Symantec's Ubiquity takes broad view of malware

With its Ubiquity product, the company aims to protect customers against targeted, mutated malware, which can be hard to detect via more traditional virus fingerprints.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

Symantec says it has a new method for combatting malware, one that taps into a wider repository of information on potentially malicious code.

The security vendor today announced its new Ubiquity product, which combines data analyzed from the PCs of Symantec customers with Symantec's own Global Intelligence Network to combat new and mutating types of threats.

First featured in Symantec's Norton 2011 security product lineup and in its Hosted Endpoint Protection, Ubiquity is now gearing up for a rollout across a wider range of enterprise products in the coming year, starting with Symantec Web Gateway, the company said.

"By harnessing the anonymous software usage patterns of more than one hundred million customers, Ubiquity allows Symantec to compute a unique safety rating for virtually every software application on the Internet," Stephen Trilling, senior vice president of Security Technology and Response for Symantec, said in a statement. "This gives us the ability to protect our customers against targeted, mutated malware that would otherwise evade traditional virus fingerprints."

Using traditional protection, security companies have to capture and analyze specific types of malware to determine how to defend against them. While some malware strains can hit millions of computers, other strains affect only a small number. Last year, Symantec discovered 240 million unique threat samples on an average of fewer than 20 computers each and many on just a single PC. Analzying every threat, both large and small, puts a strain on traditional malware detection methods.

Employing a different approach, Ubiquity runs a thorough analysis of each infected file to determine its context--where it came from, how old it is, and how widespread it is, and then assigns it a security rating. Cybercriminals can easily change a malware's file contents to sneak past traditional antivirus signatures, but they have less control over the other information that Ubiquity is able to collect, Symantec said.

Ubiquity also tries to cut down on the number of false positives. Beyond storing data on malware, it gathers ratings for just about every legitimate application on the Internet, essentially giving it a huge white list of trusted software and helping it more intelligently figure out which files to block and which to leave alone. Based on anonymous software usage feedback from Symantec customers, Ubiquity's database now contains safety ratings on more than 1.5 billion files, both good and bad, and is adding around 22 million new files each week, according to the company.

Symantec also claims Ubiquity is faster at antivirus scanning than traditional scanners as it looks at only those files identified as risky. Finally, the data offered by Ubiquity can help IT administrators better control which software their users can run and which software is risky and off-limits.