About Us

The Immunet Blog is maintained by the Immunet team as a forum for discussing news and issues related to AntiVirus, security and cloud technology.

Entries by Alfred Huger (30)

Monday
Feb072011

Version 3.0 - The next step in Anti-Malware protection.

Introduction to 3.0

On February 9th we will be releasing our version 3.0 with some notable changes and improvements.

Before I detail what's new from a feature perspective, I should also note that we are changing the name of the product with this release: the new name is Immunet 3.0 - Powered by ClamAV. The new product looks like the screenshot here:

[screenshot: the new product window]

In addition to the name change, you will also notice a change in the icon we use in your tray. The new icon is the 'star burst' in white and blue; it should look like this in your tray:

[screenshot: the new tray icon]

The name change is the result of the acquisition of Immunet Corp by Sourcefire Inc. This acquisition has brought both the Immunet and ClamAV teams under the same roof to deliver our 3.0 release and future products.

New Features

Our 3.0 release was primarily intended to sharpen our focus on malware detection and to provide comprehensive protection to users who are not always connected to the cloud. Some of the features we have added are cutting edge and allow both advanced and basic users of our software to benefit from much higher detection rates. Our new features are detailed below.

Complete Offline Protection

The 3.0 release ships with an 'Offline' engine. This engine (ClamAV 0.97), once enabled, will automatically pull down our latest detection sets and allow for complete detection coverage even when you are not connected to the Internet. We are creating detections for 'hot' threats prevalent on the net, so that you will be protected from current in-the-wild threats and their variants. With Offline protection we now also have several complex detection engines native to the desktop, with support for file formats such as .DOC, .XLS and HTML, as well as strong unpacking support.

If you are installing fresh, you will have the option to install with this engine turned 'On' by default. If you are upgrading from ClamAV for Windows, this engine will be turned off by default. The screenshot here shows how to enable it from the 'Settings' feature on the front of the User Interface.

[screenshot: enabling the Offline engine under Settings]

Cloud Recall

One of the advantages of a Cloud model for hunting and identifying threats is that we are able to retain and analyze vast amounts of data about what our community is seeing at any given time. Unlike traditional Anti-Virus, or even other Cloud Anti-Virus, we constantly reconsider all the data we see or have seen in our community. This allows us to evaluate every decision we have made about a file in our community and check whether we still agree with that decision as time advances. If our position on the security of a file changes because of new information about it, we can now seamlessly act on that. In practical terms: if you look up a file today and we do not yet know it is malicious, and tonight or tomorrow we discover that it is, we will alert your system to find the file and remove it, all without you needing to download a single definition update. This 'Cloud Recall' ensures that your security advances with every new piece of information we become aware of. You will always know as much as we do, when we do.
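A sketch of the bookkeeping a recall like this needs, added here as an illustration and not Immunet's own code: the cloud side remembers which verdict each client was last given for each hash, the client side remembers where each hash was seen, and a revised verdict produces a notice only for the clients that were told something else. The class and method names (CloudVerdicts, Endpoint, revise, sync), the verdict labels, the sample content and the file paths are all assumed for the example.

```python
import hashlib
from collections import defaultdict


def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()


class CloudVerdicts:
    """Hypothetical cloud side. Besides the current verdict per hash it keeps, per hash,
    the verdict each client was last given, so a change of mind can be pushed back to
    exactly the clients that heard something else (the 'recall')."""

    def __init__(self):
        self.verdicts = {}                  # sha256 -> "clean" | "malicious" (absent = unknown)
        self.told = defaultdict(dict)       # sha256 -> {client_id: verdict last delivered}
        self.pending = defaultdict(list)    # client_id -> undelivered recall notices

    def lookup(self, client_id, digest):
        verdict = self.verdicts.get(digest, "unknown")
        self.told[digest][client_id] = verdict
        return verdict

    def revise(self, digest, verdict, reason):
        """New information about a hash. Queues a recall for every client whose last
        answer differs and returns those client ids; a repeat call recalls nobody."""
        self.verdicts[digest] = verdict
        recalled = []
        for client_id, last in self.told[digest].items():
            if last != verdict:
                self.pending[client_id].append({"sha256": digest, "verdict": verdict, "reason": reason})
                self.told[digest][client_id] = verdict
                recalled.append(client_id)
        return recalled

    def poll(self, client_id):
        notices, self.pending[client_id] = self.pending[client_id], []
        return notices


class Endpoint:
    """Hypothetical client side. Remembers the path of every file it asked about, keyed by
    hash, so a recall can be acted on locally without a rescan or a definition update."""

    def __init__(self, client_id, cloud):
        self.client_id, self.cloud = client_id, cloud
        self.seen = defaultdict(set)        # sha256 -> paths where that content was seen
        self.quarantined = []

    def scan_file(self, path, content):
        digest = sha256_hex(content)
        self.seen[digest].add(path)
        verdict = self.cloud.lookup(self.client_id, digest)
        if verdict == "malicious":
            self.quarantined.append(path)
        return verdict

    def sync(self):
        """Apply pending recalls; returns the paths quarantined as a result."""
        acted = []
        for notice in self.cloud.poll(self.client_id):
            if notice["verdict"] == "malicious":
                for path in sorted(self.seen[notice["sha256"]]):
                    if path not in self.quarantined:
                        self.quarantined.append(path)
                        acted.append(path)
        return acted


# Constructed scenario: two endpoints look files up today, the cloud changes its mind later.
SAMPLE_DROPPER = b"constructed sample: pretend this is a dropper"


def run_scenario():
    cloud = CloudVerdicts()
    a, b = Endpoint("A", cloud), Endpoint("B", cloud)
    first = a.scan_file("C:/Users/a/Downloads/setup.exe", SAMPLE_DROPPER)   # unknown today
    b.scan_file("C:/Temp/notes.txt", b"benign content")
    digest = sha256_hex(SAMPLE_DROPPER)
    recalled = cloud.revise(digest, "malicious", "analyst review")         # tomorrow's discovery
    return {
        "first_verdict": first,
        "recalled": recalled,
        "a_removed": a.sync(),
        "b_removed": b.sync(),
        "second_revise": cloud.revise(digest, "malicious", "duplicate report"),
    }
```

The point of keeping `told` per client rather than broadcasting is that a recall then costs one small notice per affected endpoint, and a verdict that flips back to clean can be handled the same way.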

Custom Signature Creation

Something which has been missing in modern Windows Anti-Virus products is a feature which allows advanced users to craft and deploy their own signatures or detection capabilities. With 3.0 we now offer the first Windows Anti-Virus product which allows our users to write their own detections with our engines, just as we would.

Users can now hunt threats (or Advanced Persistent Threats, if you like) by creating signatures which range from simple (straight MD5 matches) to complex (logically chained expressive signatures with offset support and wildcarding). Signature management is done with the new SigUI tool, which is available in Start -> All Programs -> Immunet 3.0 and looks like this:

[screenshot: the SigUI tool]

Documentation for the SigUI may be found here and our manual for creation of signatures can be found here. We encourage you to write your signatures and post them to our online Forum.
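To make the range from 'straight MD5 matches' to 'logically chained' signatures concrete, here is an added example (not SigUI and not ClamAV's engine) that implements a small subset of the three ClamAV database syntaxes the tool manages: hash signatures (.hdb, `MD5:Size:Name`), body signatures with an offset and wildcards (.ndb, `Name:Target:Offset:HexSig`) and logical signatures that combine subsignatures (.ldb, `Name;Target:N;Expr;sub0;sub1;...`). The signatures and the 'file' they run over are constructed for the example; nibble wildcards, `(aa|bb)` alternations, ClamAV's other offset forms and the target-type field are left out.

```python
import hashlib
import re

# Constructed "file" under test (not a real sample): an MZ/PE-looking header, a C2-style
# URL and a trailer, built so that every signature form below has something to hit.
SAMPLE = (b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"\x00" * 8
          + b"http://evil.example/c2" + b"\x00" * 4 + b"EOFMARK")

# Constructed signatures in (a subset of) the three ClamAV database syntaxes.
HDB = [  # MD5:FileSize:Name - the plain one-to-one hash match
    "%s:%d:Test.Hash.Sample" % (hashlib.md5(SAMPLE).hexdigest(), len(SAMPLE)),
]
NDB = [  # Name:TargetType:Offset:HexSignature - body signatures with offsets and wildcards
    "Test.Ndb.MZPE:0:0:4d5a{0-64}50450000",                    # 'MZ', 0-64 bytes, 'PE\0\0' at offset 0
    "Test.Ndb.Tail:0:EOF-7:454f464d41524b",                     # 'EOFMARK' anchored 7 bytes before EOF
    "Test.Ndb.Url:0:*:687474703a2f2f????????2e6578616d706c65",  # 'http://' + any 4 bytes + '.example'
]
LDB = [  # Name;Target:N;LogicalExpr;Subsig0;Subsig1;... - subsignatures chained by an expression
    "Test.Ldb.Dropper;Target:0;(0&1)|2;4d5a;2f6332;deadbeef",   # ('MZ' and '/c2') or 0xdeadbeef
    "Test.Ldb.Other;Target:0;0&2;4d5a;2f6332;deadbeef",         # 'MZ' and 0xdeadbeef: must not fire
]

_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\?\?|\*|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig):
    """Compile a hex signature to a bytes regex. Supported: literal bytes, '??' (any one
    byte), '*' (any run of bytes) and '{n}', '{n-m}', '{-m}', '{n-}' byte-count ranges."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("bad hex signature near %r" % hexsig[pos:])
        pos, tok = m.end(), m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            rng = ".{%s}" % lo if not dash else ".{%s,%s}" % (lo or "0", hi)
            parts.append(rng.encode())
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(hexsig):
        raise ValueError("trailing junk in hex signature %r" % hexsig)
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(data, sig):
    """Body signature: match at a fixed offset, relative to EOF ('EOF-n'), or anywhere ('*')."""
    _name, _target, offset, hexsig = sig.split(":")[:4]
    pat = hexsig_to_regex(hexsig)
    if offset == "*":
        return pat.search(data) is not None
    start = len(data) - int(offset[4:]) if offset.startswith("EOF-") else int(offset)
    return 0 <= start <= len(data) and pat.match(data, start) is not None


def eval_logic(expr, hits):
    """Evaluate a logical-signature expression over per-subsignature results.
    Supported: subsig indices, '&', '|' and parentheses ('&' binds tighter than '|')."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression %r" % expr)
    pos = 0

    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return hits[int(tok)]
        value = disjunction()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in %r" % expr)
        pos += 1
        return value

    def conjunction():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value      # always parse the right side, then combine
        return value

    def disjunction():
        nonlocal pos
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = conjunction() or value
        return value

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def match_ldb(data, sig):
    """Logical signature: run every subsignature, then combine the hits with the expression."""
    fields = sig.split(";")
    expr, subsigs = fields[2], fields[3:]   # fields[1] (Target:N) is ignored in this subset
    return eval_logic(expr, [hexsig_to_regex(s).search(data) is not None for s in subsigs])


def scan(data, hdb=HDB, ndb=NDB, ldb=LDB):
    """Return the names of every signature that convicts `data`, hash matches first."""
    found, digest = [], hashlib.md5(data).hexdigest()
    for line in hdb:
        md5, size, name = line.split(":")
        if md5 == digest and (size == "*" or int(size) == len(data)):
            found.append(name)
    found += [line.split(":")[0] for line in ndb if match_ndb(data, line)]
    found += [line.split(";")[0] for line in ldb if match_ldb(data, line)]
    return found
```

`scan(SAMPLE)` fires the hash signature, all three body signatures and `Test.Ldb.Dropper`; `scan(b"benign")` fires nothing. The body signatures are what survive a recompile that changes the file hash, and the logical form is how you say "this header and this string, or that other marker" without writing three separate signatures.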

All in all, this represents the most ambitious release we have ever done. The beta program for this version has been full of very positive feedback and we are excited by its general release.

If you have any feedback about this release or questions, please do not hesitate to email me at ahuger @ sourcefire.com .

Monday
Nov082010

Scheduled Outage - November 8, 2010

At 8:00 PM Mountain Standard Time the Immunet Cloud will experience fluctuations in connectivity due to scheduled maintenance. These outages will be experienced by different regions at different times and are expected to be intermittently in effect until 10:00 PM MST, November 8. Users in affected areas may see their Immunet product indicating it is in an 'Unconnected' state. The state will change back once the maintenance is complete.

If you have any questions about this outage, or continue to experience it past the stated time, please contact support@immunet.com

Best Regards,

Team Immunet


Saturday
Oct092010

Immunet Planned Upgrade/Outage

Dear Immunet User,

On Saturday October 9 (MST) we will be performing upgrades to our Cloud Infrastructure. During this time Immunet Protect Free users will, from time to time, see that their status is 'Disconnected'. This outage is expected to continue through to the early morning hours of October 10 (MST). Not all regions will experience the outage at the same time.

Immunet Protect Plus users are still able to update their protections and will not be affected by this outage although their 'Connected' Orb will be in a red state until this upgrade is complete.


Best Regards,

Alfred Huger

VP, Development

Immunet Corp

Monday
Oct042010

That file you just restored, might be Conficker!

At Immunet we constantly try to find the balance between fast, community based detections and 'false positive management'. In simple terms this means we spend a lot of time trying to hunt down threats in our community and try diligently to avoid convicting innocent files as malicious. Each day, 7 days a week, 3 times a day, we manually review our potential False Positive detections. We do this by looking at what files our users roll out of the Quarantine section in Immunet Protect. We examine each and every file. This allows us to correct errors we make and ensure strong in-field quality. Mistakes can happen, certainly, but we try to limit them as much as possible.

During this daily exercise we've found something quite alarming, many times a day we are seeing users rolling things out of Quarantine (in the Immunet Protect product) that are actually threats. Nearly every time this is because the threat is masquerading as software they really want to run (and it's often pirated...). In the last 72 hours 523 different Community users rolled back this SHA256 (and related threat name):

AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
Trojan.Rootkit-1503

It's our biggest single item rolled out of Quarantine in the last 72 hours. The rub is, this threat is real. In fact it's Conficker.

See the Virus Total Results.

This goes to show how insidious some of the packaging and social engineering can be to get people to run threats. Please continue to be careful about what you download and run off the Internet. Avoid running pirated software at all costs and be very leery of ANY links offered to you on Social Networking sites.


Wednesday
Sep152010

26,000,000 Viruses in 2010, really? What this means for you.

I was recently at a conference where, over coffee with a colleague from a competitor, the figure of 26,000,000 was floated for the number of viruses created, or yet to be created, and unleashed on an already beleaguered public this year. This number is based on what the industry is generally seeing in the 'wild' so far this year and is projected somewhat, given that the year is not yet complete.

The number seems a little high to me given what we see, but I'll concede that we still think it's going to trend out north of 20,000,000 this year. I suppose the difference becomes meaningless at some point, and I suspect that point is well before the 20,000,000-virus mark. Presented with such a daunting number the first question I ask is, "that's interesting, but what does it mean for me?".

When it comes to encountering computer viruses where you end up often depends heavily on where you start.  Behavior certainly plays a role in risk here but for the sake of simplicity we will avoid discussing it for this article. Each user has some basic exposure variables that fall outside their control. The first such variable is where you live. Generally speaking, countries with heavily built up Internet infrastructure and large populations will see much heavier threat activity than other locations.  Brazilian users for example are (according to our data) 5 times more likely to experience a threat in a given year than an American user while American users are 2 times more likely to experience a threat in the same period when compared to Japanese users. Western Europe and Canada look much like the US when considered from an aggregate viewpoint.  The other factor is previous exposure. Simply put if you have seen viruses in the last 30 days you are 5 times more likely to encounter one in the next 30 days than someone who has not encountered a threat in the same period of time.

All of this helps set the stage but still does not directly answer how you, personally, are positioned. To answer this, I looked to our data in the Immunet Community. Before calculating out the data I shed the notion of location to provide a simple average. Using a test group of 250,000 users in our global Community we see an average of 82,000 threats a week. These 82,000 threats are seen by 1/3rd of our user base. This means that 1 in 3 of our users see a threat monthly (on average). Projecting our data over a year (using a variety of calculations) our users should be expected to see between 2 and 3 viruses a year. This number is being presented in very simple terms but it gives you a mile high view of your real exposure. 

In summary this means that of the 26,000,000 possible threats this year, your real exposure is to a small handful of them. Keep appropriate Anti-Virus software installed and be diligent with your online behavior and you're well prepared to avoid a negative outcome.


Thursday
Aug192010

Happy Birthday Immunet!



On August 19th of 2009 Immunet Protect was unveiled to our Community with version 1.0.10. Our product was the first cloud-based free Companion Anti-Virus product on the market. It seems like only yesterday that we published the software, but twelve months have flown by and now we’ve come upon our first birthday. It's been a tremendous year for us and our whole team would like to thank you and the rest of our Community for the success we've experienced since August 19 of 2009.


Our year has been thick with achievement and our entire user Community has driven nearly all of it. As a small contender in the Anti-Virus world we rely on word of mouth to build our global footprint, and this comes directly from you, our end user. It's difficult to overstate this; we started as, and remain, a Community-driven project. To illustrate our successes this year, I'll break down 3 quick areas where you helped us excel:

1. Strength in numbers

In our first week of deployment we saw a little over 1000 users join our Cloud. Our first 6 months saw us hit 75,000 new users in our Cloud. The last 6 months have seen us gain an additional 385,000 new users! As I write this we are at slightly over 460,000 users in our Cloud, all working together to stop threats from impacting one another's systems. If our growth continues on its current trajectory we have a good chance of seeing 1,000,000 users in the not too distant future.

We are also now protecting users in 192 countries around the globe. We service users in nations as large as the United States and as small as the Vatican City. We are showing up everywhere and all of this is driven by you and other users like you in our Community.

2. Coverage

When we released in 2009 we covered a little over 3,000,000 threats. Today we protect against 14,474,614 specific threats and many more variants of those same threats. On average we stop cold over 17,000 attempted infections in our Community daily.

3. Software & Community

We initially released Immunet Protect 1.0.10 with a simple user interface, a single engine and a series of configuration options. It was a clean, basic Anti-Virus product, and we were very proud of what we had produced.

With heavy Community involvement serving as a guide for additions and changes we've since shipped 16 more releases on the 1.0 code base. We then shipped a brand new product with version 2.0 and are now at version 2.0.15. In total we have shipped 2 major releases and 30 minor releases in the last 12 months. Our product now has 4 engines and a Community focused new User Interface complete with a new commercial stand alone Anti-Virus offering (Immunet Protect Plus) which offers Offline support and advanced complex threat removal. We have produced all of these features while *still* shipping our Free product under 7.5 megabytes in size.

As our first birthday passes us we are already looking ahead to our roadmap over the next year and the next 1,000,000 users. You will see new languages supported in our product, leaps in detection abilities and completely unique protection features in the product in the next 12 months. Without giving too much away I think you’ll be pleased with the changes we have planned.

Finally, if you're one of our users from the Community Forum I would like to extend a special thanks to you. Your help during our day-to-day operations of the company is critical - you make us possible. If you are not actively having a say on our future, please feel free to join us at our Forum and let us know where you think we need to be headed. Thanks so much for your help so far, we depend on it, please keep up the good work!


Best Regards,
Al Huger

VP of Engineering & Co-Founder
Immunet Corp.




Thursday
Apr292010

Google Adsense Phishing Scam 


This morning while reading my mail I came across an email purportedly from Google notifying me that my AdSense account had been disabled. On closer inspection the email was clearly a phishing attack designed to steal my AdSense username and password. The mail looked like this:

[screenshot: the phishing email]

You can see from the URL, which I have outlined in red, that this is clearly not going to take you to a real Google website but rather to a (likely) hacked page at orientcasinos.com. If I go to the site it looks like a fair passing imitation of the actual AdSense page:

The URL, though, is still quite obviously not AdSense, so thankfully this particular scam is not likely to go far. These sorts of scams are not new per se, but it's important to understand that not only are your direct financial assets (bank account, credit card etc.) a target but so are your indirect financial assets, like your AdSense account, which controls potential revenues for your business. As we posted earlier about Facebook accounts being targeted, your online presence is something you need to consciously guard as well as your PC. You can start by being sceptical about any email asking you to log in and change your credentials for an online service you use. If you do feel you need to follow up on an email which requests something like this, always open your browser separately and navigate to the site on your own; do not copy and paste from the email and do not click on the link in the email.
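The same check the post does by eye, done mechanically, as an added example that is not part of the original post: pull every link out of an HTML mail body and flag anchors that invoke the brand (in the link text or the URL) but resolve to a host outside the brand's own domains, and anchors whose displayed URL differs from the real target. The mail body is constructed to resemble the lure described (the path on orientcasinos.com is made up), BRAND_DOMAINS is an assumed allow-list, and registrable() is a deliberately crude stand-in for a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that may legitimately host a brand's login page. Constructed for the example;
# a real deployment would maintain this list for every brand it cares about.
BRAND_DOMAINS = {"google": {"google.com"}}


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix lookup (it gets
    co.uk-style suffixes wrong); enough to show the comparison the post describes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html, brand):
    """Return [(href, [reasons])] for anchors that look like credential lures for `brand`."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        brand_invoked = brand in href.lower() or brand in text.lower()
        if brand_invoked and registrable(host) not in BRAND_DOMAINS[brand]:
            reasons.append("mentions %s but links to %s" % (brand, host))
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append("displays %s but links to %s" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed lure modelled on the post: the visible link text says google.com, the href
# does not. The path on orientcasinos.com is invented; the post's exact URL is not reproduced.
SAMPLE_MAIL = """
<p>Your AdSense account has been disabled. Sign in to restore it:</p>
<p><a href="http://orientcasinos.com/adsense/login.php">https://www.google.com/adsense/</a></p>
<p>Regards,<br><a href="https://www.google.com/adsense/">Google AdSense Team</a></p>
"""
```

`suspicious_links(SAMPLE_MAIL, "google")` flags only the first anchor, for both reasons; the genuine sign-off link passes because its registrable domain is in the allow-list. Note that the second check (displayed URL versus real target) needs no brand list at all, which is why mail clients show the real href on hover.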


Saturday
Mar202010

Help us define Immunet Protect 2.0, what other AV should we support?


All,

We are in the process of defining our 'Officially Supported' list for which other security products we will support in 'side by side' installation mode for Immunet Protect 2.0. This is an important decision for us and we'd like your input. Please drop by our community forum and have your say.

Click here to take part!

Sunday
Mar072010

How Immunet Detects Threats, In a Nutshell

I often get asked what makes Immunet’s approach to detecting threats different than the mainstream Anti-Virus companies.  In a nutshell, our goal is to find threats which are in small parts of our community, analyze them and then protect the whole community from them as fast as possible, often in near real time.

We do not focus on obscure threats, or threats which circulate outside of our community. We are not big fans of the 'boil the ocean' approach to doing Anti-Virus. It works well for reviewers (who test with everything under the sun) but it rarely really helps your community. There is a reason people are still getting viruses and it's time we rethink our (the industry) approach to tackling this problem.

As to 'how' we convict files. All of our current approaches entail communication back and forth with the cloud so that rarely is a decision made in 'decision support isolation’. This allows you to work with the most current, up to the minute, information that we have. Here are some of the approaches we use:

  1. Generic detection of threats through broad hashing. We look for things that look 'like' threats we know of and try to analyze them further for conviction so we can protect the community. This can also be called a 'heuristic' engine if you like. Our generic engine is ETHOS; we have another planned for May, which is called SPERO.
  2. Context conviction: this is where we make decisions based on the data we receive about a file in the field. From community-collected data we can draw conclusions about whether a file is a virus or not. For example, did our AV stop working after it was installed? Did the system start to see other viruses after it was installed? Questions like this will often lead to answers which make us highly suspicious of a file.
  3. One-to-one conviction: this is where there is a known threat we've collected from the community, through collection trading, or gathered from web crawling. For each of these collected (and verified malicious) files we generate a signature. When users do file look-ups this signature is sent to us; if it matches a known threat we convict the file as a virus.


There are a few other ways as well and each of those approaches above could be a daylong chat on their own but that's the mile high view today (March 7, 2010).
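The 'broad hashing' idea in point 1 is easier to see in code. The following added example is not ETHOS (whose design the post does not describe); it shows one well-known way to build a hash that survives small edits: cut the file into content-defined chunks with a rolling hash, fingerprint each chunk, and score a sample by how many chunk fingerprints it shares with a known family. The sample bytes, the family name and the 0.5 threshold are constructed for the example; the constants BASE, window and mask are choices, not anything the post specifies.

```python
import hashlib
import random

BASE, MOD = 16777619, 1 << 32   # FNV prime as the multiplier of the rolling polynomial hash


def chunk_fingerprints(data, window=16, mask=0x3F, min_size=16):
    """Content-defined chunking. A chunk ends wherever selected bits of the rolling hash of
    the last `window` bytes are all zero (about 1 position in 64), so boundaries follow the
    content rather than absolute offsets and re-synchronise shortly after an edit.
    Returns the truncated SHA-256 of each chunk, in order."""
    pow_w = pow(BASE, window, MOD)
    fps, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= window:                              # slide: drop the byte leaving the window
            h = (h - data[i - window] * pow_w) % MOD
        if i + 1 - start >= min_size and ((h >> 16) & mask) == 0:
            fps.append(hashlib.sha256(data[start:i + 1]).hexdigest()[:16])
            start = i + 1
    if start < len(data):
        fps.append(hashlib.sha256(data[start:]).hexdigest()[:16])
    return fps


def similarity(a, b):
    """Jaccard similarity of two files' chunk-fingerprint sets: 1.0 identical, 0.0 disjoint."""
    fa, fb = set(chunk_fingerprints(a)), set(chunk_fingerprints(b))
    return len(fa & fb) / len(fa | fb) if (fa or fb) else 1.0


class FuzzyIndex:
    """Known families keyed by chunk fingerprint. A lookup scores only families that share
    at least one chunk with the sample and convicts when the best score clears the threshold."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.families = {}      # name -> set of fingerprints
        self.by_chunk = {}      # fingerprint -> set of family names (inverted index)

    def add(self, name, data):
        fps = set(chunk_fingerprints(data))
        self.families[name] = fps
        for fp in fps:
            self.by_chunk.setdefault(fp, set()).add(name)

    def classify(self, data):
        """Return (family name or None, best score)."""
        fps = set(chunk_fingerprints(data))
        candidates = set().union(*(self.by_chunk.get(fp, set()) for fp in fps))
        scores = [(len(fps & self.families[n]) / len(fps | self.families[n]), n) for n in candidates]
        score, name = max(scores, default=(0.0, None))
        return (name if score >= self.threshold else None), round(score, 3)


# Constructed, deterministic test data: a "known" threat, a patched variant of it (64 bytes
# replaced in the middle) and an unrelated file of the same size.
_rng = random.Random(7)
KNOWN = bytes(_rng.randrange(256) for _ in range(4096))
UNRELATED = bytes(_rng.randrange(256) for _ in range(4096))
VARIANT = KNOWN[:2000] + bytes(_rng.randrange(256) for _ in range(64)) + KNOWN[2064:]


def demo():
    idx = FuzzyIndex()
    idx.add("Test.Family.A", KNOWN)
    return idx.classify(VARIANT), idx.classify(UNRELATED)
```

A plain MD5 of VARIANT shares nothing with KNOWN, but the chunk sets overlap heavily because only the chunks touching the edit change and the boundaries re-synchronise right after it, so `demo()` attributes the variant to the family and leaves the unrelated file unclassified. The inverted index is what keeps a lookup cheap when the family table is large: a sample is only compared against families it already shares a chunk with.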


Thursday
Feb252010

New Immunet Protect Beta 1.0.26 Posted 

The updater files for migration to Immunet Protect Beta 1.0.26 are now posted.  Migration can be done from any Immunet build from 1.0.14 up to current (1.0.25). You will be prompted for a reboot as we are replacing drivers with this install. Windows XP SP2 is not supported, only XP SP3 and up. Vista SP1 + and Windows 7 are also supported.

The primary changes in 1.0.26 are:

  • Fixed an installer issue where some driver failures were occurring on Windows XP SP3 systems.
  • Changed our installation process to ensure cleaner removal and installation of drivers.
  • Changed our internal logging to add additional wide character support.
  • Addressed 54 additional issues reported in the field from previous builds.
  • Added additional conviction logic into our back office.
  • Rounded out support for OEM functionality.

If you are not currently having problems with your installation there is no reason to upgrade. If you are in doubt about whether to upgrade or not please mail Support and ask, we are happy to help.