Maybe you're getting a little bored with endpoint protection. Truth be told, it does seem more than a little reminiscent of the cold war. On the one side are malware producers, basically the bad guys, working hard at evolving their techniques to find and exploit even the smallest of vulnerabilities. On the other side are the endpoint protection developers, also working ceaselessly while looking for ever more intelligent ways to identify, block, andmalicious code in all its forms. The conflict is a never-ending struggle and, worse, it's one that's happening mostly in the background. At least until something awful happens

That's when endpoint protection becomes exciting real quick. But while those days tend to hit the headlines when they affect Fortune 500 companies and their clients, never forget that small to midsized businesses (SMBs) are just as vulnerable and subject to all the same exploits and attacks. And because they tend not to have thesecurity budgets of larger organizations, SMBs actually seem like easier targets or low hanging fruit for hackers. This means that SMBs need sophisticated and responsive endpoint protection just as badly as enterprises, if not more so

## Bitdefender GravityZone Business Security Enterprise
 Best for Advanced Threat Protection
 Bottom Line:
Bitdefender GravityZone Business Security Enterprise is an even stronger offering than its Premium cousin. Combining its excellent protection and patch management with advanced EDR capabilities makes this one an easy sell for businesses with budget to spare

- Excellent detection of unknown threats
- Good policy management tools
- Sandbox analyzer
- Customizable Dashboard
- Basic attack forensics even without EDR
- Pricing and plans hard to understand
- Some features have a steep learning curve
- Expensive
## F-Secure Elements
 Best for Device Management
 Bottom Line:
F-Secure Elements suffers from some annoyances, but they're relatively minor when measured against its top-notch customization, threat detection, and endpoint detection and response (EDR) capabilities

- Good mobile device management features
- Excellent custom profile and policy management
- Great detection performance
- Bundled patch management
- Reporting is still limited
- EDR features an expensive add-on
## Sophos Intercept X Endpoint Protection
 Best for Enterprise Endpoint Protection
 Bottom Line:

Sophos Intercept X Endpoint Protection keeps its Editors' Choice rating this year with an even more intuitive interface, an updated threat analysis capability, and excellent overall threat detection

- Intuitive and effective threat analysis/EDR
- Excellent and fast threat detection
- Easy to navigate interface
- Only available through third-party vendors
- Linux workstations not supported
## Kaspersky Endpoint Security Cloud
 Best for Low Reporting Needs
 Bottom Line:
Kaspersky Endpoint Security Cloud (ESC) has redesigned its interface and improved on key IT features, especially reporting

- Aggressive malware and virus detection
- Good network protection
- Excellent phishing detection
- User-based install is advantageous cost-wise
- Lacks full EDR capabilities
- Significant lag time between endpoint detection and cloud visibility
|Sold By||Price|
|Kaspersky300 Per Year for 10 Nodes||See It (Opens in a new window)|
## Microsoft 365 Defender
 Best for Microsoft 365 Customers
 Bottom Line:
Microsoft 365 Defender is for theMicrosoft enthusiast who knows how to work around its quirks. If you can fight through the confusing menus and have a high threshold for reading, there is a lot of power here, though you'll need to pay for it

- Included with Microsoft 365
- Powerful endpoint detection and response (EDR) features
- Excellent threat analytics and investigative capabilities
- Escalation for professional remediation of threats
- Lots of good documentation
- The interface can be confusing
- Setup is not intuitive
- Significant learning curve
- Expensive
## Trend Micro Worry-Free Business Security Services
 Best for Basic Small Business Protection
 Bottom Line:
Trend Micro Worry-Free Business Security Services has a lot to offer in the way of traditional protection, but it lacks features like vulnerability scanning and patch management

- Includes enhanced threat analysis and EDR at higher pricing tiers
- Excellent detection capabilities
- Built in Intrusion Prevention Rules
- No support yet for macOS Monterey
- Lacks patch management
- Slow performance against inactive threats
## Avast Business Antivirus Pro Plus
 Best for Businesses Using Lots of Desktops
 Bottom Line:
Avast Business Antivirus Pro Plus is very easy to use, making it a solid choice for small businesses. But if your needs are a little more advanced, you'll probably miss several features that the competition offers

- Excellent threat detection capabilities
- VPN and File Shredder included
- Easy to manage
- Includes basic remote control
- No mobile device management
- Patch management needs a separate license
- No EDR features
|Sold By||Price|
|AVAST||Visit Site||See It (Opens in a new window)|

## ESET Endpoint Protection Standard
 Best for Remote Management
 Bottom Line:
ESET has dramatically improved its SaaS offering in both interface and usability. It offers a high level of protection, too, but some lingering UI quirks might make it more challenging to use than some competitors

- Much-improved user interface
- Wide variety of detailed reports
- Easy to use remote management
- Plugin-free phishing protection
- UI can be inconsistent and overly complex
- Expensive, and EDR requires a costly upgrade
- Lackluster detection rates
## Vipre Endpoint Security Cloud
 Best for Multiple Device Types
 Bottom Line:
For businesses that need something that's both easy-to-use and frugal, Vipre Endpoint Security Cloud is an excellent fit, as long as you don't need advanced threat analysis or endpoint detection and response (EDR) features

- Easy policy definition and management
- Includes an intrusion detection system (IDS)
- Excellent detection rate
- Includes VPN and identity theft monitoring
- No EDR capabilities
- Many features are Windows-only
|Sold By||Price|
|VIPRE||Visit Site||See It (Opens in a new window)|
## WatchGuard Panda Adaptive Defense 360
 Best for Maximum Security Policies
 Bottom Line:
Recently acquired by WatchGuard, Panda Adaptive Defense 360 still sports excellent threat protection combined with easy deployment

- Airtight, no-nonsense security model
- Indicators of Attack feature helps find attacks before they happen
- Data protection feature helps with regulatory compliance
- Configurable intrusion detection
- Reporting features are limited
- Tends to produce false alarms
- Less effective against script-based attacks
## What Is a Hosted Endpoint Protection Solution?
A hosted endpoint protection solution amounts to a business-grade antivirus and anti-malware platform, theof which are hosted entirely in the cloud. That means administrators log into a web console to perform scans, register users, manage licenses, and perform other daily management tasks as well as reporting. This is a natural evolution as the benefits of a cloud-managed security service are just too many to ignore

Sticking with an old fashioned endpoint protection suites means IT must create a server-based back-end on premises, then deploy scanning software and agents to every device they want to protect manually while taking on responsibility for scanning engine updates. Contrast that against a cloud managed service and most of those headaches are taken on by the service provider. The back-end is entirely managed by the vendor and your users get their device software and updates automatically, all while providing IT with clear reporting of any exceptions, problems, and threats. The cloud even helps vendors deploy more advanced solutions for the more difficult threats

The challenge all these tools face is the ever-changing landscape of cybersecurity threats. They need to figure out exactly what's malicious and clamp down on it without flagging so much that protecting the business actually grinds it to a halt. This is a difficult problem to solve since maliciousness can be a very hazy thing. False positives, therefore, are an ongoing issue and handling them is one of the major aspects of how developers differentiate their products and compete for market share

This is where the cloud has proven a boon in recent years. Any hosted endpoint protection solution will have at least part of its overall architecture resident in the cloud. With that comes the ability to leverage Big Data science and advanced analytics on the server side. This lets service providers build machine learning (ML) models that can significantly enhance detection rates, something that wasn't nearly so achievable when vendors had to rely on their customers' on-premises computing power. While signature-based detection certainly still plays a major role in clearing the field, machine learning is where most of our vendors see the future going and we saw big strides made here during this year's testing. Our reviews clearly surfaced ML as the year's hottest security component, driving many of the newest features, especially behavior-based detection. While these engines can still be fooled, that's rapidly becoming more difficult to do

Still, with the right amount of tweaking, malware developers are still more than capable of cleverly disguising their malicious payloads and sneaking them past an IT department's defenses. Bad applications use all kinds of tricks to accomplish this, from digital disguises all the way to social engineering. For this reason, performing due diligence before deciding on an endpoint protection solution is critical. To help with that, this roundup puts ten of the top endpoint protection players through their paces. First, we examine deployment and management capabilities from an IT professional's perspective, and then we perform a four-part suite of detection tests to see just how these tools match up against one another

## How We Test Hosted Endpoint Protection Solutions
With threats and countermeasures constantly evolving, testing endpoint protection has become a tricky thing. The ML algorithms we saw vendors deploy are great at picking out known problems, which makes using known malware batches something of a token gesture. Everyone's prepared for it, so how effective of a test can it really be? Well, it's certainly a necessary test to establish a baseline of competence for every vendor, but it's also a good reason to take a multi-pronged approach to testing these solutions

As a rule of thumb, the weakest security link in any organization's defense chain is always going to be the people that work there. So, PCMag Labs starts by testing phishing detection. Sometimes the fastest way todown an attack is to simply stop users from handing over their credentials, even if they're doing so innocently. To do this, we leverage a website called PhishTank(Opens in a new window), which posts an ever-growing list of validated phishing websites. There we randomly pick 10 sites that are still active, and use those as a barometer to check how well phishing detection works in our test candidate. We just navigate to all ten sites using a test machine running the candidate's software and recording what happens

