We just raised a $30M Series A: Read our story

Compare Microsoft Windows Defender and Symantec Endpoint Protection. How Do I Choose?


One of the most popular comparisons on IT Central Station is MS Windows Defender vs Symantec EP. 

People like you are trying to decide which one is best for their company. Can you help them out?

Which of these two solutions would you recommend for endpoint protection? Why?

Thanks for helping your peers make the best decision!


ITCS user
3131 Answers

author avatar
Real User

If you have to choose between Symantec or MS, It would have to be Symantec. That is as long as you are willing to adopt more of their eco-system of solutions. I is more heavily geared torwards file protection (can be good or bad, pending the use case) but not dynamic enough in its policy creation capability. However the same can be said for MS Defender. MS Defender has one major shortcoming as it has tunnel vision on the windows platform. It leaves exposures with other operating systems. Also policy capabilities are not quite as effective and granular as one would think given the proximity to the Active Directory / Azure origin. I believe CarbonBlack is a superior solution. The breadth of its detection and response capabilities reside within the context of its primary solution. That said if you are looking for a heavier AV solution, Symantec is the way to go.

author avatar
LeaderboardReal User

Symantec is a complete endpoint security solution (Antivirus and anti-spyware, Application control and hardware control, Mitigation on memory exploring, Online reputation and signature-based solution, Behavior analysis and machine learning, Hist firewall and Hist IPS integrity with ATP/APT, Global reputation signature synchronization Compliance Validator, Host/application hardening or LockDown and Integrity with web proxy)
but Defender is only AV/malware features. If you need complete security you should choose Endpoint Protection.

author avatar

Symantec Endpoint Protection and Windows Defender both have their strong points. Microsoft has made great progress in its free edition of Windows Defender in Windows 7 and improved version in Windows 10. Its no cost feature is its strong point. Symantec Endpoint Protection is a purchased product, but the cost is worth the price. SEP is always near or at the top of Gartner’s Magic Quadrant both in execution and completeness of vision. In my 25 years as an IBM lead security engineer, I observed that SEP was chosen by IBM to protect its mobile workforce and also was the leader in Endpoint Protection chosen by the world’s largest banks, retailers and organizations. Powered by Sonar and now a Machine Learning Cloud interface in SEP 14.1, it is in most expert’s options the leader in Endpoint Protection.

My current experiences have also show that Symantec detects a far greater number of the zero-day threats than Windows Defender. However, the number of zero-day threats that can bypass the total of all anti-virus solutions has risen in recent years and the problem is that even though solutions such as SEP 14.1 are moving to machine learning detection engines, the number of data breaches continues to increase exponentially as the malicious actors are beginning to use AI to create and distribute Advanced Persistent Threats and it is a lucrative industry being run by organizations with a corporate structure mimicking the actual corporate structures of legitimate business.

Today only a holistic approach toward a foundational implantation of fundamental security controls at all levels will decrease the growing number of data breaches, reputational damage and monetary losses. Threat Hunting is the new norm and every organization should look beyond Endpoint Protection to an early detection and reduction in infection time by implementing an advanced Threat Hunting posture. Beyond that, Governance, Risk Management, Compliance and an increase in security awareness from the boardroom to the ground floor is making the more mature organizations leaner, agiler and less likely to suffer a data breach.

author avatar

Between Symantec and Defender, the best of the two is Symantec for detections and false/positive rates.

Couple sites to check

One thing you will notice is that the first site does not even consider Defender as a corporate solution, so take that for what it is.

One thing I will say about Symantec is the horrendous support. I find that every ticket I work on is pure frustration. Tickets are closed without actually solving the problem, constant debating around what the issue is and what the solution is. It has been driving me nuts!

But that being said, the product is fairly easy to manage and has kept us pretty clean. Our worst issue is spear-phishing attacks, but these cannot be prevented by malware software that well.

