STAR Malware Protection Technologies


Security Technology and Response (STAR) is the Symantec division responsible for the innovation and development of our security technologies, which address protection in five areas: file, network, behavior, reputation, and remediation.

Within Symantec, Security Technology and Response (STAR) oversees the research and development efforts for all of our malware security technologies. These form the core protection capabilities of Symantec’s corporate and consumer security products.

The Security Technology and Response (STAR) organization, which includes Security Response, is a worldwide team of security engineers, threat analysts and researchers that provides the underlying functionality, content and support for all Symantec corporate and consumer security products. With Response centers located throughout the world, STAR monitors malicious code reports from more than 130 million systems across the Internet, receives data from 240,000 network sensors in more than 200 countries and tracks more than 25,000 vulnerabilities affecting more than 55,000 technologies from more than 8,000 vendors. The team uses this vast intelligence to develop and deliver the world’s most comprehensive security protection. There are approximately 550 employees in STAR.

Some years ago, traditional antivirus technologies were all that was needed to protect an endpoint from attack. However, with the dramatic shift in the threat landscape over the last few years, it is no longer reasonable to think that antivirus-based technologies alone are sufficient. To address this, STAR has developed a collaborative ecosystem of security technologies to protect Symantec’s users from malicious attacks.

Top Threat Vectors these technologies protect against:

  • Drive-by Downloads and Web Attacks
  • Social Engineering Attacks – FakeAV and Fake Codecs
  • Bots and Botnets
  • Non-Process and Injected Threats (NPT)
  • Targeted Attacks including Advanced Persistent Threats (APT), Trojans and general Malware Zero-day threats
  • Malware as the result of drive-by downloads that bypassed other layers of protection
  • Malware using rootkit techniques to hide

This ecosystem comprises the following five areas, which work in collaboration:

  • File-Based Protection continues to play a major protection role due to new innovations in static file heuristics.
  • Network-Based Protection can detect when both known and unknown vulnerabilities are used to enter a user's system.
  • Behavior-Based Protection looks at the dynamic behavior of malicious activity rather than static characteristics.
  • Reputation-Based Protection examines the meta information of a file – its age, origin, how it travels, where it exists, etc.
  • Remediation is a set of technologies that can help clean up an infected system.

By collaborating, each technology is able to operate more efficiently and more effectively to determine whether a given situation is malicious or not. As each technology learns different attributes about a process or a file, it will share what it learns with the other technologies. For example, the network-based protection technologies are able to track where web downloaded files originate and thereby share this information with the other technologies.

Greater detail on each technology type is given in the following sections.

File-Based Protection

A common misconception about antivirus file scanners is that they simply look for known patterns in files in order to determine if a file is good or bad. Actually, modern antivirus solutions go beyond simple pattern matching and apply generic and heuristic techniques when looking for threats. In fact, the best antivirus engines provide multiple methods for identifying known and unknown threats. Symantec’s file-based protection is one such technology.

File-based security has a long history as one of the cornerstones of our protection technologies. STAR continues to invest in and drive innovation to our file-based security to keep current with the latest developments on the threat landscape. Having infected files on a target machine is one of the main methods for threats to maintain a presence on a machine beyond the initial attack. Because of this, file-based protection will always be instrumental in detecting, neutralizing and removing threats on our customers’ machines. Common threat vectors that file based technology protects against include:

  • Malware and Viruses
  • Targeted Attacks including Advanced Persistent Threats (APT), Trojans and general Malware
  • Social Engineering Attacks – FakeAV and Fake Codecs
  • Bots and Botnets
  • Rootkits
  • Malicious PDFs and Microsoft Office Documents (PowerPoint, Excel and Word)
  • Malicious compressed files
  • Spyware and Adware
  • Keyloggers

In order to address these threats, four components form the core of our file-based protection technology: the antivirus engine, Auto Protect, the ERASER engine, and our heuristic technologies, Malheur and Bloodhound.

Antivirus Engine

Symantec's unique scanning engine is broadly deployed on over 350 million machines. It is a stable, high-performance security technology providing advanced detection against the latest threats. The engine is frequently updated in the field via LiveUpdate to seamlessly respond to new threats. This allows us to update the detection capability of our product without requiring a complete product update.

Auto Protect

Symantec’s real-time file scanner detects threats being written to or from a file system. Written at the kernel level, Auto Protect is a high-performance and low-footprint scanning engine that protects against the latest threats while staying out of the user's way. When files are written to a machine’s disk, Auto Protect is triggered and uses the antivirus, Malheur and Bloodhound engines to scan the files. By running at such a low level, Auto Protect can block an infected file before it has a chance to run and infect the system. In addition to file protection, Auto Protect delivers key functionality for Download Insight, part of our advanced analytics reputation technologies.

ERASER Engine

Symantec’s ERASER engine provides repair and removal capability for threats found on a customer’s system by our various detection technologies. ERASER is also responsible for checking that drivers and applications that run at startup are not malicious. To ensure that our product is not being tricked by rootkits or other malware, ERASER uses a number of techniques that bypass regular system registry and disk lookups. These technologies allow ERASER to perform direct registry and direct disk access.

Malheur & Bloodhound

In addition to signature-based detections, we provide technologies that can convict a file that has never been seen before but has characteristics common to malicious files. This heuristics-based protection is provided by our Malheur and Bloodhound technologies. Heuristic signatures can detect unknown malware based on file attributes, attempts to exploit vulnerabilities, and other common actions found in known malware.

A Deeper Dive into Features

Each of the following sections describes a file-based technology feature that is intrinsic to the core components explained above.

Broad File Support

Compressed files and files embedded inside other files are among the broad set of file types that can be examined for hidden malware. A partial list of analyzed file types includes:


Unpacker Engine

In some cases, malware will use “packer” technology to obfuscate its files in an attempt to avoid detection by simplistic pattern matching algorithms. Our Unpacker Engine can:

  • Decompress affected executable files.
  • Recognize hundreds of distinct packer families.
  • Recursively unpack files that are multiply-packed until the core malware is reached.

Generic Virtual Machine

The GVM allows code to be executed in a sandboxed, safe environment.

  • It is a byte-code-based system, like Java or C#, making it extremely safe to rapidly produce new protection technologies without crashes or hangs.
  • Applies extremely complex heuristics and family signatures, for threats like Trojan.Vundo.
  • Performs all scanning of non-traditional file formats; e.g., PDF, DOC, XLS, WMA, JPG, etc.

Anti-Polymorphic Engine

Includes advanced CPU emulation technology to trick polymorphic malware into de-cloaking.

Anti-Rootkit Technology

Symantec has 3 different anti-rootkit technologies designed to find and remove even the most stubborn rootkits like Tidserv and ZeroAccess, working around stealthing techniques commonly used by rootkits. The techniques include:

  • Direct access to hard drive volumes.
  • Direct registry hive scanning.
  • Kernel memory scanning.

Anti-Trojan Engine

Includes advanced hashing techniques to simultaneously scan for millions of Trojans and spyware threats in microseconds.

  • Locates and extracts key file regions known to contain malware logic.
  • Takes cryptographic hashes of each section and looks them up in the fingerprint database.
  • Advanced algorithms enable the Anti-Trojan Engine to simultaneously scan for tens of millions of malware strains in literally microseconds.

Photon Engine

Uses 'fuzzy' signatures to identify both known and new, unknown malware variants.

  • Scans files using hundreds of thousands of fuzzy signatures simultaneously, drastically improving scan performance.
  • The fuzzy signatures can detect entirely new malware strains the moment they're released.

Advanced Heuristic Engines

Focused detection of server-side polymorphed strains.

  • Over a dozen different heuristics (and growing) search for different suspicious file characteristics.
  • All suspicious files are correlated against Symantec’s reputation cloud and our digital signature trust list.
  • Engines use context to adjust heuristic sensitivity; e.g., heuristics are more suspicious of newly downloaded files than of installed applications.

Network-Based Protection

Network-based protection is a set of technologies designed to block malicious attacks before they have a chance to introduce malware onto a system. Unlike file-based protection that must wait until a file is physically created on a user’s computer, network-based protection starts to analyze the incoming data streams that arrive onto a user’s machine via network connections and blocks threats before they hit the system.

Top Threat Vectors Symantec’s Network-Based technology protects against:

  • Drive-by Downloads and Web Attack Toolkits
  • Social Engineering Attacks – FakeAV and Fake Codecs
  • Attacks via Social Media such as Facebook
  • Detection of Malware, Rootkit and Bot Infected Systems
  • Obfuscated Threat Protection
  • Zero-day threats
  • Protection from Unpatched Software Vulnerabilities
  • Protection from Malicious Domains and IP addresses

This category consists of three distinct protection technologies:

Network Intrusion Prevention Solution (Network IPS)

The protocol-aware IPS understands and scans over 200 different protocols. It intelligently and accurately breaks apart binary and network protocols looking for signs of malicious traffic. This intelligence allows for highly accurate network scanning while delivering robust protection. At its heart is a generic exploit-blocking engine, which provides evasion-proof blocking of attacks on vulnerabilities. A unique feature of the Symantec IPS is that no configuration is needed to enable Network IPS protection capabilities out of the box. Every Norton consumer product and every Symantec Endpoint Protection 12.1 and later enable this crucial technology by default.

Browser Protection

This protection engine sits inside the browser and can detect the most complex threats that traditional antivirus and Network IPS methods are unable to detect. Many network-based attacks today use obfuscation to avoid detection. Because Browser Protection operates inside the browser it is able to watch de-obfuscated code as it executes and so is able to detect and block attacks which are missed at lower layers of inspection within the protection stack.

Un-Authorized Download Protection (UXP)

Within the Network-based protection layer, this last line of defense helps mitigate unknown and unpatched vulnerabilities, without the use of signatures, providing a further layer of insurance against zero-day attacks.

Targeting the Problems

Together these network-based protection technologies address the following problems.

Drive-by Downloads and Web Attack Toolkits

Leveraging the Network IPS, Browser Protection, and our UXP technology, Symantec’s Network Threat Protection technologies block drive-by downloads and keep malware from ever reaching the end system. We use a variety of prevention methods with these technologies including our Generic Exploit Blocking technology (mentioned below) and our generic web-attack toolkit detection. Our generic web-attack toolkit detection analyzes network characteristics of common web-attack toolkits regardless of the vulnerabilities being attacked delivering additional zero-day protection against new vulnerabilities as well as protection against the web-attack toolkits themselves. The best part of this protection against Web Attack Toolkits and Drive-by downloads is that the malware that would have silently infected a user's system is proactively stopped and kept off the system, something usually missed by traditional detection technologies. Symantec continues to block tens of millions of variants of malware that are not usually detected by any other means.

Social Engineering Attacks

Since our protection technologies are looking at the network and browser traffic as it is being rendered, we are able to use the intelligence of the endpoint to determine if a social engineering attack, like a fake antivirus solution or fake codec, is popping up. Our technologies work to block social engineering attacks before they are displayed, thwarting their attempts to trick the end-user. Most of the other competitive solutions do not include this powerful capability. Our solution stops millions of attacks that, if left to execute, other traditional signature-based technologies would normally not detect.

Symantec blocks hundreds of millions of social engineering attacks with the network threat protection technology.

Attacks targeting Social Media Applications

Social Media applications have become a way to instantly share personal and professional updates, interesting videos and information with thousands of our friends. This instantaneous quest for updates and the breadth of those networks also mean it is a key focus of hackers, who use it to infect you. Some of the common hacker techniques include compromising accounts and sending out spam or malicious links, tricking users into taking fake surveys, or Facebook “Likejacking” attacks, where a user is lured into clicking on a link to watch a video while an invisible “Like” button follows the mouse cursor around. You instantly Like the update whether you intended to or not.

Symantec’s IPS technology can protect against these types of attacks, often thwarting them before the user is ever tricked into clicking on something. Symantec stops rogue and malicious URLs, applications and scams with the Network-based protection technology.

Detection of Malware, Rootkit and Bot Infected Systems

Wouldn’t it be nice to know where infected computers are in your network? Our Network IPS solution provides this capability and includes detection and remediation of threats that might have been able to bypass other protection layers. We detect malware and bots trying to ‘phone-home’ or get updates to spread more malicious activities. This gives IT managers, who have a clear punch-list of infected systems to investigate, the assurance that their enterprise is secure. Polymorphic and challenging threats using rootkit methods to hide such as Tidserv, ZeroAccess, Koobface and Zbot, can be detected and stopped using this method.

Obfuscated Threat Protection

Today’s web-based attacks use complex methods to hide or obfuscate attacks. Symantec’s Browser Protection sits inside the browser and can detect highly complex threats that traditional methods usually do not.

Zero-Day and Unpatched Vulnerabilities

One of our more recent protection additions is our added layer against zero-day and unpatched vulnerabilities. Using signature-less protection, we intercept System API calls and prevent malware from being downloaded – what we call our Un-Authorized Download Protection (UXP). This is the last line of defense within our Network Threat Protection technology and helps mitigate unknown and unpatched vulnerabilities without the use of signatures. This technology is enabled automatically and has been shipping since the debut of Norton 2010.

Protection From Unpatched Software Vulnerabilities

Malware is often silently installed on systems by exploiting software vulnerabilities. Symantec’s Network Protection solutions provide an additional layer of protection called Generic Exploit Blocking (GEB) technology. Regardless of whether a system is patched or not, GEB ‘generically’ protects against the exploitation of underlying vulnerabilities. Vulnerabilities within Oracle Sun Java, Adobe Acrobat Reader, Adobe Flash, Internet Explorer, ActiveX controls, or QuickTime are commonly found in today’s threat landscape. We created our Generic Exploit Blocking protection by reverse engineering how the vulnerability could be exploited and then looking for the characteristics of the exploitation on the network, essentially providing a network-level patch. One single GEB or vulnerability signature can protect against thousands of variants of malware that Symantec or other security vendors have not seen before.

Malicious IP and Domain Blocking

Symantec’s Network-based Protection also includes Malicious IP and Domain blocking capabilities, preventing malware and malicious traffic from ever arriving from known malicious websites. By leveraging analysis from the Security Technology and Response team to find malicious websites and distributing updates via LiveUpdate, Symantec delivers real-time protection against the continually changing threats.

Improved Evasion resistance

Additional encoding support has been added to improve detection efficacy and improve evasion resistance in attacks when encoded with common techniques like base64 and gzip.

Network Audit Detection for Policy Use Enforcement and Data Leakage Identification

Network IPS can be used to identify applications and tools that may violate corporate use policies or be used to leak data via the network. It is possible to detect, alert on or prevent traffic such as Instant Messaging, Peer to Peer, logging in to open shares, Social media and other 'interesting' traffic.

STAR Intelligence Communication Bus

The Network Protection technology doesn’t work by itself. This engine shares intelligence with our other protection technologies using the STAR Intelligence Communication Bus (STAR ICB). The Network IPS engine communicates with the Symantec SONAR engine as well as the Insight Reputation engine, allowing for more informed and accurate protection that no other security company can deliver.

Symantec Products

The following contain forms of network-based protection.

Behavior-Based Protection

Millions of end users today are tricked into clicking on malware that is masquerading as video players or rogue antivirus applications that do nothing except infect the user and social engineer the user into paying for software that doesn’t do anything. Drive-by downloads and web-attack toolkits are silently infecting users who visit mainstream websites by the hundreds of millions. Some malware will install rootkits or inject malicious code into running programs and system processes. Malware today can be dynamically generated, rendering file-based detection insufficient for protecting end users' systems.

Why Behavior-based security?

In 2010, Symantec saw more than 286 million variants of malware and blocked more than 3 billion attacks. With the continued growth of malware threats and variants, Symantec saw the need to create industry-leading innovative approaches to prevent malware infections and to protect users silently and automatically no matter what the end user does or how the malware gets onto the end users' systems. Symantec’s Insight Reputation Technology and our Symantec Online Network for Advanced Response (SONAR) behavior-based security are two of those innovative approaches.

Behavior-based security technologies are best positioned to scale to this rate of rapid growth due to the fact that behaviors can generalize a vast population of malicious files and good files far better than file-based heuristics. Behaviors hardly change or cannot be changed very easily without serious effort that is detrimental to malware propagation and creation strategies.

Behavior-based protection technology provides an effective and non-invasive protection from previously unseen zero-day computer threats. SONAR is the solution that provides protection against threats based on what the application does rather than what the application looks like. SONAR is the main engine of our behavior-based technology and features: a classification engine based in artificial intelligence, human-authored behavioral signatures, and a behavioral policy lockdown engine. Together these components combine to provide industry-leading security protection against threats that are most often social engineered and targeted attacks.

Top Threat Vectors Symantec’s Behavior-Based technology protects against:

  • Targeted Attacks including Advanced Persistent Threats (APTs), Trojans, Spyware, Keyloggers and general Malware
  • Social Engineering Attacks – FakeAV, Rogue Key Generators and Fake Codecs
  • Bots and Botnets
  • Non-Process and Injected Threats (NPTs)
  • Zero-day threats
  • Malware as the result of drive-by downloads that bypassed other layers of protection
  • Malware using rootkit techniques to hide

When does the Symantec Behavior Based technology layer provide protection?

No matter if the user executes the malicious application on purpose (tricked by social engineering) or malware attempts to automatically and silently get installed by a web-based attack like a drive-by download, SONAR stops malware from infecting systems in real-time after the malware is executed or started or tries to inject itself into running processes (NPTs). Providing zero-day protection against Hydraq/Aurora, Stuxnet, as well as malware embedding rootkits like Tidserv and ZeroAccess, has shown SONAR to be an essential technology for endpoint protection.

How does it work? Classification Engine Based in Artificial Intelligence

Symantec has built up one of the world’s largest databases of behavioral profiles on nearly 1.2 billion application instances. By analyzing the attributes of what good applications and bad applications do using machine learning analysis, Symantec is able to create profiles of behaviors for applications that haven’t even been created yet! Relying on almost 1,400 different behavioral attributes and rich context that we can gather from our other endpoint security components such as the Insight, IPS, and AV engine, the SONAR classification engine is quickly able to spot malicious behaviors and take action to remove bad applications before they do damage. In 2011, more than 586 million executables, dll’s and applications were analyzed by SONAR for Norton and Symantec customers.

Non-process Based Threat Protection

Today’s threats are not always just standalone malware executables. They try to hide as soon as possible by injecting into commonly running processes or applications, or by registering components with extensible applications, thereby concealing their malicious activity behind trusted OS processes or trusted applications. As an example, when malware runs, it can inject malicious code into running processes, such as explorer.exe (desktop shell process) or IExplorer.exe (Internet Explorer browser), or register malicious components as extensions to such applications. Henceforth the malicious activity is exhibited by well-known and trusted OS components. SONAR prevents the code from being injected into the target process by classifying the source process that attempts the injection. It also classifies and, if necessary, prevents malicious code from being loaded or executed in the target/trusted process.

Behavioral Policy Lockdown

Drive-by downloads work by exploiting vulnerabilities in browser plugins such as Adobe Reader, Oracle Sun Java, and Adobe Flash. After the vulnerability has been exploited, the drive-by download can get the vulnerable application to silently launch any application it wants. By creating a behavioral policy lockdown definition, we can block malicious behaviors such as “Adobe Acrobat should not be creating other executables” or “dll’s should not be allowed to be injected into the explorer.exe process”, thereby protecting the system. This can be described as locking down a behavior based on a policy or rule. These SONAR definitions/policies are created by the Symantec STAR team and automatically deployed in blocking mode, and require no management by the customer. This prevents suspicious behaviors from good applications and automatically protects users.

Behavioral Policy Enforcement (BPE) Signatures

Being able to evolve with the continually changing threat landscape is the essential part of our SONAR technology and our protection is expanded with the ability to target tomorrow’s threats as well. When a new family of threats is seen, such as a new rootkit, Trojan, FakeAV or other type of malware, we can now create new behavioral signatures in order to detect a new family of threats and release them without having to do code updates to the product. These are called SONAR Behavioral Policy Enforcement signatures. These signatures are fast to write, test, and deploy and they give SONAR the flexibility and adaptability to respond to certain classes of emerging threats with a very low false-positive rate. We have many SONAR BPE signatures targeting FakeAV misleading apps to specific malware threats and rootkits like Graybird, Tidserv, ZeroAccess and Gammima.

So how do the BPE Signatures work?

Let’s take a look at an application that gets executed.

  • It drops certain components in the windows temp directory
  • It adds a bunch of registry entries
  • It changes the hosts file
  • It doesn’t have a user interface
  • And it opens up communications on high ports

Any one of these behaviors alone may not be “bad”, but taken as a whole the behavioral profile is bad. Our STAR analyst creates a rule that says if we see this sequence of behaviors from executables with certain Insight Reputation characteristics, then we should stop the process from executing and roll back the changes. SONAR has the ability to implement a virtual sandbox around the infected but legitimate application and by doing so can prevent the infected application from taking any malicious actions that might harm a user’s computer. This is quite a new paradigm in endpoint security protection, leveraging what the application does and how it behaves rather than what it looks like.
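The rule described above, as an added illustration that is not SONAR's own code: the five behaviours from the list are counted over a constructed event stream, the rule fires only when the whole profile is present and the file's (constructed) Insight reputation attributes are poor, and a change journal rolls the process's changes back on conviction. The event kinds, reputation fields, thresholds and sample data are all assumptions.

```python
"""Added example (not Symantec's SONAR code): a minimal BPE-style behavioural
rule evaluated over a constructed event stream, gated on constructed Insight
reputation attributes, plus a change journal that can roll the process's
changes back. All names, thresholds and sample data are assumptions."""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str     # "file_write", "reg_set", "hosts_modify", "listen", "gui"
    detail: str   # path, registry key, port number, ...


@dataclass
class Reputation:
    prevalence: int   # machines the file has been seen on (assumed attribute)
    age_days: int     # days since first seen (assumed attribute)
    signed: bool      # carries a trusted digital signature


def behaviour_profile(events):
    """Count each behaviour from the page's list across the event stream."""
    counts = {"drops_in_temp": 0, "adds_registry": 0, "modifies_hosts": 0,
              "high_port_listen": 0, "has_ui": 0}
    for e in events:
        if e.kind == "file_write" and "\\temp\\" in e.detail.lower():
            counts["drops_in_temp"] += 1
        elif e.kind == "reg_set":
            counts["adds_registry"] += 1
        elif e.kind == "hosts_modify":
            counts["modifies_hosts"] += 1
        elif e.kind == "listen" and int(e.detail) > 1024:
            counts["high_port_listen"] += 1
        elif e.kind == "gui":
            counts["has_ui"] += 1
    return counts


def matches_bpe_rule(events, rep, min_registry_writes=3):
    """Hypothetical rule: convict only when the WHOLE profile is present
    (no single behaviour is enough) and the file is low-reputation."""
    c = behaviour_profile(events)
    profile_bad = (c["drops_in_temp"] > 0 and c["adds_registry"] >= min_registry_writes
                   and c["modifies_hosts"] > 0 and c["high_port_listen"] > 0
                   and c["has_ui"] == 0)
    low_reputation = rep.prevalence < 50 and rep.age_days < 7 and not rep.signed
    return profile_bad and low_reputation


class ChangeJournal:
    """Sandbox-style journal: remember prior values so a conviction can
    roll the system state back to what it was before the process ran."""
    def __init__(self):
        self.entries = []

    def apply(self, state, key, new_value):
        self.entries.append((key, state.get(key)))   # None = key did not exist
        state[key] = new_value

    def rollback(self, state):
        for key, old in reversed(self.entries):
            if old is None:
                state.pop(key, None)
            else:
                state[key] = old
        self.entries.clear()
        return state


# Constructed sample run: the behaviour list from the page, in order.
SAMPLE_EVENTS = [
    Event("file_write", r"C:\Users\u\AppData\Local\Temp\svc.dll"),
    Event("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event("reg_set", r"HKCU\Software\svc\cfg"),
    Event("reg_set", r"HKCU\Software\svc\id"),
    Event("hosts_modify", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("listen", "49152"),
]
LOW_REP = Reputation(prevalence=2, age_days=1, signed=False)       # constructed
HIGH_REP = Reputation(prevalence=500000, age_days=400, signed=True)  # constructed


def run_sample():
    """Apply the sample changes through the journal, evaluate the rule,
    and roll back on conviction. Returns (convicted, final_state)."""
    state = {"hosts": "127.0.0.1 localhost"}
    journal = ChangeJournal()
    for e in SAMPLE_EVENTS:
        if e.kind == "reg_set":
            journal.apply(state, e.detail, "1")
        elif e.kind == "hosts_modify":
            journal.apply(state, "hosts", "127.0.0.1 update.vendor.example")
    convicted = matches_bpe_rule(SAMPLE_EVENTS, LOW_REP)
    if convicted:
        journal.rollback(state)
    return convicted, state
```

The same event stream from a widely deployed, signed file (HIGH_REP) does not match, which is the reputation gate the text describes.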

Automated Remediation of malicious files with sandboxing

The real-time behavioral protection engine monitors and sandboxes applications, processes and events as they are happening instead of statically. System changes can be rolled back to prevent the malicious activity from impacting the system.

Real-time application and process monitoring

SONAR monitors and protects against over 1,400 aspects of all running applications, dll’s and processes delivering real-time protection against threats as they execute.

STAR Intelligence Communication Bus

The SONAR technology doesn’t work by itself. This engine shares intelligence with our other protection technologies using the STAR Intelligence Communication Bus (STAR ICB). The SONAR engine communicates with the Network IPS, AV and the Insight Reputation engine, allowing for more informed and accurate protection that no other security company can deliver.

Reputation-Based Protection

The newest addition to the suite of protection technologies developed by STAR, reputation-based security, addresses the latest development in the threat landscape, that of micro-distributed malware. Using the combined wisdom of over 130 million contributing users, our reputation system learns which applications are good and bad based on the anonymous adoption patterns of our users. It then uses this intelligence to automatically classify virtually every software file on the planet. This reputation data is utilized by all of Symantec's products to automatically block new malware and, conversely, to identify and allow new legitimate applications.

The Problem: A Changing Threat Landscape

In prior years, relatively small numbers of threats were distributed to millions of machines. Each one could easily be stopped with a single antivirus signature deployed to each protected system. Realizing this, malware authors have shifted techniques and today use a variety of obfuscation techniques to rapidly change the appearance of the threats they produce. It has become commonplace to see attackers generate a new threat variant in real-time for each victim, or a handful of victims, resulting in hundreds of millions of distinct new variants every year.

These threats are then distributed via web-based or social engineering attacks to targeted computers. Our data shows that most threats today end up on less than 20 machines across the globe making it nearly impossible for security companies to learn about most of these threats, capture a specimen, analyze it and write a traditional reactive signature. With over 600,000 new variants being created per day (Symantec received 240 million unique threat hashes last year from protected customer machines), it is infeasible to create, test, and distribute the volume of traditional signatures necessary to address the problem.

The Solution: Reputation-Based Protection

Traditional fingerprinting of a virus requires the security vendor to obtain a specimen of each threat before they can provide protection. Symantec's reputation-based security takes a totally different approach. It doesn't just focus on bad files, but attempts to accurately classify all software files, both good and bad, based on countless anonymous telemetry "pings" sent to Symantec every second of every day from around the world. These near real-time pings tell Symantec about:

  • The applications being deployed on our customer's machines (each application is uniquely identified by its SHA2 hash).
  • Where applications came from on the web.
  • Whether or not the applications are digitally signed.
  • How old the applications are.
  • A host of other attributes.

We add to this data from our Global Intelligence Network, our Security Response organization, and legitimate software vendors who provide application instances to Symantec.

This data is incorporated into a large-scale model, not unlike Facebook's social network, and is composed of links between applications and anonymous users rather than just user-to-user connections. This encodes the relationships between all of these files and our millions of anonymous users. We then analyze this application-user network in order to derive safety ratings on every single application – identifying each as either good, bad, or somewhere in between. Currently this system is tracking more than 1.98 billion good and bad files and is discovering new files at the rate of more than 20 million per week.


Symantec client, server and gateway products use Reputation data to help improve their protection in the following four ways:

Superior Protection

The reputation system computes highly accurate reputation ratings on every single file, both good and bad. This is not only effective against popular malware, but can also identify even the most arcane threats – even those affecting just a handful of users across the entire Internet. This increases detection rates across all categories of malware.

The most visible aspect of the increased protection provided by reputation can be seen in the Download Insight (DI) feature in Norton products and our Download Advisor (DA) feature of our Symantec Endpoint Protection product. DI/DA intercepts every new executable file at the time of download from the Internet. Then it queries the Symantec reputation cloud for a rating. Based on ratings received from the cloud, DI/DA takes one of three different actions:

  • If the file has developed a bad reputation, it is blocked outright.
  • If the file has developed a good reputation, the file is allowed to run.
  • If a file is still developing its reputation and its safety is unknown, the user is warned that the file is unproven. The user can then decide, based on their tolerance for risk, whether or not they want to use the file. Alternatively, in corporate deployments, the administrator can specify different block/allow thresholds for different departments based on each department's unique tolerance for risk.

Prevents False Positives

Two separate aspects of the technology contribute to further lowering Symantec's already markedly low false-positive rates on legitimate software:

Firstly, because reputation-based technology derives its file ratings from the social adoption graph rather than from the contents of each file (as traditional antivirus scanning does), it provides a second opinion to augment our traditional detection technologies such as antivirus heuristics or behavior blocking. If both opinions point to a file being 'malicious', the likelihood of a wrong conviction becomes infinitesimally small.

Secondly, because the system maintains prevalence information on all executable content, this information can also be factored into the decision to convict or not. For example, an ambiguous conviction on a file that is on only two systems across the globe would be far less damaging than a comparable conviction of a file that is on millions of machines. Factoring this information into every decision means better informed decisions that better protect our users.

Improved Performance

A typical user's machine has many thousands of files that never change, and, with very few exceptions, all of these files are good. However, because traditional antivirus focuses on looking for bad files based on a list of known malicious threats, it has to scan every file on a user's system to compare it against the list of known threats. As new threats are discovered, each file on a user's system must be rescanned with the new signatures to see if the file matches any of the newly discovered threats.

This becomes a very inefficient process when you consider that security vendors publish thousands of new virus signatures each day. Reputation-based security, however, has accurate safety ratings on all files – both good and bad – by design. This enables products with reputation technology to scan a user's system, definitively mark known good files as good and set them aside so they are not scanned again – unless their contents change. This has a dramatic impact on performance, reducing the resource needs of traditional scans and real-time protection by as much as 90 percent – providing a much improved user experience.

Policy-Based Lockdown

Traditional security solutions have focused on blocking known malware in a binary way – anything that is definitively identified as bad is removed from a user's machine and everything else is left alone (whether or not it's actually bad). This leaves many real-world opportunities for malware to gain a foothold on a user's system unaddressed. Consider a brand new piece of malware that has just been created by a cybercriminal: it is highly likely that existing antivirus signatures will not be able to detect such a threat, since the vendor has never had a chance to analyze it first. Unless the new threat exploits a known vulnerability or exhibits a predetermined pattern of suspicious behaviors, it may go undetected by existing security techniques. Reputation-based security helps users and IT administrators address this situation by making better, more informed decisions about the executable content that they allow onto their machines.

In addition to managing information on whether a file is good or bad, Symantec's reputation-based system maintains additional attributes like each file's prevalence and age. These attributes can be used to implement policies in our upcoming enterprise products that enable administrators to control what can be installed on a user's system. In the case of a new threat, even if it is not yet flagged as malicious, its age will be very young, and users and IT administrators can use reputation information to implement policies about what they allow onto their machines. For example, the IT administrator might choose to restrict employees in the Finance department to downloading only those applications with at least 1000 certified users and at least two weeks of availability on the Internet, whereas staff on the IT help desk might be allowed to download files of any age with at least 100 other users and a moderate reputation score. These policies enable administrators to tailor their protection based on each department's unique tolerance for risk. Our studies show that this is a very effective way to mitigate the risk exposure to new malware within an enterprise.
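The following is an added illustration, not Symantec's code, of how the three Download Insight/Download Advisor outcomes described earlier and the department policies above could be expressed as a decision over a file's reputation attributes. The `FileReputation` fields, the "good"/"bad"/"unknown" rating labels, the 0-100 score scale and the score cut-offs are assumptions; only the user-count and age thresholds come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Verdict(Enum):
    BLOCK = "block"  # bad reputation, or policy thresholds not met
    ALLOW = "allow"  # good reputation, or policy thresholds met
    WARN = "warn"    # unproven file and no policy: the user decides

@dataclass(frozen=True)
class FileReputation:
    sha256: str        # the file's SHA2 hash, its identity in the cloud
    rating: str        # "good", "bad" or "unknown" (assumed rating labels)
    score: int         # hypothetical 0-100 reputation score
    prevalence: int    # how many protected users have the file
    first_seen: date   # when telemetry first reported the hash

@dataclass(frozen=True)
class DepartmentPolicy:
    min_users: int      # minimum prevalence before an unproven file may run
    min_age: timedelta  # minimum time the file must have been available
    min_score: int      # minimum reputation score (assumed scale)

# User and age thresholds come from the text; the score cut-offs are assumed.
POLICIES = {
    "finance": DepartmentPolicy(1000, timedelta(weeks=2), 70),
    "it_helpdesk": DepartmentPolicy(100, timedelta(0), 50),
}

def decide(rep: FileReputation, department: "str | None", today: date) -> Verdict:
    """The three DI/DA outcomes; a department policy replaces the WARN case."""
    if rep.rating == "bad":
        return Verdict.BLOCK          # bad reputation: blocked outright
    if rep.rating == "good":
        return Verdict.ALLOW          # good reputation: allowed to run
    policy = POLICIES.get(department) if department else None
    if policy is None:
        return Verdict.WARN           # consumer case: warn, user weighs the risk
    meets = (rep.prevalence >= policy.min_users
             and today - rep.first_seen >= policy.min_age
             and rep.score >= policy.min_score)
    return Verdict.ALLOW if meets else Verdict.BLOCK

# Constructed sample cloud responses; the hashes are placeholders, not real indicators.
TODAY = date(2012, 6, 1)
NEW_FILE = FileReputation("<sha256-new>", "unknown", 60, 150, TODAY - timedelta(days=3))
ESTABLISHED = FileReputation("<sha256-old>", "unknown", 75, 5000, TODAY - timedelta(weeks=6))
KNOWN_BAD = FileReputation("<sha256-bad>", "bad", 5, 4, TODAY - timedelta(days=1))
```

With these samples, a three-day-old file seen on 150 machines is blocked for Finance but allowed for the help desk, while the same file prompts a warning on a consumer machine with no policy.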


Although our goal is never to allow a threat to reach a machine, in the real world there are still situations where a user's system can get infected. Such circumstances likely include:

  • Users who previously had no installed security product.
  • Users whose product subscription expired.
  • Users attacked by a new zero-day threat.

Symantec remediation technologies address these situations by providing capabilities to clean up already infected machines. The core set of these technologies is built into all our malware security products.

More recently we made available a set of standalone tools to assist with remediating more aggressive infections. These tools include Norton Power Eraser and Symantec Power Eraser (included in the Symantec Endpoint Protection Support Tool). Features of these remediation tools include:

A Nimble and Easily Updatable Engine

Since the threat space is always changing in order to evade security suites, these tools can be easily updated to react to new zero-day threats.

Targeting Infections in Their Entirety

From the downloaders to the payloads and the rootkits that hide them, today's infections are complex, using multiple components to orchestrate a profitable outcome for the attackers. The Power Eraser engine is tuned to detect and remove these risks by looking for behavioral patterns not just of the threat itself, but also of the downloader that introduced the threat to the system in the first place.

Aggressive Detection Techniques

The Power Eraser engine uses multiple new heuristic engines and data analysis points in order to detect a broad range of threats. These include packer heuristics, load point analysis, rootkit heuristics, behavioral analysis, distribution analysis, and system configuration monitors.