Another very popular attack vector is to trick users into downloading a seemingly legitimate application that's then used for nefarious purposes or even just waits for a time, behaving normally, and then detonating some kind of malicious payload. Being able to look under the hood of apps that may be carrying rogue code must be a significant area of focus for any winning endpoint protection solution. We focus on how each candidate performs such analysis, how those results are reported, what countermeasures can be taken, and how easily they might be defeated

We also make sure each candidate is familiar with the current threat landscape. We do this by throwing a fresh database of known malware against our test system that's running the candidate's protection client. So far, we’ve not tested a system that doesn’t pick up at least 80 percent, and usually far more, of these known malware variants. However, sometimes there can be a delay until the system is able to perform to its best levels, which is important for potential buyers to know. Also, some systems rely on waiting until the malicious software executes before flagging it and then just aim to clean up the mess afterward. Still others rely on pure signature-based detection algorithms and ML to pick out commonalities. Each of these approaches, or even a judicious mix, means a different level of success, and buyers always want the percentage detected and cleaned to be as high and as early as possible

Our more advanced testing is looking to see whether or not the system can be penetrated using browser or Microsoft Windows exploits as well as how easy it might be for an active attacker to compromise the system. We accomplish the first part by dropping malicious executables directly on our test system to see how the endpoint protection software reacts. We also enable awebsite with a specific (and effective) browser-based exploit and also launch that against our test system

We use the test system's remote desktop protocol (RDP) password and assume it's been compromised through a brute force attack. Then download a wide variety of malware samples to the system via RDP. This procedure relies heavily on both the Metasploit(Opens in a new window) framework and the Veil 3.1 framework to generate and encode attacks. How quickly the detection engine catches on is the paramount metric here, since in the wild these kinds of attacks can go undetected for some time. While we found that most systems will catch them on execution, some will allow the process to persist for a disturbing length of time. We score based on the amount of damage that can be done while the system is being compromised. We also attempt to delete documents, alter system files, and even uninstall or disable the antivirus package

## Other Key Features
Raw protective potential is certainly a key buying metric for an endpoint protection solution, but there are other features to consider. For one, support for mobile devices was a key feature, even when we tested hosted endpoint protection solutions last year, we certainly found that trend continuing this year. Making sure your chosen protection suite can protect all the devices in your organization's stable can mean the difference between having to learn and pay for multiple tools and being able to see your company's endpoint security health from a single control pane. Mobile features to look for include not only agents that can install on Google Android and Apple iOS, but also basic mobile device management (MDM) capabilities, like automated device registration, remote encryption policy enforcement, and remote device wipe

Patch management is another heavily-weighted component in this crop of protection products. Many of the issues that come from malware happen because the malicious software exploited a bug left on an unpatched system. Microsoft Windows is probably the most often cited culprit here, but in reality patch exploits happen on all kinds of systems and your endpoint protection solution should address this.That's especially true now that Microsoft has mostly forced users to automatically update its patches. This has bred a false sense of security among users who figure as long as Windows has its updates installed automatically, they're safe. But in reality, countless other applications often go unpatched and the bad guys often use one or more of these to accomplish just as much chaos

Just knowing that the patch exists is the first step in communicating the dangers to the business owners and allowing for a patching process that needs to include not only downloading the patch, but first testing and only then deploying it. Being able to deploy and rollback those patches from a web console is something no business should be without, whether you get it as part of your endpoint solution or as a separate patch management tool

Another key ability, and one upon which we placed great weight in our testing, is policy management. The ability to set customized policies on large or small groups of users or devices is not only a useful tool to have, it's practically a necessity in an age when users are commonly using multiple devices, even their own devices, to get work done. Power users and developers might require a bit more leeway with their operations, while standard end users might be locked down a bit more tightly. Having a clean way to do this is not only a management joy, it's often the only way to avoid significant nightmares in the future

## Evaluate In Your Environment
Finally, while we consider our testing methodology to be sound, we like to validate results against those of third-party resources. This year, that was primarily AV Comparatives(Opens in a new window) and the results of their 2019 testing. Comparing our results against those of AV Comparatives allows us to add an extra point of comparison to better represent the products from multiple viewpoints. It's also independent verification of our results across factors such as usability, detection accuracy, false positives, performance, and more

All this adds up to an excellent buying guide for businesses looking for a new or updated endpoint protection solution. However, reading this guide shouldn't be the end of your research. Once you've narrowed down your options, finding out for sure which is best for your company means evaluating the solution in your own environment. This means it's a good idea to always look for products that provide the ability to initiate an evaluation period, whether that be after some conversation with a sales person or just using a free download link on the vendor's website

*(Editors' Note: Vipre is owned by Ziff Davis, PCMag's parent company