
The end of anti-virus?

September 8, 2008

With the explosive growth of the internet, keeping up with the accompanying rise of malicious web activity has kept a number of vendors busy rolling out layers of updates. The top dog, Symantec, reeled in $5.9 billion in revenue last year from its Norton products alone. But are current AV solutions enough to protect end-users?

According to an August white paper from Cyveillance, online fraud scams continued to grow in frequency, geographical reach and technical complexity in the first half of 2008. “Compounding the malware problem, top anti-virus programs can only detect an average of 50 percent of the malware being distributed on the internet.”

A good number of users have grown frustrated with AV tools. Don Leatham, director of solutions and strategy at Lumension Security, points to a Texas bank which replaced its traditional AV solution with Lumension Sanctuary, anti-malware software that grants run permission only to administratively approved programs and blocks any unknown or unauthorized executable from springing to life.

“This approach eliminates the shortcomings of anti-virus, such as the inability to defend against the unknown and false positives, while adding additional benefits such as increased endpoint integrity, stability and end-user productivity,” he says.
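To make the contrast concrete, here is an added example (not Lumension's code; the policy classes, the sample byte strings and the program names are constructed for illustration) that runs a signature-style blocklist and a hash-based allow-list over the same four "executables". The blocklist lets a never-seen dropper run because it has no signature for it; the allow-list denies both the dropper and a tampered copy of an approved program, because the copy's SHA-256 no longer matches the approved digest.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

Verdict = Tuple[str, str]  # (decision, reason)


def sha256_hex(image: bytes) -> str:
    """An executable image is identified by its SHA-256 digest."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Blocklist:
    """Signature-style policy: deny what is known bad, allow everything else."""
    bad: Dict[str, str] = field(default_factory=dict)  # digest -> malware name

    def decide(self, image: bytes) -> Verdict:
        digest = sha256_hex(image)
        if digest in self.bad:
            return ("DENY", f"matches signature {self.bad[digest]}")
        return ("ALLOW", "no signature match")  # unknown code is allowed to run


@dataclass
class AllowList:
    """Whitelisting policy: run only administratively approved images, deny the rest."""
    approved: Dict[str, str] = field(default_factory=dict)  # digest -> program name

    def approve(self, name: str, image: bytes) -> str:
        """Administrator records the digest of an approved program."""
        digest = sha256_hex(image)
        self.approved[digest] = name
        return digest

    def decide(self, image: bytes) -> Verdict:
        digest = sha256_hex(image)
        name = self.approved.get(digest)
        if name is None:
            return ("DENY", f"unapproved image {digest[:12]}")
        return ("ALLOW", name)


# Constructed sample images (stand-ins for real PE files; not real malware).
PAYROLL = b"MZ\x90\x00payroll-v1"
PAYROLL_TAMPERED = b"MZ\x90\x00payroll-v2"   # one byte differs, so the digest changes
DROPPER = b"MZ\x90\x00never-seen-before"      # nothing has a signature for this yet
KNOWN_WORM = b"MZ\x90\x00catalogued-worm"     # the one thing the blocklist knows


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Run both policies over the samples; returns {sample: {policy: decision}}."""
    blocklist = Blocklist(bad={sha256_hex(KNOWN_WORM): "Worm.Sample"})
    allowlist = AllowList()
    allowlist.approve("payroll.exe", PAYROLL)

    samples = {
        "payroll": PAYROLL,
        "payroll_tampered": PAYROLL_TAMPERED,
        "dropper": DROPPER,
        "known_worm": KNOWN_WORM,
    }
    results: Dict[str, Dict[str, str]] = {}
    for label, image in samples.items():
        results[label] = {
            "blocklist": blocklist.decide(image)[0],
            "allowlist": allowlist.decide(image)[0],
        }
    return results


if __name__ == "__main__":
    for label, decisions in compare_policies().items():
        print(f"{label:18} blocklist={decisions['blocklist']:5} allowlist={decisions['allowlist']}")
```

The flip side, which the quote above does not dwell on, is visible in the same output: every legitimate update to `payroll.exe` changes its digest and must be re-approved before it will run, which is where the administrative cost of whitelisting lives.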

Alex Eckelberry, the CEO of Clearwater, Fla.-based Sunbelt Software, says that because the threat is no longer simply viruses, trojans and worms, but complex malware that drops multiple infections onto networks and users' computers, a whole new approach to protection is needed to deal with new threats.

He explains that as he and his team talked to system administrators, he was shocked at the rage many of them expressed at the AV companies. The products couldn't keep up with new infections; all they did was pile on updates, which often slowed systems down considerably, many said. Even though Sunbelt had its own AV product on the market, CounterSpy, the decision was made to go ahead and develop a new product from the ground up.

“We wanted to make something fresh and new using the latest technology,” says Eckelberry.

The result, VIPRE, recently launched for home and enterprise users, and adoption is very strong, he says.

What's different, he explains, is that in addition to a full range of anti-malware features, it adds behavioral detection that examines how malware behaves rather than what it looks like. It also adds anti-rootkit tools and heuristics that look for known bad patterns. Toward the end of the year, IDS (Snort) and firewall tools will be added into the mix.

Existing layers of protection are important as traditional attacks are alive and well, but as hackers have become more organized, attacks have grown at an alarming rate, says Jordy Berson, senior product manager at Check Point Software. Firewall, AV and anti-spyware are necessary components in the fight, but they are not cutting it against new browser-based attack types, he says.

ZoneAlarm from Check Point Software offers more relevant security for browsers, he says. By implementing a technology the company calls virtualization, the software has so far stopped 100 percent of drive-by downloads tested. Virtualization acts like a firewall, creating a temporary clone of users' browsers. Anything done on the web runs in a protected shell, sealed off from the user's PC.

“Is the launch of Sunbelt's VIPRE the end of the Symantec curse?” asks Rod Trent on his blog.

Not quite, says Peter Firstbrook, an analyst at Gartner. “Almost all AV vendors make identical claims. Enterprise AV is very sticky, so unless [Sunbelt has] invented a better mousetrap that also offers considerable business benefits (read lowers TCO), I doubt it will be the ‘death’ of anybody.”

Chenxi Wang, principal analyst, security and risk management, Forrester Research, says, “From what I can gather, this looks like an integrated anti-virus and anti-spyware product, which is not a new idea. As for its claim of not using as much system resources as Symantec, I am not sure how much to believe since I have not spoken with any of their customers or tested the product myself. One thing I do want to point out: Symantec may have an old-school approach to anti-malware, meaning putting all the signatures on the endpoint and updating them as necessary. With the rate of new malware emerging (Symantec reported more than 1,900 daily new malware instances for 2007), soon the signature-updating approach will no longer be fast enough or scalable enough. It is without question the time to look for alternative approaches.”

Rich Mogull, founder of Securosis, agrees. “I never believe anyone when they say they will kill McAfee or Symantec. I hear that all the time and it never happens.”

“If you want to compare VIPRE enterprise, I think you should compare it to Trend Micro's latest Smart Protection Network approach,” adds Wang. “What Trend did is to move malware signatures into the cloud. The endpoint will only house a small percentage of popular signatures. Every time the endpoint engine encounters a potential malware, a hash code is sent to the cloud to look for a match. This approach leverages the resources of cloud computing and can minimize CPU impact on the endpoint.”
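The cloud-assisted lookup Wang describes, as an added example that is not Trend Micro's code: the cloud service, the endpoint engine, the cache size and the sample byte strings are all constructed here for illustration. The endpoint keeps a small resident set of "popular" signatures, sends only a SHA-256 digest (never the file) to the cloud for anything it does not recognise, and remembers the cloud's verdict in a small LRU cache so that repeated encounters with the same file cost no further round trips. The example also covers the failure mode the quote leaves out: when the cloud is unreachable and nothing local matches, the engine reports UNKNOWN rather than quietly allowing the file.

```python
import hashlib
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple


def sha256_hex(image: bytes) -> str:
    """Digest of the executable image; this is the only thing sent off the endpoint."""
    return hashlib.sha256(image).hexdigest()


class CloudSignatureService:
    """Stand-in for the vendor's cloud: holds the full database, answers by digest only."""

    def __init__(self, signatures: Dict[str, str]) -> None:
        self.signatures = signatures   # digest -> malware name
        self.queries = 0               # round trips the endpoint has paid for
        self.reachable = True          # flipped to False to simulate an outage

    def lookup(self, digest: str) -> Optional[str]:
        if not self.reachable:
            raise ConnectionError("cloud unreachable")
        self.queries += 1
        return self.signatures.get(digest)


class EndpointEngine:
    """Endpoint engine: small resident signature set plus an LRU cache of cloud verdicts."""

    def __init__(self, cloud: CloudSignatureService, resident: Dict[str, str],
                 cache_size: int = 2) -> None:
        self.cloud = cloud
        self.resident = dict(resident)          # the "popular" signatures kept locally
        self.cache: "OrderedDict[str, Optional[str]]" = OrderedDict()
        self.cache_size = cache_size

    def scan(self, image: bytes) -> Tuple[str, str]:
        digest = sha256_hex(image)
        if digest in self.resident:             # cheapest path: no network at all
            return ("BLOCK", f"resident:{self.resident[digest]}")
        if digest in self.cache:                # seen recently: reuse the cloud's answer
            self.cache.move_to_end(digest)
            hit = self.cache[digest]
        else:
            try:
                hit = self.cloud.lookup(digest)
            except ConnectionError:
                # No local knowledge and no cloud: surface it instead of silently allowing.
                return ("UNKNOWN", "no resident match; cloud unreachable")
            self.cache[digest] = hit            # cache clean verdicts (None) as well
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)  # evict least recently used
        if hit is not None:
            return ("BLOCK", f"cloud:{hit}")
        return ("ALLOW", "no match in cloud database")


# Constructed sample images (not real malware).
POPULAR_WORM = b"MZ\x00popular-worm"
RARE_TROJAN = b"MZ\x00rare-trojan"
CLEAN_TOOL = b"MZ\x00clean-tool"
NEVER_SEEN = b"MZ\x00brand-new"


def demo() -> Tuple[List[str], int]:
    """Scans a sequence of files; returns the decisions and how many cloud queries they cost."""
    cloud = CloudSignatureService({
        sha256_hex(POPULAR_WORM): "Worm.Popular",
        sha256_hex(RARE_TROJAN): "Trojan.Rare",
    })
    # Only the popular signature is resident on the endpoint.
    endpoint = EndpointEngine(cloud, resident={sha256_hex(POPULAR_WORM): "Worm.Popular"})

    decisions = [
        endpoint.scan(POPULAR_WORM)[0],   # resident hit, no query
        endpoint.scan(RARE_TROJAN)[0],    # cloud query 1
        endpoint.scan(RARE_TROJAN)[0],    # cache hit, still 1 query
        endpoint.scan(CLEAN_TOOL)[0],     # cloud query 2, verdict None cached
    ]
    queries_while_online = cloud.queries

    cloud.reachable = False
    decisions.append(endpoint.scan(CLEAN_TOOL)[0])   # cached verdict survives the outage
    decisions.append(endpoint.scan(NEVER_SEEN)[0])   # nothing known anywhere: UNKNOWN
    return decisions, queries_while_online


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting for anyone evaluating such a product: the digest is a lookup key, not a sample upload, so a cloud lookup reveals which files an endpoint has encountered but not their contents; and whether the engine fails open or closed when the cloud is unreachable is a policy decision the vendor has to make and document, which is why the example returns a distinct UNKNOWN verdict instead of choosing for you.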

Eckelberry makes the case that his mission is to get individuals thinking about the customer. “It's enlightened self-interest. Vendors make so much money with AV products, but service calls go offshore and offer bad support, and subscription renewals are horrific.”

And the market is projected to grow even more as organized criminal gangs step up their efforts.

“What drives people to get a full security suite is generally an event happens,” says John Gale, director of product management for ZoneAlarm, the consumer division of Check Point. “They read an article about identity theft, or a friend or they themselves have trouble. There have been a whole lot of stories, and they scare people straight.”
