Symantec's new approach in detecting malware

Discussion in 'other anti-virus software' started by Miyagi, Oct 1, 2008.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Back on topic, the new system is community based. Fingers crossed for the law of large numbers!
     
  2. Balatsokas

    Balatsokas Former Poster

    Joined:
    Sep 21, 2008
    Posts:
    86
    Location:
    Land of NoWhere
    Code:
    Take the hard disk of the compromised computer out of that computer
    and stick it into another (clean) computer as a slave drive
    (in other words, not the primary/master drive that that 2nd computer boots from) and scan it that way...
    We -Also- did it to compare this 'proper' method with our -Raw- one (run code off of the suspect drive/system).
    Code:
    Try testing out the Recovery CDs that various vendors make available
    This is what we actually do this period.
    We believed that we would see -Significantly- different results But....
    Forget it. This is not the proper thread.

    To be On Topic,
    NAV2009 was improved but not as much as Marketing wants us to believe.
    This holds for some other 'Big Names', too.
    Not after what I've seen...
    Promotion is one thing and Reality is a different one.
     
  3. hex_614

    hex_614 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    155
    Location:
    Manila, Philippines
    great for norton. i love norton products
     
  4. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    I don't understand how this is not fingerprinting at all. And how this is different to fingerprinting stored in the cloud as he mentioned in the post.

    Isn't it just a community based Whitelist / Blacklist of applications that are Safe, unknown and unsafe stored in the cloud?

    Unless there is more to be unveiled I can't see anything that is so Revolutionary.
     
  5. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    They need to improve much more than what they say.

    ~EC edit: Link to virustotal removed as per TOS~
     
    Last edited by a moderator: Oct 21, 2008
  6. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    NEVER ? :) Wake up.. if you take FPs into account, then both are already behind Symantec as shown by the latest tests.
     
  7. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
  8. rolarocka

    rolarocka Guest

    Why doesn't Virustotal update the engine to the new NIS2009?
     
  9. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I'd rather have a couple more false positives and be #1 in the tests. I use Avira and it's been a little while now since I've had a FP.
     
  10. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
  11. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    if you did that and it worked it would reflect really, really poorly on symantec...
     
  12. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    For me, this sounds pretty much like what PrevX has already been doing for a while. How is this new? And if it's so extremely superior, why is PrevX not "pwning" the market already? How do they want to protect against mass false ratings by botnets? What about things like Antivirus 2008, Antivirus XP which no normal user can distinguish from normal software anymore? Normal users will vote those rogue programs as "good". I guess the malware writers will just get more professional with their social engineering approaches.

    In the end, this is shifting the work from the virus lab to the user. The user now must decide which program is good or not.
     
  13. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's an excellent point. Any 'community based' approach to determining the legitimacy or otherwise of files is only as good as the community that's rating it.

    To the uninformed user the likes of XPAntivirus type rogues are an impressive looking piece of software. If sufficient numbers of such users rate them so then the 'community' is advising users to run malware, simple as.
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    And that is what scares me. When you leave it to John, Dick and Harry, you can hang it up.:doubt:
     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    +1 on this... :thumb:
     
  16. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    While I agree that this is a valid concern, I think people are getting a little carried away with it... vendors would have to be complete morons to leave user ratings as the final word on what's bad and what isn't, and I'm rather confident that they aren't morons... my intuition says that those ratings are going to supplement or be supplemented by vendor supplied ratings...
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    But would you not agree, some do it better than others.:doubt:
     
  18. Medank

    Medank Registered Member

    Joined:
    Aug 25, 2008
    Posts:
    102
    And that is the most wrong thing for the Lab team to do, because many of my friends and many people I know don't know how to decide if a program is good or bad.
     
  19. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Of course they can and will do that. But if you have to recheck the ratings all the time, you don't reduce the workload of the vlab to a reasonable level. Which was the idea (and advantage) of this approach.
     
  20. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    The only positive thing you can gain out of this is getting priorities for reviewing the stuff.
     
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    It's a recipe for lazy vendors to leave it up to Joe Public to sort out their own security. A-squared is using a similar community rating system and during my time testing it's thrown up some interesting recommendations to say the least. Not to say that Emsi is a lazy vendor but others may well place greater importance on this kind of lottery than using expert analysis.
     
    Last edited: Oct 20, 2008
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We (Prevx) have learned that, with no offense intended to our users, the user clearly does not know how to make any decisions on good/bad. Therefore, when a user clicks Block or Allow, we log the decision, however we do NOT say "trust this program if x% of users have clicked Allow" as some other 'community' approaches are doing currently. Obviously, this would lead to a very exploitable framework via botnet/automated response/etc.

    Our approach to 'Community' intelligence is to aggregate behaviors from across the community and analyze them centrally. The analysis of these behaviors allows us to see infections with a unique global perspective and update heuristics on-the-fly without updates, immediately applying them to thousands of samples at once.

    Sure, we might not be "pwning" the market, but we've been doing quite a lot of growing on our own and will continue to do so as we improve our product offerings. :)
     
  23. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Remember those mass outbreaks years ago? How nicely the AV were able to handle them with outbreak sensors and automatic responses? What was the answer of the malware writers? Right, small targeted attacks.

    Now, with the current amount of resources available to the malware writers, I think they could be able to simply switch to single point attacks. Unique samples for every single user. You wouldn't be able to draw conclusions from several users voting. And simply marking every unknown (unique) executable as suspicious will not help either. There are too many of those around. And those cases will be the ones that produce the most work for the AV company as they will still require manual analysis.

    I think this is a good idea but it has serious problems which need to be taken care of. But will the users really accept this approach? All the joe users I know expect their AV program simply to tell them "yes, your computer is clean, this program is safe" and not "this program is maybe not safe to run, because nobody else has executed it before". They will be totally confused.
    And how well did user education work in the past? o_O
     
  24. thathagat

    thathagat Guest

    AV industry bigwigs... have the marketing machinery to create a niche and sadly keep it too for their products; whether the products are up to the mark or not, that is another question....
     