Endpoint Security Solutions Comparative Analysis Report (Physical Environment) Vendors Tested Trend Micro McAfee Symantec Sophos Microsoft To: Trend Micro Indusface Contact Kandarp Shah Vice President Indusface A/2-3, 3rd Floor, Status Plaza, Atladara Old Padra Road, Akshar Chowk, Vadodara 390020. Tel + 91 265 3933000 Fax + 91 265 2355820 Email kandarp.shah@indusface.com
Confidentiality INDUSFACE HAS PREPARED THIS DOCUMENT FOR TREND MICRO. NEITHER THIS DOCUMENT NOR ITS CONTENT MAY BE COPIED OR DISTRIBUTED OUTSIDE TREND MICRO, WITHOUT PRIOR WRITTEN APPROVAL FROM INDUSFACE THE CONTENTS OF THIS DOCUMENT ARE PROVIDED TO TREND MICRO, IN CONFIDENCE SOLELY FOR THE PURPOSE OF EVALUATING WHETHER THE CONTRACT SHOULD BE AWARDED TO INDUSFACE. Revision History Date Version Description Author 02/04/2013 1.2 Comparative Analysis on Endpoint Security Harsh Jadia Solutions (Physical Environment) Document Control Activities Responsibility Verified / Cleared Technical Approval Harsh Jadia Verified Final Approval Kandarp Shah Cleared Notice of Ownership THIS DOCUMENT IS THE EXCLUSIVE PROPERTY OF INDUSFACE ALL RIGHTS RESERVED 2 Confidential Copyright 2013 Indusface All Rights Reserved
Table of Contents Introduction of Products & Versions... 4 Project Scope... 4 Approach and Methodology... 5 Approach... 5 Test Cases & Execution... 5 Automated Script... 6 Architecture... 7 Lab Details... 7 Lab System - Endpoint Configuration... 8 Executive Summary... 10 Overall Ranking... 12 Test Results... 13 Test Case 1: Baseline Endpoint Client Installation... 13 Test Case 2: Signature Update... 13 Test Case 3: On Demand Full Scan (Heavy)... 14 Test Case 4: Scheduled Full Scan... 14 Test Case 5: On Access Scan... 15 Test Results Based On Criteria... 16 CPU Utilization Observations... 16 Memory Utilization Observations... 17 Network Utilization Observations... 19 Disk Utilization Observations... 20 Time Taken Observations... 21 Appendix 1 Introduction & Key Features... 23 Trend Micro OfficeScan (OSCE) 10.6 SP2... 23 Sophos Endpoint 10... 23 McAfee VirusScan Enterprise 8.8 (Patch 2)... 23 Symantec Endpoint 12.1.2... 24 Microsoft System Center 2012 Endpoint... 24 Features Comparison... 25 Disclaimer... 27 Disclaimer of Liability... 27 3 Confidential Copyright 2013 Indusface All Rights Reserved
Introduction of Products & Versions Objective performance testing was conducted on the following publicly available enterprise endpoint protection solutions using Windows 7 Professional Edition as the client system. PRODUCTS Trend Micro OfficeScan (OSCE) VERSION 10.6 SP2 McAfee VirusScan Enterprise 8.8 Patch 2 Symantec Endpoint (SEP) 12.1.2 Sophos Endpoint 10 Microsoft System Center Endpoint 2012 Refer to Appendix 1 for a brief introduction on the tested endpoint protection products and the key features of each. Project Scope The tests compared the metrics of the system components performance for the following endpoint protection solutions: Trend Micro OfficeScan (OSCE) 10.6 SP2 Sophos Endpoint 10 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint (SEP) 12.1.2 Microsoft System Center 2012 Endpoint 4 Confidential Copyright 2013 Indusface All Rights Reserved
Approach and Methodology Approach In order to achieve performance analyses on the endpoint protection solutions, Indusface followed a defined benchmark approach. The approach and methodology for the complete cycle, which consists of four phases, is described in the figure below. ARCHITECTURE: -Server and client setup -Required software setup REPORTING: -Gather and correlate the test results -Provide report analysis EXECUTION: -Execute the test case scripts -Monitor and record the resource utilization using tools -Check the security effectiveness TEST CASES: -Create test cases -Configure test cases Figure 1: Indusface Approach and Methodology Test Cases & Execution The comparative analysis was performed using the following test cases: 1) Baseline Endpoint Client Installation 2) Signature Update 3) Scheduled Full Scan 4) On Demand Full Scan (Heavy) 5) On Access Scans The analyses for each test case were based on CPU and memory usage, and the disk and network resource utilization of the endpoint protection solution. All test cases were performed one time except for the On Access Scan. The On Access Scan test case was performed five times and the average results were evaluated. Xperf is the monitoring tool that was used to record the system resource utilization and the time. 5 Confidential Copyright 2013 Indusface All Rights Reserved
