03-16-2009 10:32 AM
03-16-2009 11:15 AM
01. That is why Pulse Updates were Created.
02. I don't think Signature-based Detection is useless - far from it - that is why Pulse Updates were Created. ;)
03-16-2009 12:25 PM
Floating_Red, I never said that the detection signatures were useless. What I say is that they leave a window of time when the malware is not detected and can damage the computer. This would not happen if a smart behaviour-based detection system were implemented. And given the level of current hardware, I do not think this kind of technology would cause much slowdown on a modern computer with a multi-core processor and over 3 GB of RAM.
03-16-2009 12:48 PM - edited 03-16-2009 12:50 PM
03-17-2009 09:44 AM
We have a number of methods we can adopt to provide detection against malware. You explicitly call out behaviour-based detections, which is something we adopted a number of years back using our SONAR engine. While behavioural detections have their advantages in proactively detecting new threats, we are still not in a place where we can solely rely on behavioural methodologies. Signature-based detections offer some advantages over behavioural detections as they are more specific and as a result are less prone to false positives, as well as offering better performance. Signature-based detections these days are also not simply one-to-one detections; in fact we will always choose the signature which offers the broadest potential coverage.
We also develop a number of heuristic signatures which are designed to detect particular characteristics associated with malware. You mention Packed.Generic.200, which has been very successful in proactively detecting malware associated with downloading misleading antivirus products. Regarding polymorphic threats, we have a specific engine which allows us to emulate the behaviour of such complex threats and allows us to effectively detect and repair them. A recent example of a complex polymorphic threat is W32.Virut.CF; we currently have full detection and repair in place for this threat's many iterations.
In general, with the volume and complexity of today's threats, an effective antivirus product needs to offer a combination of detection possibilities. We continue to investigate improvements to our behavioural engines, in addition to regularly creating heuristics and generic signature detections. If you look at the list here you'll see 6-7 new generic/heuristic detections released in the past month.
Symantec Security Response
03-17-2009 09:59 AM
Unfortunately, I still don't feel safe to *test* what I know to be malware which would at the time of that testing still be undetected by Norton products.
The last 2-3 of times I did that the *test* resulted in a malicious process active and running on my system, creating hidden entries in the Run section of the registry, and so on and so on...
Never in my 5 years of almost incidentally using Norton have I seen a SONAR (behavioral) alert and detection. I and my family rarely come across an infection accidentally, so Norton seemed sufficient to me thus far.
Would you be so kind to explain to us where this SONAR analysis takes place? On our system or on some Symantec's test machine? And what is the timeframe for that?
03-17-2009 10:07 AM
Also an anecdote about repair..
A couple of times I came across an obvious USB flash disk (autorun) spreading malware, still undetected by Norton (09) version, when scanned manually.
I would take it out, leave it on one of my disks as an inactive file. My system would never be infected in the first place.
A couple of days (or a week) after, the file is detected by NIS 09 as SillyFDC!
And NIS would then promptly "clean" my Registry of entries that did not even exist (because the malware never got the chance to be active on my system). Funny. :D
03-17-2009 10:08 AM
03-17-2009 10:24 AM
We don't really know, you see, even the generic and heuristic detections rely on some kind of downloaded signature, it seems to me.
Either it is a packer (a compression utility) that only malware authors use (those are these Packed.Generic detections), or it looks very much like a trojan in its code inside (Generic.Trojan)
What I haven't seen from Norton is a kind of alert that would stop a process from downloading, dropping and executing files, creating a hidden file in a system directory, a hidden entry in the Run section and the like... even if it is not described in any of those by-the-looks-of-the-file based detections.
Except maybe if Suspicious.MH960 is a precursor for such detections...
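To make concrete what the last post is asking for, and why the Symantec reply above warns about false positives, here is an added illustration of a toy behaviour-based scoring engine. It is not Norton or SONAR code and is not from anyone in this thread; the event model, the three rules, their weights and the alert threshold are all assumptions chosen for the example. The sample event log is constructed: one browser-like process that only downloads a file, one installer-like process that only writes a Run entry, and one dropper-like process that downloads, executes, drops a hidden file into a system directory and adds a Run entry. No single rule reaches the threshold by itself, which is what keeps the legitimate installer from alerting.

```python
# Added example (not from the thread): minimal behaviour-scoring engine.
# Event names, rule weights and the threshold are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    action: str           # "download", "write_file", "exec" or "reg_set"
    target: str           # local file path or registry value path
    hidden: bool = False  # file written with the hidden attribute


# Assumed locations; real products would use a much richer notion of these.
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\")
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def writes_hidden_system_file(events):
    """Hidden file created inside a system directory."""
    prefixes = tuple(d.lower() for d in SYSTEM_DIRS)
    return any(e.action == "write_file" and e.hidden
               and e.target.lower().startswith(prefixes) for e in events)


def adds_run_entry(events):
    """Persistence via a value under the Run key."""
    return any(e.action == "reg_set"
               and e.target.lower().startswith(RUN_KEY.lower()) for e in events)


def executes_own_download(events):
    """Process runs a file it downloaded itself (download -> exec chain)."""
    downloaded = {e.target.lower() for e in events if e.action == "download"}
    return any(e.action == "exec" and e.target.lower() in downloaded
               for e in events)


# (rule name, weight, predicate). Weights are assumptions: each behaviour is
# also seen in benign software, so only a combination crosses the threshold.
RULES = [
    ("hidden_system_file", 40, writes_hidden_system_file),
    ("run_key_persistence", 30, adds_run_entry),
    ("exec_downloaded_file", 40, executes_own_download),
]
THRESHOLD = 60


def score_process(events):
    """Return (score, matched rule names) for one process's events."""
    matched = [name for name, _, pred in RULES if pred(events)]
    score = sum(w for name, w, _ in RULES if name in matched)
    return score, matched


def evaluate(events):
    """Group events by pid; return {pid: (score, matched, alert)}."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    result = {}
    for pid, evs in by_pid.items():
        score, matched = score_process(evs)
        result[pid] = (score, matched, score >= THRESHOLD)
    return result


# Constructed sample log (not real telemetry).
SAMPLE_EVENTS = [
    # pid 100: browser-like, only saves a download
    Event(100, "download", "C:\\Users\\Bob\\Downloads\\setup.exe"),
    # pid 200: installer-like, only registers a startup entry
    Event(200, "reg_set", RUN_KEY + "UpdaterApp"),
    # pid 300: dropper-like chain of behaviours
    Event(300, "download", "C:\\Users\\Bob\\AppData\\Local\\Temp\\x.exe"),
    Event(300, "exec", "C:\\Users\\Bob\\AppData\\Local\\Temp\\x.exe"),
    Event(300, "write_file", "C:\\Windows\\System32\\svch0st.exe", hidden=True),
    Event(300, "reg_set", RUN_KEY + "svch0st"),
]

if __name__ == "__main__":
    for pid, (score, matched, alert) in evaluate(SAMPLE_EVENTS).items():
        print(pid, score, matched, "ALERT" if alert else "ok")
```

Running the block prints a line per process: pid 100 scores 0, pid 200 scores 30 on the Run-key rule alone and stays below the threshold, and pid 300 matches all three rules for a score of 110 and alerts. The design point is the one the Symantec post makes: each individual behaviour is ambiguous, so a behavioural engine has to weigh combinations, and tuning those weights is where the false-positive risk lives.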