Security Technology and Response (STAR)
Security Technology and Response (STAR) is the Symantec division responsible for the innovation and development of our security technologies, which address protection in five areas: file, network, behavior, reputation, and remediation.

Overview

Within Symantec, Security Technology and Response (STAR) oversees the research and development efforts for all of our antimalware security technologies. These form the core protection capabilities of Symantec’s corporate and consumer security products.

Some years ago, traditional antivirus technologies were all that was needed to protect an endpoint from attack. However, with the dramatic shift in the threat landscape over the last few years, it is no longer reasonable to think that antivirus-based technologies alone are sufficient. To address this, STAR has developed a collaborative eco-system of security technologies to protect Symantec’s users from malicious attack.

This eco-system is comprised of the following five areas that work in collaboration:

  • File-Based Protection continues to play a major protection role due to new innovations in static file heuristics.
  • Network-Based Protection can detect when both known and unknown vulnerabilities are used to enter a user's system.
  • Behavior-Based Protection looks at the dynamic behavior of malicious activity rather than static characteristics.
  • Reputation-Based Protection examines the meta information of a file – its age, origin, how it travels, where it exists, etc.
  • Remediation is a set of technologies that can help clean up an infected system.

By collaborating, each technology is able to operate more efficiently and more effectively to determine whether a given situation is malicious or not. As each technology learns different attributes about a process or a file, it will share what it learns with the other technologies. For example, the network-based protection technologies are able to track where web downloaded files originate and thereby share this information with the other technologies.

Greater detail on each technology type can be found in the sections that follow.


File-Based Protection

Modern antivirus solutions go beyond simple pattern matching and apply generic and heuristic techniques when looking for threats. In fact, the best antivirus engines provide multiple methods for identifying known and unknown threats. Symantec’s file-based protection is one such technology.

Although it is the most mature of our protection technologies, STAR continues to invest in and drive innovation to our file-based security to keep current with the latest developments on the threat landscape.

These three components form the core of our file-based protection technology:

Antivirus Engine

Symantec's unique scanning engine is broadly deployed on over 350 million machines. It is a stable, high-performance security technology providing advanced detection against the latest threats. The engine is frequently updated in the field via LiveUpdate to seamlessly respond to new threats.

Auto Protect

Symantec’s real-time file scanner detects threats being written to or from a file system. Written at the kernel level, Auto Protect is a high-performance and low-footprint scanning engine that protects against the latest threats while staying out of the user's way.

Malheur & Bloodhound

Heuristics-based protection in file-scanning technology, Malheur & Bloodhound signatures can detect unknown malware based on file attributes and attempts to exploit vulnerabilities.

A Deeper Dive into Features

Each of the following sections describes a file-based technology feature that is intrinsic to the three core components explained above.

Broad File Support

Compressed files and files embedded inside other files are among the broad set of file types that can be examined for hidden malware. Supported file types include:

.DOC, .DOT, .PPT, .PPS, .XLA, .XLS, .XLT, .WIZ, .SDW, .VOR, .VSS, .VST, .AC_, .ADP, .APR, .DB, .MSC, .MSI, .MTW, .OPT, .PUB, .SOU, .SPO, .VSD, .WPS, .MSG, .ZIP, .DOCX, .DOCM, .DOTX, .DOTM, .PPTX, .PPTM, .PPSX, .PPSM, .XLSX, .XLSB, .XLSM, .XLTX, .XLTM, .XLAM, .XPS, .POTX, .POTM, .ODT, .OTT, .STW, .SXW, .EML, .MME, .B64, .MPA, .AMG, .ARJ, .CAB, .XSN, .GZ, .LHA, .SHS, .RAR, .RFT, .TAR, .DAT, .ACE, .PDF, .TXT, .HQX, .MBOZ, .UUE, .MB3, .AS, .BZ2, .ZIP, .ZIPX

Unpacker Engine

Identifies malware obfuscated with packer technology. The Unpacker Engine can:

  • Decompress affected executable files.
  • Unpack hundreds of distinct packer families.
  • Recursively unpack files that are multiply-packed until the core malware is reached.

Generic Virtual Machine

Delivers complex detection scripts and new un-packer logic via standard virus definitions, negating the need to ship product engine updates.

  • A byte-code-based system, like Java or C#, making it extremely safe to rapidly produce new protection technologies without crashes or hangs.
  • Applies extremely complex heuristics and family signatures, for threats like Trojan.Vundo.
  • Performs all scanning of non-traditional file formats e.g. PDF, DOC, XLS, WMA, JPG, etc.

Anti-Polymorphic Engine

Includes advanced CPU emulation technology to trick polymorphic malware into de-cloaking.

Anti-Trojan Engine

Includes advanced hashing techniques to simultaneously scan for millions of Trojans and spyware threats in microseconds.

  • Locates and extracts key file regions known to contain malware logic.
  • Takes cryptographic hashes of each section and looks them up in the fingerprint database.
  • Advanced algorithms enable the Anti-Trojan Engine to simultaneously scan for tens of millions of malware strains in literally microseconds.
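The section-hashing lookup described above, as an added Python example that is not Symantec's engine: it parses the PE section table, hashes each section's raw bytes with SHA-256 and looks the hashes up in a fingerprint dictionary. The PE images, section bodies and detection name are constructed, and treating the marker section alone as the "key region" is an assumption made for the illustration.

```python
import hashlib
import struct
from typing import Dict, Iterator, List, Tuple


def pe_sections(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, raw bytes) for every section in a PE image.
    Minimal parser for well-formed headers; malformed input raises ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                          # IMAGE_FILE_HEADER
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        hdr = data[table + 40 * i: table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        body = data[raw_ptr:raw_ptr + raw_size]
        if len(body) != raw_size:
            raise ValueError(f"section {name} points outside the file")
        yield name, body


def section_hashes(data: bytes) -> Dict[str, str]:
    """One SHA-256 per section: the 'key file regions' the engine fingerprints."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in pe_sections(data)}


def scan(data: bytes, fingerprints: Dict[str, str]) -> List[str]:
    """Look every section hash up in the fingerprint database; return detection names."""
    hits = {fingerprints[h] for h in section_hashes(data).values() if h in fingerprints}
    return sorted(hits)


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal, non-runnable PE container around (name, body) pairs.
    Constructed test data only: no optional header, no entry point."""
    n = len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)    # i386, n sections
    table, bodies = b"", b""
    ptr = 0x40 + 4 + 20 + 40 * n                                      # raw data follows the headers
    for name, body in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(body), 0x1000, len(body), ptr) + b"\0" * 16
        bodies += body
        ptr += len(body)
    return dos + b"PE\0\0" + coff + table + bodies


# Constructed samples: the marker section is the region shared by a family, while the
# code section differs between variants (as it would after repacking).
MARKER = b"constructed-family-marker-not-a-real-indicator"
SAMPLE = build_sample_pe([(b".text", b"\x55\x8b\xec" + b"\x90" * 29), (b".data", MARKER)])
VARIANT = build_sample_pe([(b".text", b"\xcc" * 48), (b".data", MARKER)])
CLEAN = build_sample_pe([(b".text", b"\x90" * 16), (b".data", b"benign-constructed-data")])

# Constructed fingerprint database: section hash -> detection name.
FINGERPRINTS = {hashlib.sha256(MARKER).hexdigest(): "Constructed.Family.A"}

if __name__ == "__main__":
    for label, image in (("sample", SAMPLE), ("variant", VARIANT), ("clean", CLEAN)):
        print(label, scan(image, FINGERPRINTS))
```

A whole-file hash would miss VARIANT, which only shares the fingerprinted section with SAMPLE; the per-section lookup catches both while leaving CLEAN alone.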

Photon Engine

Uses 'fuzzy' signatures to identify both known and new, unknown malware variants.

  • Scans files using hundreds of thousands of fuzzy signatures simultaneously, drastically improving scan performance.
  • The fuzzy signatures can detect entirely new malware strains the moment they're released.

Advanced Heuristic Engines

Focused detection of server-side polymorphed strains.

  • Over a dozen different heuristics (and growing) search for different suspicious file characteristics.
  • All suspicious files are correlated against Symantec’s reputation cloud and our digital signature trust list.
  • Engines use context to adjust heuristic sensitivity, e.g. heuristics are more suspicious of newly downloaded files than of installed applications.

Network-Based Protection

Network-based protection is a set of technologies designed to block malicious attacks before they have a chance to introduce malware onto a system. Unlike file-based protection, which must wait until a file is physically created on a user’s computer, network-based protection analyzes incoming data streams as they arrive on a user’s machine via network connections.

This category consists of three distinct protection technologies:

Network Intrusion Prevention Solution (Network IPS)

The protocol-aware IPS understands and scans over 200 different protocols. It intelligently and accurately breaks apart binary and network protocols looking for signs of malicious traffic. This intelligence allows for highly accurate network scanning while delivering robust protection. At its heart is a generic exploit-blocking engine which provides evasion-proof blocking of attacks on vulnerabilities. A unique feature of the Symantec IPS is the negligible amount of configuration needed to enable Network IPS protection capabilities out of the box.

Browser Protection

This protection engine sits inside the browser and can detect the most complex threats that traditional antivirus and Network IPS methods are unable to detect. Many network-based attacks today use obfuscation to avoid detection. Because Browser Protection operates inside the browser it is able to watch de-obfuscated code as it executes and so is able to detect and block attacks which are missed at lower layers of inspection within the protection stack.

Un-Authorized Download Protection (UXP)

Within the Network-based protection layer, this last line of defense helps mitigate unknown and unpatched vulnerabilities, without the use of signatures, providing a further layer of insurance against zero-day attacks.

Targeting the Problems

Together these network-based protection technologies address the following problems.

Drive-by Downloads

Leveraging the Network IPS, Browser Protection, and our UXP technology, Symantec’s Network Threat Protection technologies block drive-by downloads and keep malware from ever reaching the end system. We use a variety of prevention methods with these technologies, including our Generic Exploit Blocking technology (described below) and our generic web-attack toolkit detection. Our generic web-attack toolkit detection analyzes the network characteristics of common web-attack toolkits regardless of the vulnerabilities being attacked, delivering additional zero-day protection against new vulnerabilities as well as protection against the web-attack toolkits themselves. The best part of this protection is that the malware that would slow down an end user's system is kept off the system, something usually missed by traditional detection technologies. Symantec continues to block tens of millions of variants of malware that are not usually detected by any other means.

Social Engineering Attacks

Since our protection technologies are looking at the network and browser traffic as it is being rendered, we are able to use the intelligence of the endpoint to determine if a social engineering attack, like a fake antivirus solution or fake codec, is popping up. Our technologies work to block social engineering attacks before they are displayed, thwarting their attempts to trick the end-user. Most of the other competitive solutions do not include this powerful capability. Our solution stops millions of attacks that, if left to execute, other traditional signature-based technologies would normally not detect.

Infected Systems

Our Network IPS solution includes detection and remediation of threats that might have been able to bypass other protection layers. We detect malware and bots trying to ‘phone home’ or fetch updates in order to spread further malicious activity. This gives IT managers a clear punch-list of infected systems to investigate, and the assurance that their enterprise is secure. Polymorphic threats that are challenging to remediate, such as Tidserv, Koobface and Zbot, can be detected using this method.

Obfuscated Threat Protection

Today’s web-based attacks use complex methods to hide or obfuscate attacks. Symantec’s Browser Protection sits inside the browser and can detect highly complex threats that traditional methods usually do not.

Zero-Day and Unpatched Vulnerabilities

One of our more recent protection additions is our added layer against zero-day and unpatched vulnerabilities. Using signature-less protection, we intercept system API calls and prevent malware from being downloaded – what we call our Un-Authorized Download Protection (UXP). This is the last line of defense within our Network Threat Protection technology and helps mitigate unknown and unpatched vulnerabilities without the use of signatures. This technology is enabled automatically and has been shipping since the debut of Norton 2010.

Network Vulnerabilities

Symantec’s Network Protection solutions provide an additional layer of protection called Generic Exploit Blocking (GEB) technology. Regardless of whether a system is patched or not, GEB ‘generically’ protects against the exploitation of underlying vulnerabilities. Vulnerabilities within Adobe Acrobat, Internet Explorer, ActiveX, or QuickTime are commonly found in today’s threat landscape. We created our Generic Exploit Blocking protection by reverse engineering how a vulnerability could be exploited and then looking for the characteristics of that exploitation on the network, essentially providing a network-level patch. One single GEB or vulnerability signature can protect against thousands of variants of malware that Symantec or other security vendors have not seen before.

Behavior-Based Protection

Behavior-based protection technology provides effective, non-invasive protection against previously unseen zero-day computer threats. The Symantec Online Network for Advanced Response (SONAR) is the main engine of our behavior-based technology and features a classification engine based in artificial intelligence, human-authored behavioral signatures, and a behavioral policy lockdown engine. Together these components provide industry-leading security protection against threats that are most often social-engineered and targeted attacks.

These three components form the core of our behavior-based protection technology:

Classification Engine Based in Artificial Intelligence

By anonymously collecting attributes of running applications from the members of the Norton Community Watch program, SONAR has built up one of the world’s largest databases of behavioral profiles on nearly 200 million application instances. Relying on almost 400 different behavioral attributes, the SONAR classification engine is quickly able to spot malicious behaviors and take action to remove bad applications before they do damage.

Behavioral Signatures

To complement the classification engine, SONAR includes the ability to process behavioral signatures. These signatures are fast to write, test, and deploy and they give SONAR the flexibility and adaptability to respond to certain classes of emerging threats with a very low false-positive rate.

Behavioral Policy Lockdown

In some cases, malware threats get deeply entrenched in various legitimate applications or operating system files. In such cases, it can be dangerous to remove them. SONAR has the ability to implement a virtual sandbox around the infected but legitimate application and by doing so can prevent the infected application from taking any malicious actions that might harm a user’s computer.

Reputation-Based Protection

The newest addition to the suite of protection technologies developed by STAR, reputation-based security, addresses the latest development in the threat landscape, that of micro-distributed malware. Using the combined wisdom of over 130 million contributing users, our reputation system learns which applications are good and bad based on the anonymous adoption patterns of our users. It then uses this intelligence to automatically classify virtually every software file on the planet. This reputation data is utilized by all of Symantec's products to automatically block new malware and, conversely, to identify and allow new legitimate applications.

The Problem: A Changing Threat Landscape

In prior years, relatively small numbers of threats were distributed to millions of machines. Each one could easily be stopped with a single antivirus signature deployed to each protected system. Realizing this, malware authors have shifted techniques and today use a variety of obfuscation techniques to rapidly change the appearance of the threats they produce. It has become commonplace to see attackers generate a new threat variant in real time for each victim, or a handful of victims, resulting in hundreds of millions of distinct new variants every year.

These threats are then distributed via web-based or social engineering attacks to targeted computers. Our data shows that most threats today end up on less than 20 machines across the globe making it nearly impossible for security companies to learn about most of these threats, capture a specimen, analyze it and write a traditional reactive signature. With over 600,000 new variants being created per day (Symantec received 240 million unique threat hashes last year from protected customer machines), it is infeasible to create, test, and distribute the volume of traditional signatures necessary to address the problem.

The Solution: Reputation-Based Protection

Traditional fingerprinting of a virus requires the security vendor to obtain a specimen of each threat before they can provide protection. Symantec's reputation-based security takes a totally different approach. It doesn't just focus on bad files, but attempts to accurately classify all software files, both good and bad, based on countless anonymous telemetry "pings" sent to Symantec every second of every day from around the world. These near real-time pings tell Symantec about:

  • The applications being deployed on our customers' machines (each application is uniquely identified by its SHA2 hash).
  • Where applications came from on the web.
  • Whether or not the applications are digitally signed.
  • How old the applications are.
  • A host of other attributes.

We add to this data from our Global Intelligence Network, our Security Response organization, and legitimate software vendors who provide application instances to Symantec.

This data is incorporated into a large-scale model, not unlike Facebook's social network, and is composed of links between applications and anonymous users rather than just user-to-user connections. This encodes the relationships between all of these files and our millions of anonymous users. We then analyze this application-user network in order to derive safety ratings on every single application – identifying each as either good, bad, or somewhere in between. Currently this system is tracking more than 1.98 billion good and bad files and is discovering new files at the rate of more than 20 million per week.

Features

Symantec client, server and gateway products use Reputation data to help improve their protection in the following four ways:

Superior Protection

The reputation system computes highly accurate reputation ratings on every single file, both good and bad. This is not only effective against popular malware, but can also identify even the most arcane threats – even those affecting just a handful of users across the entire Internet. This increases detection rates across all categories of malware.

The most visible aspect of the increased protection provided by reputation can be seen in the Download Insight (DI) feature in Norton products and our Download Advisor (DA) feature of our Symantec Endpoint Protection product. DI/DA intercepts every new executable file at the time of download from the Internet. Then it queries the Symantec reputation cloud for a rating. Based on ratings received from the cloud, DI/DA takes one of three different actions:

  • If the file has developed a bad reputation, it is blocked outright.
  • If the file has developed a good reputation, the file is allowed to run.
  • If a file is still developing its reputation and its safety is unknown, the user is warned that the file is unproven. The user can then decide, based on their tolerance for risk, whether or not they want to use the file. Alternatively, in corporate deployments, the administrator can specify different block/allow thresholds for different departments based on each department's unique tolerance for risk.

Prevents False Positives

Two separate aspects of the technology contribute to further lowering Symantec's already markedly low false-positive rates on legitimate software:

Firstly, because reputation-based technology derives its file ratings from the social adoption graph rather than from the contents of each file (as traditional antivirus scanning technology does), it provides a second opinion to augment our traditional detection technologies such as antivirus heuristics or behavior blocking. If both opinions point to a file being 'malicious', the likelihood of a wrong conviction becomes infinitesimally small.

Secondly, because the system maintains prevalence information on all executable content, this information can also be included into the decision to convict or not. For example an ambiguous conviction on a file that is on only two systems across the globe would be far less damaging than a comparable conviction of a file that is on millions of machines. Factoring this information into every decision means better informed decisions to better protect our users.

Improved Performance

A typical user's machine has many thousands of files that never change, and, with very few exceptions, all of these files are good. However, because traditional antivirus focuses on looking for bad files based on a list of known malicious threats, it has to scan every file on a user's system to compare it against the list of known threats. As new threats are discovered, each file on a user's system must be rescanned with the new signatures to see if the file matches any of the newly discovered threats.

This becomes a very inefficient process when you consider that security vendors publish thousands of new virus signatures each day. Reputation-based security, however, has accurate safety ratings on all files – both good and bad, by design. This enables products with reputation technology to scan a user's system and definitively mark known good files as good and set them aside so they are not scanned again – that is unless their contents change. This has a dramatic impact on performance, reducing the resource need of a traditional scan and real-time protection by up to as much as 90 percent – providing a much improved user experience.

Policy-Based Lockdown

Traditional security solutions have focused on blocking known malware in a binary way – anything that is definitively identified as bad is removed from a user's machine and everything else is left alone (whether or not it's actually bad). Many opportunities in the real world where malware can still gain a foothold on a user's system are left unaddressed. Consider a brand new piece of malware that has just been created by a cybercriminal: it is highly likely that existing antivirus signatures will not be able to detect such a threat, since the vendor has never had a chance to analyze it first. Unless the new threat exploits a known vulnerability or exhibits a predetermined pattern of suspicious behaviors, it may go undetected by existing security techniques. Reputation-based security helps users and IT administrators address this situation by making better, more informed decisions about the executable content that they allow onto their machines.

In addition to managing information on whether a file is good or bad, Symantec's reputation-based system maintains additional attributes like each file's prevalence and age. These attributes can be used to implement policies in our upcoming enterprise products to enable administrators to control what can be installed on a user's system. For example, in the case of a new threat, even if it is not yet flagged as malicious, its age will be very young and

Users and IT administrators can use reputation information to implement policies about what they allow on to their machines. For example, the IT administrator might choose to restrict employees in the Finance department to downloading only those applications with at least 1000 certified users and at least two weeks of availability on the Internet, whereas staff on the IT help desk might be allowed to download files of any age with at least 100 other users and a moderate reputation score. These policies enable administrators to tailor their protection based on each department's unique tolerance for risk. Our studies show that this is a very effective way to mitigate the risk exposure to new malware within an enterprise.
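The three DI/DA outcomes described under Superior Protection, combined with the per-department floors this section describes, as an added Python example that is not Symantec's code: the 0-100 score scale, the bad/good cut-offs and the two departments' score floors are assumptions, and the file records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

BLOCK, ALLOW, WARN = "block", "allow", "warn"

# Assumed scale: the cloud returns a 0-100 safety score, or None while the rating is
# still developing. The cut-offs for "bad" and "good" reputation are assumptions.
BAD_SCORE_MAX = 20
GOOD_SCORE_MIN = 80


@dataclass(frozen=True)
class FileReputation:
    """Attributes the page says the reputation cloud tracks per file (constructed values)."""
    sha256: str
    users: int            # prevalence: how many users have the file
    age_days: int         # how long the file has been seen on the Internet
    score: Optional[int]


@dataclass(frozen=True)
class DownloadPolicy:
    """Administrator-set floors a download must clear for one department."""
    min_users: int
    min_age_days: int
    min_score: int


def default_decision(rep: FileReputation) -> str:
    """The three out-of-the-box DI/DA outcomes: block bad, allow good, warn on unproven."""
    if rep.score is not None and rep.score <= BAD_SCORE_MAX:
        return BLOCK
    if rep.score is not None and rep.score >= GOOD_SCORE_MIN:
        return ALLOW
    return WARN


def policy_decision(rep: FileReputation, policy: DownloadPolicy) -> str:
    """Department override: a known-bad file is always blocked; otherwise the file must
    clear the department's prevalence, age and score floors, and a file whose rating is
    still developing is warned about rather than silently allowed."""
    if default_decision(rep) == BLOCK:
        return BLOCK
    score = rep.score if rep.score is not None else 0
    if (rep.users < policy.min_users or rep.age_days < policy.min_age_days
            or score < policy.min_score):
        return BLOCK
    return ALLOW if rep.score is not None else WARN


# The two departments the page uses as examples; the score floors are assumed.
POLICIES: Dict[str, DownloadPolicy] = {
    "finance": DownloadPolicy(min_users=1000, min_age_days=14, min_score=GOOD_SCORE_MIN),
    "helpdesk": DownloadPolicy(min_users=100, min_age_days=0, min_score=50),
}


def evaluate(rep: FileReputation) -> Dict[str, str]:
    """Decision for the default client and for every department policy."""
    out = {"default": default_decision(rep)}
    for dept, policy in POLICIES.items():
        out[dept] = policy_decision(rep, policy)
    return out


# Constructed sample files (the hashes are placeholders, not real indicators).
KNOWN_BAD = FileReputation("sha256-placeholder-bad", users=50_000, age_days=400, score=5)
BRAND_NEW = FileReputation("sha256-placeholder-new", users=3, age_days=1, score=None)
POPULAR = FileReputation("sha256-placeholder-popular", users=2_000_000, age_days=900, score=95)
MID_TIER = FileReputation("sha256-placeholder-mid", users=500, age_days=30, score=60)

if __name__ == "__main__":
    for label, rep in [("known_bad", KNOWN_BAD), ("brand_new", BRAND_NEW),
                       ("popular", POPULAR), ("mid_tier", MID_TIER)]:
        print(label, evaluate(rep))
```

MID_TIER is the interesting case: the default client only warns, Finance blocks it on prevalence, and the help desk allows it because it clears that department's lower floors.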

Remediation

Although our goal is never to allow a threat to reach a machine, in the real world there are still situations where a user's system can get infected. Such circumstances likely include:

  • Users who previously had no installed security product.
  • Users whose product subscription expired.
  • Users attacked by a new zero-day threat.

Symantec remediation technologies address these situations by providing capabilities to clean up already infected machines. The core set of these technologies is built into all our antimalware security products.

More recently we made available a set of standalone tools to assist with remediating more aggressive infections. These tools include Norton Power Eraser and Symantec Power Eraser (included in the Symantec Endpoint Protection Support Tool). Features of these remediation tools include:

A Nimble and Easily Updatable Engine

Since the threat space is always changing in order to evade security suites, these tools can be easily updated to react to new zero-day threats.

Targeting Infections in Their Entirety

From the downloaders to the payloads and the rootkits that hide them, today's infections are complex, utilizing multiple components to orchestrate a profitable outcome for the hackers. The Power Eraser engine is tuned to detect and remove these risks by looking for behavioral patterns of not just the threat itself, but also the downloader that introduced the threat to the system in the first place.

Aggressive Detection Techniques

The Power Eraser engine utilizes multiple new heuristic engines and data analysis points in order to detect a broad range of threats. These include packer heuristics, load point analysis, rootkit heuristics, behavioral analysis, distribution analysis, and system configuration monitors.
