Sophos Endpoint Security review
The concept of endpoint security has been with us for many years. Up until recently, software solutions have been strictly in the enterprise domain, but we’re now starting to see products aimed at the SMB. Trend Micro moved in this year with its CSS suite and this month, it’s the turn of Sophos and its Endpoint Security (EPS).
The suite takes a simple stance to securing workstations and servers, and concentrates on anti-virus and firewall measures – the same as Trend’s CSS. At the helm, you get Sophos’ highly respected Anti-Virus (SAV) 6 and this is backed up by a firewall client, which is the result of Sophos licensing Agnitum’s personal firewall technology last year. It’s a well-respected product, but note that it only supports Windows 2000 and XP workstations.
For management, the suite comprises four components, with the Enterprise Manager looking after package downloads. The Enterprise Console handles software deployment and policy enforcement, a database keeps track of all systems, and an EM Library stores signatures and packages. For testing, we opted to drop the lot onto a single Server 2003 system, although you can place each component on different machines. From the Enterprise Console, you create a new library to store your downloads and then decide on the update frequency. Predefined schedules are supplied where downloads occur every hour, but you can also check Sophos’ website as often as every ten minutes.
From the console, you search the network for computers and then drag them into custom groups. A wizard then fires up for software deployment, where you decide which components should be pushed to each client. Updates, SAV and firewall behaviour are all determined by policies assigned to each group. For example, SAV policies control functions such as the real-time scanner and its behaviour if an infection is detected. On-demand scans can also be scheduled for each group, and users can access SAV locally if they wish, but can’t unload it.
The firewall provides standard SPI protection, but is designed to offer application controls by creating checksums for each executable as it’s loaded. If the checksum has changed, it will block the executable from accessing the network. SAV itself also has a new application-control process, which is currently a work in progress. The idea behind this is that Sophos provides signature files that specifically identify applications to allow administrators to actually stop selected programs from being loaded at all.
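The checksum-based application control described above is simple enough to sketch. The following Python script is an added example of the general idea (a per-executable hash baseline, with a block decision when the hash no longer matches) and is not Sophos's or Agnitum's code; the page does not say which checksum algorithm the firewall uses, so SHA-256 and the file names are assumptions, and the executable contents are constructed test bytes.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large executables don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of each executable at the moment it is first trusted."""
    return {os.path.abspath(p): sha256_file(p) for p in paths}


def check_executable(path: str, baseline: dict) -> str:
    """Return the policy decision for a program that wants network access.

    'allow'   -> hash matches the recorded baseline
    'block'   -> the binary on disk has changed since it was trusted
    'unknown' -> never baselined; a real product would prompt or deny
    """
    key = os.path.abspath(path)
    if key not in baseline:
        return "unknown"
    return "allow" if sha256_file(path) == baseline[key] else "block"


def demo():
    """Walk through trust, tamper and unknown-binary cases on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")          # assumed name, constructed bytes
        with open(exe, "wb") as f:
            f.write(b"MZ original program bytes (constructed)")
        baseline = build_baseline([exe])
        first = check_executable(exe, baseline)   # unchanged -> allow

        with open(exe, "ab") as f:                # simulate a modified binary
            f.write(b" tampered")
        second = check_executable(exe, baseline)  # hash differs -> block

        other = os.path.join(d, "other.exe")      # never baselined
        with open(other, "wb") as f:
            f.write(b"MZ never baselined (constructed)")
        third = check_executable(other, baseline)  # -> unknown
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Running the script prints `('allow', 'block', 'unknown')`. The "unknown" branch is where real products differ most: treating an unlisted binary as blocked is safer but generates more prompts, which is the usability trade-off a personal firewall has to manage.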
We found SAV worked fine during testing. It picked up all our viruses as they were introduced to our clients and blocked downloads of infected files. The Alert tab in the console displays warnings next to systems that have had a virus blocked, and any firewall activity will be highlighted here as well. Mobile workers come into the picture too, as the EPS suite also includes standalone versions of SAV and the firewall. These can be updated either from your own download servers or from Sophos’.
Compared with Trend’s solution, Sophos EPS is more costly and features such as the SAV application blocker were in development at the time of review. However, it does deliver a strong combination of anti-virus and firewall measures, and doesn’t require a lot of manpower for deployment and general management.