Kaspersky Endpoint Security for Business
Strengths: Comprehensive feature set. Just about anything you need to secure and manage endpoints is here.
Weaknesses: Setup and deployment, while certainly not difficult, require getting used to. Setting up scripts helps, but you may want to experiment a bit before you attempt an enterprise-wide roll-out.
Verdict: For the midsized to large organization, this is a one-stop shop for endpoint security and is well worth exploring.
Kaspersky Endpoint Security for Business is an enterprise-grade endpoint security system that addresses malware, mobile device management, endpoint controls, encryption and systems management. All of these functions are integrated into a single endpoint management system console. Since Kaspersky writes all of the applications, rather than integrating third-party tools, the end result is tight and the tools interact smoothly.
Installation of the management console is quite simple even though it comprises a fair number of individual steps. We found, however, that those steps allow the administrator to customize deployments to pretty much any environment.
The core of the system is cloud-based in the sense that the cloud collects data from customer implementations around the globe and redistributes it to the customer base. Thus, a new piece of zero-day malware seen by a Kaspersky deployment in Africa is sent to the cloud, where it is analyzed and a new signature is created. From that point, the signature is sent to all of Kaspersky's users globally. The same holds true for such things as reputations of applications and websites.
The setup file is downloaded and installed on Windows just as any other setup file would be. By default, the backend database is MS SQL Express, but there are other choices available as well. Initial setup is about a 10-minute project. The console is part of the application rather than a browser-based deployment. This tends to speed response and, more important, avoid conflicts with such platforms as Java.
Deployment, likewise, is straightforward. Everything is wizard-based and adding devices is simple enough to become routine. Deployment is best begun with the communications agent. Once that is in place, identifying and configuring clients is fast and easy. The amount of drilldown at the client end is excellent. Overall, both hardware and application info is at the administrator's fingertips.
Policy building is next and that, too, was straightforward. Clients can be configured easily from the console. All of the client deployment tasks - including removing prior anti-malware products - can be scripted. Endpoints can even be configured to know when they are off the network and, if desired, change their configuration automatically to adjust to the more exposed threatscape.
Much of the policy configuration is based on categories, such as application categories. There are more than 80 of these out of the box. The policy can be set to block everything except those things that are explicitly whitelisted (a typical default deny policy). Administrators can override blocks when they need to for the purpose of system administration. Policies can be set to manage access to just about any resource and can be set so that nothing that is not explicitly whitelisted can execute on the endpoint, a powerful anti-malware action.
Encryption of the entire disk - including such external devices as thumb drives - or of files and folders is part of this comprehensive product. Encryption includes a way for authorized administrators to access encrypted data if a user leaves the organization or forgets a password.
Reporting is everything you might need and it comes in three flavors. First, the system sports real-time reporting. This allows administrators to set up reports that can be run ad hoc. Static reports are the usual expected reporting approach and there are a number of pre-made templates. New reports can, of course, be defined using the New Report Template Wizard. The final type of reporting is notifications. This is similar to alerting and is configurable, just as everything else is.
Overall, this is a solid product that is easy to set up and deploy with a reliable endpoint management capability all tied up in a single console.