Saturday, January 27, 2007

Zero Updates = Improved Protection

Security software sales folks often use a “higher frequency of updates” argument to get customers to buy their products. The truth is more complex - in our world, sometimes the vendors that ship the fewest updates provide the highest levels of protection.

I spent this morning with the team in our anti-malware labs, talking about strategy and current threats. Warezov has been in the news a lot lately, so it was natural that we should touch on this threat in this meeting. When I asked how many updates had gone out to our scanning engine specific to Warezov, I was not surprised to hear that the answer was “virtually none”.

The reason for this is that the heuristic technologies we use in our anti-malware engines are really excellent. Whereas other antivirus and anti-malware vendors are having to send out a ton of updates to deal with this threat, we are currently detecting virtually all Warezov variants “in the wild” using heuristic/behavior-based detection.

So while it might appear that we are not pushing out the same number of updates, we’re actually keeping our customers much safer - by providing “zero day” protection against Warezov variants “out of the box”, with no update required.

Purchasers, the next time someone comes to you with a threat detection product or service, ask them how good their heuristics are. You will improve your quality of service metrics as a result. Because there is always going to be a lag between detection and protection in an update-driven model, detecting threats “in the wild” using advanced heuristics provides a potentially better quality of service than relying on an update-driven mechanism alone.