Symantec Endpoint Protection and Intercept x

Hi,

We have been a Symantec Endpoint Protection shop for a long time and just purchased Sophos Endpoint with Intercept X.  The sales rep said that they can coexist on the same machine, yet when you install Sophos Endpoint it uninstalls Symantec Endpoint.  Now I am cautious about installing Symantec on top of Sophos.  Is there anyone out there running both, and is there a need to run both clients any longer?  It appears to me that we only need Sophos.  Any suggestions out there??  Thanks.

Jae



This thread was automatically locked due to age.
  • There are 2 main components:

    • Intercept X - This is your Cryptoguard and Exploit mitigation piece
    • Sophos Endpoint Advanced - This is the Anti-Virus component with Control features. 

    Intercept X is designed to run alongside another anti-virus component such as Symantec.  It sounds like you have both components.

    Regards,

    Jak

  • Same "problem" (if it is one) here.  I found they cannot coexist.  Sophos Endpoint would not coexist with Microsoft Defender either (a few Windows 10 versions ago).  It seems to coexist well with Windows Security Center (latest Windows 10 versions), however.  If you really want to have two anti-virus engines scanning, maybe have a web gateway and anti-spam from another supplier.

  • Thanks guys, but one of you said they work together and one said they can't???  Which is it??  I can't get a clear answer from Sophos or by searching the Internet.

  • Well, typically running more than one anti-virus product has always been frowned upon.  This was mainly in the past due to the on-access scanners causing problems that just end in performance issues.

    If you know what you're doing you could always run more than one but you probably need to be selective on features and really know the products well.  Always going to be hard to maintain but could be useful in a limited "sheep-dip" scenario where you may want to double check with two vendors detection data.

    The security products became more complicated to hook the various entry points for malware, e.g. web scanning, mail client extensions, etc...  At this point there are even more areas that can conflict.

    It is safe to say that no security vendor is testing their product alongside other vendor solutions so it's all pretty untested.

    To make it easy to adopt a new vendor, given the above scenario, the security companies (mainly from a Sales perspective) built in competitor removal tools.  These would have a database of product code GUIDs, uninstall strings etc and if they found competitors they would be removed.  Typically by default or maybe just block installation and error.  This maintained the "one" AV product rule.

    Then, with the new bunch of next-gen security products, typically light-weight and focusing on pre-execution, these could live side by side with the more traditional products, mainly because they aren't mature enough to replace traditional solutions entirely, both for detection rates and other control features.  Maybe they just offer exploit prevention or specific features, so they wouldn't cause any conflicts.

    So you may be able to install security product A with security product B; this could be intentional, or this could be because the competitor detection capabilities don't yet detect the latest version of Product B to block it.

    From a Sophos perspective: you can install other security products with Intercept X (i.e. no Endpoint Advanced); there is no competitor detection utility run.

    If you install Sophos Endpoint Advanced, which installs Sophos Anti-Virus, that's the traditional AV component that does competitor detection and removal where it recognises the other software.

    The command (in a command window):

    "C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\crt\AVRemove.exe" --l

    will list the products that are detected.  The user account that installs Sophos Anti-Virus will have an avremove.log file in the temp location, e.g. %temp%.

    Regards,
    Jak 
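    As an added example (not part of the original thread or of any Sophos tooling), the following PowerShell script checks the coexistence question from the machine's side: it lists the engines Windows Security Center has registered, flags the case where more than one reports real-time protection on, and then runs the AVRemove.exe listing from the reply above. It assumes a Windows 10/11 client (the root/SecurityCenter2 namespace is absent on Server SKUs), the AVRemove.exe path and --l switch exactly as quoted above, and that it is run from the same account that installed Sophos Anti-Virus so that %TEMP%\avremove.log is its log. The productState decoding is the commonly observed layout of an undocumented bit field, not a documented API.

```powershell
# Added example, not from the thread. Checks which anti-malware engines Windows Security
# Center has registered, then lists what Sophos's competitor-removal tool detects.
# Assumptions (not stated in the thread): Windows 10/11 client; AVRemove.exe path and --l
# switch as quoted in the reply above; run as the account that installed Sophos Anti-Virus.

function Get-RegisteredAntiVirus {
    # Security Center keeps one AntiVirusProduct instance per registered engine.
    # productState is an undocumented bit field; the decoding below is the commonly observed
    # layout (middle byte 0x10/0x11 = real-time protection on, low byte 0x00 = definitions current).
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = ('{0:x6}' -f [int]$_.productState)
            [pscustomobject]@{
                Name        = $_.displayName
                RealTimeOn  = ($hex.Substring(2, 2) -in '10', '11')
                DefsCurrent = ($hex.Substring(4, 2) -eq '00')
                Path        = $_.pathToSignedProductExe
            }
        }
}

function Get-SophosCompetitorDetections {
    # Path and switch as given in the reply above (assumed unchanged on this install).
    $avRemove = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\savxp\crt\AVRemove.exe'
    if (-not (Test-Path -LiteralPath $avRemove)) {
        Write-Warning 'AVRemove.exe not found: Sophos Anti-Virus (Endpoint Advanced) is not installed, or the cache path differs.'
        return
    }
    # --l lists the competitor products the tool detects.
    & $avRemove --l

    # The installing account gets an avremove.log in its temp directory; show the end of it.
    $log = Join-Path $env:TEMP 'avremove.log'
    if (Test-Path -LiteralPath $log) {
        Write-Host "--- last 20 lines of $log ---"
        Get-Content -LiteralPath $log -Tail 20
    }
}

$av = Get-RegisteredAntiVirus
$av | Format-Table -AutoSize
if (@($av | Where-Object RealTimeOn).Count -gt 1) {
    Write-Warning 'More than one engine reports real-time protection on; expect on-access scanner conflicts.'
}
Get-SophosCompetitorDetections
```

    Run it in an elevated PowerShell before and after installing the Sophos components: if only Intercept X is present, AVRemove.exe will not exist and the Security Center listing is the useful part; once Endpoint Advanced is installed, the --l listing shows exactly which competitor products it recognised.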


  • Jak,

    Thank you for all the great info.  It makes more sense now.  I would like to go with just one solution and use Sophos for full endpoint protection.

    Jae