Video Screencast Help
Security Response

Losing Touch with Fingerprinting

Created: 01 Oct 2008 10:35:47 GMT • Updated: 23 Jan 2014 18:39:45 GMT
Carey Nachenberg's picture
0 0 Votes
Login to vote

This year's Cutting Edge, Symantec's internal conference "for engineers, by engineers," promises to be an interesting one. Why? The last few years have brought serious challenges to the dominant antivirus fingerprinting approach. Right now, the security industry is built around the fingerprinting model – all of our processes, our automation, our data collection, our publishing systems – they’re all designed around the blacklisting model. 
 
Unfortunately, while the industry had its head down honing the blacklisting approach (Symantec can automatically analyze and fingerprint up to 6M samples per week – how’s that for honing?), the rest of the world changed. Recent Symantec studies show that the volume of malware released now outpaces good software (potentially representing up to 65% of all unique software apps). Furthermore, industry reviews show that many new malware programs slip past all major antivirus products – it often takes days or weeks for antivirus vendors to catch up and protect against a newly released threat. And, some threats never get detected – a threat that’s personalized by an attack server for a single user may never be discovered by security vendors!
 
And of course, while we could just ratchet up the model and ship 20, 30, or 50 thousand fingerprints per day to customers, before long you’ll have no RAM left to run legitimate software. The model is close to being broken. Fortunately, Symantec’s been anticipating this problem for a long time. In fact, we started working on a replacement approach to classic blacklisting about two years ago.
 
This Cutting Edge is exciting for me because for the first time we’re sharing the results of our project with our colleagues, and the results are extremely promising: in many use cases it appears to be significantly better than traditional fingerprint-based antivirus software at detecting new threats. So good that the project’s lead engineer, Vijay Seshadri, is afraid to publish the initial results, even internally, given the stir they might make.
 
Stay tuned this week for more information on Symantec’s pioneering efforts in this space.

Message Edited by SR Blog Moderator on 10-06-2008 01:28 PM