Why is my cloud better than your cloud?

Very good of you to acknowledge that, Pleonasm. As I read through these threads in which PrevxHelp participates, I am impressed by his patience and depth of knowledge and his ability and willingness to engage in these discussions with members. I would say that his total participation here at Wilders, be it in discussion or support mode, if not unequaled, is rare indeed. I just have not seen the likes of it here or anywhere else, and it is one of the reasons I purchased a couple of licenses.

 

I'm going to throw a comment here too and agree completely with the above. I, too, bought a couple of licenses yesterday after shuffling through a *lot* of info about Prevx and seeing how quality help, if needed, would be right at hand.

Sorry 'bout the OT, but thanks PrevxHelp and keep up the incredible patience and the obvious passion for your work. I know i would have ran out of that by now.

 

Ofc, and both you and Page42 are right - but you should also know, just like I do myself, that it's not funny at all to have things pointed out that are personal. You also know as well as I do that "fanboy" is not a name - it's something negative that you call people that you think are annoying, praising a product too much, non-stop. Sure, a name can be used in a offending way, but it's not the same thing in this case.

I'm praising the products that I use and show a lot of dedication to them, and everything that's said bad about them I defend even if I know I'm wrong.

Nope, that last thing was not correct, or did you believe it was? You see, believe it or not - I'm open to whatever you say is wrong or not as good as long as it's a great base. Yep, dead serious. I haven't replied to things that you or others have been correct about, bringing undeniable facts. When that's been posted, I've given it thought, then probably written a proper post over at Symantec's official forums to try get things improved, since this is the product most blablabla has been about. Why? Because that's the product I use now, hence I try to contribute as much as I can in order to not only make myself benefit as a user, but all other users as well.

The sort of "problem", has not been these actual "facts", and criticism that's definitely correct - it's been the assumptions being made without a lot of source or seemingly thought behind it, if at all, and in that case, my opinion is that you shouldn't make any assumptions at all - cause you don't have the knowledge to be respected for what you're saying.

You should also know that I would bust into whatever I think is a wrong-made assumption at these forums. Now it happens to be about Symantec, and since it's a product that I use, ofc I read the topics where their products are being discussed. As simple as that.

What's something personal is that I hate assumptions being made without a base - that I bust in here is ONLY a coincidence, and nothing else. I bust in in real-life and I bust in in cyberspace when I think something is wrong to be said. That's just how I'm, and if you think that's fanboyism, so be it. I made a big mistake saying that I was one, and you've more than enough shown me that it was, cause here we are.


The post that I've quoted from you, Joe, feels offending against me personally - and no, I can't explain why really. It's just a feeling - a feeling because things have gone personal. In other words, this discussion has gone way too far - it's not just about products anymore, and I'm already offended enough as it's.

 

raven211 - I'm unsure why this exchange has turned to such a negative, offtopic, direction. If you re-read through the posts, I still do not see any reason for a trigger of animosity. One post which you corrected which I made was:

"I'd suspect Norton 360 v3 would have similar detection rates as NIS2010 if this (Quorum) is the only major technology change."

I was being hypothetical being that I am not well versed in every aspect of Symantec's offerings, which is why I prefaced it with "I'd supect" and "if this is the only" and "similar" instead of "exactly the same offering no additional benefit at all". Quorum is new, SONARv2 is an update - which is all I said.

At no point was I insulting Symantec's products, I was just under the assumption that if nothing else has changed, then it would perform the same. Various early tests so far have only tested the antimalware components of it so I was basing my assumptions off of what others have experienced. You've posted information that other things have changed - its impossible to say to what degree but they may indeed impact performance/protection.

Your post of: "Maybe you should start reading the posts ... I told you to not make it simple for you as well and then make "attacking assumptions" was, from my interpretation, an emotion-infused post that ignored what I was actually saying, hence my question back as to what the "attacking assumption" was.

It is not meant to be offending and I'm sorry if you've taken it that way.

In a previous post, you admitted that "The fanboy in me turns on" when your products are criticized "unrealistically". What I was saying was not a criticism but merely an observation, as explained before. You referred to making an emotional response after a different post which was misinterpreted and I believe the same held true in this last post - correct me if I'm wrong, however.

