Performance is the focus for 2009 - Rowan Trollope, senior vice president at Symantec

[Иван 290]

http://www.pcmag.com/article2/0,2817,2308131,00.asp

Norton to Speed, Not Slow, Computers

05.22.08

Rowan Trollope, senior vice president at Symantec, shares his vision of the ultimate security suite and some thoughts on Symantec's future, both in the security realm and beyond.

by Neil J. Rubenking

Rowan Trollope, senior vice president at Symantec , has a vision. He pictures a security suite that doesn't impact system performance at all—even one that makes the computer run faster. And he hopes Norton Internet Security 2009 will be that suite. Trollope shared this vision and some thoughts on Symantec's future, both in the security realm and beyond.

What Consumers Want

Trollope worked for Symantec in the early nineties supporting Norton Utilities, then moved to the Enterprise group. He returned to the consumer side in 2006 to take over the ailing Norton Internet Security line and turn it around; NIS 2007 and NIS 2008 are evidence of his success. But consumers don't have a clear yardstick for deciding which suite to buy. "They think Norton's pretty much the same as Kaspersky, or Microsoft ," said Trollope. "This is compounded by a feeling that maybe security isn't as important as it was. We've stopped hearing about virus threats on CNN, and Microsoft keeps trumpeting how great Vista's security is".

To determine the right direction for the 2009 edition, Trollope's team interviewed ordinary users to find out what they want. The users presented a unified front—plain and simple, they're tired of security software that slows down their computer. Performance is the absolute number one issue. "Therefore, it's obvious that we must be the absolute best in performance. If I could create what's unquestionably the fastest security product in the world, without compromising security features, it would be very clear to the consumer why they'd buy Norton. Performance is the focus for 2009," Trollope stated.

Trollope explained that the effort goes way beyond merely optimizing existing code. Five hundred engineers are working on different aspects of the program, completely reworking them for speed. He observed that it takes, on average, eight minutes to install NIS 2008. He challenged the team to take as little time as possible beyond what's needed to copy the program's files. The team had to stop using Microsoft's installer and write a new installer from scratch. Their aim—installation that takes just one click and finishes in under a minute.

Scanning is another slow process; the team strives to vastly increase scanning speed by using a huge whitelist of known good programs "in the cloud". Downloading updated signatures can also cause a periodic performance hit, so they invented a new type of streaming definitions. According to Trollope, they've made well over 300 individual changes specifically to improve performance and filed a number of patents on this new technology.

"We're not there yet," admitted Trollope. "We're still working on it."

NIS 2009 should go into beta testing this summer, and the final product is expected in the fall, as usual. We can hope that it will live up to this vision.

A New View of Security

New malware strains appear every day, and the rate is increasing. Existing solutions can't keep up. Trollope noted that in 2000, Symantec released about 10,000 new definitions, while in 2008 they anticipate over a million. The standard signature-based technique for virus detection was invented in the mid-eighties and is virtually unchanged today, though it's more refined. Non-signature behavior-based products generally detect 60 to 70 percent of actual zero-day threats in testing—maybe as high as 80 percent. But to reach the necessary better-than-99-percent range, they invariably start marking non-malicious programs as bad. This high rate of false positives means that behavior-based detection alone is not a viable solution.

Trollope explained that Symantec is in the middle of a three-year push to invent a completely new type of protection against malware. Developed by Carey Nachenberg, a Symantec Fellow and the company's most senior technologist, the innovative technology is built on statistical techniques. Trollope offered a very simple example. If a particular application is installed on millions of systems, it's almost certainly not malicious. But an application that's found on just a handful out of a million almost always is malware.

If successful, this will be a truly significant advancement. Signature-based detection is always a step behind the bad guys —a zero-day threat has free reign until they can cobble up a new signature. Even behavior-based detection needs samples of malware so it can distinguish malicious programs from good ones. The statistical technique doesn't need any information about a program's signature, nor about its behavior. It should detect a new malicious program from day one (with "should" being the operative word).

Trollope naturally couldn't say more about the details of the new detection system. It's still in development, and Symantec doesn't want to give away too many secrets. He did point out that a huge sample set is needed for statistical significance. The new technology will be present in Symantec's 2009 security products, but not active—just gathering information. They hope to have it fully functional and integrated into the 2010 version of the suite.

Solving All Your Problems

"In my own home," observed Trollope, "we have lots of technology. Laptops, the kitchen computer, wireless printers, network attached storage, music players…and for all of this technology we have problems. Things go wrong all the time. Norton products aren't solving these new problems."