The total resource utilization by endpoint client machines for each endpoint protection solution was recorded and the average value used for the final result. Test cases evaluated the usage of the following resources: CPU Memory Network Disk (total hard disk utilized) This report uses the percentage of resources used to display the data derived from the analyses. The percentage values were calculated based on the maximum amount of available resources compared to the actual amount of resources utilized. Automated Script An automated script was created to simulate end user activity. The Windows script was created in Python and can execute the following applications and actions: Microsoft Word Open, minimize, maximize, close, insert text, save modifications Microsoft Outlook Open, minimize, maximize, close, write random words/numbers, save modifications Microsoft Excel Open, minimize, maximize, close, write random numbers, insert/delete columns/rows, copy/paste formulas, save modifications Microsoft PowerPoint Open, minimize, maximize, close, and conduct a slide show presentation Google Chrome Open, minimize, maximize, close, and browse web pages Windows Media Player Open, close, and view a video Mozilla Firefox- Open, minimize, maximize, close, and browse web pages 6 Confidential Copyright 2013 Indusface All Rights Reserved
Architecture Lab Details In order to estimate the performance impact on a computing endpoint, a unified test environment was created to simulate the working environment of an average corporate network. A script driven end user automation was then developed to simulate the daily activities of a typical corporate user. Our main aim was to create a baseline image with the fewest possible benchmarks and the least chance of variation caused by external operating system factors. The lab environment was comprised of an endpoint client and a server for each instance of the endpoint protection product. The evaluation process was based on a single end user environment at a given point of time. Baseline Image Creation (Endpoint client): Windows 7 Professional version was used as the client machine operating system for testing purposes. Norton Ghost was used to create a clean baseline image. The baseline image was restored before testing each endpoint protection solution. The steps taken to create the baseline image were as follows: 1) Installed Windows 7 Professional on the client machine. 2) Disabled Automatic Updates for Windows. 3) Disabled Windows Defender to avoid unexpected background activity. 4) Disabled the Windows Firewall to avoid interference with security software. 5) Changed User Account Control settings to Never Notify. 6) Installed Windows Performance Toolkit x86 for testing. 7) Installed Python 2.7 for automated test scripts. 8) Installed Norton Ghost for imaging purposes. 9) Created a baseline image using Norton Ghost. 7 Confidential Copyright 2013 Indusface All Rights Reserved
Figure 2: Test Lab Environment Lab System - Endpoint Configuration Operating System System Model Windows 7 Professional (build 7600) Installation Language: English (United States) System Locale: English (United States) Processor Enclosure Type: Desktop Main Circuit Board 3.30 Gigahertz Intel Core i3-3220 32 Kilobyte primary memory cache 512 Kilobyte secondary memory cache 3072 Kilobyte tertiary memory cache 32-bit ready Multi-core (2 total) Hyper-threaded (4 total) Drives Board: Intel Corporation DH61WW AAG23116-302 Serial Number: BTWW23400J7J Bus Clock: 25 Megahertz BIOS: Intel Corp. BEH6110H.86A.0044.2012.0531.1710 05/31/2012 Memory Modules 500.00 Gigabyte of usable hard drive capacity 437.07 Gigabyte of hard drive free Space 3496 Megabyte Usable Installed Memory Table 1: Lab System - Endpoint Client Configuration 8 Confidential Copyright 2013 Indusface All Rights Reserved
Operating System System Model Operating System Model Windows Server 2008 Enterprise Service Pack 2 (build 6002) Installation Language: English (United States) System Locale: English (United States) Processor Enclosure Type: VMwareESXi Main Circuit Board 2.40 Gigahertz Intel Xeon 512 Kilobyte primary memory cache 64-bit ready Not Hyper-threaded Drives Board: Intel Corporation 440BX Desktop Reference Platform BIOS: Phoenix Technologies LTD6.00 09/21/2011 Memory Modules 42.95 Gigabyte of usable hard drive capacity 15.26 Gigabyte of hard drive free space 3496 Megabyte Usable Installed Memory Table 2: Lab System - Endpoint Server Configuration 9 Confidential Copyright 2013 Indusface All Rights Reserved
