Beginners Guide to Endpoint Protection Systems

What makes a good endpoint security system?

The key feature of any endpoint security system is still its anti-virus (and other malware) functionality, and any good one detects malware:

• in email attachments
• in files downloaded from the internet
• copied onto a computer from a USB stick or other removable device

To do this, endpoint security systems offered by leading security software vendors such as Avast take a layered approach, employing many different digital methods to detect malware. "What we find in our tests is that the more layers of protection an anti-virus product offers, the better it is," said John Hawes, a former technical consultant at anti-virus product certifier Virus Bulletin.

 

Endpoint security systems employ some or all of the following layers or protection:

• Scanning using malware signatures

This is the traditional method of virus detection, which involves scanning data and spotting known malware by matching some or all of its computer code with a sample, or signature, held in a regularly updated database of virus signatures. A major drawback of this approach is that it can only spot malware which is already known, but not new malware, or new variants of existing malware, for which no signature exists.

 

• Behavioural analysis

Instead of relying on signatures, good endpoint protection systems also look at the behaviour of unknown software to detect if it displays suspicious activity such as altering certain operating system registry values, or encrypting large numbers of files – a sign of possible ransomware activity.

 

• Cloud-based threat intelligence networks

All good endpoint security system vendors now operate their own threat intelligence networks which share information with the endpoint security software running on customers’ machines. That means that if one endpoint downloads a file which is found to be malicious – perhaps though behavioural analysis - information about that file and the source website can be sent to the intelligence network and shared with all other customers almost instantly.

 

• Reputation analysis

This type of protection involves checking the reputation of a website or files which may be downloaded from it using information from the threat intelligence network. So as soon as one customer has downloaded a file and it has been detected as malicious, all other customers will immediately be protected from software on that site. "Reputation systems are very important, because they present the only way of stopping some zero-days (i.e. previously unseen malware) from reaching your machine," said AV-Test’s Marx.

 

• Sandboxing

A sandbox is a safe area on a computer or in the cloud where suspicious computer code can be run to establish whether or not it is malicious, without actually affecting – or infecting – the computer.

 

Recommendation: Use endpoint protection software which offers a cloud-based threat intelligence network, behavioural analysis and reputational analysis as a bare minimum.

 

 

Other security features offered by endpoint security systems

• Protection from fraudulent phishing emails and websites

Endpoint security systems can use the reputation information about email addresses and websites contained on their threat detection networks to block phishing emails and sites.

 

• Intrusion detection

Some software may use techniques such as storing decoy files which the user need never access on an endpoint. If these files are accessed, it may indicate that a cyber criminal has access to the computer.

 

• Data loss protection

This allows computer users or IT specialists to block certain types or quantities of data from being sent from the machine (for example by email) to prevent an intruder from stealing data.

 

• Firewalling

Most computer operating systems have a rudimentary firewall to help keep intruders out, but many endpoint security systems feature a more powerful firewall offering better protection.

 

• File or full disk encryption

Encryption may make it harder for a cyber criminal to access and steal data. Some endpoint protection products use their own encryption systems, while others simply manage an operating system’s built-in system (such as Windows’ BitLocker.)

 

Recommendation: All of these extra security features are valuable, but it is the core anti-malware functionality which is most important.

 

Products to consider

AV-Test carries out regular tests to identify how effective endpoint security products are. Tests carried out in the first two months of 2020 identified that the vendors of the most effective endpoint protection systems include:

 

Avast (Charities can purchase certain Avast Business security products at discounted rates from the Charity Digital Exchange) (Business Antivirus Pro Plus 19.7)

Bitdefender (Endpoint Security 6.6 - Charities can purchase certain Avast Business security products at discounted rates from Charity Digital)

F-Secure (PSB Computer Protection 19)

Kaspersky (Endpoint Security 11.2)

Seqrite (Endpoint Security 18.00)

Symantec (Endpoint Protection 14.2)

Trend Micro (Apex One 14.0)