Symantec desktop security software boasts reputation analysis

Symantec is readying the 2010 editions of Norton Internet Security and Norton AntiVirus, adding to its flagship consumer software a type of malware defense based on what's called reputation analysis.

Traditional signature-based defense "is still there and valid as a last line of defense," says Symantec senior director of product management Dave Cole about the 2010 editions of Windows-based desktop security software out in beta Monday and shipping in the September timeframe for Windows 7, Vista and XP. But signature-based defense, which detects malware through a known match, is a technology under strain due to the enormous explosion in the amount of malware created by cybercriminals. So in the Symantec products, signature-based defense will be working in conjunction with reputation analysis, which decides whether the code is good or bad through statistical sampling and behavioral patterns in order to derive its reputation.

"It's a hybrid," Cole says, comparing the malware-detection methodology in the 2010 security-software products to that of a hybrid car that can use both gasoline or battery power to run.

The reputation analysis capability in the 2010 editions of Norton Internet Security and Norton AntiVirus will rely on information gleaned from a community of tens of millions of Symantec customers. It allows for information about attack data to be submitted anonymously.

"We can use that data to statistically infer what's appropriate," Cole says, pointing to Symantec technology called Sonar II to call out to a cloud-based service to see if there are known signatures related to the code that's been identified as suspicious.
Many factors, including who is publishing the code and where the Web site is, come into play to make a decision on what's good and bad. And it's Symantec as the judge in getting ride of bad code.

"If it's bad, it's convicted," Cole says. "We tell the user we made a decision."

If there's reasonable doubt, Cole says, the user will get a "detection alert" as a notification the code appears to be malware so the blocking and eradication process will proceed. The user will have a chance to override in these cases, but it won't be advised.

In addition to this reputation-based feature, Symantec is swapping out its older antispam engine for the BrightMail engine, which is expected to boost spam filtering by about 20%.

In addition to antimalware protection, the Norton Internet Security software includes a firewall, antiphishing and the Identity Safe controls. It will also ship with the client software for Online Family, an interactive cloud-based service that helps parents and children reach agreement on appropriate online activities -- and then enforces them through monitoring, blocking and real-time reports, if desired.

That service is free until year-end. Symantec's earlier Parental Controls feature will be retained in the 2010 edition as well.

In addition, the 2010 products for Windows-based machines will include recovery tools that let the user remove any infection by booting outside the operating system that's infected. "It's a scan-and-clean environment," Cole says. "You can scan the system with the latest definitions and remove it."