Executive Summary The project focuses solely on the comparison of endpoint protection client system components against performance metrics for the following products: Trend Micro OfficeScan (OSCE) 10.6 SP2 Sophos Endpoint 10 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint (SEP) 12.1.2 Microsoft System Center 2012 Endpoint The testing demonstrated how each endpoint protection solution utilizes hardware resources in respect to the CPU, Disk, Memory and Network components and also the time taken for the client system to execute the tests under a comparative framework of evaluation. The methodologies used, as described later in this report, were not biased for any solution. From the analysis of the test results, it can be observed that Trend Micro OfficeScan 10.6 SP2 is optimized compared to the other publicly available endpoint protection products. McAfee VirusScan Enterprise 8.8 (Patch 2) scored second in optimization results in comparison to Trend Micro OfficeScan (OSCE) 10.6 SP2. Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the least amount of system resources while Microsoft System Center 2012 Endpoint utilized the greatest amount of system resources. McAfee VirusScan 8.8 (Patch 2) utilized the greatest amount of CPU resources in ideal conditions and also consumed comparatively more resources during a signature update. It utilized more CPU and Network resources during the On Access Scan. Trend Micro OfficeScan (OSCE) 10.6SP2 utilized the least amount of resources in ideal conditions. It consumed a very low amount of resources in the least amount of time during a signature update. Its Smart Server (which performs caching) made client system resources available during updates and scans. Symantec Endpoint 12.1.2 used a considerable amount of resources in all the test cases. It utilized more CPU and Network resources during the On Access Scan in comparison to the other endpoint solutions. Sophos Endpoint 10 consumed comparatively more memory during all test cases. Microsoft System Center 2012 Endpoint consumed a greater amount of time performing all the test cases. It also utilized more CPU resources during both Scheduled Full Scan and the On Demand Full Scan (Heavy). 10 Confidential Copyright 2013 Indusface All Rights Reserved
Test Results The following table indicates the scores received by each product during the evaluation of the various test cases. *Mem=Memory Utilization, N/W = Network Utilization, Time = Time taken for execution of each test case, CPU= CPU Utilization. The ranking was determined based on the test results. A score of 1 to 5 was given for each value measured, where 1 indicates the best performance and 5 represents the poorest performance. The following formulas were used to determine the scores given to each of the endpoint solutions for each test case: Baseline - Endpoint Client installation: Average CPU (%) + Average Memory (%) + Average Network (%) + Time taken Signature Update: Average CPU (%) + Average Memory (%) + Average Network (%) + Time taken Scheduled Full Scan: Average CPU (%) + Average Memory (%) + Average Network (%) + Time taken On Demand Full Scan (Heavy): Average CPU (%) + Average Memory (%) + Average Network (%) + Time taken On Access Scan: Average CPU (%) + Average Memory (%) + Average Network (%) + Time taken 11 Confidential Copyright 2013 Indusface All Rights Reserved
Note: Product scores of 1 to 5 for particular test cases can be interpreted as follows: Score of 1: Indicates the product that utilized the least amount of resources on the client machine. Score of 5: Indicates the product that utilized more time/resources on the client machine compared to the other products. Products that scored the same overall percentage received the same ranking. For example, if the test results for Microsoft and McAfee both recorded a full scan time of 15 minutes, their rankings are the same and the next slowest product s ranking is one higher. Overall Ranking The following table demonstrates the overall product rankings after analyzing the successful execution of the various test cases. Products Ranking Score Trend Micro OfficeScan (OSCE) 10.6 SP2 1st 38 McAfee VirusScan Enterprise 8.8 (Patch 2) 2nd 54 Symantec Endpoint 12.1.2 3rd 60 Microsoft System Center 2012 Endpoint 3rd 60 Sophos Endpoint 10 4th 66 12 Confidential Copyright 2013 Indusface All Rights Reserved
