Network World

Damballa unveils anti-botnet product, badmouths McAfee A/V

By Ellen Messmer, Network World, 03/02/2009

Start-up Damballa Monday unveiled the third version of its Failsafe botnet detection appliance, while also badmouthing McAfee's desktop antivirus software, claiming it often failed to detect malware samples during a six-month study.

Damballa's Failsafe 3.0 appliance, which starts at $100,000 for 10,000 nodes, is designed to sit behind the corporate firewall to detect botnet infections on desktops and servers within the enterprise by noticing if the botnet code attempts to call out to a command-and-control source for instructions.

Failsafe 3.0 works similarly to the previous version, except that Damballa is switching from a service-based model, in which botnet-detection analysis was done at the security firm, to supplying its enterprise customers with a management console that can carry out this analysis on-site.

Damballa's vice president of product management and marketing, Bill Guerry, says this was done to satisfy customers that wanted tighter control over what is seen as sensitive information.

Damballa says it has 10 customers that use Failsafe, including Procter & Gamble, and that 3% to 5% of enterprise desktops and servers, primarily those which are Windows-based, are apt to be infected with botnet code.

"To us, botnets are targeted attacks by remote-access Trojans," Guerry says, adding that botnets are primarily designed to steal data on behalf of organized crime. Failsafe doesn't eradicate botnet malware after detecting signs of it, but will give network managers the forensic evidence to find and eradicate it on an infected machine, Guerry says.

Damballa has observed hundreds of different botnets in existence, not just the well-known Storm or Conficker, two types of botnets which Guerry says have had little impact on the enterprise.

Damballa vs. McAfee

Damballa Monday also made controversial statements concerning security firm McAfee, asserting that a six-month study Damballa conducted with 200,000 malware samples found that McAfee's antivirus software often failed to detect this code.
According to Damballa, the immediate detection rate by McAfee antivirus software was 53%, but 15% of the samples were never detected and 32% were detected after a delay of 54 days on average.

Guerry says Damballa believes this is because signature-based antivirus software can't keep up with the number of malware samples. Damballa may undertake a similar study using Symantec antivirus software, he says.

While McAfee had no immediate comment, others in the industry were skeptical of Damballa's statements concerning the antivirus software testing.

Vendor statements about testing other vendors' products and finding them wanting always have to be deeply questioned, says Graham Cluley, senior technology consultant at Sophos. He adds that customers would do better to put more credence in testing done by independent labs such as West Coast Labs, ICSA Labs or AVtest.org.

(Separately, Sophos said on Monday that by analyzing the Conficker code, it believes the malware can be expected on Friday, March 13, to launch a search for a Web site URL owned by Southwest Airlines that directs traffic to the main Southwest site.)

Comments (6)

both are useless
By infosec on March 2, 2009, 4:33 pm
both damballa and mcafee are useless. FireEye is a much better product.

FireEye ran a similar study last November against 36 different A
By Anonymous on March 2, 2009, 5:08 pm
This study supports FireEye's previous findings done last year. Do AntiVirus Products Detect Bots? http://blog.fireeye.com/research/2008/11/does-antivirus-stop-bots.html They...

Frisk Software's F-prot Antivirus has repeatedly caught some thi
By Anonymous on March 2, 2009, 6:42 pm
Frisk Software's F-prot Antivirus has repeatedly caught some things missed by the entire McAfee suite; so I'm not too surprised to hear the results of the study.

McAfee doesn't work
By Anonymous on March 3, 2009, 5:18 am
McAfee doesn't detect more than 50% of malwares. EOS.

When has Damballa been right?
By Anonymous on March 3, 2009, 10:14 pm
Aren't these the same yo-yos who rode through the streets with "Kraken is coming!" and it was just Bobax? And then "MayDay! Sneakier, More Powerful Botnet on the...

Another monkey shaking the tree...
By Dennis on March 4, 2009, 12:46 pm
The Damballa spokeshole who decided to make the comment about McAfee should really think twice before taking on a gorilla the size of McAfee. I'm sure they also...
