[real-eyes] Immunet: A Second Opinion Worth a Second Look

  • From: Steve <kcpadfoot@xxxxxxxxx>
  • To: "real-eyes@xxxxxxxxxxxxx" <real-eyes@xxxxxxxxxxxxx>
  • Date: Thu, 15 Apr 2010 15:48:29 -0500

The following is from the Krebs On Security blog.
http://krebsonsecurity.com/
The program mentioned in this blog can be found at
http://www.immunet.com/

Steve



Immunet: A Second Opinion Worth a Second Look
Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC.
But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.
Users can run Immunet alone, and many do: The program scans files using two types of threat profiles: specific definitions or fingerprints of known threats, and generic signatures that are more akin to looking for a specific malware modus operandi.
But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virus products that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware.
I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in-the-cloud,” – that is, not on the user’s system. Immunet currently has about 133,000 active users, and that number changes constantly: Each time you reboot a system with it installed, chances are you will see a different – usually higher – number of users in the community.
I spoke recently with Immunet’s vice president of engineering, Alfred Huger, a former VP at Symantec Corp., and Adam O’Donnell, director of cloud engineering for the startup. That conversation — excerpts of which are included below — provides interesting insights into how the anti-virus industry operates, how consumers interact with these products, and how Immunet hopes to differentiate itself in an already crowded field.
Adam O’Donnell (AO):
People have been running multiple anti-virus packages on their desktop for years because they think they will get double protection. We’re just making sure we play well in that environment and that we tell customers, “No, it’s okay. We would like to be one of those.” A lot of our users are excited by the fact that they can run us in tandem with other products.
BK:
Okay, but does the world really need another anti-virus product? Why should people turn to Immunet?
Alfred Huger (AH):
The goal of the company was to build the next generation anti-virus product. We wanted to build an anti-virus program that could convict threats that weren’t previously seen – as well as those that were already known — but also to be able to do it in a way that was extremely light on resources and not as dependent on infrastructure, or on the way that anti-virus companies usually gather data.
BK: And how do they do that?
AH:
Well, for example, with your typical anti-virus company, 95 percent of data you end up building definitions for you get from trading partners, other anti-virus companies. If I’m a large vendor and I’m sample trading, I’m probably getting 35-40 good feeds of actual malware that aren’t super false-positive laden. But the problem is I don’t always know how old those feeds are. If you do enough testing, you’ll find that the feeds are probably anywhere between 1-30 days old. And that’s for a couple of reasons. First off, the guys trading you this stuff compete with you. They’re not stupid: The last thing they want to do is give you all of their signatures so you can compete better in product reviews. Every vendor — no matter how honest they are — games each other when it comes to trading samples.
BK:
Do these samples all come from stuff the anti-virus companies have discovered, or is it just suspicious files, or…
AO:
So, the way other vendors get their samples is not only from each other, but if you go far enough down the pipe, it’s off some desktop somewhere.
AH:
And it really depends on the vendor. Symantec, for example, takes a truckload of stuff off desktops but they don’t ever trade that. Generally speaking, they don’t retrade stuff off of customer desktops. Hardly any of the vendors do. And they also retrade a truckload. What they trade is stuff that they have verified as malicious — meaning they have a guy who has hand-analyzed it. They also trade stuff they crawl.
BK:
By “stuff they crawl” do you mean malware they find by following links in spam and by scouring the search engines and so on?
AH:
Right. But a lot of it is aged. The average lifespan for a piece of malware when it’s most dangerous is one to two days. On the other hand, Immunet is community-reliant, which means it’s taking a sample right off of your PC and — providing it can make a distinction about whether it’s bad or not — and then sharing that with everyone in the community here and now. Which means protection is a lot faster for all users.
BK:
And you think with enough time and users, Immunet will be better and faster at detecting threats?
AH:
We’re able to pull in data from a community that isn’t homogeneous. The data isn’t just from AVG or Symantec or McAfee. Now, this doesn’t mean we’re going to blow the rest out of the water on detection. We’re still reliant on the same sorts of heuristic engines that every other anti-virus vendor is. The difference is once we identify it, we’re able to make detection for it available much, much faster. But there’s no question whether our product will increase your ability to detect viruses, full stop.
BK:
If I have Immunet on my system in addition to another anti-virus product, which one speaks up first about an infection? Or will they both?
AH:
Typically, the other anti-virus product will reside in front of us, but in some cases they don’t. In both cases, they should both alert if they both have [detection for] it. If you are running Kaspersky anti-virus and our stuff, and you download a threat, if Kaspersky detects it, they’ll flag it even if we do as well.
BK:
So who’s your typical Immunet user? Have you learned anything about the user community yet?
AH:
We’ve found a lot of stuff that’s completely bizarre. We have a Japanese partner that co-brands our stuff and distributes it in Japan, and so we get to compare their user base with ours, which is mostly Western Europe, North America, and Brazil. So, we know which anti-virus products we’re co-resident with. But a decent portion of our user base are running no anti-virus at all other than us.

If you take that over to our Japanese users, 96 percent have another anti-virus product installed. At first we thought, ‘Wow, we have a serious bug.’ But as it turns out, there are a truckload of users who are in two boats: For whatever reason, they un-installed all anti-virus. Maybe it slowed down their computer or they decided they didn’t need it. Either that or they had a virus that disabled anti-virus. The breakdown is probably 25 percent had a virus that disabled their anti-virus, and 75 percent who didn’t have any anti-virus before they installed our product thought they didn’t need it.

So there seem to be really two schools of users, [those who have] nothing or everything. There are people who run Spyware Doctor, Threatfire, AVG, and then they will have like AVIRA with resident detection turned off, and then Hitman Pro and Online Armor, all on one machine. And you think, ‘Wow, how does your computer even boot, man?’
BK:
Interesting. So, that means a fair number of your users have a virus on their system when they install your product?
AH:
It’s about 10 percent. At one point, a significant portion of our user base already had a virus when they signed up with us.
BK:
Doesn’t that suggest that the anti-virus industry is advertising protection it can’t provide?
AH:
The majority of anti-virus doesn’t work very well. The numbers they publish in the reviews are bull. It’s shameful. When we get past the “this software has turned my computer into a brick” syndrome, everyone I know has had a virus on their system even though they had a fully up-to-date anti-virus product. One of the biggest problems of AV is that it’s still not solving the problem. If people made seat belts unreliable like this, executives would go to jail.
BK: What anti-virus products does Immunet currently play nice with?
[Huger provided me with a list of those anti-virus products that are officially supported and those that are unofficially supported (meaning Immunet doesn't test them but users report success). Readers contemplating installing Immunet should read this known issues support Q&A.]
BK: So what’s next for Immunet?
AH:
The 2.0 version – which ships at the end of May – will be significantly different [screenshot below]. It has all of the functionality that a ‘pro’ main line AV product has. It still supports installing alongside other AV products and it does have two new [anti-virus scanning] engines. One is called SPERO which is machine learning and cloud based and another called TETRA which is an ‘offline’ traditional PC-side engine which will only ship in the ‘Plus’ (commercial) version. We will also have both our Free version and a new commercial version which has offline protection and enhanced malware removal.
