Security Technology and Response

Symantec’s Security Technology and Response (STAR) division, which includes Security Response, is a global team of security engineers, virus hunters, threat analysts, and researchers that provides the underlying security technology, content, and support for all Symantec corporate and consumer security products. The group is Symantec’s eyes and ears when it comes to surveying and keeping a finger on the pulse of the Internet security threat landscape.



STAR’s experts are focused on the constantly evolving Internet security threat landscape and generate much of Symantec’s security innovation. The division considers not only today’s threats but the threats of tomorrow and uses this intelligence to develop entirely new approaches to security. These technologies are being developed for every possible platform including the network infrastructure, servers, desktops, and mobile devices. STAR’s protection runs on hardware from the largest mainframe down to embedded processors used in low-power mobile devices.

Surveying the Internet Security Threat Landscape

STAR is part of the Office of the CTO headed up by Stephen Trilling. With response centers located throughout the world, STAR monitors malicious code reports from more than 130 million Symantec and Norton systems across the Internet, receives data from 40,000 network sensors in more than 200 countries, and tracks more than 25,000 vulnerabilities affecting more than 55,000 technologies from more than 8,000 vendors. The team uses this vast intelligence to develop and deliver the world’s most comprehensive security protection. STAR has three broad areas of responsibility:

Technology Research and Development

STAR oversees the research and development efforts for all of the security technologies that form the core protection capabilities of Symantec’s corporate and consumer security products. This includes the core antivirus engine that formed the nucleus of Symantec’s original security products, as well as more recent technologies such as anti-spyware, intrusion prevention, and behavioral detection. Over the past few years, STAR has also aggressively invested in an entirely new generation of technologies to ensure protection against both emerging and future threat classes; for example, STAR developed its industry-first reputation-based security technology to address the problem of today’s micro-distributed malware.

Security Response

STAR’s Security Response organization develops and deploys new security content (malware fingerprints, reputation data, behavioral rules, new heuristics, etc.) to Symantec’s tens of millions of customers, around the clock. Our team of global threat analysts operates a follow-the-sun model to provide 24x7 coverage to Symantec customers and to track the latest developments on the threat landscape. Analysts continuously monitor a worldwide network of Symantec-protected machines as well as a large-scale, global network of honeypots (machines designed to lure attackers). Using all of this data and intelligence, the Security Response team generates virus definitions and signature content for all of our core security technologies (e.g., spyware, adware, viruses, spam). This content is maintained in the STAR cloud-based infrastructure and, where appropriate, pushed out to our customers’ computers via our patented LiveUpdate™ technology.


In order to handle the massive volume of activity in today’s threat landscape, STAR has developed a sophisticated back-office infrastructure to automate most collection, analysis and deployment activities. This enables Symantec to discover new threats and deliver new protection to our global customer base extremely quickly.


Defense in Depth

STAR’s malware protection technologies break down into four broad categories:

File-based Protection

Our signature and heuristic scanning engines form the backbone of Symantec’s security solutions; these engines use dozens of techniques to scan files for both known as well as unknown threats. These engines currently scan for over 7.5 million signatures, in an average of 25 milliseconds per file! Collectively, these engines detect billions of threats per year.

Although these are the most mature of our protection technologies, STAR continues to invest and innovate our core scanning technologies to keep current with the latest developments on the threat landscape. Included in file-based protection are the AntiVirus Engine – Symantec’s unique scanning engine that enables fast and efficient scanning of files; Auto Protect – Symantec’s real-time file scanner that detects any threats the moment they are saved to the hard drive on your computer; and Malheur and Bloodhound – our heuristics-based protection technologies which detect new/unknown malware by searching for suspicious instructions within static files, before they have a chance to execute.

Network-based Protection

STAR’s network-based protection includes a set of technologies designed to block attacks just as they transition from the network cable or wireless network to the computer, before they have a chance to introduce malware onto a system. Unlike file-based protection, which must wait until a file is physically created on a user’s computer before scanning it, network-based protection analyzes all incoming data streams before they can be processed by the computer’s operating system and cause harm. This category consists of three distinct protection technologies: Network Intrusion Prevention (Network IPS) – a protocol-aware IPS that understands and scans more than 200 different network protocols for possible attacks; Browser Protection – an engine that sits inside the user’s web browser and can detect the most complex web-based threats that are invisible to traditional AV and network IPS; and Unauthorized Download Protection – the last line of defense, which helps mitigate unknown and unpatched vulnerabilities without the use of signatures, providing a further layer of insurance against zero-day attacks.

Behavior-based Protection

Behavior-based protection technology observes actively running threats on your computer and can terminate running programs if they exhibit malicious behaviors; this technology provides proactive protection from entirely new, previously unseen attacks. The main engine, called SONAR, features an artificial intelligence-based classification engine, human-authored behavioral signatures, and a behavioral policy lockdown engine. These engines look for sequences of suspicious behaviors in running programs that are uncharacteristic of legitimate software; when SONAR observes such a suspicious sequence, it can terminate and remove the offending program immediately, without any virus fingerprints. Our advanced behavioral engine provides protection against entirely new zero-day attacks.

Our SONAR system uses artificial intelligence techniques to learn the difference between good and bad applications. To train SONAR, our engineers have provided the system with almost 200 million different behavioral profiles of both good and bad applications. SONAR then learns how to differentiate between legitimate and malicious behaviors on its own, enabling it to identify new threats based on past experience. The system monitors nearly 400 different behaviors to make its classifications, enabling it to quickly spot malicious actions and remove bad applications before they can do damage.

To complement its artificial intelligence-based classification engine, SONAR also supports researcher-authored behavioral signatures. These signatures give STAR researchers the ability to identify entirely new malware threats that exhibit well-defined sets of behaviors; these signatures are useful since many malware families contain thousands of mutated variants, each of which looks entirely different on disk, yet all of these variants exhibit the same basic behavioral characteristics.

One well-written behavioral signature can instantly protect against the entire malware family. In addition, some of today’s most advanced threats literally “inject” themselves into legitimate applications or operating system files, from where they perform malicious actions. In such cases, it can be dangerous to remove these threats without causing damage to the underlying operating system or application. To address these threats, SONAR has the ability to impose a virtual sandbox around the infected but legitimate application. By doing so, SONAR can prevent the infected application from taking any malicious actions that might harm the computer.

Reputation-based Protection (Insight)

The initial version of this technology was first deployed in our Norton products in September 2009. This reputation-based technology blocks access to malicious files and websites based on the “crowd-based” wisdom of over 100 million customers.

The Insight reputation-based security system addresses the latest development in the threat landscape, that of micro-distributed malware. In prior years, attackers distributed a relatively small number of unique threats to millions of machines, making fingerprinting relatively easy. Today, attackers generate millions of distinct, mutated threats, sending each one to a very small number of machines. Our data shows that most threats today are observed on fewer than 20 machines across the globe. With attackers generating more than 600,000 new variants per day, it is not feasible for security vendors to create, test and distribute the volume of traditional signatures necessary to address the problem. Moreover, given their micro-distribution, many of these threats are never discovered or sent to security vendors for fingerprinting. And if the security vendor never receives a sample, it can’t fingerprint it. The result is millions of unique infections that totally bypass traditional fingerprints.

Symantec’s Insight leverages the anonymous usage patterns of Symantec’s massive user base to accurately derive security ratings for virtually every application, good and bad, across the Internet. The system derives security ratings by analyzing the distribution patterns (or lack thereof) of each file across Symantec’s huge user base.

To compute these ratings, Symantec users contribute anonymous, real-time telemetry data about the applications they use. STAR then supplements this data with telemetry from the Symantec Global Intelligence Network, from our Security Response organization and from legitimate software vendors who provide data on their newly published applications to Symantec. This data is incorporated into a large-scale model of relationships between files and anonymized machines, not unlike a massive anonymous social network, that is then processed to derive security ratings for every application. Currently, the Insight system is tracking more than 2.5 billion good and bad files from more than 175 million participating users and is discovering new files at a rate of more than 22 million per week.
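The following is an added illustration of the prevalence-based reasoning described above; it is example code written for this page, not Symantec’s Insight implementation. It assumes a simplified telemetry format (anonymized machine id, file hash, first-seen day) and assumed cut-offs: the 20-machine prevalence threshold echoes the page’s observation about micro-distributed threats, while the 7-day age requirement and the rating labels are choices made for the example.

```python
from collections import defaultdict

# Constructed telemetry: (anonymized machine id, file hash, day the machine first reported the file).
# All hashes, machine ids and days below are made up for this example.
TELEMETRY = (
    [(f"machine-{i}", "sha256:popular-tool", 1) for i in range(1, 31)]     # 30 machines, seen for weeks
    + [(f"machine-{i}", "sha256:fresh-dropper", 40) for i in range(1, 4)]  # 3 machines, first seen today
    + [(f"machine-{i}", "sha256:vendor-release", 40) for i in range(1, 3)] # new, but vendor-published
)
VENDOR_PUBLISHED = {"sha256:vendor-release"}   # hashes a legitimate software vendor supplied in advance
KNOWN_BAD = {"sha256:fresh-dropper-sibling"}   # fingerprints produced by Security Response analysts


def build_profiles(telemetry):
    """Collapse raw telemetry into per-file prevalence (distinct machines) and first-seen day."""
    machines = defaultdict(set)
    first_seen = {}
    for machine, file_hash, day in telemetry:
        machines[file_hash].add(machine)
        first_seen[file_hash] = min(day, first_seen.get(file_hash, day))
    return {h: {"prevalence": len(machines[h]), "first_seen": first_seen[h]} for h in machines}


def rate(file_hash, profiles, today, vendor_published=VENDOR_PUBLISHED, known_bad=KNOWN_BAD,
         min_prevalence=20, min_age_days=7):
    """Rate a file. Analyst fingerprints and vendor-supplied data override crowd telemetry;
    otherwise the rating comes from how widely and how long the file has been seen.
    The thresholds are assumptions for this example, not Insight's real parameters."""
    if file_hash in known_bad:
        return "bad"
    if file_hash in vendor_published:
        return "good"
    profile = profiles.get(file_hash)
    if profile is None:
        return "unknown"        # no crowd evidence at all yet
    age_days = today - profile["first_seen"]
    if profile["prevalence"] >= min_prevalence and age_days >= min_age_days:
        return "good"           # widely used for a while without being flagged
    if profile["prevalence"] < min_prevalence and age_days < min_age_days:
        return "unproven"       # micro-distributed and brand new: the profile the text describes
    return "unknown"            # partial evidence: leave for other protection layers


if __name__ == "__main__":
    profiles = build_profiles(TELEMETRY)
    for h in ("sha256:popular-tool", "sha256:fresh-dropper", "sha256:vendor-release", "sha256:never-seen"):
        print(h, rate(h, profiles, today=40))
```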


Symantec Intelligence

A key part of protecting customers is ensuring that they have access to information about new and existing threats in a timely manner. Vast amounts of knowledge are acquired by Symantec’s security sensors and researchers as they continuously monitor and analyze the threat landscape. This knowledge has great value not only in developing innovative security technology, but also for informing computer users on threat trends and security best practices.

Communicating Symantec Security Intelligence

STAR engages in many different communication programs to share security knowledge, including:

  • Security Center: This portal enables business customers and computer users to get the latest threat and protection information. It contains detailed write-ups on the latest security threats and vulnerabilities, as well as details about the protection provided by Symantec.
  • Security Response Blog: This blog hosts a continuous stream of current articles and real-time updates on developments in the threat landscape.
  • Security Publications: These reports summarize the broad threat landscape and provide detailed data on new developments and regional trends. Key reports published include: