McAfee, Sophos, Symantec: Who is the best at stopping zero-day attacks?

November 29, 2007 Sophos Press Release

IT security and control firm Sophos has been found in an independent test to be superior to Symantec and McAfee at protecting proactively against zero-day malware attacks, vulnerabilities and exploits.

In an independent review conducted by Cascadia Labs, Sophos clearly outperformed Symantec and McAfee in detection of new, unknown viruses, spyware and Trojan horses. Sophos successfully intercepted 86% of the malware tested against prior to execution, compared to 43% for McAfee and 51% for Symantec. In addition, Sophos's run-time HIPS protection detected further malware samples at execution raising proactive detection of zero-day threats to an "impressive" 97% in Cascadia Labs' anti-virus tests.

Sophos's pre-execution detection including Behavioral Genotype® Protection - which guards against viruses, spyware, adware and malicious code before they execute - as delivering better protection from new and unknown malware than McAfee or Symantec's products.

Sophos better than Symantec and McAfee at detecting zero-day attacks

According to Cascadia Labs, McAfee's overall effectiveness was disappointing and Symantec's protection against zero-day attacks was found to often come too late in the infection cycle.

"While Sophos's HIPS protection significantly increased detection rates, we were unable to identify any significant impact of Symantec's behavioral or HIPS-based protection component," said the Cascadia Labs report. "[Symantec] doesn't match Sophos in terms of day-zero effectiveness, usability, or scanning performance... [Sophos is] a natural choice for enterprises looking for a well integrated endpoint security suite that is effective against day-zero threats."

Symantec 11 upgrade "painful and time-consuming"

The independent study also reported that Symantec users may face difficulties upgrading to Symantec Endpoint Protection 11.0, confirming Sophos's view that it is easy to switch from Symantec to Sophos.

"Users of previous Symantec products will face a painful and time consuming migration process moving to Symantec Endpoint Protection 11.0," said the Cascadia Labs report. "Given the workload involved in migrating to SEP 11, because of the extensive architecture changes, administrators will have difficulty choosing whether to migrate or perform a fresh install"