He noted that while NIS 2008 protects the system against threats, it can't help, for example, with connectivity. He'd like to see Symantec solve a wider range of problems. "Going back to my tech support days, I can say confidently that if you have a PC, then you have a problem."

Typically, a user with a problem gets bounced around. The OEM blames Microsoft, Microsoft blames the ISP, the ISP blames Symantec. Often, users call Symantec with problems that are completely unrelated to their Norton product. As an experiment, Trollope's team started funneling some of these calls to a group of professional analysts and helping out the consumers with any type of problem. The experience gained from this trial led to the creation of Symantec's PC Checkup service—for a fee they'll fix whatever is wrong.

Trollope hopes to position Symantec as the company that's all about keeping tech working in your home. The company examines the kind of problems users ask them to solve and looks for product possibilities. Consumers want protection for their kids online, yet aren't happy with current solutions. To address this problem, a team is working on Symantec Family Safety. Families have tons of important personal documents, pictures, music, and more stored on their computers, but only a tiny few backup this data. As a result, Symantec integrated online backup into Norton 360.

"You'll start to see us kick off more products that solve problems," concluded Trollope. "First, we're addressing the number one request in security: better performance. Next, we're inventing new technology to protect against future malware with 99 percent accuracy. Finally, we're going to grow our vision in the world and help solve problems. It's a big shift from just being a security company."

But to those of us who remember the Norton Utilities, maybe it isn't such a big shift after all.

[Виталий Я. 859]

Спасибо за "наводку", Иван!

По производительности - интересное заявление. В плане ОЕМ-версий Симантека уже не зря поджали МакАфи на Асеровских ПК.

"But to reach the necessary better-than-99-percent range, they invariably start marking non-malicious programs as bad. This high rate of false positives means that behavior-based detection alone is not a viable solution." - а это "автодятла" грамотно "приложили".

huge whitelist of known good programs "in the cloud" - тоже интересно, как реализован сбор. Если это про то звон: "The new technology will be present in Symantec's 2009 security products, but not active—just gathering information." - то очевидно, что статистику "хорошего софта" попробуют накопить сперва.

[Иван 290]

"But to reach the necessary better-than-99-percent range, they invariably start marking non-malicious programs as bad. This high rate of false positives means that behavior-based detection alone is not a viable solution." - а это "автодятла" грамотно "приложили".

смотрю в книгу вижу фигу

это "приложили" поведенчески технологии, там же ясно написано

Non-signature behavior-based products generally detect 60 to 70 percent of actual zero-day threats in testing—maybe as high as 80 percent. But to reach the necessary better-than-99-percent range, they invariably start marking non-malicious programs as bad. This high rate of false positives means that behavior-based detection alone is not a viable solution.

почему приложили тоже ясно - они у симантека в зачаточном состоянии

[Виталий Я. 859]

Иван, я по диагонали читал - спасибо что глаза открыли

Как же сложно стало здраво оценивать слова про поведенческий блокиратор.

ясное дело - Матусека так проходить и не будут в 2009 версии.

[Илья Рабинович 521]

почему приложили тоже ясно - они у симантека в зачаточном состоянии

Их у симантека вообще нет- их AntiBot есть отребренденный продукт Sana Security. И то, что оно ловит только 80% максимум и требует предварительного разбора поведения зловредов- это всё про них.

[Иван 290]

Sonar?

[Илья Рабинович 521]

Sonar?

Ну и где он? Купить-то они его купили, а вот дальше что-то его не сильно видно. Ну и- если он есть, то зачем делать отдельно проект AntiBot на переребренденном движке? А вообщзе, если я правильно помню, Sonar- это софт корпоративного использования.

[Иван 290]

Ну и где он? Купить-то они его купили, а вот дальше что-то его не сильно видно. Ну и- если он есть, то зачем делать отдельно проект AntiBot на переребренденном движке? А вообщзе, если я правильно помню, Sonar- это софт корпоративного использования.

нет такая галка есть и в персональных продуктах

насколько я понял в своё время эта штука оценивает по каим-то критериям приложения в данный момент запущенные в системе, причем не в реальном времени, а с определенной переодичностью, а также в тот момент когда и если приложение лезет в сеть.

по опыту фактически ничего не ловит - по заявлению Symantec "зато практически вообще не фолсит"

[Илья Рабинович 521]

Ну, если оно мышей не ловит- значит, нет у них ничего, кроме переребренденного SafeConnect. Думаю, в таком случае всё логично.