X by Invincea is an endpoint protection tool that is focused strongly on malware protection. It approaches malware protection by isolating execution or by using next-generation detection algorithms. If the isolation option is used for email, when a piece of malware tries to execute or when a spear-phishing message tries to redirect the user, it is isolated from the rest of the computer and cannot infect or redirect. Being a next-generation tool, it uses an advanced form of machine learning. It is not, therefore, dependent on signatures.
There are two components to X: the endpoint agent and the management server. We had virtually no trouble installing X in our test environment - with the exception that there are limitations on the versions of Google Chrome that it supports. Ours, it turns out, was too new. When we moved to a Microsoft browser, we had no trouble. We do think that, because this is not totally a Microsoft world, products need to stay current with the most important browsers, and, certainly, Chrome is one of those.
The endpoint agent is lightweight - 100MB RAM and one percent CPU - so there is no performance hit. Detection is accomplished by monitoring process activity on the endpoint. Prevention is a function of the machine-learning algorithms, and isolation is localized to the execution of a process, preventing the process from accessing resources outside of the container. Should an infection attempt occur, reverting to the pre-infection state is simple. Deploying the isolation within the endpoint simply required clicking an icon. Of course, the isolation feature must be enabled by the administrator.
The system is policy-driven and it is straightforward to manage policies and end-user functionality. Additionally, users are given some measure of control through limited user-level configuration. When the user and the administrator have selected isolation - the admin deploying it and the user invoking it - downloaded files need a digital signature. Without the signature they cannot be downloaded. There are quite a few features connected with the isolation capability and they usually can be invoked by either the user or the administrator - depending on how the administrator has set the system up. We really cannot see why isolation would not be every user's choice. Certainly, administrators should make it available.
Another of the isolation features is document protection. With this, users can restrict activities involving protected documents. Added to application protection, the isolation capability becomes very powerful. One thing that we particularly liked was the extensive collection of pop-up notifications letting us know what the tool was doing at the moment. There also is an excellent alerting pop-up that contains a lot of detail.
We sort of put the cart before the horse in that we deployed an endpoint before the management console. When we deployed the management console, we were pleased that it had no trouble seeing our endpoint. It's really not a good idea to do this, though. We had to go back into the endpoint for configuration. We did that from the management console though, so it only was a minor inconvenience. As a colleague has expressed it, we suffered a self-inflicted wound.
The management console is very easy to use. The admin landing page let us manage activities, such as upgrades and configuration. We also saw summaries of threat data. The default tab on the landing page is the user tab, from which the administrator manages the users in the enterprise. Users can be created, modified and removed. The ability of the user to make the kinds of choices - changes, really - discussed above is controlled by the role-based admin flags. One security area which concerned us was the inability of the administrator to remove admin rights from a user. Only the user can remove those rights. We think that is potentially a serious security flaw. The workaround, of course, is to give the pseudo-superusers modify rather than admin rights. However, a careless or new administrator could inadvertently give the wrong rights for the best of reasons and then lose control over the endpoint.