Endpoint Security Comparison: Bitdefender, Sophos, (update: Webroot)

Which of the following endpoint security solutions from Bitdefender, Sophos, and Webroot are best for you and your customers?

endpoint security comparison

When it comes to building a portfolio of services you can offer your customers, endpoint security is a must-have. In today’s world of organized criminals, ransomware, phishing schemes, and polymorphic threats, organizations of every type are in desperate need of protection. Some established MSPs, recognizing the critical nature of security, have changed their moniker to MSSP — managed security service provider — and lead their service sales pitch with security and fear of data loss or a breach. It’s not a bad idea.

Regardless of your market focus or size of customers, malware can be devastating for your customers. Valuable data can be lost or held ransom. If your customers are in regulated industries like healthcare, retail and banking, costly fines can be levied. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses go out of business six months after a cyber-attack.

However, it’s not just your customers who can suffer. When malware strikes, all eyes will turn to you, the trusted advisor who was supposed to be protecting your customer. Many MSPs make malware protection a mandatory part of their service offering. Fortunately, there are dozens of excellent endpoint security products available today. Unfortunately, there are so many that it can be overwhelming to determine which is the right one for you.

As with all of our comparisons, we will not be selecting a “best” or “Editor’s Choice.” Instead, our goal is to lay out the fundamental features and characteristics of each product to allow you to make the most informed decision for your business and your customers.

The Field

In this updated roundup, we’ll look at solutions from Bitdefender, Sophos, and — newly added — Webroot.

For this comparison, Bitdefender submitted its Cloud Security for MSPs solution.

Sophos submitted Intercept X, Sophos Intercept X Advanced (the company’s primary offering), Sophos Intercept X for Server, Sophos Mobile, and Sophos SafeGuard Encryption.

Webroot submitted its Webroot (Business) Endpoint Protection solution.

Methods Of Protection

The days of creating virus signatures after malware strikes are long gone. Today’s solutions leverage a variety of tools and AI to detect and protect against malware.

Bitdefender Cloud Security for MSPs is a security suite that features antivirus, anti-malware, content control, device control, anti-exploit, web filtering, and process behavior monitoring in the standard product without additional charges.

With a layered approach to security, Bitdefender Cloud Security for MSPs includes hardening and control, automatic prevention, threat investigation, detection and response. From the same console, MSPs can manage a dedicated security product integrated with Amazon Web Services designed to protect workloads hosted in Amazon.

To stop the broadest range of threats, Sophos Intercept X employs a defense-in-depth approach, rather than merely relying on one primary security technique. Intercept X combines proven foundational (traditional) techniques with modern (next-gen) approaches such as deep learning (advanced machine learning) and anti-exploit and active adversary protection capabilities.

Webroot (Business) Endpoint Protection provides a cloud-based architecture featuring a very small (<4MB) agent that is continuously monitoring each individual endpoint to predict, prevent, detect and prevent malware from a wide range of attack vectors.

A Webroot spokesperson reports: “We have a high prediction part of our endpoint solution that uses the initial scan to identify potential issues and mark unknown files and processes as undetermined while marking others 100% accurately as known good or bad.

“We then use the Webroot Platform and small metadata encrypted hash values to predict potential malware before it even starts to execute. We are also very highly focused on the protect/prevent area with numerous shields to protect credential theft, keyloggers, browser man in the middle attacks and of course our unique real-time anti-phishing that uses the Webroot Platform to stop phishing in real-time through user ‘time of need’ identification of phishing sites.

“Because we have a unique containment approach to unknown or undetermined files and processes trying to execute on an endpoint, we have invested in many prevent, detect, and protect shields. We also have unique host monitoring and journaling of suspicious undetermined files and processes that uses our proprietary technology to both protect the device and any data or system settings that are changed or modified. Finally, we offer as a built-in component an automatic way to remediating devices back to their last good known state.

“We do not focus on producing EDR kill chain analysis as very few MSPs have either the time or expertise. MDR too is too expensive for most SMB to deploy and as it is retrospective has limited value. Instead we focus on ADR (Automatic Detection and Response) and deliver comprehensive ‘dwell-time’ reporting and alerting and the use automated containment and remediation instead. MSPs and SMBs value this hands-off approach as its very effective and very inexpensive to operate and doesn’t require security expertise they don’t possess, or have little of.”

Mac Protection

Years ago, the need to protect Mac devices didn’t exist outside of school labs and graphic design companies. However, today Macs are used in many businesses and in all departments, including the C-suite. With increased adoption has come increased risk. Thankfully, many security solutions can now protect Macs. In fact, all three of the companies we compared support MacOS.

