About Us

The Immunet Blog is maintained by the Immunet team as a forum for discussing news and issues related to AntiVirus, security and cloud technology.


Sunday
Mar072010

How Immunet Detects Threats, In a Nutshell

I often get asked what makes Immunet's approach to detecting threats different from the mainstream Anti-Virus companies'. In a nutshell, our goal is to find threats which are in small parts of our community, analyze them and then protect the whole community from them as fast as possible, often in near real time.

We do not focus on obscure threats, or threats which circulate outside of our community. We are not big fans of the 'boil the ocean' approach to doing Anti-Virus. It works well for reviewers (who test with everything under the sun) but it rarely really helps your community. There is a reason people are still getting viruses and it's time we rethink our (the industry) approach to tackling this problem.

As to 'how' we convict files: all of our current approaches entail communication back and forth with the cloud, so a decision is rarely made in 'decision support isolation'. This allows you to work with the most current, up-to-the-minute information that we have. Here are some of the approaches we use:

  1. Generic detection of threats through broad hashing. We look for things that look 'like' threats we know of and try to further analyze them for conviction so we can protect the community. This can also be called a 'heuristic' engine if you like. Our generic engine is ETHOS; we have another planned for May, which is called SPERO.
  2. Context conviction: this is where we make decisions based off the data we receive about a file in the field. From community-collected data we can make assumptions about whether a file is a virus or not. For example, did our AV stop working after it was installed? Did the system start to see other viruses after it was installed? Questions like this will often lead to answers which make us highly suspicious of a file.
  3. One-to-One conviction: this is where there is a known threat we've collected from the community, through collection trading or gathered from web crawling. For each of these collected (and verified malicious) files we generate a signature. When users do file look-ups this signature is sent to us; if it matches a known threat we convict the file as a virus.


There are a few other ways as well, and each of the approaches above could be a daylong chat on its own, but that's the mile-high view today (March 7, 2010).
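To make the three conviction paths concrete, here is an added toy model of the cloud side of such a lookup. It is not Immunet's code, and every name, threshold and sample byte string in it is constructed for this example: a one-to-one path (exact SHA-256 match against verified threats), a generic path (a piecewise "broad hash" compared by Jaccard similarity to known families), and a context path (field telemetry about what happened after a file was installed). Each lookup reads the current cloud state, so a file convicted by the generic path is an exact-hash hit for the very next caller.

```python
# Added illustration, not Immunet's code: a toy "cloud" lookup that convicts a
# file through the three paths listed above. All names, thresholds and sample
# bytes are constructed for this example.
import hashlib
import random
from dataclasses import dataclass, field

CHUNK = 64  # bytes per piece of the generic "broad hash" (constructed value)


def exact_hash(data: bytes) -> str:
    """One-to-one signature: a plain SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def broad_hash(data: bytes) -> frozenset:
    """Generic signature: the set of hashes of fixed-size chunks. A repacked or
    lightly patched variant still shares most chunks with the original."""
    return frozenset(
        hashlib.sha256(data[i:i + CHUNK]).hexdigest()[:16]
        for i in range(0, len(data), CHUNK)
    )


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two broad hashes: 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


@dataclass
class FieldReport:
    """Community telemetry about one file (constructed shape)."""
    installs: int = 0
    av_stopped_after_install: int = 0
    new_detections_after_install: int = 0


@dataclass
class Cloud:
    known_bad: dict = field(default_factory=dict)   # exact hash -> family name
    families: dict = field(default_factory=dict)    # family name -> broad hash
    reports: dict = field(default_factory=dict)     # exact hash -> FieldReport
    generic_threshold: float = 0.6                  # constructed cut-offs
    context_threshold: float = 0.25

    def add_known_threat(self, data: bytes, family: str) -> None:
        """A verified malicious sample (crawled, traded or submitted from the field)."""
        self.known_bad[exact_hash(data)] = family
        self.families[family] = broad_hash(data)

    def record_field_report(self, data: bytes, report: FieldReport) -> None:
        self.reports[exact_hash(data)] = report

    def lookup(self, data: bytes) -> tuple:
        """Return (verdict, reason). Every call uses the current cloud state,
        so a conviction made a moment ago already protects the next caller."""
        h = exact_hash(data)
        # Path 3: one-to-one match against a verified threat.
        if h in self.known_bad:
            return "malicious", "one-to-one: " + self.known_bad[h]
        # Path 1: generic detection; does the file look like a known family?
        bh = broad_hash(data)
        best_family, best_sim = None, 0.0
        for family, fh in self.families.items():
            sim = similarity(bh, fh)
            if sim > best_sim:
                best_family, best_sim = family, sim
        if best_sim >= self.generic_threshold:
            # Convict and publish: the whole community now gets a one-to-one hit.
            self.known_bad[h] = best_family
            return "malicious", "generic: %.2f similar to %s" % (best_sim, best_family)
        # Path 2: context conviction from what happened after installs in the field.
        r = self.reports.get(h)
        if r and r.installs >= 10:
            harm_rate = (r.av_stopped_after_install + r.new_detections_after_install) / r.installs
            if harm_rate >= self.context_threshold:
                return "suspicious", "context: %.2f of %d installs saw harm" % (harm_rate, r.installs)
        return "unknown", "no cloud evidence"


def _sample(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a file (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> list:
    """Run the three paths on constructed sample files; returns the verdicts."""
    original = _sample(1, 1024)                      # constructed "known threat", 16 chunks
    variant = bytearray(original)
    variant[0:2 * CHUNK] = _sample(3, 2 * CHUNK)     # 2 of 16 chunks patched, 14 shared
    variant = bytes(variant)
    unrelated = _sample(2, 1024)
    chatty = _sample(4, 512)                         # file with bad field telemetry

    cloud = Cloud()
    cloud.add_known_threat(original, "FamilyA")
    cloud.record_field_report(chatty, FieldReport(installs=20, av_stopped_after_install=6))
    return [
        cloud.lookup(original),   # one-to-one
        cloud.lookup(variant),    # generic (14 shared / 18 total chunks = 0.78), then convicted
        cloud.lookup(variant),    # now a one-to-one hit, no similarity work needed
        cloud.lookup(chatty),     # context: 6 of 20 installs saw harm
        cloud.lookup(unrelated),  # nothing known
    ]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The piecewise chunk hash is a deliberately simple stand-in for whatever "broad hashing" an engine like ETHOS really does; the point it shows is the ordering of the paths (cheap exact match first, similarity second, telemetry last) and the feedback loop in which a generic or field conviction is written back to the exact-hash set so later look-ups never repeat the work.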


Wednesday
Feb172010

The Immunet Protect ETHOS Engine, A Week In the Life...

Earlier in this month the Immunet team shipped and enabled a new engine to our Immunet Protect Beta. This Anti-Virus engine, titled ETHOS, is focused on helping us leverage our community to help protect our community. Essentially the engine looks for threats (heuristically) on the desktops of our community. If it finds a suspected threat it remediates it and then communicates about it (and sometimes the file itself) to our Cloud so the rest of the Immunet Community is protected from it instantly.

It's long been our opinion that the most dangerous malware our community faces is malware which is making the rounds in the 'here and now'. This 'active malware' is what we all need to be worried about. This is the stuff that you and those around you are most likely to encounter. Sounds like common sense, right? It is, but the vast majority of Anti-Virus signatures (well over 97%) created for most Anti-Virus products are created from traded malware collections (which are tired and old) or collected/crawled from malware web sites which are often fallow and no longer active. This results in most Anti-Virus products downloading millions of largely useless definitions a year. We believe it's the small minority of threats which are live and on the move which need your attention.

So with the small minority in mind we built ETHOS. I am going to present some data here for you to put context around our findings.

General Threat Data (Based off the last 7 days)

  • Every 24 hours we block 1910 threats (on average, outliers removed).
  • We process (create cloud definitions for) 17,500 files a day. This malware comes from crawling and malware collections which we trade. We will refer to this as 'Cloud Processed' malware.
  • We separately collect and process 50 threats a day (on average) from our ETHOS engine. This engine is only active for 7,120 users in our community, which is about 10% of the whole user base.

So with these numbers in mind, here is the story so far: of the 1910 threats we stop each day, 382 (20%) come from ETHOS. To put this into perspective graphically, our overall processing looks like this:

Now, if we look at what our actual user base is seeing for 'in-field' protections it looks like this:


What you should take away from this is that ETHOS is contributing a wildly disproportionate amount of protection to our Community when compared to our other protection generation. This is with only 10% of the Immunet Community running ETHOS right now. As we grow, ETHOS will see wider deployment and these numbers should become even more compelling.


Monday
Jan182010

Nicht mehr den Internet Explorer?

For all my German-speaking friends I will start by apologizing if I butchered the title. I was hoping to query "No more Internet Explorer?” That question is probably being asked a fair bit in Germany and France right about now. Both governments recently advised their constituencies to ditch IE in favor of other browsers.

I'd have to be on record that I think this is poor advice because it's at best a short-term fix. It's true that IE has had a long history of security vulnerabilities, but this is also true for all browsers that have been around long enough and have a large enough user base.

The more functionality we push into browsers, the more complicated the web becomes, and the more we have to add to our browsers to compensate. 'More' in this case means more code; more code means a higher likelihood of mistakes, some portion of which will be software vulnerabilities that will be exploited. It's all math at the end of the day, and Firefox, Safari and Chrome are no more immune to it than IE.

What makes IE more dangerous is that it has a larger following. People looking to exploit software vulnerabilities for profit are generally going to follow 'Sutton's Law'. Willy Sutton was a famous bank robber who, when asked why he robbed banks, replied, "Because that's where the money is". People research IE and exploit its vulnerabilities because it has the largest user base. If you incite people to abandon it in favor of other choices, those other browsers will start to suffer the same fate. This is not a problem that's going to be solved as simply as changing browsers.

My advice, consistently, is this:

1. Upgrade to IE 8 - it's much better.

2. Get off XP to Windows 7 if you can.

3. Turn on automatic Windows Update.

4. Run up-to-date Anti-Virus software.


Wednesday
Jan062010

Don't worry about news-making viruses. Make us worry about them.

Arguably the biggest desktop security story of the last few years was the mass propagation of the Conficker worm. The worm had all the hallmarks of a great news story as well as a security event. It was found on millions of computers almost overnight, it touched government and military networks, and it had a mysterious hard-coded date on which it would "do something different", but no one knew what. The concern was so great that numerous security researchers formed a task group to actively counter the worm, and people like my parents called knowledgeable friends and family to see if they should keep their PC disconnected on the turn-on date.

The story should have been completely ignored by end users beyond the standard mantras of computer hygiene: keep your backups and AV software fresh.

I am not saying that the thousands of man-hours put in by the security community to stop the virus were for naught. Their work went a long way towards containing the expansion of the network and keeping the bot authors focused on defense rather than leveraging their network. I am saying that the average user shouldn't care.

A computer is not like your body. Your body has an immune system that has evolved to take care of the vast majority of external threats, with modern technology providing augmentation whenever our individual immune systems can't deal with an infection, say smallpox, polio, or hepatitis. Viruses evolve based upon their environment without an intelligent being behind them trying to figure out how to evade a human's immune system. A computer has no immune system whatsoever beyond what you install and what your security vendor provides. Viruses are built by other human beings, and any successes they experience are in turn the failures of your software vendor.

You should be less concerned about the specific strain of virus and far more concerned about why your single vendor can't stop the threat, and what additional software you need to install to have them stop the threat.

I would like to thank an anonymous audience member for a question he submitted that started me on this thread. We do read all of your e-mails and blog comments, so even if we don't have the time to reply immediately, we do appreciate them and they do help shape our priorities. For this, I and everyone else at Immunet thank you.