Carbon Black vs Symantec Endpoint Protection

Carbon Black vs Symantec Endpoint Protection

Kaushik Sen
Kaushik Sen
updated May 11, 2022

The information security (infosec) space is for the most part divided into two camps:  established players using a combination of old/new tactics for combating cybercrime, and market entrants attempting to rethink security from the ground up. Attack methods are increasingly sophisticated and require novel approaches for detection and remediation—since very little is understood about the next generation of threats, opportunities abound for both incumbent leaders and upstarts alike. And with targeted attacks and advanced persistent threats (APT) on the rise, newer players with innovative approaches to security are seeing ample opportunities for supplanting longstanding market leaders and their aging security products.

One such upstart—Carbon Black—takes a different approach to security that utilizes signature-less threat prevention and application whitelisting. Let’s take a look at how the platform compares with security veteran Symantec’s Endpoint Protection offering.

Bit9 + Carbon Black

Though founded back in 2002, Bit9 came into its own in 2014 with the acquisition of Carbon Black. Bit9’s agent-based platform architecture allows the enforcement of whitelist policies on every endpoint, while Carbon Black enables endpoint file behavior monitoring and real-time threat detection through endpoint-installed sensors and data recorders. The merging of the two effectively combines Bit9’s signature-less, whitelist-based threat protection with Carbon Black’s continuous monitoring and incident response capabilities. In 2016, the company was rebranded to Carbon Black.

Carbon Black’s trust-based security model revolves heavily around its central whitelist database: a registry of trusted, known good software and their classifications/ratings. These trust ratings are provided by the Carbon Black Software Reputation Service—reputedly the world’s largest hash database of software. Additionally, the platform is augmented by the firm’s Threat Intelligence Cloud—a repository containing extended attributes for billions of software executables, as well as threat and trust ratings for published and rogue software.

A distinction should be made between traditional security methods employed by standard IDS/IDPS solutions and whitelisting—the latter of which is employed by Carbon Black. Though both methods use file hashes to track file changes, whitelisting by default assumes a “deny” posture, as opposed to the default “allow” approach used by most IDS/IDPS offerings. In Carbon Black’s case, an application whitelist contains a list of known good applications and their file privileges. Because only trusted software is allowed to execute in one’s IT environment, malicious packages are prevented from making any unauthorized changes . This is especially crucial when dealing with zero-day attacks that use malware unknown or unidentifiable by traditional security tools. With Carbon Black, maliciously altered files can be easily be prevented from execution by checking the application whitelist.

Symantec Endpoint Protection

A recognized name in IT security, Symantec features a full line of solutions for securing and managing information, identities, and infrastructures. Its own answer to endpoint detection is called—appropriately enough—Symantec Endpoint Protection. The platform enables comprehensive infrastructure protection through the following core components:

  • Endpoint Protection Manager—a server that manages computers connected to a protected network.
  • Endpoint Protection Manager Database—a datastore of security policies and events
  • Endpoint Protection Client—endpoint software that protects and scans machines for viruses and malware.

A firewall and IDPS are included with the suite, with paid add-ons available for extending Symantec Endpoint Protection’s capabilities. For example, purchasing the Symantec Protection Suite gives the platform the ability to filter/block email and web threats.

Similar to Carbon Black, Symantec Endpoint Protection utilizes a trusted datastore for identifying files to  be scanned—in this case, with data provided by the Symantec Global Intelligence Network (GIN). This network of hundreds of millions of sensors feed data into a massive repository of security data gleaned from the monitoring, analyzing, and processing of more than 10 trillion security events per year worldwide. According to Symantec, this gives its platform significant speed benefits by incorporating scan elimination—instead of scanning every file, it eliminates and deduplicates unnecessary scan jobs for smarter and faster operation.

Security Ratings

UpGuard's VendorRisk platform is used by hundreds of companies to automatically monitor their third-party vendors. We ran a quick surface scan on both Carbon Black and Symantec, and found them to have similar scores:

Our quick assessment showed that both companies carry similar risks which include:

Based on their score, Carbon Black edged out Symantec. But both companies have work to do in maintaining good security hygiene and best practices for themselves.

Let us automatically measure and monitor the security of Carbon Black, Symantec and your other third-party vendors for you.

Get a demo of UpGuard VendorRisk today. 


Cyber threats are constantly evolving and security tools must follow suit. This cat-and-mouse game often puts many legacy vendors at a disadvantage, as they often lack the agility to reinvent ageing security models and architectures from the ground up. That said, newer security firms developing advanced methodologies for threat protection are essentially building solutions that are unproven against future threats. Symantec Endpoint Protection and Carbon Black are representative cases of each—interestingly enough, both incorporate consolidated threat intelligence datastores as critical components of their respective offering. And despite the apparent similarities, Symantec’s GIN is actually quite different than Carbon Black’s whitelisting mechanism. The latter uses a hash database of software trust ratings— the Carbon Black Software Reputation Service—to determine which files to whitelist. The GIN datastore is used for quick identification of good and bad actors to optimize file scanning efficiency.

Both approaches have their advantages and drawbacks. Symantec Endpoint Protection is comprehensive but lacks integration capabilities with other security tools like an SIEM. And no matter how expansive GIN’s intelligence gathering capabilities, the solution still relies on known threat data to drive its security enforcement model. Also, non-Windows users may be out of luck with Symantec, as the Manager component requires a Windows machine to run on.

Carbon Black’s whitelisting technology seems promising, but needs further refinement—a recent compromise resulted in malware being sent to several of the company’s customers. And just to be fair, Symantec's offering has not been without its own vulnerabilities. Suffice to say, no one solution can effectively protect an organization’s infrastructure against today and tomorrow’s threats. A competent security strategy should consist of best-of-breed tools assembled in a continuous security toolchain, with monitoring layered across them —through deep coverage, organizations can maintain an optimal security posture.

  Carbon Black Symantec Endpoint Protection
installation and setup

Single endpoint installation is straightforward

Supports WIndows, MacOS, Red Hat Linux, and CentOS

Enterprise environment require professional services, which can be costly

Installs as a standard Windows application

Manager component only works on Windows platforms


Built entirely on open APIs and features easy integration with other tools

Uses the Carbon Black Software Reputation Service— the world’s largest hash database of software

Powered by the Symantec Global Intelligence Network (GIN), a big data repository of threat intelligence accumulated from one of the largest collection of sensors in the industry

Includes a standard suite of security tools including IDPS, firewall, and anti-virus/malware.

Pricing $420/3-year license $54/1-year license
Documentation & Support Available on website Available on website. Community support is fairly extensive

UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape