Symantec Content & Malware Analysis vs. Trellix Intelligent Sandbox

If you have Symantec based environment including Symantec proxy and endpoints, Content and Malware Analysis is the obvious choice. You can't run the CAS-MAS as a standalone deployment, you need proxies or ICAP supported devices capable to send the files/URLS. It's not a network security device where you can flow/direct the traffic to C/MAS. It does not have UBA, NBA or NTR features, it is just working for analyzing files as expected.

McAfee Advanced Threat Defense is great in large enterprise environments with large, highly segmented networks. The administrator can create exceptions for specific applications as well as create exceptions through HAS which is very convenient for applications created in house. I do not recommend installing it on a computer with little ram memory, since this product demands a lot of resources and can be clearly distinguished in the Windows task monitor.

Incentivized

• 0 day detection and prevenion
• Flawless integration with Symantec Ecosystem
• Integration with other vendors supporting ICAP is also working
• Custom and golden image support
• High performance on busy environments
• Many threats are already detected and prevented through the CAS, it improves the performance drastically.
• Already builtin virustotal integration
• Reference to updates and updates information where I can see the product/service detecting which APTs
• Multiple Antivirus engines which you can select/subscribe
• Manual submission of file is supported through the gui
• URL manual submission is also supported

• Virus and threat prevention
• Sandbox option
• VPN
• It does run flawlessly in background
• It can detect email threats too

Incentivized

• API support is lacking
• Symantec/Broadcom security vision in general
• Symantec support is not perfect
• You can't run the product as a standalone network device
• No packet capture capabiliy or work in span mode
• You need a dedicated hardware to make it run
• You need to buy

• There should be more updates.
• It is heavy on our system's storage or we need a high-storage system to run this tool.
• Its pricing is disappointing.

Incentivized

Personally, I have only called our internal IT team about needing changes to permissions, not McAfee itself, but our IT team can make the changes though it seems to take them longer than I would think it needs to take. As someone who administers a different program, with different permissions, I would feel they should be able to make the exceptions faster and easier.

Incentivized

We have been using many solutions even tested nearly all available 0day sandbox solutions in the market. We choose Symantec CMA as we have already Symantec endpoint protection/EDR on the client, Symantec proxy for the web access, SCMA fits our environment. We have a big bargain when we puchase lots of equipment from the Symantec. Detection and prevention is very good at SCMA but some constant issues; like the product is not designed for heterogeneous environments, we can not integrate the SCMA with WAFs, it's lacking in api and request/reply calls. There's no file scanning, discover the option. SIEM integration is not smooth. I can not run some of the SOAR playbooks through the SCMA.

McAfee brand is used, mcafee antivirus scan, mcafee drive encryption, mcafee DLP, mcafee cloud proxy. He Kaspersky at the corporate level and used his admin dashboard is a bit rough. I recommend mcafee since the graphical environment is very friendly with the administrator. We selected it because at the administration level it is more comfortable, support for end users is very easy, the administration console can create roles and segregate permissions.

Incentivized

• 0-day and APT risk is covered by the SCMA
• As the SSL is inspected and analyzed at Bluecoat proxy servers, hidden threats, malicous files are passed to SCMA to be analyzed.
• Getting full visibility at file trajectory level
• As it's a full proxy and ICAP integration, we are sure that the files are to analyzed and scanned for malicious activity. This is a big plus compared to NGFW analyze concept, as the NGFWs have special failsafe mechanisms allowing bypass of file analysis. SCMA fully catches the hidden threats.
• Flawless integration with Bluecoat systems is a big plus, customers are getting the same type of messages within their browsers.
• A negative impact is the standardization when I deploy SCAM to one of our locations. Then the auditors demand the same coverage within other areas and it comes with the cost. Especially maintaining these devices on premise environment has a significant cost.

• It does provide real-time threat prevention
• Good customer support
• System needs high configuration for seamless operation

Incentivized