Symantec’s Quorum is the latest in pro-active defenseby Steve Ragan - Sep 10 2009, 02:36
Symantec has lifted the lid officially on the new revamp to the Insight engine named Quorum. The technology behind Quorum is included with the 2010 versions of Symantec’s Norton products. So what exactly is Quorum?
Quorum ties heavily into the detection aspect of Symantec’s family and will likely drive product development for some time to come. One of the things we should mention early on in this article is that Quorum is not a new product. Quorum is the logical progressive step forward for Symantec’s existing technology. The reason for this is how it works.
Quorum uses everything Symantec offers to judge the reliability of a process or application. Starting with Norton Insight, which is mostly application whitelisting, Quorum will check a process or an application against the Insight records and determine if Norton has seen it before.
If the process has been seen, the next step is to determine how many Norton users are using it. If the number of users is high enough, or the age of the process or application is old enough, then Insight will have a trust rating already assigned. If the rating is listed as Good or Norton Trusted, Quorum will proceed no further, as the process or application is deemed safe.
If the application or process is unknown, based on an Insight check, Quorum will trigger SONAR for heuristic detection as well as check the process or application against known signatures. If there is a malicious match, the process is halted or the application blocked. If it appears clean, despite all the checks, Quorum will trigger an alert explaining that the user is the first to run the program and offer an option to avoid it temporarily.
Quorum runs constantly. Again, this is because it ties directly into all of the other technologies used by Symantec. For installed applications on a system, Quorum will check with Norton Insight first, downloads are checked against Norton’s Download Insight, and so on. Since most of the signatures and the collective of the Insight rankings are all stored in the cloud, the process is faster than before when you compare Symantec’s 2009 line to the 2010 line.
The Tech Herald started testing Quorum early on when the Internet Security 2010 beta was released. We are currently testing Norton Internet Security 2010 in our labs for review. In both versions, Quorum remained mostly unchanged.
Since Norton Insight is an opt-in feature across the Norton line of products, the vast amount of applications that had a user count and trust assignment was frustrating to the point of being comical. Try as we might, even the most obscure application had a trust ranking and user count. However, Quorum, despite the reliance on reputation-based protections, didn’t help much in the anti-Spam department.
Sure, Norton blocked a large amount of Spam, but some rather obvious attempts slipped past the reputation defenses, including the recent IRS scam, and more than one UPS email with a malicious attachment. Only after they were manually flagged were they blocked.
When it comes to scanning, Quorum helps, but the extent of how well it helps is being tested, but when coupled with Insight, the system scans during the beta were on par with what they were in the 2009 version. Since most signatures are online and not on the client, Symantec is able to speed up the scanning process. You can see a serious difference in scanning, thanks to the cloud, if you compare Norton Internet Security 2008 to the scanning used in 2009 or 2010 beta.
When I was quoted in the print edition of Tuesday’s USA Today as saying, "Reactive defenses just don't work anymore. Predictive systems will give an edge to the good guys." I meant every word.
The old way of signatures and the reliance on them alone, a reactive approach to security, is dead. Vendors like Symantec, McAfee, Panda, Kaspersky, and Trend Micro are moving forward with pro-active or predictive methods of detection, because they know signatures alone simply will not work.
The cat and mouse game of keeping up with the latest criminal trends needs to end, because the race has always been about what the criminals have done, and how to stop them.
What the race should be is what the criminals are doing now, and why it is working. Quorum, Artemis, Collective Intelligence, or Smart Protection Network, no matter what you call it, the aim is the same, catch the threat the second it starts, not after it worked.
Is Quorum the end all be all of Malware detection technology? No it is not, but it is a great step forward. Over time, this sort of technology will only get better. The same can be said for Symantec’s competition as well.
We’ll post the review of Norton Internet Security 2010 soon.
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to [email protected]]