Careful, Trend Micro Might Give You a Bad Web Reputation
"It's not dead," said the co-founder of the company that practically invented gateway virus scanning. "But you cannot survive by just doing [scanning and signature matching]; you must expand beyond that technology."
What she said next didn't necessarily astound me, since it was the reason we were having dinner, but it fascinated me because it makes perfect sense but is nearly impossible to execute.
The next stage in the antivirus evolution, according to Chen, is "reputational analysis." The newly released OfficeScan 8.0 will include endpoint security features that will block access to Web sites that have a reputation as sources for malicious activity.
Wow! It's security software that will automagically tell you that you're in a bad neighborhood of the Internet. From what Chen described, this is more than just the real-time blackhole lists (RBLs) from the early days of the spam wars. Trend Micro will actively scan more than 300 million Web pages -- home pages, directories and downloadable materials -- for evidence of bots, viruses and other contagions.
"The nature of the Web threat is to always look back to the hacker," she said. "Instead of investigating each crime, we link back to the command and control center of the attack."
Indeed, botnets are the preferred method for compromising hundreds, if not thousands, of machines for launching DDoS attacks, spam floods and spyware distribution. Compromised Web sites, servers and host machines are often invisible to the casual user. By giving security software automatic updates to block sites with the worst reputation for spreading malware, users could, in theory, cut down on the propagation of malware.
I say "in theory" because behavioral and reputational analysis does have its limitations. Reputational analysis isn't a new idea. E-mail security pioneer CipherTrust (now owned by Secure Computing) introduced reputational awareness a few years ago to combat spam and phishing. Websense and SurfControl operate on the presumption of inspecting Web traffic for malicious content before it hits the perimeter.
Trend Micro's implementation would bring reputational protection from the network level to the host. Here's the problem Trend Micro and everyone else who tries reputational analysis faces: pure volume. Last November, the number of domains passed 100 million, doubling the size of the Internet in just over two years. Roughly half are very active sites, in which content changes frequently. If the Internet is doubling in size every two years, and 50 percent of the sites are active, keeping accurate intelligence of all the bad apples is, to say the least, challenging.
Reputational analysis feels a bit like behavioral analysis, a form of security monitoring and intrusion prevention based on anomalous network traffic that was pioneered by companies such as Mazu Networks and Lancope. The problem with behavioral analysis is that the more information you collect, the less certain the end intelligence becomes. In other words, keeping up with all of the possible variations and exceptions vs. real-world activity is extremely difficult.
Time is the other issue. As many Web sites discovered before the age of the CAN-SPAM Act, getting off an RBL is significantly harder than getting on. Reputational analysis may tag a site as being malicious, but what will it do about remediation? Will the system notify the site owners, or will a sudden drop in traffic be the indication of a larger problem? Even if the site is remediated, it will be interesting to see how long it takes for the Trend Micro scanners to swing around to do a reassessment.
Now, is this a completely bad idea? Is it so complicated that it's not worth trying? As Chen said, "The Web threat is still invisible; it's a silent killer." Indeed, conventional signature-matching AV scanners and other anti-malware technology aren't enough. Working in concert with conventional AV tools, reputational analysis could add more punch in the war against malware. But I'm going to reserve praise until we see its true effectiveness in the real world.
What do you think about reputational analysis? Do you think it will put a dent in the fight against malware? Send me your thoughts or post them below on our discussion board.
