Symantec pitches rootkit tech as Veritas validation

Symantec's Raw Disk Scan rootkit search-and-remove app is an example of what kind of technology the Symantec-Veritas merger will bring forth

Some industry watchers may still question why Symantec moved to acquire storage software maker Veritas for $10.2 billion in 2004, but the fruits of the companies' combined labors are already proving the deal a winner, according to executives with the massive security firm.

As part of a recent media tour aimed at highlighting innovation ongoing within the security giant, Mark F. Bregman, CTO at Symantec, said that the Veritas merger has armed the company with a wealth of strategic opportunities.

While some industry and financial analysts have wondered aloud when Symantec would begin marketing technologies that were born as a result of the two companies' merger -- the types of products that Symantec Chief Executive John Thompson touted at the time the deal was announced -- Bregman and Stephen Trilling, vice president of research and advanced development at the firm, said that jointly developed tools are already in customers' hands.

The executives said the best example of technologies made possible by the marriage of the vendors isn't a standalone point product as some observers might have expected but instead an application that helps Symantec's existing antivirus products ward off sophisticated rootkit attacks.

Labeled as Raw Disk Scan, the application -- shipped as a feature of Symantec's corporate AntiVirus and Norton consumer anti-malware packages -- combines a hard drive scanning technology built by Veritas with the security company's own malware detection and removal tools to hunt down and eliminate rootkits.

The Veritas software used in the application allows the technology to directly read sector data from device hard drives and then reconstruct the files for malware scanning without ever needing to access a machine's operating system.

Traditional security applications have carried out such file scans through the OS, allowing rootkits an opportunity to inject code to cloak themselves and circumvent antivirus systems, said Carey Nachenberg, chief architect at Symantec.

"With Raw Disk Scan, we take the most common technique that rootkits and spyware use to hide themselves, what we call file-level stealthing, and bypass all known file-based techniques for those types of programs," said Nachenberg. "It's a great synergy between the two existing technologies that instantly gave us the ability to detect and remove every rootkit we know about today."
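The cross-view idea behind this approach can be shown with an added example, which is not Symantec's or Veritas's code: file names and contents are rebuilt straight from sector bytes, compared with what an OS-level listing reports, and the rebuilt contents are matched against signatures. The disk layout is a simplified FAT-style format assumed for illustration (one directory sector, one sector per file), and the image, API listing and signature are constructed sample data.

```python
import struct

SECTOR = 512
# FAT-style 32-byte directory entry: 8.3 name, attribute, first cluster, size.
ENTRY = struct.Struct("<11sB14xHI")

def build_image(files):
    """Constructed sample disk: sector 0 is the directory, file N lives in sector N+1."""
    directory, data = b"", b""
    for i, (name, content) in enumerate(files):
        directory += ENTRY.pack(name.encode(), 0x20, i + 1, len(content))
        data += content.ljust(SECTOR, b"\0")
    return directory.ljust(SECTOR, b"\0") + data

def raw_scan(image):
    """Rebuild {name: content} from sector bytes alone, without any OS file API."""
    root, found = image[:SECTOR], {}
    for off in range(0, SECTOR, ENTRY.size):
        raw_name, _attr, cluster, size = ENTRY.unpack_from(root, off)
        if raw_name[0] == 0x00:      # end-of-directory marker
            break
        if raw_name[0] == 0xE5:      # deleted entry
            continue
        name = raw_name[:8].decode().strip() + "." + raw_name[8:].decode().strip()
        start = cluster * SECTOR
        found[name] = image[start:start + size]
    return found

def cross_view(image, api_names, signatures):
    """Return (names missing from the OS view, names whose raw content matches a signature)."""
    raw = raw_scan(image)
    hidden = sorted(set(raw) - set(api_names))
    flagged = sorted(n for n, data in raw.items()
                     if any(sig in data for sig in signatures))
    return hidden, flagged

# Constructed sample data (hypothetical names and signature).
IMAGE = build_image([
    ("README  TXT", b"hello"),
    ("HIDDEN  SYS", b"\x90\x90CONSTRUCTED-SIGNATURE\x00"),
    ("NOTES   TXT", b"todo"),
])
API_NAMES = ["README.TXT", "NOTES.TXT"]   # what a filtered OS-level listing reports
SIGNATURES = [b"CONSTRUCTED-SIGNATURE"]

if __name__ == "__main__":
    hidden, flagged = cross_view(IMAGE, API_NAMES, SIGNATURES)
    print("hidden from OS view:", hidden)
    print("signature match in raw data:", flagged)
```

A file that appears in the raw view but not in the OS view is the discrepancy that file-level stealthing produces; the signature match on the rebuilt bytes corresponds to the signature-based first iteration the article describes.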

While the first iteration of Raw Disk Scan searches for attacks using malware signatures and can't detect previously unidentified rootkits, future versions of the product that do so are currently in development, Nachenberg said.

Bregman said that the technology is a prime example of the type of capability engendered by the Veritas merger that those who question the success of the two companies' marriage might have missed.

"We couldn't do this on our own, and Wall Street sometimes misses that point; many times, the big innovation from this merger will come in core improvements of our products," Bregman said.

"I think the misconception was that people thought they were going to wake up the day after the merger and find a new product category, and maybe we were guilty of setting some of those expectations," the CTO said. "Clearly, some people outside the company thought that was what would happen, but Raw Disk Scan is a great example of how we can leverage the combined technologies to solve important problems today."

Bregman said that Symantec is currently building a number of technologies meant to address issues of IT security, availability, and compliance based on tools that came to the company via the Veritas acquisition, including messaging-oriented products that will help enterprises manage controls across all of their e-mail, IM, and collaboration systems.

Some industry watchers agree that Raw Disk Scan is a boon to Symantec's AntiVirus product lineup, having proven itself as a useful tool in battling rootkits in independent tests. 

"Independent firms doing benchmarking have shown that Raw Disk Scan has improved Symantec's ability to detect rootkits," said Andrew Jaquith, an analyst with Yankee Group. "It's clearly a good example of cross-pollination between the companies and shows how the Veritas group can deliver benefits to the malware division."

The analyst agreed with Bregman that such development efforts will be one of the greatest benefits of the Veritas deal but also said that the notion that such product integration answers all the market's questions about the success of the merger might be something of a "red herring" on the part of the CTO.

"Mark has a good point that many analysts thought that there would be some magical transformative technologies born of the deal that would drive growth, but the reality is there likely will be more of this cross pollination," Jaquith said. "But the real criticism of the deal -- which they haven't addressed -- is whether they have been able to take advantage of the cross-selling opportunities between the two companies' customer bases."

"That's what Wall Street was really looking for," the analyst said. "And I'm not sure they've seen all the benefits they expected to realize to that end."

Rachel Chalmers, an analyst with The 451 Group, characterizes herself as a "longtime skeptic" of the Symantec-Veritas marriage who thought the deal was "insane" at the time of its announcement.

However, the analyst said that as time has passed, specifically in light of Symantec's Jan. 2007 buyout of systems management specialists Altiris for $830 million, she's become convinced that the security giant is making strategic moves that will benefit its future.

The combination of the three entities, in particular, makes sense given the trend toward security becoming an aspect of desktop and systems management with storage technologies from Veritas playing an important role in allowing Symantec to build end-to-end management and security applications.

"So what Symantec has really bought through these deals is a foot in the door of enterprise desktop management, and that's probably pretty smart given the questions that exist about the future of standalone security companies," Chalmers said.

"With Symantec and Veritas, my perception was that you had two halves of the company who were not good at talking to each other but still working toward a common future," she said. "Altiris will help fill that gap and create more of an IT systems management company; looking at the combined capabilities of the three companies, these deals should help Symantec bridge the gap between all their traditional markets."
