Thursday, May 24, 2007

Version 5.0 Release

The DLL form of our new v5.0 antivirus scanner engine gets delivered Tuesday. As many of you know, that isn't soon enough for me. ;-)

V5.0 is a major version upgrade for us - the first in four years - and represents the results of four years of continuous development. Here are the highlights of the testing so far:

Our heuristics have been significantly improved to the point where they now beat most zero-day approaches in the market. The advantage of having good heuristics is that whole species of threats can be caught on the fly - without the need for definition files, or prior to triggering a lookup request. This improves response times, and provides additional options with respect to event chains and service levels.

The other improvements in the area of heuristics that we're working on involve dealing with black and gray-listed "packers" - otherwise known as "Russian Dolls". This threat takes the form of a piece of malware wrapped in multiple layers of encrypted code, each of which looks to a normal scanner like a new threat. Typical approaches involve infinite "peeling back" of these layers, and this can slow down devices significantly.

Note: we're not abandoning definition files as the basis for our analysis - not by a long shot. In addition to the new heuristics, the new engine will feature more than 130,000 additional virus definitions. These are not generic definitions but absolute, bit-accurate virus definitions.

These additions will mainly benefit users of our COM SDK desktop products. Currently, our desktop products rely on our superior on-access scanner - and its built-in heuristics engine - to catch threats "on access".

The addition of these def files will bring our on-demand scanner into line with real-time/DVP results and also bring our test scores into line with the market (most currently published tests are of our older on-demand scanner and don't reflect our new analytic capabilities: for example, the most recent AV-Test results reference our 4.93 engine - a product that is nine months out of date).

With respect to the DLL version of our AVSDK that will be delivered Tuesday, this is our most-licensed product, and is typically deployed in high-throughput environments. We've spent a lot of time thinking about how we can improve ROIs in that space, and we've focused mainly on five areas consequential to operating MSSPs:

1. Detection rate
2. Speed of response
3. False positive rate
4. Speed of analysis (throughput)
5. Size of memory footprint

So far, in QA testing, the new engine appears to be showing very good numbers in all these areas - but especially so in terms of throughput and memory footprint. The new engine's optimization will enable us to continue to lower the capital expense costs of our appliance manufacturer and MSSP licensees.

Gateway customers will find the new engine much faster. Practically, what the tests show is that we have the ability to rip through the entire database in a fraction of the time taken by many of the other engines on the market, while maintaining a superior detection rate.

That all adds up to fewer false positives, better detection rates, fewer boxes, fewer air conditioners, and a greater ROI for our partners - all factors that will keep our AV SDK business humming - provided this release comes out on time.
