Gartner defines an endpoint protection platform (EPP) as security software designed to protect managed endpoints — including desktop PCs, laptop PCs, virtual desktops, mobile devices and, in some cases, servers — against known and unknown malicious attacks. EPPs provide capabilities for security teams to investigate and remediate incidents that evade prevention controls. EPP products are delivered as software agents, deployed to endpoints, and connected to centralized security analytics and management consoles.

EPPs provide a defensive security control to protect end-user endpoints against known and unknown malware infections and file-less attacks using a combination of security techniques (such as static and behavioral analysis) and attack surface reduction capabilities (such as device control, host firewall management and application control). EPP prevention and protection capabilities are deployed as a part of a defense-in-depth strategy to help reduce the endpoint attack surface and minimize the risk of compromise. EPP detection and response capabilities are used to uncover, investigate and respond to endpoint threats that evade security protection, often as a part of broader threat detection, investigation and response (TDIR) capable products.

A hosted endpoint protection solution amounts to a business-grade antivirus and anti-malware platform, the guts of which are hosted entirely in the cloud. That means administrators log into a web console to perform scans, register users, manage licenses, and perform other daily management tasks as well as reporting. This is a natural evolution as the benefits of a cloud-managed security service are just too many to ignore.

Sticking with an old fashioned endpoint protection suites means IT must create a server-based back-end on premises, then deploy scanning software and agents to every device they want to protect manually while taking on responsibility for scanning engine updates. Contrast that against a cloud managed service and most of those headaches are taken on by the service provider. The back-end is entirely managed by the vendor and your users get their device software and updates automatically, all while providing IT with clear reporting of any exceptions, problems, and threats. The cloud even helps vendors deploy more advanced solutions for the more difficult threats.

The challenge all these tools face is the ever-changing landscape of cybersecurity threats. They need to figure out exactly what's malicious and clamp down on it without flagging so much that protecting the business actually grinds it to a halt. This is a difficult problem to solve since maliciousness can be a very hazy thing. False positives, therefore, are an ongoing issue and handling them is one of the major aspects of how developers differentiate their products and compete for market share.

This is where the cloud has proven a boon in recent years. Any hosted endpoint protection solution will have at least part of its overall architecture resident in the cloud. With that comes the ability to leverage Big Data science and advanced analytics on the server side. This lets service providers build machine learning (ML) models that can significantly enhance detection rates, something that wasn't nearly so achievable when vendors had to rely on their customers' on-premises computing power. While signature-based detection certainly still plays a major role in clearing the field, machine learning is where most of our vendors see the future going and we saw big strides made here during this year's testing. Our reviews clearly surfaced ML as the year's hottest security component, driving many of the newest features, especially behavior-based detection. While these engines can still be fooled, that's rapidly becoming more difficult to do.

Still, with the right amount of tweaking, malware developers are still more than capable of cleverly disguising their malicious payloads and sneaking them past an IT department's defenses. Bad applications use all kinds of tricks to accomplish this, from digital disguises all the way to social engineering. For this reason, performing due diligence before deciding on an endpoint protection solution is critical. To help with that, this roundup puts ten of the top endpoint protection players through their paces. First, we examine deployment and management capabilities from an IT professional's perspective, and then we perform a four-part suite of detection tests to see just how these tools match up against one another.

Antivirus utilities distinguish themselves by going beyond the basics of on-demand scanning and real-time malware protection. Some rate URLs you visit or appear in search results using a red-yellow-green color-coding system. Some actively block processes on your system from connecting with known malware-hosting URLs or fraudulent (phishing) pages.

All software has flaws, and sometimes these flaws can compromise your security. Prudent users keep Windows and all programs up to date, patching those flaws as soon as possible. The vulnerability scan offered by some antivirus apps can verify that all necessary patches are present and even apply any that are missing.

Spyware comes in many forms, from hidden programs that log every keystroke to Trojans masquerading as legitimate programs while secretly mining your data. Any antivirus should handle spyware, along with all other types of malware; however, some include specialized components dedicated to spyware protection.

You expect an antivirus to identify and eliminate malicious programs, while leaving legitimate programs alone. What about unknowns, programs your AV can't identify as good or bad? Behavior-based detection can, in theory, protect you against malware, so new researchers have never encountered it. However, this isn't always an unmixed blessing. It's not uncommon for behavioral detection systems to flag many innocuous behaviors performed by legitimate programs.

Allowlisting is another approach to the problem of unknown programs. This type of security system only allows known good programs to run; unknowns are banned. This mode may not be suitable for all situations, but it can be useful in certain cases. Sandboxing allows unknown programs to run, but it isolates them from full access to your system, preventing them from causing permanent harm. These various added layers serve to enhance your protection against malware.