I work as a Security Consultant for my company and obviously as an Antivirus specialist.
So this story is about a client who had about 8,000 clients and was currently using McAfee. They were at the end of their contract, with a few months left, so they were looking for a better solution, as they had been hit by a number of outbreaks in the last couple of years and were not satisfied with the support provided.
So a conference call was scheduled and I was invited to give my views on which antivirus solution to consider migrating to, and why to switch. We also discussed the pros and cons.
Their requirements were pretty simple but very strict: they wanted a secure, malware-free environment, because the recent outbreaks had cost them dearly in downtime and unavailability of critical production servers.
So when I joined the conference, there were about 8 members with their own views and recommendations. Some recommended CA, Trend Micro or Kaspersky, and some suggested renewing the present contract.
When my turn came to speak, I suggested Symantec Endpoint Protection. I was expecting some enthusiasm from everybody; I thought I would be bombarded with all kinds of questions.
But the very first reply I got was: “I thought you were going to speak about Symantec Antivirus version 10.x because Symantec Endpoint Version 11.x didn’t pass our Quality test, so we cannot even think about it.”
Then they were expecting me to speak about SAV, but I asked which version of SEP they had tested. One of them answered, "11.0.780.xxxx."
I told them I agreed: I wouldn't use that version even on my home computer, so there was no way I would suggest they deploy it.
I was talking about Symantec Endpoint Protection MR4. He then asked about the difference between 11.0.780.xx and 11.0.4000.xx.
Every piece of software has a life cycle once it is first released. Generally the developers wait for feedback from customers and fix bugs or add new features. They get this feedback via technical support or technical forums, because not everything can be tested in house.
Symantec Endpoint Protection has come a long way in its journey from the RTM version to date. Performance is now better than Symantec Antivirus 10.x.
Today it is as stable as SAV 10.x with minor issues that will be fixed in coming releases.
It supports almost all Windows versions, including Windows 7, which will be fully supported in MR5.
In terms of Security features and functionality, there is no other software on the market which can be compared with SEP.
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network. More than 240,000 sensors in over 200 countries! Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades) affecting more than 72,000 technologies from more than 11,000 vendors.
Symantec Endpoint Protection administration is the easiest for anybody who knows Active Directory: you can integrate AD with Symantec Endpoint Protection Manager and set and manage policies much as you would in Active Directory. Every policy, report and log is presented in a good-quality graphical interface. At one glance you know what is going on in your network.
Lastly, reporting is also one of the remarkable features of SEP. You can set up notification emails to the administrator for any discrepancy in your network.
So if you repeat the quality assessment now, you will find that it is not the same product you tested a year ago.
The CTO said he would like to know more about the product if it passed the quality test, so he would do the testing and then set up a one-on-one with me to learn more.
The next week I had the one-on-one with the CTO of that company.
In that meeting, I explained…
Antivirus and Antispyware - works the same way as every other vendor's antivirus, but the strength of an antivirus depends on the number of detections it has and the number of sensors feeding it. From this perspective, Symantec is the best.
He said he had heard Symantec was not doing so well in detection rate.
I explained that in all the time I had worked with Symantec, I could not remember an outbreak that was not brought under control within a few hours, or at most a day.
While it's true that no antivirus can be 100% secure, Symantec focuses more on the threats that can harm many people at once, and in doing so it might miss one or two spyware files that users download and install. Even those spyware files can be submitted to Symantec and are then remedied.
I then discussed the following functionality -
Proactive Threat Scan - is behavior-based scanning, the best in the market; it has detected many worms, Trojans and spyware, and removes these files even before definitions are released for them.
Application Control - is the best feature available in Symantec, with which you have proper security control in your organization. You decide which applications clients may run and which they may not. You can block chat programs, unwanted browsers, P2P programs and autorun.inf, which may be the main way a threat enters or spreads in your systems or network.
Device Control - As a security measure you always want your confidential data not to leave your network, and this is particularly true of USB sticks. I explained that 90% of the time an outbreak occurs in a network it is due to internal security issues: in essence, a user with an infected USB stick can infect the entire network.
So in this case you can block USB drives for everybody, for a specific group of users, or for specific computers. Symantec also allows you to make USB sticks/drives read-only.
Firewall - Symantec's firewall is one of the best host-based firewalls; it came from Sygate. I told him a firewall is always an essential part of any organization, and host-based firewalls help a lot in controlling access for users.
With this feature you can also block websites.
Intrusion Prevention System - It is always best practice to have an IDS or IPS in your network, and a HIPS can also work as a HIDS. Symantec Endpoint Protection's IPS is the best IPS available anywhere! I explained that Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades) affecting more than 72,000 technologies from more than 11,000 vendors.
You can also create your own IPS rules for your specific requirement.
Administration &amp; Reporting - Symantec is very simple when it comes to administration. If you have worked with Active Directory you won't find any difference in SEP administration. In one view you can understand what is going on in your network, and you will also receive scheduled reports and email notifications for whatever you wish.
Bandwidth Consumption - Symantec Endpoint Protection has a feature called Group Update Provider, with which administration remains centralized but definition distribution becomes decentralized: a designated client at a site receives definitions from the manager and serves them to the other clients at that site, so each site pulls the definitions over the WAN only once. This keeps bandwidth utilization under control. There are also failover and load balancing features that help with this.
Support - Symantec support engineers work closely with the development team to give customers the best solution available, even when a fix for an issue is not possible at the time. I have seen customers always given a good workaround, with a patch for the problem released in the next update.
Symantec forums are a helpful community where all your questions are answered in a timely manner by Symantec employees, technical support engineers, and customers who have been using the product for a long time.
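The autorun.inf vector mentioned under Application Control and Device Control above is easy to check for by hand. What follows is an added example, not SEP code and not part of the original post: a small Python scanner that parses an autorun.inf the way Windows reads an INI file (section and key names compared case-insensitively, the first occurrence of a key kept, junk lines ignored) and reports every directive that can execute a program when the volume is inserted or opened. The two sample files, including the RECYCLER\hidden\update.exe path, are constructed for this example.

```python
import re

# Keys in the [autorun] section that launch a program directly.
LAUNCH_KEYS = ("open", "shellexecute")
# Keys of the form shell\<verb>\command (e.g. shell\open\command) that hijack the
# Explorer context-menu verbs; double-clicking the drive runs the "open" verb.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section of an autorun.inf.

    Section and key names are compared case-insensitively and lines that are
    not key=value pairs are skipped, because worms pad the file with random
    text and odd casing to defeat naive signature matching. The first
    occurrence of a key is kept. Architecture-specific sections such as
    [autorun.amd64] are treated as autorun sections too.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            in_autorun = name == "autorun" or name.startswith("autorun.")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.setdefault(key.strip().lower(), value.strip())
    return entries


def find_launch_directives(entries):
    """Return {key: command} for every directive that executes something."""
    return {
        key: value
        for key, value in entries.items()
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key)
    }


def scan_autorun(text):
    """Classify an autorun.inf as ('clean' | 'suspicious', launch directives)."""
    launches = find_launch_directives(parse_autorun(text))
    return ("suspicious" if launches else "clean"), launches


# Constructed samples for this example; not taken from any real infection.
BENIGN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

WORM_STYLE = """[AutoRun]
;kd83hf&^%  junk inserted to break simple signatures
icon=%SystemRoot%\\system32\\shell32.dll,4
OPEN=RECYCLER\\hidden\\update.exe
shellexecute=RECYCLER\\hidden\\update.exe
shell\\Open\\command=RECYCLER\\hidden\\update.exe
shell\\explore\\command=RECYCLER\\hidden\\update.exe
shell=open
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("worm-style", WORM_STYLE)):
        verdict, launches = scan_autorun(sample)
        print(f"{name}: {verdict}")
        for key, command in launches.items():
            print(f"  {key} -> {command}")
```

Run against the root of a mounted removable drive, the scanner separates the harmless icon/label use of autorun.inf from the worm pattern in which open, shellexecute and the shell\...\command verbs all point at the same hidden executable. Current Windows versions no longer honor autorun.inf on USB media, so on a patched fleet the file is an indicator that the stick has been through an infected machine rather than an execution path, but it is still worth flagging before the stick is allowed onto a production network.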
After this explanation and a long meeting, I was asked to send them a technical and implementation design for SEP, which I did within a week.
As of today they have passed the testing phase and started implementing SEP MR4 MP2. They have already deployed SEP on about 2,000 computers, and deployment is continuing for the rest.