Information Security News
mailing list archives
eEye Enters Antivirus Business with Blink Suite
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 30 Jan 2007 01:37:59 -0600 (CST)
http://www.betanews.com/article/eEye_Enters_Antivirus_Business_with_Blink_Suite/1170087333
By Scott M. Fulton, III
BetaNews
January 29, 2007
The security research firm that first came to prominence in 2001
after having discovered the gaping security hole in Microsoft Internet
Information Services exploited by the worm it dubbed "Code Red," has
thrown its hat all the way into the security software ring. This
morning, eEye becomes an anti-virus company, going to bat against
Symantec and McAfee, and integrating Norman anti-virus technology into
its Blink Professional security suite.
What will distinguish the new Blink from its competition is Norman's
approach to evaluating executable program behavior before it runs. As
eEye Chief Technology Officer Marc Maiffret explained to BetaNews, the
new Blink system will actually run executable files in a protected
virtual machine, which the company says will still be called the Norman
SandBox.
When eEye began scouting potential anti-virus vendors for inclusion in
the new Blink, Maiffret said, "we had a large kind of honey pot that we
had set up with about 20 or so antivirus vendors, and consistently the
one company that kept detecting viruses ahead of time, before everybody
else, was Norman. The reason we liked it is because they have real great
generic technology to be able to generically identify viruses based on
their characteristics, rather than constantly updating a known
signature database."
The Norman SandBox, Maiffret described, is a fast, stand-alone virtual
machine, which tests the code of executables to see whether they'll do
interesting things, such as changing the Windows System Registry startup
keys, or some very interesting things, such as connect to an IRC chat
server somewhere in Russia.
Rather than scan everything all the time, however, the new Blink will
scan newly discovered executables, and may perhaps rescan them if, for
instance, their patterns or file size appears to have changed. But if
it's the same executable, by default, Blink will only scan it once.
As Maiffret added, it's this type of active investigation of executables
on users' systems that will define the new Blink suite.
"The virus writers have gotten to the point where they're able to create
so many different types of viruses, and do just enough to change them so
that their signatures are constantly different," remarked Maiffret. "So
for the 'Virus 1.0' companies like the Symantecs and McAfees of the
world, which have never really had to innovate because they're the
market leaders and have never really been challenged, it's been okay for
them to just continue to do signatures and charge everybody for them,
and go down that path. But for the most part, consumers and definitely
large enterprises and companies, the signature game just doesn't work.
They're constantly out of date. If you miss the signature update one
night, and you're on the wrong Web site the next day, you're basically
at potential risk of being compromised, especially with the new types of
threats that are happening like zero-day attacks - stuff that anti-virus
was never meant to protect from in the first place."
That said, Blink will use a signature-based system as a backup. "One of
the things we always believed with Blink is that you should do
everything generic as much as possible, at the same time knowing that
it's not a perfect science," Maiffret told BetaNews. "If you look at
security in general, not just viruses, there's always a point where
you're never going to have the perfect generic security system, because
the more 'perfect' you get at generically securing things, the more
chance you increase the potential for false positives, and things of
that nature." For that reason, the "generic" part of the suite - the
part that examines each new case with a fresh perspective - may be about
80% effective, Maiffret said, which is good because the signature-based
backup system will identify the other 20%.
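The layered design the article sketches (a sandbox that flags behaviour such as startup-key writes and IRC connections, a signature lookup as the backup for what the generic check misses, and a scan-once cache that only rescans when an executable's size or contents change) can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not eEye's or Norman's code. The sandbox events, registry paths, port list, file paths and signature table are all constructed, and `fake_sandbox` stands in for a real sandbox run.

```python
"""Toy model of behaviour-first scanning with a signature fallback and a
scan cache. Illustrative only; every event, path and signature is constructed."""
import hashlib
from dataclasses import dataclass, field

# Registry locations that make a program start with Windows. A freshly
# downloaded executable writing here is a classic persistence indicator.
STARTUP_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
IRC_PORTS = {6667, 6668, 6669, 6697}

# Constructed signature table: sha256 of sample bytes -> family name.
SAMPLE_BAD = b"MZ-constructed-sample-known-bad"
SIGNATURES = {hashlib.sha256(SAMPLE_BAD).hexdigest(): "Constructed.Family.A"}


@dataclass
class Verdict:
    malicious: bool
    reasons: list = field(default_factory=list)
    source: str = "generic"  # "generic", "signature" or "cache"


def behaviour_verdict(events):
    """events: (kind, detail) tuples recorded while the sample ran in the
    sandbox, e.g. ("reg_write", key) or ("connect", (host, port))."""
    reasons = []
    for kind, detail in events:
        if kind == "reg_write" and any(
            detail.upper().startswith(k.upper()) for k in STARTUP_KEYS
        ):
            reasons.append(f"writes startup key {detail}")
        elif kind == "connect":
            host, port = detail
            if port in IRC_PORTS:
                reasons.append(f"opens IRC connection to {host}:{port}")
    return Verdict(bool(reasons), reasons, "generic")


def signature_verdict(data):
    """Backup check: exact-hash lookup in the constructed signature table."""
    family = SIGNATURES.get(hashlib.sha256(data).hexdigest())
    return Verdict(family is not None, [family] if family else [], "signature")


class Scanner:
    """Scans an executable once; rescans only if its size or hash changes."""

    def __init__(self, sandbox):
        self.sandbox = sandbox  # callable: bytes -> list of sandbox events
        self.cache = {}         # path -> (size, sha256, Verdict)

    def scan(self, path, data):
        size, digest = len(data), hashlib.sha256(data).hexdigest()
        cached = self.cache.get(path)
        if cached and cached[0] == size and cached[1] == digest:
            v = cached[2]
            return Verdict(v.malicious, v.reasons, "cache")
        verdict = behaviour_verdict(self.sandbox(data))
        if not verdict.malicious:
            sig = signature_verdict(data)  # catch what the generic pass missed
            if sig.malicious:
                verdict = sig
        self.cache[path] = (size, digest, verdict)
        return verdict


def fake_sandbox(data):
    """Constructed stand-in for a sandbox run: canned events per sample."""
    if b"irc-bot" in data:
        return [
            ("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
            ("connect", ("irc.example.invalid", 6667)),
        ]
    return [("file_read", r"C:\Windows\System32\kernel32.dll")]


def demo():
    """Runs four scans: a behaviourally suspicious sample, the same sample
    again (served from cache), a signature-only hit, and a clean file."""
    s = Scanner(fake_sandbox)
    first = s.scan(r"C:\Users\u\dl\tool.exe", b"MZ-constructed-irc-bot")
    again = s.scan(r"C:\Users\u\dl\tool.exe", b"MZ-constructed-irc-bot")
    known = s.scan(r"C:\Users\u\dl\old.exe", SAMPLE_BAD)
    clean = s.scan(r"C:\Users\u\dl\notepad.exe", b"MZ-constructed-benign")
    return first, again, known, clean


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The cache key deliberately combines size and hash rather than the path alone, which is what lets an in-place replacement of a trusted binary trigger a fresh sandbox run; the same mechanism is why a cache keyed only on path would be a weakness.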
Other vendors tend to maintain huge signature databases, he noted, for
files that may not even pertain to the software people use. A research
team such as eEye, he argued, recognizes this fact in advance. But on
the other hand, while it's tempting to create the security suite with
every feature every geek (and Marc knows some) would ever want, too much
preventative action could actually end up compromising security, as he
implied has already been seen with other vendors.
"Sometimes in the security world, people think black and white in terms
of what you have to do for security," he said. "The reality is, you do
have to think about things in terms of performance and usability,
because at the end of the day, people don't really care how great and
how secure they are, if it's a pain to use their PC, they're not going
to want to use your software."
Sure, corporate antivirus uses heuristic analysis measures and not just
signatures, Maiffret conceded. But translating those administrative
features to a consumer level just isn't practical. "Would any consumer
ever want to maintain running it, configuring it, teaching it new
things?... Users just don't care about that stuff. They don't really
know the right decisions to make. No, they would never want to do that."
In the first part of our interview with Marc Maiffret last week, he told
us his company will continue to deal directly with firms like Microsoft,
in cases where eEye discovers a potentially exploitable threat. Yet his
company's first priority, in terms of awareness and prevention, will
remain the public at large... and if others don't like that, they'll just
have to deal with it.
At press time, the previous edition of Blink Professional remained
available on eEye's Web site. The previous edition sold for $59.95 for a
single-user license. Availability for Windows XP is expected to be
immediate, with Vista availability following thereafter - Maiffret said
he doesn't anticipate the problems with Vista that his newly challenged
competitors have been complaining about.
"In Microsoft's effort to try to protect from [rootkit attacks], they've
kinda locked out companies like Symantec and McAfee," Maiffret noted.
"But there's so many different ways to protect the host; it just turns
out the way that one of the McAfee products protects the host is very
similar to how hackers' rootkits tie into the system. So there's
definitely going to be problems like that, but I don't think you can
blame Microsoft as the bad guy, necessarily. They've created a balance
now where they've created extra gateways to hooking parts of the
operating system... Microsoft has done a much better job with Vista than
with anything previous, to make it more secure. At the same time,
conspiracy theories aside, people shouldn't forget the fact that
Microsoft has, as a business, made a conscious effort to answer the
anti-virus market."
Maiffret said he welcomes competition from Microsoft and what he truly
believes are the major players. With Microsoft on one side and eEye on
the other, they're both liable to shake things up in this market pretty
vigorously.