Gartner just released its annual report on endpoint security (see: Magic Quadrant for Endpoint Protection Platforms, Gartner, 2010).
As you can read in the report, Symantec extended its lead both in terms of vision and ability to execute. What is really notable, however, is the strong statement Gartner made about the future of endpoint security. The report starts with an indictment: "Malware effectiveness continues to accelerate, while vendors are busy polishing increasingly ineffective solutions and doing little to fundamentally reduce the attack surface and protect users."
Gartner goes on to state, "Signature-based malware detection has been limping along on life support for years, yet vendors seem unwilling to aggressively invest in more-effective solutions, preferring to 'tweak' the existing paradigm."
I couldn't agree more. Last year Symantec encountered more than 240 million unique malware samples. True, these were mostly minor variants of a far smaller number of malware families. Also true, most of these variants could be detected through signature scans. But the point remains that "most" is not good enough. Malware writers are flooding the internet with automatically generated malware. Signature scanning isn't dead; it is gravely wounded. Heuristic/behavioral approaches can help, but their results are often inconclusive because they lack context and history.
Symantec recognized this as far back as 2006, when we started designing Insight (sometimes called Ubiquity), an approach that analyzes files in context, using a file's age, frequency and source along with other security metrics to expose threats that others miss. Insight won't replace signature or heuristic analysis, but it does make those approaches far faster and more effective. Insight separates files at risk from those known to be safe, dramatically reducing the number of files to scan. It provides a safety rating for each file based on the file's context, allowing heuristics to indict or release files with confidence. Finally, it gives users confidence as well: confidence that the video codec they downloaded or the free disk utility really is safe.
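To make the idea concrete, here is a toy reputation triage written for this post as an added example. It is not Symantec's Insight code, and its weights, thresholds, field names and sample files are all made up; it only shows how age, prevalence and source can be combined into a rating that partitions files into known-safe, high-risk, and the smaller "needs a scan" middle.

```python
from dataclasses import dataclass


@dataclass
class FileContext:
    name: str
    age_days: int         # days since the file was first seen in the wild
    prevalence: int       # number of endpoints that have reported this exact hash
    source_trusted: bool  # whether the download source has a good reputation


def safety_rating(ctx: FileContext) -> int:
    """Hypothetical 0-100 safety rating built from age, prevalence and source.

    The weights are illustrative, not Insight's: older and more widely seen
    files score higher, and a trusted source adds a fixed bonus.
    """
    age_score = min(ctx.age_days, 365) * 40 // 365               # 0..40
    prevalence_score = min(ctx.prevalence.bit_length(), 20) * 2  # 0..40, log scale
    source_score = 20 if ctx.source_trusted else 0               # 0 or 20
    return age_score + prevalence_score + source_score


def triage(files, safe_threshold=70, risk_threshold=25):
    """Split files into buckets so the scanner only works on the unknown middle."""
    buckets = {"known_safe": [], "needs_scan": [], "high_risk": []}
    for f in files:
        rating = safety_rating(f)
        if rating >= safe_threshold:
            buckets["known_safe"].append(f)
        elif rating < risk_threshold:
            buckets["high_risk"].append(f)
        else:
            buckets["needs_scan"].append(f)
    return buckets


# Constructed sample files: names and numbers are invented for this example.
SAMPLE_FILES = [
    FileContext("codec.dll", 400, 1_000_000, True),
    FileContext("dropper.exe", 1, 3, False),
    FileContext("updater.exe", 200, 5_000, False),
    FileContext("setup.exe", 2, 10, True),
    FileContext("diskutil.exe", 365, 50_000, False),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FILES).items():
        print(bucket, [(f.name, safety_rating(f)) for f in items])
```

Only two of the five constructed files land in the scan bucket; the rest are released or flagged on context alone.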
Our Norton product line, powered by Insight, has dominated the most widely accepted third-party detection tests, those from av-comparatives.org and av-test.org. Recognition of this approach played a big part in Gartner's ranking of Symantec. Insight will be a cornerstone of all our malware detection products. Look for it in the next version of SEP.