At the RSA Conference this week, security juggernaut Symantec unveiled new versions of its Endpoint Protection software that come with enhanced features that the company says are better positioned to stop malware in its tracks. The company also announced a Small Business Edition (SBE) of Symantec Endpoint Protection 12 that will offer the same enterprise-class threat detection technologies, but with the needs of SMBs in mind. Highlighted features include an installation wizard to assist deployments, pre-configured policy settings and reports tailored for small business customers.
The presence of a new "Insight Reputation System" will help optimize scanning by skipping known good files, while SONAR (Symantec Online Network for Advanced Response) technology examines behaviors and characteristics to identify new or novel threats, says Symantec. In the official press release, Symantec Endpoint Protection 12 was touted as being "twice as fast as the average security solution."
The new features caught my attention because while it is typical for Symantec to release periodic updates to its products, the way Insight works suggests a paradigm shift in the technical abilities incorporated into its anti-virus software. After having ignored (or at least sidelined) whitelisting for the longest time, Symantec appears to have finally adopted it. Indeed, Symantec has also stepped out of the box by adopting a cloud-based approach to further narrow down potential new threats, combining it with the other technologies in its arsenal to complement and substantially strengthen its traditional blacklist approach.
Hopefully, this combination of multiple defensive strategies, traditional signature-based (blacklist) and heuristic scanning together with the new behavioral detection and the Insight online reputation system, will help stop any Stuxnet-like malware in its tracks.
Even as he sang praises about the new reputation-based approach, Symantec CEO Enrique Salem himself admitted that scanning files using blacklisted information contained within virus definition files has its limits:
The idea of a blacklisting approach is no longer going to be effective ... We need real-time, contextual tracking that looks at a series of attributes; things like file age, download source, prevalence, and brings all those things together.
Indeed, a large proportion of new attacks are attributed to "attack toolkits" created and distributed by hackers, usually for a price. These specially created malware generators are able to churn out large numbers of signature-unique malware samples that tend to be selectively distributed, yet result in high-impact threats. Against this threat landscape, the incorporation of Insight, if it works as advertised, will go a long way towards protecting endpoint devices.
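As an added illustration (not Symantec's Insight code; the page does not describe its actual scoring model), the following Python sketch shows how the attributes Salem names, file age, download source and prevalence, together with a known-good whitelist, could be combined to decide how much scanning effort a file receives. The weights, thresholds, source labels and placeholder hashes are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed whitelist of known-good file hashes (placeholder strings, not real digests).
KNOWN_GOOD = {"sha256:GOOD-PLACEHOLDER-1", "sha256:GOOD-PLACEHOLDER-2"}

# Assumed trust contribution of each download origin (labels are illustrative).
SOURCE_WEIGHT = {"signed-vendor": 0.3, "corporate-share": 0.2, "unknown-web": 0.0}


@dataclass
class FileContext:
    sha256: str
    age_days: int      # days since the file was first observed anywhere
    prevalence: int    # number of endpoints that have reported this file
    source: str        # download origin label, see SOURCE_WEIGHT


def reputation_score(ctx: FileContext) -> float:
    """Combine contextual attributes into a 0..1 trust score (weights are assumptions)."""
    score = 0.0
    # Widely seen files are unlikely to be one-off, toolkit-generated samples.
    score += min(ctx.prevalence, 1000) / 1000 * 0.4
    # Files that have been around for a long time without complaint earn trust.
    score += min(ctx.age_days, 365) / 365 * 0.3
    # Trusted origins add confidence; unknown origins add nothing.
    score += SOURCE_WEIGHT.get(ctx.source, 0.0)
    return round(score, 3)


def triage(ctx: FileContext) -> str:
    """Decide how the scanner should treat the file."""
    if ctx.sha256 in KNOWN_GOOD:
        return "skip"                 # whitelisted: spend no scan time on it
    score = reputation_score(ctx)
    if score >= 0.7:
        return "scan-light"           # trusted enough for a quick signature check
    if score >= 0.3:
        return "scan-full"            # signature plus heuristic scan
    return "scan-full+behavior"       # rare, new, unknown origin: also watch its behaviour


if __name__ == "__main__":
    sample = FileContext("sha256:NEW-PLACEHOLDER", age_days=0, prevalence=1, source="unknown-web")
    print(reputation_score(sample), triage(sample))
```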
The Symantec Endpoint Protection 12 family of products is expected to be available this summer, with a public beta scheduled to roll out in April. In the meantime, those who are interested can sign up for the beta of Symantec Endpoint Protection 12 here.