isn't that big of a deal. Symantec seems a bit over the owner's budget and I don't know how I could convince him to spend that much more; I've had nothing but bad luck with Norton at home. We couldn't tolerate BSODs, but I could do some testing with Bitdefender.

    Bromium is an interesting approach but the few things I've tried like it have been really slow and in the long run they have to write back to the OS. I wonder if it's any good at mitigating threats before writing back to the OS.
  • emerald_octane Member Posts: 613
    McAfee ePolicy Orchestrator is one of the most versatile suites, I enjoy working with it.
  • wes allen Member Posts: 540
    Number one is to make sure that no one is running as local admin for day to day tasks. Trusted users can maybe be allowed to sudo to a separate admin account if they really need it.

    EMET is very, very GPO and PowerShell friendly, so it is totally remotely manageable. The only thing that would be tricky would be pulling the log files, though that is also easy to script. EMET basically makes it harder for vulnerabilities to be exploited by making it harder for exploit code to run. So, that malicious PDF or webpage may not be able to take advantage of a software flaw to run exploit code.

    AppLocker, if properly configured, prevents the secondary payloads that are downloaded from running. A basic rule base would not allow a normal user to have write and execute permissions to the same directory. So, they could run programs installed in the Program Files directory, but not their user directory or AppData Local, etc. It is also easy to GPO and PowerShell, though it also only logs locally. It is also only available in Win7 Enterprise/Ultimate or Win8 Enterprise.
    techfiend wrote:
    EMET is interesting but it has no central management, does it? I could do remote command line if EMET allows for that. The problem isn't running installed programs, so AppLocker I don't think would help. Would EMET give great protection against website and email related malware? That's where it all comes from, not installing programs, which most can't do already as they don't have admin access. There are a few that have local admin rights but I would like to change that, at least change it to another account so they aren't logged in with admin rights. I wonder if there's a way to allow an account for UAC but not to log in. It may sound a bit big brother but I would like to remotely control what programs are installed and be able to remove what I see fit remotely. I know PDQ Inventory does this, not sure it's worth the money though. Going to each workstation and setting this up would be a big hassle and probably a continuous headache. I would love to save the owner some money though.
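One way to express the rule base wes allen describes (execute from Program Files and Windows, not from user-writable folders) and to pull the local-only AppLocker log he mentions, as an added PowerShell example that is not the poster's or Microsoft's own script. It assumes an edition that ships the AppLocker module (Win7 Enterprise/Ultimate, Win8 Enterprise); the policy file, the dropped test binary and its path are constructed here for illustration.

```powershell
# Added example: audit-mode AppLocker policy in AppLocker's XML schema.
# AuditOnly logs what would be blocked without blocking it; "Enabled" enforces.
Import-Module AppLocker

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
# Constructed file name; in production the policy is pushed through GPO.
$policyPath = Join-Path $env:TEMP 'constructed-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Constructed test: the same signed binary copied into a user-writable folder,
# the way a downloaded secondary payload would land there.
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\constructed-payload.exe'
Copy-Item "$env:windir\System32\notepad.exe" $dropped -Force

# Evaluate both paths as a standard user (Everyone). Expected: the System32
# copy is Allowed by the %WINDIR% rule, the dropped copy is DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:windir\System32\notepad.exe",
    $dropped
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker only logs locally: collect 8003 (audit: would have been blocked)
# and 8004 (blocked) events per endpoint; add -ComputerName to pull remotely.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} | Select-Object TimeCreated, Id, UserId, Message
```

With no matching events on a fresh test machine the last command returns nothing; run a blocked or audited binary first to see the 8003/8004 records appear.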
  • techfiend Member Posts: 1,481
    I'm trying EMET at home now, is it really all that's needed on a clean system? I just want to stop the malware; I don't really want to monitor things being blocked on a regular basis. Maybe sometimes during slow times for curiosity.

    I think only 3 workstations are running 7 Ultimate at work. It's all 7 Pro and 8.1 Pro otherwise. AppLocker isn't really an option.

    I miss sudo every day at work; Microsoft's way of handling admin rights, among other things, really pales in comparison to Linux. The few that have local admin rights are IT or previous IT staff so it's tough to convince them, especially me being the new guy, but they really should know anyway. They've asked me why I don't run local admin and I've explained some experiences, but if it hasn't happened to them... The way they use their computers after initial setup might require 1 UAC prompt a day, too many for them I guess. However these aren't the ones having malware issues; it's the employees that have to visit a lot of websites to fulfill their job, and they have no admin rights.
  • discount81 Member Posts: 213
    We use Symantec Endpoint Protection at my current work, I don't like it.
    Admittedly there aren't a lot of viruses any more, but I partially think that is since we switched to Windows 7 and took away admin rights for all non-IT users, and we also use Viewfinity for whitelisting safe applications, which I think has stopped most infections.
    I don't recall a real infection since we set up Viewfinity a year or so ago.

    Personally I don't think Symantec actually stops much, but I don't have any statistics or anything to give, I just dislike it because the software itself seems to be more problematic vs my prior experience with Trendnet.
    http://www.darvilleit.com - a blog I write about IT and technology.
  • techfiend Member Posts: 1,481
    I'm testing EMET at work now, hopefully full rollout by the end of the week. I brought up admin rights again today to the manager after finding yet another user that had it with no reason to have it. I think I angered him, and while it doesn't matter to him if I take it away from these users, he wants him and the admin, yes the admin, to be logged in with local admin rights. I learned years ago at home how being logged in as administrator can be an issue; because of this bad practice I had 4 of 5 computers basically rendered useless, and the only reason one wasn't was because it wasn't turned on. That would be a complete disaster for this company.

    Symantec is what the 2 other IT guys are looking at; personally I don't want it based on previous Norton experiences. Luckily it and Kaspersky are quite a bit more than Bitdefender and Trend Micro. The final say is mine because I'm the only one that cares about security. I'm going to trial them both at work when I find the time. My list already has at least 2 weeks of things to do and my hours were just cut in half. Hopefully they are both quick rollouts. Sure has been a rollercoaster ride here, hopefully the ride is almost over, one way or the other.
  • alias454 Member Posts: 648
    You can look at ESET. I used to run their NOD32 product and found it to be very good.
    Endpoint Antivirus, Server, Mail & File Security for Business | ESET Business Products
    “I do not seek answers, but rather to understand the question.”
  • TheNewITGuy Member Posts: 169
    Sophos End-Point
  • joneno Member Posts: 257
    McAfee pays my bills, so add me to the ePo groupies. lol
  • techfiend Member Posts: 1,481
    NOD32 was good when I was running it at home, but ESET business is by far the most expensive. Kind of surprising.

    Sophos I've heard a lot of good about, but it didn't do very well on the latest AV-TEST (Test antivirus software for Windows 8 - October 2014 | AV-TEST). McAfee also didn't do great, is expensive, and I've had bad experiences with their home products.