McAfee has a smarter cloud too?

When Artemis came out I think it was just a network lookup with file hash value against their centrally managed signature database.

However, it seems that after F-Secure, McAfee also changed their cloud scanning technology to incorporate file reputation as well.

See here and here.

 

This whole concept is becoming less and less original. More and more vendors seem to be using similar techniques these days. It only takes one vendor to start a specific methodology, and before long others follow.

 

Norton Insight is the first Tier 1 vendor I am aware of that added File Reputation to automatically block executables.. not just prompts like other vendors are doing.

Ofcourse CrackAfee is always close behind sniffing Symantec's ...

 

FYI -- For information about Symantec’s “cloud,” please see this thread.

 

Not really. PrevX and Panda started this long time ago.

 

PrevX is not a tier-1 vendor EVEN if they weren't first, which they were not.

Panda added reputation only recently. Reputation IS NOT EQUAL TO Hosting Definitions in the Cloud. Thats why McAfee's Artemis doesn't qualify

 

I've been thoroughly impressed with Symantec for a while now.. Along with PrevX, and other reputation based AVs.. I've been following their Secure DNS system along with Sunbelt's take on it also.. I like the secure DNS, and gateway filtering solutions along with DEP/SRP and other technologies.. Fun to test drive to see how it holds up compared to traditional signature AV.. Meshed all together it's a great layered approached.

 

I must say that Symantec's cloud technology is by far the most protective one there is. It includes reputation and shows you how many users who've seen the file and how old the file is. Also, SONAR ranks the file based on the risk factors of the file at the same time. No other cloud-based AV does the same and no cloud-based AV provides the same protection.

However, with Prevx 4 (releasing early 2011), the users will be able to do all this without using a heavyweight champion which drains resources and uses signatures.

 

can u really say that with absolute certainty? where did u get this information that no other AV with cloud functions does that?

 

Empirical studies. I've tried most softwares out there.

 

u said "ranks the file based on the risk factors of the file at the same time" and that no other AV does the same, how can u know that for sure without knowing the technical side of all the AV's that have cloud functions?

 

Norton does for example state how many users who've encountered a certain file and when the file was first seen by the cloud. Correct me if I'm wrong, but do tell me if there's any other cloud AV that provivdes this sort of information? Furtermore, in this report, the SONAR2 tells you how risky the file is depending on a numerous of variables, all show to the end-user.

So, do please enlighten my silly mind if there's any other vendor on the cloud market at this date that provides the same excellent service? With Symantecs solution you pretty much get all the info you need in order to determine whether a file is good or bad. It even tells you if the source of the file is suspicious.

 

This is the important part: how do you know that other vendors don't use/include reputation in file processing behind the scenes (i.e not presented to the end user in the form of File insight etc.), thus using that reputation etc. in the cloud backend to determine file status (malicious/not malicious), amongst other criteria?

 

Although not quite containing the detailed info you're referring to, Prevx does currently offer some info on its website. For example, the following page gives details when the file 'OOJIK.EXE' was first seen. (I just plucked this at random to illustrate this point.) This is true for all other filename analyses conducted by Prevx. This is perhaps an area where they're expanding on with the launch of version 4.

Panda CAV provides details of when specific malware was first seen, not the file e.g. Tdss.AL.

Admittedly, these two examples aren't contained within their respective products, but some database structure is there on a website. It is possible Prevx may be providing a live link to more detailed info on files than they do currently without integrating that directly into the program like Norton is doing at the moment. I could be way off the mark with that - it's just a supposition on my part.

 

yes thats exactly my point, shadek never mentioned in the part that i quoted about displaying that information, i was simply saying how do u know other AV's with cloud functions dont do that type of analysis on the backend. remember to pay particular attention to the part of ur statement shadek that i quoted.

 

Kaspersky shows it, but only in the case when it's heuristic analyzer has detected that a relatively unknown (in the cloud) launching application might be potentially malicious (so it still depends on the heuristics).

