Symantec Quorum – The Carbon Based Life Form Problem

I am still a bit baffled by the rush to embrace the reputational aspects of products like Symantec Quorum. I do get how it works, and I do get that it adds value and can help a user see if the application they are loading may be malicious based on its reputational score or lack thereof.

What I don’t get is that the protection of the endpoint hinges on a user response. The demo I saw of Quorum presents a user with a warning screen. The screen tells them how many people in the Norton community have used the file – few (less than 10), very few, or unknown – and presents the user with three choices:

  1. Decide later (the Scarlett O’Hara I will worry about that tomorrow option)
  2. Remove this file from my system
  3. Run the installation of the product anyway

So essentially the same user that got the endpoint machine into this mess is given a prevalence score and gets a choice of how to proceed.  In my opinion, prevalence protection is a smart idea right up to the reliance on the carbon based life form that clicked on something questionable or outright bad in the first place to now somehow have the wisdom and security awareness to properly respond.  

I am going to have to go with human nature here and guess that they will pick #3 – run the installation anyway. Because human nature says: “If I clicked on it I want it and I don’t care about your fluffy risk rating”. I actually think there is a direct correlation behind my claim – the more likely someone is to click on something dangerous, the more likely, proportionately, that same person is to ignore any warning and proceed without care. In other words, the more likely I need to be protected from my own actions, the more likely I will be to ignore the warning and continue on as if nothing had ever happened.

 That is why I really believe that there has to be automated analysis and remediation behind this technology to really make it practical.  Just one man’s opinion.

One Response to “Symantec Quorum – The Carbon Based Life Form Problem”

  1. john says:

    Well, Quorum is certainly a leap past McAfee Artemis. After all, you are blogging as a McAfee partner, so to make the point you only arrive at the noted user prompting in very rare cases of little-known, highly unique files… The end point you note above is after heuristics have been applied. That's the point of reputation really, no?
