Security firms cutting malware problem down to size

Publicizing large numbers of viruses and malware may be good marketing, but Symantec and others are focused on minimizing their signature databases

Not every company believes bigger is better.

In my recent blog post "Skyrocketing viruses, less danger?" I explained why the exponentially increasing number of malware samples does not necessarily constitute an increased threat. I've since come across two examples of companies that are trying to reduce the number of signatures -- a rough measure of the "different" threats they detect -- in their products.


In the first quarter of 2010, Symantec added about 959,000 new signatures to its products. In the second quarter, the security company created fewer than half that number -- 458,000 signatures. It almost sounds as if the company's researchers are not doing their job. The trend runs counter to the numbers reported by most other security companies, which by their own accounts are creating millions of malware signatures every quarter: 55,000 per day at Panda Security and McAfee, and 60,000 per day at Sophos. Symantec's volume averages about 5,000 new signatures per day.

The difference is Symantec's focus on families of malware, rather than individual binaries or variants.

"The number of variants is blowing sky high," says Gerry Egan, director at Symantec's security response group. "So we are now focusing on generic signatures. One generic signature can replace hundreds of thousands of traditional signatures."

In 2009 alone, Symantec encountered 240 million unique binaries. Reducing that number by focusing on different patterns in malicious software helps streamline its product and gives its virus-scanning engines the ability to detect some malicious behavior, even if the actual binary is new. As an example, Egan points to the company's generic signature for the Farfli family of malicious software. A single generic signature now replaces 350,000 to 400,000 single-sample hashes.
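To make the family-versus-hash distinction concrete, here is an added example (not Symantec's, Avast's, or the article's own code, and not the real Farfli signature). It compares a traditional per-sample hash database with a single generic signature written as a hex pattern with wildcard bytes, in the style of a YARA hex string. The "binaries" are constructed byte strings, and the family pattern `6A 00 68 ?? ?? ?? ?? E8` is an assumed stub chosen for illustration.

```python
"""
Added illustration: why one generic (family) signature can replace a hash
signature per variant. All sample 'binaries' are constructed byte strings,
not real malware; the family pattern is an assumed example.
"""
import hashlib
import re

# --- Traditional signatures: one exact-match hash per unique binary ---------

def hash_signature(data: bytes) -> str:
    """SHA-256 hex digest used as an exact-match signature."""
    return hashlib.sha256(data).hexdigest()

def hash_match(data: bytes, sigdb: set) -> bool:
    """True only if this exact binary is already in the database."""
    return hash_signature(data) in sigdb

# --- Generic signatures: a byte pattern with wildcards for variable bytes ---

def compile_hex_pattern(pattern: str):
    """Compile a YARA-style hex string such as '6A 00 68 ?? ?? ?? ?? E8'
    into a bytes regex; '??' matches any single byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def generic_match(data: bytes, compiled) -> bool:
    """True if the family pattern occurs anywhere in the binary."""
    return compiled.search(data) is not None

# --- Constructed sample family -----------------------------------------------

# Assumed family stub: push 0; push imm32; call ... The 4-byte immediate and
# the leading padding differ between variants, so every variant hashes
# differently even though the stub is the same.
FAMILY_PATTERN = "6A 00 68 ?? ?? ?? ?? E8"

def make_variant(addr: bytes, padding: bytes) -> bytes:
    """Build one constructed variant: polymorphic padding + shared stub."""
    assert len(addr) == 4
    return padding + bytes.fromhex("6A0068") + addr + b"\xe8" + b"\x90" * 4

VARIANTS = [
    make_variant(b"\x10\x20\x30\x40", b"\x00" * 8),
    make_variant(b"\x11\x22\x33\x44", b"\xcc" * 12),
    make_variant(b"\xde\xad\xbe\xef", b"junkjunk"),
]
# Constructed benign file: contains a similar prefix but ends in RET (C3),
# so the family pattern must not fire on it.
BENIGN = b"MZ\x90\x00hello world" + bytes.fromhex("6A006801020304C3")

def compare(samples, family_pattern: str):
    """Return (hash_db_entries, hash_hits, generic_hits) for a sample set.
    The hash database needs one entry per sample; the generic approach
    needs exactly one signature for the whole family."""
    hash_db = {hash_signature(s) for s in samples}
    generic = compile_hex_pattern(family_pattern)
    hash_hits = sum(hash_match(s, hash_db) for s in samples)
    generic_hits = sum(generic_match(s, generic) for s in samples)
    return len(hash_db), hash_hits, generic_hits

def coverage_of_new_variant(known, new, family_pattern: str):
    """Return (hash_detects, generic_detects) for a variant never seen before."""
    hash_db = {hash_signature(s) for s in known}
    generic = compile_hex_pattern(family_pattern)
    return hash_match(new, hash_db), generic_match(new, generic)

if __name__ == "__main__":
    print("hash entries, hash hits, generic hits:", compare(VARIANTS, FAMILY_PATTERN))
    print("new variant (hash, generic):",
          coverage_of_new_variant(VARIANTS[:2], VARIANTS[2], FAMILY_PATTERN))
    print("benign false positive:",
          generic_match(BENIGN, compile_hex_pattern(FAMILY_PATTERN)))
```

The point of the `BENIGN` check is the trade-off the article does not spell out: a generic signature is only as good as the specificity of its pattern. The broader the wildcards, the more variants one entry covers, but the higher the false-positive risk, which is why production generic signatures are validated against large clean-file sets before release.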

Symantec is not alone in this practice. Antivirus firm Avast is also cleaning up its database, which would have hit 3 million signatures this month without this effort, the company states on its blog.

"The main reason for this [work] is to decrease the size of our virus database updates sent to users around the globe," the firm says. "This will reduce the amount of transferred data, subsequently reducing the amount of needed energy and helping, of course, our forests."

While other antivirus firms are likely shrinking their databases as well, most seem to favor publicizing the large number of variants their analysts encounter. Unfortunately, the large number of variants detected by firms is generally used as a proxy for the level of threat online. Yet that is a misleading measure.

Given that many of these variants are created automatically on a daily, if not per-install, basis, the industry should start finding better metrics for the level of threat.

This article, "Security firms cutting malware problem down to size," was originally published on the InfoWorld Tech Watch blog.