Reputation-based antivirus systems

1) Trend Micro Internet Security 2009 / 96.4%

2) Kaspersky Internet Security 2009 / 87.8%

3) Norton Internet Security 2009 / 81.8%

4) McAfee Total Protection Suite 2009 / 81.6%

Article

 

I wonder what the false positive rate is with a system like this. What this article is implying is that files can get flagged as malware simply because they don't have a good enough reputation. That might send the true positive rate through the roof, but what about the false positive rate?

 

A few AV's have high false positives especially McAfee's which dropped from 3rd placing last year to 9th.


AV Comparative

 

Could someone describe how this actually works. Because after reading the article, I thought any file that didn't have a sufficiently good reputation was flagged. So, in other words, it sounds like a whitelist.

But, its obvious that any file you create on your own computer isn't going to have any reputation at all. It can't possibly be flagging every file it doesn't recognize.

So, my next guess is that it's flagging files that users have had some/any problem with but haven't been proven to be malware yet. Correct?

 

I posted this on another thread here about these tests.

How exactly does "reputation based" work?
Does that mean me and 10 of my virus writing buddies can write a virus, whitelist it, and thereby influence whether it gets detected by other users? Does it mean me and several others who dislike a vendor can "blacklist" innocent software and influence whether or not it gets detected by others? Perhaps not easily, but what steps do they (meaning any vendor using reputation based, and "in the cloud" together) take to prevent this?

 

Oh, and one other thing. Is it blacklisting the websites, or just the software? It wasn't that clear to me from the pdf, but perhaps I missed it. And is that aspect consistent across anti-malware vendors who do this?

It actually wouldn't bother me much if it blacklisted the websites, at least until they cleaned up, provided it didn't blacklist websites without cause. At least not often and not too long.

 

Its more "usage analysis " than reputation analysis

Firstly I think it applies to files that can be executable.

It checks how long the programs has been on the users in its databases PC's
and checks if many users in the vendors database have this file.

A new program with a lot of users could well be a virus.
Or a program with very few users could also be a virus.

All AFAIK , see Prevx site for info on how they do it.

 

It had occurred to me that it could just be executables, but still, this type of system can cause a lot of problems, especially for small-time programmers who are just starting out. And what about people who use rare/uncommon programs? And what about people who compile their own programs?

So, if what you're saying is correct, this is basically a whitelist for executables, instead of the normal blacklist. I guess they're admitting the old system is ineffective.

 

Well I think they normally only warn based on those ratings.
Don't actually delete automatically.
& think you can report if a file is ok.

Agree about blacklist. Simply cannot keep pace with new stuff these days.

 

It's true that warnings for any new program the AV's cloud database hasn't seen before could be annoying. But they make AVs for the average user, and the average user doesn't really use tons of uncommon, unknown programs that no-one else uses. Also, the people who compile or even code their own programs could be expected to be smart enough to either not need AVs or at least to configure the AVs so they don't warn on all their own new files (ignore list?)

Personally, while I don't think too highly of AVs, I think the reputation-based / cloud approach will improve detection rates at least, while also probably causing some nasty false positives.

 

Taken from Trend Micro Whitepaper on the topic:
http://uk.trendmicro.com/imperia/md...network/smartprotectionnetwork_whitepaper.pdf

Web Reputation Technology
As a critical element of the Trend Micro Smart Protection Network, Web reputation technology guards against Web- based threats before they endanger a network or a user’s PC. By assigning a relative reputation score to domains and individual pages within these domains, Web reputation technology weighs several factors, including a Web site’s age, any historical location changes, and other factors that might indicate suspicious behavior. The technology then advances this assessment through malware behavior analysis, monitoring network traffic to identify any malware activity originating from a domain. Trend Micro Web reputation technology also performs Web site content crawling and scanning to complement this analysis with a block list of known bad or infected sites. Access to malicious Web pages is then blocked based on domain reputation ratings. To reduce false positives and increase accuracy, Trend Micro’s Web reputation technology assigns reputations to specific pages or links, rather than an entire site, as sometimes only portions of a legitimate site are hacked.

Email Reputation Technology
As an additional layer of protection, email reputation technology can stop up to 80 percent of email-based threats, including emails with links to dangerous Web sites, before these threats reach the network or the user’s PC. Email reputation technology validates IP addresses—or computer addresses—against both a reputation database of known spam sources and a dynamic service that can assess email sender reputation in real time. Reputation ratings are further refined through continuous analysis of the IP addresses’ behavior, scope of activity, and prior history. Malicious emails are blocked in the cloud based
on the reputation of the sender’s IP address, preventing threats such as botnets from reaching the network or the user’s PC. The reputation status is continually updated to ensure that a good reputation is restored when infected bots are cleaned, resuming delivery of legitimate email.

File Reputation Technology
The Trend Micro Smart Protection Network leverages file reputation technology, in addition to Web and email reputation technologies. Cyber criminals frequently move individual files with malicious content from one Web site to another to avoid detection, making file reputation checking a critical element to security in a Web 2.0 world. File reputation capabilities also address the fact that a reputation may not yet be assessed for a Web site that contains a malicious file. In addition, any file attached to an email is checked for malware. Malware in email attachments, if installed, can access the Web as an implementation mechanism. Files should also be checked on the Web itself. File reputation technology essentially checks the reputation of a file against an extensive database before permitting the user to download it. To accomplish this, a data crawl of each file hosted on a Web page or attached to an email, as well as an assessment of each file’s reputation, is performed to continuously update a database of file reputation in real time.

