
Symantec turns to reputation security to bolster malware signatures

The Symantec Endpoint Protection 12 suite uses new Insight and SONAR technology to monitor executables and add reputation scoring to its traditional malware-signature approach.

Symantec Corp. is adding new reputation scoring technology to its enterprise endpoint protection suite in a move security experts and analysts say will force its competitors to react by bolstering similar technologies.

The Mountain View, Calif.-based security giant is poised to release Symantec Endpoint Protection 12 this summer, adding its Insight Reputation System, which analyzes downloadable files and assigns a risk score based on file behavior, prevalence and other factors. Those reputation security scores are kept in a database that Symantec said contains more than 2.5 billion files. The company made the announcement Tuesday at RSA Conference 2011 in San Francisco.

Reputation security technology

SONAR technology was added to Symantec's endpoint protection suite in the biggest update the suite has had since 2007. SONAR, a behavioral malware-detection engine, was acquired by Symantec in 2005 and incorporated into its Norton antivirus line for consumers. It monitors executables on endpoint machines and can detect whether a file is acting suspiciously, a capability that could block new exploits targeting zero-day flaws, Symantec said. SONAR feeds the Insight technology and is also part of a new reputation-based approach Symantec is using to weed out malicious files before a major outbreak can take place.


Seth Shestack, associate director of information security at Temple University, said he has been testing the technology on multiple machines with various degrees of success. So far the latest version seems to be detecting malware before any malware signatures are developed. The machines on average get a 12- to 36-hour lead time on detecting new malware variants over traditional detection methods, Shestack said.

The biggest benefit, according to Shestack, is the latest version's speedier scanning engine, which will skip over previously scanned files. Temple does a full scan of its machines twice a week and the new scanning feature helps reduce the impact on machine performance, he said. Symantec estimates that Insight's whitelisting capabilities, which skip over trusted, high-reputation files, can reduce overhead of virus scanning by as much as 70%.

Temple University is in Symantec's early beta program. Shestack said he would do a more widespread rollout in August. Symantec still has customers running Symantec Antivirus 10, said Piero DePaoli, director of product marketing. DePaoli wouldn't release details on when Symantec would stop supporting the earlier version.

Symantec also added support for new virtualization capabilities. The latest version can whitelist baseline images and maintain a local cache using its Insight technology. The feature will help reduce the load on virtual hosts. It also has new automated features to identify and manage virtual clients.

Other reputation-based security options

Many of Symantec's competitors are aware of the failure of signature-based antivirus to keep up with new malware and constantly changing variants, said Chris Christiansen, an industry analyst and program vice president for security products and services at IDC.

For example, Symantec's chief competitor, McAfee Inc., has integrated its Global Threat Intelligence service into its suite, using file reputation to close the gap between the malware protection it provides via signatures and real-time threats as they are detected in the wild. Trend Micro Inc. has a similar cloud-based reputation service that queries a remote database to check an executable file before a user can open it.
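The mechanics the article describes (a reputation score built from prevalence and age, a full scan that skips files already known to be trusted, and a hash lookup before an unknown executable is allowed to run or is handed to behavioral monitoring) are sketched below as an added, illustrative example. This is not Symantec's, McAfee's or Trend Micro's code and does not reproduce Insight's or SONAR's real scoring; the weights, thresholds, record fields, the in-memory dictionary standing in for the cloud reputation database, and the sample file contents are all constructed for the example.

```python
"""Toy file-reputation engine, constructed for illustration only.

Not Symantec Insight/SONAR. Shows three ideas from the article:
  * a 0..100 reputation score from prevalence, age and code-signing status,
  * a scan cache keyed by content hash so a repeat full scan skips files
    already verdicted "trusted" (a modified file gets a new hash and is
    re-examined, which is why the cache is not keyed by path),
  * routing of unknown or low-reputation files to behavioural analysis
    rather than trusting them on the strength of a missing signature.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical thresholds; a real product tunes these from telemetry.
TRUSTED_SCORE = 80      # at or above: skipped on later full scans
SUSPICIOUS_SCORE = 30   # at or below: escalate to behavioural monitoring


@dataclass
class ReputationRecord:
    prevalence: int        # endpoints that have reported this hash
    age_days: int          # days since the hash was first seen
    signer_trusted: bool   # signed by a publisher on an allow-list
    known_bad: bool = False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reputation_score(rec: Optional[ReputationRecord]) -> int:
    """Return 0..100 (higher is more trustworthy). Unseen hashes score 0."""
    if rec is None or rec.known_bad:
        return 0
    score = 0
    # Prevalence: a file present on many endpoints is rarely targeted malware.
    if rec.prevalence >= 10_000:
        score += 50
    elif rec.prevalence >= 100:
        score += 30
    elif rec.prevalence >= 10:
        score += 10
    # Age: a hash that has circulated for months without reports is lower risk.
    if rec.age_days >= 90:
        score += 30
    elif rec.age_days >= 7:
        score += 15
    if rec.signer_trusted:
        score += 20
    return min(score, 100)


def verdict(score: int) -> str:
    if score >= TRUSTED_SCORE:
        return "trusted"
    if score <= SUSPICIOUS_SCORE:
        return "suspicious"
    return "unknown"


class ReputationScanner:
    def __init__(self, reputation_db: Dict[str, ReputationRecord]):
        self.db = reputation_db                 # stand-in for the cloud lookup
        self.scan_cache: Dict[str, str] = {}    # content hash -> last verdict
        self.stats = {"skipped": 0, "looked_up": 0, "behavioural": 0}

    def scan(self, data: bytes) -> str:
        h = sha256_hex(data)
        if self.scan_cache.get(h) == "trusted":
            self.stats["skipped"] += 1          # the "skip known-good" win
            return "trusted"
        self.stats["looked_up"] += 1
        v = verdict(reputation_score(self.db.get(h)))
        if v != "trusted":
            self.stats["behavioural"] += 1      # hand to a SONAR-like monitor
        self.scan_cache[h] = v
        return v


# Constructed sample files (not real binaries) and their reputation records.
SAMPLE_FILES: List[bytes] = [
    b"MZ constructed: widely deployed, signed vendor binary",
    b"constructed: brand-new dropper seen on three hosts",
    b"constructed: in-house admin tool, unsigned",
    b"constructed: never reported anywhere",
]


def build_sample_db() -> Dict[str, ReputationRecord]:
    return {
        sha256_hex(SAMPLE_FILES[0]): ReputationRecord(250_000, 400, True),
        sha256_hex(SAMPLE_FILES[1]): ReputationRecord(3, 1, False),
        sha256_hex(SAMPLE_FILES[2]): ReputationRecord(150, 30, False),
        # SAMPLE_FILES[3] is deliberately absent: an unseen hash.
    }


def run_demo() -> Tuple[List[str], List[str], str, Dict[str, int]]:
    """Two full scans, then a tampered copy of the trusted file."""
    scanner = ReputationScanner(build_sample_db())
    first = [scanner.scan(f) for f in SAMPLE_FILES]
    second = [scanner.scan(f) for f in SAMPLE_FILES]   # trusted file skipped
    tampered = scanner.scan(SAMPLE_FILES[0] + b"\x90")  # new hash, re-examined
    return first, second, tampered, dict(scanner.stats)


if __name__ == "__main__":
    print(run_demo())
```

The second pass skips only the file that scored "trusted"; the unsigned in-house tool stays in the "unknown" band and is re-checked every time, which is the case where a behavioral engine, rather than a reputation lookup, has to carry the decision. Appending a single byte to the trusted file produces a hash the database has never seen, so it is scored as suspicious instead of inheriting the original's reputation.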

"Users we've been talking to have been complaining endlessly about how a variety of the signature-based technologies have been failing them, and all of Symantec's competitors are keenly aware of the failure of signature-based solutions," Christiansen said. "Reputation provides a far more predictable way of enhancing security."

Endpoint protection suites market

Symantec has been winning the market share battle for endpoint protection suites pretty handily, Christiansen said. According to IDC's 2009 market share figures based on revenue (IDC has not released 2010 figures), Symantec's share is 35% compared with McAfee's 18.1%. Trend Micro ranks third (9%), followed by Kaspersky Lab (5.8%), Sophos (3.4%) and AVG (2.9%).

Symantec Endpoint Protection 12 is aimed at organizations with more than 100 employees. A lighter weight version called Symantec Small Business edition 12.1 is available for businesses with 5 to 99 employees.
