Symantec is readying the 2010 editions of Norton Internet Security and Norton AntiVirus, adding to its flagship consumer software a type of malware defense based on what's called reputation analysis.
Traditional signature-based defense “is still there and valid as a last line of defense,” says Symantec senior director of product management Dave Cole about the 2010 editions of Windows-based desktop security software out in beta Monday and shipping in the September timeframe for Windows 7, Vista and XP. But signature-based defense, which detects malware through a known match, is a technology under strain due to the enormous explosion in the amount of malware created by cybercriminals. So in the Symantec products, signature-based defense will be working in conjunction with reputation analysis, which decides whether the code is good or bad through statistical sampling and behavioral patterns in order to derive its reputation.
“It's a hybrid,” Cole says, comparing the malware-detection methodology in the 2010 security-software products to that of a hybrid car that can use both gasoline or battery power to run.
The reputation analysis capability in the 2010 editions of Norton Internet Security and Norton AntiVirus will rely on information gleaned from a community of tens of millions of Symantec customers. It allows for information about attack data to be submitted anonymously.
“We can use that data to statistically infer what's appropriate,” Cole says, pointing to Symantec technology called Sonar II to call out to a cloud-based service to see if there are known signatures related to the code that's been identified as suspicious.
Many factors, including who is publishing the code and where the Web site is, come into play to make a decision on what's good and bad. And it's Symantec as the judge in getting ride of bad code.
“If it's bad, it's convicted,” Cole says. “We tell the user we made a decision.”
If there's reasonable doubt, Cole says, the user will get a “detection alert” as a notification the code appears to be malware so the blocking and eradication process will proceed. The user will have a chance to override in these cases, but it won't be advised.
In addition to this reputation-based feature, Symantec is swapping out its older antispam engine for the BrightMail engine, which is expected to boost spam filtering by about 20%.