 

I know you didn't, and I'm sorry to have accused you for a big lot. I've been going on completely emotional for no good and I apologize to you. I hope you can accept that apology, and wish that one of the mods. will remove these OT discussions which I now will "admit" that I started. This is just a weakness of mine, and I hope that this has not been too offending for you or anyone else. I feel ashamed right now and am really tired of all this crap that's been going on because of me.

 

No problem at all - everyone gets emotional, especially when they care about what they're talking about!

 

Back on topic... Pleonasm, as thread OP, how would you summarize what has transpired in this thread? Have you come closer to finding answers to your original questions? Has your understanding of "the cloud" changed as a result of this thread? Do you view one cloud as being better than another?

 

I've been giving this topic and discussion some thought, and one thing I would like to note is that Joe does have a good point; they were first with the "cloud-security" deal - they were before its time. I'm pretty sure this is gonna pay off now pretty damn good. Not only has Prevx userbase and respect grown very, very strong thanks to being a great company - the time has finally catched up.

Ofc I'm gonna use Norton as my main, and seriously - after all this, who thought otherwise? That aside, it's no secret that a layered approach will always be needed, so if talking an AM-front - what if I combine the best from two worlds? What if I combine the two companies' that I actually respect and trust most right now? You probably guessed right - what if I use Norton 2010, with the forthcoming Prevx 4.0?


Only the thought makes me eager to know what I can expect from the new version of Prevx, so, Joe - would you be so kind and enlighten me with all the information that you're allowed to say about the forthcoming version, and maybe when you expect to have a beta ready for testing?

 

RottenBanana, while we’re temporarily “off-topic,” I admit that I too might be inclined to purchase Prevx as a supplementary anti-malware solution. However, in my own case, I can’t get my head to move past the issues surrounding Prevx’s privacy policy (see this thread) and my heart to move past the marketing practices of the company (which have been discussed ad nauseum in this forum). Obviously, others place varying levels of importance on these issues when making a purchase decision, and I respect those differences of opinion.

While we’re in mea culpa mode, I must acknowledge the obvious and say that I too have occasionally been guilty of the same sin.

 

The first betas will probably be making the rounds within the next 2 months. We've been developing a large number of different experimental technologies and components and are now at the phase where we're deciding what we'll keep and what works best so I honestly don't know exactly what the next version will hold, however, based on the changes in place already, this is definitely not going to be just a minor GUI tweak of an upgrade

 

Before triggering off another firestorm of posts, it might be interesting to see what other vendors have in terms of in-the-cloud privacy. What I gather of your concern, Pleonasm, is the fact that we store data about each of the programs which we scan. This data is stored anonymously and encrypted at every level in the transmission, but the data must be stored - this is the heart of how Prevx works - we analyze samples based on intelligence gathered from previous samples so that we can detect new threats and old threats if the new intelligence which we've gathered overlaps with a previously seen program.

Symantec must be doing the same if their reputation ratings persist throughout the community and I suspect Panda is doing the same if they have analysis running server-side to return determinations.

Speaking for us at Prevx and (hopefully!) for other AV companies, we all adhere to a strict code of ethics and there really is absolutely no reason for us to try and mine data or care about your personal details - that is the last of our worries being that we have more than enough to deal with when sorting through tens of thousands of new threats every day

 

Thanks for the link, i had missed that. Although reading it didn't change my opinion of Prevx nor decrease my trust in it in any way. I've come to the conclusion long ago that if i get too paranoid about what information about me is being stored and where, i will all of the sudden find myself unable to go anywhere, talk to anybody or do anything in general. As an example - if i'm having connectivity issues with my ISP, i will need to call them to ask what's wrong. While doing that, their tech will undoubtedly need to check my connection status, potentially revealing information about bandwidth consumption, visited IP addresses etc (which they probably know anyway, but have to reason to look up until i call them). If i keep thinking i don't want to give them any reason to look at me specifically, i'll have to stick with my malfunctioning connection. Quite equally if i don't want Prevx (or any other anti-malware vendor) to have a look at my possibly infected files, along with pathnames, OS info etc. i can't really expect to be helped with cleaning them.

The marketing techniques, well yes, the comparison charts on their front page are cheesy and give a rather immature feeling of whoever came up with the idea... In my opinion ALL comparison charts are stupid when it comes to marketing. Testing sites are different. Not to mention the blog post about Panda. Unprofessional. But i didn't want to let one person ruin the whole company's image in my eyes.

