F-Secure Protection Service for Business (which begins at $39.60 per device per year) is a cloud-based hosted endpoint protection software solution that delivers on most fronts. It supports a full range of popular office devices, including those based on Apple OS X and Microsoft Windows as well as mobile devices running Android or Apple iOS. It even offers server protection for Microsoft Exchange. Since devices are managed from the cloud, it promises to cut down significantly on the amount of time IT personnel need to manage and update client-side antivirus, anti-malware, and firewall configurations. However, while it did well on all of our tests, a weakness against some script-based attacks as well as a lackluster reporting module keep it behind Editors’ Choice winner Bitdefender GravityZone Business Security for now.
Another minor hoop you’ll need to jump through should you decide to purchase it is that F-Secure Protection Service for Business isn’t available directly from the company. It’s only available for purchase through resellers, though a free trial is available on the company’s website.
F-Secure Protection Service for Business’ web console is all business. The Home screen keeps it simple, with an indicator of systems protected and a notification that all software is up to date. But, similar to the overly simple user interface (UI) I found on Avast Business Antivirus Pro Plus, I also found this view in F-Secure Protection Service for Business to be a bit too simple for my liking. For IT professionals, a better way to spend their time might be on the Devices page or Reports page for a better variety of indicators and trends on the latest threats. The Infections sub-tab keeps a running tally of each threat blocked. Sadly, these reports are not printable. It’s possible to send a summary report to the website manager but this is not configurable by an administrator. You can, however, export a list of infections to a CSV file for later analysis. Still, this is a slightly sub-par reporting capability overall and could use some improvement.
Adding and managing devices is easy. To enroll a computer, simply click “Add New Device” and then select the appropriate license. After providing a name, email, and a phone number, a link is emailed to the user to install the endpoint software. Once enrolled, it updates and becomes available on the device list. It is important to recognize that, once the software is installed, not all protection measures are enabled until after all updates are completed. Malware protection seems to take the longest to turn on, so it’s best to make sure clients avoid doing anything daring until that update is completed.
It’s important to note that the Profiles page contains a few basic configurations that cannot be modified. However, they can be cloned into new configurations that can be customized and then later applied to devices. The profiles control a variety of switches and settings for scanning, real-time detection, firewall settings, and browsing protection. Surprisingly, F-Secure Protection Service for Business doesn’t include its own firewall but it does have a built-in system for managing the existing Windows Firewall as part of each policy. This lends an extra level of flexibility that you don’t often find in the bundled software firewalls of other security packages. The downside, of course, is that the complexity is still there. Fortunately, the defaults that F-Secure Protection Service for Business has in place are pretty good, so there isn’t much reason for the casual admin to touch these.
F-Secure Protection Service for Business does have a comprehensive device control section as part of its profile configuration. This generally revolves around devices that could be plugged into the system, such as webcams, external hard drives, and USB sticks. Since this is still a valid method of infection if the attacker has access to the physical device, it’s a good idea to be able to shut these down.
The Software Updater is another novel and useful tool. It keeps a running database of out-of-date software on your computer and can run updates automatically. While this relies on F-Secure Protection Service for Business’ database, I haven’t found any common software that isn’t on the list yet. For some of the more obscure applications out there, you might be on your own. But for many of the apps that are most often exploited, it will have you covered.
My initial testing involved using a known set of malware collected for research purposes. Each was stored in a password-protected ZIP file and was extracted individually. Out of the 110 threats presented to F-Secure Protection Service for Business, all of the items were detected. Furthermore, if there were multiple components to the malware, each was identified individually. While having the threat on disk was not often enough to trigger a warning, after a full scan, everything was identified. Triggering execution also halted the malware from progressing.
To test protection against harmful websites, a random selection of the 10 newest or known-bad websites was taken from PhishTank, an open community that reports known and suspected phishing websites. All of the Uniform Resource Locators (URLs) that attempted an attack resulted in a “Harmful website blocked” message in the browser. There's also a button to allow the website if it turns out to be a false positive.
Overall, F-Secure Protection Service for Business was on par with Editors’ Choice Bitdefender GravityZone Business Security when it comes to blocking exploits in my tests. Both Java- and Flash-based exploits were shut down immediately. The first test utilized a flaw in Java 1.7 and below that lets an attacker run programs remotely if a specific URL is clicked. F-Secure Protection Service for Business quickly shut down the process and reported a threat on the dashboard. Similarly, the Flash-based exploit that allowed remote code execution was also blocked and eliminated. In addition, F-Secure Protection Service for Business successfully detected and removed several PDF documents infected with a Metasploit payload that would have allowed a persistent connection to the machine.
Once malware protection was activated, F-Secure Protection Service for Business was also able to detect several Microsoft PowerShell-based exploits generated by Metasploit. These sometimes go undetected on other platforms, such as Trend Micro Worry-Free, which missed them entirely. One was caught by F-Secure Protection Service for Business’ DeepGuard after launching and the other was shut down as malware. A compiled Ruby-on-Rails-based exploit, however, was not flagged as malware and delivered its payload.
In addition to activating a keylogger, I could sniff keystrokes on websites secured by HTTPS. This goes to illustrate a pervasive weakness in many detection algorithms: scripting engines are generally under-served. While Microsoft PowerShell exploits are very much improved across the board, there are still weak links in the chain.
To further test my access levels, I attempted to elevate privileges by using a common User Account Control (UAC) exploit. Unfortunately, I could gain administrative privileges and proceed to completely compromise the system. I then retrieved a listing of all hashed passwords, cleared the event logs, added items to the Windows registry, uploaded and downloaded files, encrypted files, and then made the keylogger persistent. Strangely, while F-Secure Protection Service for Business didn’t complain about these other things, it did completely shut down my attempts to modify the Windows hosts file, which contains overrides to domain and computer names. It only removed the modified hosts file, however, and did not get rid of my initial infection.
It is worth noting that this entry point would only have been available in the event of a social engineering attempt since a user would have to click on the malicious executable. With a plausible story and a phone call, however, this can and often does happen but it’s much less likely in an organization where employees are trained to resist this kind of attack. It’s also important to note here that all of this was also done by using a typical default configuration. F-Secure Protection Service for Business has far more draconian settings available that would have shut down all unknown outbound connections and that would have stopped this attack completely. Then again, there’s a reason I refer to those settings as draconian and you’ll probably face some user complaints if you lock down their devices to this degree.
AV-Test, an independent lab that reviews antivirus software, conducted a review of endpoint protection products in February 2017. They gave F-Secure Protection Service for Business a protection score of 6 out of 6 and a performance score of 5.5, which mostly jibes with my test results, though I might have graded a little more harshly for the scripting weakness.
F-Secure Protection Service for Business’ response is quick and thorough. If malware is detected on a disk, it’s quarantined or deleted. If the system believes that there is malware currently running, it will also prompt for a restart to ensure the process is terminated. Sometimes, however, F-Secure Protection Service for Business can be a little bit skewed on what it detects as a threat. For instance, when I modified the Windows hosts file, it detected the hosts file as a threat and not the process that changed the hosts file. This could use some improvement.
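An added example (not from the review or from F-Secure): because the hosts file holds overrides to domain and computer names, and the product removed the modified file without touching the process that changed it, an administrator can audit a hosts file independently for unexpected overrides. The sample content, the `audit_hosts` function, and the reason strings are constructed for illustration.

```python
import ipaddress

# Constructed sample of hosts-file content (not taken from the review).
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1     localhost
::1           localhost
203.0.113.10  intranet.example.com   # constructed entry
0.0.0.0       updates.example.net
not-an-ip     portal.example.org
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue                          # empty or address with no name
        for name in fields[1:]:               # one address may map many names
            yield line_no, fields[0], name.lower()

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each override
    other than the stock localhost-to-loopback mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "invalid address"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue                          # expected default entry
        if addr.is_loopback or addr.is_unspecified:
            reason = "name resolves to local machine"
        else:
            reason = "name redirected to another address"
        findings.append((line_no, ip, name, reason))
    return findings

if __name__ == "__main__":
    # On a Windows endpoint, read
    # C:\Windows\System32\drivers\etc\hosts instead of SAMPLE.
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Any finding is a prompt to look for the process that wrote the entry, not only to restore the file.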
Overall, F-Secure Protection Service for Business is a great product and was very close to taking the Editors’ Choice award. But, because Bitdefender GravityZone Business Security did a slightly better job at detecting some script-based attacks and had better reporting capabilities, F-Secure Protection Service for Business fell to second place. With strong policy management, excellent detection abilities, and a full suite of security tools that extends beyond a simple anti-malware tool, F-Secure Protection Service for Business has earned its stars. With some minor improvements, it could be one of the best.