Test Results Test Case 1: Baseline Endpoint Client Installation Approach After the installation of the endpoint client on the baseline system, resource utilization was measured for five minutes without any user activity. The system s CPU, Memory, Network, and Disk utilization was recorded. Test Results CPU (%) Memory (%) Network (%) Disk (%) Trend Micro OfficeScan (OSCE) 10.6 SP2 0.47 22.5 0.001 0.0002 McAfee VirusScan 8.8 (Patch 2) 2.73 24.6 0.001 0.0004 Symantec Endpoint 12.1.2 0.76 30.42 0.004 0.0003 Sophos Endpoint 10 1.29 30.3 0.003 0.0001 Microsoft System Center 2012 Endpoint 1.44 26 0.003 0.0001 Table 3: Baseline - Endpoint Client Installation Observations Based on the test results, Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the least amount of resources following the client installation compared to other endpoints clients. The lower amount of resource utilization (by Trend Micro OfficeScan (OSCE) 10.6 SP2) enables the user to have more resources available for productivity compared to the other endpoint solutions. Test Case 2: Signature Update Approach After the installation of the endpoint protection solution s server, scheduled update was turned off for three days. After three days, updates were collected by the server and were pushed from the server to the client. During the signature push from the server to the client, the system resource utilization was recorded. Test Results CPU (%) Memory (%) Network (%) Disk (%) Time Taken (mm:ss) Trend Micro OfficeScan (OSCE) 10.6 SP2 8.8 33.19 0.025 0.0019 0:20 McAfee VirusScan 8.8 (Patch 2) 10.84 44.5 0.35 0.0031 3:50 Symantec Endpoint 12.1.2 17.64 37.1 0.069 0.0024 1:30 Sophos Endpoint 10 18.44 42.5 0.42 0.0022 3:25 Microsoft System Center 2012 Endpoint 9.21 32.52 0.087 0.0034 6:15 Table 4: Signature Update 13 Confidential Copyright 2013 Indusface All Rights Reserved
Observation Based on the test results, Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the least amount of resources (8.8% of CPU and 0.025% of Network resources) during the execution of a signature update during the time allotted (20 seconds) for the test execution. All the other endpoint protection suites required more time and/or resources, which would have a negative impact on the client-side user performance. Test Case 3: On Demand Full Scan (Heavy) Approach An On Demand full scan was initiated on the endpoint client using an end user automation script that simulated a heavy workload of an end user s daily activities. The automation script was executed until the On Demand scan was completed. Resource utilization for the On Demand full scan was recorded in terms of CPU, Memory, and Network utilization of the endpoint client. Test Results CPU (%) Memory (%) Network (%) Disk (%) Time Taken (mm:ss) Trend Micro OfficeScan (OSCE) 10.6 23.08 35.4 0.03 0.0087 5:35 McAfee VirusScan 8.8 (Patch 2) 22.53 32 0.03 0.009 7:10 Symantec Endpoint 12.1.2 9.92 37.35 0.05 0.008 10:25 Sophos Endpoint 10 17.95 56.3 0.01 0.004 11:00 Microsoft System Center 2012 Endpoint 31.51 34.77 0.02 0.012 15:15 Table 5: On Demand Full Scan (Heavy) Observation Based on the test results, Symantec Endpoint 12.1.2 utilized the least amount of resources (9.92% of CPU resources) during the execution of the On Demand Full Scan (Heavy) test, but took almost twice the amount of time (11 minutes) compared to Trend Micro OfficeScan (OSCE) 10.6 SP2 (5 minutes and 35 seconds). The increased amount of CPU usage by Microsoft System Center 2012 Endpoint may degrade the overall performance of the system during the On Demand Full Scan. However, Trend Micro OfficeScan (OSCE) 10.6 SP2 completed the scan in the least amount of time by using more resources, which indicates that it provides more efficiency for the client systems. Test Case 4: Scheduled Full Scan Approach For this test case, a full scan was scheduled at a particular time (e.g. 11 PM on Monday). During the test, an ideal client system was implemented (i.e. no user activity was performed). The server initiated a scheduled scan on the endpoint client and the resource utilization of CPU, Memory, Network and Disk was recorded. 14 Confidential Copyright 2013 Indusface All Rights Reserved
