Symantec Adds Zero-Day Defense To Consumer Security Line

Symantec will add a new defense to its consumer security flagship products Norton AntiVirus and Norton Internet Security early next month to protect PCs from zero-day exploits, the company said Wednesday.

Sonar, for Symantec Online Network for Advanced Response, is based on technology acquired in the 2005 purchase of WholeSecurity, a maker of anti-phishing and intrusion prevention software. "It's a new behavioral technology," says Ed Kim, director of product management in Symantec's consumer product group. "It's a zero-day defense that doesn't use signatures."

So-called zero-day exploits are those for which no patch is available from the vendor, but the term is sometimes used to describe exploits for which there are no antivirus fingerprints, or signatures, yet distributed by security companies.

"Sonar uses an expansive list of behaviors" to look for possible exploits, says Kim. "It scores the application or executable by examining both positive and negative attributes. For example, does it have a shortcut on the desktop, is it digitally signed? On the other hand, is it just a one-pixel window?"

"It sounds like Symantec's talking about a sandbox, but they're not calling it that because [a sandbox] isn't new," says Roger Thompson, chief technology officer of rival security vendor Exploit Prevention Labs. A sandbox environment, which restricts what computer code can do or what other components it can impact, often is used to run suspicious or untrusted software to get an idea of what it does and whether it might be malicious.

Most desktop security that aims at stopping zero-days, claims Kim, rely on "shields," software that watches for changes in, say, the Windows registry or to the directory where Windows' system files are lumped, then compares those changes with a database of signatures, or rules, that identify known exploits. "Those are prone to false positives," Kim says.

Signature-based defenses, however, operate in real-time to block exploits as they try to make their way onto a system. Symantec's Sonar, by comparison, is a scanner, similar to the one that sniffs for viruses and worms, that runs daily. "It's not part of the real-time defense," admits Kim. "Scans run on a daily basis, so this is an extra layer on daily [anti-virus] scans."

The addition to Norton AntiVirus and Norton Internet Security 2006 and 2007 will be made available to users "around the time of general availability of the Vista products, in early February," shortly after the release of the new Microsoft Windows operating system to consumers on Jan. 30. Existing users will receive an online upgrade; the technology will also be integrated in the Vista versions of AntiVirus and Internet Security.

"We're very bullish about the technology," says Kim. "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."

Thompson, however, defended signatures in zero-day defenses. "Signatures are slower to react. Bad guys know they can shoot the world in the foot by releasing 10 variants of a downloader. Most AV [anti-virus] vendors will get the first two or three [variants] but let the others through. But our signatures aren't looking at the payload. We could care less about the payload. Most of the time the exploits themselves haven't changed, so we block the exploit."

Adding another layer of defense, however, is a smart move on Symantec's part, says Thompson. "We've never pitched LinkScanner as a replacement for antivirus, for example, but always as another layer. Each layer [of defense] catches a certain percentage of the problems."

In other news, Symantec's share prices rebounded slightly Wednesday after falling sharply on news the day before that the vendor failed to meet earlier third-quarter forecasts. Tuesday, chief executive John W. Thompson blamed the shortfall on weak performance from its Veritas group and a shift by more enterprises to long-term maintenance contracts. "There's a huge personal disappointment associated with all of this,'' Thompson said during a conference call. He also said that the company will disclose cost-cutting measures next week.

By mid-day, Symantec shares had climbed 16 cents to $17.95, after dropping $2.69 to $17.79 Tuesday, a one-day decline of 13.2%.