Why is my cloud better than your cloud?

Discussion in 'other anti-virus software' started by Pleonasm, Jul 6, 2009.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I dunno if you were referring to this, but anyways - there's where it describes that about 400 data points are taken into consideration. The technology of SONAR is only updated occasionally - that is, when needed - just like all the other behavior blockers and so on. Since it's indeed the behavior blocker Norton, which has been improved a lot since 2009-line (referring to the improvements mentioned in the blog - data points, cooperation with Quorum, etc., etc.), it doesn't need to be updated frequently. That it's local in many aspects often leads to improved "performance" and a faster result at least in my case.
     
  2. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Raven211, that’s a good catch. Upon reading the Symantec forum comment again, it says: “We place our signatures in the cloud, and our reputation ratings. ... The result is you have protection from the latest signatures instantly...” (see here). If a user receives “instant” protection from signature updates, then logically it seems that Norton Internet Security 2010 must be querying signatures in-the-cloud during a file scan that is locally executed.

    Excellent insight! Yes, it appears that SONAR 2 (in conjunction with the other decision engines contained within Norton Internet Security 2010) decides locally whether a file is safe or not. That decision, however, considers reputation ratings and signatures from within Symantec’s cloud, thereby incorporating a similar (but not the same) “centralized perspective” as Prevx.

    Obviously, I do not know what behaviors are uploaded to Symantec’s in-the-cloud database (nor is the company releasing that information). Possibly Symantec has likewise created a transactional database in-the-cloud to collect and analyze a large (400+) number of uploaded data points? After all, Symantec has considerable expertise in database management technology.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, but this isn't what I'm wondering about - the actual behavioral analysis components of an AV rarely have to be updated (i.e. we haven't put out an update to the engine in ~2 months) but the fact of whether the programs are blocked by local analysis/interpretation of behaviors or if they send up those behaviors to the centralized database for a determination is the difference.

    From what I can see and from what you've said, it looks like Symantec does not send up behaviors centrally for analysis.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sure, that's possible, but I'd think they would have mentioned it at least somewhere if they're doing this as it is a massive deviation from where they have been in the past.
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    KL does indeed use in the cloud technology. In their current products it's called the Kaspersky Security Network [KSN]. They do discuss in the cloud technologies in a Viruslist article I posted at #78. (To save you looking for it, here it is again.) They foresee moving over to the cloud in a few years' time as their databases will be extremely large resulting in higher memory use and a decrease in scanning processes.

    KL Support has this page on KSN within their 2010 products.

    Although the methodology is different, in a way they're currently similar to Symantec in that they're utilising all components to provide protection assuming, of course, that users enable the various modules to benefit from this.
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    This may be equivalent to the pulse updates that are a feature in the 2009 line of products that downloads the latest signatures every 5-15 minutes locally. I'm not sure if they're retaining this feature or letting the cloud take care of that aspect or even combining the two, but I would suspect if you're going to use the cloud with signatures, there's no need for the local base to be updated every few minutes in addition.
     
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Doesn't matter since the results are the same; Quorum works with SONAR - SONAR works with Quorum. All the components work together. One way or the other the software will come to a determination - behavior analysis included.
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, this is an interesting architectural difference between the products about which I would like to learn more. However, if the net result (i.e., percent correctly identified malware) in both cases is ‘equivalent,’ there seems to be little reason to argue for one approach versus another (as Raven211 has also noted).

    PrevxHelp, I have no reason to believe that Symantec hasn’t historically uploaded significant amounts of information from a PC for a detected threat. The privacy policy of Norton Internet Security does state that the product operates in this manner. It does not, however, list the specific behavioral information that is captured and retained by Symantec.

    TonyW, that does not appear to be the case. The same comment from Symantec says “With NIS 2010 we're doing both - placing signatures in the cloud immediately, and continuing to send down signatures every 5 minutes. The result is you have protection from the latest signatures instantly, and are still protected even when the Internet isn't available.” (See here).
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I did - but my comment/question is to the extent to which the data is analyzed/aggregated, and I'm afraid Symantec is most likely not going to divulge that information.
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Hm... I'm not sure... I don't think I get this completely as well. Could you elaborate here as well - thanks a lot. :D


    Dunno if these are the details you're looking for, but here's another post from the employee on the topic "AntiVirus Signatures on the Client (versus in the Cloud)":


    "Both are used. The scan uses the local signatures. It also uses heuristics to find suspicious programs, and these are checked against the cloud definitions. The heuristics are very aggressive since there is no fear of false positives, because to convict we require the cloud to confirm it is a threat. To be clear, the whole cloud (what we call Quorum) is used in this scenario - signatures and reputation.


    We also use Quorum at other points in the product - we use them in combination with SONAR, with Download Insight, and on our "quick scan" which scans running processes. "
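
A simplified model of the scan flow the quoted Symantec posts describe (local signatures first, aggressive heuristics that only nominate files, cloud confirmation required to convict), added here as an illustration; it is not part of the thread and not Symantec's code. The function names, hashes, traits and the "suspicious" outcome for unconfirmed files are assumptions.

```python
# Simplified model of the scan flow quoted above. All names, hashes and
# traits are constructed for illustration; this is not vendor code.

LOCAL_SIGNATURES = {"hash-old-worm"}                      # pushed to the client
CLOUD_SIGNATURES = {"hash-old-worm", "hash-new-trojan"}   # cloud is updated first
CLOUD_REPUTATION = {"hash-packed-installer": "good"}      # reputation ratings

# Deliberately broad: these traits also match plenty of legitimate software.
AGGRESSIVE_TRAITS = {"packed", "adds_autorun", "no_publisher"}


def cloud_lookup(file_hash, online):
    """Return 'bad', 'good' or 'unknown'; None if the cloud is unreachable."""
    if not online:
        return None
    if file_hash in CLOUD_SIGNATURES:
        return "bad"
    return CLOUD_REPUTATION.get(file_hash, "unknown")


def scan(file_hash, traits, online=True):
    """Return 'convicted', 'suspicious' or 'clean' for one file."""
    # Step 1: local signatures need no network connection.
    if file_hash in LOCAL_SIGNATURES:
        return "convicted"
    # Step 2: heuristics only nominate a file for a cloud check.
    if not (set(traits) & AGGRESSIVE_TRAITS):
        return "clean"
    # Step 3: conviction requires the cloud to confirm the threat.
    answer = cloud_lookup(file_hash, online)
    if answer == "bad":
        return "convicted"
    if answer == "good":
        return "clean"   # the broad heuristic hit is overruled: no false positive
    # Assumption: an unknown file or an unreachable cloud leaves it unconvicted.
    return "suspicious"


if __name__ == "__main__":
    samples = [
        ("hash-old-worm", []),
        ("hash-new-trojan", ["packed"]),
        ("hash-packed-installer", ["packed", "no_publisher"]),
        ("hash-plain-tool", []),
    ]
    for file_hash, traits in samples:
        print(file_hash, scan(file_hash, traits, True), scan(file_hash, traits, False))
```

In this model only the threat whose signature has already reached the client is convicted offline; a threat known only to the cloud stays "suspicious" until connectivity returns.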
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I think what PrevxHelp means is the more intricate technical details will most likely be kept to Symantec's chest; the posts you're seeing are written in terms that most people will understand. I think what PrevxHelp is saying is that they're not explicitly giving away what data is actually being aggregated - they're explaining how it's being scanned and what with, not what part and how much.

    Like what I've said before, it'll be a race as to which component hits first, and for most people that'll most likely be the local signatures since they're being updated every 5 minutes or so.

    I think we're perhaps reading too much into this. Symantec are obviously trying to put all their eggs into one basket and saying look, we have several methods here to keep you protected, and one or more of them should kick in when dealing with malware.

    Several other products are using similar techniques with different modules; then you get the standalone cloud-only offerings. Each of them has their merits, and every year they try to up their game. Marketing will do their best to convince customers their product is the one that has it all. Eventually, as KL points out in their article, in a few years many AV vendors will probably switch to cloud-only anyway, especially as dial-up internet access becomes less and less.
     
  12. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    May I support Page42's comments.

    A lot of the posts in this thread seem to be about Norton's latest offering but I do not see any similar threads over at the Norton Beta forums.

    Why don't you tie up the Symantec support there and leave the Prevx boys to concentrate on real support queries for their software?
     
    Last edited: Jul 20, 2009
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I think you got this a little wrong... PrevxHelp (Joe) is questioning Norton's effectivity and approach, and we respond. At least that's how it begins and what I usually reply to, then Pleonasm may as a follow-up question Prevx's effectivity and approach in the form of a reply - his activity here is completely his own choice in this matter.
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Good post - I agree. The reason I'm replying is that even if he understands that this is the case, Joe seems to still be questioning it and so on. No offence, Joe. :)
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I don't think Blackcat has actually got it wrong; what he is suggesting is that some of these questions about the effectiveness and approach of Symantec's new offering could also be put to them in their own forums. Seeing as no-one from Symantec is actively responding here, their own forums may be a starting point to get some insights (pardon the pun!) into how the 2010 line products will work, and I don't mean the information that's already available on their blog. Some users have asked some interesting questions here, and it would be nice to know the real answers from the horse's mouth so to speak; whether Symantec choose to answer is a different matter. :)
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, now I get it. It's just that what I've seen has been mostly assumptions and such being made on how effective Norton is, and so I've responded to that the best I can. The good questions that have been made have not been made by me (at least I think), since I'm already a member and active at the official beta forums of Symantec. I will just encourage that the few questions that have been brought up should be written over at the official forums as there you'll have the correct answers. Personally I post all my doubts once they come to my mind over there. If I have no doubts, I simply don't bother when it comes to Norton's effectiveness - all that matters is that I'm sure about the effectiveness and approach of the software that I use, and that I'm satisfied with it.
     
  17. Atomic_Ed

    Atomic_Ed Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    389
    Here is a little different thought about the post here. Is anyone concerned with vendors going towards this cloud concept within their products rather than using a very efficient and robust heuristics approach, in collecting or accessing your personal information? If you read some of the privacy policies on certain vendors' websites in reference to this technology, to me anyway it brings some concerns as to just what they might collect from your machine and just what they may use it for.

    Personally I feel the security software industry seems to be moving towards a less secure model. Of course if this is correct, then to me these vendors are becoming the same type of entities that we are trying to protect from in the first place.

    Anyway I thought I would add this to the thread here and see what others are thinking. In this country we are quickly losing privacy like never before and to me this whole concept seems to be keeping in line with that trend. I would like to see security software where NO ONE but the user has access to the machine. Maybe some might argue that the technology for this is not as robust but when you need to compromise your personal data to gain a supposed technological improvement, then you need to ask yourself, what is the real benefit at all?
     
  18. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Blackcat, while I sincerely appreciate the input of PrevxHelp and do hope his presence will continue, please note that this thread was not originated within the Prevx section of this forum and PrevxHelp was not requested to join the discussion. His participation has been entirely voluntary on his part, and I trust that he is completely capable to use his own professional judgment on where best to spend his time.

    TonyW, I’ve started doing exactly that to get answers (see here). This thread has been beneficial, I hope you agree, in identifying some of the key questions.

    Raven211, I find this comment very informative. “Quorum” doesn’t mean only “reputation ratings,” which was my prior impression. Instead, “Quorum” encompasses both reputation ratings and anti-virus signatures, all of which are in-the-cloud.

    Surprisingly, the number of individuals sharing your concern on this forum seems to be very low -- I am one of those exceptions, however. You’ll see a number of posts in this thread on privacy (especially #109-#122), and I encourage you to add your voice into the mix.

    In my opinion, Symantec differentiates itself from other anti-malware vendors using in-the-cloud technology through a strong privacy policy and through robust privacy practices. I hope the company continues to successfully consider both privacy as well as protection in all future versions of Norton Internet Security. These dimensions are not (and should not be) in conflict with one another.
     
  19. thathagat

    thathagat Guest

    well...all this cloud buzz, quorum/community base, secret sauce thingy right now are basically what the vendors/marketing teams want us to know - these have not been put to paces....have they?
    and
    well this certainly is an important aspect when security softwares claim to protect users from data stealing/siphoning programmes
     
    Last edited by a moderator: Jul 21, 2009
  20. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Readers of this thread might find a white paper by Kaspersky to be of interest: Malicious Code Detection Technologies. It’s a nice overview of the technical and analytical aspects of malware detection.
     
  21. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    albeit this thread has seen praises sung for norton it still misses, absolutely misses malware and not only you get infected but remain infected until some other tool catches it and as for prevx - if you have internet connection it is like a shaolin monk but without net connectivity it transcends to a zen zone and malware can run amok...now that's risky
     
  22. ASpace

    ASpace Guest

    They ALL miss malware, including Kaspersky.
     
  23. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I can see that you're a new Wilders-user since you've some insight, yet live in a basher's world (correct me if I'm wrong) and therefore only care about the past. Have you even been reading the facts that have been posted? - Articles, blog-posts, reviews, forum-topics - you name it, even if this might not be the only place where those are found on this forum, or is your mind just concentrated on the "praises"?
     
  24. Atomic_Ed

    Atomic_Ed Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    389
    Yes, that's true, all products miss malware; however, there are varying degrees of how much they miss and, most importantly, whether or not they can correctly remove what they do find or actually botch up your system trying.

    I personally like the idea of some vendors integrating the AV/AS into a single engine. I like that concept along with aggressive heuristics over any cloud type technology.

    I think no matter what product someone runs on their system they should also run an antispyware tool along with it to cover this area.
     
  25. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Some early evidence by PC Magazine related to this performance issue has emerged...

     