[real-eyes] Immunet: A Second Opinion Worth a Second Look
- From: Steve <kcpadfoot@xxxxxxxxx>
- To: "real-eyes@xxxxxxxxxxxxx" <real-eyes@xxxxxxxxxxxxx>
- Date: Thu, 15 Apr 2010 15:48:29 -0500
The following is from the Krebs On Security blog.
http://krebsonsecurity.com/
The program mentioned in this blog can be found at
http://www.immunet.com/
Steve
Immunet: A Second Opinion Worth a Second Look
Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC.
But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.
Users can run Immunet alone, and many do: The program scans files using two types of threat profiles: specific definitions or fingerprints of known threats, and generic signatures that are more akin to looking for a specific malware modus operandi.
But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virus products that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware.
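A toy model of the scheme the two paragraphs above describe, added here as an example and not Immunet's code: specific fingerprints, generic "modus operandi" rules, alerts passed on from a co-resident product, and a centralized store that turns any one PC's conviction into an exact fingerprint for everyone else. The sample files, rule and detection names are all constructed.

```python
import hashlib, re

# Constructed stand-ins for scanned files: harmless byte strings, not real malware.
SAMPLES = {
    "known.exe":   b"MZ\x90\x00KNOWN-BAD-DROPPER",
    "variant.exe": b"MZ\x90\x00VirtualAllocEx WriteProcessMemory CreateRemoteThread",
    "other.exe":   b"MZ\x90\x00something only another vendor recognises",
    "clean.exe":   b"MZ\x90\x00hello world",
}
def fingerprint(data: bytes) -> str:
    """Specific definition: the exact SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()
# Generic signature: a pattern for a modus operandi (constructed rule for the classic
# remote-thread injection API sequence) rather than for one specific file.
GENERIC_RULES = {
    "Generic.Injector": re.compile(rb"VirtualAllocEx.*WriteProcessMemory.*CreateRemoteThread"),
}
class Client:
    """One PC; `server` is the shared store, a dict sha256 -> (detection, reporting PC)."""
    def __init__(self, name, server, local_fingerprints):
        self.name, self.server, self.local = name, server, dict(local_fingerprints)
    def scan(self, data, coresident_alert=None):
        """Return (detection name, source) or None. Every local conviction, including one
        raised by a co-resident AV product, is published so all other clients gain it."""
        sha = fingerprint(data)
        name, source = self.local.get(sha), "local-fingerprint"
        if not name:
            name = next((n for n, r in GENERIC_RULES.items() if r.search(data)), None)
            source = "generic"
        if not name and coresident_alert:
            name, source = coresident_alert, "co-resident-av"
        if name:
            self.server.setdefault(sha, (name, self.name))  # share "here and now"
            return name, source
        hit = self.server.get(sha)  # cloud lookup for anything unknown locally
        return (hit[0], "community:" + hit[1]) if hit else None

def demo():
    server = {}
    a = Client("pc-a", server, {fingerprint(SAMPLES["known.exe"]): "Trojan.KnownDropper"})
    b = Client("pc-b", server, {})  # no local definitions at all
    return {
        "b-before":  b.scan(SAMPLES["known.exe"]),    # None: nothing shared yet
        "a-known":   a.scan(SAMPLES["known.exe"]),    # local fingerprint, published
        "a-variant": a.scan(SAMPLES["variant.exe"]),  # generic rule, published
        "a-other":   a.scan(SAMPLES["other.exe"], coresident_alert="OtherAV.Sample"),
        "b-after":   b.scan(SAMPLES["known.exe"]),    # community hit from pc-a
        "b-other":   b.scan(SAMPLES["other.exe"]),    # other vendor's alert, via pc-a
        "b-clean":   b.scan(SAMPLES["clean.exe"]),    # None
    }
```

The trade-off the toy makes visible: a co-resident product's false positive is republished to the whole community just as readily as a true conviction, so a real deployment needs a vetting step before a shared report becomes a blocking detection.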
I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in the cloud,” that is, not on the user’s system. Immunet currently has about 133,000 active users, and that number changes constantly: Each time you reboot a system with it installed, chances are you will see a different – usually higher – number of users in the community.
I spoke recently with Immunet’s vice president of engineering, Alfred Huger, a former VP at Symantec Corp., and Adam O’Donnell, director of cloud engineering for the startup. That conversation — excerpts of which are included below — provides interesting insights into how the anti-virus industry operates, how consumers interact with these products, and how Immunet hopes to differentiate itself in an already crowded field.
Adam O’Donnell (AO): People have been running multiple anti-virus packages on their desktop for years because they think they will get double protection. We’re just making sure we play well in that environment and that we tell customers, “No, it’s okay. We would like to be one of those.” A lot of our users are excited by the fact that they can run us in tandem with other products.

BK: Okay, but does the world really need another anti-virus product? Why should people turn to Immunet?

Alfred Huger (AH): The goal of the company was to build the next generation anti-virus product. We wanted to build an anti-virus program that could convict threats that weren’t previously seen – as well as those that were already known — but also to be able to do it in a way that was extremely light on resources and not as dependent on infrastructure, or on the way that anti-virus companies usually gather data.
BK: And how do they do that?

AH: Well, for example, with your typical anti-virus company, 95 percent of data you end up building definitions for you get from trading partners, other anti-virus companies. If I’m a large vendor and I’m sample trading, I’m probably getting 35-40 good feeds of actual malware that aren’t super false-positive laden. But the problem is I don’t always know how old those feeds are. If you do enough testing, you’ll find that the feeds are probably anywhere between 1-30 days old. And that’s for a couple of reasons. First off, the guys trading you this stuff compete with you. They’re not stupid: The last thing they want to do is give you all of their signatures so you can compete better in product reviews. Every vendor — no matter how honest they are — games each other when it comes to trading samples.
BK: Do these samples all come from stuff the anti-virus companies have discovered, or is it just suspicious files, or…

AO: So, the way other vendors get their samples is not only from each other, but if you go far enough down the pipe, it’s off some desktop somewhere.

AH: And it really depends on the vendor. Symantec, for example, takes a truckload of stuff off desktops but they don’t ever trade that. Generally speaking, they don’t retrade stuff off of customer desktops. Hardly any of the vendors do. And they also retrade a truckload. What they trade is stuff that they have verified as malicious — meaning they have a guy who has hand-analyzed it. They also trade stuff they crawl.
BK: By “stuff they crawl” do you mean malware they find by following links in spam and by scouring the search engines and so on?

AH: Right. But a lot of it is aged. The average lifespan for a piece of malware when it’s most dangerous is one to two days. On the other hand, Immunet is community-reliant, which means it’s taking a sample right off of your PC and — providing it can make a distinction about whether it’s bad or not — and then sharing that with everyone in the community here and now. Which means protection is a lot faster for all users.
BK: And you think with enough time and users, Immunet will be better and faster at detecting threats?

AH: We’re able to pull in data from a community that isn’t homogeneous. The data isn’t just from AVG or Symantec or McAfee. Now, this doesn’t mean we’re going to blow the rest out of the water on detection. We’re still reliant on the same sorts of heuristic engines that every other anti-virus vendor is. The difference is once we identify it, we’re able to make detection for it available much, much faster. But there’s no question whether our product will increase your ability to detect viruses, full stop.
BK: If I have Immunet on my system in addition to another anti-virus product, which one speaks up first about an infection? Or will they both?

AH: Typically, the other anti-virus product will reside in front of us, but in some cases they don’t. In both cases, they should both alert if they both have [detection for] it. If you are running Kaspersky anti-virus and our stuff, and you download a threat, if Kaspersky detects it, they’ll flag it even if we do as well.
BK: So who’s your typical Immunet user? Have you learned anything about the user community yet?

AH: We’ve found a lot of stuff that’s completely bizarre. We have a Japanese partner that co-brands our stuff and distributes it in Japan, and so we get to compare their user base with ours, which is mostly Western Europe, North America, and Brazil. So, we know which anti-virus products we’re co-resident with. But a decent portion of our user base are running no anti-virus at all other than us.

If you take that over to our Japanese users, 96 percent have another anti-virus product installed. At first we thought, ‘Wow, we have a serious bug.’ But as it turns out, there are a truckload of users who are in two boats: For whatever reason, they un-installed all anti-virus. Maybe it slowed down their computer or they decided they didn’t need it. Either that or they had a virus that disabled anti-virus. The breakdown is probably 25 percent had a virus that disabled their anti-virus, and 75 percent who didn’t have any anti-virus before they installed our product thought they didn’t need it.

So there seem to be really two schools of users, [those who have] nothing or everything. There are people who run Spyware Doctor, Threatfire, AVG, and then they will have like AVIRA with resident detection turned off, and then Hitman Pro and Online Armor, all on one machine. And you think, ‘Wow, how does your computer even boot, man?’
BK: Interesting. So, that means a fair number of your users have a virus on their system when they install your product?

AH: It’s about 10 percent. At one point, a significant portion of our user base already had a virus when they signed up with us.

BK: Doesn’t that suggest that the anti-virus industry is advertising protection it can’t provide?

AH: The majority of anti-virus doesn’t work very well. The numbers they publish in the reviews are bull. It’s shameful. When we get past the “this software has turned my computer into a brick” syndrome, everyone I know has had a virus on their system even though they had a fully up-to-date anti-virus product. One of biggest problems of AV is that it’s still not solving the problem. If people made seat belts unreliable like this, executives would go to jail.
BK: What anti-virus products does Immunet currently play nice with?

[Huger provided me with a list of those anti-virus products that are officially supported and those that are unofficially supported (meaning Immunet doesn't test them but users report success). Readers contemplating installing Immunet should read this known issues support Q&A.]
BK: So what’s next for Immunet?

AH: The 2.0 version – which ships at the end of May – will be significantly different [screenshot below]. It has all of the functionality that a ‘pro’ main line AV product has. It still supports installing alongside other AV products and it does have two new [anti-virus scanning] engines. One is called SPERO, which is machine learning and cloud based, and another called TETRA, which is an ‘offline’ traditional PC-side engine which will only ship in the ‘Plus’ (commercial) version. We will also have both our Free version and a new commercial version which has offline protection and enhanced malware removal.