So I'd like to add some data here.
One of the things that makes us different from the others, and particularly some of the smaller vendors out there, is our approach to false positives. We will not put a signature into our definitions if we think it has the potential to cause false positives. If you were to ask the vast majority of our customers what would be worse for them, a virus outbreak on a small number of PCs (or even a large number, particularly with today's types of threats) versus a false positive on a system or executable file, I am fairly sure they would choose the virus option. We are very proud of our false positive ratio; it's currently around 0.1%. When you protect over 130 million endpoints around the world, that's no mean feat! Other vendors can potentially afford a higher FP ratio, since their customer numbers will be lower.
Now, that's not to say we aren't changing the way we work; we are constantly looking for new ways to detect and pick up threats, whether that is sharing code with other vendors or taking a feed from VirusTotal. Sadly, the nature of today's changing threat landscape means we are seeing more and more variants of the same virus. As most traditional AV blacklisting is done based on file signatures, a quick change to the code gives you a new signature and a variant. However, what we have been doing recently is extending the detection capabilities of each signature, rather than creating a new one for each variant (anybody remember the days of NetSky or MyDoom and their huge numbers of variants?), so when you see something was listed as being detected since February 2009 or similar, that's only when the signature was first written; we have no easy way of telling if the specific variant you are seeing is in there. That's the problem: by the time you get a signature out, the malware has gone and changed again. To give you an idea of the effect that variants have, in the year 2002 we wrote just over 20,000 signatures for the whole year. In 2005, that number increased to around 110,000. Now comes the jump! In 2007, we wrote 600,000 signatures and in 2008 we added 1.6 million! Put another way, in 2000 we were writing about 5 signatures per day and in 2007 that number was 1431. Now, in 2008 we were averaging around 12,000 signatures PER DAY! That's a 239% increase on 2007 and the numbers are still going up. Our current estimates are that we will peak at 25,000 per day this year. In addition to that, we receive 200,000 file submissions per day; most of these are processed automatically: they are analysed and, where required, definitions are updated or written and automatically put into the next set of rapid release definitions.
For those of you talking about honeypots, of course we have our own honeypot, but we also take data from our customers and their networks. We have over 240,000 sensors on customer networks and the Internet spread across 200 countries; add to that over 2.5 million decoy email accounts and the fact that via Brightmail we process in excess of 150 BILLION emails per day (http://www.symantec.com/business/security_response/landing/spam/index.jsp). That's a huge amount of information we have on the threat landscape.
Having said that, can we do better? Sure we can; any vendor who says they can't simply doesn't understand the scale of the problem. Over the last few months, some of you have probably noticed more detections from Bloodhound signatures or "Suspicious.something" signatures. These are new heuristic signatures in action. We are currently working on more signatures like this to better protect our customers; however, our FP policy still stands and for that reason we release these signatures in stages. If you want to get these sigs as quickly as possible (but at the small but potential risk of FP), then set your Bloodhound settings to the highest and they will be active. Once we have tested at that level and confirmed there are no major issues, then we release to the normal Bloodhound levels too. These signatures are already having good effects on customers' networks; one particularly long-running threat has seen a marked drop since we did this. It's also a threat that has specifically targeted us and our detection methods in the past.
Going further, I'm sure you are all aware of the Krypton IPS engine in SEP; if not, then you should read this:
https://www-secure.symantec.com/connect/articles/so-what-krypton-anyway

As others have mentioned, we are now at the point where there IS more BAD code than GOOD code, so you have to start wondering if blacklisting is the answer anymore. It's clearly not going to go away anytime soon, but we think it can start to take more of a back seat when you start to look at technologies like reputation-based whitelisting. You can see our "first version" of this technology in the Norton 2009 and N360 v3.0 products. It's called Norton Insight and we are using it to control the number of files we scan. If we know based on our whitelist that 80% of the files on your machine are clean, then we don't need to scan them and can concentrate more effort on checking the remaining 20%... the reputation side comes in based on how many people are running those files or have downloaded them, etc. It's a very complicated set of criteria, but it works very well. Again, this is where our size comes in handy: we have been building this whitelist over the last few years, based on information from third parties and huge amounts of consumer data that is submitted via Norton Community Watch.
I do just want to cover off the point around zip files. It's true, we do not scan them when you download the file. Is there really a point in slowing down the download/copy/write to scan the file when it's harmless at that point? If you extract the files OR attempt to launch the malcode directly from the zip, then we will pick it up since it's accessed or written to the temp folder. If you run a scheduled scan, then you have the option of scanning inside these files; by default we will scan 3 levels into a nested archive, but you can increase that if you wish.
Lastly, we can never please everyone, I realise that, but please take a look at the independent reviews. AV Comparatives (http://av-comparatives.org/comparativesreviews/main-tests), where we get one of the highest detection ratios with one of the lowest FP ratios; that's the key. ANY product can claim 100% detection if they say every file on a PC is a threat; you must take the FP rate into account too. Andreas Marx over at AV-Test also does similar reviews (http://www.virusbtn.com/news/2008/09_02). In a recent PC Magazine test (http://www.pcmag.com/article2/0,2817,2345349,00.asp), Malwarebytes got a great writeup and it was noted that their particular strength was with clearing up threats already on the machines. That's something we are wanting to fix soon and have tasked our Security Technology and Response (STAR) group to fix. Lastly, for those Germans here, you will know that we recently achieved a 99.8% detection record in the Computerbild long-term test.
I hope you found the above interesting and informative; it took a while to write. If you have questions, then please post them and I will do my best to answer them. In the meantime, what can you do to help us (if you are that way inclined)? If you see something strange or suspicious on your machine, then please please please submit it to us for analysis; even if it turns out to be clean we don't mind, we have the resources to deal with it. Who knows, you might actually help to protect another member of this forum. This is a war, and like it or not, we are all in it together. On a more serious note, it truly is no better for other vendors; I know from the number of customers I talk to day in, day out.
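As an added illustration of the nested-archive depth limit the post describes (example code written for this page, not Symantec's scanner): a scheduled scan that opens at most `max_depth` archive levels and reports which nested archives it left unopened. The byte pattern standing in for a signature, the archive layout and all function names are constructed for the example.

```python
import io
import zipfile

# Constructed stand-in for a detection signature: a plain byte pattern, not malware.
SIGNATURE = b"CONSTRUCTED-TEST-PATTERN"


def build_nested_zip(levels, payload):
    """Build an in-memory archive with `payload` buried `levels` archives deep.

    Level 1 is the outermost archive; the payload file sits inside archive `levels`.
    """
    data, name = payload, "sample.bin"
    for level in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_archive(blob, max_depth=3, depth=1, path="outer.zip", report=None):
    """Scan archive members recursively, descending at most `max_depth` levels.

    `depth` is the level of the archive currently open (outermost = 1). Archives
    nested deeper than `max_depth` are recorded in `skipped` and never opened,
    which is why a payload buried below the limit is not matched.
    """
    if report is None:
        report = {"matches": [], "skipped": [], "scanned": 0}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            content = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(content)):
                if depth >= max_depth:
                    report["skipped"].append(member_path)
                    continue
                scan_archive(content, max_depth, depth + 1, member_path, report)
            else:
                report["scanned"] += 1
                if SIGNATURE in content:
                    report["matches"].append(member_path)
    return report


if __name__ == "__main__":
    deep = build_nested_zip(4, b"header " + SIGNATURE)
    print(scan_archive(deep))               # default depth 3: level 4 left unopened
    print(scan_archive(deep, max_depth=4))  # raised limit: payload reached
```

Raising `max_depth` is the equivalent of the scheduled-scan setting the post mentions; the trade-off is scan time against archives an attacker can nest arbitrarily deep.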