Symantec’s Reputation Based Detection (Quorum) – How Can Something Unknown Have a Reputation?
July 9, 2009
I am confused. I just read another article about Symantec’s new roadmap and, in particular, their new reputation-based product called Quorum.
Symantec has been all over the media touting their reputation-based approach as the fix for the signature problem (more on that in a second). Quorum leverages Norton’s Community Watch program, which essentially collects data from Norton customers about applications and other things on the Web. Quorum uses this data to create a reputation score that characterizes the application as good or malicious. This is integrated with Symantec’s existing signature-based and behavioral technologies.
So here is where I get confused. A Symantec representative has been quoted as saying that Quorum will offer “much higher detection rates against unknown malware”. By definition, doesn’t the establishment of a reputation require some knowledge of the person or thing? How can you rely on the collective anecdotal evidence of a community for something that is, using Symantec’s word, unknown? I have a lot of respect for the folks at Symantec but even they must see the irony in this positioning.
Thousands of machines were simultaneously attacked on July 4 by North Korea or a group sympathetic to North Korea. Did the malware used in that attack have a “reputation”? This week’s exploits of the ActiveX flaw in Internet Explorer were previously unknown attacks in the form of rootkits and Trojan downloaders. Again, it is doubtful that there was any prior reputation.
It would also be interesting to find out from Symantec how many members of the community must post their reputational opinion to get a statistically relevant sample and therefore eliminate the potential for false positives. If this number is high, that would indicate a significant number of attacks must be reported before the reputation could be established and therefore used as a preventative.
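To make the sample-size question concrete, here is a small simulation of how a community-prevalence reputation score behaves for a file nobody has seen yet. This is an added illustration, not Symantec's algorithm or any code from the Quorum product; the scoring rule (a minimum number of sightings before any verdict, then a Wilson confidence interval on the fraction of endpoints that flagged the file) and all thresholds and sample figures are assumptions chosen for the example.

```python
from dataclasses import dataclass
from math import ceil, sqrt


@dataclass
class FileReputation:
    """Community data a reputation engine might hold for one file hash (constructed fields)."""
    sightings: int = 0      # endpoints that have reported seeing the file at all
    bad_reports: int = 0    # of those, endpoints whose local engine flagged it


def wilson_bounds(bad: int, n: int, z: float = 1.96):
    """Wilson score interval for the true 'bad' fraction given bad flags out of n sightings.
    Returns (lower, upper); with zero sightings there is no evidence, so (0.0, 1.0)."""
    if n == 0:
        return 0.0, 1.0
    p = bad / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / denom, (centre + margin) / denom


def classify(rep: FileReputation, min_sightings: int = 50,
             bad_threshold: float = 0.5, good_threshold: float = 0.05) -> str:
    """Verdict from community data alone.
    Below min_sightings the engine has no statistically usable sample, so the answer
    is 'unknown' even if every early report was bad: this is the gap the post describes,
    since the first endpoints to meet a brand-new file get no help from reputation."""
    if rep.sightings < min_sightings:
        return "unknown"
    lower, upper = wilson_bounds(rep.bad_reports, rep.sightings)
    if lower >= bad_threshold:
        return "malicious"     # confidently bad across the community
    if upper <= good_threshold:
        return "good"          # widely seen and essentially never flagged
    return "unknown"           # seen enough, but the evidence is mixed


def min_sample_size(max_margin: float, z: float = 1.96) -> int:
    """Conservative (p = 0.5) number of reports needed before the estimated bad fraction
    is within +/- max_margin at the given confidence level: n = z^2 / (4 * margin^2)."""
    return ceil(z * z / (4 * max_margin * max_margin))


if __name__ == "__main__":
    # Constructed sample files: a never-seen binary, a well-known good one,
    # a widely flagged one, and a new bad one that only ten endpoints have met so far.
    samples = {
        "brand-new binary": FileReputation(0, 0),
        "popular installer": FileReputation(1000, 0),
        "widespread trojan": FileReputation(200, 180),
        "day-zero trojan": FileReputation(10, 10),
    }
    for name, rep in samples.items():
        print(f"{name:18s} sightings={rep.sightings:5d} bad={rep.bad_reports:4d} -> {classify(rep)}")
    print("reports needed for +/-10% at 95% confidence:", min_sample_size(0.10))
```

The "day-zero trojan" row is the point of the exercise: ten endpoints have already been hit and every one of them flagged the file, yet the reputation verdict is still "unknown" because the sample is below the threshold. Raising `min_sightings` reduces false positives at the cost of more victims before a reputation exists; lowering it does the reverse. Either way, the endpoints that meet the file first are relying on the signature or behavioral layers, not on reputation.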
The bottom line is that while this reputation-based technology may offer some additional endpoint protection, it still does not close the gap in traditional defensive software when it comes to unknown attacks. That is because no matter how you package it, no matter what you call it, the traditional defensive software from the established AV vendors requires prior knowledge of the attack to succeed. Behavioral analysis, heuristics, and now reputation-based protections are an upgrade from signatures, but make no mistake about the fact that they rely heavily on prior knowledge. The bad guys will always have the edge on any software that requires previous knowledge of an attack to detect it as malicious.
It is nice that Symantec is publicly stating that signatures are no longer a sustainable technology, as we have been pointing out with our Worldwide Signature Counter. Reputation-based protection may play well in the consumer market, but for businesses and government agencies facing a dynamic, persistent threat, the announcement by Symantec falls flat.
As Symantec rolls out their new product line through the summer and into the fall, my guess is that the hype machine for reputation-based technology will be running at full throttle. You can put me down as unimpressed, underwhelmed, and mildly amused at the choice of words.