
Symantec unveils endpoint protection solution
By Jerome Saiz, Thu, October 18th, 2007
Last edited 2008/01/12
Endpoint Protection 11.0 replaces all previous antivirus solutions from Symantec. It benefits from the integration of past acquisitions, and it pays off: unlike the vendor's previous, poorly integrated security suites, Endpoint Protection is a real one-stop security client.
We already know UTM (Unified Threat Management) from the appliance world: different security products are integrated on the same hardware platform and (in the best of them) share basic functions so that each optimizes the work of the others. Packets, for example, are opened only once and then analyzed by different engines at different stages.
With Endpoint Protection 11.0, Symantec takes the same approach. One software agent does antivirus, antispyware, firewall and host-based IPS, with NAC (Network Access Control) as an option. And yes, this is a single agent, not a suite of poorly integrated programs sharing at best the same configuration window.
The product comes from the integration of several technologies Symantec bought over the past few years: personal firewall maker Sygate, HIPS vendor WholeSecurity and, to a lesser extent, storage giant Veritas.
Integration, at last!
The firewall functionality in Endpoint Protection 11.0 comes, of course, from Sygate. In 2005 Symantec bought what several analysts, including Gartner, considered one of the best personal firewalls around. Sygate brings network-location-dependent rule-based filtering (VPN, WiFi, LAN), encrypted traffic recognition, control of unauthorized drivers, etc. Endpoint Protection's control of peripheral ports and devices (USB, mass storage, iPod, SCSI, PCMCIA, etc.) also comes from Sygate.
WholeSecurity, a behavior analysis player, contributes the host-based IPS functions. The HIPS builds a profile for each application from its observed activity and alerts on any deviation from that profile. It also controls access to files, to the Windows registry, and to DLLs.
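To make the "profile, then alert on deviation" idea concrete, here is an added example of a learn-then-enforce application profile. It is not Symantec or WholeSecurity code and nothing here describes how their HIPS is implemented; the event shape (process, action, target), the process names and the paths are all constructed for illustration.

```python
# Added example (not Symantec/WholeSecurity code): a learn-then-enforce
# behaviour profile of the kind a host IPS keeps per application.
# Event shapes, process names and paths are constructed for illustration.
from collections import defaultdict

# Constructed "learning phase" events: (process, action, target)
BASELINE_EVENTS = [
    ("winword.exe", "file_read",  r"C:\Program Files\Microsoft Office"),
    ("winword.exe", "file_write", r"C:\Users\alice\Documents"),
    ("winword.exe", "dll_load",   r"C:\Windows\System32\mso.dll"),
    ("winword.exe", "reg_read",   r"HKCU\Software\Microsoft\Office"),
]

# Constructed "enforcement phase" events to check against the profile
LIVE_EVENTS = [
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    ("winword.exe", "dll_load",   r"C:\Windows\System32\mso.dll"),
    ("winword.exe", "file_write", r"C:\Windows\System32\drivers\evil.sys"),
    ("winword.exe", "reg_write",  r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("mshta.exe",   "file_write", r"C:\Users\alice\Documents\x.hta"),
]


def build_profile(events):
    """Map each process to the (action, target) pairs observed while learning.

    Targets are lower-cased so matching is case-insensitive, as Windows
    paths and registry keys are.
    """
    profile = defaultdict(set)
    for proc, action, target in events:
        profile[proc.lower()].add((action, target.lower()))
    return dict(profile)


def _covered(entries, action, target):
    """True if (action, target) equals a learned entry or lies below a learned directory/key."""
    t = target.lower()
    return any(
        a == action and (t == p or t.startswith(p + "\\"))
        for a, p in entries
    )


def check_events(profile, events):
    """Return the events that deviate from the learned profile, with a reason."""
    alerts = []
    for proc, action, target in events:
        entries = profile.get(proc.lower())
        if entries is None:
            alerts.append((proc, action, target, "no profile for process"))
        elif not _covered(entries, action, target):
            alerts.append((proc, action, target, "outside learned profile"))
    return alerts


if __name__ == "__main__":
    for alert in check_events(build_profile(BASELINE_EVENTS), LIVE_EVENTS):
        print("ALERT:", alert)
```

Run as-is, the script flags the driver write, the Run-key write and the unprofiled process, and passes the two legitimate Word events. The weak spot of this approach is visible in the code: the profile is only as good as the learning phase, so a short or unrepresentative learning run produces exactly the false alerts the article worries about further down.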
A local network-based IPS is also present, looking for exploit signatures on the network interface. It is backed by what Symantec calls "Generic Exploit Blocking", which is supposed to detect variations of known attacks without a specific signature for each. Of course, we haven't tested this, and we know how prone to false alerts this kind of detection can be. But it is at least a nice-to-have function, provided it can easily be turned off.
And finally, there is Veritas. Symantec's largest and most expensive acquisition to date ironically contributes only a small piece of the Endpoint Protection puzzle. But that is not to say it isn't worth it: Veritas brings its VxMS technology (Veritas Mapping Service). Symantec uses it to take a first "raw" (low-level) look at the file system and to compare that view with the (supposedly) identical data reported by Windows. Any discrepancy between the two views can indicate rootkit activity, and is treated as such by the antivirus.
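The comparison the paragraph describes is a cross-view check, and the logic of it is small enough to show in full. The example below is added here; it is not Symantec or Veritas code and does not show how VxMS reads the disk. Both listings are constructed: in a real deployment the "raw" side would come from a parser of on-disk metadata and the "api" side from normal OS enumeration of the same directory.

```python
# Added example (not Symantec/Veritas code): cross-view comparison of a
# file-system listing obtained two ways. Both listings below are
# constructed; the "raw" side stands in for a low-level parse of on-disk
# metadata and the "api" side for what the OS reports.

# path -> (size_bytes, attribute_flags)
RAW_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys":   (1_500_000, "A"),
    r"C:\Windows\System32\drivers\hidden.sys": (   48_000, "AH"),   # only on disk
    r"C:\Windows\System32\kernel32.dll":       (1_000_000, "A"),
}
API_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys": (1_500_000, "A"),
    r"C:\Windows\System32\kernel32.dll":     (  990_000, "A"),   # size disagrees
    r"C:\Windows\System32\decoy.dll":        (      512, "A"),   # only via API
}


def _normalize(view):
    """Key a listing by lower-cased path so case differences are not reported as findings."""
    return {path.lower(): meta for path, meta in view.items()}


def cross_view_diff(raw_view, api_view):
    """Compare the raw (on-disk) view with the OS-reported view.

    Returns three sorted lists of lower-cased paths:
      hidden     - present on disk, absent from the API view (classic rootkit hiding)
      phantom    - reported by the API, absent on disk (faked enumeration)
      mismatched - present in both but with differing metadata
    """
    raw = _normalize(raw_view)
    api = _normalize(api_view)
    hidden = sorted(set(raw) - set(api))
    phantom = sorted(set(api) - set(raw))
    mismatched = sorted(p for p in set(raw) & set(api) if raw[p] != api[p])
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


def is_clean(findings):
    """A clean host shows no discrepancy of any kind between the two views."""
    return not any(findings.values())


if __name__ == "__main__":
    result = cross_view_diff(RAW_VIEW, API_VIEW)
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:10s} {path}")
    print("clean" if is_clean(result) else "SUSPICIOUS")
```

The check is only as trustworthy as the raw side: it must be taken without going through the same kernel code paths a rootkit can hook, otherwise both views are lying in the same way and the diff is empty. A practical caveat is that a file being written between the two snapshots also shows up as mismatched, so a real scanner takes both views as close together as it can and re-checks before raising an alert.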
Doing NAC, too
Network Access Control (Symantec NAC) is offered as an option. It makes the SEP client act as a regular NAC client on top of its other security duties, eliminating the need to deploy a separate NAC agent (an approach partly followed by Sophos, which plans to integrate a NAC-light client into its antivirus engine).
NAC checks the client's security posture (patch level, antivirus signature freshness, etc.) and either lets it onto the network or, for example, re-routes it to an isolated VLAN where it can only update itself. NAC is very trendy but not yet widely adopted, so making it a de facto function of the antivirus (the desktop's historical resident) makes a lot of sense.
Symantec's antivirus products have long been bashed for being resource hogs. The vendor promises an 84% drop in resource consumption (while idle, of course). That's a lot, and we'd love to hear from the first users of this quite promising SEP release whether it, well, keeps its promises.