Avast's virus lab relies on robust community

Avast has more active home users than any other security suite in the world. About 130 million people claim the Prague-based company as their preferred antivirus vendor, so CNET editor Seth Rosenblatt visited their headquarters to find out what makes them so trusted.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Avast's virus lab remains undecorated, yet nevertheless is the heart of the company. Seth Rosenblatt/CNET

Seemingly random names are embossed on the interior glass walls of the Avast offices and conference rooms in its Prague headquarters, and the June morning light illuminates them from behind. Written in black, these names and the orange-colored names of cities below them are, in fact, the forum nicknames of the people who use Avast and the cities they originate from. It appears there are Avast users on every continent, and that, said the company's CEO Vincent Steckler, is by design.

"Two-thirds of new users come from personal recommendations," he said. "Trying to get 35 million users from direct marketing is nearly impossible, so we have to rely on the community." Originally from the United States but living in Prague since he took over as Avast's chief officer in July 2009, Steckler is a numbers man. He touts the raw numbers of Avast's achievements with a pride that most parents reserve for a straight-A report card from their kids.

He gleefully told CNET that Avast can boast 29 countries with at least 1 million active users each. He pointed to Brazil having just passed France as the country with the most Avast active users, both with 12 percent. The United States is in third with 8 percent, but Americans lead with the most Avast paid-upgrade installs. Five percent of its actives are in Russia, which Steckler said puts the country fourth on Avast's list and gives the company more active users there than the Moscow-based Kaspersky.

"We have about 1 million users per employee," Steckler noted. Avast's Marketing Director Miloslav Korenko quipped, "This is the first marketing job in my career that I don't have a marketing budget."

Steckler--a former senior vice president of sales for Symantec, the makers of Norton--said that Avast has about 20 million more active users than its nearest competitor, AVG, because "there is no difference in malware protection between free and paid."

How Avast builds protection
More so than any third-party efficacy test, Avast relies on its reputation with users to fuel its growth. On CNET's Download.com, the free version of Avast is the only program with a 4.5-star rating from readers with more than 10,000 votes. Jindrich Kubec, Avast's director of antivirus research, said that to keep individuals safe Avast must deal with the same problem that all antivirus vendors struggle with. "The one single biggest challenge is the number of samples every day. This is the biggest challenge for everyone in the industry."

Also like its competitors, Avast's detection starts with gathering threat samples. Kubec said that the company sees about 50,000 to 60,000 new virus samples per day, while Steckler added that about 15,000 of those are actually unique. The difference is that the former number is the raw number of virus threats detected, whereas the latter is the number of polymorphic virus families. As the name implies, the members of such a family behave or look similar, with only slight variations, so they are considered part of the same group.

Kubec also pointed out that the "bad guys" are extremely responsive. "They have very fast reactions. It takes about 3 hours after a threat has been stopped for the virus maker to put out a new one," which he clarified to mean a new variant.

Avast has built about 5 million "honeypots" around the Web for picking up on threats early, and it also relies heavily on its CommunityIQ database, Kubec said. "We see hundreds of gigabytes per week in our own feeds, so we have lots of metadata and heuristics over the metadata. We have the automated way of detecting something, and we have the manual power to decide quickly," he said.

The honeypot attracts threats and stops them before they reach people. For example, Kubec said, "we know that some domains are really bad, [they're] just for malware. So we have some honeypots that know the binary from that domain, and then it gets killed." He cited the CZ.CC, CO.BE, and VB.CC domains, as well as the old Soviet domain .SU, as notorious sources of malware.

Most if not all major consumer security vendors manage a database like Avast's CommunityIQ, which gets its anonymously contributed security data from its users. Within the program itself, CommunityIQ uses automated processes to gather its data, mostly from the program's behavior shield and anti-rootkit modules. "Rootkits are considered the most dangerous kinds of malware and the most difficult to remove," said Ondrej Vlcek, Avast's chief technical officer. "So we struck a deal with the maker of the popular GMER to integrate it into Avast. We've developed it further," to both integrate it and make it more powerful at rootkit detection, he said.

Avast CEO Vincent Steckler. "It's not just the community, it's the influencers with the community," he said. "If they see that you're annoying their mother or their friends, they're going to stop recommending you." Seth Rosenblatt/CNET

The data that CommunityIQ gathers includes "safe" programs as well as malicious ones, Kubec said, and provides Avast with a broad base of data in exchange for securing your computer. While the "Little Brother" implications may worry some, it's clearly a trade people are willing to make. "About 60 [percent] to 80 percent [of active users] opt in to the community reporting," said Steckler, who added that CommunityIQ is an opt-out choice when you install Avast. That means that during the install, users must actively choose to remove themselves from CommunityIQ, although doing so does not decrease the level of protection that Avast provides.

Preprocessing helps Kubec's team manage the virus samples that come in. By the time that one of his analysts starts working on a sample, he said, they already know its file name and metadata. Not unlike competitor AVG, Avast's virus lab runs the sample in a virtual machine through the company's proprietary tools to get a graphical layout and entropy map of the file. From there, "we search for something rare in files," said Michal Trs, a senior virus analyst at Avast.

One of 30 analysts the company employs, all based in its Prague office, he explained his comment further by saying that he and his colleagues look for code in a file that shouldn't be there, like an executable command hidden in an image file. "It's not perfect, but it does look for the file signature for metamorphic viruses and polymorphic viruses. We know that our tool is a program that the virus is not prepared for."

After generating the entropy map and determining that a file is indeed a threat, the analyst generates a checksum for it and pushes the update to Avast's users. A checksum is a fixed number generated by a tool that essentially "fingerprints" the file. If the data inside the file changes, whether by a virus or by authorized means, the checksum changes. Similar to how the police might compare fingerprints, the checksum has proven to be an effective tool for verifying a file's contents.
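
The two steps described above, an entropy map that exposes "something rare" in a file and a checksum that fingerprints it, can be sketched as follows. This is an added example, not Avast's proprietary tooling; the function names, the 512-byte window, the 7.0 bits-per-byte cutoff and the use of SHA-256 as the checksum are all assumptions, and the sample file is constructed.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())

def entropy_map(data: bytes, window: int = 512) -> list[float]:
    """Entropy of each consecutive fixed-size window across the file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def rare_regions(data: bytes, window: int = 512, threshold: float = 7.0) -> list[int]:
    """Offsets of windows above the cutoff (assumed value), i.e. regions that
    look compressed or encrypted and stand out from the rest of the file."""
    return [i * window for i, h in enumerate(entropy_map(data, window)) if h > threshold]

def fingerprint(data: bytes) -> str:
    """Checksum of the whole file; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).hexdigest()

def build_sample() -> tuple[bytes, bytes]:
    """Constructed input: a repetitive, low-entropy body, and the same body with
    a pseudo-random blob appended to stand in for hidden packed content."""
    plain = b"\x00\x01\x02\x03" * 512                      # 2048 bytes
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(32))                    # 1024 bytes
    return plain, plain + blob

if __name__ == "__main__":
    plain, suspicious = build_sample()
    # Text rendering of the entropy map: one bar per window.
    for offset, h in zip(range(0, len(suspicious), 512), entropy_map(suspicious)):
        print(f"{offset:6d}  {h:4.2f}  {'#' * int(h * 4)}")
    print("high-entropy offsets:", rare_regions(suspicious))
    print("checksum before:", fingerprint(plain))
    print("checksum after :", fingerprint(suspicious))
```

An exact checksum matches only byte-identical files, so a variant that differs by a single byte produces a different fingerprint.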

The last step, Vlcek added, is making sure the new rule is risk-free. "Before we push a rule out we test it so it doesn't hurt the user. We have seen few complaints," he said.

The changing threatscape
Defining what constitutes a threat to a person's computer security may appear on its face to be an easy task. Perhaps it once was. Today, however, Kubec said we face a much more challenging task in figuring out what is a threat that a traditional antivirus company ought to handle. "The border of where we should interfere is very difficult. Some users want more security. Some want less. It's harder to define what is a virus," he said.

The bad guys, he continued, can simply buy their way into being bad guys. "They can buy server hosting, exploit kits, hire interface designers, hire accountants...I believe that the number of people writing the malware is very low, but the number of clients buying it is very high."

Worse than that, he added, is the way that social engineering is driving creativity in newer threats. "There was a very strange kind of fraud in Slovakia, where [the people committing the fraud] were getting people to register a username on what looked like a normal site. So you tick [the box] that you accept, and then in the TOS, in the small print it said you owe them $90 per year," he said. "They were not charging you for the software, they're charging you for the link to the software."

Jindrich Kubec, Avast's director of antivirus research: "The bad guys are adopting new techniques like caching servers, and they are downloading the malware constantly so it looks it's a new version--but it's really nearly the same." Seth Rosenblatt/CNET

But, Kubec says, the burden of protection should not rely on the Internet service provider. "ISPs should not alter your results, they should just deliver the data. That's what they're paid for." And search engines like Google, he said, are "good" but "too slow."

"When you see a Web-based infection, it's a chain. So should Google block the original site that has a bad iFrame on a good site? I don't know," he said, shaking his head. Kubec laid a lot of the blame on unscrupulous ad agencies that he says don't care where the ads come from, even though they are being used to deliver malware and exploit people's computers.

Vlcek explained how that works. "The JavaScript doesn't usually contain the malicious payload. Instead, it scans the computer for vulnerabilities. It looks at Java, PDFs, Flash, and it only takes one to infect the computer."

Kubec also said that, at least in Europe, people have been getting malware just from listening to music. "You can run a standalone music application, which displays an ad. If it hits a Java exploit, you get infected." He also criticized the blogging tool WordPress for its shared theme plug-ins, because they're often written with backdoors installed, creating yet another vector by which hackers can access your Web site.

Whatever the nature of the threat, the bottom line for Steckler is reduced to Avast's reputation. "It's not just the community, it's the influencers with the community," he said. "If they see that you're annoying their mother or their friends, they're going to stop recommending you. If we've got the choice between near-term revenue or long-term user happiness, we'll go with long term."