Symantec UBIQUITY

Symantec appears to be rebranding its reputation system and expanding it to the enterprise market under the name Ubiquity, “a technology that tracks billions of files from millions of systems to identify new threats as they are created.” The technology “puts files in context” by analyzing data from 75 million contributing users and leverages a global intelligence network of 240,000 sensors in 200 countries.

 

You can learn more about it here:

go.symantec.com/ubiquity

Dan
Symantec

 

"Served 1.5 billion Ubiquity ratings each day." - Symantec

Sounds like they're selling hamburgers.

 

At present, the Norton Insight Network (in Norton Internet Security 2011) reports a file count of 142 million. Why is this number considerably less than the “1.5 billion files" in the Ubiquity database?

 

Hmm. The British one billion is a million millions. The American one billion is a thousand millions. Probably doesn't answer the question but interesting.

SourMilk out

 

Mrs Cloud Fraud strikes again.

 

Haha, I used to marvel at that when arguing with a brother-in-law from Belgium! Apparently, the Americans won the Brits over on that, per: http://www.oxforddictionaries.com/page/114 .

Sorry! OT dismount.

 

wow. that's a lot of data.

also, pretty sweet numbers, eh? :fargo:

 

Pleonasm

I asked Insight/Ubiquity dev team the same question about why Norton Insight reports 142 million files tracked when they told me the total number is 1.5 billion (US billion) files.

They told me that they cut out the files that showed up only once to make the Norton UI work - so that they could show good, bad and undetermined reputation files on the same graph.

OK, that is not a satisfying answer - I asked them to update the Norton UI to represent the real number - we'll see if they listen to me. . . .

 

Thanks, Dan, for looking into this question.

To clarify, are you saying that the problem is (A) a display/formatting issue (i.e., the layout of the Norton Insight Network graph), or that the problem is (B) operational/functional (i.e., Norton Internet Security 2011 only leverages a subset of the entire Ubiquity database when evaluating the trustworthiness of a file)? I think (and hope) that the answer is “A.”

 

I'm just wondering that if Symantec has tracked more than 1.5 billion files, but their UI only shows 140m+ files, shouldn't the likes of Panda be showing similar? PCAV apparently has tracked over 126m files, which is close to what Symantec are saying in their current UI.

It's hard to get one's head around these figures, but I suppose it is feasible that 1.5 billion files have been tracked. However, Bit9 has already far exceeded that figure, something like over 6.9 billion files at the moment, which kinda begs the question how come they've seen more files than anybody else?

 

well there figure might not be exactly correct or atleasr shown correct to people

 

It is my understanding that Symantec is tracking a specific subset of all files (e.g., .EXE, .MSI, .DLL, .SYS, .DRV). It may be the case that Bit9 and other vendors are tracking a larger scope of files (e.g., .PDFs that may have embedded malware).

 

It is speculation on my part, but additionally I would not be surprised to learn that the 1.5 billion files tracked by Symantec are active threats -- i.e., malware that has been encountered within the recent past. Limited the Ubiquity database to active threats would presumably enhance performance with miniscule downside risk.

In contrast, the file count reported by other vendors may be cumulative (i.e., representing both active and expired threats).

Dan (from Symantec), can you please interject some insight into these issues? Thank you.

 

A few differences.

First, Symantec works with Bit9 - though I am not sure if their white list is used in the Ubiquity system. Bit9 can be integrated into Symantec Endpoint Protection for application tracking and white listing (enterprise feature).

Second, yes, Symantec is only tracking program files. As every .doc file and many pdf files are unique, tracking them for the purpose of identifying unique files isn't worth the effort. We do track both current and "expired" threats (hard to define an expired threat). But the point is that we do not track office files, for example, even though they may contain threats. If is faster to scan those file at the endpoint than to add all those file to the db and slow down the whole system. Interestingly, Trend seems to not track older threats.

3rd. Norton is using the full 1.5 B file db - it is just in the UI that they are showing the smaller #.

4rth Bit9 provides a big white list - but it lacks the detailed security ratings that we provide. No do they track associations between files, sources and patterns of infections. They simply give you a big list of things that appear to be safe for a go/no go decision. That is very different from getting a security rating and prevalence information.

 

Thank you, Dan, for the clarifications and insights. It is especially good to know that Norton Internet Security 2011 is leveraging the full power of all 1.5 billion files tracked in the Ubiquity database. Hopefully, the user interface in NIS11 will be modified to reflect that reality in the not too distant future.

 

Now the figures go up, according to the press release regarding Norton 360 v5 beta:

Is this right based on what we've been told already?

 

The math seems 'reasonable,' since it would require about 22 months to serve 1 trillion reputation ratings, given that 1.5 billion reputation ratings are served daily.

 

Some additional impressive statistics...

• 22 million applications are added to Ubiquity database weekly
• The size of the community contributing to the Ubiquity database is 100 million users
• More than 75 percent of malware discovered by Ubiquity affects less than 50 Symantec users
• Symantec blocked 3.2 billion attacks in 2009

Source: Symantec Ubiquity