Symantec to identify safe software by 'reputation'

Symantec to identify safe software by 'reputation'

Summary: The company's tech will judge whether an app is unsafe by looking at where it can be found across the database of Symantec users and categorizing those machines as safe or otherwise.

Symantec will soon introduce a "reputation-based" software-rating technology that it has claimed can accurately differentiate malicious malware from legitimate programs.

"Reputation-based security is the latest and greatest technology in malware detection," said Basant Rajan, chief technology officer of the IT security vendor's India office.

Essentially, this approach involves looking at where a program can be found across the database of Symantec users, categorizing the reputation of those machines and coming to a judgment on whether the application poses any security risks.

"When seeking good food, we'll most likely go to the restaurant with the most customers. That's an example of a reputation-based choice in selecting a restaurant," Basant said in an interview with ZDNet Asia, during his visit to Symantec's Kuala Lumpur office.

"You just look at the behavior of people and make a decision based on that behavior. We can do the same with programs," he explained.

According to Basant, Symantec's reputation-based approach assumes three distinct populations in its user base, which numbers in the millions. "You have one population that is ultra-safe, one that is adventurous and one that is completely unsafe," he said.

"We identify these by looking at the history of infections on their machines," said Basant, who plays a key role in driving innovation for Symantec's next-generation technologies, architecture and standards.

The safe group encompasses "prim and proper" users who only download applications from reputable software companies, he explained, while the adventurous group is users who are generally safe, but are willing to try out online games or new programs.

Users in the unsafe crowd are those who frequent a class of websites where they can get infected easily, he added. For example, when a new program is detected, the reputation-based approach will entail looking at where the program is found among the machines of millions of Symantec users.

"If a large number of the 'safe' machines have it, making an educated guess is to say that this is a safe program," Basant said. "But, if you see this application only [installed] with the unsafe crowd and a few of the adventurous guys, it is almost certain that this is an unsafe program. You wouldn't lose money betting that this is an unsafe program."

The new technology, which is currently being tested, will complement Symantec's current approach to addressing problems with malicious codes. The traditional method involves a blacklist to identify highly prevalent malware, as well as a white list to identify popular and legitimate programs.

Asked when the new reputation-based technology will be introduced into Symantec's Norton security products, Basant said: "[This] will happen when the product teams deem the market timing is right for it". He added that tests have been encouraging so far, as the false positives rate was extremely low.

The white list component was introduced into Norton's security products at the end of 2007, to augment the traditional blacklist approach to detecting malware.

Bad outpacing the good
In its Internet Security Threat Report Vol XIII, covering a six-month period from June to December 2007, Symantec measured the release of both legitimate and malicious software and found that 65 percent of the 54,609 unique applications released to the public, were categorized as malicious. Basant said that marked the first time Symantec observed malicious software outpacing legitimate applications.

"This means, if you make a list of all the good programs and bad programs, and the list of good programs is smaller, it becomes worthwhile to keep track of the good programs as opposed to keeping track of the bad ones," he explained. He noted that a key advantage of adopting the white list approach was that it enables Symantec's security programs to run scans considerably faster.

Basant added that Symantec builds and maintains a white list of safe programs. While the obvious method is to list all programs from reputable publishers, such Microsoft, Adobe and IBM, he noted that there are also lesser-known, smaller players writing legitimate programs.

Symantec uses a "crowd sourcing" method to determine if applications from small software developers should be added to the white list.

"We can actually look at what seems to be running safely on a vast majority of machines on which… we have a footprint," Basant said. "We just look at the aggregate behavior of these programs over millions of machines, and deduce that these programs are safe and can, therefore, be added to the white list."

The Symantec executive acknowledged that the nature of today's security threats has changed radically, as organizations are now targeted individually. "So now, the malware that came to you probably only went to four other people in the world," he said. "How do you ever write a blacklist signature for it when only five people got it?"

To protect the targeted few, Basant said Symantec's security products leverage behavioral-analysis technologies and, in the near future, will tap reputation-based security, which does not depend on a signature but behavior or prevalence to determine whether a program is legitimate.

Lee Min Keong is a freelance IT writer based in Malaysia.

Topics: Software, Malware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • If it's based on customer useage and bad is...

    outpacing good. Sounds to me like they will have a tendency to recommend the bad as good.

    This is a feeble attempt to sell their product. NOTHING will ever work short of an educated user. Fools will always be using infected computers.
    • Agree and Don't

      You are correct, an educated user will always be a safer user, but if this will help protect those uneducated users, what's the harm?

  • RE: Symantec to identify safe software by 'reputation'

    In order to accomplish this, Symantec would need a complete list of all the software installed on my computer - not just the infected software or infection rates. EULA not withstanding, isn't that pretty much the definition of spyware?

    It also seems that if you are a software contractor, or a small ISV with a limited product offering then Symantec is creating a barrier to entry in the market..
    • I'm sure Symantec ...

      ... has thought out the limiting factors, such as software submission to ensure one's products to not get blocked ... at least I hope so ...

      As far as Spyware goes, what do you think MS Update is?

  • RE: Symantec to identify safe software by 'reputation'

    I worked on this section of symantec's products last years. my guess this is very closely related to their initative on the safe web stuff (site advisor copy).

    they test everything on backend (crawl the web) then test one by one. that is intalling uninstalling all that. they might be producing hashes and checking it against the backend unsafe list.
  • I identify Symantec as garbage

    And quickly remove Symantec garbageware from any PC I encounter. Worst security products I have ever used. Hard to believe anyone can tolerate their swill.
    • Odd ...

      According to a different security companies finding, Symantec is actually the BEST security product in the world ... Can't remember the article name, but it was posted here about 3 weeks ago ...

  • RE: Symantec to identify safe software by 'reputation'

    I lost all respect for Nortons.... and Symantec..... there crapware was the worst thing ever on a pc... it made a powerhouse of a like crap
    • First Releases ...

      ... do tend to be bug ridden, but if you ensure you're up to date, things generally straighten out ...

      One of Symantecs current focus is to lower the amount of resources required by their products, and they are making good headway ...

  • RE: Symantec to identify safe software by 'reputation'

    I think I'll just keep using my MacBook Pro and not lose 20% of my system resources to virus scanners.

    You windows users go ahead and have fun.
    • I dual boot

      Windows XP and Suse 11.0 ... I definitely feel safer collecting my mail in Suse ...

      But unfortunately, Windows is required in some circumstances ...

  • A privacy issue?

    Should I deduce from this that Symantec will traul my system for:
    a) data on installed applications
    b) virus history, and
    b) web history
    to determine if I fall into the "safe" or "unsafe" category and use this to make an assertion about the maliciousness of the programs I run?
    • If they will ...

      ... use information from my PC to help minimize the spread of this crap around the world, please do ...

      If this minimal loss of privacy will help eliminate the jerks out there that create this stuff, I'm willing to allow it.

  • RE: Symantec to identify safe software by 'reputation'

    This is all great and good for the general population, but what about corporate machines that run in-house software or other niche software that is only used by a very very small fraction of the total user base? Will all these applications suddenly be flagged as "suspicious?" Any developer or power user machine is certainly going to have a few applications installed that are not used by 99% of the population. It doesn't seem like they have thought this through, unless they only plan for novice users to install their security suite (which would seem to cause the accuracy of their ratings to plummet.)