Longtime readers know that I abhor antimalware companies that promise 100 percent detection. It's No. 3 on my vendor snake oil list. Many companies have made similar guarantees in the past, and none has come close to fulfilling them. If it could be done, don't you think McAfee, Symantec, Microsoft, or any of the other 100-plus antimalware vendors would have figured it out billions of dollars ago?
Now along comes another company, Trustwave, to raise the red flag and guarantee 100 percent detection. This surprised me because I'm a fan of Trustwave. What I knew of its business and reputation was that of a trustworthy MSS (managed security service) provider.
[ 5 lessons from companies that get computer security right | Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld's Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld's Security Central newsletter. ]
I called Trustwave and talked to Leo Cole, general manager of security solutions, and Stephen Brunetto, director of product management. I wanted to know what Trustwave was doing that no other antimalware company could manage.
Brunetto, a veteran with more than 10 years of experience, explained that Trustwave very much understood the scrutiny and challenges it would face by making such a bold claim, and it didn't make the choice lightly. He said the decision was eased by the fact that it has existing customers, including a bank, that have gone without a single malware program getting past the product for two-plus years now.
The secret sauce
Trustwave's detection method intercepts Web traffic before it reaches the user's browser, assembles the whole Web page, and downloads and executes all of its content in real time, watching for malicious behavior.
Many other antimalware vendors and products do this, and have done so for many years. Behavior checking is also known as heuristics, and heuristic analysis never became the perfect panacea that most antimalware vendors hoped it would be. Most vendors also do environment simulation or emulation to see what a program would do if it were executed.
How does Trustwave's solution differ? The company says most antivirus vendors analyze threats using these advanced techniques but don't do as good a job of recognizing threatening behavior. When they do recognize it, the analysis happens offline, after the threat has slipped past at least the first user -- in other words, at least one user must be compromised before the other antimalware engines flag it as malicious. Trustwave said its solution does the inspection in real time, before the content is executed in the first user's browser.
I responded that real-time inspection must significantly slow down the user's experience.
Cole stated that Trustwave's behavioral analysis is remarkably fast:
The accepted threshold for a user noticing browser delay or latency is about 200 milliseconds or one-fifth of a second. Most Web pages are fairly simple, and we can load and test them quite fast. There are some complex Web pages, but most aren't. We even do things like prefetch Web pages, analyzing them in the background before the user has even downloaded the page so we can pass along the approved Web page immediately. In most cases the user doesn't notice the introduced delay caused by our inspection.
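The design described in this section, inline inspection of a fully assembled page before the browser receives it, a latency budget of about 200 ms, and background prefetching, can be sketched as a small simulation. The code below is an added illustration written for this page; it is not Trustwave's code and makes no claim about how its product is built. The page and resource definitions, the per-resource timings, the set of behaviors treated as malicious, and the fail-open versus fail-closed policy are all constructed assumptions. What it shows that the interview does not spell out is the trade-off a defender has to choose when a page cannot be fully inspected inside the budget: hold the page and make the delay noticeable (fail closed), or release it at the deadline and accept that a late-loading resource is never seen (fail open).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# The "about 200 milliseconds" threshold quoted in the article.
USER_NOTICE_BUDGET_MS = 200

# Behaviours a sandbox might observe while running page content. The set treated
# as malicious is a constructed example, not any product's list.
MALICIOUS_BEHAVIOURS = {"drops_executable", "spawns_process", "modifies_autorun"}


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class Resource:
    url: str
    fetch_ms: int                                   # simulated download time
    exec_ms: int                                    # simulated sandbox execution time
    behaviours: frozenset = frozenset()             # what the sandbox would observe


@dataclass
class Page:
    url: str
    resources: list                                 # the whole page is assembled from these
    links: list = field(default_factory=list)       # pages worth prefetching afterwards


@dataclass
class Decision:
    verdict: Verdict
    inspection_ms: int       # sandbox time actually spent
    user_visible_ms: int     # delay the user experiences
    complete: bool           # did the sandbox see every resource?
    cached: bool


class InlineInspector:
    """Gate that assembles and executes a page before the browser receives it (hypothetical)."""

    def __init__(self, pages: dict, budget_ms: int = USER_NOTICE_BUDGET_MS,
                 fail_closed: bool = True) -> None:
        self.pages = pages
        self.budget_ms = budget_ms
        self.fail_closed = fail_closed
        self.cache: dict = {}          # url -> (verdict, inspection_ms) for fully inspected pages

    def _inspect(self, page: Page, deadline_ms: Optional[int]):
        """Run every resource in order; with a deadline, release at the first resource
        boundary past it, even though later resources were never executed."""
        elapsed, verdict = 0, Verdict.ALLOW
        for r in page.resources:
            if deadline_ms is not None and elapsed >= deadline_ms:
                return verdict, elapsed, False
            elapsed += r.fetch_ms + r.exec_ms
            if r.behaviours & MALICIOUS_BEHAVIOURS:
                verdict = Verdict.BLOCK        # keep running so the verdict covers the whole page
        return verdict, elapsed, True

    def prefetch(self, url: str) -> None:
        """Analyse a page in the background so a later request is served from cache."""
        if url in self.pages and url not in self.cache:
            verdict, cost, _ = self._inspect(self.pages[url], deadline_ms=None)
            self.cache[url] = (verdict, cost)

    def request(self, url: str) -> Decision:
        page = self.pages[url]
        if url in self.cache:                       # prefetched: nothing visible to the user
            verdict, cost = self.cache[url]
            decision = Decision(verdict, cost, 0, True, True)
        else:
            deadline = None if self.fail_closed else self.budget_ms
            verdict, cost, complete = self._inspect(page, deadline)
            if complete:
                self.cache[url] = (verdict, cost)   # never cache a partial verdict
            decision = Decision(verdict, cost, cost, complete, False)
        if decision.verdict is Verdict.ALLOW:
            for link in page.links:                 # background prefetch of likely next pages
                self.prefetch(link)
        return decision

    def noticeable(self, decision: Decision) -> bool:
        return decision.user_visible_ms > self.budget_ms


# Constructed sample site: two cheap pages and one heavy page whose last script misbehaves.
SAMPLE_PAGES = {
    "https://example.test/news": Page("https://example.test/news",
        [Resource("https://example.test/news", 40, 20),
         Resource("https://example.test/app.js", 30, 40)],
        links=["https://example.test/story"]),
    "https://example.test/story": Page("https://example.test/story",
        [Resource("https://example.test/story", 50, 30),
         Resource("https://example.test/story.js", 60, 40)]),
    "https://example.test/ads": Page("https://example.test/ads",
        [Resource("https://example.test/ads", 60, 40),
         Resource("https://cdn.example.test/heavy.js", 80, 70),
         Resource("https://cdn.example.test/loader.js", 50, 60,
                  frozenset({"drops_executable", "spawns_process"}))]),
}

if __name__ == "__main__":
    for policy in (True, False):
        gate = InlineInspector(SAMPLE_PAGES, fail_closed=policy)
        for url in ("https://example.test/news", "https://example.test/story", "https://example.test/ads"):
            d = gate.request(url)
            print(f"fail_closed={policy} {url}: {d.verdict.value}, {d.user_visible_ms} ms visible, "
                  f"complete={d.complete}, cached={d.cached}, noticeable={gate.noticeable(d)}")
```

Running it shows the cheap news page clearing in 130 ms, the story page arriving with zero visible delay because it was prefetched, and the ads page either blocked after a noticeable 360 ms (fail closed) or released as allowed at 250 ms with the misbehaving loader never executed (fail open). The second outcome is the gap that any "100 percent" claim has to account for: a latency budget and a complete inspection pull in opposite directions.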