14Apr 10 Immunet: A Second Opinion Worth a Second Look Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC. But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community. Users can run Immunet alone, and many do: The program scans files using two types of threat profiles: specific definitions or fingerprints of known threats, and generic signatures that are more akin to looking for a specific malware modus operandi. But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virusproducts that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware. I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and have haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in-the-cloud,” – that is, not on the user’s system. Immunet currently has about 133,000 active users, and that number changes constantly: Each time you reboot a system with it installed, chances are you will see a different – usually higher – number of users in the community. I spoke recently with Immunet’s vice president of engineering, Alfred Huger, a former VP at Symantec Corp., andAdam O’Donnell, director of cloud engineering for the startup. That conversation — excerpts of which are included below — provides interesting insights into how the anti-virus industry operates, how consumers interact with these products, and how Immunet hopes to differentiate itself in already crowded field. Adam O’Donnell (AO): People have been running multiple anti-virus packages on their desktop for years because they think they will get double protection. We’re just making sure we play well in that environment and that we tell customers, “No, it’s okay. We would like to be one of those.” A lot of our users are excited by fact that can run us in tandem with other products. BK: Okay, but does the world really need another anti-virus product? Why should people turn to Immunet? Alfred Huger (AH): The goal of the company was to build the next generation anti-virus product. We wanted to build an anti-virus program that could convict threats that weren’t previously seen – as well asthose that were already known — but also to be able to do it in a way that was extremely light on resources and not as dependent on infrastructure, or on the way that anti-virus companies usually gather data. BK: And how do they do that? AH: Well, for example, with your typical anti-virus company, 95 percent of data you end up building definitions for you get from trading partners, other anti-virus companies. If I’m a large vendor and I’m sample trading, I’m probably getting 35-40 good feeds of actual malware that aren’t super laden. But the problem is I don’t always know how old those feeds are. If you do enough testing, you’ll find that the feeds are probably anywhere between 1-30 days old. And that’s for a couple of reasons. First off, the guys trading you this stuff compete with you. They’re not stupid: The last thing they want to do is give you all of their signatures so you can compete better in product reviews. Every vendor — no matter how honest they are — games each other whenit comes to trading samples. BK: Do these samples all come from stuff the anti-virus companies have discovered, or is it just suspicious files, or… AO: So, the way other vendors get their samples is not only from each other, but if you go far enough down the pipe, it’s off some desktop somewhere. AH: And it really depends on the vendor. Symantec, for example, takes a truckload of stuff of desktops but they don’t ever trade that. Generally speaking, they don’t retrade stuff off of customer desktops. Hardly any of the vendors do. And they also retrade a truckload. What they trade is stuff that they have verified as malicious — meaning they have a guy who has hand-analyzed it. They also trade stuff they crawl. BK: By “stuff they crawl” do you mean malware they find by following links in spam and by scouring the search engines and so on? AH: Right. But a lot of it is aged. The average lifespan for a piece of malware when it’s most dangerous is one to two days. On the other hand, Immunet iscommunity-reliant, which means it’s taking a sample right off of your PC and — providing it can make a distinction about whether it’s bad or not — and then sharing that with everyone in the community here and now. Which means protection is a lot faster for all users. BK: And you think with enough time and users, Immunet will be better and faster at detecting threats? AH: We’re able to pull in data from a community that isn’t homogeneous. The data isn’t just from AVG or Symantec or McAfee. Now, this doesn’t mean we’re going to blow the rest out of the water on detection. We’re still reliant on the same sorts of heuristic engines that every other anti-virus vendor is. The difference is once we identify it, we’re able to make detection for it available much, much faster. But there’s no question whether our product will increase your ability to detect viruses, full stop. BK: If I have Immunet on my system in addition to another anti-virus product, which one speaks up first about aninfection? Or will they both? AH: Typically, the other anti-virus product will reside in front of us, but in some cases they don’t. In both cases, they should both alert if they both have [detection for] it. If you are running Kaspersky anti-virus and our stuff, and you download a threat, if Kaspersky detects it, they’ll flag it even if we do as well. BK: So who’s your typical Immunet user? Have you learned anything about the user community yet? AH: We’ve found a lot of stuff that’s completely bizarre. We have a Japanese partner that co-brands our stuff and distributes it Japan, and so we get to compare their user base with ours, which is mostly Western Europe, North America, and Brazil. So, we know which anti-virus products we’re co-resident with. But a decent portion of our user base are running no anti-virus at all other than us. If you take that over to our Japanese users, 96 percent have another anti-virus product installed. At first we thought, ‘Wow, we have a serious bug.’ Butas it turns out, there are a truckload of users who are in two boats: For whatever reason, they un-installed all anti-virus. Maybe it slowed down their computer or they decided they didn’t need it. Either that or they had a virus that disabled anti-virus. The breakdown is probably 25 percent had a virus that disabled their anti-virus, and 75 percent who didn’t have any anti-virus before they installed our product thought they didn’t need it. So there seem to be really two schools of users, [those who have] nothing or everything. There are people who run Spyware Doctor, Threatfire, AVG, and then they will have like AVIRA with resident detection turned off, and then Hitman Pro and Online Armor, all on one machine. And you think, ‘Wow, how does your computer even boot, man?’” BK: Interesting. So, that means a fair number of your users have a virus on their system when they install your product? AH: It’s about 10 percent. At one point, a significant portion of our user base already had avirus when they signed up with us. BK: Doesn’t that suggest that the anti-virus industry is advertising protection it can’t provide? AH: The majority of anti-virus doesn’t work very well. The numbers they publish in the reviews are bull. It’s shameful. When we get past the “this software has turned my computer into a brick” syndrome, everyone I know has had a virus on their system even though they had a fully up-to-date anti-virus product. One of biggest problems of AV is that it’s still not solving the problem. If people made seat belts unreliable like this, executives would go to jail. BK: What anti-virus products does Immunet currently play nice with? [Huger provided me with a list of those anti-virus products that are and those that are (meaning Immunet doesn’t test them but users report success). Readers contemplating installing Immunet should read .] BK: So what’s next for Immunet? AH: The 2.0 version – which ships at the end of May – will be significantly different [screenshotbelow]. It has all of the functionality that a ‘pro’ main line AV product has. It still supports installing along side other AV products and it does have two new [anti-virus scanning] engines. One is called SPERO which is machine learning and cloud based and another called TETRA which is an ‘offline’ traditional PC side side engine which will only ship in the ‘Plus’ (commercial) version. We will also have both our Free version and a new commercial version which has offline protection and enhanced malware removal. Tags: , , This entry was posted on Wednesday, April 14th, 2010 at 12:20 am and is filed under , , . You can follow any comments to this entry through the feed. Both comments and pings are currently closed.