What is our primary use case?
The solution was added to the existing infrastructure, such as Next-Gen AV. We were using it to expand into whitelisting. Primarily, the use case was to test technologies that could grow beyond the traditional approaches for Next-Gen AV and get into more deterministic protection against unknown attacks, without relying holistically on behavioral-type approaches that were meant to stop attacks, and to protect processes and data.
What is most valuable?
The whitelisting works well.
What needs improvement?
The technology would provide a DLL hook injection into memory to monitor processes as they were inserted into memory. Assuming they passed the other tests from the AV side and were allowed to be inserted into memory, the DLL hooks then allowed the product to monitor those processes for injection, or for any risk. That worked some of the time but didn't work on everything.
We found ways to inject code into processes that were being monitored and it was a silent failure. The solution didn't see everything. It did a good job of just stopping the insertion of malicious code from normal sources, but more advanced items it didn't catch. It was a silent failure on some of the more advanced attacks.
The solution needs an easier integration in heterogeneous and dynamic environments.
The product needs to offer more protection for memory-based attacks.
For how long have I used the solution?
We only really used the solution for three weeks as part of a test.
What do I think about the stability of the solution?
The solution was very stable on the current supported operating systems. We tried to deploy it on some legacy systems that McAfee didn't officially support, and ran into a lot of issues there, going into older operating systems. Current operating systems and their support list worked just fine. There were no compatibility issues with supported operating systems.
What do I think about the scalability of the solution?
In terms of scalability, it would really go back to the deployment, with the same type of concerns. Scalability in a homogeneous environment is relatively simple, but in a heterogeneous environment it is vastly more complex and challenging.
How are customer service and technical support?
Technical support was good for what we needed. We just needed some support on the original install and setup, and we ran into some issues with unsupported systems. However, support was responsive and pretty timely. I had no concerns with support. It was good.
Which solution did I use previously and why did I switch?
We had used other McAfee solutions before. McAfee was the status quo. Then, the expansion was into Solidcore and app control. It was really about expanding within the McAfee portfolio.
How was the initial setup?
The initial setup was somewhat complex. It was a little time consuming just to get everything functioning and set up correctly. I would say it wasn't heavily complex, however.
The documentation on how to do it was relatively good. It was something that, without a lot of skill, could be deployed. It just requires some focused knowledge.
Overall, I would say it has a moderate level of difficulty as far as ease of deployment.
The deployment takes quite a bit of time, based on the variety of applications in the system. For us, if it were a very homogeneous environment, where all systems had the same applications and were all built off the same images, it would be relatively easy to do. There would still be some complexities with the unique differentiation between systems.
If we were deploying to an environment that was very heterogeneous and a highly varied array of software in the different systems, it would be much more complex and time-consuming to deploy.
The maintenance would be pretty difficult if it was an actively managed environment. If the environment has new applications, updates, and changes on a regular basis, it requires quite a bit of management within the technology to keep up and authorize new known items for protection. However, in a less dynamic environment, it would be much easier to maintain. My concern, and one of the concerns we had just with the technological approach, was how easy it would be to maintain and manage the system long term.
What's my experience with pricing, setup cost, and licensing?
I don't have any insight into the cost. We were looking mostly at the technological aspects of the solution. There might have been some extra charges for the aggregation and SOC integration type of items.
What other advice do I have?
We were a service provider and reseller.
We had the solution in a lab environment for about three weeks, so we weren't a long-term user of it. We had a client that had familiarity with other aspects of McAfee protection solutions, and they were looking to expand it to get more into whitelisting. They wanted to use it as a stop-gap for the deficiencies in the other aspects of their technology. We were looking for it to provide protection against more advanced malware and unknown malware attacks. That's what we did in the lab environment. We tested it.
I don't know which version of the solution we tested.
I would advise other companies to take care of understanding the environment that the solution is going to deploy in. They need to be cognizant of the challenges with dynamic and heterogeneous environments, as it relates to how the technology is deployed and how easy it is to deploy and maintain. Finally, they should be wary of the limitations in the protection efficacy, as it relates to some of the most advanced types of malware attacks, where we found the product to be deficient in some areas.
The biggest lesson we learned from using the solution was that there's a high expectation that, as a company, McAfee implements this type of solution to expand upon the AV solutions they came from. What we've learned is that the step change in protection is not as great as we had hoped. Its ability to stop the most advanced malware and other unknown types of attacks didn't live up to the expectations associated with a whitelisting solution.
I'd probably rate the solution six out of ten. It's not a bad product. It has some deficiencies, however. We found other technological approaches that offered much higher efficacy in protection and were easier to maintain.
Which deployment model are you using for this solution?