The information is viewable again at any time though, and for any application.

However I wouldn't say that KL is using KSN as effectively as Norton is using their cloud. IMO KIS should automatically trust any application with 1000+ users and automatically restrict unknown applications without a digital sig even if the heuristic analyzer wouldn't find anything potentially dangerous.

 

Maybe not PrevX. Whether Panda is tier-1 that can be debated but it is NOT something Symantec has started.

I don't agree with that. Collective Intelligence was announced on 2007 which was not only scanning using signatures from cloud but also intelligent scanning in the cloud using file reputation data as well. I do not think Norton 2007 or 2008 had Insight. I might be wrong though.

Which was the point of my thread. McAfee, it seems, followed F-Secure.

 

Can you provide a quote to substantiate this ?

 

From August 2007:
http://research.pandasecurity.com/technology-paper-from-av-to-collective-intelligence/
There's a paper at the end of the article if you care to read up on the details of the different techniques "our cloud" had back then, including reputation, white-listing, etc.. Of course it has evolved quite a bit since then.

In fact the 2007 date mentioned by another poster above is incorrect. The first product we released which took advantage of Collective Intelligence was a really small online scanner called "NanoScan" and this was in 2006:
http://www.pcmag.com/article2/0,2817,2091498,00.asp
The article is from Feb 2007 but the product was released in 2006.

 

Thank you for correcting me.

 

Well then Panda is a pioneer in the field. Well deserved.

Thanks.

 

Panda’s “Collective Intelligence” approach, while worthy of admiration at the time, did not use “file reputation data,” to the best of my knowledge. In fact, the word “reputation” is not to be found at all within Panda’s paper published in 2007 (see From Traditional Antivirus to Collective Intelligence).

Reputation is more than simply whitelisting and more than hosting signatures in the cloud. See, for example: Not all Reputation Technologies are Created Equal.

 

We did not use the word "reputation" back then but we did use reputation as a technique in the cloud backend. Its one of the big pillars of any cloud-scanning infrastructure.

 

I guess it may be a question of how you define ‘reputation.’ Thus, from Panda’s perspective, what are the key distinguishing characteristics of reputation-based security?

As I read the 2007 paper from Panda, I see nothing that conceptually corresponds to the current understanding of reputation-based security -- i.e., it is not a linguistic issue of whether the specific term ‘reputation’ was employed. That paper, innovative in its day, presents “collective intelligence” primarily as a means and a method to enhance malware protection through the more rapid deployment of antivirus signatures to the community of users through cloud-based technologies. For example, the paper describes the main benefit of "collective intelligence" as "these signatures do not need to be downloaded to each client as they operate from the cloud."

If I am overlooking something, then please cite one or more paragraphs in that paper (or in another) that document a more comprehensive approach to ‘reputation’ by Panda in 2007.

Thank you.

P.S.: It is not my intention to be argumentative. However, I do think it is educationally beneficial to be clear about what ‘reputation’ does (or does not) encompass.

 

To us reputation has always been a part of the equation of Collective Intelligence, an important part but not the only part.

It's not something we push down to the client interface (ie: "this program has only been seen in the community x times, do you still want to run it?") but nonetheless use it heavily in the procesing and detection algorithms of the backend. We try to make the implementation much more transparent to the user, by being deterministic about a specific file or object based on many variables (automated analysis, reputation, heuristics, etc.) and not relying on a single one which is more prone to failure. In the example above some people might choose not to run it but some will.

To illustrate differently: security suites rely on multiple layers of protection. Not a single layer can offer perfect security and each layer has its shortcomings and benefits. Its the combination of layers which makes it strong. Likewise a cloud-security infrastructure has different layers in its backend (specific sigs, generic sigs, heuristics, reputation, sandboxing, etc.) and its the combination of these which make it better than a single implementation.

At least that's how we see it, but of course each vendor will have a different view.