eEye Enters Antivirus Business with Blink Suite
The security research firm known that first came to prominence in 2001 after having discovered the gaping security hole in Microsoft Internet Information Services exploited by the worm it dubbed "Code Red," has thrown its hat all the way into the security software ring. This morning, eEye becomes an anti-virus company, going to bat against Symantec and McAfee, and integrating Norman anti-virus technology into its Blink Professional security suite.
What will distinguish the new Blink from its competition is Norman's approach to evaluating executable program behavior before it runs. As eEye Chief Technology Officer Mark Maiffret explained to BetaNews, the new Blink system will actually run executable files in a protected virtual machine, which the company says will still be called the Norman SandBox.
When eEye began scouting potential anti-virus vendors for inclusion in the new Blink, Maiffret said, "we had a large kind of honey pot that we had set up with about 20 or so antivirus vendors, and consistently the one company that kept detecting viruses ahead of time, before everybody else, was Norman. The reason we liked it is because they have real great generic technology to be able to generically identify viruses based on their characteristics, rather than using constantly updating a known signature database."
The Norman SandBox, Maiffret described, is a fast, stand-alone virtual machine, which tests the code of executables to see whether they'll do interesting things, such as changing the Windows System Registry startup keys, or some very interesting things, such as connect to an IRC chat server somewhere in Russia.
Rather than scan everything all the time, however, the new Blink will scan newly discovered executables, and may perhaps rescan them if, for instance, their patterns or file size appears to have changed. But if it's the same executable, by default, Blink will only scan it once.
As Maiffret added, it's this type of active investigation of executables on users' systems that will define the new Blink suite.
"The virus writers have gotten to the point where they're able to create so many different types of viruses, and do just enough to change them so that their signatures are constantly different," remarked Maiffret. "So for the 'Virus 1.0' companies like the Symantecs and McAfees of the world, which have never really had to innovate because they're the market leaders and have never really been challenged, it's been okay for them to just continue to do signatures and charge everybody for them, and go down that path. But for the most part, consumers and definitely large enterprises and companies, the signature game just doesn't work. They're constantly out of date. If you miss the signature update one night, and you're on the wrong Web site the next day, you're basically at potential risk of being compromised, especially with the new types of threats that are happening like zero-day attacks - stuff that anti-virus was never meant to protect from in the first place."
That said, Blink will use a signature-based system as a backup. "One of the things we always believed with Blink is that you should do everything generic as much as possible, at the same time knowing that it's not a perfect science," Maiffret told BetaNews. "If you look at security in general, not just viruses, there's always a point where you're never going to have the perfect generic security system, because the more 'perfect' you get at generically securing things, the more chance you increase the potential for false positives, and things of that nature." For that reason, the "generic" part of the suite - the part that examines each new case with a fresh perspective - may be about 80% effective, Maiffret said, which is good because the signature-based backup system will identify the other 20%.
Other vendors tend to maintain huge signature databases, he noted, for files that may not even pertain to the software people use. A research team such as eEye, he argued, recognizes this fact in advance. But on the other hand, while it's tempting to create the security suite with every feature every geek (and Marc knows some) would ever want, too much preventative action could actually end up compromising security, as he implied has already been seen with other vendors.
"Sometimes in the security world, people think black and white in terms of what you have to do for security," he said. "The reality is, you do have to think about things in terms of performance and usability, because at the end of the day, people don't really care how great and how secure they are, if it's a pain to use their PC, they're not going to want to use your software."
Sure, corporate antivirus uses heuristic analysis measures and not just signatures, Maiffret conceded. But translating those administrative features to a consumer level just isn't practical. "Would any consumer ever want to maintain running it, configuring it, teaching it new things?... Users just don't care about that stuff. They don't really know the right decisions to make. No, they would never want to do that."
In the first part of our interview with Marc Maiffret last week, he told us his company will continue to deal directly with firms like Microsoft, in cases where eEye discovers a potentially exploitable threat. Yet his company's first priority, in terms of awareness and prevention, will remain the public at large...and if others don't like that, they'll just have to deal with it.
At press time, the previous edition of Blink Professional remained available on eEye's Web site. The previous edition sold for $59.95 for a single-user license. Availability for Windows XP is expected to be immediate, with Vista availability following thereafter - Maiffret said he doesn't anticipate the problems with Vista that his newly challenged competitors have been complaining about.
"In Microsoft's effort to try to protect from [rootkit attacks], they've kinda locked out companies like Symantec and McAfee," Maiffret noted. "But there's so many different ways to protect the host; it just turns out the way that one of the McAfee products protects the host is very similar to how hackers' rootkits tie into the system. So there's definitely going to be problems like that, but I don't think you can blame Microsoft as the bad guy, necessarily. They've created a balance now where they've created extra gateways to hooking parts of the operating system...Microsoft has done a much better job with Vista than with anything previous, to make it more secure. At the same time, conspiracy theories aside, people shouldn't forget the fact that Microsoft has, as a business, made a conscious effort to answer the anti-virus market."
Maiffret said he welcomes competition from Microsoft and what he truly believes are the major players. With Microsoft on one side and eEye on the other, they're both liable to shake things up in this market pretty vigorously.