When Immunet announced its new product, called Immunet Protect, earlier this week, a core advantage of it was going to be that if a group of users ran a collection of different antivirus software, the Protect metaengine could use those products’ threat alerts to inform its own population.
“Immunet Protect provides protection by harnessing the collective wisdom of the security products that you already run, as well as knowledge on the applications installed across Immunet’s entire user population,” the company states in its press release on the technology. “Immunet Protect collects security judgments on what is, and what is not safe from its community. These aggregated judgments are coalesced in the cloud, and, if they are sound, made available to the rest of the Immunet Community immediately.”
Yet, by Wednesday, the company had decided not to include that attribute in the program.
“One of the more controversial [attributes] was whether or not a file [could be] detected by another [antivirus] product,” Oliver Friedrichs, CEO of Immunet, wrote in an e-mail on Thursday. “After considering the implications, we have decided to not do this moving forward.”
The idea posed a problem because companies that want to use the results of multiple antivirus engines to protect their users are typically required to license those engines. Using the results of another antivirus engine’s scan on a user’s computer could have been seen as a copyright infringement of that vendor’s antivirus databases.
In some cases, however, the industry apparently looks the other way. Antivirus firms frequently exchange the threats that they have identified as a way to protect the general population against mass outbreaks, says Pedro Bustamante, senior research adviser with Panda Security. Moreover, many antivirus firms use computers that run rivals’ antivirus software to act as canaries and detect threats that the firms might have missed. The firm’s analysts then take apart the flagged file to see whether it is actually malicious.
“It’s the industry’s dirty little secret,” Bustamante says. “We are all doing the same thing in terms of using competitors’ products to add detections to our products. When one group sees a threat, other people will quickly add the detection.”
Doing so only makes sense.
In a research paper published by three University of Michigan researchers, 10 major antivirus programs were tested against a collection of malicious code. Even the best antivirus engine could only initially detect three-quarters of newly packed malicious code. It took three months for the best antivirus engine to detect 90 percent of the dangerous software.
Where one engine fails, multiple engines can succeed, says Jon Oberheide, a PhD student at the University of Michigan and the lead author of the paper.
“Combining the intelligence of multiple antivirus engines can result in significant gains in detection coverage of globally scoped malware,” he says.
In the paper, Oberheide and his colleagues found that any single engine detects 40 to 80 percent of viruses in the first week; using more than one antivirus engine to scan the same program increases the detection rate to between 75 and 95 percent in the first week. The University of Michigan researchers call the technique n-version protection.
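As an added illustration of the n-version idea (example code written for this article, not code from the Michigan paper or from Immunet), the script below takes constructed per-engine verdicts for a handful of samples and compares each engine's own coverage with the "any engine" and "at least k engines" aggregation rules, which is the trade-off a coalescing service has to pick between. Engine names and verdicts are made up.

```python
from itertools import combinations

# Constructed sample data: for each hypothetical engine, whether it flagged
# each of 10 malware samples. Names and values are invented for illustration.
VERDICTS = {
    "engine_a": [True, True, False, True, False, True, False, True, False, False],
    "engine_b": [False, True, True, True, False, False, True, False, False, False],
    "engine_c": [True, False, True, False, True, False, False, True, True, False],
    "engine_d": [False, False, True, True, False, True, True, False, True, False],
}


def coverage(flags):
    """Fraction of samples flagged by one engine."""
    return sum(flags) / len(flags)


def single_engine_coverage(verdicts):
    """Per-engine detection rate, the baseline n-version protection improves on."""
    return {name: coverage(flags) for name, flags in verdicts.items()}


def n_version_coverage(verdicts, k=1):
    """Fraction of samples flagged by at least k engines.

    k=1 is the 'any engine' rule (maximum coverage, most false positives);
    larger k demands consensus before a verdict is accepted.
    """
    names = list(verdicts)
    n_samples = len(verdicts[names[0]])
    hits = sum(
        1 for i in range(n_samples)
        if sum(verdicts[name][i] for name in names) >= k
    )
    return hits / n_samples


def best_subset(verdicts, size):
    """Which `size` engines together cover the most samples under the any-engine rule.

    Useful when licensing cost caps how many engines can be combined.
    """
    best = None
    for combo in combinations(verdicts, size):
        cov = n_version_coverage({name: verdicts[name] for name in combo}, k=1)
        if best is None or cov > best[1]:
            best = (combo, cov)
    return best


if __name__ == "__main__":
    print("single engines:", single_engine_coverage(VERDICTS))
    for k in (1, 2, 3):
        print(f"at least {k} engine(s):", n_version_coverage(VERDICTS, k))
    print("best pair:", best_subset(VERDICTS, 2))
```

Raising k trades the coverage gain away again, so a consensus rule has to be tuned against the false-positive rate of the weakest engine in the pool.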
While the technique could help companies recognize threats faster, licensing three or four engines per user would be prohibitively expensive. So, for now, automated detection based on multiple antivirus scanners seems to be a dead end.