Not every company believes bigger is better.
In my recent blog post "Skyrocketing viruses, less danger?" I explained why the exponentially increasing number of malware samples does not necessarily constitute an increased threat. I've since come across two examples of companies who are trying to reduce the number of signatures -- a rough measure of the "different" threats they detect -- in their products.
In the first quarter of 2010, Symantec added about 959,000 new signatures to its products. In the second quarter, the security company created less than half that number -- 458,000 signatures. It almost sounds like the company's researchers are not doing their job. The trend runs counter to the numbers reported by most other security companies, which by their accounts are creating millions of malware signatures every quarter: 55,000 per day at Panda Security and McAfee, and 60,000 per day at Sophos. Symantec's volume averages about 5,000 new signatures per day.
The difference is Symantec's focus on families of malware, rather than individual binaries or variants.
"The number of variants is blowing sky high," says Gerry Egan, director at Symantec's security response group. "So we are now focusing on generic signatures. One generic signature can replace hundreds of thousands of traditional signatures."
In 2009 alone, Symantec encountered 240 million unique binaries. Reducing that number by focusing on the patterns shared across a family of malicious software helps streamline its product and gives its virus-scanning engines the ability to detect some malicious behavior even when the specific binary is new. As an example, Egan points to the company's generic signature for the Farfli family of malicious software. A single generic signature now replaces 350,000 to 400,000 single-sample hashes.
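To make the hash-versus-generic trade-off concrete, here is an added illustration (not code from the article or from Symantec) that contrasts a per-sample hash list with one family signature written as a byte pattern with wildcards. The "family" and its opcode stub are constructed for the example; they do not describe Farfli or any real malware.

```python
import hashlib
import re

# Constructed stand-in for the invariant code stub a family shares
# (hypothetical bytes, not taken from any real sample).
STUB = b"\x55\x8b\xec\x83\xec\x10"

def build_variant(junk: bytes, config: bytes) -> bytes:
    """Constructed 'binary': packer junk + shared stub + a 4-byte config
    pushed by 0x68 + a call. Changing junk or config changes the file hash
    while the stub and instruction layout stay the same."""
    return junk + STUB + b"\x68" + config[:4] + b"\xe8\x00\x00\x00\x00"

KNOWN_VARIANTS = [build_variant(b"\x90" * 4, b"cfg1"),
                  build_variant(b"\xcc" * 7, b"cfg2")]
NEW_VARIANT = build_variant(b"\x00\x01\x02", b"cfg9")   # never seen before
BENIGN = b"\x90" * 24                                   # should not match

# Traditional approach: one SHA-256 signature per sample already seen.
HASH_SIGNATURES = {hashlib.sha256(v).hexdigest() for v in KNOWN_VARIANTS}

def hash_detects(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES

# Generic approach: a single family signature; "??" is a wildcard byte so the
# variable config bytes do not matter.
GENERIC_SIGNATURE = "55 8b ec 83 ec 10 68 ?? ?? ?? ?? e8 00 00 00 00"

def compile_signature(sig: str) -> re.Pattern:
    """Turn a hex-with-wildcards signature into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

FAMILY_PATTERN = compile_signature(GENERIC_SIGNATURE)

def generic_detects(sample: bytes) -> bool:
    return FAMILY_PATTERN.search(sample) is not None

def detection_report() -> dict:
    """Compare coverage of the two approaches on known, new and benign input."""
    return {
        "hash_known": all(hash_detects(v) for v in KNOWN_VARIANTS),
        "hash_new": hash_detects(NEW_VARIANT),          # misses the new variant
        "generic_known": all(generic_detects(v) for v in KNOWN_VARIANTS),
        "generic_new": generic_detects(NEW_VARIANT),    # one signature covers it
        "generic_benign": generic_detects(BENIGN),
        "hash_signature_count": len(HASH_SIGNATURES),
        "generic_signature_count": 1,
    }
```

The wildcard pattern is what lets one signature stand in for every variant that keeps the shared stub, which is the effect the article attributes to Symantec's family-level signatures.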