
Page 1: Symantec AntiVirus Research Center NAVEX: Norton Anti Virus

Symantec AntiVirus Research Center

NAVEX: Norton AntiVirus Extension Technology

To successfully protect computer systems from viruses, it is essential to have an anti-virus solution that quickly adapts to new virus threats as they are discovered. Norton AntiVirus Extension (NAVEX) technology, an integral part of Norton AntiVirus software, is one of the primary tools that the Symantec AntiVirus Research Center (SARC) uses to protect computer users from new virus threats, and it is the only solution of its kind available to users of anti-virus software.

NAVEX is a technology integrated into all of the Norton AntiVirus products that allows SARC to update the scanning engine during routine virus definitions updates. In addition to providing a faster response time to viruses and other malware threats, NAVEX is also a significantly more cost-effective way to keep the anti-virus protection on all computers (on all platforms) in the enterprise updated and protected. This paper contrasts the benefits of NAVEX with the consequences of using other solutions to handle new and complex virus problems.

I. Laying the groundwork

In the early days of anti-virus program development, there were only a few viruses. Programmers could spend a significant amount of time analyzing each new virus that was discovered, build a custom solution for it into their product, and re-release their programs. As writing viruses became more popular, it was no longer practical to build a new product in response to each new virus threat. Instead, anti-virus producers created scanning engines that were clever at looking for a specific sequence of bytes (also called a fingerprint). This new, simpler approach allowed anti-virus researchers to add fingerprints to the existing database when new viruses were discovered. The result was easier and faster development, less data sent to protect customers, and no need to build new products from scratch.

Over the years, whole new classes of viruses emerged that attempted to evade the traditional detection and repair algorithms of anti-virus programs. The number of examples of problematic viruses that the technology of the time couldn't handle was quite large: some viruses encrypt the user’s data using complex encryption algorithms [1], while other viruses targeted new Microsoft Office word processing and spreadsheet programs. Each of these new threats requires engine changes or entirely new engines. Following is a small sampling of virus attacks that demanded new anti-virus technology in the past:

• 32-bit Windows viruses
• Java viruses
• Polymorphic (self-mutating) viruses
• Office macro viruses for Excel, Word and Access
• Office 97 macro viruses for Excel, Word, Access and PowerPoint

For each of these new virus threats, adding traditional fingerprints was useless -- new engine technology had to be constructed to properly traverse the file formats of these files, locate the viral code and remove it.

Today, there are tens of thousands of viruses and a lot more people who use anti-virus programs. This proliferation has the effect of making the presence of troublesome viruses more common and the task of keeping computer users updated more costly. Viruses that pose problems for existing technology are discovered almost every month, creating problems for both anti-virus vendors and computer users. Traditional anti-virus software requires corporate users to re-install, re-test, and distribute anti-virus software in-lines for each of these difficult threats. Although it's evident that this problem requires a new approach, no other anti-virus producers have attempted to address the problem. They continue to maintain an outdated solution, bringing high costs on themselves, and ultimately, the corporations that use their programs.

[1] The One_Half virus, for instance, will encrypt the user’s hard drive. If the user removes the virus without properly designed anti-virus software, they will lose the encrypted contents of their hard drive!

Several years ago, SARC anti-virus researchers recognized that "abnormal" viruses had become the norm. Unless detection and repair for complex viruses were implemented with the same ease as the fingerprinting technology of the past, maintaining a robust anti-virus solution would become impossible in the enterprise. Therefore, in addition to standard updating, new detection and repair strategies had to become part of the normal virus definitions update, which is precisely what NAVEX does. Instead of including just data files as part of a set of virus definitions, Norton AntiVirus includes NAVEX files that extend the virus scanning engine’s capabilities.

II. How does NAVEX work?

The typical anti-virus program is comprised of two major components: the scanning application and the scanning engine.

The scanning application typically provides a user interface, alerting and logging, and determines which files to scan and how to react if and when a virus is found on the user’s machine. The scanning application knows absolutely nothing about computer viruses. Every time the scanning application decides it wants to scan a file or diskette, it calls upon the scanning engine to detect computer viruses in the designated file or diskette. If the scanning engine locates a virus, it reports this back to the scanning application. The scanning application can then inform the user of the infection and prompt the user to repair the file. If the user chooses to do so, the scanning application again calls upon the scanning engine to repair the infected file or diskette.

The scanning engine knows nothing about user interfaces, which files to scan, or what to tell the user when it finds a virus. What it does know how to do is detect and repair viruses. The scanning engine is comprised of dozens of complex searching algorithms, CPU emulators, and other elaborate program logic. The job of the scanning engine is to examine whatever file or diskette the scanning application directs it to, and determine if it harbors any viruses. Typically, scanning engines work by scanning each file or diskette for thousands of virus fingerprints (unique sequences of bytes that are known to be contained in viruses). These fingerprints are stored in the virus definitions data files that users around the world download each week.

In all anti-virus programs other than Norton AntiVirus, the scanning engine and the scanning application are built by the anti-virus vendor as one inseparable component.

To understand the issue with this single application-and-engine architecture, consider this simple example. Just as you can’t easily switch out a built-in car stereo with a new higher-powered stereo, you can’t switch out the engine of the typical anti-virus product with a newer, more powerful engine.

Keeping with the stereo analogy, the owner of the car would have to take it to a car stereo shop, wait several days, and then pick up the car with the new stereo installed. Likewise, vendors of anti-virus software must in-line an entire anti-virus product in order to update the engine component of that anti-virus product. And since it’s costly and time consuming to in-line a product, anti-virus companies tend to stagger releases of the various anti-virus platforms. The desktop in-lines come first, server in-lines come several months later, and groupware anti-virus in-lines are last. The lack of consistent protection across all desktops, servers and gateways can pose huge security risks and can cause unending headaches. Desktop computers and servers without updated engines continue to become re-infected, and consequently need to be manually re-cleaned over and over.

Virus authors revel in their attempts to confound anti-virus researchers. And while most viruses do use the same techniques to spread themselves, and can be detected with existing engines, a handful of viruses do break the mold. First there were DOS viruses, then came macro viruses – a completely new type of threat requiring completely new fingerprinting and repair algorithms. Then came 32-bit Windows viruses, and later, Java viruses. There are also “special case” viruses – they use common techniques to spread but have some nasty side effect that can’t be undone by a simple scanning engine. Each of these new threats required its own algorithms – and consequently a new anti-virus engine. The emergence of these new threats necessitates the NAVEX design.

Figure 1: Classical anti-virus architecture vs. NAVEX architecture.

Norton AntiVirus has a modular scanning engine

Like other anti-virus products, Norton AntiVirus has two different components: a scanning application and a scanning engine.

However, unlike other anti-virus programs, the Norton AntiVirus scanning engine is separate from the scanning application.

The Norton AntiVirus scan engines can be updated on their own, improved on their own, and re-shipped with the standard Norton AntiVirus virus definitions without having to in-line the entire anti-virus application.

[Figure 1 labels. Other anti-virus product: anti-virus application, anti-virus engine, definition data files; the anti-virus engine must be updated along with the rest of the product in an in-line. Norton AntiVirus: anti-virus application, NAVEX engines, definition data files; virus definitions can be updated without extensive support/costs.]

You can think of NAVEX as being like one of the new removable car stereos. While older car stereos might be costly to upgrade, it’s extremely easy to slip out a removable car stereo and insert a new model (with more power) into the dash without ever taking your car to the shop. Similarly, if and when a nasty new virus or new class of viruses emerges, SARC engineers can quickly upgrade Norton AntiVirus’ fundamental scanning engines. These scanning engines are shipped along with the standard Norton AntiVirus virus definitions. All a user has to do is update their virus definitions and not only do they have the latest fingerprint databases, but also the latest scanning engines as well.
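The application/engine split described in this section can be made concrete in C, the language the paper says NAVEX is written in. The following is an added illustration, not Symantec's code and not NAVEX's real interface: the `scan_engine` struct, `app_scan_buffer`, `app_load_engine`, the `Demo.SampleA`/`Demo.SampleB` fingerprints and the sample "files" are all constructed for this example. The application never inspects file bytes itself; it only asks whichever engine is currently loaded, and a "definitions update" is simply a pointer swap to a newer engine with a larger definition table, with no restart of the application.

```c
/*
 * Added illustration (not Symantec's NAVEX code): a minimal scanner split
 * into a "scanning application" that knows nothing about viruses and a
 * "scanning engine" that is a swappable module with its own definition data.
 * Fingerprints and sample "files" below are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of the definition data: a name plus a byte sequence. */
struct fingerprint {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
};

/* The engine interface the application programs against. The application
 * sees only this struct: "call scan, get back a name or NULL". */
struct scan_engine {
    int version;
    const struct fingerprint *defs;
    size_t ndefs;
    const char *(*scan)(const struct scan_engine *self,
                        const uint8_t *data, size_t len);
};

/* Engine-side logic: naive byte-sequence search over the whole buffer for
 * every fingerprint in the engine's definition table. */
static const char *engine_fingerprint_scan(const struct scan_engine *self,
                                           const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < self->ndefs; i++) {
        const struct fingerprint *fp = &self->defs[i];
        if (fp->len == 0 || fp->len > len)
            continue;
        for (size_t off = 0; off + fp->len <= len; off++)
            if (memcmp(data + off, fp->bytes, fp->len) == 0)
                return fp->name;
    }
    return NULL;
}

/* Constructed demo markers (not real virus signatures). */
static const uint8_t SIG_A[] = { 'D','E','M','O','-','S','I','G','-','A' };
static const uint8_t SIG_B[] = { 'D','E','M','O','-','S','I','G','-','B' };

/* Definition set 1 knows only sample A; definition set 2 adds sample B,
 * standing in for a new class of threat that needed an engine update. */
static const struct fingerprint DEFS_V1[] = {
    { "Demo.SampleA", SIG_A, sizeof SIG_A },
};
static const struct fingerprint DEFS_V2[] = {
    { "Demo.SampleA", SIG_A, sizeof SIG_A },
    { "Demo.SampleB", SIG_B, sizeof SIG_B },
};

const struct scan_engine ENGINE_V1 = { 1, DEFS_V1, 1, engine_fingerprint_scan };
const struct scan_engine ENGINE_V2 = { 2, DEFS_V2, 2, engine_fingerprint_scan };

/* Application side: holds a pointer to "the current engine" and swaps it
 * when a definitions update arrives, without restarting anything. */
static const struct scan_engine *g_current_engine = &ENGINE_V1;

void app_load_engine(const struct scan_engine *updated)
{
    g_current_engine = updated;   /* the "definitions update" step */
}

int app_engine_version(void)
{
    return g_current_engine->version;
}

/* The application decides what to scan and asks the engine whether it is
 * infected; it never looks at the bytes itself. */
const char *app_scan_buffer(const uint8_t *data, size_t len)
{
    return g_current_engine->scan(g_current_engine, data, len);
}

/* Constructed "files": a clean one and two carrying the demo markers. */
static const uint8_t FILE_CLEAN[] = "MZ header followed by ordinary program bytes";
static const uint8_t FILE_A[]     = "MZ header ... DEMO-SIG-A ... more code";
static const uint8_t FILE_B[]     = "MZ header ... DEMO-SIG-B ... more code";

int main(void)
{
    const uint8_t *files[] = { FILE_CLEAN, FILE_A, FILE_B };
    size_t lens[] = { sizeof FILE_CLEAN - 1, sizeof FILE_A - 1, sizeof FILE_B - 1 };
    for (int pass = 0; pass < 2; pass++) {
        for (int i = 0; i < 3; i++) {
            const char *hit = app_scan_buffer(files[i], lens[i]);
            printf("engine v%d: file %d -> %s\n", app_engine_version(), i,
                   hit ? hit : "clean");
        }
        app_load_engine(&ENGINE_V2);   /* update swaps the engine in place */
    }
    return 0;
}
```

Run stand-alone, the first pass reports sample B as clean under engine version 1 and the second pass, after the in-place engine swap, detects it; sample A is detected by both versions and the clean file by neither. The point the page makes is the shape of the `scan_engine` boundary: everything an update can change (the table and the matching routine) sits behind it, and the application code is untouched.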

Rollout of new software, even in-lines, is a complex and time-consuming process. Furthermore, sending product in-lines to remote users can cause even more headaches. The NAVEX modular engine solves these problems. Administrators can use Symantec’s wide variety of remote distribution tools or other distribution tools to quickly and easily send out NAV virus definitions (which include NAVEX engines) to both remote and on-site users.


Figure 2: NAVEX is written entirely in portable C source code. One consistent set of logic is compiled to produce a consistent NAVEX module for every single Norton AntiVirus platform.

The modular NAVEX engine is supported on all Norton AntiVirus products and platforms

All Norton AntiVirus products on all platforms support NAVEX – not just the Windows on-demand scanner, but all on-demand Norton AntiVirus components, real-time components, server products, gateway products, and groupware products. This means that when an enterprise upgrades to the latest virus definitions, their desktops have the latest protection (both on-demand and on-access components), their Windows NT servers have the latest protection, their NLM has the latest protection, etc. After updating, every Norton AntiVirus product on every platform has the latest engines and databases.

The NAVEX engine is built from a single “code-base” to yield consistent protection across the enterprise

[Figure 2 content: one NAVEX C source code base (the figure shows a fragment of a ScanForVirus routine) is compiled into a platform-specific module, each shipped with the same VIRSCAN1.DAT…VIRSCAN9.DAT definition data files:
• NAV for DOS: NAVEX.EXE
• NAV for Win 3.1: NAVEX16.DLL
• NAV for Win 98/NT: NAVEX32.DLL
• NAV for NT/Alpha: NAVEX32A.DLL
• NAV for Netware: NAVEX.NLM
• NAV for Notes & Exchange: NAVEX32.DLL
• NAV for OS/2: NAVEX32O.DLL
• Real-time: NAVEX.VXD for Win 9x, NAVEX.SYS for Win NT, NAVEX32A.SYS, etc.]


All NAVEX engines are generated from one set of source code. This means that SARC engineers need only modify our C program logic once in order to properly update our scanning engines for all products. Since the C source code is the same, the virus scanning engines are the same, on all Norton AntiVirus platforms, in real-time and on-demand scanners.

Other anti-virus products may claim to have a separate, NAVEX-like engine for their Windows on-demand scanner, but no other anti-virus offering has a NAVEX-like engine for every single anti-virus component, across all platforms, for both real-time and on-demand anti-virus offerings. Ask your vendor if their Windows 95/98 system scanning driver (this is the real-time scanner that scans all files as they are accessed) has a separate, NAVEX-like engine. Ask them about their Novell NLM products, their NT kernel-mode scanners, and their gateway scanners. The answer will be no.

The Norton AntiVirus design means you can upgrade protection without rebooting or bringing servers down

When SARC engineers encounter a nasty new virus or whole new class of viruses, they can update the Norton AntiVirus NAVEX engines once and ensure consistent protection for customers across all platforms, without costly in-lining or re-installation. And here’s a bonus – all Norton AntiVirus products can have their NAVEX protection upgraded without having to reboot the computer or shut down the anti-virus scanner. There is no need to re-boot your file servers, take down your groupware email servers, or reboot your users’ desktop computers to update their anti-virus protection.

No in-lines to re-install and distribute, no reboots, and consistent protection across the enterprise, all with a simple virus definition update.


III. How other anti-virus companies deal with “special case” viruses

Let’s consider a computer virus scenario which arises at least several times each year.

A typical end-user in a medium-sized corporation, Compuloid, has found that their workstation is misbehaving. Over and over, the computer crashes and fails to operate properly. Finally, the frustrated user calls the help desk. Several hours later, the IS representative stops by the computer and takes a look. He notices that a number of executable files appear to be corrupted and suspects a computer virus. The representative sends these files to his anti-virus vendor for analysis.

The next day, the anti-virus vendor’s virus response coordinator sorts through the latest customer submissions. He notices that Compuloid has sent in several files and assigns one of his engineers to take a look. The engineers immediately realize that their client has become infected with a new Windows virus. While most viruses merely append themselves onto the end of application files, this virus appears to actually scramble infected application files with a complex encryption algorithm. It also uses an extremely complex polymorphic (self-mutating) decryption routine to conceal its own viral program logic. The engineers realize that their anti-virus product’s existing virus scanning engines won’t be able to detect or repair this virus. It’s just too different.

Meanwhile at Compuloid, several more workstations have started behaving erratically as well. Furthermore, the Tokyo site has reported several problems with their machines. The director of IS at Compuloid decides to call their anti-virus vendor for support.

The anti-virus engineers attempt to calm the director and explain that this new virus employs some nasty tricks, but shouldn’t be that difficult to eliminate. They tell the director that they’ll deliver a solution to him sometime during the next day.

As soon as the anti-virus engineers finish the phone call, they get to work. They finish analyzing the virus and one team of researchers proceeds to write a C module that can detect the virus (C is a common programming language used to write anti-virus software). This C module is specially designed to recognize the complex polymorphic subroutines the virus uses to conceal itself.

A second team of engineers begins to work on a cure for the virus. They write a specialized C module to reverse the virus’ encryption technologies and remove the virus from infected host application files.

Both teams finish their work at around 2 am and integrate their newly programmed modules into a simple standalone virus scanning program. It’s a DOS-based tool that can be used from a floppy diskette. They write up some simple documentation and send it to the director of IS at Compuloid.

At 8:00 am the next morning, the director comes in and is happy to see an email from his anti-virus vendor. He quickly extracts the email attachment and takes the tool to the infected machine. He then runs the tool and proceeds to detect and repair 17 different infected files. The gratified user gets back to work and thanks the director for personally resolving his problem.

Fifteen minutes later, however, the IS director receives a call from the same panicked user. Apparently his computer is again behaving erratically. The director thinks for a moment and realizes that this virus probably has spread to his file servers and possibly his email servers.

The IS director starts to panic. What if this virus has spread to other computers? He’d have to walk to each and every one to scan and clean it. And how would he clean out his Lotus Notes server? This tool won’t scan inside Lotus Notes databases. Frustrated, he calls his anti-virus vendor for help.

Director: “The tool worked, but I think the virus may be on my networks and email servers. I’ve had complaints from Japan too. What can I do?”

Anti-virus vendor: “You should use the tool to scan each of the infected machines. Send it in email to your other offices too.”

Director: “But what about my email server? Can’t I just get a new virus fingerprint file like usual? Then my email server anti-virus software can scan all my email databases and get rid of this thing. I need the same thing for my file servers. And what if somebody sends an infected file to one of our clients! This tool won’t do any good unless each of my users scans every file before they use it or send it out.”

Anti-virus vendor: “Well, this virus broke the mold. It can’t be detected with simple fingerprints. We’ll probably be able to produce an in-lined version of our workstation anti-virus product with support for this virus next month. We’re planning to in-line our server products sometime near the end of the third quarter of this year. You have to understand, we have to take the new C modules we’ve written, integrate them into the main anti-virus program for each platform, re-test it, re-translate it for our global customers…. It takes a while. The tool should take care of you.”

The IS director gets several of his top guys and takes the tool around to any potentially infected machines. They manually scan all the file servers, and hand the tool out to all infected users. They also send copies of the tool out to their other offices.

One month passes.

The anti-virus vendor finally ships an in-line for the desktop version of their anti-virus product. This version has a number of bug fixes and also includes the C modules to detect the nasty new virus. The anti-virus vendor ships a CD to the director of IS at Compuloid.

The director receives the CD and begins the usual certification process in his test lab. He has several of his IS people install the new software and test it with his other applications. After a few days, his reports tell him that the new in-line is stable. Now, he has to convince upper management that it’s worth it to install the in-line on 3,500 desktops.

“This in-line will definitely rid all our desktops of this virus. Our anti-virus vendor tells me that they’ll have server versions out soon, so we should be completely protected by the middle of the third quarter. And as this was a special case, we shouldn’t have to do such an installation again for a year.”

The IS director gets permission to install the new software. He then uses his distribution tools to distribute the software to all his desktops. About 312 desktops can’t be reached for one reason or another. Also, all of his remote users will have to be updated manually because the director doesn’t have software distribution set up for his remote machines.

----

The above scenario is typical of virtually all anti-virus companies and their clients. In the story above, it took a month for the anti-virus vendor to provide support for the virus on just desktop platforms. And in order to protect his users against this virus, the IS director needed to manually scan dozens (hundreds?) of machines, re-install his anti-virus software on thousands of machines, reboot them, and inconvenience his users. Because the solution was not included as part of the normal anti-virus program, the virus will spread again if it has not been completely eradicated or is re-introduced into the enterprise. And then there are the machines that his distribution tools failed to reach. In general, such updating is extremely costly.

Unfortunately, the scenario played out above happens at least several times per year. This means that companies may lack protection against key viruses for months at a time. It means that users must manually scan files with special purpose tools, and that administrators must sift through email servers by hand to track down and eradicate infections. With all the great anti-virus products and infrastructure being deployed in today’s enterprises, this sort of thing shouldn’t happen.

IV. How Symantec deals with “special case” viruses

Now let’s look at the same scenario again, assuming that Compuloid was a Norton AntiVirus customer.

Once again, our end user finds his computer acting erratically and calls the help desk. Several hours later, the help desk person isolates several suspicious files and sends them to SARC, via Norton AntiVirus’ Scan and Deliver feature. This automated technology helps Symantec provide the fastest measured virus turn-around in the industry. [2]

[2] For example, during 01/31/1999 to 02/06/1999, Scan and Deliver provided customers with a solution in an average of 6.05 hrs.


At Symantec, the Scan and Deliver automated analysis system scans each and every file in the submission to determine whether the files contain a known virus. In the case of the Compuloid submission, the files don’t appear to have a known virus, so Scan and Deliver creates a new issue record in the database and sets the status to “Platinum priority (high).”

After being alerted to the new high priority submission, Symantec researchers take a look at the files and quickly realize that they contain a nasty new polymorphic Windows virus. The lead researcher calls the director and explains that this new virus employs some nasty tricks, but shouldn’t be that difficult to eliminate. They tell the director that they’ll deliver a solution to him sometime during the next 24 hours.

The SARC engineers finish analyzing the virus and begin writing C modules to detect and repair the virus. As soon as the engineers verify that the modules properly remove the virus, they integrate these new C modules into the NAVEX engine.

The engineers then launch an automated build process. The entire NAVEX C source library is rebuilt from scratch for each of the supported Norton AntiVirus platforms: DOS, Windows 3.1, Windows 95/98, Windows NT and Alpha, Lotus Notes, Novell Netware, etc. The exact same source code is designed to properly compile into binary executable files for each of the supported platforms, to ensure that Norton AntiVirus has the same protection on all platforms. The entire build process takes several hours.

The result of the build is a new virus definitions set which includes the latest virus fingerprint database and the latest NAVEX engine files for all platforms supported by Norton AntiVirus. (When updating to a new virus definition set, all Norton AntiVirus products use built-in logic to replace the old NAVEX engines and database files with their revised versions. Norton AntiVirus products can completely replace their old Norton AntiVirus engines with the latest engines every time they receive new virus definitions, without rebooting, and without re-installing the product from scratch.)

A SARC quality assurance (QA) engineer takes the virus definition update into the SARC test lab and tests the new virus definitions on the samples of the new virus. He performs regression tests on each of the hundreds of older wild viruses. The QA engineer then performs false positive scans on a large hard drive containing the most common applications.

This testing is done for each platform that Norton AntiVirus runs on, since our definition update contains a separate NAVEX file for each and every Norton AntiVirus platform, for both real-time and on-demand components.

After several hours of certification, the Symantec engineers approve the new fingerprint and NAVEX engine files. The Scan and Deliver system automatically sends this update to Compuloid.

At 8:00 am the next morning, the director comes in and is happy to see an email from his anti-virus vendor. He quickly extracts the new definitions set from the email attachment and hands it to his top engineer.

Fifteen minutes later, the engineer has verified that the new virus definitions properly detect and repair the virus. The IS director tells the engineer to use the standard distribution tools to distribute the new virus definitions to the desktops, servers and gateways.

The engineer rolls out the new virus definitions to all workstations, file servers, email servers, and gateways. He then initiates scans of all the network drives, email servers, and desktops. Moments after the rollout, alerts start coming into the Norton System Center console. Norton AntiVirus had found and cleaned the virus from 35 separate desktops. It was also found and cleaned from 17 separate email messages in the Lotus Notes email databases. He sends the virus definition set to the other sites for deployment.

The above scenario is typical of how Symantec responds to a “hard” new computer virus.

In both anecdotes, it took roughly the same amount of time for both Symantec and other anti-virus engineers to come up with a solution for the virus. However, because of Symantec’s NAVEX technology, the Symantec customer was able to deploy the solution and protect his users within hours of the initial infection.


While our other anti-virus vendor came up with a robust solution to the virus, they were only able to provide this solution in the form of a standalone tool – one that required manual intervention at every step. And by the time the vendor updated their anti-virus offering on each and every platform, the customer had already wasted hundreds of hours of time.

V. Summary Of Non-NAVEX Solutions

Anti-virus companies that require their customers to use standalone tools and in-line their anti-virus products to deal with new virus threats are aware of the cost of this choice. In order to lessen the expense, these companies have tried alternatives to the NAVEX approach:

• Fail to address the threat: Recognizing that solving a new class of virus threat is expensive, these companies choose not to protect against these threats. Sometimes this decision is due to the difficulty of creating a robust solution; other times it results from the inability to integrate such a solution cleanly and quickly. Although not an expensive solution, it is the worst choice, as it fails to achieve what an anti-virus program is designed to do: protect computers from viruses.

• Build standalone tools to solve an immediate problem: The first problem with this choice is that a whole new program must be built, delivered, tested, and downloaded to the machine that needs the extra protection. Administration of these tools is a nuisance, time-consuming, and, most importantly, unnecessary (as NAVEX technology demonstrates). Second, this tool is not platform-independent; usually it's a command-line utility written only for DOS. Third, end-users must be trained how to use this tool, and must regularly use it to scan their files and email attachments, etc. This is a time consuming process that no user is likely to perform. As with all scanning capabilities of Norton AntiVirus, NAVEX is used by our real-time anti-virus components and can run in the background (our AutoProtect feature), so once you install an update, your users don’t have to think about manually scanning each and every file they access with a tool. Finally, even if the anti-virus vendor ships a standalone tool, the huge cost for updating the anti-virus program (across all servers, desktops, and gateways) is not eliminated, just delayed. Eventually, when the anti-virus vendor has finally integrated and tested this new technology on all the anti-virus platforms, customers of the anti-virus product must switch all their users to the new product, and have to put up with re-installation hassles and even more expenses.

• Group solutions together in large releases: This is a compromise between the previous two choices. The philosophy is essentially to first leave customers unprotected for a while (which sacrifices protection for savings) and then re-release the anti-virus products later to protect them (sacrificing savings for protection). Competing anti-virus vendors have often required 6 months or more to update their entire line of anti-virus products, across all platforms, to protect against a new type of virus. First they update the Windows 32-bit scanner, then the NLM, then the NT server product. Finally, they update the gateway products. Unfortunately, during this time, customers have unequal protection across their enterprise. Some anti-virus components have been updated to support the new threat while others haven’t.

VI. Distributing new anti-virus protection

This section describes a case study to illustrate the cost of updating Norton AntiVirus (with NAVEX technology) to detect a new virus, versus the cost of updating a competing anti-virus product that lacks NAVEX technology.

In both instances, we consider a typical company of 5,000 users running 30 NT 4.0 servers and 4,700 Windows 95 and Windows NT clients.

This example assumes that the Network Administrator makes an average of $60,000 per year (loaded times 1.37 = $82,200/year). Assume 2,000 working hours per year, yielding an approximate hourly rate of $41.00 per hour.

First, let's consider the costs of distributing the new Norton AntiVirus solution. In order to update Norton AntiVirus to detect a completely new threat, such as Office 2000 viruses, the administrator needs to distribute the latest virus definitions files to all desktops and servers.

This roll-out is typically done in two phases:

Most administrators test new virus definitions before a full roll-out. Assuming approximately 16 hours of testing, at $41.00 per hour, testing will cost approximately $656.00.

Once the administrator verifies the stability of the new virus definitions, (s)he can post the virus definitions on the corporate LiveUpdate server. (LiveUpdate is a pull technology that all Symantec products use to obtain updates. The administrator can maintain intranet LiveUpdate servers and post new updates, such as virus definitions, to them as required. Client Symantec software, such as Norton AntiVirus, can be scheduled to pick up these updates as often as necessary. LiveUpdate servers can run on virtually any operating system and platform, as long as there is UNC, FTP or HTTP access.)

If we assume that it takes 2 hours to post the new virus definitions on the LiveUpdate server, the administrator will incur a cost of $82.00. After the virus definitions are posted, all Norton AntiVirus desktop, server and gateway versions can pull them when appropriate.

Since Norton AntiVirus does not require a computer reboot when new virus definitions are installed, no additional administrative effort is required to update all Norton AntiVirus products across the enterprise.

The total cost of updating such a corporation will amount to $738.00.

Now let's consider the costs of updating a competitor's product to provide detection and repair for a new virus threat, such as Microsoft Office 2000 macro viruses. Once again, this roll-out is typically done in two phases:

We believe that our typical customer tests an in-line version of an anti-virus product for an average of 60 hours before deploying it across the enterprise. While in-lines often fix many problems for users, they frequently introduce new issues, such as incompatibilities with existing software. These 60 hours of testing will cost approximately $2,460.00 (60 hours at $41.00 per hour).

Once the administrator has finished testing the new version, they must begin the roll-out of the new in-line. With software distribution in place, such an effort would probably take around 32 hours. At our assumed administrator billing rate, this would cost roughly $1,312.00. For enterprise companies with more than the 5,000 nodes in this example, this software distribution can cost tens or hundreds of thousands of dollars!

Without software distribution in place, let's assume that the administrator posts the in-line on a publicly available file or FTP server and then notifies users about the update via email. All users will then be responsible for updating their own computer.

If we assume that it will take the average user 20 minutes to find the in-line on the server, re-install, and then reboot their desktop computer, this update will take:

20 minutes x 4,700 users = 1,500 hours of user time

If we assume that the typical employee also makes an average of $41 per hour, this will cost a total of 1,500 * $41.00, or $61,500.00.

Finally, let's assume that some users will have problems installing the new update and will call the helpdesk. If we assume a failure rate of 5%, this will yield 150 calls to the help desk, at approximately 20 minutes each. This results in another 50 hours of support time, at an additional cost of $2,050.00.

In summary, in-lining a non-NAVEX-based anti-virus product to support a hard new virus or new class of viruses will cost a company of 5,000 users:

With software distribution      $5,822.00
Without software distribution   $66,010.00

Scaling these figures, in-lining a non-NAVEX-based anti-virus product will cost a company of 100,000 users roughly:

With software distribution      $97,000.00
Without software distribution   $1.3 million

In addition, regular virus definitions updates must still be distributed to ensure protection against new viruses for which engine updates are not required (for instance, to protect against new Microsoft Office 95/97 macro viruses, DOS viruses, or boot viruses). Assuming that competing anti-virus products have a distribution mechanism similar to Symantec's LiveUpdate, this will cost an additional $1312.00 per update. However, since competing products may require a reboot of desktop machines and a shutdown of the file server, groupware server, etc. during the update, the administrator and end users will incur additional unproductive downtime during definition updates.

Finally, since anti-virus vendors must in-line multiple products on multiple platforms to add support for a hard new virus, there will be a period of months where the enterprise has inconsistent protection across servers, desktops, groupware servers, and the gateway. Inconsistent protection will cause repeat infections and generally increase the cost of maintaining the non-NAVEX solution.

TIP!

As your users or business partners start using Microsoft Office 2000, your enterprise will need protection against this new viral platform. If you're using a competing anti-virus offering, and are intending to in-line your solution yet again (as you did for Microsoft Office 97), consider the following: for the one-time cost of switching to Norton AntiVirus, it will be the last time you have to re-deploy in-lines of your anti-virus software to stay protected against new viruses!

Task to update Norton AntiVirus                              Cost (5,000 users)   Cost (100,000 users)
Testing of new virus definitions                             $656.00              $656.00
Deployment of new virus definitions onto LiveUpdate server   $82.00 (2 hrs)       $656.00 (16 hrs)
Total cost                                                   $738.00              $1,312.00

Table 1: Cost to update Norton AntiVirus to support a new threat, across the enterprise (5,000 and 100,000 user profiles).

Task to update competing anti-virus product                  Cost (5,000 node     Cost (100,000 node
(software distribution in place)                             company)             company)
Testing of the new version of the anti-virus software,       $2,460.00            $2,460.00
configuration of settings, etc.
Rollout with software distribution tools                     $1,312.00            $26,240.00
Calls to the help desk at 5% rate                            $2,050.00            $68,300.00
Total cost                                                   $5,822.00            $97,000.00

Table 2: Cost to update a competing anti-virus product to support a new threat, across the enterprise, assuming software distribution technologies are in place.

Task to update competing anti-virus product                  Cost (5,000 node     Cost (100,000 node
(no software distribution in place)                          company)             company)
Testing of the new version of the anti-virus software,       $2,460.00            $2,460.00
configuration of settings, etc.
Manual rollout                                               $61,500.00           $1,230,000.00
Calls to the help desk at 5% rate                            $2,050.00            $68,300.00
Total cost                                                   $66,010.00           $1.3M

Table 3: Cost to update a competing anti-virus product to support a new threat, across the enterprise, assuming no software distribution technologies are in place.

VII. New types of virus threats from 1998

As you can see, the cost of updating to the latest Norton AntiVirus engine technology is the same as the cost of updating the Norton AntiVirus definitions files. This method is much cheaper than deploying entirely new in-lines across the enterprise to update the anti-virus engine.

A good question to ask is: "How many times does the anti-virus engine need to be updated?" Below is a partial list of new viruses and virus classes which have required fundamentally new anti-virus engines. Consequently, each of these viruses or classes of viruses caused our competitors (and their customers) to in-line their anti-virus software for protection.

• Microsoft Office '97 viruses
The release of Microsoft Office '97 included a change in the basic macro language of the applications. Existing macro detection strategies had to be researched and reengineered to understand the new file formats. Viruses of this type already make up roughly 5% of viruses known to be spreading "in the wild."

• 32-bit Windows viruses
The number and incidence of 32-bit Windows viruses has risen significantly in the last 18 months, and many of these viruses are complex polymorphic (self-mutating) viruses. The first one, HPS, was discovered in May of 1998, and a more recent polymorphic virus (Win95.Marburg) has been found "in the wild" in many locations. While most anti-virus products have excellent technology for detecting DOS polymorphic viruses, detecting new 32-bit Windows polymorphic viruses is a whole new game requiring a whole new engine.

• XF.Paix
XF stands for "Excel Formula virus." This virus employs a new type of attack on Microsoft Excel spreadsheets. Scanners had to be redesigned to scan these files more robustly, especially since Paix is spreading "in the wild." The leading Norton AntiVirus competitor took more than 6 months to provide in-lines that protected against this now-prevalent class of virus on all platforms.

• Remote Explorer virus
The high-profile Remote Explorer virus has the unusual characteristic of compressing and storing the original host within itself (using the gzip algorithm). Norton AntiVirus was the first anti-virus product to have an integrated, cross-platform solution. At the time of this writing, most competitors still lack detection and repair for this virus across all platforms, in real-time and on-demand products.

• PowerPoint viruses
As predicted, the first Microsoft PowerPoint viruses emerged in 1998 (e.g., PP97M.Master.A). Although none have yet made the WildList, it is only a matter of time before they do. As usual, a newly discovered virus class requires a new detection strategy.

• Microsoft Access viruses
A97M.AccessiV.A was discovered at the beginning of 1998, and is the first virus to infect Access macros.

• Java viruses
Strange Brew, found by Symantec's Seeker web-spider technology, is the first Java virus of its kind. New scanning strategies are needed to scan Java files efficiently.

• Microsoft Office 2000 viruses
Microsoft is planning to release a new office suite in 1999 that will provide a whole new target for viruses (as Microsoft Office '97 did). If you use Norton AntiVirus, there is no need to update to a new product; our standard virus definition updates, with NAVEX, will protect your enterprise automatically!
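The list above and the summary that follows rest on one architectural idea: each new file class (Office '97 documents, Excel formulas, Java class files) needs a new parser in the engine, so the engine itself has to be something a definitions update can extend. The following is an added illustration of that idea written for this page; it is toy code of my own, not Symantec's NAVEX implementation and not taken from this paper. A scanner routes each file to a per-file-class detection module, and a definitions package may carry new modules alongside new signatures, so support for a new file class is switched on by applying an update rather than by re-installing the product. The file-class names, the toy "MACRO:" marker, the SHA-256 digest check, the signature patterns and the sample files are all constructed assumptions; a real product would verify a vendor signature over the package, not a bare digest.

```python
"""Toy modular scanning engine: detection modules ship inside definition
updates, so a new file class is covered without re-installing the product.
Constructed illustration for this page, not Symantec's NAVEX code."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A module's scan function gets the file bytes plus the current signature
# table and returns the names of the threats it found.
ScanFn = Callable[[bytes, Dict[str, bytes]], List[str]]


@dataclass
class EngineModule:
    file_class: str   # which file class this module knows how to parse
    version: int      # a newer version replaces an older one on update
    scan: ScanFn


@dataclass
class DefinitionUpdate:
    """One definitions package: signatures plus any new engine modules."""
    signatures: Dict[str, bytes]
    modules: List[EngineModule] = field(default_factory=list)
    digest: str = ""  # hex SHA-256 over the package (toy integrity check)

    def compute_digest(self) -> str:
        h = hashlib.sha256()
        for name in sorted(self.signatures):
            h.update(name.encode() + b"\0" + self.signatures[name] + b"\0")
        for m in sorted(self.modules, key=lambda m: (m.file_class, m.version)):
            h.update(f"{m.file_class}:{m.version}\0".encode())
        return h.hexdigest()

    def seal(self) -> "DefinitionUpdate":
        self.digest = self.compute_digest()
        return self


# Constructed magic-byte table used to route a file to an engine module.
MAGIC = [
    (b"MZ", "pe"),                                # DOS/Windows executables
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # OLE2 compound documents
    (b"\xca\xfe\xba\xbe", "java"),                # Java class files
]


def classify(data: bytes) -> str:
    for magic, file_class in MAGIC:
        if data.startswith(magic):
            return file_class
    return "raw"


class Scanner:
    def __init__(self) -> None:
        self.signatures: Dict[str, bytes] = {}
        self.modules: Dict[str, EngineModule] = {}

    def apply_update(self, update: DefinitionUpdate) -> bool:
        # A package that can replace engine code is checked before use; a
        # corrupt or tampered package is refused and the old engine stays.
        if update.digest != update.compute_digest():
            return False
        self.signatures.update(update.signatures)
        for m in update.modules:
            current = self.modules.get(m.file_class)
            if current is None or m.version > current.version:
                self.modules[m.file_class] = m   # hot-swapped, no restart
        return True

    def coverage(self) -> List[str]:
        return sorted(self.modules)

    def scan(self, data: bytes) -> List[str]:
        module = self.modules.get(classify(data))
        return module.scan(data, self.signatures) if module else []


def scan_raw(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Generic module: plain pattern match over the whole file."""
    return [name for name, pattern in sigs.items() if pattern in data]


def scan_ole(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Office-format module (toy): only the region after a constructed
    'MACRO:' marker is matched, standing in for real stream parsing."""
    start = data.find(b"MACRO:")
    return scan_raw(data[start + 6:], sigs) if start >= 0 else []


# Constructed packages: the base product only knows plain files; the later
# update adds both the Office signature and the Office engine module.
BASE_UPDATE = DefinitionUpdate({"Toy.DOS.Test": b"TOYVIRUS-DOS"},
                               [EngineModule("raw", 1, scan_raw)]).seal()
OFFICE_UPDATE = DefinitionUpdate({"Toy.Macro.Test": b"TOYVIRUS-MACRO"},
                                 [EngineModule("ole", 1, scan_ole)]).seal()

# Constructed sample files.
RAW_SAMPLE = b"plain text file carrying TOYVIRUS-DOS"
OLE_SAMPLE = MAGIC[1][0] + b"document body ... MACRO:Sub AutoOpen() TOYVIRUS-MACRO"


def demo() -> dict:
    s = Scanner()
    s.apply_update(BASE_UPDATE)
    out = {"raw_before": s.scan(RAW_SAMPLE), "ole_before": s.scan(OLE_SAMPLE)}
    # A package whose content no longer matches its digest is refused.
    tampered = DefinitionUpdate(dict(OFFICE_UPDATE.signatures),
                                list(OFFICE_UPDATE.modules), OFFICE_UPDATE.digest)
    tampered.signatures["Toy.Macro.Test"] = b"NOT-THE-SHIPPED-PATTERN"
    out["tampered_accepted"] = s.apply_update(tampered)
    s.apply_update(OFFICE_UPDATE)
    out["ole_after"] = s.scan(OLE_SAMPLE)
    out["coverage"] = s.coverage()
    return out
```

Running `demo()` shows the point of the list above: before the Office package is applied the OLE sample scans clean even though its macro pattern is in the file, because no module can parse that file class; after the package is applied the same signature table finds it. The integrity check matters because a package that can replace engine code is a far more attractive target than one that only carries patterns.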

VIII. Summary

With hard new viruses becoming the norm rather than the exception, it is more important than ever to employ an anti-virus product that supports a modular engine. Such a modular product architecture will save countless hours of headaches, testing, updating, manual virus elimination and helpdesk calls.

As we have seen, competing anti-virus vendors provide customers with a number of ad-hoc solutions to new virus threats until they can in-line their anti-virus protection. However, these solutions are not cost effective, provide varying levels of anti-virus protection in different areas of the enterprise, and often require manual end-user intervention. Finally, when in-lines of the anti-virus product (to support hard new viruses or new classes of viruses) are available, they require extensive testing, distribution, rebooting of desktops and servers, and end-user support.

Without NAVEX, there are two choices: either pay a lot more for good protection, or stay unprotected. With NAVEX, the entire enterprise can be quickly updated with very little hassle or administration. The best possible protection is available for a fraction of the cost, and that's the NAVEX advantage.