Symantec’s Reputation Based Detection (Quorum) – How Can Something Unknown Have a Reputation?

July 9, 2009

I am confused. I just read another article about Symantec’s new roadmap and, in particular, their new reputation based product called Quorum.

Symantec has been all over the media touting their reputation-based approach as the fix for the signature problem (more on that in a second). Quorum leverages Norton’s Community Watch program, which essentially collects data from Norton customers about applications and other things on the Web. Quorum uses this data to create a reputation score that characterizes an application as good or malicious. This is integrated with Symantec’s existing signature-based and behavioral technologies.

So here is where I get confused. A Symantec representative has been quoted as saying that Quorum will offer “much higher detection rates against unknown malware”. By definition, doesn’t the establishment of a reputation require some knowledge of the person or thing? How can you rely on the collective anecdotal evidence of a community for something that is, using Symantec’s word, unknown? I have a lot of respect for the folks at Symantec, but even they must see the irony in this positioning.

Thousands of machines were simultaneously attacked on July 4 by North Korea or a group sympathetic with North Korea. Did the malware used in that attack have a “reputation”? This week’s exploits of the ActiveX flaw in Internet Explorer were previously unknown attacks in the form of rootkits and Trojan downloaders. Again, it is doubtful that there was any prior reputation.

It would also be interesting to find out from Symantec how many members of the community must post their reputational opinion to get a statistically relevant sample and therefore eliminate the potential for false positives. If this number is high, that would indicate that a significant number of attacks must be reported before the reputation could be established and therefore used as a preventative.

The bottom line is that while this reputation-based technology may offer some additional endpoint protection, it still does not close the gap in traditional defensive software when it comes to unknown attacks. That is because, no matter how you package it and no matter what you call it, the traditional defensive software from the established AV vendors requires prior knowledge of the attack to succeed. Behavioral analysis, heuristics, and now reputation-based protections are an upgrade from signatures, but make no mistake about the fact that they rely heavily on prior knowledge. The bad guys will always have the edge on any software that requires previous knowledge of an attack to detect it as malicious.

It is nice that Symantec is publicly stating that signatures are no longer a sustainable technology, as we have been pointing out with our Worldwide Signature Counter. Reputation-based protection may play well in the consumer market, but for businesses and government agencies facing the dynamic persistent threat scenario, the announcement by Symantec falls flat.

As Symantec rolls out their new product line through the summer and into the fall, my guess is that the hype machine for reputation-based technology will be running at full throttle. You can put me down as unimpressed, underwhelmed, and mildly amused at the choice of words.

A Practical Primer on Triumfant – the ActiveX IE Exploit

July 8, 2009

In his blog The Last Watchdog, Byron Acohido discusses the recent zero-day attacks that exploit a flaw in the Video ActiveX component of the Internet Explorer browser. Acohido goes on to discuss why Microsoft may not have a patch ready in time for the next Patch Tuesday on July 14. The exploits and associated problems described by Acohido are a perfect context for a very practical primer on what Triumfant can do for an organization.

First, we would detect the zero-day attacks that exploit the flaw, including the two attacks described that use a Trojan downloader and a rootkit. No signature required.

Second, and of course, we do not stop at detection. Triumfant Resolution Manager will build a remediation and remove the detected attacks. This includes ejecting the rootkit and cleaning up the various hooks it established, and repairing all of the collateral damage done by the Trojan downloader to configure the machine for subsequent incursions, as described in the post. No humans needed to write the script, no re-imaging required.

Third, it would be a simple task to build a policy in Resolution Manager that would address the registry changes Microsoft has recommended as a stopgap for the problem until a patch is issued. The policy would be enforced on all machines, and the organization would get an up-to-date report on which machines had been updated and which machines were still vulnerable until a patch is created. Given the length of time Acohido describes for Microsoft to build a patch, and the well-known time gaps in organizations’ distribution of the patch, the action by Triumfant would protect machines for the weeks and even months until the patch was in place.
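As an added illustration of the third step (this is not Triumfant code and not Microsoft’s published workaround), the script below audits a single machine for an ActiveX kill bit, optionally enforces it, and emits a one-line compliance record of the kind a central policy report would aggregate. It assumes the recommended stopgap is the kill bit (Compatibility Flags value 0x400 under the ActiveX Compatibility key) and uses a placeholder CLSID rather than the real affected control.

```powershell
# Added example, not part of the original post. Audits/enforces the ActiveX
# kill bit for one control and returns a per-machine compliance record.
# Assumptions: the stopgap is a kill bit (0x400), and $Clsid is a PLACEHOLDER,
# not the actual CLSID of the vulnerable Video ActiveX control.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder
    [switch]$Enforce                                             # set the bit if missing
)

$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-KillBit {
    param([string]$Path)
    # Read the Compatibility Flags DWORD; missing key or value means no kill bit.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Path)
    # Create the per-CLSID key if needed and OR in the kill bit, preserving other flags.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

$before = Test-KillBit $KeyPath
if ($Enforce -and -not $before) { Set-KillBit $KeyPath }   # enforcement needs admin rights
$after  = Test-KillBit $KeyPath

# Compliance record: one row per machine, suitable for collection into a fleet report.
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Clsid      = $Clsid
    KillBitSet = $after
    Changed    = ($after -ne $before)
    Status     = if ($after) { 'mitigated' } else { 'vulnerable' }
}
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node, so a fleet check should audit both paths.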

This is not meant to be a sales pitch – this is a perfect and very practical example of how the unique functionality and capability of Triumfant would step into a gap not currently filled by any other product that I (or any industry expert, analyst, or writer) am aware of. As a new technology, it is sometimes hard for people to get their heads around what Resolution Manager can do and the benefit it delivers. And exploits like this ActiveX IE exploit show up on an all-too-frequent basis.