Immunet's Core Design Principles and Protection Stack
Friday, October 8, 2010 at 11:26AM
Zulfikar Ramzan

Over my next few blog posts, I'd like to describe (at a reasonably high level) Immunet's approach to dealing with today's threats as well as our overall protection stack. Even for a high-level description there is a decent amount of material, so I thought it would make sense to break it apart into several blog posts.
In this post, I'd like to go into our core design principles. Our goal in creating Immunet Protect was to build an AntiVirus solution from a clean slate, leveraging what we understand about today's threat landscape. We found that many existing AntiVirus solutions were encumbered by legacy technologies and legacy approaches, which greatly inhibited their ability to meet the unique demands of current threats. With that in mind, the following were the guiding principles behind our approach:
- Adapts rapidly: Threats today change quickly. We see tens of thousands of unique malware variants each day, and these variants have a very short lifetime: more than 75% of the threat instances for which we have traditional signatures are only ever seen once in the field. At the same time, the variants are becoming more complex, with the current generation of malware building on its predecessors. To make matters worse, attackers have an inherent advantage in this fight: they can download and install all the well-known AntiVirus products and keep morphing the threats they write until nothing detects them, whereas AntiVirus vendors have far less visibility into the operations of malware authors. Consequently, an AntiVirus technology needs a simple and rapid mechanism by which it can be recalibrated to protect users in the field as these changes occur.
- Lightweight and interoperable: All the well-known AntiVirus solutions on the market today tend to be very heavyweight, and this shortcoming has several repercussions. First, they slow machines down considerably, perhaps even more than the very threats they claim to protect against. Second, users respond by disabling them. Third, heavyweight AntiVirus solutions tend to have stability issues and, worse, can misbehave when running on the same system as other security software. Our sense is that performance has become the number one criterion by which customers choose a solution, outranking even the protection it provides.
- Data driven: Because of their current architecture, many existing AntiVirus vendors have limited insight into how their products actually perform in the field. For a given threat, they may not know how many times it has triggered; for a given technology in their protection stack, they may have a hard time measuring its true in-field efficacy, or the specific value it adds beyond the other layers. When a new technique is deployed within an existing AntiVirus product, the vendor is often shooting in the dark. This is costly, since the technology has to be deployed into production before anyone can tell how it will perform. That approach may have sufficed for yesterday's simpler threats, but it is not appropriate for today's more complex and less predictable ones.
- Community aware: Threats tend to propagate across "social" networks. If your friend's computer is infected, chances are it will become the launch pad for an attack on your system: the attacker compromises your friend's machine and then sends an email from your friend's account containing malicious content. Along similar lines, a USB stick shared with a friend or colleague can carry a threat from their machine to yours. The adage that there is safety in numbers is especially true for online threats.
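The "adapts rapidly" and "data driven" principles above both rest on the same measurement: counting, per signature and per detection technology, how often each one actually fires across the fleet. The following is an added illustration of that bookkeeping, written for this page rather than taken from Immunet's own code. The telemetry records, the technology names ("signature", "heuristic", "cloud") and the rule names are all constructed for the example; the two figures it computes are the share of rules that fired exactly once (the "seen only once" statistic the post cites) and, for each technology, the number of samples it alone caught (the "specific value it adds").

```python
from collections import Counter, defaultdict

# Constructed telemetry (not real Immunet data): one record per detection
# event reported by an endpoint. Each tuple is
#   (endpoint id, truncated sample hash, technology that fired, rule id)
EVENTS = [
    ("ep-01", "a1f3", "signature", "Trojan.Gen.1"),
    ("ep-02", "a1f3", "heuristic", "Heur.Packer"),
    ("ep-03", "b2c4", "signature", "Worm.Autorun.X"),
    ("ep-04", "c3d5", "cloud",     "Rep.LowPrevalence"),
    ("ep-05", "d4e6", "heuristic", "Heur.Packer"),
    ("ep-06", "e5f7", "signature", "Trojan.Gen.1"),
    ("ep-07", "f6a8", "signature", "Trojan.Dropper.Q"),
]


def hits_per_rule(events):
    """How many times each rule fired across the whole fleet."""
    return Counter(rule for _, _, _, rule in events)


def singleton_fraction(events):
    """Share of rules that fired exactly once: the 'seen only once' rate."""
    counts = hits_per_rule(events)
    if not counts:
        return 0.0
    singletons = sum(1 for n in counts.values() if n == 1)
    return singletons / len(counts)


def coverage_per_tech(events):
    """Fraction of distinct samples each technology detected (alone or not)."""
    samples = {h for _, h, _, _ in events}
    seen = defaultdict(set)
    for _, sample, tech, _ in events:
        seen[tech].add(sample)
    return {tech: len(s) / len(samples) for tech, s in seen.items()}


def unique_value_per_tech(events):
    """Samples that only one technology caught, credited to that technology.

    This is the number that tells you what a layer adds beyond the others;
    a layer with high coverage but zero unique value is redundant in the field.
    """
    techs_by_sample = defaultdict(set)
    for _, sample, tech, _ in events:
        techs_by_sample[sample].add(tech)
    unique = Counter()
    for techs in techs_by_sample.values():
        if len(techs) == 1:
            unique[next(iter(techs))] += 1
    return dict(unique)


if __name__ == "__main__":
    print("hits per rule:      ", dict(hits_per_rule(EVENTS)))
    print("singleton fraction: ", round(singleton_fraction(EVENTS), 2))
    print("coverage per tech:  ", coverage_per_tech(EVENTS))
    print("unique value:       ", unique_value_per_tech(EVENTS))
```

On the constructed data, three of the five rules fire once, so the singleton fraction is 0.6; the signature layer covers four of six samples and is the sole detector for three of them, while the heuristic and cloud layers each contribute one sample nobody else caught. The same two aggregates, run continuously over real telemetry, are what let a vendor retire dead signatures and judge a new layer before betting a release on it.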
The architecture of Immunet Protect, which we will describe in the next few posts, was developed with the above principles in mind.