Symantec does offer a cloud connection for the agents now. My big issue right now is that you cannot have an internally managed server connect to the cloud (or reverse) to provide information in a consolidated view. I am told that this is coming though. I could move everything to the cloud I guess, but that is something for the future.

author avatar
Top 5User

Sid, you just hit the nail in the head. Sadly, I see here one comment from someone that appears to have CISSP certification saying MS is good for the home user that is ultra fantastic, so just for being a home user nothing will ever happen to them, even if they have a Roku box for IPTV ( I am being ultra sarcastic, here). Interesting, common guys.

author avatar
Top 5LeaderboardReal User

Symantec is an Enterprise Solution. It help you provide the enterprise reports that are a critical aspect of endpoint protection. It can also help you get an overall view of the state of your organization as a whole. Such is not possible with Windows defender which is an isolated solution . Windows defender is also comparatively simplistic in its detection capabilities compared to symantec. Symantec is the one of the leading companies in this space , others may be forcepoint

author avatar

I do recommend Symantec,

Reason like it has granular protection capabilities
Integrity with other advance solution also available to achieve maximum level protection.

Antivirus and antispyware
Application control and hardware control
Mitigation on memory exploring
Online reputation and signature-based solution
Behavior analysis and machine learning
Hist firewall and Hist IPS integrity with ATP/apt
Global reputation signature synchronization
Compliance validator,
Host/application hardening or lockdown
Integrity with web proxy

Symantec is not any path for the threat comprising,

Faster response to 0day attack
And three tiar integrity with Yara.

author avatar

By pure market rankings Symantec is a much better product and has a higher
detection rate than MS Defender. However, if your environment is
development heavy or file usage heavy, the impact on performance will be
high when using Symantec EP and going to Defender is a better option.

author avatar

Symantec Endpoint Protection (SEP) 12 has an extensive set of layered defense capabilities, such as Symantec Online Network for Advanced Response (SONAR), Symantec Insight and its network protect technologies, which go beyond traditional signatures for protection from advanced targeted attacks. Most recent improvements were in components of SONAR. Symantec also integrated an advanced repair tool, Norton Power Eraser, into the Symantec Endpoint Protection client.Symantec continues to be listed as the top overall competitive threat by vendors reviewed in this Magic Quadrant.Symantec's Security Technology and Response (STAR) technology allows evidence of compromise (EOC) scanning on the endpoint via SEP and is used by Symantec Managed Security Services and Symantec ATP.Cynic is a cloud-based sandboxing platform that provides bare-metal hardware and network sandboxing analysis of objects submitted by Advanced Threat Protection (ATP), Endpoint Protection and email. Results are passed to ATP for remediation.Application control offers one-click lockdown via a whitelist or blacklist of applications.Synapse integrates, correlates and prioritizes SEP, email security, cloud and ATP information.Symantec Data Center Security leverages VMware's vShield APIs and NSX to offer "agentless" antivirus and reputation security features on a VMware ESX hypervisor. On other platforms, such as Hyper-V or Kernel-based Virtual Machine (KVM), SEP provides input/output (I/O)-sensitive scan, virtual image exception and file cache, offline image scanner, and randomized scanning.Symantec's new Advanced Threat Protection will combine network-based object and traffic scanning with existing SEP clients to provide EDR functionality without the need for existing customers to deploy new client agents. Microsoft SCEP continues to rely heavily on signature-based detection methods. Test results (such as AV-Test and AV-Comparatives) of the effectiveness of SCEP remain very low when compared with industry averages. Microsoft is focused on reducing the impact of prevalent malware in the Windows installed base, with very low false-positive rates. It does not focus exclusively on rare or targeted threats, the impact of which minimal to the entire Microsoft ecosystem.SCEP still lacks numerous capabilities that are common in other security solutions, including advanced device control, network-based sandbox and application control. Windows features such as Firewall, BitLocker, and AppLocker are not as full-featured as comparable solutions from leading vendors, and the management of these components is not integrated into a single policy and reporting interface.While Microsoft supports anti-malware product updates independently, it delivers its most important security improvements in the OS. While every Microsoft customer benefits when the OS is more secure, including those that use alternative EPP solutions, most enterprises cannot upgrade OSs as fast as EPP versions.Despite the integration with system and configuration management, SCEP does not provide a security state assessment that combines the various security indicators into a single prioritized task list or score. SCEP also does not provide preconfigured forensic investigation or malware detection capabilities.SCEP provides support for virtual environments by enabling the randomization of signature updates and scans, and by offline scanning. It does not integrate with VMware's vShield or provide similar agentless solutions for Microsoft's Hyper-V environments.Intune EMM comes at an additional cost.

author avatar
Top 5User

Good afternoon and thanks for allowing me to put a grain of salt.

