It is unacceptable for an organisation to be without some form of Anti-virus protection. Symantec Endpoint Protection was a product we picked because we were coming off of Sophos as the charity discount expired. Charities tend to shop around for AV yearly to take advantage of discounts to standard pricing.Whilst this means install costs (time and/or money) it means we get to experience a lot of products and vendors. Now, that is a good and bad thing.
We had some teething problems on install. It wasn't the product at fault per se but the IT Company who installed a 2011 version instead of the current 2013 version. This resulted in multiple BSOD for our W7 users. I used Symantec support and logged an online ticket. Literally, within 10mins I had a call from a Symantec support engineer. I supplied the log files. 20mins later I had a suggested fix - which was an install of the correct version. I then had another couple of calls over the next week to check that the problem was corrected. Yes, our fault but it did highlight the level of support Symantec give you.
My issue with AVs is they can be like running a marathon in treacle - slow and unpleasant. Symantec didn't have that problem. It was inoffensive, with minimal pop-ups and scans that didn't slow down machines running W7, dual core and 3GB RAM. There aren't the best user machines in the world but they had no problem handling the installed AV.
The management console on the server kept track of any recurring issues and e-mailed reports to me. It also highlighted an infection on someone's machine in real time. This allowed me to get to the user and pop them on a laptop whilst we scrubbed the virus. The graphical reports were handy to provide proof of any KPIs for my monthly reporting process.
Endpoint protection is more than just AV. It features Symantec Insight and SONAR. They basically deal with zero day threats - okay, it simply won't catch everything but I've yet to find an AV that will. It's performed just fine. We had the odd catch and then it bubbled under the surface, tirelessly checking our systems for bad stuff. This is a great way of reducing reputational risk to your organisation.
Browser protection did prevent some users visiting scam sites or those genuinely deemed to be distributing malware (that we then blocked using OpenDNS).
Updates were pushed via GUP (group update provider) and any machines that, for whatever reason, were not included, ended up on my report.
Our W7 machines, Servers and the Macs were able to be protected. Yes, this is common these days but it's worth a mention. It also handled our VMs well - some of them using quite ancient software.
On the whole it did exactly what it was meant to do - protected the servers and end users seamlessly and gave us access to reporting that meant showing we'd hit KPIs was easy.