Each vendor takes a different approach to the control of applications on endpoints. While McAfee let us use the application (along with user, computer, location, and data) in its rules, Sophos gave us the ability to define which applications may be run on the endpoints. Both vendors have a fairly extensive selection of categorized applications from which to choose. Sophos requires the administrator to allow only applications supported by Sophos and block all others, while McAfee allows the use of a larger number of applications. A nice feature we discovered in Sophos was the ability to select "All added by Sophos in future" as an application under each category. This keeps the administrator from having to keep tabs on every new application that needs to be controlled.
The ability to filter e-mail is handled well by both vendors. In Sophos' case, the ES1100 acted as both the mail proxy and filtering device. McAfee required a separate proxy (we used McAfee's Email Gateway), which hands off the messages to the NDLP appliances.
McAfee also has a very mature network DLP product, which consists of several appliances that work together to get the job done. McAfee allowed us to not only block data leaks on supported operating systems or in traffic that could be proxied, but in any traffic leaving the network.
Encryption, steganography or other advanced methods of encapsulating data will keep it from being flagged by content inspection. However, the product can analyze traffic on many levels, including the source and destination, type, and many others. So even if the employee payroll database is encrypted before being copied off-site, the NDLP can flag a large file being transferred via FTP for further analysis.
This dovetails into one of the most innovative features we found in the McAfee suite: the ability to search backwards in time. Since the monitor appliance constantly records all traffic it sees, and saves it for a configurable amount of time (with the option to save this to a storage-area network), an administrator can look for evidence in the past of policy violations in response to a newly detected event. For example, if an administrator notices that a user was copying a sensitive proposal to a server in China, the administrator could look into the past to see if the user has a pattern of copying files to strange places. This search could then be saved as a filter so the administrator can keep tabs on this user.
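To make the two ideas above concrete (metadata-based flagging of large transfers that survives payload encryption, and a retrospective search over retained traffic that is then kept as a saved filter), here is an added Python example. It is not code from the review or from either vendor's product; the flow records, users, hosts and country codes are constructed, and the appliance is modelled as a plain list of metadata-only records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """One retained traffic record: metadata only, no payload.

    This is what a monitor appliance can still see when the content itself
    is encrypted: who, where from, where to, which protocol, how much."""
    ts: datetime
    user: str
    src: str
    dst: str
    proto: str
    nbytes: int
    dst_country: str


# Constructed sample records (hypothetical users and RFC 5737 test addresses).
SAMPLE_FLOWS: List[Flow] = [
    Flow(datetime(2024, 1, 3, 9, 12), "alice", "10.0.0.5", "203.0.113.10", "ftp", 180_000_000, "CN"),
    Flow(datetime(2024, 1, 9, 14, 1), "alice", "10.0.0.5", "198.51.100.7", "https", 2_000_000, "US"),
    Flow(datetime(2024, 1, 15, 17, 40), "alice", "10.0.0.5", "203.0.113.10", "ftp", 95_000_000, "CN"),
    Flow(datetime(2024, 1, 22, 8, 5), "bob", "10.0.0.9", "192.0.2.20", "smtp", 50_000, "US"),
    Flow(datetime(2024, 2, 1, 11, 30), "alice", "10.0.0.5", "203.0.113.44", "ftp", 150_000_000, "CN"),
    Flow(datetime(2024, 2, 2, 10, 0), "bob", "10.0.0.9", "198.51.100.7", "ftp", 1_000_000, "US"),
]


@dataclass
class SavedFilter:
    """A named predicate the administrator keeps so it can be re-run later."""
    name: str
    predicate: Callable[[Flow], bool]

    def apply(self, flows: Iterable[Flow]) -> List[Flow]:
        return [f for f in flows if self.predicate(f)]


def large_transfer_filter(proto: str, min_bytes: int) -> SavedFilter:
    """Flag big transfers over a protocol without looking at content.

    Works on an encrypted payload because size and protocol are still visible."""
    return SavedFilter(
        name=f"large-{proto}-over-{min_bytes}",
        predicate=lambda f: f.proto == proto and f.nbytes >= min_bytes,
    )


def user_destination_filter(user: str, countries: Iterable[str]) -> SavedFilter:
    """Match one user's traffic to a set of destination countries."""
    wanted = set(countries)
    return SavedFilter(
        name=f"{user}-to-{'-'.join(sorted(wanted))}",
        predicate=lambda f: f.user == user and f.dst_country in wanted,
    )


def retrospective_search(flows: Iterable[Flow], flt: SavedFilter,
                         event_ts: datetime, lookback: timedelta) -> List[Flow]:
    """Search retained history strictly before a newly detected event."""
    start = event_ts - lookback
    hits = [f for f in flt.apply(flows) if start <= f.ts < event_ts]
    return sorted(hits, key=lambda f: f.ts)


def investigate(flows: Iterable[Flow], registry: Dict[str, SavedFilter],
                event: Flow, lookback: timedelta = timedelta(days=60)) -> List[Flow]:
    """Triage a fresh alert: look back for a pattern, and if one exists keep
    the filter in the registry so the user can be watched going forward."""
    flt = user_destination_filter(event.user, {event.dst_country})
    history = retrospective_search(flows, flt, event.ts, lookback)
    if history:
        registry[flt.name] = flt
    return history


if __name__ == "__main__":
    big = large_transfer_filter("ftp", 100_000_000).apply(SAMPLE_FLOWS)
    print("large FTP transfers:", [(f.user, f.dst, f.nbytes) for f in big])
    saved: Dict[str, SavedFilter] = {}
    past = investigate(SAMPLE_FLOWS, saved, SAMPLE_FLOWS[4])
    print("prior matches for the alerting user:", [(f.ts.date(), f.dst) for f in past])
    print("saved filters:", list(saved))
```

The size threshold and the 60-day lookback are tuning knobs, not values from the review; the point is that the flagging step never needs the payload, and that the investigation step turns a one-off lookup into a standing filter.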
Sophos does not provide a network DLP product. However, some of our test cases were accomplished with application blocking. Blocking things such as FTP clients, desktop search tools, untrusted browsers, P2P software, anonymity clients (such as Tor), or e-mail clients let us effectively control the types of traffic that could be generated on the network.