McAfee has a smarter cloud too?

Discussion in 'other anti-virus software' started by Arin, Oct 19, 2010.

Thread Status:
Not open for further replies.
  1. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    When Artemis came out I think it was just a network lookup with file hash value against their centrally managed signature database.

    However, it seems that after F-Secure, McAfee also changed their cloud scanning technology to incorporate file reputation as well.

    See here and here.
     
    Last edited: Oct 19, 2010
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    This whole concept is becoming less and less original. More and more vendors seem to be using similar techniques these days. It only takes one vendor to start a specific methodology, and before long others follow.
     
  3. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Norton Insight is the first Tier 1 vendor I am aware of that added File Reputation to automatically block executables, not just prompts like other vendors are doing.

    Of course CrackAfee is always close behind sniffing Symantec's ...
     
  4. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    FYI -- For information about Symantec’s “cloud,” please see this thread.
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Not really. PrevX and Panda started this a long time ago.

    :D
     
  6. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    PrevX is not a tier-1 vendor EVEN if they weren't first, which they were not.

    Panda added reputation only recently. Reputation IS NOT EQUAL TO Hosting Definitions in the Cloud. That's why McAfee's Artemis doesn't qualify.
     
  7. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84
    I've been thoroughly impressed with Symantec for a while now, along with PrevX and other reputation-based AVs. I've been following their Secure DNS system along with Sunbelt's take on it also. I like the secure DNS and gateway filtering solutions along with DEP/SRP and other technologies. Fun to test drive to see how it holds up compared to traditional signature AV. Meshed all together it's a great layered approach.
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I must say that Symantec's cloud technology is by far the most protective one there is. It includes reputation and shows you how many users have seen the file and how old the file is. Also, SONAR ranks the file based on the risk factors of the file at the same time. No other cloud-based AV does the same and no cloud-based AV provides the same protection.

    However, with Prevx 4 (releasing early 2011), the users will be able to do all this without using a heavyweight champion which drains resources and uses signatures.
     
  9. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Can you really say that with absolute certainty? Where did you get this information that no other AV with cloud functions does that?
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Empirical studies. I've tried most software out there.
     
  11. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    You said "ranks the file based on the risk factors of the file at the same time" and that no other AV does the same. How can you know that for sure without knowing the technical side of all the AVs that have cloud functions?
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Norton does for example state how many users have encountered a certain file and when the file was first seen by the cloud. Correct me if I'm wrong, but do tell me if there's any other cloud AV that provides this sort of information? Furthermore, in this report, SONAR2 tells you how risky the file is depending on numerous variables, all shown to the end-user.

    So, do please enlighten my silly mind if there's any other vendor on the cloud market at this date that provides the same excellent service? With Symantec's solution you pretty much get all the info you need in order to determine whether a file is good or bad. It even tells you if the source of the file is suspicious.
     
  13. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    This is the important part: how do you know that other vendors don't use/include reputation in file processing behind the scenes (i.e., not presented to the end user in the form of File Insight etc.), thus using that reputation etc. in the cloud backend to determine file status (malicious/not malicious), amongst other criteria?
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Although not quite containing the detailed info you're referring to, Prevx does currently offer some info on its website. For example, the following page gives details of when the file 'OOJIK.EXE' was first seen. (I just plucked this at random to illustrate the point.) This is true for all other filename analyses conducted by Prevx. This is perhaps an area they're expanding on with the launch of version 4.

    Panda CAV provides details of when specific malware was first seen, not the file e.g. Tdss.AL.

    Admittedly, these two examples aren't contained within their respective products, but some database structure is there on a website. It is possible Prevx may be providing a live link to more detailed info on files than they do currently without integrating that directly into the program like Norton is doing at the moment. I could be way off the mark with that - it's just a supposition on my part.
     
  15. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Yes, that's exactly my point. shadek never mentioned in the part that I quoted anything about displaying that information; I was simply asking how you know other AVs with cloud functions don't do that type of analysis on the backend. Remember to pay particular attention to the part of your statement, shadek, that I quoted.
     
  16. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    Kaspersky shows it, but only in the case when its heuristic analyzer has detected that a relatively unknown (in the cloud) launching application might be potentially malicious (so it still depends on the heuristics).

    The information is viewable again at any time though, and for any application.

    However I wouldn't say that KL is using KSN as effectively as Norton is using their cloud. IMO KIS should automatically trust any application with 1000+ users and automatically restrict unknown applications without a digital sig even if the heuristic analyzer wouldn't find anything potentially dangerous.
     
  17. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Maybe not PrevX. Whether Panda is tier-1 that can be debated but it is NOT something Symantec has started.

    I don't agree with that. Collective Intelligence was announced in 2007, and it was not only scanning using signatures from the cloud but also intelligent scanning in the cloud using file reputation data as well. I do not think Norton 2007 or 2008 had Insight. I might be wrong though. ;)

    Which was the point of my thread. McAfee, it seems, followed F-Secure.
     
  18. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Can you provide a quote to substantiate this?
     
  19. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    From August 2007:
    http://research.pandasecurity.com/technology-paper-from-av-to-collective-intelligence/
    There's a paper at the end of the article if you care to read up on the details of the different techniques "our cloud" had back then, including reputation, white-listing, etc. Of course it has evolved quite a bit since then.

    In fact the 2007 date mentioned by another poster above is incorrect. The first product we released which took advantage of Collective Intelligence was a really small online scanner called "NanoScan" and this was in 2006:
    http://www.pcmag.com/article2/0,2817,2091498,00.asp
    The article is from Feb 2007 but the product was released in 2006.
     
  20. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Thank you for correcting me. :)
     
  21. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Well then Panda is a pioneer in the field. Well deserved. :thumb:

    Thanks.
     
  22. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Panda’s “Collective Intelligence” approach, while worthy of admiration at the time, did not use “file reputation data,” to the best of my knowledge. In fact, the word “reputation” is not to be found at all within Panda’s paper published in 2007 (see From Traditional Antivirus to Collective Intelligence).

    Reputation is more than simply whitelisting and more than hosting signatures in the cloud. See, for example: Not all Reputation Technologies are Created Equal.
     
  23. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    We did not use the word "reputation" back then but we did use reputation as a technique in the cloud backend. It's one of the big pillars of any cloud-scanning infrastructure.
     
  24. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I guess it may be a question of how you define ‘reputation.’ Thus, from Panda’s perspective, what are the key distinguishing characteristics of reputation-based security?

    As I read the 2007 paper from Panda, I see nothing that conceptually corresponds to the current understanding of reputation-based security -- i.e., it is not a linguistic issue of whether the specific term ‘reputation’ was employed. That paper, innovative in its day, presents “collective intelligence” primarily as a means and a method to enhance malware protection through the more rapid deployment of antivirus signatures to the community of users through cloud-based technologies. For example, the paper describes the main benefit of "collective intelligence" as "these signatures do not need to be downloaded to each client as they operate from the cloud."

    If I am overlooking something, then please cite one or more paragraphs in that paper (or in another) that document a more comprehensive approach to ‘reputation’ by Panda in 2007.

    Thank you. :)

    P.S.: It is not my intention to be argumentative. However, I do think it is educationally beneficial to be clear about what ‘reputation’ does (or does not) encompass.
     
  25. pbust

    pbust AV Expert

    Joined:
    Apr 29, 2009
    Posts:
    1,173
    Location:
    Spain
    To us reputation has always been a part of the equation of Collective Intelligence, an important part but not the only part.

    It's not something we push down to the client interface (i.e., "this program has only been seen in the community x times, do you still want to run it?") but we nonetheless use it heavily in the processing and detection algorithms of the backend. We try to make the implementation much more transparent to the user, by being deterministic about a specific file or object based on many variables (automated analysis, reputation, heuristics, etc.) and not relying on a single one, which is more prone to failure. In the example above some people might choose not to run it but some will.

    To illustrate differently: security suites rely on multiple layers of protection. Not a single layer can offer perfect security, and each layer has its shortcomings and benefits. It's the combination of layers which makes it strong. Likewise a cloud-security infrastructure has different layers in its backend (specific sigs, generic sigs, heuristics, reputation, sandboxing, etc.) and it's the combination of these which makes it better than a single implementation.

    At least that's how we see it, but of course each vendor will have a different view.
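The layered verdict that Rampastein and pbust describe in the posts above (auto-trust above a prevalence threshold, restrict unknown unsigned files, a conventional cloud-hosted signature lookup, and backend heuristics, combined so that no single signal decides) as an added worked example. This is not code from the thread or from any vendor named in it; the record fields, the backend table, the file bytes, the 30-day and score thresholds and the `classify` function are all constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed record shape for what a cloud backend might hold per file hash.
# Field names and values are assumptions for this example, not any vendor's schema.
@dataclass
class ReputationRecord:
    users_seen: int        # community prevalence: how many clients reported this hash
    first_seen: date       # when the backend first saw this hash
    signed: bool           # a valid code-signing signature is present (verification assumed done)
    signature_hit: bool    # a conventional, cloud-hosted malware signature matched
    heuristic_score: int   # 0..100 from backend heuristics/sandboxing; higher is more suspicious

TODAY = date(2010, 10, 19)  # fixed clock so the example is deterministic

def sha256_hex(data: bytes) -> str:
    """The client sends only a hash of the file, as hash-lookup clouds do."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample files (byte strings stand in for real executables).
SAMPLES: Dict[str, bytes] = {
    "widely_used.exe": b"constructed: popular, signed, 400 days old",
    "fresh_unsigned.exe": b"constructed: three users, one day old, unsigned",
    "signed_new.exe": b"constructed: few users, signed, clean heuristics",
    "signed_suspicious.exe": b"constructed: few users, signed, hostile heuristics",
    "known_bad.exe": b"constructed: conventional signature match",
}

# Constructed backend table keyed by hash (hypothetical data).
CLOUD_DB: Dict[str, ReputationRecord] = {
    sha256_hex(SAMPLES["widely_used.exe"]): ReputationRecord(25000, TODAY - timedelta(days=400), True, False, 5),
    sha256_hex(SAMPLES["fresh_unsigned.exe"]): ReputationRecord(3, TODAY - timedelta(days=1), False, False, 20),
    sha256_hex(SAMPLES["signed_new.exe"]): ReputationRecord(12, TODAY - timedelta(days=3), True, False, 10),
    sha256_hex(SAMPLES["signed_suspicious.exe"]): ReputationRecord(12, TODAY - timedelta(days=3), True, False, 85),
    sha256_hex(SAMPLES["known_bad.exe"]): ReputationRecord(40, TODAY - timedelta(days=2), False, True, 90),
}

TRUSTED_USERS = 1000  # the "1000+ users" auto-trust threshold suggested in the thread
MIN_AGE_DAYS = 30     # assumption: prevalence only counts once the file has aged a little
BLOCK_SCORE = 70      # assumption: heuristic score at which the backend blocks outright

def classify(data: bytes, db: Dict[str, ReputationRecord] = CLOUD_DB,
             today: date = TODAY) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'restrict' or 'block'.

    Layers are consulted in order and each contributes a reason, so the
    verdict can be explained to the user rather than being a bare prompt.
    """
    rec: Optional[ReputationRecord] = db.get(sha256_hex(data))
    reasons: List[str] = []
    if rec is None:
        # Never reported by the community: safest default is to restrict, not block.
        return "restrict", ["hash unknown to the cloud"]

    # Layer 1: conventional signature hosted in the cloud (the pure hash-lookup model).
    if rec.signature_hit:
        return "block", ["conventional signature match"]

    # Layer 2: backend heuristics/sandboxing can block regardless of prevalence or signing.
    if rec.heuristic_score >= BLOCK_SCORE:
        return "block", [f"heuristic score {rec.heuristic_score} >= {BLOCK_SCORE}"]

    # Layer 3: reputation by prevalence and age.
    age_days = (today - rec.first_seen).days
    if rec.users_seen >= TRUSTED_USERS and age_days >= MIN_AGE_DAYS:
        reasons.append(f"seen by {rec.users_seen} users over {age_days} days")
        return "allow", reasons
    reasons.append(f"low prevalence ({rec.users_seen} users, first seen {age_days} day(s) ago)")

    # Layer 4: low-prevalence files are restricted unless they carry a digital signature.
    if not rec.signed:
        reasons.append("unsigned")
        return "restrict", reasons
    reasons.append("digitally signed, no adverse findings")
    return "allow", reasons

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = classify(data)
        print(f"{name:24s} {verdict:8s} {'; '.join(why)}")
```

The ordering is the design point: the signature and heuristic layers run before prevalence so that a widely distributed file still gets blocked when the backend has hard evidence against it, while prevalence and signing only decide the cases where nothing adverse was found, which is what "not relying on a single one" amounts to in practice.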
     