Why is my cloud better than your cloud?

Discussion in 'other anti-virus software' started by Pleonasm, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hence being default, just like I said. :D If the user doesn't want to, he or she can opt out, even if I can't see a reason - but they DO have the option to do so.

    Don't get me wrong, I don't actually think this is a good thing in some way. "Why" would be the beneficial value for all users of the product, which is indeed made to protect a system. My guess would be that the demand has simply been very high from "privacy-freaks" (okay, so that term was not serious - I just came up with something :D). Average Joes will just click "Agree & Install" (the big button which is what you see when you open up the installer - click it and the setup is off), and I believe that those who want to opt out are probably not trusting Symantec much overall, hence they probably use another product most of the time.

    My guess. :)
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, because the storage of the data is key to how we operate to detect malware even if we miss it the first time and it would significantly decrease each user's protection (and system performance as we would need to re-query the database every time for every behavior).

    While it is of course technically possible to do this, the negative aspects far outweigh the benefits.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The version of Prevx's scanner which Hitman Pro uses is > 2 years outdated and Prevx 3 is definitely stronger than what is included in Hitman Pro.

    However, a layered approach is always recommended and they've combined a few products together. Hitman Pro itself is an on-demand scanner which has a cleanup trial to remove detected threats (last I checked at least :)) with no realtime protection.
     
  4. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Actually it has more than three other engines in addition to Prevx.
    Hitman Pro also uses A-Squared, G Data, Avira, and NOD 32.
     
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Here is the thing... they've probably come to an agreement with a number of top companies when it comes to security products - Prevx, G-Data (dual-engine), Avira and A-Squared included. What it does is use these "engines" in some kind of On-Demand malware-scan. Yes, "On-Demand" - that's where the biggest difference comes in; there's no real-time protection. Who knows, maybe it'll come in the future (?), but the software is already complex as it is.

    Theoretically it's stronger, simply because of having things rated by so many more engines compared to Prevx alone, but testing mentioned and posted here at the forums has shown that Hitman doesn't seem to be full-fledged (yet) in its implementation. Like I said; it's indeed complex, so no surprise that it might take some time before it has its full potential.


    To sum it up: it works only on-demand, and, if chosen, also by schedule with its scans. It features multiple top-engines that are then used in some sort of cloud-db/tech.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    ssj must be overwhelmed with answers right now. :D
     
  7. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, Symantec “jumps in” when the executable is being downloaded and saved to the user’s PC -- even before the user attempts to run the application (see here).

    PrevxHelp, please consider Symantec’s perspective that Norton Internet Security 2010 “has the unique advantage of even observing behaviors that are exhibited by the software over the network. Since most malware are motivated to communicate externally over the network, the unique visibility we have into the process behaviors allows us to use this additional data point in the classification system resulting in very high success rates in the final classification of a process.” (see here).

    PrevxHelp, please note that if a user of Norton Internet Security 2010 has chosen not to participate in the Norton Community Watch, then that individual still fully benefits by the reputation ratings in malware detection/prevention. All customers receive the “use the full features of the protection which they're paying for.”
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    The vast - and I do mean way vast - majority of Prevx users are not here pummeling PrevxHelp with questions and suggestions about how Prevx operates. We all like it just fine and believe in the software and accept how it functions. What you see here on this thread are approximately three vocal members who, in my opinion, enjoy arguing more than anything else.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, many AVs do this but there is no technical benefit to scanning a file when it is saved as opposed to when it actually becomes a threat.

    Just because we don't have a user-configurable firewall component doesn't mean we miss out on web/network based behaviors ;) For example, see: http://www.prevx.com/filenames/132769587024169431-X1/CZ.EXE.html (and scroll to the bottom)

    Yes, but what data persists when analyzing the reputation rating? Surely they would have to still send up the same hash to check, correct? I'm not at all slighting Symantec here, but I think users who are overly privacy cautious are doing themselves a great disservice by disabling some components of Symantec's reporting which would indeed have a positive benefit on protection.
     
  10. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Fax, of course, you’re right. I can’t speak for others, but my intention in participating in this thread is to explore (and therefore learn about) the differences in approaches and technologies used in the “cloud anti-malware” solutions which are appearing in the marketplace. Thanks to the insightful comments of PrevxHelp and others, I have learned quite a bit about Prevx, about Norton Internet Security 2010, and about issues related to “the cloud” in the context of anti-malware applications. Hopefully, a few other readers of this thread have likewise learned a tidbit or two.

    PrevxHelp, I don’t understand this point. Can you kindly elaborate?

    PrevxHelp, while I agree that most users will participate in the Norton Community Watch, we seem to disagree on the importance of “individual rights.” In my opinion, it is fundamentally proper to allow individuals the freedom to make their own assessment and to either voluntarily upload their data into the Community or not, as they themselves deem appropriate. I am not arguing that users should adopt one option versus the other -- only that they should enjoy the liberty of deciding for themselves.
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It's a pity someone from Symantec couldn't join in the discussions here and clear up some of the information regarding their forthcoming product. Reading and referencing blog posts and marketing material is all well and good, but it would help to have some questions answered that have been highlighted here in this very thread.
     
  12. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I can't recall if it's been mentioned in any of these posts, but on the subject of privacy policies, if Norton Community Watch remains enabled, data is collected as described in the following policy statement. I suspect many people who keep the default setting as enabled won't have given this as much thought as some of the correspondents here at Wilders. They just want to be protected as best as they can.

    Worth a read, but apologies if this has already been highlighted.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    My point is that Symantec must persist some data to perform the reputation check, otherwise the statistics would be incorrect as there would be people reading from but not writing to the count of users seen.

    The problem is that if they do not send up the data, we cannot scan with that data to detect malware. There really isn't a way around it, without the data we simply cannot find the malware. It would be like telling a doctor to diagnose your illness without letting him examine you.
     
  14. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I think data collection/upload is crucial to the way that Prevx operates from what I read on this forum. If this step is skipped, the analysis and detection of malware may be impacted significantly. It was written in this thread that NIS 2010 uploads only a per file hash but personally I am not sure if either the new reputation system or SONAR2 by itself WITHOUT the help of other local components would be sufficient to determine how good or bad a running program is if indeed only a file hash and nothing else is uploaded. Common sense will suggest that just a file hash being sent without other associated information will not provide a lot of insight into a process if the process is new. I think Prevx is totally cloud based so removing the data collection ability when it does not have other local components for malware detection and then trying to say that the same thing is optional in NIS 2010 is like not wearing a seat-belt when driving a car with no other safety features on the highway or driving the same brand of car choosing not to wear a seat-belt but this car has other safety features like anti-lock brakes, stability control, etc. Sure it is doable but it will impact the safety of the user a lot. And with cloud technologies, the aggregation of information relates to the safety of not just one user unlike in the driving scenario.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    I am sorry to say, without offense, that your intention seems to be an endless discussion about privacy. What is sad is that you seem to just ignore the answers and keep insisting on arguments that show you have not really understood how the software works.

    The scarier part is that your suggestions may actually be damaging to the effectiveness of the tool. I hope that the rule "The customer is always right!" does not apply to this specific case and that PREVX will continue to work like this and if necessary even upload more data if this will improve my security!!

    It's not the first time you raise this issue and explanations seem to bounce back without effect. I have the impression that you simply don't like the tool and how it is designed to work. But there is an easy solution to implement: Use something else! :)

    Fax
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Is Joe the third? :D
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    It's not - thanks for bringing it to attention. ;) I could probably not go with many license agreements at all if I cared too much about what they collect (companies collect, that is) and such. Testing EULAlyzer for a short period long ago I got to that conclusion. Nothing is free (yes, I'll not bring up privacy issues with Google here - it's OT, and nothing to do about, all users of Google are victims to their "privacy-infringement", and we all know that's not a small amount of users...), "free software" is showing that, and yes, I do want to be protected as well as possible.

    EDIT: I got so curious that I had to test this agreement against EULAlyzer. And the results are... two items. :D See screenshot below;
     

    Last edited: Jul 18, 2009
  18. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    How do you know Symantec doesn't use these other measures?

    Is this just speculation on your part, or do you have evidence to back up your statement?
    Thanks
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Symantec has openly said they only collect hashes of programs. We collect a significant amount of additional data, including the behaviors that the program performs on the system/other programs and additional data which allows us to create generic signatures on the server.

    Using hashes to detect malware is not effective, as demonstrated by a quick look at Conficker or the Storm worm or any file infector or any polymorphic trojan. For instance, using hashes would require upwards of 2,000,000 different signatures to detect the Storm worm. Using a generic signature requires 1.
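The contrast drawn in the post above between per-file hashes and a single generic signature, as an added example that is not part of the original post and is not Prevx's or Symantec's code. The samples are constructed, inert byte strings, and the "generic signature" is simplified to a shared byte pattern (`FAMILY_CORE`, an assumed name) rather than a real detection rule.

```python
import hashlib

# Constructed, inert stand-in for the code sequence every variant of one family shares.
FAMILY_CORE = b"\x90DEMO-FAMILY-CORE\x90"


def make_variants(count, seed):
    """Constructed samples: identical core, different surrounding bytes per variant."""
    variants = []
    for i in range(count):
        pad = hashlib.sha256(f"{seed}-{i}".encode()).digest()
        variants.append(pad[:8] + FAMILY_CORE + pad[8:16])
    return variants


def build_hash_db(samples):
    """One exact-match signature (SHA-256) per sample already seen."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


def detect_by_hash(sample, hash_db):
    return hashlib.sha256(sample).hexdigest() in hash_db


def detect_generic(sample, pattern=FAMILY_CORE):
    """Simplified generic signature: a byte pattern common to the whole family."""
    return pattern in sample


def coverage(known, unseen):
    """Compare both approaches on variants that were never submitted before."""
    hash_db = build_hash_db(known)
    return {
        "hash_signatures_stored": len(hash_db),
        "hash_hits_on_unseen": sum(detect_by_hash(s, hash_db) for s in unseen),
        "generic_signatures_stored": 1,
        "generic_hits_on_unseen": sum(detect_generic(s) for s in unseen),
        "generic_hit_on_unrelated_file": detect_generic(b"constructed benign file"),
    }


if __name__ == "__main__":
    print(coverage(make_variants(100, seed="known"), make_variants(50, seed="new")))
```

The hash database grows by one entry per variant and still misses every variant it has not seen, while the single pattern matches all of them and leaves the unrelated file alone.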
     
  20. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    They DON'T use it to identify malware (at least primarily) - now it's time for all the Norton Community Watch data to really come to use, since it now has a db where all that data is thrown into, and that's checked against on all PCs running the software; Quorum. My guess is that the hash is instead used like your kind of ID to see that "oh, here we have it - this is the unique file that we're seeing on this particular system." Like you've understood yourself, the data which is used in Quorum, is what's gathered from Norton Community Watch. I thought you'd come to that conclusion yourself already, since that's why we discussed why participation in that community is so important. o_O

    Again... generics - Auto-Protect. Community, reputation and gathering of data for fast detection of zero-day malware - Quorum. Don't go in circles again and again. o_O
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, I know - "Someone" was asking about the differences in the community protection.
     
  22. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Understood. I hope no offence was taken.
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    TonyW, I agree. It reflects well on Prevx that PrevxHelp has been willing to share his perspectives in this thread. Hopefully, Symantec will emulate that behavior at some point in the future.

    TonyW, one of the very nice features of the implementation of this privacy policy is that the user can review “the data collected and sent to Symantec by selecting Norton Community Watch in the product’s Security History.” As a result, Symantec provides complete transparency about the data collected. Do you know of any other in-the-cloud anti-malware application that has this same feature?

    PrevxHelp, I am surprised by your perspective that Symantec “only collects hashes of programs.” Clearly, that's not the case. The file hash simply serves as a primary database key that is computed locally and is then uploaded to the cloud, in order to retrieve the associated reputation rating that is stored in the cloud. And, the value of that reputation rating is computed from many file characteristics and behaviors, and is updated continuously as a function of information provided by the voluntary participants in the Norton Community Watch.

    A file's hash is not used to detect malware -- rather, the reputation rating associated with the hash is used (in part) for protection.
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I could be wrong but from what I've read, Symantec does not send up the behavioral information you're referring to - they only send up the file hash, file's vendor information, originating URL, and status of if the PC is infected.
     
  25. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    And, PrevxHelp, I could be wrong -- it wouldn’t be the first time, unfortunately! :) However, what you are suggesting is so bizarre that I can’t imagine any anti-malware vendor would design and develop such a methodology.

    More to the point, I encourage you to view the video available at New Feature for Norton Internet Security 2010 - Download Insight. It seems to be clearly implying that my interpretation of how NIS10 works is correct: (1) the file hash is computed locally, (2) it is uploaded to the cloud, (3) the associated reputation rating is retrieved and downloaded to the client, then (4) that reputation rating is used in several decision engines on the PC for malware identification. The value of the reputation rating, however, is updated continuously based upon a variety of variables that are uploaded from the voluntary participants in the Norton Community Watch. Makes sense?
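A toy model of the four-step lookup listed in the post above, and of the earlier point in the thread that clients which read from but do not write to the "users seen" count skew it. This is an added example, not part of any post and not Symantec's or Prevx's design; `ReputationCloud`, `Client`, `simulate` and the prevalence threshold are assumptions, and the rating is reduced to a count of contributing clients.

```python
import hashlib


class ReputationCloud:
    """Constructed in-memory stand-in for a cloud reputation database."""

    def __init__(self):
        self.seen_by = {}  # file hash (the lookup key) -> ids of contributing clients

    def report(self, client_id, file_hash):
        self.seen_by.setdefault(file_hash, set()).add(client_id)

    def prevalence(self, file_hash):
        return len(self.seen_by.get(file_hash, ()))


class Client:
    def __init__(self, client_id, cloud, contributes):
        self.client_id = client_id
        self.cloud = cloud
        self.contributes = contributes  # opted in to sharing data?

    def check(self, data, threshold):
        file_hash = hashlib.sha256(data).hexdigest()      # (1) hash computed locally
        if self.contributes:
            self.cloud.report(self.client_id, file_hash)   # write: only opted-in clients
        seen = self.cloud.prevalence(file_hash)            # (2)+(3) send hash, get rating
        return "trusted" if seen >= threshold else "unknown"  # (4) local decision


def simulate(installs, contributors, threshold=5):
    """Same file on `installs` machines; only `contributors` of them report it."""
    cloud = ReputationCloud()
    data = b"constructed sample: a widely installed benign program"
    for i in range(installs):
        Client(f"pc-{i}", cloud, contributes=i < contributors).check(data, threshold)
    verdict = Client("reader", cloud, contributes=False).check(data, threshold)
    return cloud.prevalence(hashlib.sha256(data).hexdigest()), verdict


if __name__ == "__main__":
    print(simulate(10, 10))  # every install contributes
    print(simulate(10, 2))   # most installs only read
```

With the same ten installs, the read-only client gets a different verdict depending solely on how many of the other machines contribute, because the cloud can only count what is written to it.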
     