But exactly as you said; others place varying levels of importance on these issues. And all opinions should be respected. I determined i can trust this vendor and went forwards with it. I've got a full year ahead to see if it was worth it.

 

PrevxHelp, according to this thread (see posts #42 and #58 ), Norton Internet Security 2010 transmits only a hash of a file to their cloud (and no other information whatsoever), unless a user voluntarily enrolls in the Norton Community Watch. With Prevx, in contrast, participation in (and data collection from) the community is mandatory -- i.e., the company has declined to provide a choice to users. That is a hugely important distinction between the in-the-cloud privacy of Symantec and Prevx.

My hope is that (eventually) Prevx will come to see the wisdom of Symantec's approach and model their own framework accordingly. Perhaps you can be the internal change agent within Prevx to make it happen?

 

Following their approach would be a massive step backwards in the effectiveness of Prevx (and Panda for that matter) and I'm surprised they would admit this limitation in their system.

Unfortunately the difference between sending up the hash of a file and sending up details about the file and its behaviors shows an inherent difference in the approach taken by the vendor. Symantec is not doing any actual analysis of the file, rather, they are just comparing a list of hashes - the complete opposite of generic signatures/heuristics/scanning as there is only one definition per file.

Frankly, if users are not willing to submit the anonymous data about a program which we use to detect the program then they should not be using our software - there isn't a way to "opt out" because the data collected locally is what is directly used to determine the intent of a program.

Hashes are not effective past just identifying that this exact file is what you think it is. When polymorphism, file infectors, or any kind of change is involved (or even changing a single byte), a simple hash like SHA256 or MD5 breaks down and provides no protection against the changed file.

We have never just used file hashes to identify programs and we will never - it is not an economical or effective way to develop signatures.

Prevx is not merely a "check" in the cloud - it is full scanning in the cloud, completely different from what Symantec is doing which is why the privacy model can't be criticized when we send up more data.

It is impossible to improve protection without sacrificing some level of privacy - even when checking for signature updates with your AV you are exposing a large amount of data about your PC to the signature server.

 

Great post, and completely logical actually. No offence at all, Pleonasm, but that's the thing I thought about when reading your post, even if I think it's great that we can opt out such participation, should we wish, since - NOTE - generic signatures/heuristics/scanning is still mainly left to the other components of the suite, even if they all work as a whole.

Participating in the community is ofc the default option, however - only that it's an always-visible checkbox for those who, for some reason, don't want to participate. It also has a "(recommended)"-part in the end of the checkbox-text, kinda the same approach that the "no data-dialog" uses.

Every user obviously gets most out of participating all-out, which is what I do, but if they don't, Quorum is still a global, online community-database for everything that's seen on the system, working in harmony with the other components of the suite.


To sum it up - most users of Norton are all using the same participation approach as Prevx and probably Panda is doing. I would consider the case with opted out to be rare.

 

Exactly - Symantec's answer to malware scanning in general is by using local signatures. While we could do this, Prevx and Panda have moved the signature aspects into the cloud (reasons here: https://www.wilderssecurity.com/showpost.php?p=1499852&postcount=27)

Pure reputation checking, on the other hand, works fine with just hashes although I suspect there is a bit of misinformation in some of these descriptions because based on their description online, Symantec must also be sending up the vendor details of the files (located within the binary itself) and the URL which the file came from as well as if the PC is infected or not, therefore, not just the hash of the single file itself (and all of the above pieces of data have been criticized against Prevx in previous threads because we do them as well ).

So in summary, if you want a negligibly higher level of privacy by hiding anonymously collected data from legitimate vendors, don't use in-the-cloud protection. If you want illegitimate malware authors to get their hands on your private data when a 0-day exploit gets through that would have been blocked from an in-the-cloud vendor or reputation checking system, feel free to use an conventional antimalware product

While we do indeed have an "all-or-nothing" approach with our products, you are completely free to just not use our software. We would not stand behind a product that would not provide adequate protection and in our eyes, adequate protection from us is only achieved with the level of analysis/data-collection which we currently do.

 

Ofc, and I hope that Symantec will move more and more to the cloud while keeping what's beneficial locally, as long as it's proven to make everything faster and even more effective, which I believe it does. Until then, in my case, which is mentioned by me to no end, Norton will work faster in its process compared to Prevx for me. Yep, back at the processing of data-problem - hence I said v4.0 as it'll without a doubt feature major overhaul in terms of changes. I simply hope that I'll not experience what I think is a delay when Prevx needs to send and analyze data once the new version is a fact.