Sophos’ Mac release features CryptoGuard ransomware protection which detects malicious encryption activity, stops the attack, and rolls back any impacted files to their previous state. Also included in the Mac version is Root Cause Analysis (RCA), which offers forensic analysis capabilities to determine the details behind an attack. Other included features are Malicious Traffic Detection, which monitors for suspected command and control servers, endpoint self-help for easier diagnostics, and local cache updates.

Bitdefender’s Endpoint Security for Mac provides antivirus/anti-malware, content control (including web traffic scan, anti-phishing, web categories filtering, web access control, application blacklisting), device control, and full disk encryption (as a separate add-on).

Webroot provides equivalent protection for Mac, and deployment, management capabilities and features are kept as close to practical to those of Windows, given OS differences.

Management Consoles

Whether you have tens or hundreds of customers, each with tens or hundreds of endpoint devices, it can quickly become overwhelming to manage everything. Therefore, it’s critical to have a solution that makes it easy for you to:

  1. see what’s going on with all your customers
  2. install and push out updates remotely and
  3. integrate with your other systems (e.g., RMM [remote monitoring and management] and PSA [professional services automation] tools).

All three of the solutions here offer a management console that can be accessed remotely.

Sophos Central provides centralized management for all Sophos services and allows partners and MSPs to integrate with common PSA and RMM vendors. Sophos has integrations with Kaseya and ConnectWise Automate and is currently working with other RMM vendors. Sophos has also created sample scripts that MSPs can use to automate the installation of the Sophos agent. MSPs can use the company’s scripts as a baseline to write their own scripts and get the Sophos agent deployed across their customers quickly and easily. Sophos Central also has ConnectWise Manage billing integration.

Webroot’s management console is via secure remote access from any browser and provides a unified single pane of glass with global level policy management and individual client/site/location policy management with separate keycodes for each entity. There is no on-premise version.


Staying ahead of criminals and malware is difficult, if not impossible. Therefore, many providers have devised new ways of addressing zero-day threats. One technique is to use a form of journaling whereby the software keeps constant track of all changes being written to a device. In the event malware attacks, the journal or record of all changes can act as a time machine to roll the device back to a previously safe state.

Bitdefender creates an audit trail of changes made by processes on the endpoint. Based on this audit trail, when a threat is detected, it automatically kills the malicious process and any other related processes and rolls back the malicious changes made by these processes. For example, it removes other instances of the file or other dropped files, persistence mechanisms such as registry keys and startup locations containing or pointing to the file. However, a rollback does not cover files encrypted by ransomware on the local computer or file shares.

Webroot patented the built-in and secure auto-remediation feature that uses journaling and roll-back and were the first endpoint vendor to bring this to market in 2011. It protects the host (system drive) but does not protect network share drives, or other non-host endpoint drives.

Zero-Day Threats And Ransomware

MSP cyberattack

As mentioned earlier, Sophos Intercept X includes rollback capabilities called CryptoGuard. CryptoGuard runs a file filter driver and intercepts file opens of certain file types. It creates copies of those files in a folder on the machine. When those files are closed, it compares the closed file with the copy taken earlier. If the file is determined to be maliciously encrypted, CryptoGuard notes the process or IP that did it and retains a copy of the file. CryptoGuard then looks back at all the malicious file modifications and restores them to their original location. This feature applies to network shares as well — an important distinction among security products.

Bitdefender anti-exploit stops zero-day exploits by looking not at signatures of known exploits but by looking at behavior and techniques that the exploits invariably use to hijack legitimate programs.

MSPs can limit users’ exposure to ransomware by preventing access to malicious websites or preventing malicious emails from reaching users. If systems are unpatched and a vulnerability is used as part of the ransomware attack, Bitdefender anti-exploit blocks the attack in memory before it can compromise the system and before the attacker payload can run on the machine.

Known ransomware is stopped using cloud and local lookups, while zero-day samples are stopped using machine learning algorithms. Bitdefender also includes a Ransomware Vaccine that causes ransomware to believe it has already infected the system, thus preventing it from trying to infect the same system again.

If ransomware does get by these layers of protection, it is stopped by the continuous monitoring process which notices malicious actions and terminates the process.

