Symantec looks to protect users from mutating malware

Symantec's signature-based anti-virus seen as inadequate by itself to defend against "mutating malware"

Symantec today announced the 12th edition of its flagship enterprise desktop anti-malware product, Symantec Endpoint Protection, that looks to go beyond traditional anti-virus signatures to use a cloud-based file-identification system to protect users from virus mutations.


On its own, signature-based anti-virus defense is becoming ever less effective, because malware authors are adept at generating virus mutations at an enormous rate, making it practically impossible to block malware on code signatures alone. Symantec counted 240 million viruses in total in 2009 and is still tabulating last year's count, which appears to have doubled, says Hormazd Romer, director of product marketing for the enterprise security group at Symantec.

"The malware authors have moved to a micro-distribution model based on mutated viruses," Romer says. "It's exploding."

To defend against this onslaught, Symantec is enlisting a cloud-based file-identification method it calls Symantec Insight, which will be added to Symantec Endpoint Protection v. 12.0. Insight is a technology Symantec tested out last year in its Norton consumer anti-malware software, and it works through cloud-based analysis of files as they are downloaded to the user's machine.

By weighing what has happened on the machines of millions of Symantec customers, along with other factors, Insight aims to determine the risk presented by the file under inspection. The important factors, Romer says, are whether the file is already known, how often it has been seen, and how old it is.

"These mutated malware stick out like a sore thumb," says Romer, saying Symantec is tracking more than 2 billion files based on "the premise normal software doesn't mutate like this."

The new release of Endpoint Protection will offer Insight as an option that enterprise security managers can choose to enable or not, Romer points out. The Insight capability will let the security manager apply policy settings to users based on groups, and the "configuration dial" settings in Symantec Endpoint Protection 12.0 would allow for different low or high "risk thresholds."

Depending on the risk level, it would be possible to block any file, whether from the Web or e-mail, or simply to inform the user what is known about a suspicious file. A cautionary note could advise against opening it, though the user would make the final choice.
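To make the reputation idea concrete, here is an added illustration (not Symantec's Insight code, and not its actual algorithm) of the shape of such a scheme: a file is scored on the three factors the article names (known status, prevalence, age), and a per-group "configuration dial" maps that score to block, warn or allow. The field names, weights, thresholds and sample files are all constructed assumptions.

```python
"""Constructed illustration of file-reputation scoring with per-group risk
thresholds.  Added example code, not Symantec's Insight algorithm: the
fields, weights and thresholds below are assumptions chosen only to show
the technique's shape (known/unknown status, prevalence and age feeding a
score, and a configurable threshold mapping that score to a verdict)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    WARN = "warn"    # tell the user what is known; the user decides
    BLOCK = "block"


@dataclass(frozen=True)
class FileTelemetry:
    """What a cloud reputation service might know about one file hash.
    Constructed fields; a real service would track far more."""
    sha256: str
    known_good: bool   # e.g. from a trusted publisher / allow-list
    known_bad: bool    # matched by a signature or prior analysis
    prevalence: int    # distinct customer machines that have reported it
    age_days: int      # days since the hash was first observed anywhere


def risk_score(t: FileTelemetry) -> float:
    """Return a risk score in [0.0, 1.0].

    Known-bad files score 1.0 and known-good files 0.0.  Otherwise rarity
    and youth raise the score: a file seen on almost no machines and first
    observed very recently fits the profile of a freshly mutated sample,
    whereas widely deployed, long-lived software does not.
    """
    if t.known_bad:
        return 1.0
    if t.known_good:
        return 0.0
    # Prevalence: 1 machine -> 1.0 contribution, 10,001+ machines -> 0.0
    rarity = max(0.0, 1.0 - (t.prevalence - 1) / 10_000)
    # Age: 0 days -> 1.0 contribution, 30+ days -> 0.0
    youth = max(0.0, 1.0 - t.age_days / 30)
    # Constructed weighting: rarity is treated as the stronger signal.
    return round(0.7 * rarity + 0.3 * youth, 3)


@dataclass(frozen=True)
class GroupPolicy:
    """Per-group 'configuration dial'.  Constructed values: the article only
    says the dial allows low or high risk thresholds."""
    name: str
    block_above: float   # score above which the file is blocked outright
    warn_above: float    # score above which the user is warned but may proceed


LOW_RISK_TOLERANCE = GroupPolicy("finance", block_above=0.6, warn_above=0.3)
HIGH_RISK_TOLERANCE = GroupPolicy("developers", block_above=0.9, warn_above=0.6)


def evaluate(t: FileTelemetry, policy: GroupPolicy) -> tuple[Verdict, str]:
    """Map a file's risk score to a verdict under one group's policy, plus
    the explanation that would be shown to the user or logged."""
    score = risk_score(t)
    facts = (f"seen on {t.prevalence} machine(s), first observed "
             f"{t.age_days} day(s) ago, risk {score:.2f}")
    if score > policy.block_above:
        return Verdict.BLOCK, f"Blocked by policy '{policy.name}': {facts}"
    if score > policy.warn_above:
        return Verdict.WARN, f"Caution, this file is unusual ({facts}); opening it is your choice"
    return Verdict.ALLOW, f"Allowed: {facts}"


# Constructed sample telemetry; the hashes are placeholders, not real files.
SAMPLES = {
    "fresh_unknown": FileTelemetry("a" * 64, False, False, prevalence=3, age_days=1),
    "widely_used": FileTelemetry("b" * 64, False, False, prevalence=50_000, age_days=400),
    "signed_good": FileTelemetry("c" * 64, True, False, prevalence=10, age_days=0),
    "moderately_rare": FileTelemetry("d" * 64, False, False, prevalence=4_000, age_days=10),
}


if __name__ == "__main__":
    # The same file can be blocked for one group and merely flagged for another.
    for name, telemetry in SAMPLES.items():
        for policy in (LOW_RISK_TOLERANCE, HIGH_RISK_TOLERANCE):
            verdict, why = evaluate(telemetry, policy)
            print(f"{name:16} {policy.name:11} {verdict.value:6} {why}")
```

Run as-is, the "moderately_rare" sample is blocked under the low-tolerance policy but only produces a warning under the high-tolerance one, which is the effect of the configuration dial the article describes; the point of the design is that the verdict depends on telemetry about the file's history rather than on a signature match.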

Signature-based anti-virus protection would remain as another line of defense. A third detection method, called SONAR, which Symantec introduced previously in its consumer product for behavior-based detection, will also be added to the enterprise product for the first time, in an updated version.

"It's checking files and processes real-time, and at the point it's executing, we open it in a sandbox," says Romer, noting the goal of SONAR is to stop anything that slips by Insight or signature-based detection.

Symantec Endpoint Protection 12.0 has entered a beta period, with the final version expected out in the summer for Windows, Mac and Linux, and recommended as optimized for VMware- or Hyper-V-based desktop environments. There will also be a separate version for small-to-mid-sized businesses (five to 99 employees) that will be similar but not virtualization-optimized and will have a different management console.


Copyright © 2011 IDG Communications, Inc.