Correlation Technology with Behavior Analysis
The Trend Micro Smart Protection Network uses “correlation technology” with behavioral analysis to correlate combinations of threat activities to determine if they are malicious. Although a single email or other component of a Web threat may appear innocuous, several activities used in conjunction can create a malicious result. So a holistic view—gained by examining the relationship between and across the different components of a potential threat—is required to determine if a threat is actually present.
For example, a user may receive an email from a sender whose IP address has not yet been identified as that of a spam sender. The email includes a URL to a legitimate Web site that is not yet listed as malicious in a Web reputation database. By clicking on the URL, the user is unknowingly redirected to a malicious Web site hosting “information stealers” that are downloaded and installed on the user’s computer, gathering private information for criminal purposes.
Behavior analysis also correlates activities of a single session on the same protocol (e.g. an SMTP attachment with a suspicious double extension), as well as activities during multiple network connection sessions on the same protocol (e.g. a downloader blended threat in which individual files that each appear to be innocent are downloaded, but together form a malicious program). In addition, activities of multiple sessions and different protocols (e.g. SMTP and HTTP) are correlated to identify suspicious combinations of activities (e.g. an email with a URL link to several recipients and an HTTP executable file download from the linked Web page).
Information learned in the behavior analysis function at the gateway is looped back to provide the Web reputation technology and database with site-threat correlation data and to update the email reputation database of known bad IPs and domains. Similarly, information acquired at the endpoint is looped back to the file scanning capability at the gateway, network servers, and the Web reputation capability in the cloud. Both feed-through and loop-back techniques are needed to ensure real-time, Web threat protection across the entire network.

By correlating different threat components and continuously updating its threat databases, Trend Micro has the distinct advantage of responding in real time, providing immediate and automatic protection from email and Web threats.

Feedback Loops
Additionally, because Trend Micro solutions act as a single, cohesive security platform, built-in feedback loops provide continuous communication between Trend Micro products and Trend Micro’s threat research centers and technologies in a two-way update stream to ensure rapid and optimal protection against the latest threats.
Functioning like the "neighborhood watch" approach occurring in many communities, Trend Micro’s extensive global feedback loop system contributes to a comprehensive, up-to-date threat index that enables real-time detection and immediate, “smarter together” protection. Each new threat identified via a single customer’s routine reputation check, for example, automatically updates all Trend Micro’s threat databases around the world, blocking any subsequent customer encounters of a given threat.
Because the threat information gathered is based on the reputation of the communication source, not on the content of the specific communication, latency is not an issue, and the privacy of a customer’s personal or business information is always protected.

 

So, they're using white lists to complement their black lists. It's basically a continually updated white list. It's gotta be amazingly large, otherwise you'll see way too many false positives. I guess for the first time people will see false alarms prior to updates as the norm (rather than no alarms prior to updates) unless I'm missing something. Might I add that AVs now seem to be heading down the same route as HIPS (i.e. nagging alerts)

If the job of an AV didn't also entail cleaning up infections, they wouldn't even need black lists anymore.

I agree.

 

I don't necessarily agree. These kinds of FP appear before or during download. At least in this case, you have no chance to sc**w your machine, as it could be the case with a system file.

As you said, Win, it is an improvement for "average" users. They will simply not install the "not so much" used new program... As a consequence, it could cause even more damage to the little companies (think of Ilya, Tzuk...)

 

Cleaning "could" be done through the cloud as well

 

Not all reputation systems are equal - in fact they work in very different ways. I work for Symantec, just so my biases are clear, however, what we at Symantec call "reputation" is not the same as what other McAfee, Panda or Trend mean.

McAfee appears to be essentially signatures in the cloud with a static white list to cut down on FPs. I'm not sure why they call Artemis a "reputation" system.

Trend also provides signatures in the cloud - in fact they moved the bulk of their sigs into the cloud, reducing their local client footprint. They supplement this with a web site reputation system - so that files downloaded from sites deemed risky are flagged. They seem to do a good job blocking very new threats, though PC Mag had issues with their results. They too have a white list.

Panda I'm not sure of - their site makes it sound like they too are signatures in the cloud and a white list, but there may be more to it.

Symantec/Norton - we have an interesting approach. We too have sigs in the cloud. More importantly, our client sends security ratings of executable files back to us every time it encounters a new file (if the user opted into the Norton Community Watch). So we have collected prevalence data and security ratings on 1.5 billion or so files. This allows us to do some advanced data mining - looking for associations. When our desktop product encounters a new file it queries the database - if it has seen the file it sends the risk rating and the prevalence data.

Since rapidly mutating threats are a big part of the problem, knowing the number of copies of the file is great - after all, it is pretty rare that you will encounter the only copy of a legit program file. So if we know a file is a threat, we block it - no need to scan it again. If the file is known safe, also no need to rescan it. If we don't know, but it looks risky based on prevalence and associations, we tell you before you install or run the file. You make the choice - but at least you have some some data to go by.

The result is much faster scanning, high detection of new and rapidly mutating threats and far fewer FPs (since we know from the community if the file is safe).

I would take NSS Lab's results with a grain of salt - they were thrown out of AMSTO (or they took their ball and went home or their methodology was rejected . . . . . ). At any rate, we don't give their tests much credence. Stick with av-test and av-comp, esp their whole security tests.

 

What do you mean/meant with this?