Defense in Depth

STAR’s malware protection technologies break down into four broad categories:
Our signature and heuristic scanning engines form the backbone of Symantec’s security solutions; these engines use dozens of techniques to scan files for both known as well as unknown threats. These engines currently scan for over 7.5 million signatures, in an average of 25 milliseconds per file! Collectively, these engines detect billions of threats per year.
Although these are the most mature of our protection technologies, STAR continues to invest and innovate our core scanning technologies to keep current with the latest developments on the threat landscape. Included in file-based protection are the AntiVirus Engine – Symantec’s unique scanning engine that enables fast and efficient scanning of files; Auto Protect – Symantec’s real-time file scanner that detects any threats the moment they are saved to the hard drive on your computer; and Malheur and Bloodhound – our heuristics-based protection technologies which detect new/unknown malware by searching for suspicious instructions within static files, before they have a chance to execute.
STAR’s network-based protection includes a set of technologies designed to block attacks just as they transition from the network cable or wireless network to the computer, before they have a chance to introduce malware onto a system. Unlike file-based protection, which must wait until a file is physically created on a user’s computer before scanning it, network-based protection analyzes all incoming data streams before they can processed by the computer’s operating system and cause harm. This category consists of three distinct protection technologies: Network Intrusion Prevention solution (Network IPS) – protocol-aware IPS that understands and scans more than 200 different network protocols for possible attacks; Browser Protection – an engine that sits inside the user’s web browser and can detect the most complex web-based threats that are invisible to traditional AV and network IPS; and Unauthorized Download Protection - the last line of defense that helps mitigate unknown and unpatched vulnerabilities without the use of signatures, providing a further layer of insurance against zero-day attacks.

Behavioral-based protection technology observes actively running threats on your computer and can terminate running programs if they exhibit malicious behaviors; this technology provides proactive protection from entirely new, previously unseen attacks. The main engine, called SONAR, features an artificial intelligence-based classification engine, human-authored behavioral signatures, and a behavioral policy lockdown engine. These engines look for sequences of suspicious behaviors in running programs that are uncharacteristic of legitimate software; when SONAR observes such a suspicious sequence, it can terminate and remove the offending program immediately, without any virus fingerprints. Our advanced behavioral engine provides protection against entirely new day-zero attacks.
Our SONAR system uses artificial Intelligence-techniques to learn the difference between good and bad applications. To train SONAR, our engineers have provided the system with almost 200 million different behavioral profiles of both good and bad applications. SONAR then learns how to differentiate between legitimate and malicious behaviors on its own, enabling it to identify new threats based on past experiences. The system monitors nearly 400 different behaviors to make its classifications, enabling it to quickly spot malicious actions and remove bad applications before they can do damage.
To complement its artificial intelligence-based classification engine, SONAR also supports researcher-authored behavioral signatures. These signatures give STAR researchers the ability to identify entirely new malware threats that exhibit well-defined sets of behaviors; these signatures are useful since many malware families contain thousands of mutated variants, each of which looks entirely different on disk, yet all of these variants exhibit the same basic behavioral characteristics.
One well-written behavioral signature can instantly protect against the entire malware family. In addition, some of today’s most advanced threats literally “inject” themselves into legitimate applications or operating system files, from where they perform malicious actions. In such cases, it can be dangerous to remove these threats without causing damage to the underlying operating system or application. To address these threats, SONAR has the ability to impose a virtual sandbox around the infected but legitimate application. By doing so, SONAR can prevent the infected application from taking any malicious actions that might harm the computer.
The newest addition to the suite of protection technologies developed by STAR, Insight, our reputation-based security system, has been in development for more than four years. The initial version of this technology was first deployed in our Norton products in September 2009. This reputation-based technology blocks access to malicious files and websites based on the “crowd-based” wisdom of over 100M+ million customers.
The Insight reputation-based security system addresses the latest development in the threat landscape, that of micro-distributed malware. In prior years, attackers distributed a relatively small number of unique threats to millions of machines, making fingerprinting relatively easy. Today, attackers generate millions of distinct, mutated threats, sending each one to a very small number of machines. Our data shows that most threats today are observed on less than 20 machines across the globe. With attackers generating more than 600,000 new variants per day, it is not feasible for security vendors to create, test and distribute the volume of traditional signatures necessary to address the problem. Moreover, given their micro-distribution, many of these threats are never discovered or sent to security vendors for fingerprinting. And if the security vendor never receives a sample, they can’t fingerprint it. The result is millions of unique infections that totally bypass traditional fingerprints.
Symantec’s Insight leverages the anonymous usage patterns of Symantec’s massive user base to accurately derive security ratings for virtually every application, good and bad, across the Internet. Think of it as the Zagat survey of software. The system derives security ratings by analyzing the distribution patterns (or lack thereof) of each file across Symantec’s huge user base.
To compute these ratings, Symantec users contribute anonymous, real-time telemetry data about the applications they use. STAR then supplements this data with telemetry from the Symantec Global Intelligence Network, from our Security Response organization and from legitimate software vendors who provide data on their newly published applications to Symantec. This data is incorporated into a large-scale model of relationships between files and anonymized machines, not unlike a massive anonymous social network, that is then processed to derive security ratings for every application. Currently, the Insight system is tracking more than 2.5 billion good and bad files from more than 175 million participating users and is discovering new files at a rate of more than 22 million per week.