Inside the Symantec Security Response labs

Austin McCabe, Symantec's European managing director, pictured left, and Kevin Hogan, Symantec's director of security response, stand outside the "Airlock": the entrance to Symantec Response. The Airlock leads to three zones in the building: the blue zone, which contains "clean" servers; the green zone, which acts as an interface between between the blue and red zones; and the red zone, which contains infected machines.

The clean machines the antivirus staff work on are physically located inside the blue zone, pictured, while the researchers sit in the red zone, which contains infected machines. The analysts use thin-client terminals linked via cables to the clean "Definition, Build and Certification" systems to compile antivirus signatures.

Hogan said there was "nothing cloak and dagger" about infected machines being physically separate from employees' personal work machines, and that it was simply "to prevent accidents". Hogan added that the antivirus researchers would prefer to work in physical proximity to their personal machines. "It's more of an annoyance, as they can't [easily] access their production [personal] machines," said Hogan.

The green zone is a mixed server room that separates systems requiring access to both the viral network and the clean network. The green-zone servers also maintain firewalls between the blue and red zones.

Pictured here is the red zone, where Symantec researchers work, and which contains infected machines.

The Dublin response team is part of a global network: there are Symantec security response units in Calgary, San Francisco, Mountain View, Culver City, Pune, Taipei, Chengdu and Tokyo. Analysts monitor the internet and customer submissions, on rolling eight-hour shifts for possible pieces of malware.

Symantec receives approximately 60,000 submissions per month, leading to 2,000 manually coded antivirus definitions per month, produced by approximately 135 analysts globally. A network of anti-malware companies also collaborate to produce a "zoo" of 150,000 to 200,000 pieces of possible malware for which Symantec builds signatures, mostly automatically.