Huawei HiSec Endpoint vs. Fortinet FortiEDR

Sponsor: Huawei Technologies, Co. Ltd

Abstract

Huawei Technologies commissioned Tolly to evaluate Huawei HiSec Endpoint against Fortinet FortiEDR. The main focus of the project was to compare the two endpoint security platforms across the NIST IPDRR framework—Identify, Protect, Detect, Respond, and Recover—with emphasis on endpoint management, threat prevention, malware detection, incident response, recovery, and unified-agent architecture.  


Tolly’s report presents Huawei HiSec Endpoint as a broader endpoint protection platform with integrated EDR, NAC, and ZTNA capabilities, while FortiEDR is positioned more narrowly as an EDR tool that relies on separate Fortinet products for NAC and zero-trust access. In the Identify category, Huawei supported multiple agent deployment methods including email to multiple recipients, shared links, and domain-controller deployment, plus endpoint asset registration and proactive asset discovery. Huawei also supported 19 compliance check items, automatic repair for six items, and configurable compliance check intervals down to one minute. FortiEDR, by contrast, did not support endpoint registration or proactive compliance checking in the tested scenarios.  


Protection and detection were major differentiators. Huawei supported host firewall rules, abnormal login detection, file anti-tampering, real-time kernel-level file backup, and flexible blacklist and whitelist controls. In malware scanning, Huawei achieved a 96.71% overall detection rate versus 61.49% for FortiEDR. Huawei’s reported results included 100% ransomware detection and blocking, 92.78% for info-stealers, 91.15% for cryptojacking Trojans, 95.20% for remote control samples, 97.00% for malicious PowerShell scripts, 100% for macro viruses, and 92.90% for phishing samples. The corresponding FortiEDR results, in the same order, were 85.60%, 28.33%, 43.36%, 72.40%, 2.60%, 99.60%, and 66.86%.


The report also highlights Huawei’s stronger dynamic behavior detection. According to the test summary and detailed threat behavior sections, HiSec Endpoint detected or blocked web attacks, deceptive phishing files, remote-control Trojan activity, malicious shellcode loading, privilege escalation, persistence mechanisms, reverse shells, port forwarding, brute-force attacks, PsExec-based lateral movement, software-vulnerability exploitation, info-stealing activity, and phishing website access. FortiEDR detected some remote Trojans, some reverse shells, port forwarding, and password compromise, but did not detect several tested privilege escalation, persistence, lateral movement, web attack, and phishing website scenarios. Huawei also supported graph-database-based threat hunting with Cypher queries and one-click restoration of up to 100 hops in an attack chain, while FortiEDR supported only one-hop tracing.  


In response and recovery, both products could terminate malicious processes and isolate files, but Huawei provided deeper containment and stronger restoration. Huawei endpoint isolation allowed communication only with the management platform, while Tolly reported that FortiEDR still allowed inbound access after isolation. Huawei also supported 100% restoration of ransomware-encrypted files in the tested cases, recovery of falsely isolated files from quarantine, and automatic repair of macro-virus-infected files. Overall, the report concludes that Huawei HiSec Endpoint delivered broader functionality, higher malware detection rates, deeper threat visibility, and stronger recovery and unified-agent integration than Fortinet FortiEDR in the evaluated scenarios.