Symantec 's Endpoint Protection (SEP) 12.1 business anti-malware product, released July 6th, is the first of a new generation of security products that will be hitting the market over the coming months.

The threat landscape has changed radically since 2007, when the previous version of Symantec's endpoint security software was released, SEP 11. Back then it and most competing products relied heavily on frequently updated databases of virus signatures to spot malware when it arrived on a computer. With a total of just about 250,000 viruses to watch out for, this approach was practical and effective.


But in the last few years the rate of malware creation has increased dramatically: About 55,000 new ones appearing every day according to Symantec. Many of these are created using malware authoring kits which can generate thousands of variants of a single instance of malware -- each with a different signature.

The result is that any given virus may only be distributed to a handful of end user computers, and 75% of malware infects less than 50 machines.

No security software vendor can generate virus signatures at the rate of 55,000 per day, so protection based on creating virus signatures alone is no longer practical.

"Signature-based malware detection has been limping along on life support for years, yet vendors seem unwilling to aggressively invest in more-effective solutions, preferring to "tweak" the existing paradigm ," is how Gartner put it in a recent research note .

In fact, Symantec and other leading security software vendors have already moved on from relying exclusively on virus signatures in their consumer security products with the introduction of cloud-based "reputation" technology, and dynamic or behavioral protection which seeks to detect previously unseen malware by recognizing malicious behavior. But business security software is updated far less frequently than consumer security software (a new version is typically released every year) and it is only now that the technologies, proven in consumer products, are making their way into the latest generation of business editions.

What's new

SEP 12.1 includes cloud-based reputation technology in a feature the company calls Insight. Insight collects data from about 175 million endpoints -- mainly other Symantec customers -- and gives individual files a reputation score based on factors such as age, prevalence, source and behavior.

Malware variants may well be flagged as suspicious precisely because they are new and have not been widely reported by other endpoints, for example, and newly discovered sources of malware can be blocked. The Insight system also allows known "good" files to be white listed and skipped during security scans. This can improve machine-level performance by reducing scan overhead by up to 70%, Symantec claims.

Talking at a security conference earlier this year, Eugene Kaspersky, co-founder of security vendor Kaspersky Lab, said that cloud components like Insight are likely to have a significant impact on security products: "Malware that cloud systems can't detect is much harder to develop. That means the entrance ticket for cybercriminals is much higher, and junior cybercriminals can't get involved."

But cloud based protection is by no means perfect, and hackers are already finding ways to get around it, said Andreas Marx, CEO of Germany-based security testing company AV-Test . "They are definitely getting more tricky. For example, malware writers are trying to tune their malware files so that they are not detected by reputation systems, perhaps by infiltrating it onto well known websites so that it is downloaded from pages with good reputations."

The other significant consumer feature that has now been added to SEP 12.1 is Symantec Online Network for Advanced Response (SONAR), which provides dynamic or behavioral based protection. A version of this technology has been included in Symantec's Norton consumer security products since 2007, and is based on software developed by a company called WholeSecurity, which Symantec acquired.

SONAR spots possible malware by analyzing suspicious behavior such as connecting to a site and downloading files without opening a visible window.

How it rates

Given that all the major security vendors have very similar signature-based anti-malware engines, the big question is whether the inclusion of additional security technologies such as those in Insight and SONAR really make any difference.