The Necessary Evolution of Endpoint Security Software
In one of Alan Shimmel's recent posts to his excellent The Ashimmy Blog, "Do you really need desktop AV anymore?", he states that surfing in safe neighborhoods and practicing safe computing (or safe-hex, as one of his readers posted in the comments section) can provide adequate protection. He is wrong. There are no safe neighborhoods on the internet. Millions of legitimate web pages are hijacked every year and used to distribute malware. In the past we have seen newspapers, government sites, even the FBI’s home page hijacked – sometimes the networks serving ads to those and thousands of other legitimate sites have been taken over. Worse, malware or links to infected sites are often distributed through sources of trust such as Facebook friends and Twitter feeds.
I also disagree with the widely held belief that free products provide adequate protection. Take a closer look at these free products and you’ll find that most don’t offer a firewall or IPS. Nor do any of them offer device control or application control, or serve as enforcement for network access control. Microsoft Security Essentials (which Shimmel references in the comments) has done poorly in detection tests from av-test.org. Check out its scores for Windows XP testing here: http://www.av-test.org/certifications. It didn’t even pass certification. The fact that it provides completely different levels of protection for XP and Windows 7 should not be overlooked.
Virus scanning needs to move beyond looking for signatures for known malware. We encountered, no exaggeration, over 600 million unique malicious files last year. Yesterday’s reactive virus scanners can’t keep up. Sandboxes have often been compromised by vulnerabilities in the OS or in apps; heuristics miss attacks and are subject to false alarms. The solution has to be to look at the reputation of files across many millions of machines to better inform other security technologies.
Our Insight technology offers a unique approach to reputation-based security, leveraging the collective wisdom of our 175 million users to assign bad and good ratings to more than two billion software files worldwide. That data is being used today to block threats and speed up users' computers. We know whether apps are good or bad, and if your computer is running a good app, like Word, we will never scan that file again. That makes the scan process significantly quicker than the typical AV software that scans every file on your system or virtual machine.
We’ll have more news on how this Insight technology will be integrated into our security products at RSA 2011 next month. In the meantime, we’d like to know your thoughts on what changes, if any, you’ve seen in the number, types and effectiveness of the attacks you’re facing.