Endpoint Security Blog

The Necessary Evolution of Endpoint Security Software

Created: 03 Feb 2011 by dschrader • 5 comments


In one of Alan Shimmel's recent posts to his excellent The Ashimmy Blog, "Do you really need desktop AV anymore?", he states that surfing in safe neighborhoods and practicing safe computing (or "safe hex", as one of his readers put it in the comments) can provide adequate protection. He is wrong. There are no safe neighborhoods on the internet. Millions of legitimate web pages are hijacked every year and used to distribute malware. In the past we have seen newspapers, government sites, even the FBI's home page hijacked, and sometimes the ad networks serving those and thousands of other legitimate sites have been taken over. Worse, malware, or links to infected sites, is often distributed through trusted channels such as Facebook friends and Twitter feeds.

I also disagree with the widely held belief that free products provide adequate protection. Take a closer look at these free products and you'll find that most don't offer a firewall or IPS. Nor do any of them offer device control or application control, or act as an enforcement point for network access control. Microsoft Security Essentials (which Shimmel references in the comments) has done poorly in detection tests from av-test.org; see its scores for Windows XP testing at http://www.av-test.org/certifications. It didn't even pass certification. The fact that it provides different levels of protection on XP and on Windows 7 should not be overlooked.

Virus scanning needs to move beyond matching signatures of known malware. We encountered, no exaggeration, over 600 million unique malicious files last year; yesterday's reactive virus scanners can't keep up. Sandboxes have often been compromised through vulnerabilities in the OS or in applications, and heuristics miss attacks while also raising false alarms. The solution has to be to look at the reputation of files across many millions of machines and use that data to better inform the other security technologies.

Our Insight technology takes a reputation-based approach, leveraging the collective wisdom of our 175 million users to assign good or bad ratings to more than two billion software files worldwide. That data is being used today to block threats and to speed up users' computers. We know which applications are good or bad, and if your computer is running a known-good application, like Word, we will not scan that file again as long as it remains unchanged. That makes the scan process significantly quicker than typical AV software, which scans every file on your system or virtual machine.

We’ll have more news on how this Insight technology will be integrated into our security products at RSA 2011 next month. In the meantime, we’d like to know your thoughts on what changes, if any, you’ve seen in the number, types and effectiveness of the attacks you’re facing.

Comments

xlloyd wrote:

"We know apps are good or bad, and if your computer is running a good app, like Word, we will never scan that file again."

Doesn't this make room for hackers and the like to write programs to leverage these trusted programs and open up a kind of door into the target's computer?

In any case, we're running SEP 11 here at my office. Considering that combined with our perimeter firewall and Websense filter, it's no surprise that we don't have any viruses running wild on our network. Also to add that we're all tech savvy so none of us would even consider clicking on those email scams, much less downloading something that manages to get past Websense, y'know?

I have to agree with parts of what Alan Shimmel wrote in his blog though. I've been running my computer at home without an AV for years and I haven't seen any performance degradation outside of having too little space on my hard drive. I'd download a free AV every now and then to scan it and nothing showed up except 1 or 2 tracking cookies, so I figured I did pretty well with my browsing habits. I'm pretty sure a paid AV would have turned up other stuff...but I guess since I live in Jamaica and don't shop online on that PC...there's not much useful information they could steal anyway, since most targets are in North America.

Since I started working at this job though, I realised how many sites get hijacked and how easy it is to be compromised; even on "trusted" sites. That old computer I talked about is busted now 'cause of a power surge but when I get a new one I'll definitely get a paid AV. I'll still hold that a big percentage of infections could be avoided if you have good browsing habits. I wrote a blog about this some time ago:
https://www-secure.symantec.com/connect/blogs/my-t...

~xlloyd.

dschrader wrote:

xlloyd, thanks for replying.


You asked, "Doesn't this make room for hackers and the like to write programs to leverage these trusted programs...." The short answer is, no.  In a reputation system, files are recognized not by their name, which can easily be subverted, but by a "hash".  The hash is derived by a formula that outputs a number unique to that file.  If one bit in the file changes, the hash no longer matches the file, and the file's reputation is no longer trusted.

You do go on to make a statement that I see all the time, and it kills me, the "I run ABC antivirus and I never. . . ." statement. I'm glad your experience has been good, but there is a big difference between a personal anecdote and data-driven evidence. If one in ten people get infected, then it would be surprising if your experience had been otherwise. I prefer to look at well-run detection and performance test results. Perhaps in a future post I will go over the state of malware testing.

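To make concrete the hash-keyed reputation lookup described in the post and in dschrader's reply above, here is an added example. It is not Symantec's Insight code and not code posted by anyone in this thread; the marker string, the stand-in "file contents" and the verdict table are all constructed for the illustration. It shows the three behaviours the thread discusses: a known-good file is hashed but not rescanned, flipping a single bit gives the file a new, unrated identity, and giving malware a trusted file name does nothing because the lookup never consults the name.

```python
"""Toy hash-keyed reputation cache (added illustration, not Insight code).

Files are identified by the SHA-256 of their contents, never by their name.
A file whose hash is already rated is not scanned again; changing a single
bit of the file gives it a new hash and a fresh, unrated identity.
"""
import hashlib
from typing import Dict, Optional, Tuple


def file_hash(data: bytes) -> str:
    """Content identity: SHA-256 over the whole file."""
    return hashlib.sha256(data).hexdigest()


def expensive_scan(data: bytes) -> str:
    """Stand-in for full signature/heuristic scanning.

    The EVIL_MARKER string is constructed for this example. A real engine
    would run signatures, heuristics and emulation here; this is the work
    the reputation cache lets us avoid repeating for known files.
    """
    return "bad" if b"EVIL_MARKER" in data else "good"


class ReputationScanner:
    def __init__(self, reputation: Optional[Dict[str, str]] = None) -> None:
        # hash -> "good" / "bad". In a deployed system this table would be
        # fed by verdicts collected from many endpoints, not by one scan.
        self.reputation: Dict[str, str] = dict(reputation or {})
        self.full_scans = 0

    def check(self, name: str, data: bytes) -> Tuple[str, bool]:
        """Return (verdict, scanned).

        `name` is accepted only for logging; it is never part of the lookup,
        so renaming malware to winword.exe buys the attacker nothing.
        """
        h = file_hash(data)
        verdict = self.reputation.get(h)
        if verdict is not None:
            return verdict, False          # known content: hash only, no scan
        self.full_scans += 1
        verdict = expensive_scan(data)
        self.reputation[h] = verdict       # remember the content, not the name
        return verdict, True


def demo() -> dict:
    """Walk through the cases raised in the thread and return what happened."""
    scanner = ReputationScanner()
    # Constructed stand-ins for file contents (not real executables).
    winword = b"MZ\x90\x00" + b"WINWORD legitimate code " * 4
    malware = b"MZ\x90\x00" + b"EVIL_MARKER payload " * 4

    first, scanned_first = scanner.check("winword.exe", winword)
    second, scanned_second = scanner.check("winword.exe", winword)

    # Flip one bit: same name, different content, therefore a different hash.
    tampered = bytearray(winword)
    tampered[10] ^= 0x01
    tampered = bytes(tampered)
    tampered_verdict, scanned_tampered = scanner.check("winword.exe", tampered)

    # Malware renamed to a trusted name: the lookup never consults the name.
    mal_verdict, scanned_mal = scanner.check("winword.exe", malware)

    return {
        "first": (first, scanned_first),
        "second": (second, scanned_second),
        "hash_changed": file_hash(winword) != file_hash(tampered),
        "tampered": (tampered_verdict, scanned_tampered),
        "renamed_malware": (mal_verdict, scanned_mal),
        "full_scans": scanner.full_scans,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` performs three full scans in total (the original file, the one-bit variant and the malware); the second look at the unchanged file costs only a hash. Hashing is far cheaper than a full scan but still reads the whole file, so a product would normally cache the hash alongside the file's size and modification time and rehash only when those change.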
imric wrote:

that is re-calculated every 'scan'?

xlloyd wrote:

I figure it would only be recalculated if the file had been edited since last time. I'm not sure if hashing is less intensive than scanning =/

xlloyd wrote:

I agree totally with what you're saying dschrader. You misunderstood me though...I didn't attribute my lack of viruses to a free AV. What I said was that due to all the circumstances, I managed not to get any viruses. I'm sure that if you conducted a study on people with smart browsing habits who live in a place that isn't a major target of data theft, who don't shop online (and therefore don't have any credit card info stored anywhere), you'd find that only 1 out of 10 people would experience any serious viruses or malware. If security companies sponsored a study on "Safe Browsing Habits and its Effects on Virus and Malware Infections in Minor Countries" then I'm sure that in the section that outlines the infection rate of people who don't shop online, you'd find data that supports my point. Not the section titled "Infection Rates of People Using Free AV/AS Software".

I'm sure that if I were an "average Joe" Internet user who uses a free AV (or no AV), who lives in America (or another country full of prime targets) and who has information worth stealing on my computer...then I'd be one of the many who have fallen to malware.


In any event, thanks for the info about the trusted programs! I didn't think about using a hash of the application as a signature. That's actually brilliant!

Any idea when the Security Report for last year will be out?

~xlloyd
