In a nutshell, Symantec's new approach to detecting threats automatically derives reputation ratings (e.g. safe, unknown, unsafe) for every executable file available on the Internet. The reputation ratings are derived automatically using algorithms, not unlike Google's Page Rank algorithm, from literally billions of Norton Community Watch file reports from our tens of millions of participating users. Just like you use reputation ratings to choose whether or not to buy a book or a new MP3 player on sites like Amazon.com, the next generation of antivirus software can use the project's data to determine whether or not to allow an application to run on your computer. Think of it as the world's largest list of rated applications.
Unlike traditional antivirus, all of our reputation data is stored in the cloud - that is, in Symantec data centers - meaning that...
This year's Cutting Edge, Symantec's internal conference "for engineers, by engineers," promises to be an interesting one. Why? The last few years have brought serious challenges to the dominant antivirus fingerprinting approach. Right now, the security industry is built around the fingerprinting model – all of our processes, our automation, our data collection, our publishing systems – they’re all designed around the blacklisting model.
Unfortunately, while the industry had its head down honing the blacklisting approach (Symantec can automatically analyze and fingerprint up to 6M samples per week – how’s that for honing?), the rest of the world changed. Recent Symantec studies show that the volume of malware released now outpaces good software (potentially representing up to 65% of all unique software apps). Furthermore, industry reviews show that many new malware programs slip past all major antivirus products...
Back in June of 1992, I joined Symantec’s nascent antivirus team as a scruffy intern after a brief stint with the Norton Commander and Norton Desktop teams. At the time, Norton AntiVirus was a third-tier product with virtually no market-share. But that was about to change. That summer, Symantec hired over a dozen contractors to drastically improve Symantec’s detection rate and make us a world-class product. To give you an idea, back in 1993, top-notch products detected about 1,400 virus strains.
Over the course of that summer, and during my follow-up internships over the next few years, my teammates and I quickly realized that viruses were evolving at an extremely rapid pace, and would soon prove impossible for NAV’s core detection engines to detect. A detection engine is the heart and brains of the antivirus product; it performs all of the actual virus fingerprint scanning, and ours was quickly becoming obsolete.
