Symantec Corp. today announced that it has integrated its revolutionary reputation-based security technology, Quorum, into its new Norton 2010 solutions: Norton Internet Security 2010 and Norton AntiVirus 2010. Quorum leverages the anonymous software usage patterns of Symantec’s extensive opt-in user community to automatically identify entirely new spyware, viruses and worms.
“This new technology changes the rules of the malware game, shifting the odds significantly in favor of our users,” said Gordon Love, regional director for Africa, Symantec. “By harnessing the wisdom of our tens of millions of users, we’re able to detect threats that are invisible to traditional security products.”
Why reputation-based security technology?
Significant changes in the threat landscape over the last few years have dramatically altered the typical distribution profile for new malware. Today, instead of a single malware strain infecting millions of machines, it is much more common to see many millions of malware strains, each targeting only a handful of machines. In 2008, Symantec discovered more than 120 million distinct malware variants. In this environment, it is necessary to move beyond traditional security approaches to stay ahead of new malware.
Traditional antivirus software relies on virus signatures to blacklist those pieces of malware that should be blocked from a user’s machine. Ten years ago, Symantec published an average of five new virus signatures each day. Today, in spite of the fact that each signature can detect many different malware strains, security vendors regularly publish thousands of signatures or more per day.
Quorum reputation-based security complements traditional security techniques by using anonymous software usage patterns to classify files as safe or unsafe. The Quorum technology was developed at Symantec from the ground up, and provides a fundamentally new layer of protection from today’s latest threats. Symantec Research Labs began development of the technology about three years ago, investigating how small amounts of data regarding file usage on a user’s system, collected from a very large distributed community, could be used to predict the likelihood of a given file being malicious or not. After a successful prototype was developed, the project was transferred to the Security Technology and Response group to develop a full commercial release and bring the new technology to market.
How does it work?
Symantec’s Quorum reputation-based security leverages data from multiple sources, including: anonymous data contributed by tens of millions of Norton Community Watch members (an opt-in feature of all Norton security products), data provided by software publishers and anonymous data contributed by enterprise customers in a data collection program tailored to large enterprises. The data is continually imported and fed into the reputation engine to produce a security reputation rating for each software file, all without ever having to scan the file itself. Quorum uses information such as the file’s prevalence, age and other attributes to compute highly accurate reputation scores. These reputation ratings are then made available to all Symantec users through a large cloud-based infrastructure of Symantec servers. For more detailed information on Quorum, visit the Norton Protection Blog.
What are the benefits of Quorum?
– Provides information on all executable files. Traditionally, security companies have had protection primarily for malware actually sent to them by vigilant users or exchanged with other security researchers. In contrast, Quorum holds reputation ratings on every file used by every participating Symantec user across the globe.
– Integrates with Symantec’s new Download Insight. The most visible way to see Quorum in action in Norton Internet Security 2010 and Norton AntiVirus 2010 is to download a new executable file off the Internet. The new Download Insight feature uses Quorum reputation information to help determine each downloaded file’s safety – the user is then informed of the file’s reputation, and bad-reputation files are automatically blocked. In addition, a user can right-click on any executable file and find out where the file came from, how many other Symantec users are using the file, when Symantec first saw the file and what the security reputation is for the file.
– Reduces dependence on traditional signatures. Quorum defeats an attacker’s ability to mutate their malware to evade traditional signature-based detection. In fact, with Quorum, the more an attacker modifies a threat, the more obvious it will be that the file is suspicious.
– Amplifies existing security technologies. In addition to providing an additional layer of protection, Quorum also allows existing Symantec security technologies, including heuristics and behavior-based detection, to be deployed in a more aggressive mode to increase the overall level of protection provided to users.