Inside the Symantec Security Response labs

1 of 5 NEXT PREV

Part of Symantec's main European campus in Dublin houses Symantec Security Response labs, which analyses samples of malware and pushes out antivirus signatures to customers. The Symantec Dublin campus at Blanchardstown also contains the company's anti-malware product manufacturing facility.

"We manufacture and distribute six-and-a-half-million yellow boxes [of software] a year here, in 20 different languages, to Europe, the Middle East and Africa," said Austin McCabe, Symantec's European managing director.

The facility also houses helpdesk support, customer response and technical support, as well as the email security group, and product and marketing translation teams. The total employee headcount fluctuates but remains close to 900, said McCabe.

Published: February 29, 2008 -- 17:31 GMT (09:31 PST)
Caption by: Tom Espiner
Austin McCabe, Symantec's European managing director, pictured left, and Kevin Hogan, Symantec's director of security response, stand outside the "Airlock": the entrance to Symantec Response. The Airlock leads to three zones in the building: the blue zone, which contains "clean" servers; the green zone, which acts as an interface between between the blue and red zones; and the red zone, which contains infected machines.

Published: February 29, 2008 -- 17:31 GMT (09:31 PST)
Caption by: Tom Espiner
The clean machines the antivirus staff work on are physically located inside the blue zone, pictured, while the researchers sit in the red zone, which contains infected machines. The analysts use thin-client terminals linked via cables to the clean "Definition, Build and Certification" systems to compile antivirus signatures.

Hogan said there was "nothing cloak and dagger" about infected machines being physically separate from employees' personal work machines, and that it was simply "to prevent accidents". Hogan added that the antivirus researchers would prefer to work in physical proximity to their personal machines. "It's more of an annoyance, as they can't [easily] access their production [personal] machines," said Hogan.

Published: February 29, 2008 -- 17:31 GMT (09:31 PST)
Caption by: Tom Espiner
The green zone is a mixed server room that separates systems requiring access to both the viral network and the clean network. The green-zone servers also maintain firewalls between the blue and red zones.

Published: February 29, 2008 -- 17:31 GMT (09:31 PST)
Caption by: Tom Espiner
Pictured here is the red zone, where Symantec researchers work, and which contains infected machines.

The Dublin response team is part of a global network: there are Symantec security response units in Calgary, San Francisco, Mountain View, Culver City, Pune, Taipei, Chengdu and Tokyo. Analysts monitor the internet and customer submissions, on rolling eight-hour shifts for possible pieces of malware.

Symantec receives approximately 60,000 submissions per month, leading to 2,000 manually coded antivirus definitions per month, produced by approximately 135 analysts globally. A network of anti-malware companies also collaborate to produce a "zoo" of 150,000 to 200,000 pieces of possible malware for which Symantec builds signatures, mostly automatically.

Published: February 29, 2008 -- 17:31 GMT (09:31 PST)
Caption by: Tom Espiner