Symantec today announced the 12th edition of its flagship enterprise desktop anti-malware product, Symantec Endpoint Protection, that looks to go beyond traditional antivirus signatures to use a cloud-based file-identification system to protect users from virus mutations.
By itself, antivirus signature-based defence is becoming ever more futile because malware code authors are adept at finding ways to generate virus mutations at an enormous rate, making it practically impossible to block malware based on code signatures alone. Symantec counted 240 million viruses in total in 2009 and is still tabulating last year's count, which appears to have doubled, says Hormazd Romer, director of product marketing for the enterprise security group at Symantec.
"The malware authors have moved to a micro-distribution model based on mutated viruses," Romer says. "It's exploding."
To defend against this onslaught, Symantec is enlisting a cloud-based file-identification method it calls Symantec Insight that will be added to Symantec Endpoint Protection 12.0. Insight is a technology Symantec tested out last year in its Norton consumer anti-malware software, and it works through cloud-based analysis of files being downloaded to the user.
By gauging what occurred to millions of Symantec customers, plus other factors, the goal is to determine the risk presented by the file under inspection. Important factors, Romer says, are whether the file is known, how often it's been seen, and how old it is.
"These mutated malware stick out like a sore thumb," says Romer, saying Symantec is tracking more than 2 billion files based on "the premise [that] normal software doesn't mutate like this".
The new release of Endpoint Protection will make use of the Insight technology, but enterprise security managers will be able to decide to use it or not as an option, Romer points out. The Insight capability will let the security manager apply policy settings for users based on groups, and the "configuration dial" settings in Symantec Endpoint Protection 12.0 would allow for low or high "risk thresholds".
Depending on risk, it would be possible to decide to block any file, from the web or email, or just inform the user what's known about the file if it's suspicious. There could be a cautionary note not to open it, though the user would make the choice.
Signature-based antivirus protection would still be there as another line of defence. A third detection method, called SONAR, which Symantec introduced previously in its consumer product for behaviour-based detection, will also be added for the first time in an updated version into its enterprise product.
"It's checking files and processes in real-time, and at the point it's executing, we open it in a sandbox," says Romer, noting the goal of SONAR is to stop anything that slips by Insight or signature-based detection.
Symantec Endpoint Protection 12.0 has started into a beta period with the final version expected out in the summer for Windows, Mac and Linux and recommended as optimised for VMware- or HyperV-based desktop environments. There will also be a separate version for small-to-mid-sized business (five to 99 employees) that will be similar but not virtualisation-optimised and with a different management console.