quote:

---

Why Download Insight?

Downloading malicious software, typically when tricked into doing so, is becoming the primary way malware infects people’s computers. Nearly every threat today is unique in some way and is designed to evade detection putting tremendous pressure on the traditional signature-based approach. By the time a signature is written for a particular malware variant, it has already changed itself and as far as the signature is concerned it is an “unknown” file. Whether the signatures are on the disk or in the cloud, they are usually not fast enough to keep pace with modern threats.

The approach we are taking with Download Insight is to build a cloud-based reputation system. This system has knowledge of millions of applications and individual files across the globe and determines the reputation of each one using statistical methods. This approach is the perfect complement to signatures—it is tailor-made for making decisions about unknown executables whereas signatures excel at telling you about something that is already known (like an existing virus or Trojan). We call our reputation-based intelligence "Quorum".

At a high-level, Insight will contact the Quorum server and ask for the reputation of the package. Based on the reputation, the package will be allowed to sit on the disk and execute, or will be deleted and removed from the computer.

Why is my cloud better than your cloud?

Cloud based scanning is the new buzz word in the security industry and a few security vendors are using the term although they often mean something very different.

The obvious advantage of cloud scanning is that the turnaround time for a definition to be available is extremely fast – as soon as a definition is available in the cloud, it is available to the user. Note that this approach still requires you to actually have seen the threat before in order to make a signature, a questionable assumption to make given the thousands of new threats produced every day.

What we have done with Quorum is to build a system that analyzes the reputation of the new software and files across the Internet and then calculates a reputation score for each of them. This system receives feeds from tens of millions of customers that anonymously participate in the Norton Community Watch program. Quorum automatically starts working on calculating the reputation score as it becomes aware of new files.

Now this is powerful – we have a system that can receive knowledge of new files worldwide and use a Symantec “secret sauce” algorithm to calculate the reputation score automatically! This information is immediately available to Download Insight through the cloud, but quite a bit different than just moving the old signature model to the cloud.

How is the reputation score of a file determined?

A reputation score is calculated using a complex algorithm based on various parameters. Remember, the main feed in to the Reputation system is the information received from the Norton Community Watch program.

Here’s a list of a few parameters that are used to calculate the reputation score:
- How many instances of a particular file are seen?
- How long has that file been around?
- From which URLs were they downloaded?
- What is the basic health of the system that is submitting the data?
- Which software vendor does the file belong to?

These parameters are fed into a complex algorithm that determines the score of an application or file. As we continuously receive new information – the score of a file can change over time.

For the 2010 product line, we’re introducing a new reputation-based means of protecting our customers against unknown malware called Quorum. Quorum has been in the works for several years now and is designed specifically to protect against today’s breed of unknown malware. Even better, Quorom provides useful intelligence on all files, good or bad, that we make available to our customers through Download Insight and other features in 2010. Download Insight brings you this information when you need it the most—right before you install a downloaded file. We think the result will not only be better protection, but a great experience overall for our customers.

---