Why is my cloud better than your cloud?

Discussion in 'other anti-virus software' started by Pleonasm, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, also note that Symantec hasn’t disclosed a complete listing of the parameters collected and used in the computation of the reputation ratings, but a partial enumeration of these file “behaviors” is at New Feature for Norton Internet Security 2010 - Download Insight. Thus, it does seem that Symantec isn't “only collecting hashes of programs.”

    Which of these parameters are used by Symantec when creating anti-malware signatures is unknown. However, when Norton Internet Security actually identifies a threat, it transmits additional information to the cloud about that specific threat “only for the purpose of improving the ability of Symantec's products to detect malicious behavior.”
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    McAfee's Artemis is only sending up hashes - which is why I'm assuming Symantec's does as well, being that they don't say they are sending up anything else.

    Until Symantec explicitly says that they're sending up behavioral data to the cloud to analyze the behaviors of the program to give back a good/bad reputation rating, I can't assume that it is.

    I know they are doing some degree of behavioral analysis locally but it is a world of difference if they're aggregating them centrally and analyzing them with rules/generic signatures in the cloud.
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    This is exactly why I wish somebody from Symantec would chip in here and tell us all just exactly what they are doing. It would put some minds at rest, or not as the case may be. ;)

    The one thing I do know is NIS2010 is still in beta; we may get to know more through their blogs or from marketing as time goes on towards the final release. However, I can't see them divulging too much technical detail like this as it'll just befuddle the ordinary user. This is probably why a lot of people will leave the defaults set, and some of those people will not even review the info about the data collected/sent to Symantec even though, as Pleonasm says, that option is there.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Deleted
     
    Last edited: Jul 18, 2009
  5. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    I heard nothing about Kaspersky using cloud technology. I only heard that Kaspersky would focus on HIPS and had made many improvements.
     
  6. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Does Norton's Cloud Technology mean getting more viruses from the Internet? It is different from Rising's Cloud Technology. Rising's Cloud Technology means getting viruses from Rising's users. It seems Rising's Cloud Technology needs a number of users. In my opinion, it is not a good way to improve virus detection.
     
  7. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Yes, now many AV companies use Cloud Technology. But, I think, HIPS is better than Cloud Technology. HIPS can detect and prevent unknown viruses by observing the virus's behavior. But some Cloud Technology can only give AV companies more samples of viruses. As viruses update, Cloud Technology can provide the newest viruses in time. It is a little bad.
     
  8. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Kaspersky does have a cloud type thing, forget what it's called though, it's something like Kaspersky Security Network or something, can someone else clarify.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    I think Symantec must be doing something like this, or at least sending up a summary of the local behavioural analysis, because they have said that one of the parameters used to calculate the reputation score of a file is the "basic health of the system submitting the data".

    In essence, the approach used by their Quorum reputation system does look remarkably similar to how prevx works. Of course, whether Quorum is as sophisticated as prevx, and whether it will work as well, only time will tell. It's often said that imitation is the sincerest form of flattery. ;)
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Quote on a Symantec employee over at the official forums for the topic "AntiVirus Signatures on the Client (versus in the Cloud)" - might be interesting facts:


    "Actually, we have both in the cloud. We place our signatures in the cloud, and our reputation ratings.

    The benefit of having the signatures in the cloud is it enables us to shorten the time it takes to deploy a signature. This is just like what other vendors are doing. Of course, last year we were already deploying signatures every 5 minutes, which was faster than anyone else in the industry. With NIS 2010 we're doing both - placing signatures in the cloud immediately, and continuing to send down signatures every 5 minutes. The result is you have protection from the latest signatures instantly, and are still protected even when the Internet isn't available.


    Signatures in the cloud is great, but it's a separate thing from the reputation ratings. The ratings are based on an entirely new technology that we've been working on for several years to completely change the way we detect threats (we're very excited about it). It just so happens it is easily deployed via the cloud. We think it is much more valuable than just putting signatures in the cloud - hence we've been touting it but forgetting to mention that the signatures are there too."
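The hybrid arrangement the quoted post describes (a hash-only cloud query tried first, a periodically refreshed local signature set as the fallback when offline) can be sketched as a small model. This is an added illustration, not Symantec's or Prevx's code; the cloud service, signature sets and sample file bytes are all constructed for the example.

```python
import hashlib
from typing import Dict, Tuple

Verdict = str  # "malware" or "unknown"

# Constructed sample files standing in for what a scanner reads from disk.
SAMPLE_FILES = {
    "calc.exe": b"MZ\x90\x00 constructed benign sample",
    "dropper.exe": b"MZ\x90\x00 constructed malicious sample",
}

def sha256_hex(data: bytes) -> str:
    """In a hash-only lookup this digest is the only thing that leaves the PC."""
    return hashlib.sha256(data).hexdigest()

# Signature sets keyed by file hash. The local set lags the cloud set because it
# is only refreshed on a schedule, so a brand-new detection may exist in the
# cloud before any client has pulled it down.
CLOUD_SIGNATURES: Dict[str, Verdict] = {
    sha256_hex(SAMPLE_FILES["dropper.exe"]): "malware",
}
LOCAL_SIGNATURES: Dict[str, Verdict] = {}

class CloudUnavailable(Exception):
    """Raised when the client has no connectivity (simulated)."""

def cloud_lookup(digest: str, online: bool) -> Verdict:
    """Constructed stand-in for the cloud signature/reputation service."""
    if not online:
        raise CloudUnavailable("no connectivity")
    return CLOUD_SIGNATURES.get(digest, "unknown")

def scan(data: bytes, online: bool) -> Tuple[Verdict, str]:
    """Return (verdict, source). Cloud first, local signatures when offline."""
    digest = sha256_hex(data)
    try:
        return cloud_lookup(digest, online), "cloud"
    except CloudUnavailable:
        return LOCAL_SIGNATURES.get(digest, "unknown"), "local"

def pull_signature_update() -> int:
    """The periodic 'send down' that keeps the offline fallback useful.
    Returns how many new signatures the local set gained."""
    before = len(LOCAL_SIGNATURES)
    LOCAL_SIGNATURES.update(CLOUD_SIGNATURES)
    return len(LOCAL_SIGNATURES) - before

if __name__ == "__main__":
    sample = SAMPLE_FILES["dropper.exe"]
    print("online, before update:", scan(sample, online=True))
    print("offline, before update:", scan(sample, online=False))
    print("pulled", pull_signature_update(), "new signature(s)")
    print("offline, after update:", scan(sample, online=False))
```

The gap between the second and fourth lines of output is the window the post is talking about: a detection that the cloud already serves instantly, but that an offline client only gets once the scheduled update has arrived.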
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567

    From 'what's new' over at forums:

    "Enhanced SONAR
    The SONAR behavioral protection technology was completely re-written for the 2010 products. SONAR now also utilizes the Quorum backend intelligence technology to further improve detections and reduce false positives."


    My conclusion would be that one way or another it's working with Quorum, and either SONAR is what determines the "danger rating" (behavior analysis) of files that you run - when analyzed by Quorum - OR, if it can't be determined by the signatures available in the cloud, or Quorum, SONAR will take data of Quorum into its determination when making a behavior analysis itself.
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, I am perplexed. On the one hand, you have discussed the variables that are uploaded into the cloud to allow Norton Internet Security 2010 to compute reputation ratings (e.g., see your post #68); yet, on the other hand, you state that “Symantec has openly said they only collect hashes of programs” (see your post #149).

    With respect to reputation ratings, my understanding is that the value of a reputation rating for any specific file is computed and continuously updated based upon many parameters collected across the userbase; that the value is retrieved from the cloud through the association with the file’s hash; and that the value is used by decision engines (plural) on the PC to classify the file as “safe” or as “malware.”

    With respect to signatures, some news is emerging on whether NIS10 also retrieves signatures from the cloud when making a malware assessment (see this thread on the Symantec forum which Raven211 quoted in reply #167). We’ll need to await further clarification from Symantec personnel.

    Pegr, I do agree. From a user’s perspective, the key question is performance -- how well does any one anti-malware solution succeed in detecting and preventing malware? At this point, it is unknown whether the Prevx or the Symantec approach will yield different levels of performance and, if they do, which is superior.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I am not a Symantec employee and I am merely making assumptions based on material available online. If you look at this link: http://community.norton.com/t5/Nort...curity-2010-Download-Insight/ba-p/113827#A325

    They describe the reputation score as being composed of:

    " - How many instances of a particular file are seen?
    - How long has that file been around?
    - From which URLs were they downloaded?
    - What is the basic health of the system that is submitting the data?
    - Which software vendor does the file belong to?"

    They do not mention behavior at all, therefore I doubt they use behavior for their reputation ratings. Referring to the difference in my posts - the extra data which they collect is used for context, not actual fuzzy detection of threats, i.e. a flag if your PC is infected.

    Regarding their signatures in the cloud, it is vastly different if they are analyzing files/data in the cloud or if they are using the cloud as a supplement to the local signatures - McAfee's Artemis uses file hashes to detect new static threats if they've identified them in the lab and want to block that specific file before they can issue an update. This is a world of difference away from actually scanning with generic signatures in the cloud, as Prevx and Panda do.

    From what I've seen, I am still convinced that what Symantec is doing with their reputation ratings/Quorum is a subset of what Prevx and Panda are doing.
     
  14. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Ah, PrevxHelp, that comment was most helpful. I too am not a Symantec employee and am also basing my comments on publicly available information, but I must agree: it does indeed appear that the reputation ratings are exclusive of a file’s behavior, if by “behavior” we mean activities such as attempted modifications to the registry and network activity. Reputation ratings seem to be more akin to file characteristics -- although, in fairness, it should be noted that Symantec isn't disclosing the full set of variables incorporated in their computation.

    PrevxHelp, I have seen nothing from Symantec to suggest that the actual scanning of a file (i.e., the decision of whether a file is “safe” or is “malware”) takes place in the cloud. To the best of my knowledge, all decision engines in Norton Internet Security 2010 run locally on the client -- but, use input obtained from the cloud. As noted in reply #169, the question of whether the signatures employed in a file scan are obtained locally or via the cloud is yet to be clarified.

    As expected, Symantec has a different perspective:

    “Signatures in the cloud is great, but it's a separate thing from the reputation ratings. The ratings are based on an entirely new technology that we've been working on for several years to completely change the way we detect threats (we're very excited about it). It just so happens it is easily deployed via the cloud. We think it is much more valuable than just putting signatures in the cloud - hence we've been touting it but forgetting to mention that the signatures are there too.” (Source: this thread)

    PrevxHelp, what would need to be known about Symantec’s reputation ratings in order to determine (1) if they in fact are a subset of Prevx’s approach or (2) if they are indeed “an entirely new technology”?

    Thank you.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Based on what Symantec has said already (and what I've quoted from their page), their technology is indeed a subset of what we do - we already use all of the metrics above (vendor/infected system status/file age/popularity) to determine the reputation of the file, but we also use our behavioral analysis centrally (and you are correct when I'm referring to behaviors as "X program modifying Y registry entry, deleting Z file, and downloading W url").

    We aren't just focusing on signatures or individual files, we look at everything the local analysis would see and take a centralized view to correlate each piece of data across the community.

    I don't see anything "entirely new" to the world but I do believe that this technology is "entirely new" to them (Symantec).
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    The technology has been developed over many, many years - I would guess they started somewhere around when the Norton Community Watch started. Again and again and again - SONARv2.
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'll take the same quote again... "Actually, we have both in the cloud. We place our signatures in the cloud, and our reputation ratings."
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The question still remains, however, which Pleonasm raised in the Symantec forum - when you scan a file on your PC, what happens and what signature is actually given from the cloud? There are many things which they could do that they would call signatures but they aren't technically true signatures unless you only want to detect a single file by its hash.
     
  19. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm sorry, but I don't quite understand - could you try to elaborate? Thanks :)
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm just curious as to if their in-the-cloud scanning provides equivalent detection to their local signature base, therefore invalidating the need to store signatures locally except for the case to protect the user when offline.
     
  21. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yes, I would guess that's it - they're able to protect the user even if offline and deliver instant detection thanks to a database similar to yours when it comes to the signatures. "Instant" is what's mentioned in the quoted post that I posted previously.

    Don't worry about worse performance because of local database or something else - it'll do intensive tasks only when the system is idle. ;) This means that it'll only protect the system better.
     
  22. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, that is intriguing. Are you saying that “behaviors” are the fundamental, atomic (most granular) unit in the database that is queried during the scan of a file?

    Beyond the following patents, are there other documents (e.g., Prevx authored white papers) that provide additional insight into the methods used by Prevx for malware detection and prevention?

     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Behaviors are the core way which we detect programs and we correlate them in multiple different views (one being on a per-file basis, for example).

    We don't have any public whitepapers describing how our technology works (and for what it's worth, those patents outline only a portion of what we do today).
     
  24. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, I am not aware that Norton Internet Security 2010 performs scanning in-the-cloud, if we define “scanning” as the process by which a decision is made about whether a file is “safe” or is “malware”. My understanding (and someone please correct me if I am mistaken) is that all decision engines in NIS10 run locally on the client -- but, use input obtained from the cloud.

    It is possible that Symantec has determined that executing a file scan locally (with input from the cloud) is advantageous to scanning in-the-cloud, since a local decision making process has access to a plethora of information about the file and its behavior that might be prohibitively troublesome to upload and to maintain in-the-cloud. Consider, for example, that SONAR 2 alone uses 400+ data points in making a malware assessment.
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is my understanding as well.

    Yes, this is the differentiation between Prevx and Symantec's SONAR 2. Correct me if I'm wrong, but SONAR 2 makes the decisions locally (even if it does receive input from the reputation checking, the behaviors are not each sent up to the database). We send up data about ~400 data points as well (not sure of the counts anymore but Prevx2 had ~300 around 2-3 years ago) and then we make the decision centrally - it requires quite a lot of computing power and a carefully designed database/transaction format both locally and centrally but that allows us to leverage the same/similar data as SONAR does locally from a centralized perspective.
     