The reason was everything that's running in the background of Windows - services, etc. - or what was it? I'm just curious why no one else experiences what I do - maybe I'm too demanding when it comes to speed? If it was indeed the reason that I recalled you saying, I would be kinda suprised since I'm running a stripped CD aimed at performance without taking out what's great in the OS (Windows XP, that's).

 

It is indeed subjective, hence my preposition: "from us"

"We would not stand behind a product that would not provide adequate protection and in our eyes, adequate protection from us is only achieved with the level of analysis/data-collection which we currently do."

 

The issue came from an idiosyncrasy on how programs are loaded on some systems. Essentially, rather than being able to bunch up queries into a nice packet, your cache was never being held causing you to have to make round trips far too often. The issue has been patched over for now but it will be conceptually eliminated in 4.0

 

I'm very glad to hear that and am looking forward to it.

 

PrevxHelp, Symantec estimates that it will create 2.5 million antivirus signatures in 2009 (here). I am extremely incredulous that most (or even many) of these are generated manually. Can you kindly provide references to support the assertion that Symantec uses a small army of human virus researchers?

PrevxHelp, you’re right in saying that “Symantec is not doing any actual analysis of the file, rather, they are just comparing a list of hashes” in so far as reputation ratings are concerned. Of course, as you know, reputation ratings are but one component in the protection framework of Norton Internet Security 2010.

PrevxHelp, you’re right. The outstanding question, however, is whether (1) scanning-in-the-cloud is a superior or inferior methodology to (2) scanning-on-the-client coupled with reputation-ratings-in-the-cloud. It is not a foregone conclusion that the former is better, but a hypothesis awaiting confirmation or disconfirmation (especially in the context of a full-featured security suite, which Prevx is not).

PrevxHelp, that may be true for some anti-malware products, but not for Norton Internet Security. Please review Symantec’s LiveUpdate Privacy Policy for details.

Raven211, I suspect that you are correct. However, the key point isn’t whether few/some/many users opt-out/participate-in the Norton Community Watch -- rather, the key point is that the users have a choice. Providing this option is respectful of individuals' privacy preferences.

PrevxHelp, you’re right: but, these details are uploaded from a user’s PC only if that individual has consented to voluntarily participate in the Norton Community Watch; otherwise, only the file hash is transmitted to the cloud.

 

Symantec has more than 17,000 employees (found by a quick search on a Symantec page) that are most likely not all graphic designers. I can't release exact details but most large antivirus companies have in the high hundreds/low thousands of virus researchers creating signatures as well as automated systems.

I don't see how it could possibly be inferior and I've outlined some of the benefits here: https://www.wilderssecurity.com/showpost.php?p=1499852&postcount=27

A full-featured security suite provides protection at different points but that isn't our intention and, in the end, if malware wants to infect your system, it will have to execute code on your system. That is where we jump in - we don't bother checking for spam or preventing your children from learning anatomy from unaccredited sources. The additional functionality offered from a security suite may provide marginally higher information on where the threat entered and could catch malware by coincidence of blocking another threat (i.e. spam or an external connection blocked by a firewall) but we're talking about comparing antimalware technologies in the cloud.

Chemotherapy doesn't try and cure the flu.

Sure, and we don't think that is effective enough for antimalware scanning in the cloud and honestly, with only a file hash, they won't be able to do a fraction of the reputation checking so users really should take off their tinfoil hats and use the full features of the protection which they're paying for.

 

PrevxHelp, even under this architecture in which users’ “anonymous data” is uploaded into your cloud for malware analysis, it is still possible to provide customers with a choice about whether or not their “anonymous data” is retained by Prevx and is incorporated into the communal database. Couldn’t Prevx, at a minimum, provide this flexibility?

 

Hitman Pro uses an older version of our scan engine as one of their components.

 

This is really irritating... can't a product be like it is?
PREVX is not Symantec nor Panda, it works differently and requires different type (and extent) of data to be sent back to the mother ship. This is how it has been designed to work and this is also part of its strenght!!

Also the option of not uploading data is a nonsense, it is like to turn off, in a ordinary signature based product the on access scanning. If data is not allowed to be sent, no determination will be possible.

I am tempted to buy another PREVX license for solidarity to PREVX and PrevxHelp, Lol

Fax