We are constantly telling our customers that traditional anti-virus programs that rely mostly on ‘signatures’ from previous attacks will no longer keep a company safe. Attackers are now sophisticated, well funded and often government controlled. This means they rely less on exploiting known security holes and more on developing those holes.
A ‘zero day’ exploit is something that has been developed to take advantage of a security hole but has not been applied to other companies… yet. It is natural to think that these ‘zero days’ are so rare, that attackers would only use them on the largest, juiciest targets (like banks and other governments), but that just is not the case.
If your company has more than 100 employees or more than $1 Million in sales (not that big), it should be running ‘Next Generation’ endpoint protection software.
These NextGen tools do not rely on what happened yesterday, the way old school antivirus does. They are behavior based. They consider the characteristics of each file and what it is doing. Things like:
- is the file digitally signed
- is it from a region of the world with know issues (Russia, China…)
- is it trying to obfuscate its name (hide behind a similar file name i.e. Word.EXE is not a Microsoft program, but WinWord.exe is)
- is it transferring files outside company
- is it talking to a command and control server outside of your company
- is it trying to copy itself to other computers
- is it trying to encrypting your hard disk
- is it trying to launch other programs
and thousands of other parameters are what these Next Gen AV products consider.
We recently completed another review of several major Next Gen protection tools and the results are below.
Keep in mind that these companies frequently update their software and so these features and functions will change. The intent of this grid is to simply give you a solid starting point to work from.
Also note that:
- we have a full review of Dell Endpoint Security Services Enterprise HERE
- we had considerable experience with Trusteer Apex (aka. IBM Trusteer) but that product ‘sort of’ was rolled into IBM BigFix and then IBM sold BigFix to a company we contacted but could not get information from
Product | CarbonBlack Defense – Confer | Crowdstrike Falcon w/Overwatch | Cylance (Blackberry) | Sophos Intercept X | Malware Bytes 3.0 |
URTech’s Initial Rating | A | A | C | A | B |
Magic Quadrant / Wave | B | B+ | B- | B+ | B- |
Behavior or File Chrctrstcs | Behavior | Behavior | File | Behavior | |
24×7 Phone Support | Y | Y | Y | Y | Y – Optional |
Win 10 1903 Support | Y | Y | Y | Y | Y |
Server 2019 Support | Y | Y | Y | Y | Y |
Web Admin (SaaS) | Y | Y | Y | Y | Y |
Path White-listing | Y | Y | Y | Y | Y |
Dual Wildcard White list Path | Y | Y – but check | No | Y | Y |
Remote Delete Files | Y | Partial | Y | No – Need EDR | Y |
Virus Total Linkage | Y | Y | Y | Y & Internal | No |
Can Disable Windows Action Center AV Registration | Gen | Y but with Quarantine | Y | Y | Checking |
MD5 / SHA White-listing | Y | Y | Y | Y | Y |
Filename White-listing | Y | Checking | N | Y | Y |
Email Alert Bundling | Y | Y | Y | Y | … |
Block Access To Web Mail Attachments | N | N | N | ADDITIONAL | N |
Agent Update Frequency / Year | 2 | Every 2 Weeks | 2 | > 4 / year | Constant |
Agent Update Require Reboot | / | Never | N | Rarely 1/yr? | Rarely 1/yr? |
Agent Update Process | Console | Console | Console | Console | PDQ/SCCM |
Mobile OS | N | Fall 2019 | N | Additional | Separate Product |
Disk Encryption | N | N | N | Y – Additional | N |
Agent Alerts | / | Y | Y | Y – Customization | Y |
Sand-boxing | N | N | N | Y | Y |
Must Replace AV | N | N | N | N | N |
PreExecution Scan | / | N | Y | Y | Y |
Performance Hit | Low | Low | Low | Low | 20mb – .5% CPU |
Kernel Mode | Y | Y | Y | Y | Y |
Server Agent | Y | Y | N | Separate | Y – Policy |
AD Password Reuse Block | N | N | N | N | N |
Keyboard Encryption | N | N | N | Checking | N |
Malicious Com Block | N | Partial | N | Partial | Blacklist |
AV File Inspection | N | N | Just at Install | N | Y |
Misc | USB Tracking for data theft – Never had a single client data breach – Falcon Complete = Contract Workers inc AIG Insurance Up To $1M For Breaches $100K+ | File Inspection Only – not behavior Blackberry’s acquisition of Cylance brings future into question | Acquired Hitman Pro Just signed large contract with Microsoft | Very positive – Solid progress in last 2 years |
1 Comment
SOLVED: How To Uninstall CylancePROTECT – Up & Running Technologies, Tech How To's · September 21, 2022 at 3:07 pm
[…] are several ways to remove CylancePROTECT from a Windows computer but it is normally a two step […]