January 8, 2013
Having noticed an increasing number of fake AV and ransomware installations on our network, where we now run Forefront Client Security as endpoint protection, I ran a comparison between the latest version of Microsoft’s A/V product, System Center Endpoint Protection 2012 SP1, and Sophos’s most recent PC client A/V to decide whether the MS offering was still up to snuff before we deployed it.
Having used malc0de’s database to retrieve live malware links posted over the last three days, we used a pair of VMs on a segregated network to test detection of malicious code. Both VMs were snapshotted before infection; one was installed with a fully updated (defs: 07/01) EPP and the other with Sophos (defs: 07/01), both running W8 x64. The comparison is solely with Sophos as we currently use that product on our Macs. We use the Microsoft Forefront Client Protection A/V on PCs as it is free as part of the Software Assurance benefits received as part of our EA. I should add that I realise this is no reason on which to base a choice of endpoint protection product, and this experience has prompted an immediate review of that choice.
Admittedly this is a very limited range of tests, and not particularly thorough, but as a quick review it indicates that EPP is not sufficiently often or thoroughly updated and is severely compromised by the lack of access to a URL blacklist (which, in fairness, it does not claim to offer). In the below list, every single piece of malware was allowed to be downloaded by EPP and was not detected when manually executed – though if you tried to run directly from IE, all but one piece of malware was initially blocked due to signature verification problems. Sophos blocked access to the below known malware sites, and where they were unknown it recognised the malware and prevented its execution. Time to read some reviews and get some prices for alternative endpoint protection.