The missing glue in the fight against malware

While at Interop in Las Vegas, I was treated to dinner by representatives of Tenebril, developers of the anti-spyware product SpyCatcher.  At the table to convince me that the practically unknown security solution provider is a player to be reckoned with in the anti-spyware market were its newly installed vice presidents of marketing and communications Fred Felman and Te Smith (respectively).  Also present was Sierra Ventures venture partner Mark Fernandes, who recently poured $6.5 million into the company's coffers, a portion of which will be dedicated to turning SpyCatcher into an enterprise-class product that, they claim, will run circles around other enterprise offerings such as the corporate edition of Webroot's SpySweeper.  

Absent any independently provided research or personal experience with the products, I can't possibly verify such claims.  But the record should also show that Tenebril practically cleaned Checkpoint's clock of the executives that came with its acquisition of Zone Labs.  Not only were Felman and Smith executives at Zone/Checkpoint before leaving to join Tenebril, so too were Irfam Salim and Chris Weltzien.  Salim, now CEO at Tenebril, was Zone's president and COO; and Weltzien, now senior vice president of Tenebril's consumer group, ran e-commerce for Zone.  Say what you will about Zone (in response to what I've written about the company's solutions, I have received both complaints and praise regarding its personal firewall solutions), this is a goodly part of the team that made Zone Labs' Zone Alarm (its personal firewall product) the most popular product in its category.  That all of them saw in the unknown Tenebril an opportunity to repeat that success is a tenuous vote of confidence.  Executives often move in teams and everyone has a price.  But it's a vote nonetheless.

Whether they'll succeed remains to be seen.  At Zone Labs, they practically invented the category of personal firewalls and never had to worry about playing catch-up.  At Tenebril, they must rise from obscurity in an already crowded field.  That there even is a crowded field is the sign of a problem -- one that's common to the battles against all the other forms of malware: virii, worms, spam, phishing, etc.  It means that the industry lacks the standards necessary to secure certain protocols.  When the existing players in an industry cannot come to such agreements (and the purveyors of existing software can't seem to secure it), it gives rise to a plethora of proprietary offerings.  The world's best example of this deficiency is on the spam front, where the various e-mail service and solution providers have known for over three years that what's really needed in lieu of hundreds of proprietary solutions are some more fortified e-mail standards.  But here we are in 2005 and, for a variety of reasons (along with plenty of finger-pointing), the e-mail industry has failed to reach any significant technological agreements.  It's a travesty.  Back in January 2003, I tried and failed to put an end to that travesty with an initiative I called JamSpam.

Now, in 2005, I'm in agreement with headlines like the one from's Charlie Cooper that reads The end of spyware? Fat chance

The recent Antispyware Workshop, hosted by our own CNET, gathered many of the vendors on both sides of the fence for a day of discussion about the spyware and adware problem. Dan Farber reported from the event:

Esther Dyson hosted a panel of adware vendors, who were giving assurances that they want to be on the good side of consumers, while spyware expert Ben Edelman and Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), demonstrated the devious methods and the extended ecosystem the adware vendors use to fuel billions of dollars in revenue.

One of Tenebril's arguments is that it has some secret sauce in its technology that the other umpteen anti-spyware solutions do not -- a kernel of technology on which consumer and enterprise offerings will easily outperform their competitors.   This sounds strikingly similar to what all the anti-spam vendors have been telling me for three years.  Yet spam still exists and it's worse than ever.  If all of these solutions were so effective back then, one would think that by now, spamming would be a dead-end opportunity.  It's not.  It's a lucrative one -- if you know how to do it right and skirt the law.  So, I'm going to make a prediction.  Three years from now, the spyware problem will be worse than it is today and I'll be writing about one of the reasons that there has been no improvement: the failure of the industry to recognize where technological consensus is needed, and then to build solutions on top of that consensus technology. 

So, in the case of spyware, what would that technology be?  I'm directing that question rhetorically at the new executive team at Tenebril because it's simply an extension of the same conversation that I was having with them about personal firewalls while they were at Zone Labs.  Personal firewalls and anti-spyware have quite a bit in common.  In some ways, personal firewalls help to solve the spyware problem because they can block spyware from "phoning home" -- what happens when malware reports back to its creators or distributors with its findings (e.g., logged keystrokes).

But, one reason personal firewalls aren't always successful in this endeavour is that they often require user inputs.  When a personal firewall detects a first-time attempt by some process to reach the outside world, it notifies the user that something new is trying to get out and it asks the user if the attempted communication should be permitted.  But, as I've written before, this allow/disallow inquiry is all too often noticeably deficient in the kind of information a user needs to make an informed decision.  This is particularly troubling since, regardless of whether it's trapping malware or legitimate software, the wrong answer might render your software inoperable.  "LSASS.EXE is trying to reach   Allow Always?  Allow this once?  Deny?" it asks me.  What the heck is LSASS.EXE?  What or where is  And finally, why isn't the software answering these questions for me?

The answer to that last question is easy.  The software doesn't know.  Nor, considering the number of software components out there (legitimate and not), can it know.  For a while, with many personal firewalls, this meant that answering the allow/deny question was guesswork (or, a lot of Googlework).  Fortunately, guessing couldn't get you into too much trouble.  Sooner or later, every networked computer loses its connection to its network anyway.  When, through a personal firewall, a user denies network access to a particular software component, the net result for that software component is pretty much the same as what happens when the system suddenly loses its network connection for some other reason (the cable gets pulled out, the Wi-Fi signal disappears, etc.).  If a user mistakenly denies network access to a legitimate software component that needs it, and the system or the software hangs, fixing the problem requires little more than a reboot and a correction to the firewall's ruleset.

But that's not how software should work.  And when I started dinging Zone Labs and other firewall makers for having this problem, I also recognized that no single firewall developer -- not even Symantec -- was big enough to develop and maintain the database they'd need in order to provide users with the information required to make an informed decision.  How do I know this?  Some of them tried.  But the information was invariably incomplete.  To really do that database right would require the participation of all the software vendors, and for them to participate, it would have to be easy and it would have to be centralized.

To date, a centralized database that lists legitimate software components along with a description of what they do and the types of servers (or even their IP addresses) that they may attempt to communicate with doesn't exist.  It needs to and the only way such a database could come to be is if all of the vendors that need access to it contribute to its development.  Though it wouldn't be a standard per se, agreement on specifics (schemas, logistics, etc.) would be required.  Should such a central database exist, and should it list both legitimate software as well as malware, then personal firewalls would have a resource they could mine to help users respond to the allow/deny question. 

So, why all the talk about personal firewalls when this is a story about anti-spyware?  Well, for starters, history is repeating itself.  The industry has so far failed to work together on spam.  Since I explained this sort of personal firewall consortium idea to firewall vendors, nothing has happened.  And now, here we are trying to face down spyware, which is like trying to boil the ocean.  Sound familiar?  If you characterized today's anti-malware as proprietary attempts at boiling the ocean, you wouldn't get any argument from me (although you might from the anti-malware vendors).

Presumably, the interest in Tenebril on behalf of Sierra Ventures and the ex-Zone Labs executives had to do with their belief that the company's secret sauce -- developed by founder and CTO Christian Carrillo -- is much better at boiling the ocean than anything else they looked at.  But, as good as it may be at boiling the ocean, Tenebril's SpyCatcher is still human.  I haven't seen it, but it has to be.  It may indeed turn out to be better than its competitors at identifying suspicious activity and artifacts of spyware.  But like all anti-malware products, anti-spyware, lest it mistakenly be acting on something that legitimately belongs on a system, needs confirmation from a human before it takes final action (e.g., eradication).

My case in point is Webroot's SpySweeper.  Webroot was at Interop as well.  At the show, Webroot announced that it will be releasing, on a quarterly basis, a comprehensive research report on the state of spyware.  The first version of it (2005Q1) is 90 pages long and rivals in comprehensiveness the sort of category-specific research that you might pay to get from an outfit like Gartner.  That's not surprising, since the company hired a security analyst -- Richard Stiennon -- away from Gartner to produce the reports.  While businesses -- particularly ones that want to stay on top of spyware trends -- will find the report to be a valuable resource, the catch is that you have to supply some personal information to Webroot before it can be downloaded from the company's Web site.

At Interop, Webroot was providing the report on a CD that also had a copy of SpySweeper on it.  So, while on the flight home, I decided to see if SpySweeper thought any spyware was on my system.  If you believe what Tenebril has to say, the fact that SpySweeper didn't find any actual spyware on my system (which it didn't) is no guarantee that spyware isn't there.  At the same time, I feel better having installed a "sweeper" where none was before.  While SpySweeper didn't find any spyware, the aforementioned opportunity for human intervention arose when it spotted 24 suspicious cookies.  SpySweeper wanted confirmation before eradicating them.  But, just like the way personal firewalls don't provide enough information on which to base an allow/deny decision, SpySweeper was unable to give me enough decision support data for each of the suspicious cookies.  In fact, in many cases, it just provides you with a boilerplate explanation.  This, in addition to the fact that it flagged two cookies from my own company's Web site, undermined my confidence in the accuracy of SpySweeper's suspicions.  For example, I know my company's site issues cookies to maintain my login state (which, for ease-of-use reasons, I want maintained).  I worried that by deleting those cookies, my login state would get wiped out.  Not enough information was provided to help me through this decision.  Given the absence of accurate decision support information when it comes to cookies from my own company, what should I make of the other 22 suspicious cookies?

It would be ridiculous for me to expect Webroot or Tenebril or any other spyware vendor to independently catalog, perfectly identify, and recommend precise action on every cookie out there.  But, the industry could get together with vendors in other security verticals (e.g., anti-virus, personal firewalls) to build that centralized database.  To the database, my company could submit disclosures about the cookies it issues and links to its privacy policies.  To the database, software developers could submit disclosures about their software and its expected behavior.  Would this database be perfect?  No.  Could some spyware developer lie on their disclosure?  Yes.  But they'd get outed pretty quickly.

Of course, anti-malware vendors would probably rather not see such a database get developed.  To the extent that any individual anti-malware vendor is taking on this responsibility on its own (insanity) or feels as though it has come up with something that obviates the need for additional decision support  information (perhaps through their secret sauce), that vendor may see a centralized database as something that undermines their competitive advantage.  In fact, they should be seeing it the other way around.  Such a centralized database is the sort of standard platform on which they can not only build better products for their customers, but they can also build on the data that's provided with more comforting advice; perhaps more comforting than what the competitors have come up with.  The bottom line is that if it makes sense to fingerprint malicious software, then it makes even more sense to fingerprint legitimate software (and cookies) too (something that anti-malware does, but it's on a per system basis instead of being centralized).

On behalf of consumers and businesses that are threatened every day by malware, I'm reaching out to the anti-malware vendors -- the Tenebrils, the Webroots, the Zone Labs, the Symantecs -- to pull such a consortium together, to get the database up and running, and to support it in their products.  Such vendor-run and -sponsored consortia are not unprecedented, and you know it would be a relief for legitimate software vendors and Web sites to have a way to reach users at decision time to help those users understand exactly what the ramifications of their allow-deny/eradicate-keep decisions are.  Users will appreciate it because the resulting software will be significantly less frustrating than it is today.

Finally, should the anti-malware industry get serious about pulling something like this together, then there are at least two companies that I think should be involved.  One of them is Verisign and the other is Uniblue.  Anybody who has ever downloaded an ActiveX control knows that Verisign has long been in the business of code-signing.  Code-signing is a technique that assures users that the code has not changed since it was issued by the developer.  In other words, it wasn't corrupted, or worse, infected between the time the developer issued it and the time you installed it onto your system.

Today, most anti-malware products use the same sort of technique to watch for changes to executable code.   To the extent that a centralized database of legitimate software, cookies, and web sites might be developed, perhaps it could also include a list of legitimate developer-applied signatures to look for on all the software components being tracked.  Verisign has some experience in this business and while I'm not suggesting that this portion of the proposed consortium be turned over to one company, my sense is that Verisign's experience in the area of distributing signed code might come in handy to a new consortium.
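To make the proposal concrete, here is an added example (not code from the column or from any vendor named in it) of how a personal firewall could use such a centralized database of fingerprinted legitimate components and their expected destinations to answer the "LSASS.EXE is trying to reach ..." prompt described earlier.  The schema, vendors, hosts and executable bytes are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for one record in the proposed centralized database:
# who publishes the component, what it does, and where it is expected to talk.
@dataclass(frozen=True)
class Component:
    name: str
    vendor: str
    description: str
    expected_hosts: frozenset

# Constructed byte strings standing in for real executables on disk.
SAMPLE_BINARIES = {
    "lsass.exe": b"constructed bytes standing in for lsass.exe",
    "updater.exe": b"constructed bytes standing in for a vendor updater",
}

def fingerprint(data: bytes) -> str:
    """SHA-256 of the executable: the same change-detection idea as code signing."""
    return hashlib.sha256(data).hexdigest()

# Keyed by fingerprint, not file name, so a patched or impostor binary
# cannot inherit the reputation of the legitimate component.
DATABASE = {
    fingerprint(SAMPLE_BINARIES["lsass.exe"]): Component(
        "lsass.exe", "Example OS Vendor (constructed)",
        "Local Security Authority: handles logons and authentication",
        frozenset({"dc.corp.example"})),
    fingerprint(SAMPLE_BINARIES["updater.exe"]): Component(
        "updater.exe", "Example Software Inc. (constructed)",
        "Checks for and downloads product updates",
        frozenset({"updates.example.com"})),
}
KNOWN_NAMES = {c.name for c in DATABASE.values()}

def advise(name: str, data: bytes, dest_host: str) -> tuple:
    """Return (recommendation, explanation) for a firewall allow/deny prompt.

    recommendation is 'allow', 'review', 'unknown' or 'deny'.
    """
    rec = DATABASE.get(fingerprint(data))
    if rec is None:
        if name.lower() in KNOWN_NAMES:
            # Familiar name, unfamiliar contents: modified or impersonated.
            return ("deny", f"{name} does not match the registered fingerprint "
                            f"for that component; it may have been altered")
        return ("unknown", f"No database entry for {name}; the software "
                           f"cannot explain this request")
    if dest_host in rec.expected_hosts:
        return ("allow", f"{name} ({rec.vendor}): {rec.description}. "
                         f"{dest_host} is a documented destination.")
    return ("review", f"{name} ({rec.vendor}): {rec.description}. "
                      f"{dest_host} is not among its documented destinations "
                      f"({', '.join(sorted(rec.expected_hosts))}).")
```

The user still makes the final call, but the prompt now carries the vendor, purpose and documented destinations instead of a bare file name.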

Why Uniblue too? If there's one company that has developed some really good intelligence on existing software components, that company is Uniblue.  The company, formerly known as LI Utilities, has the most complete database on Windows software that I've seen. I've come to rely on its product -- WinTasks -- to not only keep my system in tip-top shape, but also for decision support when making decisions with my anti-malware.  How many times have you tried to figure out what all those programs listed in Windows' Task Manager are doing?  While WinTasks doesn't know about all of them, it knows about more than any other product I've seen.  More recently, since I last tested WinTasks, the newest version of the software now has some anti-malware-like features such as software block and allow lists. (Users can ensure that certain executables never run on their systems while explicitly allowing others.)   In fact, on the basis of its database and WinTasks features, I wouldn't be surprised if LI Utilities gets swept up into some other vendor's anti-malware portfolio in the very near future.