Panel Introduction: Life After Antivirus – What Does the Future Hold? Martin Fréchette Sr. Principal Engineer Symantec Research Labs – Advanced Concepts

2 The Evolving Threat Landscape Attackers have shifted away –from mass distribution of a small number of threats –to micro distribution of millions of distinct threats How? Their servers generate a new malware strain every few minutes/hours –Each victim potentially gets attacked by a different strain! –Called “server-side polymorphism” How big is the problem? –We now know of over 1.8M distinct malware strains –We’re collecting 10,000s of new strains per day Further, our sensor data shows us that we’ve passed an inflection point… –The amount of malware released now exceeds the amount of goodware! –From Nov 7 th to Nov 14 th, roughly 54,600 new EXEs were downloaded by (participating) consumer users –Of these, roughly 65% of all files were malicious! time # of apps good apps malware

Coping with the Malware Flood The current blacklist model is decreasingly effective at coping with millions of distinct threats –Vendors are generating up to 20,000+ new fingerprints per day! –Furthermore, many strains of older malware may also go permanently undetected! Why? Because if only 3 people in the world have a threat, there’s little chance a security vendor has discovered it and written a signature for it –A few years ago, a single classic signature could protect 10,000s of users –Today a single classic signature typically protects < 20 users The result is that the industry –is flooding its customers with 100s of thousands of signatures every month, –yet our efficacy was arguably better a decade ago with 1/100 th the signatures! Conclusion: The classic fingerprinting approach needs to be augmented/replaced.

4 A New Approach Symantec’s top security architects believe –a hybrid whitelisting and reputation-based antivirus approach –will become the only effective means of –securing enterprise & consumer endpoints In the long-run, these schemes will largely replace traditional blacklist AV technologies –Traditional fingerprinting AV will become a part of the supporting cast

The New Approach to Antivirus Software applications have a “long-tail” distribution. Prevalence 1 user 100M users Most popular file Least popular file e.g., the 10 th most popular app is used by 1M users e.g., the 4,999,125 th most popular app is used by 2 users Legitimate apps span the spectrum, with the most popular apps occupying the head of the curve. On the other hand, most malicious software occupies the long tail… Traditional blacklisting works best for mass-distributed malware where a single sig covers thousands of users. x x x x x However the advent of personalized malware has made it difficult for AV vendors to discover and protect against the majority of today’s threats. x x x x Legend x Traditional Blacklisting Symantec proposes using a whitelist to identify the most popular legitimate applications. Over time we can expand the whitelist to cover lower-prevalence software as well. w w w w w w w w w w Whitelisting So how can whitelisting and reputation-based detection help? But how about the long tail of good and malicious apps? We propose using a novel new reputation system (like systems used by amazon.com) to automatically derive the reputation of long- tail apps based on the wisdom of our 100M strong crowd of users. r Reputation system r r r r r r r r r r r r r r r r r r r rrr r rr r r r r r rr r rrr The Idea Rather than just blocking software found on the blacklist, we will shift to a hybrid model employing whitelisting, reputation, and blacklisting.

ReputationWhitelistingBlacklisting The New Approach to Antivirus Here’s another way of thinking about the problem: Prevalent malware Prevalent goodware The long tail