Business Issues Security & Risk
Business Issues Channels Enterprise Services SME Technology
Module Header
Craig WentworthMWD Advisors
Craig Wentworth
16th April - Egnyte the blue touchpaper...
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - Managed Print Services: Are SMBs Ready?
Louella FernandesLouella Fernandes
Louella Fernandes
11th April - The Managed Print Services (MPS) Opportunity for SMBs
Simon HollowayThe Holloway Angle
Simon Holloway
11th April - Intellinote - capture anything!
David NorfolkThe Norfolk Punt
David Norfolk
11th April - On the road to Morocco


Symantec release highlights the art of greylisting
Bob Tarzey By: Bob Tarzey, Service Director, Quocirca
Published: 1st April 2011
Copyright Quocirca © 2011
Logo for Quocirca

In February, Symantec released a new version of its Endpoint Protection suite—SEP 12 and the associated small business editions SEP SBE 12. It contains all the usual stuff you would expect to find in such suites: antivirus/spyware, desktop firewall, intrusion prevention and so on. So what’s new?

Well, as ever, Symantec has focused on performance, to ensure that the product has minimal impact on desktop performance—a focus all desktop security vendors must have. It has also improved support for virtual desktops, where scans can have a big impact on the performance of the servers that run them if multiple scans are invoked at the same time. However, the feature Symantec was keenest to talk about was an upgrade to the way its Insight file reputation service works.

Insight is a cloud-based service that backs all Symantec malware protection products including Norton for consumers. Insight assesses the threat an executable file might represent based on a number of factors including prevalence, age, provenance and reputation, and returns a rating that can be used when setting security policies, sometimes called greylisting (as opposed to whitelisting = good, blacklisting = bad).

For example, a file over two months old with thousands of users is likely to be safe, while one created yesterday, with no known users, looks decidedly risky. With V12 it has made a change that allows security administrators to set policies rather than end users, as was the case in previous versions.

With Insight, “executable” files include traditional EXE files, driver files (including printer drivers), screen savers, DLLs, OCXs, MSI Installer files, etc. Insight does not rely on file extensions to recognise such files but examines all files to see if they are known and, if not, checks to see if they are actually executable. At present Insight has a community-based security rating for 2.5 billon files—good, bad and grey. This data is collected by Symantec’s Global Intelligence Network, which consists of more than 175 million endpoints that run Symantec’s security software and have opted-in submission of threat data and from Symantec’s hosted services or gateway products.

All well and good, but all the major security vendors have protection networks and these all include file reputation services. So, is Symantec catching up with or jumping ahead of the competition? Here are three examples:

  • McAfee’s Global Threat Intelligence also includes file reputation. It catalogues known bad files and greylists files that might be bad. Like Symantec Insight it uses a file scoring algorithm, however McAfee does not whitelist. Quarantine thresholds can be configured depending on a given customer’s tolerance for risk. McAfee is not just relying on the file itself, but other information such as network connection reputation and mode of arrival: for instance is it attached to a “spammy” email.
  • Trend Micro’s Smart Protection Network (SPN) has been around for over five years and has included file reputation since 2008; it also greylists files as suspicious. To do this it looks at the file's behaviour and heuristic information.  Suspicious files are checked against whitelists to minimise false positives.  Information on new files is then fed back to SPN for analysis and confirmation as to whether they are truly malicious or not.
  • Blue Coat’s threat protection network is called Web Pulse. It has been profiling web traffic for over five years and it is central to all its security products. It greylists malware based on provenance, history, behaviour, mode of arrival and previous knowledge of a particular file.

The truth is, as Blue Coat’s spokesperson told Quocirca, threat protection networks are “table-stakes” for security vendors. You have to have one and it has to work. The vendors vary in the approaches but they all do the same sort of things. The speed at which new threats are discovered will depend on the size of the network, and as one of the biggest suppliers of security software to both businesses and consumers, Symantec’s is big.

Perhaps the biggest such network sits behind Microsoft Forefront security offerings and the Microsoft Malware Protection Centre (MMPC). But as Quocirca has reported before, Microsoft has other shortcomings when it comes to security, mostly to do with its inward focus—only protecting its own infrastructure. This is where specialist security vendors definitely have the upper hand, for example Symantec’s SEP 12 includes protection for Mac OSX and Linux. An on-going race will be to extend protection to smartphones and tablets with their new range of operating systems. SEP 12 does not address this, but then nor do most of its competitors.


Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761