Downloading malicious software, typically when tricked into doing so, is becoming the primary way malware infects people’s computers. Nearly every threat today is unique in some way and is designed to evade detection, putting tremendous pressure on the traditional signature-based approach. By the time a signature is written for a particular malware variant, it has already changed itself and, as far as the signature is concerned, it is an “unknown” file. Whether the signatures are on the disk or in the cloud, they are usually not fast enough to keep pace with modern threats.
The approach we are taking with Download Insight is to build a cloud-based reputation system. This system has knowledge of millions of applications and individual files across the globe and determines the reputation of each one using statistical methods. This approach is the perfect complement to signatures—it is tailor-made for making decisions about unknown executables whereas signatures excel at telling you about something that is already known (like an existing virus or Trojan). We call our reputation-based intelligence "Quorum".
At a high-level, Insight will contact the Quorum server and ask for the reputation of the package. Based on the reputation, the package will be allowed to sit on the disk and execute, or will be deleted and removed from the computer.
Why is my cloud better than your cloud?
Cloud-based scanning is the new buzzword in the security industry, and a few security vendors are using the term, although they often mean something very different by it.
The obvious advantage of cloud scanning is that the turnaround time for a definition to be available is extremely fast – as soon as a definition is available in the cloud, it is available to the user. Note that this approach still requires you to actually have seen the threat before in order to make a signature, a questionable assumption to make given the thousands of new threats produced every day.
What we have done with Quorum is to build a system that analyzes the reputation of the new software and files across the Internet and then calculates a reputation score for each of them. This system receives feeds from tens of millions of customers that anonymously participate in the Norton Community Watch program. Quorum automatically starts working on calculating the reputation score as it becomes aware of new files.
Now this is powerful – we have a system that can receive knowledge of new files worldwide and use a Symantec “secret sauce” algorithm to calculate the reputation score automatically! This information is immediately available to Download Insight through the cloud, which is quite different from simply moving the old signature model into the cloud.
How is the reputation score of a file determined?
A reputation score is calculated using a complex algorithm based on various parameters. Remember, the main feed into the reputation system is the information received from the Norton Community Watch program.
Here’s a list of a few parameters that are used to calculate the reputation score:

- How many instances of a particular file are seen?
- How long has that file been around?
- From which URLs was it downloaded?
- What is the basic health of the system that is submitting the data?
- Which software vendor does the file belong to?

These parameters are fed into a complex algorithm that determines the score of an application or file. As we continuously receive new information, the score of a file can change over time.
Download Insight in action
Download Insight monitors when new files are downloaded, and once the download is complete it goes into action. From a user’s point of view, it should be straightforward as there are basically two “flows”:

1) Save the downloaded file

This is the flow where the user chooses to save the application to a folder on the computer.

1. Download Insight observes that the file download from the Internet is complete.
2. It calculates the SHA256 hash of that file and immediately asks the Quorum online servers for a reputation score.
3. Based on the reputation score, Download Insight will:
   a. Delete the application if the reputation score is at a “Bad” level and display a notification to the user.
   b. Allow the file to persist if the reputation score is “Good” and display a corresponding notification.
   c. Provide additional information when the score for the file is still being evaluated.
Here is what the notifications can look like depending on the reputation score:
The “View Details” link for each notification provides more information from our Quorum servers. Here are a few examples:
1. Prevalence – How widely used is this file in the Norton Community? It can range from very few instances to millions of machines.
2. Age – How long has this file been around?
3. Reputation Rating – What does Norton think of this file? It provides an indication of how trustworthy the file is.
4. URL – This provides the website from which this file was downloaded.
While each individual item listed above is useful in itself, it becomes powerful when combined to build a picture of how trustworthy a particular file is.
Let’s try to draw an analogy. Say you want to buy a new HD camera. Typically you would try to find more information about it on the Internet. If your research shows that it is a popular camera and that it has been available on the market for a long time, that builds credibility for the camera and your chances of buying it are higher; in other words, its “reputation” is good.
At the same time, if you come across a brand-new camera that was released last week and very few people have tried it, you might prefer to wait and see how it pans out, and your chances of buying it right away would be lower; in other words, its “reputation” would be considered lower.
Something similar can be applied to software applications as well.
2) Run the downloaded file

The second user flow where Download Insight participates is when you run the application downloaded from the Internet – it could be right after you download the application or a couple of days later when you choose to install it.
If the reputation of the file is still being evaluated (yellow notification in Figure 1), Norton will alert the user with a dialog that provides the information shown in Figure 2 and a recommendation on what the user can do with the application. It looks like:
We can treat this category as “currently being monitored” – every time an application with a yellow reputation score is launched, we re-query the reputation server to see if it has any new information on this particular file. Both the notification (Figure 1) and the dialog (Figure 3) can be disabled or made more active via the feature settings, depending on the user’s level of interest.
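The two flows above (hash, query and decide after download; re-query at launch while a file is still under evaluation), written out as an added example that is not Symantec’s code. The Quorum servers are replaced by an in-memory table so it runs offline, the scoring algorithm itself is not modelled (it is not public), and the verdict names and cache are assumptions.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    GOOD = "good"        # green notification: keep the file
    BAD = "bad"          # red notification: delete the file
    UNKNOWN = "unknown"  # yellow notification: still being evaluated


# Constructed stand-in for the Quorum servers (SHA-256 hex digest -> verdict).
# The real scoring is not public; only the query/decision flow is modelled.
QUORUM_DB: dict[str, Verdict] = {}

# Local record of the last verdict seen for each downloaded file (assumption).
LOCAL_CACHE: dict[str, Verdict] = {}


def sha256_of(data: bytes) -> str:
    """The query key is the file hash only; no filename or user data is sent."""
    return hashlib.sha256(data).hexdigest()


def query_quorum(file_hash: str) -> Verdict:
    """Ask the stubbed service; hashes it has not seen are still under evaluation."""
    return QUORUM_DB.get(file_hash, Verdict.UNKNOWN)


def on_download_complete(data: bytes) -> str:
    """Flow 1: download finished -> hash -> query -> delete / allow / monitor."""
    h = sha256_of(data)
    verdict = query_quorum(h)
    LOCAL_CACHE[h] = verdict
    if verdict is Verdict.BAD:
        return "deleted"
    if verdict is Verdict.GOOD:
        return "allowed"
    return "monitored"


def on_launch(data: bytes) -> str:
    """Flow 2: a file still under evaluation is re-queried at launch, so a score
    that changed since download (e.g. now rated bad) is acted on."""
    h = sha256_of(data)
    verdict = LOCAL_CACHE.get(h, Verdict.UNKNOWN)
    if verdict is Verdict.UNKNOWN:
        verdict = query_quorum(h)
        LOCAL_CACHE[h] = verdict
    if verdict is Verdict.BAD:
        return "blocked"
    if verdict is Verdict.GOOD:
        return "run"
    return "prompted"  # still unknown: show the dialog and let the user decide
```

A file that was “monitored” at download time is blocked at launch once the table has learned it is bad, which is the score-change behaviour the Q&A below describes.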
For the 2010 product line, we’re introducing a new reputation-based means of protecting our customers against unknown malware called Quorum. Quorum has been in the works for several years now and is designed specifically to protect against today’s breed of unknown malware. Even better, Quorum provides useful intelligence on all files, good or bad, that we make available to our customers through Download Insight and other features in 2010. Download Insight brings you this information when you need it the most—right before you install a downloaded file. We think the result will not only be better protection, but a great experience overall for our customers.
Q & A
Q: Is Download Insight similar to Norton Insight from the 2009 product line?
A: Reputation scoring based on the Quorum backend intelligence is a leap forward in the functionality of Norton Insight. In the Norton 2009 product line, we leveraged our Norton Community program to identify the “good guys” (files, executables). With our 2010 release, we have taken it to the next level, where we identify who the “bad guys” are and provide more protection and intelligence to our users.
Q: What browsers do we support currently?
A: Currently Download Insight supports Internet Explorer 6.0 & above and Firefox 3.0 & above. We have plans to extend this functionality to more browsers in the future.
Q: How long does it take to retrieve the reputation score?
A: The amount of data sent and received to get the reputation score is small, making the response time very fast. In normal operation the delay will not be perceived by users.
Q: Can a reputation score change for the file I have already downloaded?
A: Yes, a reputation score can change as we continue to receive more information from Norton Community Watch and Quorum. The next time Download Insight asks for this information (e.g., the run-the-file scenario above) we will fetch a new, updated reputation score if one is available.
Q: Is any personal information sent to or stored by Symantec?
A: No, the queries only include the file hash, and no personally identifiable information is submitted or stored by Symantec. This also applies to any Norton Community Watch submissions.