ENTERPRISE ENDPOINT COMPARATIVE REPORT

Transcription

1 ENTERPRISE ENDPOINT COMPARATIVE REPORT SECURITY STACK: EXPLOITS Authors Randy Abrams, Thomas Skybakmoen Tested Products Bitdefender Endpoint Security v5.3 ESET Endpoint Antivirus v6.1 Fortinet FortiClient v5.2 F-Secure Client Security Premium v11.60 G Data Endpoint Protection 13.1 McAfee VirusScan Enterprise Kaspersky Endpoint Security v Sophos Endpoint Security and Control v10.3 Symantec Endpoint Protection v12.1 Trend Micro OfficeScan v McAfee test results were not published as a result of a configuration issue that caused inaccurate results. McAfee has been made aware of this issue and NSS Labs is working with McAfee s team to make sure it will be resolved with their results slated to be published in the next stack security test report

2 Exploit Protection The exploitation of software vulnerabilities is one of the most common and effective cyber-attacks that enterprises face today. Commonly known as drive-by exploits, these attacks silently compromise a victim s computer without the user being aware. Drive-by exploits have become a favored tool of cyber criminals and other threat actors. Endpoint protection (EPP) products must provide robust defenses against these threats. This test was conducted with live (real-time) web-based exploits being used by threat actors in active campaigns identified with NSS Cyber Advanced Warning System. In this report, NSS tests 10 EPP products in order to determine which products offer the best protection against drive-by exploits. This test was conducted free of charge, and NSS did not receive any compensation for vendor participation. Product Block Rate NSS Labs Rating F-Secure Client Security Premium % Recommended Kaspersky Endpoint Security % Recommended Symantec Endpoint Protection % Recommended ESET Endpoint Antivirus % Recommended Fortinet FortiClient % Recommended Trend Micro OfficeScan % Recommended G Data Endpoint Protection % Neutral Sophos Endpoint Security and Control % Neutral Bitdefender Endpoint Security % Neutral Figure 1 Block Rate The results presented in this report were obtained via 24x7 continuous testing between March 10, 2015 and March 24, 2015 at the NSS facility in Austin, Texas. This test includes a total of 726 attacks used by Threat Actors in active campaigns during the course of the test. In order to test a real-world deployment, vendors are encouraged to configure their products for optimal security effectiveness and performance as they would recommend in a typical enterprise deployment. Blocking exploits is a critical component of an endpoint protection product. When an exploit is blocked, the delivery of known and unknown malware is also blocked. For this reason, blocking exploits offers more comprehensive protection than malware protection alone. Figure 1 (above) depicts the percentage of attacks blocked throughout the duration of the test. Testing was performed in accordance with the Security Stack: Test Methodology v1.5. NSS test methodologies are available at 2

3 Consistency of Protection Figure 2 depicts the consistency of protection rates throughout the duration of the test. Figure 2 Protection over the Duration of the Test Fluctuations in coverage can be caused by a variety of factors. EPP updates will at times drop detection for an exploit and then restore the protection in a subsequent update. As new domains are registered, or legitimate websites are compromised, time is required to update reputation systems in order to provide protection. Frequent fluctuations in protection indicate undetected exploits, erratic protection against new and existing attacks, or both. Average block rates are less reliable indicators of protection quality when significant lapses occur frequently. 3

4 Environment Operating System: Windows 7 Enterprise Service Pack 1 32-bit Windows Defender disabled Windows Firewall disabled Browser: Internet Explorer Smart Screen Filter disabled Application Reputation disabled Applications: Silverlight 4.x and 5.x versions Adobe Flash Player 10/11 with ActiveX/10/11 Plugins Adobe Reader 10/11 Java 6 and Java 7 versions 4

5 Test Methodology Security Stack: Test Methodology v1.5 A copy of the test methodology is available on the NSS Labs website at Contact Information NSS Labs, Inc. 206 Wild Basin Road Building A, Suite 200 Austin, TX info@nsslabs.com This and other related documents available at: To receive a licensed copy or report misuse, please contact NSS Labs NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, ed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ( us or we ). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. You or your means the person who accesses this report and any entity on whose behalf he/she has obtained this report. 1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it. 2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 5