Test Results Trend Micro OfficeScan (OSCE) 10.6 SP2 CPU (%) Memory (%) Network (%) Disk (%) Time Taken (mm:ss) 15.84 29.4 0.005 0.0071 5:50 McAfee VirusScan 8.8 (Patch 2) 15.56 26.31 0.006 0.002 3:25 Symantec Endpoint 12.1.2 11.61 33.9 0.003 0.0016 13:00 Sophos Endpoint 10 17.31 54.13 0.005 0.016 8:15 Microsoft System Center 2012 Endpoint 30.11 26.1 0.006 0.0125 14:18 Table 6: Scheduled Full Scan Observation Based on the test results, Microsoft System Center 2012 Endpoint utilized the greatest amount of resources during the execution of the Scheduled Full Scan test case, and required the greatest amount of time. McAfee VirusScan 8.8 (Patch 2) completed the full scan in the least amount of time but utilized 15% of CPU resources, which is a better resource utilization result than Symantec Endpoint 12.1.2 (11.6%). Test Case 5: On Access Scan Approach A group of different file types was copied to the endpoint client from a network file server. This group of files (3.47 GB) contained several types of file formats that a Windows user would encounter during daily use. These formats included documents (e.g. Microsoft Office documents, Adobe PDF, ZIP/RAR files), media formats (e.g. Images), system files (e.g. Executable, CAB, MSI, libraries) and miscellaneous files (e.g. ISO, APK, logs, SIG, PEM). The test was executed multiple times and the average of the results was calculated. Test Results CPU (%) Memory (%) Network (%) Disk (%) Time Taken (mm:ss) Trend Micro OfficeScan (OSCE) 10.6 SP2 5.2 36.5 9.66 0.0022 6:00 McAfee VirusScan 8.8 (Patch 2) 7.92 27.22 10.52 0.001 6:04 Symantec Endpoint 12.1.2 11.45 35.41 10.5 0.0018 6:40 Sophos Endpoint 10 5.07 45.95 9.68 0.0016 7:00 Microsoft System Center 2012 Endpoint 5.78 28.49 9.93 0.006 6:30 Table 7: On Access Scan Observation Based on the test results, the overall file transfer process took almost the same amount of time for Trend Micro OfficeScan (OSCE) 10.6 SP2 and McAfee VirusScan 8.8 (Patch 2). Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the least amount of resources (5.2% of CPU for six minutes) and Symantec Endpoint 12.1.2 utilized the greatest amount of resources (45% of memory for seven minutes). 15 Confidential Copyright 2013 Indusface All Rights Reserved
Test Results Based On Criteria The following table displays the test results based on the different criteria for each respective endpoint client. These test results highlight the products performance according to the testing criteria. CPU Utilization Observations Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint 0.47 8.8 15.84 23.08 5.2 2.73 10.84 15.56 22.53 7.92 0.76 17.64 11.61 9.92 11.45 1.29 18.44 17.31 17.95 5.07 1.44 9.21 30.11 31.51 5.78 Table 8: CPU Utilization Comparison CPU utilization was measured on: 3.30 Gigahertz Intel Core i3-3220 32 Kilobyte primary memory cache 512 Kilobyte secondary memory cache 3072 Kilobyte tertiary memory cache 32-bit ready Multi-core (2 total) Hyper-threaded (4 total) 16 Confidential Copyright 2013 Indusface All Rights Reserved
CPU Utilization (%) 35 30 25 Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) 20 Symantec Endpoint 12.1.2 15 10 5 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint 0 Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan The CPU Utilization graph demonstrates: Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the lowest amount of CPU resources after the Baseline Endpoint Client Installed test and during the Signature Update. Symantec Endpoint 12.1.2 utilized the lowest amount of CPU resources during the Scheduled Full Scan and On Demand Full Scan (heavy) tests. Symantec Endpoint 12.1.2, Trend Micro OfficeScan (OSCE) 10.6 SP2, and Microsoft System Center 2012 Endpoint utilized almost the same amount of CPU resources during the On Access Scan test. Memory Utilization Observations Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan 22.5 33.19 29.4 35.4 36.5 24.6 44.5 26.31 32 27.22 30.42 37.1 33.9 37.35 35.41 30.3 42.5 54.13 56.3 45.95 26 32.52 26.1 34.77 28.49 Table 9: Memory Utilization Comparison 17 Confidential Copyright 2013 Indusface All Rights Reserved
Memory utilization was measured on: 3496 Megabytes of usable installed memory o Slot 'DIMM1' had 2048 MB o Slot 'DIMM3' had 2048 MB Memory Utilization (%) 60 50 40 30 Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 20 Sophos Endpoint 10 10 Microsoft System Center 2012 Endpoint 0 Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan The Memory Utilization graph demonstrates: Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the lowest amount of memory after the Baseline Endpoint Client Installation test. McAfee VirusScan Enterprise 8.8 (Patch 2) utilized the greatest amount of memory during the Signature Update. McAfee VirusScan 8.8 (Patch 2) and Microsoft System Center 2012 Endpoint utilized least amount of memory during the Scheduled Full Scan. McAfee VirusScan 8.8 (Patch 2) utilized the least amount of memory during the On Demand Full Scan (Heavy) and On Access Scan. 18 Confidential Copyright 2013 Indusface All Rights Reserved
