Endpoint Protection, What are you using? and why?

greatkemo
Contributor II

Hi Folks,

As the subject suggests, I am trying to get a feel for what people are using for anti-virus/spyware/malware etc. solutions and what made you choose it/them. For many years now we have been using Symantec Endpoint Protection and so far it has been OK, but only just. We are starting an exploration effort to see if there is anything out there that would be better for our needs.

Some of the issues I have with it:

Mac and Windows clients do not have the same feature set; it is much more comprehensive on Windows.
Mac clients can't perform an inline update.
Windows clients' inline update requires the admin to have domain admin privs.
Mac clients do not get their definitions from the SEP server.
With every major OS release there needs to be a server upgrade and client upgrade.
The management console is stupid, to say the least.

And the list goes on.

So, what are you using? And why?

Regards,
Kamal


AVmcclint
Honored Contributor

We're using McAfee Endpoint Protection. Why? Because our security folks say we have to. I don't understand why since we have to exclude just about the entire hard drive from all its various protections. If we don't exclude everything, then the computers become unusable. And to make matters worse, they are dictating that we ALSO install ECAT. If you want to max out all your CPU cores for hours on end, install both ECAT and McAfee. It'll make your computer a nice warm spot on your desk to warm your hands this winter. Worker productivity is overrated, right?

psliequ
Contributor III

I might suggest looking at ways to secure clients further upstream than the endpoints themselves. Filtering malicious emails at the email server itself is always a good idea, and if you have file servers onsite those should be secured too with something that can check for malicious files and quarantine them.
Antivirus is limited in its functionality by how comprehensive its definitions are, and the reality is most of the definitions in an antivirus product are there to protect Windows clients. OS X has had a number of vulnerabilities, but these are things that only Apple as a vendor has had any power to remediate. Apple has also integrated their own system of checking for and shutting down known malicious software (XProtect) into the OS. Updates to XProtect definitions are delivered along with other Apple software updates automatically (as long as you have your clients set to check for software updates; long story, see here).

El Capitan also has System Integrity Protection (good overview here) so getting 10.11 out the door into your environment is accomplishing quite a bit of endpoint hardening on its own.

The best thing you can do on OS X is to make sure you have a way of quickly and regularly applying software & security updates that Apple makes available. Internal software update servers along with a policy that forces clients to pull updates on schedule is a very good idea. Coupling that with a way to quickly qualify and distribute major OS updates to clients is protecting you in a more fundamental way than any Antivirus product can.

This is to say nothing of the political battles one might have to wage in arguing against AntiVirus on OS X which is a separate discussion altogether :D

greatkemo
Contributor II

@psliequ I completely agree, and this is how I would have it as the admin. However, life is never that simple in an organisation, and the powers that be insist that all clients (even Linux) have an AV installed or they are not allowed on the network. The second issue is that we have to have a solution that is cross-platform across the three major platforms (thank God they are not asking for mobile devices yet).

So the objective is to find out what is the best solution out there, and why is it the best? Even if the best is Symantec EP and we should do nothing, we still need to explore that.

Any ideas?

Kamal

psliequ
Contributor III

Gotcha. You mentioned in the OP that your clients don't receive definitions from the SEP server. You could definitely address that part at least by using the enterprise client rather than the standalone version. If you can get your hands on that it's among the easier antivirus packages to deploy and report on with Casper. Though you can't perform 'inline' updates per se you can easily package a new version, identify out of date endpoints and target them with a policy.

psliequ
Contributor III

Also, if moving to an entirely different product is in the cards, Bit Defender is worth exploring. Their admin console is fresher than a lot of the competition. Can't speak for its efficacy though.

djwojo
Contributor

We use Trend Micro Security on both Mac and Windows here. On the Mac side it is an easy install with a script to the TMSM server that pulls the app install from the deployment location. The why: because we get audited and have to comply for compliance. We also have an excellent relationship with Trend that was established before I was here. Trend takes care of a few of your pain points listed below. All clients get the definitions from the same location, from what I have seen. The new version was previewed and looks much better as far as look and feel; usability adds some features also. Currently we are on TMS 2.0.3061.

Mac and Windows clients do not have the same feature set, it is much more comprehensive on Windows.
- Windows does have a few different features which I can't think of right now...
Mac clients can't perform an inline update.
- Macs update fine
Windows clients inline update requires the admin to have domain admin privs.
- Not with Trend.
Mac clients do not get their definitions from the SEP server.
- They do with Trend.
With every major OS release there needs to be a server upgrade and client upgrade
- If the versions change to match the new OS changes (like SIP) then yes. This is expected and should be, imo.
The management console is stupid to say the least
- It's not terrible, but far from perfect.

Is it good? We get alerts on viruses, DLP, malware etc. that we wouldn't otherwise. Most of the Mac alerts are what I call "virus carriers" that won't affect the Mac but will pass to Windows if not removed. The Windows side I can't speak to much as it's not my world anymore. It was decent and low usage. Trend definitely doesn't tax the system like McAfee seems to on your side. We are primarily 10.10.5 and pretty loaded laptops.

Hope this helps! And no, I don't work for them; we just had a really good experience with the product.

gachowski
Valued Contributor II

IBM has rolled out 60,000 Macs with no added AV and I think they expect half their workforce to use Macs, eventually 200,000 Macs.

3rd-party AV is dead; managers are just checking boxes, CYA, and because that is what we have done in the past...

C

dgreening
Valued Contributor II

Sophos Enterprise 9.2.8 because we have to. We did have to dial down live protection (scan on access) for files in user directories as developers complained that app build time went WAY up when they moved from SEP to Sophos.

mm2270
Legendary Contributor III

@AVmcclint I hear you man! We also have McAfee Crapafee Endpoint Protection installed AND ECAT on all our Macs. And that's not even counting the NAC appliance doing all sorts of crazy compliance checking all the time. It's a nice way to make a modern Mac operate like it was designed in 2001. It's simply insane what we are required, no, forced to install on our Macs. It's all because some tin foil hat wearing jerk in security wants to secure his job and confidently say no virus has ever caused issues in the organization. Frankly, they don't give a crap that it completely messes up the productivity of our systems. They get to check a box on their self review that they kept the organization secure, and that's ultimately all that matters to them. Users do not matter (except that they do!)
We have Mac users dropping managed Macs in droves and going BYO, and somehow the powers that be scratch their heads and wonder why this is.

myronjoffe
Contributor III

@mm2270 Are you using McAfee as your firewall on your endpoints? Is anyone else using the firewall options as part of the endpoint protection suite?

greatkemo
Contributor II

@psliequ I hear what you're saying, and we are using a managed package for the Macs and they are connected just fine to the SEP management server; it's just that the Mac client definitions are not stored on the SEP management server by design, they have to be pulled from Symantec for each client. It's about a 300MB download each time and it is super slow, but it is what it is. As for the packaging and upgrading I have a pretty cool workflow and I'm quite pleased with it, but I would still appreciate an inline update; that shouldn't be too hard for a company like Symantec that charges a ton for their solutions.

I manage a CrashPlan installation as well, and I just love how CrashPlan takes care of updating the clients automatically with no hassle on all three platforms, so I would really expect the same for an AV solution.

Loving the thread, didn't expect this many replies, much appreciated all.

Kamal

mm2270
Legendary Contributor III

@myronjoffe Yes, we are also using the McAfee firewall component, but we are only doing this for 10.10.x clients and up. Older OS versions were using, and continue to use a custom firewall application. But Yosemite clients make up the majority of Macs here now.
There were some initial tweaks required when we began testing it to make sure it wasn't blocking services unnecessarily, but once that was done, it's been relatively smooth.
My issue with the McAfee security implementation here is with the A/V, and more specifically with the boneheaded insistence from our security people that McAfee must scan all On Access Writes and Reads to disk (with the exception of excluded paths). I understand the need to scan for viruses on writes, but scanning on all Reads absolutely kills performance on our Macs. The sheer amount of items being read from disk at any moment in OS X is huge, so you can imagine what it does to them. I just don't see the need to do on access read scans at all, and amazingly, even some folks at McAfee agree it's unnecessary, but bafflingly, our security people are not taking the advice of the vendor of the product!

myronjoffe
Contributor III

@mm2270 I did a PoC for McAfee 1.5 years ago for a large Creative Media client and even with adding best practice file and folder exclusions it still made the machines run like a dog.

I had good experiences with Sophos AV but I'm told there is still no firewall parity with what the product offers for Windows endpoints. Can anyone else confirm this?

guidotti
Contributor II

@greatkemo we also use Symantec Endpoint Protection. The Windows engineering folks manage the SEPM server, and we are not allowed to use it, so I "manage" everyone individually like consumers. We do it with extension attributes to track if their definitions are up to date. I would rather run no AV and use SIP and XProtect like IBM is doing, but our Information Security is hesitant at this point.

Kaltsas
Contributor III

FISTBUMPU my EPM brothas and sistas @AVmcclint @mm2270

@AVmcclint @mm2270 and I went through the great EPM fiasco of 10.9, so if you have any questions we both can probably help. One has to become adept at both testing EPM and wrangling your EPO admin into making necessary policy changes.

OAS set on Read will destroy a Mac. Period. There's no getting around it on any AV, EPM/VS do seem to take a worse hit than other products but it's bad all around. I have had both our sales engineer and the product manager tell me do not run EPM with OAS read. Thankfully our InfoSec team has a semblance of sense and is ok with on Write. Theoretically OAS Write should catch anything anyway, and I'm especially not concerned on OS X.

We are using the firewall functionality, we are very "endpoint" heavy on securing our resources so we lean on McAfee a lot. First rule of EPM's Firewall (which it does by default), do not blindly apply your windows firewall policy to the Mac OS Node.

I need to start an EPM support group, or a slack channel or something....

gachowski
Valued Contributor II

@Kaltsas How many Macs do you have EPM on?

C

Kaltsas
Contributor III

FWIW @myronjoffe EPM 2.2 is better than Security for Mac 1.0 or EPM 2.0 and 2.1, they genuinely seem to be making an effort to make their macintosh product not be a complete boat anchor. I just can't help but think the resources that are given to any Macintosh project at McAfee are minimal. What if they are bound by the same corporate ideas we are. Wouldn't that be the worst.

I have looked at the new Endpoint Security for Mac 10 and I am not ultra impressed with their desire to completely merge the management policies for the Macintosh and Windows products. There's just too much difference; the Macintoshes necessarily need different policy applied to them. At least with EPM everything but the firewall policy is separate (and even on the HIPS policy you should just make one for the Mac OS node). Converging these policies will just encourage organizations to think "awww yis, we can get away with the same policy applied to all endpoints".

AVmcclint
Honored Contributor

We've managed to make McAfee (all by itself) less painful by adding lots and lots and lots of exclusions. I just discovered that we are still set to scan on READ access. I will ask if we can change it to scan on WRITE access instead. I'm thinking that may also help with ECAT running at the same time since McAfee won't be scanning everything ECAT scans.

Kaltsas
Contributor III

@gachowski A few hundred; eventually it will be on all Macintosh endpoints (approx. 1700). It has been going out to new endpoints for a long time. There are a lot of endpoints in the wild that still have SCEP, Symantec, or nothing at all. I'm directed to be very hands off and let desktop go out and do the change, even if it is push buttons in Self Service.

There would be more endpoints with it but I put out SCEP for a while during the great tank your AD bound macs fiasco of 10.9.

Kaltsas
Contributor III

What is ECAT? Some other security software? I could see them stepping on each other's toes if one or both are scanning on read. Especially spinning disk. Shudder.

Here is a lesson I learned during the great McAfee fiasco of 10.9. There are a couple of processes going on, and even when a file or directory is excluded a McAfee process still checks the status of the file. If it is excluded it does not pass it to the scanner. Maybe this is how all AV products work, I don't know. At any rate it still causes a performance hit, just not as bad as on Read where every file is passed to the scanner.

AVmcclint
Honored Contributor

ECAT link. I don't know exactly how it works, but based on the official product description and the explanations our security team has given, it just sounds like YAA (Yet Another Agent) that duplicates the efforts of the primary protection software (McAfee). If you are using ONLY ECAT, who knows, it may be a fine product. But we're being forced to deploy both at the same time.

The CPU battle we've discovered between the 2 suites is that when ECAT scans files, McAfee is then triggered to read whatever it is that ECAT is reading and if you watch Activity Monitor while using your computer, you'll see all of your CPU cores pegged at 100%. That's why I'm hoping that if we set our McAfee to only scan on WRITE, that may alleviate some of the pain.

Kaltsas
Contributor III

That cat seems uhhhh, secure? Looks like one of those new "adaptive" security programs like SentinelOne or Checkpoint. I don't know enough about them to offer any educated opinion. I would offer an educated guess that setting one of your products to OAS on write only will solve some issues; you're probably on the right track with McAfee as their folks don't recommend it being enabled on OS X (I think if you install EPM standalone it will default to W only).

Look
Valued Contributor III

ESET here.
Not my decision, but I believe it was a combination of the following:
Price
Small client footprint
Manageable
Windows and Mac use the same backend infrastructure.
I know the Mac side is dead easy to deploy: simply run the install pkg and then send down a config to point it at the server, done!

lpierce
New Contributor III

Anyone not go the AV route and just add an extra layer of whitelisting beyond Gatekeeper, e.g. Bit 9?

Kedgar
Contributor

We are using the Microsoft SCEP client, which is unmanaged. It is simple to deploy; however, there is not much you can do to manage it or report on it. I did do a write-up on JamfNation on how to create an extension attribute to get the virus def version and date. We are using this for a few reasons: cost, similarity to Windows clients, and because the Microsoft virus defs have caught things on the Windows side that Symantec couldn't catch before.

Unfortunately, it is pretty much a requirement these days to run a local AV engine; our end users are the reason... some of them will click on anything despite training.

Better safe than sorry, even though that safety is somewhat of a lie to yourself. It's always nice to have a vendor to blame, rather than yourself :)
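Both guidotti and Kedgar above mention a Jamf extension attribute that reports whether local definitions are up to date. The script below is an added example of that idea, not code from either poster or from any AV vendor: the definitions info file path and its `date=YYYY-MM-DD` line format are assumptions (stand-ins for whatever your product actually writes), and the date math is done in plain shell so it behaves identically under macOS BSD `date` and GNU `date`.

```shell
#!/bin/sh
# Added example: Jamf-style extension attribute reporting AV definition age.
# DEFS_INFO is a hypothetical path; real products keep this elsewhere.
DEFS_INFO="${DEFS_INFO:-/Library/Application Support/ExampleAV/definitions.info}"
STALE_AFTER_DAYS=7

# Days since 1970-01-01 for a civil date (Hinnant's days_from_civil), in pure
# shell arithmetic. Arguments: year month day, without leading zeros.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# YYYY-MM-DD -> day count. Leading zeros are stripped so "08"/"09" are not
# parsed as (invalid) octal by the shell.
date_to_days() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    days_from_civil "${y#0}" "${m#0}" "${d#0}"
}

# Age of the definitions in whole days: defs_age_days <defs-date> <today>
defs_age_days() {
    echo $(( $(date_to_days "$2") - $(date_to_days "$1") ))
}

# Build the <result> Jamf expects: defs_status <info-file> <today>
# Distinguishes "not installed" and "unparseable" from merely stale, so the
# inventory can target each case with its own smart group.
defs_status() {
    file=$1; today=$2
    if [ ! -f "$file" ]; then echo "<result>Not installed</result>"; return; fi
    # Assumed file format: one "date=YYYY-MM-DD" line among others.
    defs_date=$(sed -n 's/^date=//p' "$file" | head -n 1)
    if [ -z "$defs_date" ]; then echo "<result>Unknown</result>"; return; fi
    age=$(defs_age_days "$defs_date" "$today")
    if [ "$age" -gt "$STALE_AFTER_DAYS" ]; then
        echo "<result>Stale ($age days)</result>"
    else
        echo "<result>Current ($age days)</result>"
    fi
}

# When run by the Jamf agent, report against today's date.
defs_status "$DEFS_INFO" "$(date +%Y-%m-%d)"
```

Pair the attribute with a smart group on "Stale" or "Not installed" and a policy that re-pushes the installer or forces a definition update, which is the same "identify out-of-date endpoints and target them" loop psliequ describes.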

gachowski
Valued Contributor II

I haven't checked in a year, but back then the Microsoft client only checked for Windows stuff...

C

Chris_Hafner
Valued Contributor II

We're Sophos Cloud, mostly to make sure we kill any Windowsy infected file and/or Genieo-like things. That said, I am really, really tempted to forego the whole lot if I weren't scared of 'future possibilities'.

Flopik
New Contributor

For those with EcatService running, if you have admin rights, try pausing the process using Process Hacker.

deadlift
New Contributor

@gachowski I find that interesting, and I keep hearing that. I was on a Mac at IBM from 2011 until this spring. The workstation security rules said we had to run SEP, and I'm pretty sure the managed client I had last summer forced SEP installs. I heard this rumor again last week, and checked with two old colleagues. One still had SEP installed on his Mac, and the other checked the security rules and said yup, still need SEP.

Which Macs are not getting antivirus again?

jonlju
Contributor

@deadlift I used to work for IBM as well and think the whole company had to run SEP, regardless of whether you were a Windows, Linux or OS X user. We had monthly checks run to ensure compliance in having SEP installed.

At my current workplace we use F-Secure on both OS X and Windows (I'd say it's a 50/50 split here).

gachowski
Valued Contributor II

@deadlift

I am just repeating what IBM said publicly here

https://www.jamfsoftware.com/resources/mac-ibm-zero-to-30000-in-6-months-video/

And that was confirmed in the question session here...

https://docs.google.com/document/d/1ufpf_yfXpRD7Qcid4ft2c-cGd_6XgYEZy_FPP78lXQQ/edit

C

deadlift
New Contributor

It may be posted there, and I've since left IBM, but I had two friends still there with Macs check. They still have SEP. Literally seen it on the managed MacBooks.

donmontalvo
Esteemed Contributor III

Liability and accountability are things.

Large enterprise requires that all workstations/servers are protected. Doesn't mean you have to live with "We don't understand Apple so out-of-box settings will have to do".

In every large company where we've managed Macs, part of our job is to teach/guide the company. This includes collaborating with the folks who manage SEP, ePO, etc., so exclusions are right, etc.

It's an inconvenient reality in large enterprise environments. Companies that are side-stepping this requirement might want to shop for a big-@$$ diaper, and review their resumes, in case the platform is compromised.

That is if you're still employable after failing to protect big enterprise.

--
https://donmontalvo.com

gachowski
Valued Contributor II

@donmontalvo

That reads like you are implying that IBM and Apple don't understand Apple: "don't understand Apple so out-of-box settings will have to do".

That is surely not fair, to IBM and Apple...

C

donmontalvo
Esteemed Contributor III

If a company requires antivirus protection, most complaints stem from bad (out of box) exclusions, etc.

When exclusions etc. are set up properly, requirements can be met without putting the company at risk.

--
https://donmontalvo.com