In summary, Symantec Endpoint Protection is the only of the two products that will protect more. The MS solution is useless. Believe me, I had many customers infected by relying on this. Symantec product is a conglomerate of protections together, including the firewall and application control (inheritance when they purchased Sygate, a highly respected firewall for the enterprise market, in those days).
Symantec, (not to be confused with the Norton product they have, which is a dog) with its Endpoint Protection enables protection against DNS
poisoning, MAC address spoofing, and many other features. It can also be centrally controlled and would cut off any machines in a network that
might get infected.

The choice is easy, Symantec.

author avatar
Real User

I will agree with Migo, choosing a solution without knowing the environment and what you are dealing with as per the operating systems and applications is not a good idea. In order to have the right solution one must first evaluate the environment, selecting the solution based upon ones liking will result in a vulnerable environment.

author avatar
Real User

I see many people are answering and it's mostly biased to the product they are promoting, so I will try to take a different angle. I would consider 2 aspects:
1. From a security standpoint, what is the risk level you are willing to take?
If it's a security decision, let's try to understand the problem you are looking to solve.
1. Which assets you are looking to secure: Workstations? Servers? Windows only? macOS?
2. What other security products you have in place?
3. Have your company suffered from Ransomware in the past?
4. Beyond malware protection - are there any other features you are looking to have?

The above should help you understand if legacy solutions are the right way for your environment or not. Most legacy products are doing a decent job in protecting from file-based and known malware. So, if you have other security measures (like making your windows users run without admin privileges), you might want to consider legacy. If you are following this path, I think the free option by MS provides good ROI.
That said, recent campaigns were using more sophisticated approaches like file-less and lateral movement (Ethernalblue is one example), you if you want to be protected from such, you should probably thing beyond these options. If this is the right path for you (it also means you are ready to spend more than zero dollars or a little more), you should look at what is known as next gen. For this, you might want to look into "Endpoint security suites must have these features" https://www.csoonline.com/article/3255285/security/endpoint-security-suites-must-have-these-features.html.
2. Beyond malware protection - are there any other features you are looking to have?
If you are looking for more features, you should consider the suite options. MS does not provide it just yet, but other vendors do.

author avatar
Real User

Neither. Go for Sophos. I've used Sophos for many years without any trouble. It is good at protection, easy to use and admin. Although it is quite big, it has minimal effect on performance and has a pretty small running footprint.

I have experience of Symantec and McAfee an have found both of them to be less than ideal. Both products having a noticeable impact on endpoint performance and reliability. Also their management tools are not as intuitive IMV as those provided by Sophos.

Windows Defender just doesn't provide the complete protection of the commercial products. My current employer relied on it to their cost. We now run Sophos.

author avatar

Windows defender does not detect anything. Use Symantec.

author avatar
Real User

If you would like to protect your personal computer, MS EP is sufficient. For corporate network end point, I would vote for Symantec. Thanks

author avatar

Plus to all:
file servers as a rule represents by two ways
1. Storage system file service
2. Virtual server file service.
On both choices symantec support low level file protection. At the level of disk volume and virtualization...

author avatar

My team has done an Endpoint Protection Solution Report.
Endpoint protection solutions must constantly adapt to new threats. Without adaptation, we cannot protect users, endpoints or, ultimately, businesses. The endpoint is usually the last line of defense. This report compares large vendors of recent and existing antivirus solutions are compared with so-called Next-Generation solutions. The report is the third edition, collecting even more malware samples compared to previous reports to emphasize the results’ significance. The tested AV products were updated to their latest available versions.
You can download the report for free here. https://info.it-cube.net/reportendpoint.

author avatar
Real User

i will keep it short . SEP 14 has a lot more feature than Windows Defender. Defender is just basic AV solution but SEP can give you more protection on EP

author avatar

Microsoft is not in the leaders part of qudrant... But Symantec is :-)



author avatar

i would recommend the SEP 14 MP1 RU1 which is the most secure for latest new definitions of new malwares viruses phishing attack.. if well configured it is the most reliable AV using and had been trained for... with a good management console you can create policies, blocking devices which is not allowed in your environment or farm....

