1 Introduction

Both malware and anti-malware solutions have been around for a long time. Accordingly, individuals and organizations have been using an ever-changing mix of anti-malware software on endpoints. The earliest anti-virus programs were designed to combat file-based malware, often delivered via floppy disks. With the widespread adoption of email, it became the primary vector for spreading computer viruses. Network worms were (and still are) created by malicious actors to distribute malware across networks without needing users to open files or email attachments. Worms jump from host to host by compromising services listening to well-known TCP or UDP ports. Malefactors also found that users could be easily infected by placing their malware on heavily used websites, corrupting commonly used applications, packaging malicious executables in otherwise innocuous-looking data, using macros in Office documents, etc.

In recent years, the ransomware phenomenon has risen to prominence. Ransomware is a type of malware that encrypts user files and directs the user to pay the malware author a ransom for the decryption keys, usually in Bitcoin. These types of attacks often arrive in Office docs with malicious macros. The best advice for end users and organizations is to not pay the ransom, as the authors don’t always deliver the decryption keys, and one shouldn’t encourage future bad behavior by compensating the programmers for their fraudulent efforts.

At the time of publishing this report in 2017, we are witnessing another phase in the evolution of malware. The perpetrators are innovating by employing the worm delivery technique for ransomware. With the Petya/NotPetya attack, we have seen a type of malware that mimics ransomware, but seems to be intended for mostly destructive purposes rather than for financial gain. Suffice it to say that the variations in malware types has increased exponentially over the last few decades and will continue to be a significant threat for the foreseeable future.

Who are the malefactors behind all these attacks? At a high level, the major malware creators are hacktivists, fraudsters, and state sponsors. Each group has different motivations for making malware, and often different intended targets. But as with their biological analogs, computer viruses often infect unintentional targets as well. Malicious actors have learned and applied the “as-a-service” model, and now malware can be purchased on the so-called dark web and deployed by those who are not proficient at coding. This increases the frequency of attacks, as the ability to launch them now does not require technical skills, just malicious intent.

In the early days, anti-virus vendors gathered virus samples and created signature files that could recognize the more limited number of virus patterns. The vendors delivered the signature file updates to their customers; at first infrequently, but as the volume of viruses grew, updates grew more frequent. For vendors using signature files today, their clients typically receive updates several times a day.

Signature-based scanning alone is an ineffective malware prevention measure today. Malware has become far more sophisticated, often using polymorphic techniques to change their appearance to fool signature-based scanners. In the endpoint security market, most vendors have added new detection capabilities to more efficiently and effectively prevent malware infections. These new approaches to malware detection will be discussed in more detail later in this report.

Malware detection and prevention can happen in many places within a computing environment: at the network perimeter, email gateways, web proxies, application firewalls, desktop, virtual desktop, etc. Contemporary security researchers and analysts describe the potential points of intercept in an attack as the “cyber kill chain^TM”. A defense-in-depth approach is always recommended, thus anti-malware and related security solutions should be deployed at each possible point in the cyber kill chain^TM and physical architecture to maximize detection/prevention and minimize risks.

Endpoint security products may contain more features than anti-malware, such as URL filtering, application whitelisting, backup, configuration management, patch management, disk and file encryption, etc. The focus of this report is on anti-malware solutions at the endpoint, specifically desktops and laptops running Microsoft Windows, Mac OS, and Linux variants. Most of the vendors considered herein provide solutions for servers, virtual desktops, and mobile devices. Mobile anti-malware solutions will be the subject of another report.

This KuppingerCole Leadership Compass provides an overview of the leading vendors in this market segment. Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a customer and his requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.

1.1 Market Segment

The anti-malware market is steady, with more than 1 billion devices deployed in the world. Mobile platforms are on the rise, and have overtaken PC-based hardware systems in popularity in recent years. Desktops and laptops and the concomitant need for protecting them against malware will persist into the foreseeable future, especially given the increasing frequency and complexity of malware attacks.

There are many vendors in the anti-malware market. There are quite a few that have been long-established in the space, dating back decades and providing the first signature-based anti-virus programs. In the last few years, new startups have emerged with new techniques to discover and prevent malware infections. In some cases, the small companies have been acquired by the major players in the space, with their technologies integrated into the suite vendors’ products.