Network Utilization Observations Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan 0.001 0.025 0.005 0.03 9.66 0.001 0.35 0.006 0.03 10.52 0.004 0.069 0.003 0.05 10.5 0.003 0.42 0.005 0.01 9.68 0.003 0.087 0.006 0.02 9.93 Table 10: Network Utilization Comparison Network utilization was measured on: Broadcom NetLink (TM) Gigabit Ethernet (100 MBps) Note: The Network bandwidth of 100 MBps was tested. 12 Network Utilization (%) 10 8 Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 6 Sophos Endpoint 10 4 Microsoft System Center 2012 Endpoint 2 0 Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan 19 Confidential Copyright 2013 Indusface All Rights Reserved
The Network Utilization graph demonstrates: All the endpoint protection solutions utilized almost the same amount of Network resources for the Baseline - Endpoint Client Installation test case. Trend Micro OfficeScan (OSCE) 10.6 SP2 utilized the least amount of Network resources during the Signature Update test and also took less time to update due to its Smart Server (caching) option. All the Endpoint Solutions utilized almost the same amount of Network resources during the Scheduled Full Scan and On Demand Full Scan (Heavy) tests. Trend Micro OfficeScan (OSCE) 10.6 SP2 and Sophos Endpoint 10 utilized the least amount of Network resources during the On Access Scan. Disk Utilization Observations Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan 0.0002 0.0019 0.0022 0.0087 0.0022 0.0004 0.0031 0.001 0.009 0.001 0.0003 0.0024 0.0018 0.008 0.0018 0.0001 0.0022 0.0016 0.004 0.0016 0.0001 0.0034 0.006 0.012 0.006 Table 11: Disk Utilization Comparison Disk utilization was measured on: 244 Gigabytes of usable hard drive capacity 217 Gigabytes of hard drive free space 20 Confidential Copyright 2013 Indusface All Rights Reserved
0.014 Disk Utilization (%) 0.012 0.01 0.008 0.006 0.004 0.002 Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint 0 Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan The Disk utilization graph demonstrates: All the Endpoint solutions consumed almost the same amount of disk resources on the Baseline Endpoint Client Installation, during the Signature Update and On Access Scan tests. Microsoft System Center 2012 Endpoint utilized the greatest amount of disk space during all the test cases. Time Taken Observations Trend Micro OfficeScan (OSCE) 10.6 SP2 McAfee VirusScan 8.8 (Patch 2) Symantec Endpoint 12.1.2 Sophos Endpoint 10 Microsoft System Center 2012 Endpoint Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan 5:00 0:20 5:50 5:35 6:00 5:00 3:50 3:25 7:10 6:04 5:00 1:30 13:00 10:25 6:40 5:00 3:25 8:15 11:00 7:00 5:00 6:15 14:18 15:15 6:30 Table 12: Time Utilization Comparison 21 Confidential Copyright 2013 Indusface All Rights Reserved
Time Taken (mm:ss) 16:48 14:24 Trend Micro OfficeScan (OSCE) 10.6 SP2 12:00 McAfee VirusScan 8.8 (Patch 2) 09:36 Symantec Endpoint 12.1.2 07:12 04:48 Sophos Endpoint 10 02:24 Microsoft System Center 2012 Endpoint 00:00 Baseline - Endpoint Client Installation Signature Update Scheduled Full Scan On Demand Full Scan (Heavy) On Access Scan The Time utilization graph demonstrates: Trend Micro OfficeScan (OSCE) 10.6 SP2 took the least amount of time for the Signature Update and On Demand Full Scan (Heavy) tests. McAfee VirusScan 8.8 (Patch 2) took the least amount of time for the On Demand Scheduled Full Scan test. Sophos Endpoint 10 took the greatest amount of time for the On Access Scan test case (7 minutes). 22 Confidential Copyright 2013 Indusface All Rights Reserved
Appendix 1 Introduction & Key Features Trend Micro OfficeScan (OSCE) 10.6 SP2 Trend Micro OfficeScan (OSCE) 10.6 SP2 joins endpoint and mobile security with a unified management infrastructure that offers global threat intelligence to stop malware in the cloud, and provides virtual patching against zero day threats, and optimized security for virtual desktops. Optional modules allow instant deployment of data loss prevention, mobile device management and Mac protection. Key Features as listed by Trend Micro are: Unique plug-in architecture Optimized for desktop Virtualization Security Superior malware protection Easy to manage Sophos Endpoint 10 Sophos Endpoint 10 protects tablet, phone, and laptop or desktop, everywhere. Mainly Endpoint security, mobile device management, web protection, data protection, network