This content is part of the Buyer's Guide: Endpoint security tools: A buyer's guide

Evaluating endpoint security products for antimalware protection

Expert contributor Ed Tittel explores key criteria for evaluating endpoint security products to determine the best option for antimalware protection for your organization.

Choosing an endpoint antimalware protection product is no easy task. Ample research can help steer organizations toward the right decision, however, saving them time and money in the long run.

Read on for an overview of key factors to be considered, along with tips for streamlining the evaluation process, when looking to deploy endpoint security protection.

Evaluation criteria for endpoint security products

Here are a few common criteria for evaluating endpoint antimalware products.

Platform coverage: Does the proposed product support the OSes and versions running on all the endpoints, such as Windows, Mac and Linux? Consider mobile devices, too, which are typically iOS or Android. Because most antimalware suites have a server component, ensure the product supports the servers currently in use, along with any email and messaging platforms.

Feature set: Is the proposed product comprehensive? Does it provide all the features the organization requires to provide layered protection? Often, required features include antivirus and antispyware protection, antiransomware functionality, data loss prevention, integrated firewalls, device control, email protection, intrusion detection and prevention, support for virtual environments, and website browsing protection. Each organization will require some or all of these items, and perhaps others, such as data encryption, mobile device management, application control (whitelisting) and Network access control.

The key is to select a product that's the right size, and best fit, for the environment today, while anticipating overall endpoint security needs for the next few years.

Performance: This criterion includes detection rates, mainly for antivirus and antispyware, as well as system performance. In fact, protection performance is often cited by systems and network administrators as one of the most important factors to consider when deploying endpoint security products, and many admins eventually switch to a different antimalware protection product after finding out that their current product doesn't perform as expected.

For example, an organization whose selection is based mainly on high detection rates for the antivirus and antispyware component may find the computing resources required for scanning reduce system performance excessively, thereby delivering a poor end-user experience.

The following are some questions to consider regarding detection rates and performance:

  • What is the average malware detection rate of the proposed product?
  • How quickly does the vendor typically provide a new signature after a zero-day threat is discovered?
  • How much memory is required for a default configuration?
  • How much memory is required when all the desired features are fully enabled?
  • How much of the CPU resources are consumed for a default configuration?
  • How much of the CPU resources are consumed when all the desired features are fully enabled?
  • How much storage space is required for a typical installation?

It's important to remember that no single antimalware product is going to protect an environment against every threat. While researching products, keep track of a few free or low-cost products, such as Malwarebytes Anti-Malware or Trend Micro's HouseCall, to run intermittently to catch malware that the primary product may have missed.

Manageability: This criterion involves system configuration requirements and the usability of the management console. For each endpoint security product, what are its system configuration requirements?

For example, which server operating systems does it support? And what are the general features of the management console? Does the console show the status for all the endpoints, or are multiple consoles required to stitch together an entire picture? Does the console provide pertinent details about endpoints, such as the last time a scan was run, the last update, the items quarantined and so on? Can it push updates automatically, run remote diagnostics, and send email or text alerts to admins? Be sure to check the types of reports that are available, as well.

Price: Typically, endpoint security products are purchased as licenses per user or per endpoint, often in one-year, two-year or three-year increments. Vendors typically offer volume discounts for larger environments. License costs vary, but are usually $25 to $60 each, depending on the vendor and number of licenses purchased.

Legacy equipment can affect the cost of a product. If an organization runs a lot of legacy endpoints that are not supported by the product, determine whether a second product is needed for legacy devices, as well as the average cost to replace legacy equipment (if that's part of the upgrade plan anyway). Other costs to consider are server costs, if upgrades or replacements are needed, installation time and effort, and integration costs, if applicable.

Support: The level of support offered by a vendor can easily be a deciding factor between two antimalware protection products if all the other criteria are met. Although a comprehensive product that's working properly shouldn't require a lot of tech support calls, initial setup can require a good deal of assistance, especially for smaller organizations, and a malware infection often results in at least one point of contact with the vendor.

Research answers to the following support questions:

  • Does the endpoint antimalware vendor provide 24/7, year-round telephone access to support engineers?
  • How quickly does the vendor say it will respond to a call?
  • Can the vendor provide remote and hands-on support?
  • Are software updates and upgrades downloadable?
  • Are software updates and upgrades part of the licensing fee?
  • Are complete and detailed software manuals available?
  • Does the vendor have a detailed online knowledge base that's easy to search?
  • How many people may contact tech support for assistance? Some vendors offer contracts in which multiple employees may act as approved contacts.
  • Is training available? Is it included in the licensing fee, or is there a separate charge?
  • Is support provided in non-English languages?

Tips for researching endpoint security products

The first step in the evaluation process for endpoint security products is to create a matrix that lists each criterion and possible antimalware products, along with URLs of the websites visited.

For example, you can create a spreadsheet with criteria in the left column and each product under consideration listed across the first row. Create a separate tab to record URLs. As research is gathered from various vendor sites, fill in the matrix as completely as possible.

Be sure to search TechTarget sites for antimalware reviews, and browse forums on other tech community sites. Find out what other network administrators have to say about specific products.

In this part of the research process, look for trends rather than focusing on specific comments. Everyone has an opinion; there will be conflicting information from different people regarding the same products. Remember that a product can run nearly flawlessly in one environment, but experience problems in another, as no two environments are exactly the same.

While perusing tech community forums, also note the comments regarding the number of times an administrator may have had to contact the vendor for support. This can reveal how well the vendor's product detects and removes malware automatically, as well as indicating usability and performance.

Regarding detection rates, browse independent software testing and rating websites, such as AV-TEST, AV-Comparatives and Virus Bulletin. They provide unbiased statistics and reviews of the most popular software packages.

Testing proposed endpoint security products

Part of the research process should include testing products on the shortlist. Administrators highly recommend installing full software trials on test machines to find out how the software actually performs on an organization's network. If trial software isn't available, contact the vendor directly to find out why.

It probably won't be possible to test an actual malware infection -- and organizations shouldn't deliberately acquire one just to test the software -- but the testing process provides a feel for how well the management capabilities work, the impact on system resources and other parts of the enterprise infrastructure. For example, an EICAR test file is available that enables an organization to safely test the effectiveness of antimalware software, but it doesn't mimic real-world malware or zero-day threats.

In a nutshell, research endpoint security products as thoroughly as possible and pick two or three products that appear to be the best fit, especially with regards to its feature set, performance, price and support. To find out how to map evaluation criteria to certain types of user environments, user scenarios and specific endpoint antimalware products, see the next article in this series.

Next Steps

After antimalware: Moving toward endpoint antivirus alternatives

Keeping pace with emerging endpoint security technologies

This was last published in July 2017

Dig Deeper on Network security