Symantec Adds Zero-Day Defense To Consumer Security Line - InformationWeek

Symantec Online Network for Advanced Response is based on technology acquired in the 2005 purchase of WholeSecurity, a maker of anti-phishing and intrusion-prevention software.

Symantec will add a new defense to its consumer security flagship products Norton AntiVirus and Norton Internet Security early next month to protect PCs from zero-day exploits, the company said Wednesday.

Sonar, for Symantec Online Network for Advanced Response, is based on technology acquired in the 2005 purchase of WholeSecurity, a maker of anti-phishing and intrusion prevention software. "It's a new behavioral technology," says Ed Kim, director of product management in Symantec's consumer product group. "It's a zero-day defense that doesn't use signatures."

So-called zero-day exploits are those for which no patch is available from the vendor, but the term is sometimes used to describe exploits for which there are no antivirus fingerprints, or signatures, yet distributed by security companies.

"Sonar uses an expansive list of behaviors" to look for possible exploits, says Kim. "It scores the application or executable by examining both positive and negative attributes. For example, does it have a shortcut on the desktop, is it digitally signed? On the other hand, is it just a one-pixel window?"

"It sounds like Symantec's talking about a sandbox, but they're not calling it that because [a sandbox] isn't new," says Roger Thompson, chief technology officer of rival security vendor Exploit Prevention Labs. A sandbox environment, which restricts what computer code can do or what other components it can impact, often is used to run suspicious or untrusted software to get an idea of what it does and whether it might be malicious.

Most desktop security that aims at stopping zero-days, claims Kim, relies on "shields," software that watches for changes in, say, the Windows registry or to the directory where Windows' system files are lumped, then compares those changes with a database of signatures, or rules, that identify known exploits. "Those are prone to false positives," Kim says.

Signature-based defenses, however, operate in real time to block exploits as they try to make their way onto a system. Symantec's Sonar, by comparison, is a scanner, similar to the one that sniffs for viruses and worms, that runs daily. "It's not part of the real-time defense," admits Kim. "Scans run on a daily basis, so this is an extra layer on daily [anti-virus] scans."

The addition to Norton AntiVirus and Norton Internet Security 2006 and 2007 will be made available to users "around the time of general availability of the Vista products, in early February," shortly after the release of the new Microsoft Windows operating system to consumers on Jan. 30. Existing users will receive an online upgrade; the technology will also be integrated in the Vista versions of AntiVirus and Internet Security.

"We're very bullish about the technology," says Kim. "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."

Thompson, however, defended signatures in zero-day defenses. "Signatures are slower to react. Bad guys know they can shoot the world in the foot by releasing 10 variants of a downloader. Most AV [anti-virus] vendors will get the first two or three [variants] but let the others through. But our signatures aren't looking at the payload. We could care less about the payload. Most of the time the exploits themselves haven't changed, so we block the exploit."

Adding another layer of defense, however, is a smart move on Symantec's part, says Thompson. "We've never pitched LinkScanner as a replacement for antivirus, for example, but always as another layer. Each layer [of defense] catches a certain percentage of the problems."

In other news, Symantec's share prices rebounded slightly Wednesday after falling sharply on news the day before that the vendor failed to meet earlier third-quarter forecasts. Tuesday, chief executive John W. Thompson blamed the shortfall on weak performance from its Veritas group and a shift by more enterprises to long-term maintenance contracts. "There's a huge personal disappointment associated with all of this," Thompson said during a conference call. He also said that the company will disclose cost-cutting measures next week.

By mid-day, Symantec shares had climbed 16 cents to $17.95, after dropping $2.69 to $17.79 Tuesday, a one-day decline of 13.2%.