protection, email protection and central management are integrated with it. It makes security easier whether it s enabling BYOD, day-today administration with streamlined management, or getting support when you need it. Key Features as listed by Sophos are: Gives you endpoint security and mobile device management, all in one Secures Windows, Mac, Linux, ios, Android, and more Provides integrated encryption (Allows users to store and share data securely) Makes web browsing safe with built-in URL filtering Simplifies management with workflows engineered for business Reduces complexity with a single license from a single vendor Threat-aware patch assessment Integrated Encryption: Integrated full disk encryption in Endpoint encryption 10 McAfee VirusScan Enterprise 8.8 (Patch 2) McAfee VirusScan Enterprise 8.8 (Patch 2) combines anti-virus, anti-spyware, firewall, and intrusion prevention technologies to stop and remove malicious software. It also extends coverage to new security risks and reduces the cost of responding to outbreaks with the industry s lowest impact on system performance. Key Features as listed by McAfee are: Block multiple threats Stop malware in real time Safeguard email programs Low impact on performance Get high-performance security Lessen damage from outbreaks Defend against threats that target Microsoft applications 23 Confidential Copyright 2013 Indusface All Rights Reserved
Symantec Endpoint 12.1.2 Symantec Endpoint 12.1.2 is built on multiple layers of protection, including Symantec Insight and SONAR both of which provide protection against new and unknown threats. Built for virtual environments, it can integrate with VMware vshield Endpoint for dramatically improved performance. Symantec Endpoint 12.1.2 includes the latest features for improved security, performance and management. Key Features as listed by Symantec are: Integration with VMware s vshield Tuned for Windows 8 and Windows Server 2012performance Support for Mac OSX 10.8 (Mountain Lion) Support for HTTPS in trusted web domain exceptions Enhanced security features Improved management Microsoft System Center 2012 Endpoint Microsoft System Center 2012 Endpoint (previously known as Forefront Endpoint 2012) protects client and server operating systems against the latest malware and exploits. Built on System Center 2012 Configuration Manager, it reduces IT management and operating costs by providing a single, integrated platform for managing and securing your desktops. Key Features as listed by MSSC are: Single console for endpoint management and security Central policy creation Enterprise scalability Highly accurate and efficient threat detection Behavioral threat detection Automated agent replacement Windows Firewall management 24 Confidential Copyright 2013 Indusface All Rights Reserved
Features Comparison This is a list of notable Endpoint product features in the form of a comparison table. Features Endpoint Security Microsoft System Center 2012 Endpoint Product Features Comparison McAfee VirusScan Enterprise 8.8(Patch 2) Symantec Endpoint (SEP) 12.1.2 Sophos Endpoint 10 Trend Micro OfficeScan (OSCE) 10.6 SP2 Antivirus Endpoint Web Filtering X Application Control Device Control DLP Patch Web & Email Gateway X Encryption Mobile Backup & Recovery X X Behavioral threat detection X Central Management Console Supported Platform Windows Mac X Linux Built for Virtual Environment Advanced Firewall In the Cloud X IDS/IPS X Zero Day Attack Scanning Full Scan Smart/Active Scan X X Scheduled Scan On Demand Scan 25 Confidential Copyright 2013 Indusface All Rights Reserved
On Access Scan Point Desktops, Laptops, Servers Microsoft Exchange Email Server *All of the above information has been derived from the publicly available data. 26 Confidential Copyright 2013 Indusface All Rights Reserved
Disclaimer The product versions covered in the report are the latest available at the time of testing. The versions are specified under the Product Scope section of the report. The list of products tested is not exhaustive of all products available in the comparative business security market. Products used for the comparative testing were the evaluation versions available (free/trial/demo). Disclaimer of Liability Every effort has been made to ensure that the information presented in this report is accurate however, Indusface shall not be liable in any manner whatsoever for damages caused by the use of this information. 27 Confidential Copyright 2013 Indusface All Rights Reserved