Sophos uses multiple approaches for zero-days. First, the company’s deep learning malware detection engine can detect malicious files even if they’ve never been seen before. This works by examining the “DNA” of the file and determining if it’s malicious before it executes. Also, Intercept X disrupts the attack chain by focusing on 25+ tools and techniques attackers use as part of exploit-based attacks (as opposed to only looking for malware). This is highly effective against zero-day attacks, including file-less and exploit-based attacks. Even if Sophos has never seen the threat before, it has likely seen the tool or technique used to distribute the attack, install the threat, move laterally, steal credentials and exfiltrate data.

The company also has multiple ways of stopping ransomware. First, Sophos’ anti-exploit capabilities can stop the delivery and installation of ransomware in many cases, such as the use of Eternal Blue or Double Pulsar used in WannaCry. If the ransomware does make it on disk, the software’s deep learning technology would look at the DNA of the file and determine it is ransomware (even if it’s never been seen before). It would then quarantine the file before it executes. If the ransomware were executed, CryptoGuard technology would see malicious encryption happening, stop the ransomware, and roll back any impacted files to their original state. All these techniques are included in Intercept X.

Webroot’s endpoint is designed to categorize all files and processes into 100% known “good” or “known bad.” In addition, it also can categorize items as unknown or undetermined as all of today’s threats are polymorphic and any new or changed processes are continuously checked and monitored. The key techniques that Webroot also employs include:

  • Behavioral analysis — to identify malicious files based on how they deviate from normal behavior;
  • Real-time threat intelligence — data processed through machine learning and artificial intelligence to determine whether a file is malicious, or not.
  • Ransomware protection with the ability to cache a copy of a file prior to it being executed and restore the file from the cached copy.
  • ADR-automated detection and response through continuous monitoring and response to mitigate advanced threats on each individual device we are deployed on.
  • Extensive use of Webroot Platform machine learning algorithms that accurately predict whether a file is malicious or not.

New script and exploit prevention techniques are also in Beta testing.

Ransomware is how Webroot started to build its MSP market as the company was, from day one, able to identify CryptoLocker and autoremediate attacks. Modern versions coming from Emotet and other malware are handled as all malware, with the added advantage of monitoring, journaling, and autoremediation to the last good known state.

Latest Endpoint Security Enhancements

As we’ve mentioned a couple of times now, security products are continually evolving to keep up with threats. If you evaluated any of these products a few years ago — even one year ago — some things have changed. We asked each vendor to share some details about their latest enhancements and new features.

Bitdefender also added patch management. Additionally, Advanced Threat Security (HyperDetect, and Sandbox), and EDR (Endpoint Detection and Response) are the newest functionalities that were made available in July 2018.

Sophos Intercept X with deep learning technology was released in Q1 2018. Intercept X for Server (which includes deep learning) was launched in the summer of 2018.

Financial Considerations

Let’s face it, you can have the most feature-rich solution in the world, but if it isn’t priced right for you and your customers, it might be out of reach. While some vendors require an annual minimum spend to participate in their partner program, none of these three impose such restrictions.

Today, it’s possible that a user has multiple devices that need protection. Another potential cost factor is whether charges are incurred per device or user. Bitdefender and Webroot are priced per device, while Sophos is priced per user. We’re not suggesting one model is better than the other, but it’s worth knowing the differences and calculating the number of endpoints you’ll be protecting vs. the number of users.

Under Bitdefender, MSPs are invoiced based on the total number of endpoints protected in the previous month based on usage reports that are available in the console.

Since Sophos is licensed per user, if a customer brings on an employee who needs protection, you can add the employee and modify the billing during that cycle.

With Webroot, pricing per device starts at an MSRP of $25 per device per year (before standard MSP channel discount) and drops to an MSRP of $15 before discount at 1,000 devices. Endpoint pricing is offered in flexible ways to allow MSPs to meet the needs of their client billing. There is month to month usage with no commitment from the MSP at the highest pricing to annual and multi-year contracts at the company’s lowest pricing and tiered pricing by volume. Billing flexibility means that the MSP can benefit from a billing timing and method that suits them.

In addition, the MSP is given a parent keycode and is then free to issue as many child keycodes and associated licenses as needed. In other words, the MSP oversees licenses. Webroot also provide usage data so it is easy for an MSP to see with 100% accuracy their license exposures overall and by client, including trials.

Final Thoughts

Having talked with many MSPs over the years, we know that what’s best for one isn’t necessarily so for another. Your choice might be limited by the PSA platform or RMM tools you’ve already adopted. Maybe the pricing model isn’t right for you. Regardless, weighing the options contained in this product overview should give you good food for thought to help you make the best decision for you and your customers. 

Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of Managed Services Journal (formerly XaaS Journal) and DevPro Journal.