author avatar

Yes as mentioned above,DD about the environment is mandatory only based on that we can propose a solution. However just FYI, Symantec is Leader in Magic Quadrant for 2018 & for past few years. You can get the Gartner report for Endpoint Security.

author avatar

I believe in this day when we choose an endpoint protection, one of the consideration is to have :

* Endpoint Detection and Respond (EDR) capability.
* Integration with Network protection, Sandboxing or SIEM

With that two point in mind, I would suggest Symantec Endpoint. As consider the MS Defender is just another Anti Virus.

author avatar

Both are ok. But Cylance better.

author avatar

Neither, I will recommend CrowdStrike why?
Check Gartner MQ 2018 for endpoint protection. Those solutions are with high TCO, low benefit-cost rate, but mainly they cant stop breaches of fileless or no malware attacks. Crowdstrike's protection is based in a single, light agent for a cloud-based protection of EDR, NGAV and treath hunting services

author avatar
Real User

I would in the first instance recommend a comparison with reports with a high level available on Peer review however the subscription-based reporting will go to a much finer detail. We have completed this recently ourselves but I would need to seek approval to share this information in a redacted state due to some information is are under an NDA. Whilst the decision process would also require a current state architecture to define the limitation and whether other product/solution you could suite the need and the Cloud usage and what the agency is looking to expose to these services.

I would from my review recommend Symantec Antivirus and you will be able to validate the use with the Gartner Report and with an agency engagement with Symantec can provide a further detailed customer review once the NDA is signed. Your regional support managers with Symantec also will have an additional internal document that can be provided to the customer on their review and experience.

Leave this with me and I will try to pull together our resource contact list and whom you can refer to reviews. High-level Defender protects about 85% protected offerings compared to Symantec, with Layer 4 being problematic and in an operational standpoint for investigation is cumbersome taking license access upgrade and up to 4-5 portal for each case investigation compared to Symantec single view. However, if you are also looking into cloud with MS services under Azure with E5 licensing there are some unique offerings if this was wholly a cloud-based service with MS CAS Services.

author avatar

I agree with Migo's viewpoint in that it depends on the degree of risk you are willing to accept.
Defender is potentially "good enough" to start with, but as your security matures you may need more capability to address your risks. Symantec is an example of Tier1 EPP. Check out Gartners 2018 EPP+EDR magic quadrant report for some guidance. Both Symantec and Crowdstrike offer this report on their websites. Symantec now also has a cloud managed version called SEP Cloud, for <1000 users and/or multiple sites, that is much simpler to configure, but still very effective. I have experience with McAfee and Symantec.
The key starting point needs to be your requirements and what risks you need to address/mitigate. This is what should drive decisions not the shiny toys ;o)
Some other points to consider: People and process. Do you have the staff to water and feed an enterprise EPP. Who will be accountable to ensure an acceptable level of endpoints are up to date. Also consider the hidden IT operational costs involved of managing/upgrading your fleet, potentially 1 or twice a year, depending on the technology chosen.

author avatar

None of those solutions are as accurate and reliable as the Check Point End Point solution. Check Point Endpoint Security solutions include data security, network security, advanced threat prevention, forensics and remote access VPN for complete endpoint protection.
To simplify security administration, Check Point endpoint suite products can be managed using a single console. No other solution provides the comprehensive coverage than Check Point.

author avatar
Real User

Here is my write up on the topic:

author avatar

I would say neither. Buy Carbon Black Defense. Real Next Generation AV and EDR combined. We stop attacks not just malware.

author avatar
Real User

I agree with Sean. My org. made the switch from Symantec several years back and we love Sophos. Granted, this is a personal experience and not every environment is the same, but Symantec caused us nothing but problems. For instance, management level users would take their laptops home get a virus and then we wouldn't know until the laptop was back on premises. There was no protection until their laptop could communicate with the management server. Sophos has proven to protect our workstations whether they are on site or not.

author avatar

If I were covering a PC, I would choose Windows Defender. That won’t secure a Mac, so for those, I would have to use SEP. But over and above either of those solutions I would choose CrowdStrike. (I realize that wasn’t one of your two choices, but that’s my real answer.)

Find out what your peers are saying about Microsoft Defender for Endpoint vs. Symantec End-User Endpoint Security and other solutions. Updated: November 2021.
552,695 professionals have used our research since 2012.