SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

How can you test and judge endpoint protection products?

Working out which endpoint protection product is right for your organisation requires a lot of thought.

Each product on the market has a pile of features and they don’t all do exactly the same thing. But at the very least, they should detect and stop malware threats. That should be your baseline when choosing between them. In this blog post, we explain how we test so you can judge which endpoint protection products are best for your organisation.


Do the major security products really protect us from threats?

In our latest Endpoint Security (EPS) reports we’ve checked many of the main brands to see if they really do stop the sort of threats that hammer on our systems every day, as well as some of the more advanced, targeted threats.

Testing security technology is rarely simple. We’ve talked about online anti-virus reviews before, and how they can be too basic to help make sensible buying decisions. But we don’t have to get bogged down in details here.

Let’s get back down to basics. What should endpoint protection products do and how does SE Labs test them?

How do we test endpoint protection products?

Firstly, we install different anti-malware solutions onto real PCs – the sort you have on or under your desk. Then we attack those computers using threats we’ve found on the internet and using targeted attacks that we’ve built in our lab. Fundamentally, we behave like real attackers. It’s the purest kind of test.

The internet threats we use aren’t just malware files. They are a series of stages, such as opening an infected email and activating the attached file that then downloads and runs malicious code from the internet. Similarly, the targeted attacks involve delivering malware to the target and then taking some level of control to steal or destroy data.

We then score products on their performance. They get points for detecting the threat and further credit if they actually stop the attack. If they prevent the attack from running at all, they score top marks for ‘blocking’ the threat. If they halt a threat after it starts running, they get fewer points for ‘neutralising’ the threat. If they fail to prevent the attack, we deduct points due to the ‘compromise’ of the target.


It’s not as simple as ensuring the product stops threats

Security products don’t just have to stop bad things. They have to allow good things too; otherwise you wouldn’t be able to use your computer. We also introduce good emails, websites and programs to the targets. If a security product blocks those, we deduct a lot of points because it is stopping users from using their computers properly.

That, in a nutshell, is how we test and judge anti-malware products. We install them like a user would, we attack the protected targets like hackers do and we score them according to how well they protected the system. It’s a basic approach that stands the test of time and gives you the most realistic view of which products are best for you.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA